Cyber Threat Weekly – #91
The week of August 11th through August 17th, roughly 323 cyber news articles were reviewed. A moderate amount of cyber threat trends and adversarial behavior news to share. Been thinking about AI usage and the need for strong AI governance.
The common governance pieces of the puzzle, data access governance and identity and access management (IAM) governance, are crucial. Just as important are privacy and trust. When you give an autonomous agent the ability to make decisions on your behalf, you need to ensure transparency and explainability of those decisions. In addition, accuracy and reliability need to be measured.
Let’s start with threat actors continuing to pair social engineering with n-day bugs. Top five ransomware groups, Qilin leads the pack. Cisco Firewall Management Center max severity bug. The United States and partners release the foundations for OT cybersecurity.
Application security is changing, survey of over 1,500 AppSec stakeholders. Crypto24 ransomware group stealthy attacks. Researchers share details of new cyberespionage group. FortiSIEM bug with exploit code available.
Malvertising delivers multi-stage PS1Bot. Nation-state tactics with a ransomware payload. Possible ShinyHunters / Scattered Spider collaboration.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top four initial access vectors, and their use has increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. The odds of exploitation go up once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
CISA Known Exploited Vulnerabilities – August 11th to August 17th:
CVE-2025-8088 – RARLAB WinRAR Path Traversal Vulnerability:
Could allow an attacker to execute arbitrary code by crafting malicious archive files.
CVE-2007-0671 – Microsoft Office Excel Remote Code Execution Vulnerability:
Can be exploited when a specially crafted Excel file is opened. This malicious file could be delivered as an email attachment or hosted on a malicious website.
CVE-2013-3893 – Microsoft Internet Explorer Resource Management Errors Vulnerability:
Allows for remote code execution. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
CVE-2025-8876 – N-able N-Central Command Injection Vulnerability:
A command injection vulnerability via improper sanitization of user input.
CVE-2025-8875 – N-able N-Central Insecure Deserialization Vulnerability:
Could lead to command execution.
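The triage the two priorities above describe, as an added example that is not part of the newsletter and not a CISA or VulnCheck tool. The KEV feed embedded below is a constructed sample shaped like CISA’s known_exploited_vulnerabilities.json (only the fields the script reads; dates are illustrative), the weaponized-PoC set and the asset inventory are hypothetical, and the 24-hour / 48-hour split of the emergency window by tier is this example’s choice:

```python
"""Patch-priority triage against a CISA KEV-style feed.

Added example for this newsletter, not a CISA or VulnCheck tool.
KEV_FEED_JSON is a CONSTRUCTED sample shaped like CISA's
known_exploited_vulnerabilities.json (only the fields read here; dates
are illustrative). WEAPONIZED_POC and INVENTORY are hypothetical.
"""
import json
from datetime import datetime, timedelta, timezone

KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-8088", "vendorProject": "RARLAB", "product": "WinRAR",
         "dateAdded": "2025-08-12", "dueDate": "2025-09-02",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-8876", "vendorProject": "N-able", "product": "N-Central",
         "dateAdded": "2025-08-13", "dueDate": "2025-08-20",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-8875", "vendorProject": "N-able", "product": "N-Central",
         "dateAdded": "2025-08-13", "dueDate": "2025-08-20",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Hypothetical: CVEs not (yet) in KEV but with weaponized public PoC code.
WEAPONIZED_POC = {"CVE-2025-25256"}

# Constructed asset inventory: which CVE sits on which host, and whether
# that host faces the Internet.
INVENTORY = [
    {"asset": "rmm-01",  "cve": "CVE-2025-8876",  "internet_exposed": True},
    {"asset": "siem-01", "cve": "CVE-2025-25256", "internet_exposed": False},
    {"asset": "ws-0421", "cve": "CVE-2025-8088",  "internet_exposed": False},
    {"asset": "web-03",  "cve": "CVE-2024-99999", "internet_exposed": True},  # hypothetical CVE: no KEV, no PoC
]

# The 24-to-48-hour emergency window, split by tier; tier 3 is the normal cycle.
SLA = {1: timedelta(hours=24), 2: timedelta(hours=48), 3: timedelta(days=30)}


def load_kev(feed_json):
    """Index a KEV feed by CVE ID so lookups are O(1)."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def tier_for(cve, kev, poc):
    """1 = in KEV (known exploited), 2 = weaponized PoC public, 3 = everything else."""
    if cve in kev:
        return 1
    if cve in poc:
        return 2
    return 3


def prioritize(inventory, kev, poc, now):
    """Attach a tier and a patch deadline to each finding, then sort: tier
    first, Internet-exposed assets before internal ones, earliest deadline
    last. A KEV deadline never slips past CISA's own dueDate."""
    findings = []
    for item in inventory:
        tier = tier_for(item["cve"], kev, poc)
        deadline = now + SLA[tier]
        if tier == 1:
            cisa_due = datetime.fromisoformat(kev[item["cve"]]["dueDate"]).replace(tzinfo=timezone.utc)
            deadline = min(deadline, cisa_due)
        findings.append({**item, "tier": tier, "deadline": deadline})
    findings.sort(key=lambda f: (f["tier"], not f["internet_exposed"], f["deadline"]))
    return findings


def run_example(now_iso="2025-08-14T00:00:00+00:00"):
    """Run the triage over the constructed data at a fixed 'now'."""
    return prioritize(INVENTORY, load_kev(KEV_FEED_JSON), WEAPONIZED_POC,
                      datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for f in run_example():
        print(f"tier {f['tier']}  {f['asset']:8} {f['cve']:16} "
              f"{'EXPOSED ' if f['internet_exposed'] else 'internal'} "
              f"patch by {f['deadline']:%Y-%m-%d %H:%M}Z")
```

In production the feed comes from the real CISA JSON (or VulnCheck’s superset) on a schedule, and the Internet-exposed flag comes from your external attack surface inventory; the ordering is what matters, since the exposed KEV hit is the one to patch first.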
EncryptHub Threat Group Abuses Social Engineering and N-Day Bug
Many threat actors are moving to social engineering for initial access: impersonating IT support staff and convincing users to establish a remote desktop connection. EncryptHub is following suit. Once a foothold is established, they run PowerShell commands and ultimately exploit CVE-2025-26633, the Microsoft Management Console security feature bypass known as MSC EvilTwin.
https://thehackernews.com/2025/08/russian-group-encrypthub-exploits-msc.html
Ransomware Threats are Ramping Up
Qilin was most active in July, but other groups aren’t standing still. July saw 423 victims, with INC Ransom second and SafePay, Akira, and Play rounding out the top five. New groups entering the game: BEAST, D4RK4RMY, Payouts King, Sinobi, AiLock, KaWaLocker, DeadLock, Crux, and Gunra. All in all, the ransomware threat is still prolific. These are the ones we know about; many more aren’t reported.
https://thecyberexpress.com/qilin-remains-top-ransomware-group/
https://cyble.com/blog/ransomware-groups-july-2025-attacks
Max Severity Bug in Cisco Firewall Management Center
This one is for tracking purposes. The bug is an unauthenticated remote code execution flaw in the RADIUS subsystem of Secure Firewall Management Center. RADIUS is the centralized authentication, authorization and accounting (AAA) protocol many organizations use to authenticate administrators to network devices; per Cisco’s advisory, the flaw is reachable only when RADIUS authentication is enabled for the web or SSH management interface, so switching those to another authentication method is the workaround until you patch. Tracked as CVE-2025-20265 and rated 10 / 10.
Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators
The United States and five partners released this document to help OT owners and operators build a taxonomy for asset inventory. Proper asset inventory is the key to prioritized security. Get the most bang from your resources and efforts.
https://www.infosecurity-magazine.com/news/us-canada-australia-nz-ot-security/
Over 1,500 AppSec Stakeholders Shed Light on AI Code and More
Many developers (50%) are using AI generated code already. Under pressure, 81% of organizations surveyed shipped vulnerable code. A lack of operational accountability is what makes shipping vulnerable code acceptable. These are some of the things allowing persistent threats to continue to grow in volume and velocity.
https://www.infosecurity-magazine.com/news/majority-of-orgs-ship-vulnerable/
https://checkmarx.com/wp-content/uploads/2025/08/The_future_of_AppSec_report.pdf
Custom EDR Bypass Tool Used by Crypto24 Ransomware Group
Blending living off the land techniques with a customized open-source EDR bypass tool to stay stealthy. The bypass targets several EDR products. Researchers note a high level of operational maturity and patience uncommon among commodity ransomware.
https://www.trendmicro.com/en_us/research/25/h/crypto24-ransomware-stealth-attacks.html
Curly COMrades, a New Cyberespionage Threat Group
The use of living off the land and a custom backdoor adds to their stealth. Executing PowerShell through the System.Management.Automation .NET assembly without ever invoking powershell.exe evades detections keyed on the PowerShell host process. CLSID hijacking combined with NGEN (the .NET Native Image Generator) for persistence allows for extreme stealth. The attacks also include abuse of a remote monitoring and management (RMM) tool called Remote Utilities.
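Two detections for the tradecraft just described, as an added example that is not the researchers’ tooling or part of the newsletter. The events below are constructed records in a Sysmon-like shape (field names mirror Sysmon: EventID, Image, ImageLoaded, TargetObject, Details); every path, SID and GUID is invented. The first rule catches a non-PowerShell process loading the PowerShell engine DLL (Sysmon Event ID 7); the second catches a write to InprocServer32 under a per-user CLSID key (Sysmon Event ID 13), the classic COM hijack location:

```python
"""Detections for unmanaged PowerShell and per-user CLSID hijacks.

Added example, not the researchers' tooling. EVENTS is a CONSTRUCTED list
of Sysmon-shaped records; field names mirror Sysmon (EventID, Image,
ImageLoaded, TargetObject, Details) but every value is invented.
"""
import ntpath
import re

# Processes that legitimately host the PowerShell engine.
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# The engine assembly, either the GAC copy or the NGEN native image (.ni.dll).
AUTOMATION_DLL = re.compile(r"[\\/]system\.management\.automation(\.ni)?\.dll$", re.I)
# Sysmon writes HKCU keys as HKU\<SID>\...; InprocServer32 under a per-user
# CLSID is where a COM hijack plants its DLL path.
HKCU_CLSID_INPROC = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\InprocServer32\b", re.I)

EVENTS = [
    # benign: powershell.exe loading its own engine
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\abc123\System.Management.Automation.ni.dll"},
    # suspicious: an unsigned binary in AppData hosting the engine (no powershell.exe)
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\Updater\RuntimeBroker.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
    # suspicious: per-user CLSID InprocServer32 pointed at a DLL in AppData
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\Updater\RuntimeBroker.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Roaming\Updater\comhost.dll"},
    # benign: installer registering a machine-wide COM server
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32\(Default)",
     "Details": r"C:\Program Files\Vendor\vendor.dll"},
    # unrelated process creation
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]


def unmanaged_powershell(ev):
    """Event ID 7 where the PowerShell engine is loaded by a non-PowerShell host."""
    if ev.get("EventID") != 7 or not AUTOMATION_DLL.search(ev.get("ImageLoaded", "")):
        return False
    return ntpath.basename(ev.get("Image", "")).lower() not in POWERSHELL_HOSTS


def hkcu_clsid_hijack(ev):
    """Event ID 13 writing InprocServer32 under a per-user CLSID key."""
    return ev.get("EventID") == 13 and bool(HKCU_CLSID_INPROC.match(ev.get("TargetObject", "")))


RULES = [("unmanaged_powershell", unmanaged_powershell),
         ("hkcu_clsid_hijack", hkcu_clsid_hijack)]


def detect(events):
    """Run every rule over every event; return one hit per (rule, event)."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append({"rule": name, "image": ev["Image"],
                             "detail": ev.get("ImageLoaded") or ev.get("Details", "")})
    return hits


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(f"{h['rule']:22} {h['image']}  ->  {h['detail']}")
```

Both rules need tuning before they page anyone: legitimate .NET applications host the PowerShell engine (management consoles, some installers), and per-user COM registrations are common, so allowlist signed hosts and alert hardest when the Image or the Details path sits in a user-writable directory. One design point worth knowing: PowerShell script block logging (event 4104) is engine-level, so it still records script content from an unmanaged host that never touches powershell.exe; turn it on alongside this image-load rule.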
A FortiSIEM Remote Code Execution Bug with Exploit Code Available
The bug is rated CVSS 9.8 and is tracked as CVE-2025-25256. This one is for tracking purposes; threat actors generally go after Fortinet bugs. A workaround: limit access to the phMonitor port (TCP 7900) to trusted management hosts until you can upgrade. Separately, GreyNoise reports a spike in brute-force traffic against Fortinet SSL VPN devices.
https://cyberscoop.com/fortinet-fortisiem-critical-vulnerability-ssl-vpn-brute-force-traffic/
https://fortiguard.fortinet.com/psirt/FG-IR-25-152
https://www.greynoise.io/blog/vulnerability-fortinet-vpn-bruteforce-spike
Stealthy Multi-Stage PS1Bot Delivered via Malvertising
Researchers have been observing a malware campaign active throughout 2025 that delivers PS1Bot, a modular malware framework, via malvertising. Its modules include information theft, reconnaissance, keylogging, and persistence. Most modules are delivered and executed in memory, leaving minimal artifacts on disk.
https://thehackernews.com/2025/08/new-ps1bot-malware-campaign-uses.html
https://blog.talosintelligence.com/ps1bot-malvertising-campaign/
Nation State Evasion Tactics + Charon Ransomware
The use of living off the land and highly evasive tactics by ransomware affiliates is not new, but the trend is growing. In this case the tactics mimic a particular nation state threat, Earth Baxia. The payload has not been seen before. This is one to keep an eye on.
https://thehackernews.com/2025/08/charon-ransomware-hits-middle-east.html
https://www.trendmicro.com/en_us/research/25/h/new-ransomware-charon.html
Some Evidence of a ShinyHunters / Scattered Spider Collaboration
This one is for tracking purposes and because it’s interesting. There is some evidence of a collaboration; it’s a bit thin, but it is there nonetheless. ShinyHunters has been stepping up their game with Scattered Spider tactics. An update as well: BreachForums appears to have been taken down by law enforcement.
https://thehackernews.com/2025/08/cybercrime-groups-shinyhunters.html
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter