Cyber Threat Weekly – #92
During the week of August 18th through August 24th, roughly 327 cyber news articles were reviewed. There is only a light selection of cyber threat trends and adversarial behavior news to share. I've been on vacation, so this is a short newsletter.
I was ruthless about which trends and behaviors made the cut. Are shorter newsletters better? Share your thoughts in the comments!
Let's start with a massive spike in RDP probing. Silk Typhoon is abusing trusted relationships in the cloud. Testing of an agentic AI browser gets interesting results. ClickFix with an interesting twist: access-as-a-service.
QR code phishing, two new techniques.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors, and their use has increased sharply in recent months. We continue to share n-day vulnerabilities that are being actively exploited. Priority #1: start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it's in a catalog, patch it.
A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available; the chance of exploitation is higher once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
Also consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) go a long way toward minimizing the number of devices and services exposed to the Internet.
CISA Known Exploited Vulnerabilities – August 17th to August 24th:
CVE-2025-54948 – Trend Micro Apex One OS Command Injection Vulnerability:
Could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.
CVE-2025-43300 – Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability:
The bug is an out-of-bounds write vulnerability in the Image I/O framework.
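To make the "if it's in the catalog, patch it" rule mechanical, here is an added example (not from the newsletter, CISA, or VulnCheck) that matches a scanner's CVE findings against a KEV-shaped feed and orders the hits by urgency, including whether the 48-hour emergency window from above has already elapsed. The feed sample is constructed in the shape of CISA's public JSON (the two CVE IDs are the ones listed above; the dates, products and hostnames are filled in for the example), the reference date is frozen, and the placeholder CVE-1900-0000 is not a real CVE.

```python
import json
from datetime import date, timedelta

# Constructed sample shaped like the CISA KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the two CVE IDs come from this issue; dates and other fields are filled in
# for the example and should not be read as the catalog's actual values.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-54948",
            "vendorProject": "Trend Micro",
            "product": "Apex One",
            "vulnerabilityName": "Trend Micro Apex One OS Command Injection Vulnerability",
            "dateAdded": "2025-08-18",
            "dueDate": "2025-09-08",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2025-43300",
            "vendorProject": "Apple",
            "product": "Multiple Products",
            "vulnerabilityName": "Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability",
            "dateAdded": "2025-08-21",
            "dueDate": "2025-09-11",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed asset inventory: CVE ID -> hosts a scanner reports as affected.
# CVE-1900-0000 is a placeholder, not a real CVE; it shows non-KEV findings are skipped.
SAMPLE_INVENTORY = {
    "cve-2025-54948": ["apexone-srv-01", "apexone-srv-02"],
    "CVE-2025-43300": ["mbp-finance-07"],
    "CVE-1900-0000": ["web-dev-03"],
}

# Frozen reference date so the example is reproducible (assumption for the example).
TODAY = date(2025, 8, 25)
# The newsletter's emergency patch window for anything actively exploited.
EMERGENCY_WINDOW = timedelta(days=2)


def load_kev(raw_json):
    """Index the KEV feed by upper-cased CVE ID so lookups are case-insensitive."""
    data = json.loads(raw_json)
    return {v["cveID"].upper(): v for v in data["vulnerabilities"]}


def triage(inventory, kev, today=TODAY):
    """Return the inventory findings that appear in KEV, most urgent first.

    Ordering: known ransomware use first, then fewest days left on the CISA
    due date, then the largest number of affected hosts.
    """
    hits = []
    for cve, hosts in inventory.items():
        entry = kev.get(cve.upper())
        if entry is None:
            continue  # not in KEV: lower priority, handled by the normal cycle
        added = date.fromisoformat(entry["dateAdded"])
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cve": cve.upper(),
            "product": f"{entry['vendorProject']} {entry['product']}",
            "hosts": sorted(hosts),
            "cisa_due": due.isoformat(),
            "days_left": (due - today).days,
            # True once the 48-hour emergency window since KEV addition has passed
            "past_48h": today > added + EMERGENCY_WINDOW,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    hits.sort(key=lambda h: (not h["ransomware"], h["days_left"], -len(h["hosts"])))
    return hits


def run_example():
    """Triage the constructed inventory against the constructed feed."""
    return triage(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_JSON))


if __name__ == "__main__":
    for hit in run_example():
        flag = "OVERDUE(48h)" if hit["past_48h"] else "within 48h"
        print(f"{hit['cve']} {hit['product']} hosts={len(hit['hosts'])} "
              f"due={hit['cisa_due']} ({hit['days_left']}d) {flag}")
```

In production, replace `SAMPLE_KEV_JSON` with the downloaded CISA feed (and, if you have it, the VulnCheck KEV export) and feed the inventory from your scanner; the CISA `dueDate` is the federal deadline and is deliberately reported separately from the newsletter's tighter 48-hour window.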
RDP Probing, Massive Spike Observed
Well above the 3-to-5-IPs-a-day baseline, 1,971 IPs were observed targeting Microsoft RD Web Access and the RDP Web Client. The sole target country was the United States. Roughly 92% of the IPs observed were already tagged as malicious. If you are exposing RDP to the Internet (not a good idea), harden your systems.
https://www.greynoise.io/blog/surge-malicious-ips-probe-microsoft-remote-desktop
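If you do run RD Web Access or the RDP Web Client on the edge, you can watch for this kind of surge in your own IIS logs rather than waiting for a vendor blog. The following is an added example, not GreyNoise's code or data: it parses a W3C-format IIS log, counts distinct source IPs per day that touch `/RDWeb/` paths, and flags days above a baseline. The log excerpt is constructed for the example (external addresses are RFC 5737 documentation ranges, and the field list is trimmed from a default IIS log to keep the sample short).

```python
import re
from collections import defaultdict

# Constructed IIS W3C log excerpt for the example (not real data). Client IPs are
# from the RFC 5737 documentation ranges. The #Fields line is shorter than a
# default IIS log; the parser reads whatever header the log actually has.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-08-20 09:12:01 GET /RDWeb/Pages/en-US/login.aspx - 198.51.100.7 Mozilla/5.0 200
2025-08-20 10:40:33 GET /RDWeb/webclient/ - 198.51.100.9 Mozilla/5.0 200
2025-08-20 11:02:10 GET /owa/ - 203.0.113.4 Mozilla/5.0 200
2025-08-21 00:00:05 GET /RDWeb/Pages/en-US/login.aspx - 192.0.2.10 python-requests/2.32 200
2025-08-21 00:00:06 GET /rdweb/webclient/ - 192.0.2.10 python-requests/2.32 200
2025-08-21 00:01:12 GET /RDWeb/Pages/en-US/login.aspx - 192.0.2.11 Go-http-client/1.1 200
2025-08-21 00:01:40 GET /RDWeb/Pages/en-US/login.aspx - 192.0.2.12 Go-http-client/1.1 200
2025-08-21 00:02:03 GET /RDWeb/webclient/ - 192.0.2.13 curl/8.5.0 200
2025-08-21 00:02:59 GET /RDWeb/Pages/en-US/login.aspx - 192.0.2.14 curl/8.5.0 200
2025-08-21 00:03:21 GET /RDWeb/Pages/en-US/login.aspx - 192.0.2.15 python-requests/2.32 200
2025-08-21 00:03:55 GET /RDWeb/webclient/ - 192.0.2.16 python-requests/2.32 200
2025-08-21 00:04:30 GET /RDWeb/Pages/en-US/login.aspx - 192.0.2.17 Mozilla/5.0 200
2025-08-21 08:15:00 GET /owa/ - 203.0.113.4 Mozilla/5.0 200
"""

# RD Web Access (/RDWeb/Pages/...) and the RDP Web Client (/RDWeb/webclient/)
# both live under /RDWeb; IIS paths are case-insensitive.
RDWEB_PATH = re.compile(r"^/rdweb(/|$)", re.IGNORECASE)


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header can repeat when IIS rolls the log
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("request line seen before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign
        yield dict(zip(fields, values))


def rdweb_daily_summary(log_text):
    """Per-day distinct source IPs and request counts for RDWeb paths only."""
    ips = defaultdict(set)
    requests = defaultdict(int)
    for rec in parse_w3c(log_text):
        if not RDWEB_PATH.match(rec["cs-uri-stem"]):
            continue
        day = rec["date"]
        ips[day].add(rec["c-ip"])
        requests[day] += 1
    return {day: {"unique_ips": len(ips[day]), "requests": requests[day]}
            for day in sorted(ips)}


def flag_surge(summary, baseline_max=5):
    """Days whose distinct-IP count exceeds the normal baseline.

    The default of 5 matches the upper end of the 3-to-5 IPs a day quoted above;
    tune it to your own site's history.
    """
    return [day for day, stats in summary.items() if stats["unique_ips"] > baseline_max]


if __name__ == "__main__":
    summary = rdweb_daily_summary(SAMPLE_IIS_LOG)
    for day, stats in summary.items():
        print(day, stats)
    print("surge days:", flag_surge(summary))
```

The distinct-IP count, not the raw request count, is the signal to alert on: a single noisy scanner inflates requests, while a surge in distinct sources is what the GreyNoise observation describes. A day that trips the threshold is a good moment to confirm NLA and MFA are enforced and to compare the source list against your threat-intel tags, since most of the observed IPs were already known-bad.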
Trusted Relationships in the Cloud Abused by Nation State Actors
Silk Typhoon, the infamous nation state group, abuses trusted relationships to move laterally to downstream customers in the cloud. Researchers share TTPs and observations. Yesterday's nation state attack is tomorrow's commodity attack: cyber criminals have been adopting nation state tactics and techniques for over a decade.
https://thecyberexpress.com/silk-typhoon-hackers-target-saas-providers/
https://www.crowdstrike.com/en-us/blog/murky-panda-trusted-relationship-threat-in-cloud/
Agentic AI Browser Testing, Some Interesting Results
Using Perplexity's Comet, researchers built and tested three scenarios. I would like to have seen failure-rate percentages and a more scientific testing methodology, but the result is that the agentic AI falls for simple scams. This underscores the need to move slowly with agentic AI.
From ClickFix to Access-as-a-Service – CORNFLAKE.V3 Backdoor
Threat actor 'A' uses ClickFix to gain access and install malware; threat actor 'B' interacts with the malware and performs recon and credential harvesting. Additional payloads are possible. Researchers analyze a sample and walk through their observations.
https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor/
Two New QR Code Phishing Techniques
The first technique splits the QR code into two images. It looks like a single image, but in the HTML it is actually two different images. The second technique is QR code nesting: a malicious QR code is embedded within a larger QR code.
https://blog.barracuda.com/2025/08/20/threat-spotlight-split-nested-qr-codes-quishing-attacks
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter