Cyber Threat Weekly – #93
The week of August 25th through August 31st, roughly 311 cyber news articles were reviewed. A light week of cyber threat trend and adversarial behavior news to share. I’ve been thinking about threat exposure management again lately.
Every week the same types of stories come up, usually software bugs abused or social engineering like ClickFix for initial access. The real battle is attacker behavior once an adversary gains a foothold in your environment. How do you know if your security controls are working as expected? Do you have the right level of visibility to thwart an attack?
Let’s start with a PDF editor distributed via Google ads that turned malicious after an update. Yet another legit tool abused, this time for command-and-control comms. Then the H1 2025 Malware and Vulnerability Trends report.
Public repositories continue to get attacked. Claude AI abused to actively attack, not just advise. Ransomware actors going after cloud systems. Account takeover and legit-looking emails end in remote access for abuse and/or profit.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top four initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1: start with the CISA and VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in a catalog, it should already be patched.
A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available; the odds of exploitation rise sharply once working PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should also consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) go a long way toward minimizing the number of devices and services exposed to the Internet.
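As an added example (mine, not the newsletter’s), here is the priority logic above as a small triage script: tier 1 for anything in the KEV catalog, tier 2 for weaponized PoC, Internet exposure shortens the emergency window from 48 to 24 hours, and KEV due dates are checked for overdue items. The feed snippet follows the field names of the public CISA KEV JSON feed, but the three entries, their dates, the asset inventory and the PoC list are constructed for an offline run; the two CVE-0000-* identifiers are placeholders, not real CVEs.

```python
"""KEV-first patch triage: CISA KEV tier 1, weaponized PoC tier 2, exposure shortens SLA.

Added example, not the newsletter's own tooling. The feed below uses the field
names of the public CISA KEV JSON feed, but every entry, date and asset here is
CONSTRUCTED for an offline demonstration.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV feed (dates are made up).
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2025.08.29",
  "dateReleased": "2025-08-29T00:00:00.0000Z",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2025-48384", "vendorProject": "Git", "product": "Git",
     "vulnerabilityName": "Git Link Following Vulnerability",
     "dateAdded": "2025-08-25", "dueDate": "2025-09-15", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-7775", "vendorProject": "Citrix", "product": "NetScaler",
     "vulnerabilityName": "Citrix NetScaler Memory Overflow Vulnerability",
     "dateAdded": "2025-08-26", "dueDate": "2025-08-28", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-57819", "vendorProject": "Sangoma", "product": "FreePBX",
     "vulnerabilityName": "Sangoma FreePBX Authentication Bypass Vulnerability",
     "dateAdded": "2025-08-29", "dueDate": "2025-09-19", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Hypothetical inventory: CVE -> affected assets, with an Internet-exposure flag.
# CVE-0000-0001 / CVE-0000-0002 are placeholders, not real identifiers.
INVENTORY = {
    "CVE-2025-7775": [{"asset": "netscaler-gw-01", "exposed": True}],
    "CVE-2025-48384": [{"asset": "build-runner-03", "exposed": False}],
    "CVE-2025-57819": [{"asset": "pbx-01", "exposed": True}],
    "CVE-0000-0001": [{"asset": "app-07", "exposed": True}],
    "CVE-0000-0002": [{"asset": "db-02", "exposed": False}],
}

# Hypothetical list of CVEs with weaponized PoC code (from your exploit-intel source).
WEAPONIZED_POC = {"CVE-0000-0001"}


def load_kev(feed_json):
    """Index KEV entries by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(inventory, kev, weaponized_poc, today):
    """Rank inventory CVEs: KEV first, weaponized PoC second, everything else third."""
    rows = []
    for cve, assets in inventory.items():
        entry = kev.get(cve)
        exposed = any(a["exposed"] for a in assets)
        if entry is not None:
            tier = 1
        elif cve in weaponized_poc:
            tier = 2
        else:
            tier = 3
        # Emergency window applies to tiers 1 and 2; Internet exposure halves it.
        sla_hours = None if tier == 3 else (24 if exposed else 48)
        days_to_due = None
        if entry is not None:
            days_to_due = (date.fromisoformat(entry["dueDate"]) - today).days
        rows.append({
            "cve": cve,
            "tier": tier,
            "exposed": exposed,
            "in_kev": entry is not None,
            "weaponized_poc": cve in weaponized_poc,
            "ransomware_use": entry is not None and entry.get("knownRansomwareCampaignUse") == "Known",
            "days_to_due": days_to_due,
            "overdue": days_to_due is not None and days_to_due < 0,
            "sla_hours": sla_hours,
            "assets": [a["asset"] for a in assets],
        })
    # Tier, then exposed before internal, then nearest KEV due date, then CVE ID.
    rows.sort(key=lambda r: (r["tier"], not r["exposed"],
                             r["days_to_due"] if r["days_to_due"] is not None else 10**6,
                             r["cve"]))
    return rows


def run_example():
    """Run the triage as of the last day of the reviewed week (2025-08-31)."""
    return triage(INVENTORY, load_kev(KEV_FEED_JSON), WEAPONIZED_POC, date(2025, 8, 31))


if __name__ == "__main__":
    for r in run_example():
        flag = "OVERDUE " if r["overdue"] else ""
        print(f"tier {r['tier']} {flag}{r['cve']:16} exposed={r['exposed']!s:5} "
              f"sla={r['sla_hours']} due_in={r['days_to_due']} assets={','.join(r['assets'])}")
```

Swap the constructed feed for the live CISA JSON and the inventory for your scanner export and the same function gives you the 24/48-hour worklist; the overdue flag is the one to watch, because a KEV due date that has already passed means CISA expected it fixed days ago.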
CISA Known Exploited Vulnerabilities – August 25th to August 31st:
CVE-2025-48384 – Git Link Following Vulnerability:
This bug stems from Git’s inconsistent handling of carriage return characters in configuration files: a trailing CR is stripped when a value is read but not quoted when it is written, so a crafted submodule path can be resolved to a different location during a recursive clone.
CVE-2024-8068 – Citrix Session Recording Improper Privilege Management Vulnerability:
Could allow for privilege escalation to NetworkService account access. The attacker must be an authenticated user in the same Windows Active Directory domain as the session recording server.
CVE-2024-8069 – Citrix Session Recording Deserialization of Untrusted Data Vulnerability:
Allows limited remote code execution with the privileges of the NetworkService account. The attacker must be an authenticated user on the same intranet as the session recording server.
CVE-2025-7775 – Citrix NetScaler Memory Overflow Vulnerability:
Could allow for remote code execution and/or denial of service.
CVE-2025-57819 – Sangoma FreePBX Authentication Bypass Vulnerability:
Allows unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution.
PDF Editing Software Turns Malicious After an Update
Delivered through Google ads, more than 50 domains were used to distribute software called AppSuite PDF Editor. A later update switched on malicious capabilities such as collecting credentials and web cookies. It was only a matter of time before auto-updates were used against us.
https://www.truesec.com/hub/blog/tamperedchef-the-bad-pdf-editor
https://expel.com/blog/you-dont-find-manualfinder-manualfinder-finds-you/
Velociraptor Abused, Likely to Establish Command and Control Tunnel
The legit open-source forensics tool was deployed to download and execute Visual Studio Code with tunnel mode enabled, giving the attacker both remote access and remote code execution. The use of legit tools is nothing new; we continue to see interesting uses of them by threat actors.
https://thehackernews.com/2025/08/attackers-abuse-velociraptor-forensic.html
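As an added example (mine, not the newsletter’s or the linked article’s), here is the kind of detection logic that would have caught this chain run over a handful of process-creation events: Velociraptor running on a host where the DFIR team never deployed it, Velociraptor spawning child processes such as an installer, and the VS Code CLI launched with the tunnel subcommand. The events are constructed in Sysmon Event ID 1 field names, and the expected-host allowlist is a hypothetical site setting.

```python
"""Detect Velociraptor abused to stand up a VS Code tunnel.

Added example, not from the newsletter or the article it links. The sample
telemetry is CONSTRUCTED (Sysmon Event ID 1 field names, one JSON object per
line); EXPECTED_VELOCIRAPTOR_HOSTS is a hypothetical site allowlist.
"""
import json
import ntpath

# Hosts where the DFIR team legitimately runs the Velociraptor client (hypothetical).
EXPECTED_VELOCIRAPTOR_HOSTS = {"DFIR-JUMP-01"}

# VS Code binaries that accept the `tunnel` subcommand.
VSCODE_BINARIES = {"code.exe", "code-tunnel.exe", "code"}

# Constructed sample telemetry. Raw string so the JSON backslash escapes survive.
SAMPLE_EVENTS = r"""
{"UtcTime": "2025-08-27 02:14:05", "Computer": "WS-FIN-12", "Image": "C:\\ProgramData\\velociraptor.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "velociraptor.exe service run"}
{"UtcTime": "2025-08-27 02:15:41", "Computer": "WS-FIN-12", "Image": "C:\\Windows\\System32\\msiexec.exe", "ParentImage": "C:\\ProgramData\\velociraptor.exe", "CommandLine": "msiexec /i C:\\Users\\Public\\vscode.msi /qn"}
{"UtcTime": "2025-08-27 02:17:09", "Computer": "WS-FIN-12", "Image": "C:\\Users\\Public\\code\\code.exe", "ParentImage": "C:\\ProgramData\\velociraptor.exe", "CommandLine": "code.exe tunnel --accept-server-license-terms --name ws-fin-12"}
{"UtcTime": "2025-08-27 09:02:33", "Computer": "DEV-42", "Image": "C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe\" ."}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _base(path):
    """Lower-cased file name of a Windows path, regardless of the analysis host OS."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return one alert dict per matching rule per event, in event order."""
    alerts = []
    for ev in events:
        image = _base(ev.get("Image", ""))
        parent = _base(ev.get("ParentImage", ""))
        host = ev.get("Computer", "")
        tokens = ev.get("CommandLine", "").lower().split()

        def alert(rule, reason):
            alerts.append({"rule": rule, "reason": reason, "Computer": host,
                           "UtcTime": ev.get("UtcTime"), "Image": ev.get("Image"),
                           "CommandLine": ev.get("CommandLine")})

        # Rule 1: the Velociraptor client starting on a host it was never deployed to.
        if image == "velociraptor.exe" and host not in EXPECTED_VELOCIRAPTOR_HOSTS:
            alert("velociraptor_unexpected_host", f"{host} is not an approved Velociraptor host")

        # Rule 2: Velociraptor spawning children (installers, shells, editors) is the
        # "download and execute" step; tune the child list if collections spawn tools.
        if parent == "velociraptor.exe":
            alert("velociraptor_spawn", f"velociraptor.exe spawned {image}")

        # Rule 3: VS Code CLI launched in tunnel mode, the C2 channel in this campaign.
        if image in VSCODE_BINARIES and "tunnel" in tokens:
            alert("vscode_tunnel", "VS Code started with the tunnel subcommand")
    return alerts


def run_example():
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['UtcTime']} {a['Computer']:10} {a['rule']:28} {a['reason']}")
```

The ordinary developer launch of Code.exe on DEV-42 raises nothing, while the three events on WS-FIN-12 raise four alerts between them; the point is that each rule alone is noisy in some shops, but Velociraptor on an unexpected host followed by a child install and a tunnel launch is the sequence worth paging on.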
H1 2025 Malware and Vulnerability Trends Report
There is a lot to unpack in this report. Disclosed software vulnerabilities increased 16% over H1 2024, and 161 of them were actively exploited. ClickFix social engineering for initial access, endpoint detection and response (EDR) evasion, and legit tool abuse were prevalent.
https://assets.recordedfuture.com/insikt-report-pdfs/2025/cta-2025-0828.pdf
Public Repository Attack Stories
This is a single thread where public repository attacks are shared. The first one is a supply chain attack on Nx, compromising GitHub and npm tokens, and more.
https://www.infosecurity-magazine.com/news/npm-package-hijacked-ai-malware/
https://www.wiz.io/blog/s1ngularity-supply-chain-attack
https://www.infosecurity-magazine.com/news/vs-code-extensions-exploit-name/
Anthropic Threat Intelligence Report: August 2025
The agentic AI hype has caught up with reality: agentic AI is now being weaponized. The report shares several case studies. While these are specific to Claude, it’s likely the behaviors carry over to other AI models. This is an interesting read.
https://www.anthropic.com/news/detecting-countering-misuse-aug-2025
https://www-cdn.anthropic.com/b2a76c6f6992465c09a6f2fce282f6c0cea8c200.pdf
Ransomware Actors Attack Cloud and Delete Cloud Data
More threat actors are going after the cloud. In this case, instead of deploying ransomware, they simply delete the cloud data. Lateral movement is the norm in these campaigns, and the actors even attempted to turn off cloud security controls during mass deletion attempts. Let’s hope these types of operations don’t become the new favorite for threat actors.
https://therecord.media/ransomware-gangs-shift-to-stealing-cloud-data
AI Enhanced Emails Lead to Remote Access via ScreenConnect
Email account takeovers let threat actors send phishing emails inside ongoing conversations; the only limit is the victim’s address book. This isn’t a new technique, but it is becoming more widespread. Abusing trusted relationships works.
https://www.securityweek.com/hackers-weaponize-trust-with-ai-crafted-emails-to-deploy-screenconnect/
https://files.abnormalsecurity.com/production/files/Weaponizing-Workplace-Communications.pdf
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter