Cyber Threat Weekly – #94

Derek Krein

The week of September 1st through September 7th, around 323 cyber news articles were reviewed. A moderate amount of cyber threat trends and adversarial behavior news to share.  Been thinkin about how easily AI is tricked and abused.

There’s a lot of hype promising AI agents with true agency taking on security operations tasks, business operations, and more.  Whether an adversary abuses prompt injection to get a desired result or, worse, turns the agent into an insider threat, the risk is real.

Let’s start with phishing emails sent from Apple servers.  The Nx NPM supply chain attack “s1ngularity” resulted in significant fallout.  The assault on open-source repositories continues.  Researchers share some indirect prompt injection. 

Tracking critical SAP bug, now actively exploited.  Researchers share a walk-through of OAuth application attacks.  Grokking on X to spread malicious links.  Massive spike in Cisco ASA devices scanned in a single day.

Another open-source offensive security tool possibly abused by threat actors.  Joint guidance on Software Bill of Materials (SBOM) released. 


Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!

Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months.  We continue to share n-day vulnerabilities being actively exploited.  Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs.  If it’s in the catalog, it should be patched.

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
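The prioritization above, written as a small triage script. This is an added example, not part of the original newsletter: the KEV excerpt and scanner findings are constructed, the host names and the `weaponized_poc` flag are assumptions, and the `CVE-0000-*` IDs are placeholders.

```python
import json
from datetime import datetime, timedelta

# Constructed excerpt shaped like the CISA KEV JSON feed; only cveID is used.
KEV_FEED = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-2025-53690", "vendorProject": "Sitecore"},
  {"cveID": "CVE-2025-38352", "vendorProject": "Linux"},
  {"cveID": "CVE-2023-50224", "vendorProject": "TP-Link"}
]}""")

# Constructed scanner findings. CVE-0000-0001/0002 are placeholders, not real IDs.
# "weaponized_poc" is assumed to come from your own threat-intel enrichment.
FINDINGS = [
    {"host": "build-01", "cve": "CVE-0000-0001", "internet_exposed": False, "weaponized_poc": False},
    {"host": "cms-edge", "cve": "CVE-2025-53690", "internet_exposed": True, "weaponized_poc": False},
    {"host": "db-02", "cve": "CVE-2025-38352", "internet_exposed": False, "weaponized_poc": False},
    {"host": "vpn-gw", "cve": "CVE-0000-0002", "internet_exposed": True, "weaponized_poc": True},
]

EMERGENCY_SLA = timedelta(hours=48)  # upper bound of the 24-to-48-hour window


def triage(findings, kev_feed, detected_at):
    """Rank findings: 1 = in KEV, 2 = weaponized PoC, 3 = normal patch cycle."""
    kev_ids = {v["cveID"].upper() for v in kev_feed["vulnerabilities"]}
    ranked = []
    for f in findings:
        if f["cve"].upper() in kev_ids:
            priority = 1
        elif f["weaponized_poc"]:
            priority = 2
        else:
            priority = 3
        # Only priorities 1 and 2 get the emergency deadline.
        deadline = detected_at + EMERGENCY_SLA if priority < 3 else None
        ranked.append({**f, "priority": priority, "patch_by": deadline})
    # Within a priority, Internet-exposed assets come first.
    ranked.sort(key=lambda r: (r["priority"], not r["internet_exposed"]))
    return ranked


if __name__ == "__main__":
    for item in triage(FINDINGS, KEV_FEED, datetime(2025, 9, 8, 9, 0)):
        print(item["priority"], item["host"], item["cve"], item["patch_by"])
```

In practice the feed would be the full KEV catalog JSON and the findings would come from your vulnerability scanner export.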


CISA Known Exploited Vulnerabilities – September 1st to September 7th:

CVE-2020-24363 – TP-Link TL-WA855RE Missing Authentication for Critical Function Vulnerability:
Could allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST request for a factory reset and reboot. The attacker can then obtain incorrect access control by setting a new administrative password. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

CVE-2025-55177 – Meta Platforms WhatsApp Incorrect Authorization Vulnerability:
Could allow an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.

CVE-2023-50224 – TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability:
Contains an authentication bypass by spoofing vulnerability within the httpd service, which listens on TCP port 80 by default, leading to the disclosure of stored credentials. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

CVE-2025-9377 – TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability:
Contain an OS command injection vulnerability that exists in the Parental Control page. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

CVE-2025-38352 – Linux Kernel Time-of-Check Time-of-Use (TOCTOU) Race Condition Vulnerability:
Linux kernel contains a time-of-check time-of-use (TOCTOU) race condition vulnerability that has a high impact on confidentiality, integrity, and availability.

CVE-2025-48543 – Android Runtime Use-After-Free Vulnerability:
Potentially allows a Chrome sandbox escape leading to local privilege escalation.

CVE-2025-53690 – Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability:
This bug allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution.


Phishing Emails Sent from Apple’s iCloud Calendar

Threat actors are sending callback phishing emails masked as purchase notifications.  The goal: bypass spam filters and reach their targets.  The campaign is a typical tech support scam.  Another example of legit resource abuse.

https://www.bleepingcomputer.com/news/security/icloud-calendar-abused-to-send-phishing-emails-from-apples-servers/


“S1ngularity” NX NPM Supply Chain Attack Impact

Researchers provide a postmortem of the incident, although it could’ve been much worse.  This might even have been a dry run to test the use of AI in the campaign.  Overall, thousands of secrets were leaked, which could lead to follow-on attacks.

https://www.bleepingcomputer.com/news/security/ai-powered-malware-hit-2-180-github-accounts-in-s1ngularity-attack/

https://www.wiz.io/blog/s1ngularitys-aftermath


Open-Source Repository Attacks are Relentless

Flashbots are impersonated by npm packages.  GitHub and npm packages using smart contracts lead to malware payloads.  Email library npm package impersonated.

https://thehackernews.com/2025/09/malicious-npm-packages-impersonate.html

https://socket.dev/blog/malicious-npm-packages-impersonate-flashbots-sdks-targeting-ethereum-wallet-credentials

https://www.csoonline.com/article/4050956/malicious-npm-packages-use-ethereum-blockchain-for-malware-delivery.html

https://thehackernews.com/2025/09/malicious-npm-package-nodejs-smtp.html


Simple Indirect Prompt Injection

Many adversaries delete and / or change logs to cover their tracks during an attack.  What happens if an attacker can use logs to modify details, hide attacks, or create false events to distract?  Researchers share a quick proof of concept. 

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rogue-ai-agents-in-your-socs-and-siems-indirect-prompt-injection-via-log-files/


Actively Exploited SAP S/4HANA Bug

This one is for tracking purposes.  A fix was released less than a month ago, and the bug is already being exploited, although it’s not widespread exploitation. 

https://www.bleepingcomputer.com/news/security/critical-sap-s-4hana-vulnerability-now-exploited-in-attacks/

https://securitybridge.com/blog/critical-sap-s-4hana-code-injection-vulnerability-cve-2025-42957/


Defending Against OAuth Application Attacks

While not new, these attacks are more difficult to find once executed.  This walk-through showcases an attack and defenses.  Like most legit resource abuse, these account takeover attacks generally work really well.

https://redcanary.com/blog/threat-detection/oauth-app-attacks/


Abusing X’s AI Assistant to Push Malicious Links on X

“Grokking,” as it’s called, is simply asking @Grok, “where is this video from?”  Grok happily grabs the link and republishes it.  Depending on ad spend, the links could reach hundreds of thousands to millions of potential victims.  Bottom line, AI is easily abused.

https://www.darkreading.com/threat-intelligence/scammers-grok-malicious-links-x


Cisco ASA Devices Scanned by over 25,000 Unique IPs

This could be an indicator of a future attack.  The single-day spike of 25,198 source IPs is well above the baseline of less than 500 a day.  A second, smaller attack came a few days later.  The ASA web login path was targeted both days.

https://www.greynoise.io/blog/scanning-surge-cisco-asa-devices


Threat Actors Looking to Abuse Open-Source Hexstrike-AI

This offensive tool uses MCP agents to help automate pen testing capabilities.  The latest version, 6.0, includes autonomous agents, over 150 tools, an intelligent decision engine, a feedback loop, and more.  This is one to keep an eye on.

https://www.bleepingcomputer.com/news/security/hackers-use-new-hexstrike-ai-tool-to-rapidly-exploit-n-day-flaws/

https://www.hexstrike.com/

https://github.com/0x4m4/hexstrike-ai

https://blog.checkpoint.com/executive-insights/hexstrike-ai-when-llms-meet-zero-day-exploitation/


Collaboration on Software Bill of Materials (SBOM) Guidance

CISA, NSA, and 19 international cybersecurity organizations release a shared vision of Software Bill of Materials.  The SBOM lists the software components, modules, and libraries used to create modern software, highlighting the software’s supply chain.

https://www.cisa.gov/sites/default/files/2025-09/joint-guidance-a-shared-vision-of-software-bill-of-materials-for-cybersecurity_508c.pdf

