Cyber Threat Weekly – #95
The week of September 8th through September 14th, about 369 cyber news articles were reviewed. A light amount of cyber threat trends and adversarial behavior news to share. Been thinkin about how our lack of foundational security practices is coming back to haunt us.
If you don’t have a complete inventory of all assets, strong segmentation, robust data access governance and tight identity and access governance at a minimum, post quantum crypto and agentic AI may seem overwhelming. It’s ironic how the things we should’ve done but didn’t, are becoming a necessity.
Let’s start with threat actor plants malicious extensions in Visual Studio marketplace. Managing tokens in third party applications. Researchers find a bootkit laden malware sample. Intel shared on realistic phishing lures used for tool download.
Year old SonicWall bug actively exploited again. Going with the buzz, AI prompt injection tactics. New ransomware gang ‘The Gentlemen’ has 27 victims already. Another open-source command and control framework abused in attacks.
New Salty2FA phishing kit. Researchers share observed ransomware incidents stopped.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher with weaponized PoC code available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for actively exploited and weaponized PoC code available vulnerabilities.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
CISA Known Exploited Vulnerabilities – September 8th to September 14th:
CVE-2025-5086 – Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability:
Could lead to a remote code execution.
Threat Actor Targets Visual Studio Marketplace
‘White Cobra’ plants 24 malicious crypto stealing extensions. The targets are VS (Visual Studio) Code, Cursor, and Windsurf supporting the VSIX extension. The extensions appear legitimate with professional appearance and inflated download count.
Third Party Applications Token Management
The supply chain can be tough to secure. The basis for secure integration with third parties are OAuth tokens. Threat actors are actively targeting OAuth tokens providing them the means to bypass security controls.
https://unit42.paloaltonetworks.com/third-party-supply-chain-token-management/
UEFI Bootkit Laced Malware Called HybridPetya
This one is for tracking purposes; the malware appears to be a proof of concept. A key part of the malware is the abuse of CVE-2024-7344, a UEFI secure boot bypass bug. So far, the malware doesn’t appear to be used in the wild.
Remote Management Tools Delivered with Realistic Phishing Lures
Four lures: fake browser updates, meeting invitations, party invitations, and fake government forms were used to deliver remote monitoring and management (RMM) tools to victims. Mitigation and IoC’s are shared.
https://redcanary.com/blog/threat-intelligence/phishing-rmm-tools/
Actively Exploited Again, Year Old SonicWall Bug
Proper mitigations are important, it appears that more than patching was needed for this one. The trend to go after n-day bugs continues. The lesson here, ensure all mitigations are in place and keep your Internet facing devices fully patched.
Some Tactics and Techniques for AI Prompt Injection
This one describes various ways malicious prompts are injected. Increasingly, macros are being abused. There are many ways for indirect prompt injection, ultra small text, background-matched text, and more. Indirect prompt injection will continue, new and novel ways have yet to be discovered.
Behaviors of ‘The Gentlemen’ Ransomware Gang Exposed
This group is new, uses living-off-the-land techniques, and adapts tools and behavior mid-campaign. With 27 victims and counting, they are moving fast. Researchers share observed behaviors and defenses.
https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
Lesser Known AdaptixC2 Post-Exploitation Framework
Threat actors are abusing tools made for pen testers. Open-source tooling allows for easy adaptability. This largely unknown tool is no exception. Sophisticated tunneling, beacon support, and a lot more.
https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/
New Level of Capability with Salty2FA Phishing Kit
This kit includes session-based rotating subdomains, legit platform abuse, defense evasion techniques, and dynamic branding. Also, support for six different multi-factor authentication methods including SMS and push notifications.
https://www.infosecurity-magazine.com/news/salty2fa-phishing-kit/
https://www.ontinue.com/resource/blog-salty2fa-multi-stage-evasion-phishing/
Ransomware Incidents Stopped Before Encryption, Key Indicators
Researchers share lessons learned over two plus years around ransomware incident investigations. Some key hindrances include rapid containment, security controls stop lateral movement, and controls in block / quarantine mode.
https://blog.talosintelligence.com/stopping-ransomware-before-it-starts/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter
Join the newsletter to receive the latest updates in your inbox.
Comments
Sign in to join the conversation.
Just enter your email below to receive a login link.
