Cyber Threat Weekly – #96
For the week of September 15th through September 21st, about 356 cyber news articles were reviewed. A light amount of cyber threat trend and adversarial behavior news to share this week. Been thinking about Model Context Protocol (MCP) and agentic AI.
MCP is not even a year old yet. The MCP servers themselves are applications we need to protect. Control and visibility into what they have access to (tools, credentials, data) can be a blind spot. Indirect prompt injection will be rampant without guardrails in place. Are we ready?
Let’s start with interesting use cases of LLM-enabled malware. CISA details two malware strains abused in Ivanti EPMM attacks. A great share on MCP tools for AI agents. The CIA deputy director shares AI transformation lessons learned.
Ransomware rundown for August. Public repositories are still under attack. A steganography and FileFix campaign is in the wild. An AI-native pen testing tool, Villager, has nearly 11,000 downloads.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1: start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available; the odds of exploitation rise sharply once working PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
Also consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices and services exposed to the Internet, which shrinks the set of flaws that need emergency treatment.
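As an added example (not from the newsletter), here is a small Python triage that applies the priority order above to a vulnerability inventory: anything in the KEV catalog first, anything with weaponized PoC code second, Internet-exposed assets ahead of internal ones within each tier, and a 48-hour deadline for the first two tiers that is never looser than CISA's own due date. The record layout mirrors the published CISA KEV JSON feed, but the catalog excerpt, asset names and CVE IDs are constructed placeholders, not real vulnerabilities; the `weaponized_poc` and `internet_exposed` flags are assumed inputs you would populate from your own scanner or CMDB.

```python
"""Triage a vulnerability inventory against the CISA KEV catalog.

Added example, not from the newsletter. The KEV record layout mirrors the
public CISA JSON feed (known_exploited_vulnerabilities.json), but the
catalog excerpt, asset names and CVE IDs below are constructed placeholders.
"""
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed excerpt in the shape of the CISA KEV feed. Fake CVE IDs.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
     "vulnerabilityName": "ExampleVendor EdgeGateway Authentication Bypass Vulnerability",
     "dateAdded": "2025-09-16", "dueDate": "2025-10-07",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "MDMServer",
     "vulnerabilityName": "ExampleVendor MDMServer Code Injection Vulnerability",
     "dateAdded": "2025-05-14", "dueDate": "2025-06-04",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed inventory rows, as a scanner or CMDB export might provide them.
# weaponized_poc / internet_exposed are assumed fields you populate yourself.
INVENTORY = [
    {"cve": "CVE-0000-0001", "asset": "vpn-gw-01", "internet_exposed": True,  "weaponized_poc": False},
    {"cve": "CVE-0000-0002", "asset": "mdm-01",    "internet_exposed": False, "weaponized_poc": True},
    {"cve": "CVE-0000-0003", "asset": "web-05",    "internet_exposed": True,  "weaponized_poc": True},
    {"cve": "CVE-0000-0004", "asset": "build-02",  "internet_exposed": False, "weaponized_poc": False},
]

REVIEW_DATE = date(2025, 9, 21)          # end of the week covered by this issue
EMERGENCY_WINDOW = timedelta(hours=48)   # the 24-to-48-hour emergency process


@dataclass
class Finding:
    cve: str
    asset: str
    tier: int                  # 1 = in KEV, 2 = weaponized PoC public, 3 = regular cycle
    internet_exposed: bool
    reason: str
    deadline: Optional[date]   # None means the regular patch cycle applies


def load_kev(feed_json: str) -> dict:
    """Index the KEV feed by CVE ID so each inventory lookup is a dict hit."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def classify(row: dict, kev: dict, today: date) -> Finding:
    """Apply the priority order: KEV first, weaponized PoC second, rest later."""
    emergency = today + EMERGENCY_WINDOW
    entry = kev.get(row["cve"])
    if entry is not None:
        cisa_due = date.fromisoformat(entry["dueDate"])
        reason = (f"in KEV since {entry['dateAdded']}; "
                  f"ransomware use: {entry['knownRansomwareCampaignUse']}")
        if cisa_due < today:
            reason += "; CISA due date already passed"
        # Never let the internal window be looser than CISA's due date.
        return Finding(row["cve"], row["asset"], 1, row["internet_exposed"],
                       reason, min(emergency, cisa_due))
    if row["weaponized_poc"]:
        return Finding(row["cve"], row["asset"], 2, row["internet_exposed"],
                       "weaponized PoC public, not yet in KEV", emergency)
    return Finding(row["cve"], row["asset"], 3, row["internet_exposed"],
                   "no known exploitation; regular patch cycle", None)


def triage(inventory, kev, today=REVIEW_DATE):
    """Return findings sorted by tier, then Internet-exposed assets first."""
    findings = [classify(r, kev, today) for r in inventory]
    findings.sort(key=lambda f: (f.tier, not f.internet_exposed, f.cve))
    return findings


def emergency_queue(findings):
    """The subset that must go through the 24-to-48-hour process."""
    return [f for f in findings if f.tier <= 2]


def run_example():
    """Run the triage over the constructed feed and inventory above."""
    return triage(INVENTORY, load_kev(KEV_FEED_JSON), REVIEW_DATE)


if __name__ == "__main__":
    for f in run_example():
        due = f.deadline.isoformat() if f.deadline else "regular cycle"
        print(f"P{f.tier} {f.cve} on {f.asset:10} due {due:14} {f.reason}")
```

Run against the real feed, you would swap `KEV_FEED_JSON` for the downloaded catalog and feed in your scanner export; the sort key is the whole policy, so adjusting the order (for example putting `knownRansomwareCampaignUse == "Known"` ahead of exposure) is a one-line change.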
Researchers Share Their Hunt for LLM-Enabled Malware
The researchers start by defining the threat large language models (LLMs) bring to bear and what counts as LLM-enabled malware. From there the focus shifts to hunting for malware with LLM prompts and API keys embedded in it, and some samples were indeed found.
https://www.sentinelone.com/labs/prompts-as-code-embedded-keys-the-hunt-for-llm-enabled-malware/
Malware Details Shared by CISA for EPMM Attacks
Two zero-day bugs in Ivanti Endpoint Manager Mobile (EPMM), patched in May 2025, were exploited to drop malware; CISA provides details on two strains, along with indicators of compromise and YARA and Sigma rules.
https://thehackernews.com/2025/09/cisa-warns-of-two-malware-strains.html
MCP Tools for Agentic AI and AI Agents – Attack Vectors and Defenses
As we move into agentic AI and AI agents, MCP servers are becoming prevalent. The MCP standard was only released in November 2024, so this is new tech, and there are many public sources for MCP servers. Researchers share how MCP tools work, common attacks against them, and defensive recommendations.
https://www.elastic.co/security-labs/mcp-tools-attack-defense-recommendations
Seven Lessons Shared on Securing AI Transformation
Former CIA deputy director Jennifer Ewbank shares lessons learned from the Central Intelligence Agency’s digital transformation. A huge lesson: foundational security and the boring fundamentals are a must when rolling out AI. Another: you need to think like an adversary.
https://www.darkreading.com/cyber-risk/7-lessons-securing-ai-transformation-former-cia-digital-guru
New Ransomware Threats Arise, But Qilin Remains on Top
August saw 467 ransomware attacks based on data leak site postings. Qilin remains on top, Akira is a distant second, and Sinobi hits third after only two months in existence. Another new player, The Gentlemen, has claimed 30 victims in September, and LockBit is making another comeback attempt.
https://thecyberexpress.com/qilin-top-ransomware-group-amid-new-threats/
Public Repository Attack Stories
This week’s attack stories on public repositories such as npm and PyPI, combined in one place: the SilentSync RAT delivered via malicious PyPI packages, and a self-propagating supply chain worm that hit hundreds of npm packages.
https://thehackernews.com/2025/09/silentsync-rat-delivered-via-two.html
https://www.zscaler.com/blogs/security-research/malicious-pypi-packages-deliver-silentsync-rat
https://www.infosecurity-magazine.com/news/supply-chain-worm-hundreds-npm/
Multi-Stage FileFix and Steganography Campaign Observed
Social engineering campaigns such as ClickFix have skyrocketed. A ‘FileFix’ variant has been spotted using steganography and JavaScript minification to hide its code, with multi-stage delivery and StealC as the final payload.
https://www.infosecurity-magazine.com/news/filefix-steganography-multistage/
Another AI Native Pen Testing Tool Called Villager
With nearly 11,000 downloads, this is a dual-use tool that cybercriminals and state actors can easily abuse. The tool comes from a China-based group and wraps Kali Linux utilities with DeepSeek AI models as an automation layer.
https://www.infosecurity-magazine.com/news/chinese-ai-villager-pen-testing/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter