Cyber Threat Weekly – #97
The week of September 29th through October 5th, around 369 cyber news articles were reviewed. A lightish amount of cyber threat trends and adversarial behavior news to share. Been thinking about a simple fact: packets don’t lie.
Network visibility is the foundation of modern cybersecurity. Infiltration of a threat actor starts with the network. Lateral movement happens across the network. Applications and protocols intercommunicate at the network level. Do we understand our data flows and how our systems are interconnected?
Let’s start with Palo Alto Networks portal scanning, which spiked in a single day. A new threat group is abusing IIS servers for SEO fraud. Researchers shared a hidden prompt injection attack against Perplexity’s Comet agentic AI browser.
Increase in the number of threat actors abusing Microsoft Direct Send feature. Single day spike in exploitation attempts of Grafana. Social engineering is brutal; identity verification is a must. More AI attack capabilities shared by researchers.
Multiple agencies published follow-up guidance for OT owners and operators. A new Chinese APT, Phantom Taurus.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. The chance of exploitation is higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
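The prioritization above (KEV first, weaponized PoC second, Internet exposure raising urgency, a 24-to-48-hour emergency window) written as a small triage routine. This is an added example, not code from the newsletter; the KEV excerpt and scanner findings are constructed, and the weaponized-PoC flag is assumed to come from your own intel source.

```python
# Added example: rank vulnerability findings for emergency patching using
# the priorities described above (KEV first, weaponized PoC second).
import json
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed excerpt shaped like CISA's public KEV JSON feed; only the
# "cveID" field is used here. CVEs are from this week's list.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-32463", "vendorProject": "Sudo"},
    {"cveID": "CVE-2025-20352", "vendorProject": "Cisco"},
    {"cveID": "CVE-2021-43798", "vendorProject": "Grafana Labs"},
]})

@dataclass
class Finding:
    cve: str
    asset: str
    internet_exposed: bool
    weaponized_poc: bool   # assumed to come from your own intel feed

# Constructed scanner output; the CVE-0000-* IDs are placeholders.
FINDINGS = [
    Finding("CVE-2021-43798", "grafana-01", True, True),
    Finding("CVE-2025-32463", "build-host-07", False, True),
    Finding("CVE-0000-00001", "intranet-wiki", False, True),   # not in KEV, PoC public
    Finding("CVE-0000-00002", "print-server", True, False),    # not in KEV, no PoC
]

def load_kev_ids(kev_json: str) -> Set[str]:
    """Set of CVE IDs in a KEV-format JSON document."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}

def triage(findings: List[Finding], kev_ids: Set[str]) -> List[Tuple[int, str, str, Optional[int]]]:
    """Return (tier, cve, asset, sla_hours), most urgent first.
    Tier 1: in KEV (actively exploited). Tier 2: weaponized PoC public.
    Tier 3: normal patch cycle (no emergency SLA). Within tiers 1-2,
    Internet-exposed assets get 24h, internal ones 48h."""
    rows = []
    for f in findings:
        tier = 1 if f.cve in kev_ids else 2 if f.weaponized_poc else 3
        sla = None if tier == 3 else (24 if f.internet_exposed else 48)
        rows.append((tier, f.cve, f.asset, sla))
    rows.sort(key=lambda r: (r[0], r[3] if r[3] is not None else float("inf")))
    return rows

def emergency_queue() -> List[Tuple[int, str, str, Optional[int]]]:
    """Findings that need the 24-to-48-hour emergency process (tiers 1-2)."""
    return [r for r in triage(FINDINGS, load_kev_ids(KEV_JSON)) if r[0] < 3]
```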
CISA Known Exploited Vulnerabilities – September 29th to October 5th:
CVE-2025-32463 – Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability:
Could allow a local attacker to leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file.
CVE-2025-59689 – Libraesva Email Security Gateway Command Injection Vulnerability:
Could allow command injection via a compressed e-mail attachment.
CVE-2025-10035 – Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability:
Allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
CVE-2025-20352 – Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability:
Could allow for denial of service or remote code execution. A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system.
CVE-2021-21311 – Adminer Server-Side Request Forgery Vulnerability:
Allows a remote attacker to obtain potentially sensitive information.
CVE-2014-6278 – GNU Bash OS Command Injection Vulnerability:
Allows remote attackers to execute arbitrary commands via a crafted environment.
CVE-2017-1000353 – Jenkins Remote Code Execution Vulnerability:
Could allow attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, that would be deserialized using a new ObjectInputStream, bypassing the existing blocklist-based protection mechanism.
CVE-2015-7755 – Juniper ScreenOS Improper Authentication Vulnerability:
Could allow unauthorized remote administrative access to the device.
CVE-2025-21043 – Samsung Mobile Devices Out-of-Bounds Write Vulnerability:
Allows remote attackers to execute arbitrary code.
CVE-2025-4008 – Smartbedded Meteobridge Command Injection Vulnerability:
Could allow remote unauthenticated attackers to gain arbitrary command execution with elevated privileges (root) on affected devices.
Huge Spike in Scanning Palo Alto Networks Portals
More often than not, a huge spike in scanning activity leads to either zero-day bugs being announced or active attacks on existing bugs. Researchers observed a single-day 500% spike in scanning for Palo Alto portals. Edge devices have been a massive target; architecture and zero trust network access capabilities can help minimize attack surface.
https://thehackernews.com/2025/10/scanning-activity-on-palo-alto-networks.html
https://www.greynoise.io/blog/palo-alto-scanning-surges
Chinese Threat Group Targeting Internet Information Server (IIS)
Victims are chosen for their high domain and IP reputation. Initial access starts with weakly configured servers allowing unrestricted file uploads. A web shell is uploaded, a guest account is created and quickly elevated to admin level. Tactics, techniques, and procedures are shared.
https://blog.talosintelligence.com/uat-8099-chinese-speaking-cybercrime-group-seo-fraud/
Hidden Prompt Injection Attack on Comet Agentic AI Browser
Researchers share an attack called CometJacking, where a hidden prompt instructs the agent to query its memory and connected services. The prompt also instructs the agent to base64 encode the data and send it to an external endpoint. We are going to see more hidden and indirect prompt injection attacks on AI.
Increase in the Number of Threat Actors Abusing Microsoft Direct Send
Direct Send is a Microsoft 365 feature allowing devices and applications to send unauthenticated emails without a mailbox. The malicious emails appear to originate from within an organization. It’s not surprising this tactic is growing in popularity.
https://www.rapid7.com/blog/post/dr-microsoft-365-direct-send-abuse/
Single Day Spike in Grafana Exploitation Attempts
Most of the 110 unique source IPs observed targeted the United States. All the IPs observed were classified as malicious and attempted exploitation of CVE-2021-43798. This could be a resurgence of the older bug or fingerprinting and weaponizing of newer bugs.
https://www.greynoise.io/blog/coordinated-grafana-exploitation-attempts
Identity Verification in the Age of Social Engineering
Scattered Spider and other threat actors use social engineering to attack some of the largest organizations. Researchers share attack patterns, proactive defense methodologies, and guiding principles to help defend against social engineering.
https://www.darkreading.com/threat-intelligence/google-sheds-light-shinyhunters-salesforce-tactics
Gemini AI Indirect Prompt Injection and Other Attacks
Researchers detail several attack scenarios achieved by abusing Gemini AI. A few different indirect prompt injection techniques are shared, as well as data exfiltration. This highlights the need for strong security when deploying AI technologies.
https://www.malwarebytes.com/blog/news/2025/10/gemini-ai-flaws-could-have-exposed-your-data
Multiple Countries and Agencies Provide Updated OT Guidance
The US, Canada, Australia, New Zealand, the Netherlands, Germany, and now the UK have released guidance on creating a definitive view of your OT architecture. This new guidance provides a principles-based approach to building, maintaining, and storing your understanding of your systems.
https://www.ic3.gov/CSA/2025/250929.pdf
Newly Named Threat Group – Phantom Taurus
Researchers detail the evolution from activity cluster to threat actor and provide an attribution breakdown. This threat actor exhibits behavior differentiating it from other threat actors.
https://unit42.paloaltonetworks.com/phantom-taurus/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter