Cyber Threat Weekly – #99
The week of October 13th through October 19th, around 377 cyber news articles were reviewed. A light week for cyber threat trends and adversarial behavior news. I've been thinking about AI chat records and how they can signal intent.
From a corporate perspective, Claude, ChatGPT, and similar tools capture how people think, plan, research, and interact. Are you performing competitive research, researching business ideas, troubleshooting, or testing? Depending on how you use LLMs, is there evidence that could be used against the company? Can threat actors take advantage?
Let’s start with two examples of ClickFix campaigns, then criminals and nation-state actors abusing ‘EtherHiding’, the Microsoft Digital Defense Report 2025, and the Bimonthly Threat Intelligence Executive Report for July / August.
Finally, F5 source code and undisclosed software bugs stolen by nation-state threat actors.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities that are being actively exploited. Priority #1: start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available; exploitation is more likely once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
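The prioritization described above (KEV first, ransomware-linked KEV entries ahead of the rest, weaponized-PoC flaws second, an emergency clock on both, Internet-exposed hosts ahead within a tier), as an added Python example that is not code from the newsletter. The JSON mirrors the field names of the real CISA KEV feed, but the entries, due dates, scanner findings, host names and CVE-0000-000x identifiers are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of the CISA KEV JSON feed, limited to the fields used
# here. The CVE IDs are those listed in this issue; the due dates are illustrative.
KEV_FEED = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-2025-6264", "product": "Velociraptor", "dueDate": "2025-11-04",
  "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2025-24990", "product": "Windows", "dueDate": "2025-11-04",
  "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2025-54253", "product": "Experience Manager Forms", "dueDate": "2025-11-05",
  "knownRansomwareCampaignUse": "Unknown"}]}""")

# Constructed scanner output. CVE-0000-000x are placeholders for findings that are not in
# the KEV catalog; weaponized_poc would come from your own exploit-intel source.
SCAN_FINDINGS = [
    {"cve": "CVE-2025-24990", "host": "ws-0412", "internet_exposed": False, "weaponized_poc": True},
    {"cve": "CVE-0000-0001", "host": "db-02", "internet_exposed": False, "weaponized_poc": False},
    {"cve": "CVE-2025-54253", "host": "aem-edge-01", "internet_exposed": True, "weaponized_poc": False},
    {"cve": "CVE-2025-6264", "host": "ir-server-01", "internet_exposed": False, "weaponized_poc": False},
    {"cve": "CVE-0000-0002", "host": "vpn-gw-01", "internet_exposed": True, "weaponized_poc": True},
]

def prioritize(findings, kev_feed, today, emergency_hours=48):
    """Order findings the way the newsletter recommends: KEV entries first (ransomware-
    linked ones ahead of the rest), then flaws with a weaponized PoC, then everything
    else; Internet-exposed hosts sort ahead within a tier. Tiers 1 and 2 get an
    emergency deadline of `emergency_hours`; KEV items also carry CISA's own due date."""
    today = datetime.fromisoformat(today) if isinstance(today, str) else today
    kev = {v["cveID"]: v for v in kev_feed["vulnerabilities"]}
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        ransomware, cisa_due = False, None
        if entry is not None:
            ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
            cisa_due = datetime.fromisoformat(entry["dueDate"])
            tier, reason = 1, "KEV" + (" + ransomware use" if ransomware else "")
        elif f["weaponized_poc"]:
            tier, reason = 2, "weaponized PoC available"
        else:
            tier, reason = 3, "routine patch cycle"
        row = {"tier": tier, "cve": f["cve"], "host": f["host"], "reason": reason,
               "deadline": today + timedelta(hours=emergency_hours) if tier <= 2 else None,
               "cisa_due": cisa_due, "cisa_overdue": cisa_due is not None and today > cisa_due}
        # Sort key: tier, then ransomware-linked first, then Internet-exposed first.
        ranked.append(((tier, not ransomware, not f["internet_exposed"]), row))
    return [row for _, row in sorted(ranked, key=lambda item: item[0])]
```

Feed the real KEV JSON and your scanner's export in place of the constructed data, and run it daily so the `cisa_overdue` flag catches anything that slipped past CISA's due date.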
CISA Known Exploited Vulnerabilities – October 13th to October 19th:
CVE-2025-47827 – IGEL OS Use of a Key Past its Expiration Date Vulnerability:
Allows for Secure Boot bypass. The igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesystem can be mounted from an unverified SquashFS image.
CVE-2025-24990 – Microsoft Windows Untrusted Pointer Dereference Vulnerability:
Allows for privilege escalation. An attacker who successfully exploited this vulnerability could gain administrator privileges.
CVE-2025-59230 – Microsoft Windows Improper Access Control Vulnerability:
Could allow an authorized attacker to elevate privileges locally.
CVE-2025-6264 – Rapid7 Velociraptor Incorrect Default Permissions Vulnerability:
Could lead to arbitrary command execution and endpoint takeover. To successfully exploit this vulnerability the user must already have access to collect artifacts from the endpoint. Known to be used in ransomware campaigns.
CVE-2016-7836 – SKYSEA Client View Improper Authentication Vulnerability:
Allows remote code execution via a flaw in processing authentication on the TCP connection with the management console program.
CVE-2025-54253 – Adobe Experience Manager Forms Code Execution Vulnerability:
Allows for arbitrary code execution.
A Couple of ClickFix Campaigns
Infostealers pushed via TikTok videos and Google Ads. The TikTok campaign uses activation of legitimate products as a lure, while the Google campaign uses fake sites impersonating products such as LogMeIn. ClickFix is a hugely popular social engineering technique, and its usage continues to rise.
‘EtherHiding’ Abused by Criminals & North Korea Backed Threat Actors
Blockchain smart contracts are being used to host malicious payloads. This technique aids defense evasion and makes takedowns more difficult. Researchers observed two different campaigns that are evolving.
https://cloud.google.com/blog/topics/threat-intelligence/unc5142-etherhiding-distribute-malware
https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherhiding
Microsoft Digital Defense Report 2025
Now more than ever, proactive principle-based security is a necessity. AI technology is aiding defenders but is also a large target. Prompt injection, indirect prompt injection, and data poisoning of both models and systems are prevalent. Infostealers are a threat that leads to attackers simply logging in. Initial access has become diverse, mixing tactics and techniques.
https://www.infosecurity-magazine.com/news/microsoft-process-100-trillion/
Bimonthly Threat Intelligence Executive Report – July / August
Notable trends observed by researchers during the two-month period. Ransomware remains a prolific threat with an increase in the number of groups, many pivoting to the cloud. Stolen credentials and a lack of phishing-resistant multi-factor authentication allow threat actors to log in instead of break in. N-day bugs are still heavily abused; patching actively exploited bugs is critical.
https://news.sophos.com/en-us/2025/10/17/threat-intelligence-executive-report-volume-2025-number-5/
Undisclosed Software Bugs and Source Code Stolen from F5
A nation-state actor conducted a long-term compromise of F5 corporate networks. The stolen source code and undisclosed bugs were from the BIG-IP suite of products. Attackers accessed the product development environment and the engineering knowledge management platform.
https://unit42.paloaltonetworks.com/nation-state-threat-actor-steals-f5-source-code/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter