
Cyber Alerts
DEFENSE INTELLIGENCE
Alert: F5 Supply-Chain Breach Puts 600,000+ BIG-IP Devices at Risk of Pre-Patch Exploitation
Fri, Oct 17
F5 disclosed that nation-state hackers accessed its internal networks and sensitive vulnerability information tied to BIG-IP. Within 24 hours, researchers counted 600k+ internet-reachable F5 devices. CISA directed agencies to patch promptly and disconnect management interfaces from the internet, because the stolen details could speed exploit creation before patches are fully deployed.
What You Should Know:
- Scope: ~600k devices online globally; ~130k in the U.S. (Shadowserver).
- Risk: Theft of confidential vulnerability details could enable exploit development ahead of patch uptake.
- Status: F5 says it has evicted the intruders; the investigation is ongoing with public/private partners.
- Context: Edge devices are high-value targets for nation-state operations and ransomware crews.
Recommended Actions:
- Apply the latest F5 BIG-IP patches immediately and watch for out-of-band releases.
- Isolate or disable internet-exposed management interfaces; require VPN or just-in-time (JIT) admin access with MFA.
- Rotate credentials, review authentication integrations, and audit recent configuration changes.
- Increase monitoring for exploitation indicators and anomalous device behavior.
- Validate network segmentation and confirm that device backups have been tested.
Alert: Microsoft Outlook Disables Inline SVG Images to Block Phishing and Malware Campaigns
Mon, Oct 06
Microsoft announced that Outlook for Web and the new Outlook for Windows will no longer render inline SVG images. The change mitigates phishing and malware attacks that leverage the SVG format, which has been heavily abused in phishing-as-a-service operations.
What You Should Know:
- Inline SVGs are blocked beginning September 2025, with full rollout expected by mid-October 2025.
- SVG-based attacks have surged by 1,800% year-over-year and are often used to deliver phishing content or malicious scripts.
- Only inline SVGs are affected; attached SVG files remain supported and viewable.
- The update follows Microsoft’s ongoing effort to disable legacy features exploited in attacks, including macros, ActiveX controls, and certain file types.
Recommended Actions:
- Communicate the Outlook behavior change to users to avoid confusion when images fail to render
- Replace SVG-based templates or images with safer formats (e.g., PNG, JPG)
- Strengthen mail filtering and sandboxing for nontraditional file types
- Maintain user training on recognizing phishing attempts that use attachments or embedded content
Alert: Executives Targeted with Oracle-Themed Extortion Campaign
Thurs, Oct 02
Corporate executives are the focus of a large-scale extortion campaign launched by hackers claiming affiliation with the Clop ransomware gang. The campaign uses compromised email accounts to pressure executives with threats of exposing data allegedly taken from Oracle E-Business Suite applications.
What You Should Know:
- While the claims of Oracle E-Business Suite breaches are unverified, researchers have confirmed strong links to FIN11, a Clop-associated threat actor.
- The extortion notes include email addresses tied to Clop’s leak site, validating the threat actor connection.
- The campaign is high volume and has been observed across hundreds of compromised accounts.
- Clop has a history of mass exploitation campaigns, including MOVEit (2023) and Cleo file transfer (2024).
Recommended Actions:
- Alert executive leadership and staff who may be targeted by extortion emails
- Block and report suspicious emails referencing Oracle or Clop
- Investigate Oracle E-Business Suite environments for indicators of compromise
- Develop an internal executive extortion response protocol that prioritizes incident reporting, not engagement
Alert: Shai-Hulud Supply Chain Worm Infects 500+ npm Packages, Exfiltrates Developer Credentials
Fri, Sept 26
The Shai-Hulud worm spread through more than 500 npm packages, stealing developer credentials and automatically propagating malicious code to additional projects. CISA has issued an alert urging organizations to review all npm dependencies and rotate developer credentials.
What You Should Know:
- The malicious code scanned for and exfiltrated secrets such as GitHub tokens and cloud service API keys.
- The worm’s self-replication let it automatically infect new packages once it had access to a compromised developer environment.
- GitHub removed the malicious packages from the npm registry and blocked future uploads tied to the compromise.
- Experts say this incident is the first large-scale supply chain worm to succeed in the npm ecosystem.
Recommended Actions:
- Immediately review npm environments for indicators of compromise
- Rotate all credentials and API keys tied to developer accounts
- Monitor for suspicious network traffic and unauthorized repository activity
- Implement stronger authentication and publishing safeguards in open-source workflows
Alert: SonicWall Customers Warned of Brute Force Attacks on Cloud Backup Service
Fri, Sept 26
SonicWall has confirmed that attackers are conducting brute force attacks against the MySonicWall.com portal, targeting the company’s cloud backup service for firewalls. Investigators found that attackers accessed about 5% of firewall backup preference files. While stored credentials in those files are encrypted, the files contain configuration details that could aid future firewall exploitation.
What You Should Know:
- Backup files include sensitive configuration data such as user accounts, group settings, DNS, and log configurations.
- SonicWall has shut down an unauthorized backup point linked to the incident.
- CISA urged customers to log into their MySonicWall accounts immediately to determine their exposure.
- Nation-state and ransomware actors have historically used firewall configuration data for follow-on intrusions.
- SonicWall is working with law enforcement and cybersecurity partners; a customer video advisory is available.
Recommended Actions:
- Reset all stored credentials associated with SonicWall devices
- Audit firewall configurations for anomalies or changes
- Apply segmentation and monitoring controls to firewall-connected environments
- Follow SonicWall and CISA advisories for ongoing updates
Alert: OpenAI Fixes ShadowLeak Zero-Click Vulnerability in ChatGPT Deep Research
Mon, Sept 22
OpenAI patched a critical flaw (CVE pending), dubbed ShadowLeak, in its Deep Research agent. The bug enabled attackers to exfiltrate sensitive data without user interaction by embedding malicious instructions in emails or documents ingested by the tool.
What You Should Know:
- The exploit was zero-click: victims did not need to open or interact with the malicious message.
- Deep Research could be tricked into calling attacker-controlled URLs that carried private data, such as employee names, addresses, or internal business data, as parameters.
- While demonstrated with Gmail, the technique could extend to other connectors (Google Drive, Dropbox, SharePoint, etc.).
- Radware disclosed the issue in June; OpenAI fixed it in August and marked it resolved on September 3.
- No exploitation in the wild has been observed, but researchers warn this reflects a new category of AI agent abuse.
Recommended Actions:
- Confirm updates to Deep Research and related connectors are applied
- Audit usage of AI-integrated email and document systems for anomalies
- Establish AI usage policies that treat these agents as privileged applications
- Monitor emerging research on prompt injection and autonomous agent exploits
Alert: FBI Warns of Spoofed IC3 Websites Used for Fraud (PSA I-091925)
Fri, Sept 19
The FBI issued Public Service Announcement I-091925, warning that attackers are creating spoofed versions of the IC3.gov website to steal personal and financial data.
What You Should Know:
- Spoofed domains may use slight spelling changes or alternative top-level domains to impersonate IC3.
- Fraudulent sites are harvesting names, addresses, banking details, and more from unsuspecting victims.
- The only legitimate IC3 site is www.ic3.gov. IC3 does not charge fees, direct users to third-party recovery firms, or maintain social media accounts.
Recommended Actions:
- Always type www.ic3.gov directly into your browser; do not rely on search results or ads.
- Confirm URLs end in .gov before entering personal or financial data.
- Report fraudulent sites and impersonation attempts to the FBI via the legitimate IC3 site.
- Educate users on recognizing spoofed domains and avoiding phishing websites.
Alert: Fake CrowdStrike npm Packages Used to Deploy Backdoors
Wed, Sept 17
Security researchers have identified malicious packages in the npm registry that impersonated CrowdStrike tools. The packages delivered JavaScript backdoors capable of executing attacker commands and exfiltrating sensitive data.
What You Should Know:
- The fake packages were designed to blend in with legitimate CrowdStrike libraries, increasing the chance of accidental installation.
- Once installed, the malware could collect system and credential data and give attackers remote access.
- Supply chain attacks like this highlight the risks of dependency trust in modern development workflows, particularly in npm’s open ecosystem.
Recommended Actions:
- Immediately audit npm projects for suspicious CrowdStrike-themed dependencies
- Lock dependencies with integrity verification and use private registries when possible
- Educate development teams on spotting package impersonation attacks
- Monitor CI/CD pipelines for unauthorized package pulls or script execution
Alert: Apple Zero-Day ImageIO Exploited
Tues, Sept 2
Apple and CISA have disclosed CVE-2025-43300, a zero-day vulnerability in the ImageIO framework affecting iPhones, iPads, and Macs. The bug is already being used in “extremely sophisticated” attacks against select individuals.
What You Should Know:
- This is a zero-click exploit: it requires no user interaction and can be triggered by a malicious image delivered via email, message, or web content.
- Apple’s advisory explicitly acknowledges targeted exploitation, language the company rarely uses.
- The bug is now listed in CISA’s Known Exploited Vulnerabilities catalog.
- The exploitation echoes past spyware activity (e.g., the 2023 BLASTPASS chain used to deliver Pegasus).
- While the attacks are targeted, Apple stresses that all users should patch immediately.
Recommended Actions:
- Update to the latest iOS, iPadOS, and macOS versions as soon as possible
- Treat unexpected or suspicious media files with caution until fully patched
- Prioritize updates for executives, administrators, and other high-risk roles
- Enhance monitoring for spyware-like behavior on Apple endpoints
Alert: NetScaler Zero-Day Vulnerability Exploited for Remote Code Execution
Thurs, August 28
NetScaler has released urgent security updates after confirming active exploitation of CVE-2025-7775, a critical memory overflow vulnerability affecting its application delivery controllers and remote-access tools. The flaw carries a CVSS score of 9.2 and can result in denial of service or remote code execution.
What You Should Know:
- Exploitation is ongoing, with evidence of attackers installing backdoors that persist after patching
- At least 28,000 vulnerable NetScaler instances remain exposed online
- Exploitation requires common configurations such as Gateway mode or AAA virtual servers
- Additional flaws (CVE-2025-7776 and CVE-2025-8424) can cause denial of service or unauthorized file access
- CISA has added CVE-2025-7775 to the Known Exploited Vulnerabilities catalog
Recommended Actions:
- Patch all affected NetScaler appliances immediately
- Audit for persistence mechanisms and unauthorized access, since patching alone does not remove backdoors installed before the update
- Limit external exposure of NetScaler services
- Monitor for anomalies linked to denial of service or RCE attempts
Alert: ScreenConnect Admins Targeted
Wed, August 27
A credential-harvesting campaign dating back to 2022 is targeting ScreenConnect cloud administrators. Using spear-phishing emails sent from compromised Amazon accounts, attackers aim to steal super-admin credentials, which provide deep access to remote management environments.
What You Should Know:
- The phishing kits use EvilGinx adversary-in-the-middle tooling to bypass MFA.
- With stolen credentials, attackers can deploy their own ScreenConnect instances across multiple systems, facilitating lateral movement.
- The campaign is linked to the Qilin ransomware group, whose affiliates have used the access to exfiltrate, encrypt, and ransom organizational data.
- Incident responders have observed attacks against managed service providers and enterprises, underscoring the scale of exposure.
Recommended Actions:
- Warn and retrain admins on ScreenConnect phishing impersonations
- Enforce phishing-resistant MFA (e.g., FIDO2, hardware keys)
- Audit and rotate privileged accounts; minimize super-admin access
- Monitor for new or unauthorized ScreenConnect installations in your environment
Alert: Microsoft Exchange Vulnerability Could Enable Domain-Wide Compromise
Mon, August 11
CISA and Microsoft have issued urgent guidance on CVE-2025-53786, a high-severity flaw in on-premises Microsoft Exchange servers. If exploited, the vulnerability could allow an attacker who already has admin-level access to escalate privileges and compromise both on-premises and cloud-based identities in hybrid deployments.
What You Should Know:
- Applies to on-premises Exchange servers in hybrid or standalone environments
- Poses a risk of total domain compromise if unpatched
- End-of-life versions, such as SharePoint Server 2013, should be taken offline
- No confirmed exploitation yet, but both CISA and Microsoft are urging immediate mitigation
Recommended Actions:
- Apply Microsoft’s April 2025 (or later) hotfix and follow all configuration changes from the April 18 guidance
- Remove public access to unsupported Exchange and SharePoint servers
- Audit and monitor privileged accounts for suspicious activity
- Follow CISA’s emergency directive timelines if applicable
Alert: Dell Security Chips Firmware-Level Vulnerability
Fri, August 8
Security researchers at Cisco Talos have disclosed critical firmware vulnerabilities in Broadcom’s ControlVault chip, used in over 100 models of Dell Latitude and Precision laptops. The flaws allow attackers to access, exfiltrate, and modify sensitive credential stores below the OS level, where traditional security tools cannot see them.
What You Should Know:
ControlVault is designed as a hardware “vault” for biometric templates, smartcard credentials, and encryption keys. The vulnerabilities, including CVE-2025-24919, enable:
- Remote access without admin privileges using Windows APIs
- Out-of-bounds reads and writes that expose and modify sensitive memory
- Code execution within the chip to embed persistent, undetectable malware
- Credential theft or destruction with long-term operational consequences
Impacted systems are used in sectors requiring elevated security postures, including cybersecurity, government, and ruggedized field deployments.
Recommended Actions:
- Patch all impacted Dell devices with the latest ControlVault firmware
- Validate security policies around biometric or smartcard authentication
- Re-key and re-authenticate users in high-trust roles if compromise is suspected
- Harden endpoint privilege access to avoid remote code execution triggers
Alert: SonicWall VPNs Actively Exploited in Zero-Day Ransomware Attacks
Wed, August 6
A fast-moving ransomware campaign is actively exploiting a likely zero-day vulnerability in SonicWall Gen 7 firewall SSL VPNs. Multiple external response teams and researchers have confirmed that attackers are gaining access to environments, including ones that are fully patched and secured with MFA.
What You Should Know:
- Over 20 confirmed intrusions observed since July 25
- Ransomware deployed by the Akira group
- SonicWall has acknowledged the issue but has not yet released a patch
- Access vectors appear tied directly to SSL VPN services
- Huntress and Arctic Wolf are urging organizations to take affected systems offline now
Recommended Actions:
- Disable SSL VPN on Gen 7 SonicWall devices immediately
- Scan firewall logs for unusual activity, especially reboots or access failures
- Review and rotate privileged credentials
- Strengthen lateral movement defenses and ransomware response plans
Alert: AI Code Assistants Under Attack
Wed, July 30
Two separate incidents involving Amazon and Google show that AI-powered development tools are now viable targets for attackers. With deep access to developer environments, weak authentication controls, and high trust, these tools create new risk surfaces across the software supply chain.
Incident #1: Amazon Q Developer Extension
A malicious actor injected code into Amazon Q’s GitHub repo via an unverified pull request. The altered version (1.84.0) was published to nearly a million users through the VS Code marketplace. While the injected code was malformed, the incident demonstrated how workflow misconfigurations can turn helpful extensions into attack vectors.
Incident #2: Google Gemini CLI Flaw
A vulnerability in Gemini CLI’s setup workflow allowed attackers to hijack authentication tokens and silently execute commands on developer systems. The issue was fixed, but not before showing how token handling flaws can create remote execution paths.
Recommended Actions:
- Patch Amazon Q Developer to v1.85.0
- Audit permission scopes for CLI and IDE extensions
- Harden GitHub workflows and authentication tokens
- Treat AI development tools as privileged software, because they are
Alert: PaperCut Remote Code Execution Vulnerability
Wed, July 30
CISA has confirmed active exploitation of CVE-2023-2533, a remote code execution vulnerability in PaperCut NG/MF. The flaw allows unauthenticated attackers to execute code on vulnerable servers via the SetupCompleted configuration page.
What You Should Know:
- Exploited in the wild, this bug poses a major risk to organizations using PaperCut to manage print services.
- Attackers can bypass authentication, run malicious code, and gain full control of the affected systems.
Recommended Actions:
- Apply PaperCut patches immediately
- Restrict PaperCut access to internal networks only
- Review logs for any unusual SetupCompleted access
- Isolate print servers from business-critical assets
Alert: Scattered Spider Expands to Insurance & Airlines with Deepfake and Vishing Campaigns
Thurs, July 16
Scattered Spider, known for targeting retailers, has expanded into the insurance sector and now the airline sector. Their updated campaign uses deepfake video calls, vishing, and in-platform impersonation to defeat MFA and trick employees.
What You Should Know:
- Google TAG confirms the shift to insurance; the FBI warns that airlines are now at risk.
- The group exploits human trust, posing as IT support to bypass MFA, and uses collaboration apps and deepfake tools to access systems without technical exploits.
Recommended Actions:
- Educate staff on multi-channel impersonation across video, voice, and chat
- Restrict remote-access tool installations to official channels
- Monitor for anomalous activity in help-desk and ticketing platforms
- Verify all MFA and support requests with strict multi-factor verification
Alert: New Citrix Bleed 2 Vulnerability Exposes NetScaler Systems
Thurs, June 25
Citrix has disclosed a new critical vulnerability in NetScaler ADC and Gateway (CVE-2025-5777), dubbed CitrixBleed 2. The flaw allows unauthenticated attackers to extract sensitive data directly from system memory, including session tokens, credentials, and encryption keys.
What You Should Know:
- Though no exploitation has yet been confirmed, experts predict that attacks are likely imminent.
- The vulnerability affects common NetScaler configurations for remote access (VPN, ICA Proxy, CVPN, RDP Proxy) used by many large enterprises.
- Attackers can exploit this weakness without user interaction or credentials.
Recommended Actions:
- Apply Citrix security updates immediately
- Verify all external-facing NetScaler appliances are patched
- Execute the Citrix-recommended commands after patching to terminate active sessions, since tokens stolen before the patch remain valid until those sessions are killed
- Monitor logs for signs of unauthorized session access
Alert: Microsoft Copilot Zero-Click Vulnerability
Thurs, June 12
Microsoft has patched a zero-click vulnerability in Copilot, the AI assistant integrated into Microsoft 365. The flaw allowed attackers to extract internal data by embedding malicious prompts in emails, without the user clicking or responding.
What You Should Know:
This is the first known exploit of its kind involving an enterprise AI assistant. The vulnerability, CVE-2025-32711, was significant because it demonstrated how prompt injection could be weaponized for real-world data theft without user interaction. The incident underscores the importance of visibility and control over AI-assisted workflows.
Recommended Actions:
- Audit Copilot activity logs for unusual data access patterns
- Evaluate where AI may interact with sensitive business information
- Train users on risks tied to AI-generated email content
- Begin establishing monitoring protocols for future AI-driven features
Alert: Salesforce Apps Targeted via OAuth Abuse
Thurs, June 05
Google’s Threat Analysis Group has warned of a campaign in which attackers are abusing OAuth permissions to gain persistent access to Salesforce accounts. Once in, they install malicious applications capable of data theft or malware deployment.
What You Should Know:
OAuth-based attacks bypass login credentials entirely: the victim grants an application a token, so traditional controls such as MFA or login alerts do not detect the access. The risk is elevated for any organization with widely used or lightly monitored SaaS platforms.
Recommended Actions:
- Review and restrict third-party app access in Salesforce
- Audit OAuth token logs and scopes for abnormalities
- Remove unused or suspicious integrations
- Train staff on the risks of app authorization and fake consent screens
Alert: Google Calendar Used to Deliver Malware
Fri, May 30
China-linked APT41 is leveraging Google Calendar to stealthily deliver malware. Victims receive calendar invites with malicious URLs disguised as event details, leading to second-stage malware.
What You Should Know:
This method blends into daily workflow and is unlikely to trigger traditional email filters. It is a reminder that even trusted cloud platforms can be weaponized.
Recommended Actions:
- Monitor for abnormal calendar event creation
- Enforce calendar URL scanning and restriction policies
- Train staff to flag suspicious event invites
- Evaluate Google Workspace settings for risk reduction
Alert: Fake Bitdefender Website Spreading VenomRAT and Credential-Stealing Malware
Fri, May 30
Threat actors have created a convincing fake Bitdefender website to spread malware. Unsuspecting users who download software from the site receive VenomRAT or a credential-harvesting infostealer.
What You Should Know:
This campaign targets users seeking legitimate antivirus protection, turning their search into an infection. The malicious downloads bypass some endpoint tools by trading on trusted branding.
Recommended Actions:
- Block impersonation domains and scan installer traffic
- Educate users on software sourcing hygiene
- Monitor for RAT behavior and credential leaks
- Review endpoint protection efficacy against sideloaded threats
Alert: Data Exfiltration Risk via NodeSnake RAT in New Ransomware Campaign
Fri, May 30
New Interlock ransomware is being deployed alongside NodeSnake, a JavaScript-based RAT. This tactic allows threat actors to silently exfiltrate data before executing encryption, increasing the impact and complexity of response.
What You Should Know:
This is a dual-pronged attack. Even with backups in place, stolen data can lead to compliance risks, legal exposure, and leverage for extortion. Detection and prevention must extend beyond traditional ransomware defenses.
Recommended Actions:
- Strengthen detection rules for JavaScript and fileless malware activity.
- Monitor endpoints and cloud workloads for NodeSnake behavior.
- Enforce DLP policies and inspect outbound traffic for signs of exfiltration.
- Adapt ransomware response plans to cover data theft before encryption.
Alert: Commvault Vulnerabilities
Wed, May 28
CISA has issued a new alert detailing active exploitation of critical vulnerabilities in Commvault software, a widely used backup and recovery platform. Threat actors are leveraging these flaws to gain remote access, exfiltrate data, and move laterally into cloud environments.
What You Should Know:
These vulnerabilities are actively being exploited in the wild. If left unaddressed, they create a clear path for attackers to escalate privileges and compromise critical cloud systems.
Steps to take now:
- Patch all exposed Commvault instances, especially those accessible from the internet.
- Audit cloud and backup integrations for unusual behavior.
- Strengthen identity controls to prevent lateral movement.
- Hunt for activity tied to CVE-2025-3928 and related indicators of compromise.
Alert: "Fast Flux" Ransomware Tactic
Mon, Apr 7
A joint advisory from the U.S., Australia, and Canada highlights a growing ransomware tactic: fast-flux DNS, a technique that rapidly rotates IP addresses and domains to evade detection and takedown. Cybercriminal groups like LockBit and Black Basta, with links to Russia, are actively using it to target sectors including healthcare, government, and critical infrastructure.
Why it matters to you:
• Fast-flux makes ransomware infrastructure harder to trace, contain, and take down
• Traditional defenses may not detect this level of infrastructure agility
• The tactic signals a continued evolution in attacker sophistication
📌 Next steps: Ensure your teams are evaluating DNS-layer defense strategies and securing offline backups.
Alert: Unpatched Microsoft Windows Shortcut .lnk Active Exploit
Tues, Mar 18
A critical Windows zero-day vulnerability, identified as ZDI-CAN-25373, is currently being actively exploited by nation-state threat actors. This flaw allows attackers to execute hidden malicious commands via specially crafted Windows shortcut (.lnk) files. The vulnerability has been present for at least eight years and was reported six months ago, but it remains unpatched by Microsoft.
Nation-state actors from North Korea, Iran, Russia, and China are leveraging this exploit to conduct cyber espionage and financial crimes, particularly targeting cryptocurrency platforms and sensitive government data.
To mitigate the risk, please take the following immediate actions:
• Monitor for suspicious .lnk files: Scan systems for shortcut files that may contain embedded malicious commands.
• Restrict execution of unknown shortcuts: Prevent the automatic execution of .lnk files from untrusted sources.
• Use endpoint detection and response (EDR) solutions: Deploy advanced security tools to detect anomalous behavior linked to shortcut exploitation.
• Educate employees: Train staff to recognize suspicious files and avoid executing unknown shortcuts.
Given the severity and active exploitation of ZDI-CAN-25373, it is imperative to assess your exposure and strengthen defenses accordingly.
Alert: Fortinet Bug Active Exploit
Tues, Mar 18
