xHunt APT campaign targets Kuwait using Exchange & IIS exploits.
Custom PowerShell backdoors like Hisoka & TriFive enable stealth C2 via email drafts.
https://www.technadu.com/xhunt-apt-group-spies-on-kuwait-leveraging-microsoft-exchange-iis-and-custom-backdoors/613022/

#CyberSecurity #APT #xHunt #Kuwait #ExchangeServer

So companies want to keep their #ExchangeServer, and then they don't update it. Yes, yes, I am well aware of the costs and of a few questions around that. I haven't been doing this stuff for so long for nothing. Anyway, I have written a few words about it.

https://www.henning-uhle.eu/informatik/schutzlose-exchange-server?pk_campaign=mastodon

Defenseless Exchange Servers

Henning Uhle

What am I reading here? There are still thousands of defenseless Exchange servers because they are simply outdated? We need to discuss that here. I mean, I do understand that an extremely important server application like Exchange Server cannot just be rushed onto a new version. But honestly: this extremely important server application in an outdated version is then also an extremely large security risk.

[…]

https://www.henning-uhle.eu/informatik/schutzlose-exchange-server

@patrickcmiller and still only @Viss recommends putting #ExchangeServer behind #HAProxy with #mTLS
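
The setup @Viss is credited with above, as an added example that is not part of the original post: a minimal HAProxy front end that terminates TLS, refuses the handshake unless the client presents a certificate from a private CA, exposes only the Exchange virtual directories clients need, and re-encrypts to the Exchange server. Hostnames, certificate paths, the backend address and the header names are assumptions.

```haproxy
# Added example: HAProxy 2.x as an mTLS gateway in front of on-prem Exchange.
# Assumptions: server cert+key at /etc/haproxy/certs/mail.example.com.pem,
# client CA at /etc/haproxy/certs/client-ca.pem (with CRL), Exchange at 10.0.10.21.
global
    log stdout format raw local0
    # TLS 1.2+ only on the internet-facing side
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  120s
    timeout server  120s

frontend exchange_mtls
    # verify required: the TLS handshake fails unless the client certificate
    # chains to client-ca.pem and is not on the CRL. Nothing reaches Exchange otherwise.
    bind :443 ssl crt /etc/haproxy/certs/mail.example.com.pem ca-file /etc/haproxy/certs/client-ca.pem verify required crl-file /etc/haproxy/certs/client-ca.crl

    # Admin center and remote PowerShell are never published to the internet
    http-request deny if { path_beg -i /ecp } || { path_beg -i /powershell }

    # Only the virtual directories Outlook, OWA and ActiveSync actually use
    acl exchange_vdir path_beg -i /owa /ews /mapi /oab /autodiscover /microsoft-server-activesync /rpc
    http-request deny unless exchange_vdir

    # Hand the authenticated client identity to Exchange / the SIEM (assumed header names)
    http-request set-header X-Client-Cert-Subject %[ssl_c_s_dn]
    http-request set-header X-Client-Cert-Serial  %[ssl_c_serial,hex]

    default_backend exchange_cas

backend exchange_cas
    # Exchange managed-availability probe page
    option httpchk GET /owa/healthcheck.htm
    http-check expect status 200
    # Re-encrypt to Exchange and verify its certificate against the internal CA
    server ex01 10.0.10.21:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem sni str(mail.example.com) check
```

Two caveats a practitioner should weigh before deploying this: every device that talks to Exchange over HTTPS (phones via ActiveSync, Outlook, OWA users) must carry a client certificate from client-ca.pem, since anything without one is rejected at the handshake, and SMTP on port 25 is untouched because this is an HTTP-mode front end. If Extended Protection is enabled on the Exchange server, Microsoft's guidance is that TLS bridging of this kind only works when the proxy and Exchange present the same certificate, so mail.example.com.pem and the certificate bound in IIS on ex01 need to be identical.
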

Exchange in Germany: a legacy problem that was announced well in advance! Tens of thousands of on-prem Exchange servers in Germany are still exposed, often unpatched, outdated and with openly reachable services. As long as central communication systems are not treated as production assets of the "business-critical" tier, Exchange remains the perfect entry point, not because of APT magic but because of management deficits. #CyberSecurity #ExchangeServer #PatchManagement #BSI #Ransomware #EoL

Alright team, it's been a busy 24 hours in the cyber world! We've got a fair bit to cover today, from significant breaches and nation-state activity to new malware techniques and critical vulnerability patches. Let's dive in:

Recent Cyber Attacks & Breaches 🚨

- BPO giant Conduent confirmed a 2024 data breach impacting over 10.5 million individuals, exposing names, SSNs, DOBs, and health information. The Safepay ransomware gang claimed responsibility, with the compromise dating back to October 2024.
- The UK's People's Postcode Lottery experienced a "technical error" that briefly exposed customer names, addresses, emails, and dates of birth to other users. While quickly contained and affecting only 0.1% of players, it highlights the risks of internal system misconfigurations.
- Canadian critical infrastructure, including municipal water, oil & gas, and farm systems, was breached by hacktivists who manipulated operational controls, creating potentially unsafe conditions. These opportunistic attacks targeted internet-accessible industrial control systems (ICS) and highlight the persistent vulnerability of OT environments.
- Telecom services provider Ribbon Communications disclosed a nation-state breach of its IT network, active since December 2024. Attackers accessed customer files on two non-networked laptops, with the incident bearing resemblance to China's Salt Typhoon campaigns.
- A former L3Harris Trenchant general manager, Peter Williams, pleaded guilty to stealing eight US government-exclusive cyber exploit components and selling them for $1.3 million in cryptocurrency to a Russian broker, likely Operation Zero. This insider threat directly armed Russian cyber actors against US interests.
- China-affiliated UNC6384 (aka Mustang Panda) launched a cyber-espionage campaign targeting diplomatic entities in Belgium, Hungary, Italy, Netherlands, and Serbian government aviation. They used spearphishing with European conference lures, exploiting an unpatched Windows shortcut vulnerability (ZDI-CAN-25373 / CVE-2025-9491) to deploy PlugX malware.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/bpo-giant-conduent-confirms-data-breach-impacts-105-million-people/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/30/peoples_postcode_lottery_breach/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/30/cyberpunks_mess_with_canada_s_water_energy_and_farm_systems/
🗞️ The Record | https://therecord.media/canada-ics-hacktivists-tampering-cyber-centre-alert
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/major-telecom-services-provider-ribbon-breached-by-state-hackers/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/ex-l3harris-exec-guilty-of-selling-cyber-exploits-to-russian-broker/
🗞️ The Record | https://therecord.media/diplomatic-entities-in-belgium-and-hungary-hacked-in-china-linked-spy-campaign
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/30/suspected_chinese_snoops_abuse_unpatched/

New Threat Research & Malware 🛡️

- Researchers discovered 10 malicious npm packages using typosquatting to distribute a multi-platform infostealer targeting Windows, Linux, and macOS. These packages, with nearly 10,000 downloads, used multi-layered obfuscation and fake CAPTCHA challenges to steal credentials, browser data, SSH keys, and API tokens.
- A new supply chain attack, "PhantomRaven," injected 126 credential-stealing packages into the npm registry. These packages use "Remote Dynamic Dependencies" (RDD) to fetch malicious payloads post-installation, bypassing static analysis tools and stealing sensitive developer tokens and credentials.
- The open-source command-and-control framework AdaptixC2, designed for red teamers, is being actively abused by Russia-linked cybercriminals in ransomware campaigns, including distributing CountLoader malware. This highlights the ongoing challenge of dual-use tools in the cyber ecosystem.
- NFC relay malware is seeing a massive surge in Eastern Europe, with over 760 malicious Android apps identified. These apps abuse Android's Host Card Emulation (HCE) to steal or emulate contactless payment data, often impersonating legitimate banking apps or Google Pay.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/malicious-npm-packages-fetch-infostealer-for-windows-linux-macos/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/30/phantomraven_npm_malware/
🗞️ The Record | https://therecord.media/open-source-adaptixc2-red-teaming-tool-russian-cybercrime
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/massive-surge-of-nfc-relay-malware-steals-europeans-credit-cards/

Vulnerabilities & Patches 🩹

- Docker Compose has a high-severity path traversal vulnerability (CVE-2025-62725, CVSS 8.9) in its OCI artifact handling, allowing attackers to write arbitrary files on the host. Additionally, the Docker Desktop Windows Installer was patched for a DLL injection flaw (EUVD-2025-36191, CVSS 8.8). Users should upgrade to Compose v2.40.2 and Desktop 4.49.0 immediately.
- CISA has ordered US federal agencies to patch a high-severity privilege escalation vulnerability in Broadcom's VMware Aria Operations and VMware Tools (CVE-2025-41244). This flaw, exploited by Chinese state-sponsored threat actors (UNC5174) since October 2024, allows local non-admin users to gain root privileges on VMs.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/30/docker_compose_desktop_flaws/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-vmware-tools-flaw-exploited-since-october-2024/

Threat Landscape & Defenses 📊

- Google's AI defenses on Android are blocking over 10 billion suspected malicious calls and messages monthly, including 100 million suspicious numbers from using RCS. Scammers primarily use employment fraud and financial lures, employing "Spray and Pray" or "Bait and Wait" tactics, often via group chats to appear more legitimate.
- CISA and NSA, joined by Australian and Canadian partners, released comprehensive guidance for hardening Microsoft Exchange servers. Key recommendations include robust authentication (MFA, Modern Auth, OAuth 2.0), minimizing attack surface, strong network encryption (TLS, Extended Protection), and decommissioning end-of-life servers. This follows a CISA directive on a high-severity Exchange hybrid vulnerability (CVE-2025-53786).

🚨 The Hacker News | https://thehackernews.com/2025/10/googles-built-in-ai-defenses-on-android.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/cisa-and-nsa-share-tips-on-securing-microsoft-exchange-servers/

Data Privacy & Policy 🔒

- WhatsApp is rolling out passkey-encrypted chat backups for iOS and Android, allowing users to secure their chat history with biometrics, PIN, or screen lock. This significantly enhances security by keeping private keys on the device, preventing theft in data breaches.
- Proton launched its Data Breach Observatory to publicly expose corporate infosec cover-ups by monitoring dark web sources for breaches not disclosed to regulators. The service aims to increase transparency and help SMBs understand and mitigate risks, having already identified 300 million records across 794 attacks this year.
- A coalition of over 30 advocacy groups has urged the FTC to block Meta from using chatbot interactions for targeted advertising and content personalization without opt-in consent. They argue this constitutes illegal unfair and deceptive practices, highlighting the growing "AI trust crisis."

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/whatsapp-adds-passwordless-chat-backups-on-ios-and-android/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/30/proton_data_breach_observatory/
🗞️ The Record | https://therecord.media/coalition-calls-on-ftc-to-block-meta-chatbot-privacy

Regulatory & Government Issues 🏛️

- Despite the expiration of the 2015 Cybersecurity Information Sharing Act (CISA 2015), a senior CISA official noted that cyber threat information sharing between the US government and industry remains steady. However, CISA is pushing for a 10-year reauthorization, calling the law "core and critical" for managing risk across the ecosystem.
- France is embracing the decentralised Matrix network for its secure instant messaging service, Tchap, used by over 600,000 public officials. This move, including becoming the first country to pay for Matrix.org Foundation membership, reflects a broader European trend towards digital sovereignty and reducing reliance on closed, potentially insecure platforms.

🗞️ The Record | https://therecord.media/cyber-info-sharing-holding-steady-official-says
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/30/france_matrix/

#CyberSecurity #ThreatIntelligence #DataBreach #NationState #Hacktivism #Malware #SupplyChainAttack #NPM #Vulnerability #Docker #VMware #ExchangeServer #DataPrivacy #AI #Scams #InfoSec #IncidentResponse

BPO giant Conduent confirms data breach impacts 10.5 million people

American business services giant Conduent has confirmed that a 2024 data breach has impacted over 10.5 million people, according to notifications filed with the US Attorney General's offices.

BleepingComputer

BSI warning: more than 30,000 outdated Exchange servers in Germany

In October Microsoft also cut off updates for Exchange Server 2016 and 2019. The BSI warns of tens of thousands of outdated servers.

heise online

BSI warns: tens of thousands of Exchange servers without protection. Support is gone, the risk remains

End of support for Exchange 2016/2019. The BSI reports more than 30,000 legacy servers in Germany. What to do now, and why waiting gets expensive.

techUpdate.io
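
The first step behind the BSI count above and the "decommission end-of-life servers" item in the CISA/NSA guidance earlier on this page is knowing which of your own servers are out of support. The following Python classifier is an added example, not code from any post or article on this page: it maps Exchange build numbers to product and end-of-support date. The input format is the AdminDisplayVersion string that Get-ExchangeServer returns; the sample inventory is constructed, and the threshold treating 15.2.2562.x as the first Exchange Server SE build is an assumption to verify against Microsoft's build-number table.

```python
"""Classify on-prem Exchange servers by Microsoft lifecycle state.

Added example; not code from any post or article on this page.
Input is the AdminDisplayVersion string that Get-ExchangeServer returns
('Version 15.1 (Build 2507.6)') or a dotted build ('15.2.2562.17').
End-of-support dates are Microsoft's published fixed-lifecycle dates.
ASSUMPTION: 15.2.2562.x is treated as the first Exchange Server SE build;
verify against Microsoft's Exchange build-number table before relying on it.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

SE_FIRST_BUILD = 2562  # assumption, see module docstring

# Matches 'Version 15.1 (Build 2507.6)' as well as '15.1.2507.6'
VERSION_RE = re.compile(
    r"(?:Version\s+)?(\d+)\.(\d+)(?:\s*\(Build\s+|\.)(\d+)\.(\d+)\)?", re.I
)


@dataclass(frozen=True)
class Assessment:
    server: str
    product: str
    build: str
    end_of_support: Optional[date]  # None: Modern Lifecycle, no fixed date
    unsupported: bool
    days_past_eos: int  # 0 while still within support


def parse_build(version: str) -> tuple[int, int, int, int]:
    """Return (major, minor, build, revision) from an Exchange version string."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised Exchange version string: {version!r}")
    major, minor, build, rev = (int(g) for g in m.groups())
    return major, minor, build, rev


def identify(major: int, minor: int, build: int) -> tuple[str, Optional[date]]:
    """Map a build to (product name, end-of-support date)."""
    if major == 8:
        return "Exchange Server 2007", date(2017, 4, 11)
    if major == 14:
        return "Exchange Server 2010", date(2020, 10, 13)
    if (major, minor) == (15, 0):
        return "Exchange Server 2013", date(2023, 4, 11)
    if (major, minor) == (15, 1):
        return "Exchange Server 2016", date(2025, 10, 14)
    if (major, minor) == (15, 2):
        if build >= SE_FIRST_BUILD:  # assumption: SE shares 15.2 with 2019
            return "Exchange Server SE", None
        return "Exchange Server 2019", date(2025, 10, 14)
    raise ValueError(f"unknown Exchange product for build {major}.{minor}.{build}")


def assess(server: str, version: str, today: Optional[date] = None) -> Assessment:
    """Assess one server; 'today' is injectable so results are reproducible."""
    today = today or date.today()
    major, minor, build, rev = parse_build(version)
    product, eos = identify(major, minor, build)
    unsupported = eos is not None and today > eos
    return Assessment(
        server=server,
        product=product,
        build=f"{major}.{minor}.{build}.{rev}",
        end_of_support=eos,
        unsupported=unsupported,
        days_past_eos=(today - eos).days if unsupported else 0,
    )


def unsupported_servers(inventory, today: Optional[date] = None) -> list[Assessment]:
    """Filter an inventory of (name, version) pairs down to out-of-support servers."""
    return [a for a in (assess(n, v, today) for n, v in inventory) if a.unsupported]


# Constructed sample inventory, in the shape of
#   Get-ExchangeServer | Select-Object Name, AdminDisplayVersion
SAMPLE_INVENTORY = [
    ("EX2013-01", "Version 15.0 (Build 1497.2)"),
    ("EX2016-01", "Version 15.1 (Build 2507.6)"),
    ("EX2019-01", "Version 15.2 (Build 1748.10)"),
    ("EXSE-01", "15.2.2562.17"),
]

if __name__ == "__main__":
    for a in (assess(n, v) for n, v in SAMPLE_INVENTORY):
        state = f"OUT OF SUPPORT for {a.days_past_eos} days" if a.unsupported else "supported"
        print(f"{a.server:10} {a.product:22} {a.build:14} {state}")
```

In practice you export the real inventory with Get-ExchangeServer and feed the (Name, AdminDisplayVersion) pairs to unsupported_servers. A "supported" verdict here only means the product line still receives fixes; it says nothing about whether the server is on the current CU and Security Update, which is the separate check the hardening guidance on this page also asks for.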

Chinese APT #PhantomTaurus breached MS Exchange servers over 3 years, using fileless backdoors and memory loaders to spy on diplomatic and military data.

Read: https://hackread.com/chinese-apt-phantom-taurus-ms-exchange-servers/

#Cybersecurity #China #APT #ExchangeServer #IIServerCore #Infosec

Chinese APT Phantom Taurus Targeted MS Exchange Servers Over 3 Years

Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto