Alright team, it's been a pretty packed 24 hours in the cyber world! We've got a mix of active nation-state campaigns, critical vulnerabilities under exploitation, some interesting cybercrime trends, and a few head-scratchers on the regulatory front. Let's dive in:
Recent Cyber Attacks & Breaches 🚨
- US Municipalities Under Attack: Several US local governments, including Kaufman County (TX) and La Vergne (TN), have suffered cyber incidents disrupting public services. This highlights the ongoing vulnerability of local government infrastructure, exacerbated by recent lapses in federal cybersecurity funding and support.
- Insider Threat at L3Harris: A former L3Harris Technologies executive is accused of stealing highly sensitive trade secrets from the company's cyber division and selling them to a Russian buyer for $1.3 million. This underscores the persistent and severe risk posed by insider threats, especially in defence and intelligence sectors.
- Starlink Used by Myanmar Fraudsters: SpaceX has proactively disabled over 2,500 Starlink terminals in Myanmar that were found to be powering human trafficking and cyber-fraud operations in lawless border zones. This move follows a military raid on a major scam compound and highlights the dual-use nature of advanced technologies and the challenges of preventing their misuse by criminal groups.
🗞️ The Record | https://therecord.media/cyber-incidents-texas-tennessee-indiana
🤫 CyberScoop | https://cyberscoop.com/ex-l3harris-executive-accused-of-selling-trade-secrets-to-russia/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/23/spacex_starlink_myanmar/
New Threat Research & Tradecraft 🛡️
- MuddyWater's Phoenix Backdoor: Iranian state-sponsored group MuddyWater (aka Static Kitten, Mercury, Seedworm) has been observed targeting over 100 government and international organisations in the Middle East and North Africa. They're using phishing emails with malicious Word documents (macros) to deploy the Phoenix v4 backdoor, which includes COM-based persistence and a custom browser infostealer. This marks a return to older macro-based techniques, suggesting a blend of old and new tradecraft.
- Jingle Thief's Cloud Gift Card Fraud: A financially motivated group, "Jingle Thief" (CL-CRI-1032, Atlas Lion, Storm-0539), is exploiting cloud infrastructure to steal millions in gift cards. They use phishing/smishing to gain initial access, then conduct extensive reconnaissance within compromised cloud environments, leveraging identity misuse rather than custom malware for stealth and persistence, often maintaining access for over a year.
- Lazarus Group Targets UAV Sector: North Korean Lazarus hackers are back with "Operation DreamJob," using fake recruitment lures to compromise three European defence companies involved in unmanned aerial vehicle (UAV) technology. The attack chain involves DLL sideloading via trojanised open-source applications, ultimately deploying the sophisticated ScoringMathTea RAT or BinMergeLoader.
- Smishing Triad's Massive Phishing Operation: Researchers have uncovered "Smishing Triad," a large-scale, Chinese-managed phishing campaign using text messages. It leverages ~195,000 malicious domains, impersonating a wide range of services from toll roads and postal services to financial institutions, with a focus on harvesting sensitive data for future attacks. The operation is highly modular and rapidly churns through infrastructure.
- YouTube Ghost Network Spreads Malware: Google and Check Point have dismantled a "YouTube Ghost Network" that spread password-stealing malware (Rhadamanthys, Lumma) through over 3,000 hijacked YouTube accounts. The campaign used fake tutorials for cracked software and game cheats, leveraging social credibility with fake comments and likes to trick users into disabling AV and downloading infostealers from cloud storage.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/iranian-hackers-targeted-over-100-govt-orgs-with-phoenix-backdoor/
🗞️ The Record | https://therecord.media/iran-muddywater-phishing-campaign-north-africa-middle-east
📰 The Hacker News | https://thehackernews.com/2025/10/jingle-thief-hackers-exploit-cloud.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/north-korean-lazarus-hackers-targeted-european-defense-companies/
🤫 CyberScoop | https://cyberscoop.com/unit-42-chinese-language-phishing-operation-smishing-triad/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/23/youtube_ghost_network_malware/
Actively Exploited Vulnerabilities & Mitigations ⚠️
- Adobe Commerce (Magento) Flaw Exploited: Threat actors are actively exploiting CVE-2025-54236 (CVSS 9.1), an improper input validation flaw in Adobe Commerce and Magento Open Source. This "SessionReaper" vulnerability allows account takeovers via the Commerce REST API, leading to PHP webshell deployment. A staggering 62% of Magento stores remain unpatched, making immediate action critical.
- Motex Lanscope Endpoint Manager Zero-Day: CISA has added CVE-2025-61932 (CVSS 9.3) in Motex Lanscope Endpoint Manager to its KEV catalog, confirming active exploitation as a zero-day. This critical flaw allows unauthenticated attackers to execute arbitrary code by sending specially crafted packets to vulnerable client programs and detection agents. Patching is the only solution, with a federal deadline of November 12, 2025.
- AI Browser Sidebar Spoofing: OpenAI's Atlas and Perplexity's Comet AI browsers are vulnerable to "AI Sidebar Spoofing" attacks. Researchers demonstrated how a malicious browser extension can inject JavaScript to create a fake AI sidebar identical to the real one, tricking users into carrying out dangerous actions such as crypto theft or reverse shell installation. Users should be cautious and limit sensitive activities on these browsers.
- Microsoft Blocks NTLM Theft via File Explorer: Microsoft has implemented a crucial security update, disabling File Explorer's preview pane for files downloaded from the internet (marked with Mark of the Web). This change, part of the October 2025 Patch Tuesday, prevents NTLM hash theft attacks that previously required no user interaction beyond selecting a malicious file for preview.
📰 The Hacker News | https://thehackernews.com/2025/10/over-250-magento-stores-hit-overnight.html
📰 The Hacker News | https://thehackernews.com/2025/10/critical-lanscope-endpoint-manager-bug.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/cisa-warns-of-lanscope-endpoint-manager-flaw-exploited-in-attacks/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/spoofed-ai-sidebars-can-trick-atlas-comet-users-into-dangerous-actions/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-preview-pane-for-downloads-to-block-ntlm-theft-attacks/
Threat Landscape Commentary 🌐
- CDM Program's Visibility Gaps: CISA's Continuous Diagnostics and Mitigation (CDM) program, despite significant investment, struggles with visibility into edge devices like F5 BIG-IP load balancers. This was highlighted by a recent F5 vulnerability, underscoring that CDM's traditional focus on internal networks leaves gaps for modern attack vectors like OT/IoT and cloud-native resources.
- Managed Identities Over Static Secrets: Organisations are increasingly moving away from static secrets (API keys, passwords) towards managed identities for machine authentication. This shift dramatically reduces credential management overhead and leakage risks, offering short-lived, auto-rotated credentials. While not a complete replacement for secret managers, it's a strategic move to reduce the "secret footprint" by 70-80%.
🤫 CyberScoop | https://cyberscoop.com/f5-vulnerability-highlights-weak-points-in-dhss-cdm-program/
📰 The Hacker News | https://thehackernews.com/2025/10/why-organizations-are-abandoning-static.html
Regulatory & Legal Updates ⚖️
- UK Cyber Law Delays: British MPs are "deeply concerned" about ongoing delays to the UK's Cyber Security and Resilience Bill and proposed ransomware policies. These policies aim to ban ransomware payments for public sector/critical infrastructure and mandate reporting, but legislative inertia is seen as increasing national vulnerability.
- Polish Official Indicted for Spyware Purchase: Poland's former deputy justice minister, Michał Woś, has been indicted for illegally diverting $6.9 million from a crime victim fund to purchase NSO Group's Pegasus spyware. This is part of a broader investigation into the controversial use of Pegasus against opposition politicians.
- NY DFS Updates Third-Party Risk Guidance with AI: The New York Department of Financial Services (DFS) has updated its third-party risk guidance for financial services, adding provisions for AI. While not imposing new requirements, it clarifies expectations for managing risks associated with vendors, particularly regarding AI model training and data handling, in light of increasing reliance on third-party cloud services.
- Trump Pardons Former Binance CEO: Former Binance CEO Changpeng Zhao (CZ) has received a presidential pardon from Donald Trump, following his guilty plea in 2023 for failing to report illicit cryptocurrency transactions. This controversial move, framed as ending the "war on cryptocurrency," raises questions about the future of Binance's compliance obligations and the broader regulatory landscape for crypto.
🗞️ The Record | https://therecord.media/britain-cyber-law-delays-opposition-mps-warning
🗞️ The Record | https://therecord.media/former-polish-official-indicted-spyware-probe
🤫 CyberScoop | https://cyberscoop.com/new-york-third-party-risk-guidance-ai-update-financial-services/
🗞️ The Record | https://therecord.media/changpeng-zhao-former-binance-ceo-pardoned-donald-trump
#CyberSecurity #ThreatIntelligence #Vulnerabilities #APT #Ransomware #Malware #ZeroDay #ActiveExploitation #Smishing #Phishing #CloudSecurity #ManagedIdentities #RegulatoryCompliance #Cybercrime #InfoSec #IncidentResponse