CTO at NCSC Summary: week ending October 12th
Strengthening national cyber resilience through observability and threat hunting..
Welcome to the weekly highlights and analysis of the blueteamsec (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week there was nothing much of note beyond the Oracle Security Alert Advisory for CVE-2025-61882. More generally, though, you will see from the items below that there is still a lot going on.
In the high-level this week:
Strengthening national cyber resilience through observability and threat hunting - NCSC UK call to arms - “we urge organisations and their external providers to develop and/or optimise both their observability and threat hunting capabilities, and set out how they can achieve this.”
Cyber security consultancy support, plus assessment and certification - UK Space Agency outlines - “Successful applicants can receive up to 3 days consultation from a cyber security professional funded by the UK Space Agency. This can be virtual or at a place of business (UK) depending on requirements.”
AI will ‘pain whole swathe of UK economy before providing net benefit’ - The Independent via the Press Association reports on comments I made - “Mr Whitehouse told the event hosted by Harmonic Security: “It is the one where AI gets very effective at surfacing what our vulnerability truly is, and us simply not having the capacity to be able to triage and respond to that.””
ETSI Security Conference 2025 – Insights into the Global Cybersecurity Landscape with NCSC’s Ollie Whitehouse - Cyber Security Magazine publishes - from the ETSI conference in France this week..
Foreign Secretary to put boosting security and tackling illegal migration at the heart of foreign policy during meeting of European partners - Foreign, Commonwealth & Development Office and The Rt Hon Yvette Cooper MP announce - “The summit will discuss the importance of building resilience in the Western Balkans to combat the constant flood of Russian hybrid threats aimed at destabilising the region, and fanning ethnic tensions. The Foreign Secretary will unveil a new £4 million project to reinforce cyber defences in the region, and share expertise in countering disinformation and other malign activity from hostile actors.”
Ukraine’s parliament backs creation of cyber forces in first reading - The Kyiv Independent reports - “The Ukrainian parliament supported the creation of the Cyber Forces within Ukraine’s military in the first reading on Oct. 9, underscoring the growing importance of this domain in the war with Russia. The bill, backed by 255 lawmakers, aims to establish the Cyber Forces as a military command body responsible for Ukraine’s defense and security capabilities in cyberspace.”
Qantas among nearly 40 companies facing ransom demand from hacker group - The Guardian reports - “The hackers claimed to have stolen records from the Salesforce databases of 39 companies including Toyota, Disney, McDonald’s, Puma, Cartier, Adidas, Qantas, Air France-KLM, Google Adsense, Chanel and Ikea.”
NIRS fire destroys government’s cloud storage system, no backups available - Korean JoongAng Daily reports - “However, due to the system’s large-capacity, low-performance storage structure, no external backups were maintained — meaning all data has been permanently lost. The scale of damage varies by agency. The Ministry of Personnel Management, which had mandated that all documents be stored exclusively on G-Drive, was hit hardest.”
North Korean agents pretending to be IT guys have funneled up to $1 billion into Kim Jong Un’s nuclear program - Fortune reports and understates - “The scheme is one of the most spectacular international fraud enterprises in history, and it creates layer upon layer of risks for companies that fall for it. First, there’s the corporate security danger posed by agents of a foreign government being within a company’s internal systems.”
Cybercrime affects three quarters of the Dutch population, but not everyone keeps their smart devices up to date - National Government of the Netherlands launches - “This is evident from the recently published Cybersecurity study Alert Online 2025 by the Ministry of Economic Affairs. To raise awareness among the Dutch public about the importance of updating their smart devices, the ministry is relaunching its “Do Your Updates” campaign today.”
UK National Security Advantage from Disruptive Technologies - RUSI think tanks - “This paper underscores the need for focused priorities, cultural change within the national security community and strategic partnerships to ensure the UK remains competitive in the global technology landscape.”
Fake cellphone tower scams Aucklanders - New Zealand Telecommunications Forum reports - “The good news is the mobile network operators, Police and DIA worked together to swiftly triangulate the signal bubble and police officers caught a young man driving this SMS blaster around. He pleaded guilty and was sentenced last month.”
Reporting on/from China
China’s Vulnerability Research: What’s Different Now? - Eugenio Benincasa Natto Team analyze - “As this ecosystem has evolved, the Chinese state moved to harness the vulnerability research for national priorities through both formal and informal channels. From the top down, it imposed institutional mechanisms such as direct oversight of researchers and regulations that mandate or incentivize reporting to state-run entities. From the bottom up, informal networks among prominent researchers, who exchange insights and acquisition opportunities in private forums, create parallel acquisition channels that the state can use. Together, these mechanisms form what can be thought of as China’s “vulnerability pipeline.””
Chinese Hackers Said to Target U.S. Law Firms - The New York Times reports - “Williams & Connolly, one of the country’s most prominent law firms, has told clients that Chinese hackers infiltrated some of its computer systems as part of a broader effort by the Chinese to target American law firms, according to two people briefed on the matter.”
BIETA: A Technology Enablement Front for China’s MSS - Insikt Group alleges - “The Beijing Institute of Electronics Technology and Application (BIETA), a communications technology and information security research organization previously unexplored in public reporting, is almost certainly affiliated with China’s principal civilian intelligence service, the Ministry of State Security (MSS).”
China Hacked South Korea’s Government, But Was It Really North Korea? - The Diplomat asks whilst we all think of Betteridge’s law of headlines - “Proponents of this view include Saber, who told The Diplomat that they believe the hacked hacker “is a Chinese national working from China and for both Chinese and North Korean government interests.””
China Blacklists Researcher That Exposed Huawei Chip Secrets - Bloomberg reports - “China has added prominent research firm TechInsights to its Unreliable Entity list, shutting out the Canadian teardown specialist that helped expose the inner workings of Huawei Technologies Co.’s AI chips.”
Selling the Forges of the Future - The Select Committee on the CCP publish - “The findings discussed below do not claim or posit that any Toolmaker has violated applicable U.S., Dutch, or Japanese laws. To be effective, SME export controls must apply to all of the PRC, not just individual entities, and must encompass any components or other inputs that support the production of advanced or foundational semiconductors.”
AI
the dam on AI Security automation will break - Joshua Saxe keynotes at OffensiveAICon
Disrupting malicious uses of AI: October 2025 - OpenAI detail - “We banned ChatGPT accounts that were attempting to use the model to help develop and refine malware, including a remote‑access trojan, credential stealers, and features to evade detection. These accounts appear to be affiliated with Russian-speaking criminal groups, as we observed them posting evidence of their activities in a Telegram channel dedicated to those actors”
APT Meets GPT: Targeted Operations with Untamed LLMs - Callum Roxan, Killian Raimbaud, and Steven Adair detail - “This blog post outlines technical details of various UTA0388 campaigns, and the evidence that led Volexity to assess with a high degree of confidence that UTA0388 employs Large Language Models (LLMs) to assist with their operations.”
A small number of samples can poison LLMs of any size - Anthropic disclose - “In a joint study with the UK AI Security Institute and the Alan Turing Institute, we found that as few as 250 malicious documents can produce a “backdoor” vulnerability in a large language model—regardless of model size or training data volume.”
Introducing CodeMender: an AI agent for code security - Raluca Ada Popa and Four Flynn announce - “Over the past six months that we’ve been building CodeMender, we have already upstreamed 72 security fixes to open source projects, including some as large as 4.5 million lines of code.” - how this scales in practice is now the point of interest to understand the real world applicability.
Building the Leading Open-Source Pentesting Agent: Architecture Lessons from XBOW Benchmark - Aaron Brown publishes, including code - “After three releases and 245+ commits in release 0.1.3, we’ve built exactly that: an autonomous cyber agent that achieved 84.62% success rate on the XBOW benchmark, making it the leading open-source solution to reach XBOW baseline performance. It outperforms previous state-of-the-art systems like MAPTA (~75%) by nearly 10 percentage points and rivals expert human pentesters.”
AI-Powered CAPTCHA Solver - Yinus Aydin publishes - “The tool can solve the following CAPTCHA types
Text Captcha: Simple text recognition.
Complicated Text Captcha: Text with more distortion and noise.
reCAPTCHA v2: Google’s “I’m not a robot” checkbox with image selection challenges.
Puzzle Captcha: Slider puzzles where a piece must be moved to the correct location.
Audio Captcha: Transcribing spoken letters or numbers from an audio file.”
How we enhance cybersecurity defences before the attackers in an AGI world - World Economic Forum think tank - “Countering cyber threats will involve responding to campaigns of malicious attacks using the same tools; however, success depends on whether attackers or defenders adopt the tools more quickly.”
Cyber proliferation
Lawfare Daily: The State of the Spyware Industry - Justin Sherman, Jen Roberts and Sarah Graham podcast - “Jen Roberts, Associate Director of the Atlantic Council’s Cyber Statecraft Initiative, and Sarah Graham, Research Consultant with the Atlantic Council’s Cyber Statecraft Initiative, who are coauthors along with Nitansha Bansal of the recent paper, “Mythical Beasts: Diving Into the Depths of the Global Spyware Market,” join Lawfare’s Justin Sherman to discuss the global spyware industry, how it has evolved in recent years, and what its future holds.”
Italian businessman’s phone reportedly targeted with Paragon spyware - TechCrunch report - “On Thursday, Italian online investigative website IrpiMedia and newspaper La Stampa reported that Francesco Gaetano Caltagirone was among around 90 people who received a notification from WhatsApp in January, alerting him that he had been targeted with spyware made by Paragon Solutions.”
Bounty Hunting
Two arrested by the Met following nursery cyber-attack - The Metropolitan Police announce - “On Tuesday, 7 October, specialist officers from the Met conducted a proactive operation at a number of residential properties in Bishop’s Stortford, Hertfordshire, where two people were arrested on suspicion of computer misuse as well as blackmail. Two boys, both aged 17, were arrested at the scene and taken to custody. They remain there for questioning.”
Market Incentives
Policyholder Plot Twist: Cyber Insurer Sues Policyholder’s Cyber Pros - National Law Review reports - “Last month, Ace American Insurance Company filed a subrogation action against its insured’s cybersecurity and technology vendors, alleging missteps by the technology companies”
Cyber security resilience 2025 – Claims and risk management trends - Allianz Commercial details - “Analysis of Allianz Commercial cyber claims shows the overall frequency of notifications during the first half of 2025 was in line with a year earlier after a significant year-on-year increase during 2023 compared with 2022. Despite the increasing sophistication and volume of attacks companies face, claims severity has declined by more than 50% while the frequency of large loss claims (> €1mn) is down around 30%, driven by larger companies’ cumulative investments in cyber security, detection and response. … Ransomware attacks remain the top driver of cyber incidents, but in this year’s report, contingent business interruption, technology failures and privacy litigation emerge as main sources of losses – incidents such as wrongful collection or processing of data, and outages accounted for a record 28% of the value of large claims in 2024”
Clinical Labs fined $5.8m in Privacy Act first - Innovation Aus reports - “Australian Clinical Labs has been fined $5.8 million over a 2022 data breach that exposed the personal information of more than 223,000 people and saw the Office of the Australian Information Commissioner exercise its enforcement powers for the first time. The Federal Court found that the company’s Medlab Pathology business failed to take reasonable steps to secure the data, assess the breach promptly, or report it to regulators. It is the first time civil penalties have been imposed under the Privacy Act.”
No reflections this week..
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday…
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Anatomy of a Hacktivist Attack: Russian-Aligned Group Targets OT/ICS
Forescout Research detail an alleged Russian hacktivist campaign which is interesting both for showing the value of cyber deception and for the comedy of the group claiming success against said synthetic environment.
Our honeypot caught hacktivist activity targeting a decoy water treatment plant in Sept. 2025.
A Russian-aligned group, TwoNet, claimed responsibility for the attack.
The group logged into the human-machine interface (HMI) for: defacement, process disruption, manipulation, and evasion.
We also discovered additional attacks targeting programmable logic controllers (PLCs) and the Modbus protocol linked to Russia and Iran.
https://www.forescout.com/blog/anatomy-of-a-hacktivist-attack-russian-aligned-group-targets-otics/
The Evolution of Russian Physical-Cyber Espionage
Ryan Slaney tracks the alleged evolution of Russian close access activities including the suggested use of local teenage proxies.
The first known wave of Russian state-sponsored close access activity unfolded during the 2016 Rio Olympics. APT28 spear-phished officials at the World Anti-Doping Agency (WADA), gaining access to the ADAMS database of athlete therapeutic use exemptions. Soon after, medical records of U.S. and international athletes were leaked in an apparent attempt to discredit anti-doping enforcement and cast doubt on competitors’ legitimacy. Two years later, in April 2018, Dutch authorities closely watched as a team of four Russian close access operators arrived by air in The Hague. They followed the team from the shadows as they rented a car, picked up supplies, and began driving around the city, taking pictures of various international organization
..
Fast-forward to 2025, and it would appear that Russian intelligence has returned to The Hague, albeit in a much different form. Dutch media recently reported that two 17-year-old boys were arrested in The Hague, accused of operating a Wi-Fi sniffer near the offices of Europol, Eurojust, and the Canadian embassy. The reports suggest they may have been recruited or paid by Russian handlers to collect signals intelligence and information on Wi-Fi networks in support of or to facilitate a nearest-neighbor style operation.
..
While investigations are ongoing, the case is striking. Instead of GRU officers flying in with antennas and cash, local teenagers with commodity hardware are now allegedly serving as Moscow’s forward collectors. If true, it demonstrates how Russia continues its history of outsourcing the riskiest elements of its cyber operations to expendable, deniable proxies.
https://www.trellix.com/blogs/research/the-evolution-of-russian-physical-cyber-espionage/
Reporting on China
The Crown Prince, Nezha: A New Tool Favored by China-Nexus Threat Actors
Jai Minton, James Northey and Alden Schmidt detail an alleged Chinese campaign which frankly should never have happened given the travesty of the security misconfiguration. It also shows the value of External Attack Surface Management in detecting such situations.
Analysis of the Apache web server access logs indicates that the threat actor’s initial point of entry was via the phpMyAdmin panel.
Retrospective analysis of the web server configuration revealed flaws in the default phpMyAdmin configuration file, which doesn’t require any authentication and wasn’t intended to be exposed to the internet, but was due to a DNS record change just months before the incident.
..
Analysis of victim machines that call back to this Nezha server showed that most victims appeared to be in Taiwan, Japan, South Korea, and Hong Kong, with only a single offline system being seen in Mainland China. This is interesting, as it aligns with geopolitical conflict between the regions, such as the East China Sea exclusive economic zone disputes, and disputes between Hong Kong and Mainland China.
https://www.huntress.com/blog/nezha-china-nexus-threat-actor-tool
CN APT targets Serbian Government
StrikeReady Labs details this alleged Chinese campaign. The tradecraft is run of the mill, the victimology is what is of note.
Last week, a targeted spearphish was sent to a governmental department in Serbia related to aviation. Upon further pivoting, we found similar activity at other European nations from the same threat actor. A core infosec truth, often overlooked, is that only CN threat actors leverage the sogu/plugx/korplug toolset for live intrusions, with rare exceptions of red teams/researchers playing around with builders on VT. Occasionally, an outlier motivation is financial, but the vast majority of the time it is espionage. These linkages have been reliable for over a decade.
https://strikeready.com/blog/cn-apt-targets-serbian-government/
Mustang Panda Employ Publoader Through ClaimLoader: Yes.. another DLL Side-Loading Technique Delivery via Phishing
0x0d4y works through the infection chain of a campaign from earlier in the year which had an alleged Chinese nexus. The tradecraft was heavily social-engineering focused.
a campaign by Threat Actor Mustang Panda, identified in June 2025 by IBM’s X-Force, which targets the Tibetan community for obviously political reasons. The initial loader is delivered via a .ZIP file containing a decoy named ‘Voice for the Voiceless Photos.exe’, a clear reference to the Dalai Lama’s book, and a DLL that doesn’t appear in Windows Explorer through the dir and ls commands.
..
When we open the decoy present in the .ZIP, we can observe some information that has already been seen and identified in previous Threat Actors China-Nexus campaigns, in addition to a pseudo product name among other information unique to this sample.
Reporting on North Korea
DPRK IT Workers: Inside North Korea’s Crypto Laundering Network
Chainalysis give a sense of how the crypto assets get washed and moved around.
Once their salaries are paid, DPRK IT workers transfer cryptocurrency through a variety of different money laundering techniques. One of the ways in which IT workers, as well as their money laundering counterparts, break the link between source and destination of funds on-chain, is through chain-hopping and/or token swapping. They leverage smart contracts such as decentralized exchanges and bridge protocols to complicate the tracing of funds.
https://www.chainalysis.com/blog/dprk-it-workers-north-korea-crypto-laundering-networks/
North Korea’s crypto hackers have stolen over $2 billion in 2025
Elliptic give a sense of the alleged scale of the operations from North Korea in 2025. If accurate, it inevitably gives them the ability to invest..
Elliptic analysis reveals that North Korea-linked hackers have already stolen over $2 billion in cryptoassets in 2025, the largest annual total on record, with three months still to go.
https://www.elliptic.co/blog/north-korea-linked-hackers-have-already-stolen-over-2-billion-in-2025
Reporting on Iran
Charming Kitten
Kitten Busters are back with this disclosure of alleged Iranian capability..
Following through on our promise, this time adding new information regarding IRGC-IO, the counterintelligence division (unit 1500) “department 40” malware activity and source code.
https://github.com/KittenBusters/CharmingKitten
An Insider Look At The IRGC-linked APT35 Operations: Ep1 & Ep2
CloudSEK analyze the Kitten Busters leaks of alleged IRGC operations showing what their initial access tradecraft involved and what they allegedly achieved. The diversity of initial access is of note..
Operational Timeline
Bahman 1402 (Jan-Feb 2024):
SQL injection campaigns on Israeli targets (simania.co.il, bonimonline.co.il)
Mass network device exploitation (GoAhead devices, TP-Link)
DNS server manipulation (580+ modems)
Esfand 1402 (Feb-Mar 2024):
ConnectWise CVE-2024-1709 exploitation
Rapid response to vulnerability disclosure (within 24 hours)
Multi-country scanning campaigns
Mehr-Aban 1403 (Sep-Nov 2024):
Social engineering campaign infrastructure development
Domain purchases and template creation
SMS panel research and acquisition
Payment system setup (cryptocurrency, document forgery)
Dey 1403 (Dec 2024-Jan 2025):
Active Directory exploitation focus
EDR evasion development
Supply chain attack execution (Qistas partner penetration)
Continuous data exfiltration (74GB+ from single target)
https://www.cloudsek.com/blog/an-insider-look-at-the-irgc-linked-apt35-operations
Reporting on Other Actors
Investigating targeted “payroll pirate” attacks affecting US universities
Microsoft detail what is arguably cyber-enabled crime here..
Microsoft Threat Intelligence has observed a financially motivated threat actor that we track as Storm-2657 compromising employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts. These types of attacks have been dubbed “payroll pirate” by the industry. Storm-2657 is actively targeting a range of US-based organizations, particularly employees in sectors like higher education, to gain access to third-party human resources (HR) software as a service (SaaS) platforms like Workday.
SideWinder Expands Phishing and Malware Operations in South Asia
Hunt.io detail this alleged state backed campaign which gives a sense of scale and tradecraft.
The actor leverages free hosting platforms (Netlify, pages.dev, workers.dev, b4a.run) to deploy credential-harvesting portals and weaponized lure documents, then stages malware in open directories for later retrieval.
Phishing Infrastructure at Scale: Over 50+ malicious domains uncovered across Netlify, pages.dev, workers.dev, and b4a.run, hosting fake Outlook/Zimbra portals and credential harvesting pages.
Regional Targeting: Campaigns were distributed across 5 South Asian nations (Bangladesh, Nepal, Myanmar, Pakistan, Sri Lanka), with Pakistan accounting for 40% of the total domains identified.
Lure Documents: At least 12 weaponized documents were observed between August and September 2025, themed around ministerial committees, bilateral visits, and defense procurements.
Exposed Malware Repositories: Open directories revealed 8 distinct samples linked to Pakistan’s marine sector.
Infrastructure Overlap: Campaign tied back to SideWinder’s legacy C2 assets (e.g., govmm[.]org, govnp[.]org, andc[.]govaf[.]org), confirming infrastructure recycling across multiple years.
Credential Theft Campaign: Fake portals successfully captured inputs via direct POST requests (no redirects), with logs tied to technologysupport[.]help infrastructure.
Persistent Operations: On average, new phishing domains emerged every 3-5 days, indicating rapid pivoting and a high operational tempo.
https://hunt.io/blog/operation-southnet-sidewinder-south-asia-maritime-phishing
TamperedChef: Malvertising to Credential Theft
Bert Steppe details a criminal campaign which has been covered here before in detail. Noteworthy for the misuse of the advertising eco-system and the apparent inability of that sector to get a handle on it.
TamperedChef is a sophisticated malware campaign that leveraged a convincing advertising campaign strategy and a fully functional decoy application to target European organizations. Disguised as a legitimate application such as a PDF editor, the malware operated with expected functionality for nearly two months before activating its payload to harvest browser credentials, impacting a significant number of systems.
This campaign demonstrates how even well-defined organizations can be compromised by convincing, legitimate-looking software. The consequences are severe: credential theft, potential backdoor access, and the need for full remediation. Organizations must act quickly to identify and remove this threat.
https://labs.withsecure.com/publications/tamperedchef
look mom HR application look mom no job
Martijn Grooten details an attack flow using Zoom which is noteworthy due to its prevalence. Will be interesting to see how Zoom wrangle this and eradicate the malicious use of their platform.
Use a trusted platform (Zoom) to deliver the initial link. People click because it looks like a shared document.
Redirect to a “bot protection” gate. Two jobs:
keep automated analysis and sandboxes away, and
increase perceived legitimacy for the victim.
If the user passes the gate, show a credential harvest page that mimics Gmail login UI and asks for username and password.
On submit, open a WebSocket back to the attacker server and push the credentials in real time to C2. The server can validate them and mark hits.
They likely run a backend that validates credentials so they know which ones work. That is why the response felt slower than a static phishing page.
https://blog.himanshuanand.com/2025/10/look-mom-hr-application-look-mom-no-job/
The Exploitation of Legitimate Remote Access Tools in Modern Ransomware Campaigns
Matin Tadvi walks through some of the foundations, which serve as a good reminder of the attack surface to identify and get under control.
Attackers gain legitimate access using stolen or brute-forced credentials, bypassing defences while appearing as trusted users. Targeting administrator accounts provides maximum control and enables later stages like Remote Access Tool deployment and lateral movement.
Common Attack Pathways:
Brute-force attacks against RDP/SMB endpoints
Credential reuse from leaks or past breaches
Targeting administrator accounts for maximum privileges
https://www.seqrite.com/blog/exploiting-legitimate-remote-access-tools-in-ransomware-campaigns/
GhostSocks: From Initial Access to Residential Proxy
Synthient Research show how part of the residential proxy eco-system works and also how resilient it has been to disruption attempts by authorities. This is where companies that can identify these proxies and supply them as indicators add value in enrichment.
On October 15th, 2023, a threat actor going by the handle GhostSocks would make a sales post on the Russian cybercrime forum xss[.]is selling GhostSocks. The thread detailed a new Malware-as-a-service (MAAS) that enables threat actors to convert compromised devices into residential proxies. The post then promoted the MAAS’s ability to bypass anti-fraud mechanisms, allowing threat actors to capitalize on the victim’s machine.
..
GhostSocks shows no signs of halting development. They continue to maintain their platform, Malware, and support channels. Even with Law Enforcement’s seizure of XSS and LummaStealer infrastructure, GhostSocks has shown no signs of shutting down.
https://synthient.com/blog/ghostsocks-from-initial-access-to-residential-proxy
Discovery
How we find and understand the latent compromises within our environments.
Identifying and Mitigating Potential Velociraptor Abuse
Christiaan Beek details the vendor’s recommendations here..
Rapid7 recommends verifying the legitimacy of any Velociraptor deployments in your environment. Ensure that servers and agents are under your administrative control, monitor for unsigned binaries, and alert on unexpected network connections to Velociraptor service ports. Review endpoint logging for newly created services or scheduled tasks referencing “velociraptor.exe”.
Restrict execution of unknown Velociraptor binaries.
Review endpoint telemetry for new outbound connections to uncommon ports used by Velociraptor (:8000, :8001, or :8889).
Rotate API and authentication keys if any server compromise is suspected.
This is based on reporting from Michael Szeliga, Aliza Johnson and Jaeson Schultz on Velociraptor being leveraged in ransomware attacks.
https://blog.talosintelligence.com/velociraptor-leveraged-in-ransomware-attacks/
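To make the guidance above concrete, here is an added example (not Rapid7’s, Talos’ or the Velociraptor project’s code) that triages constructed endpoint telemetry for the three signals it names: services or scheduled tasks referencing velociraptor.exe outside the sanctioned install path, unsigned Velociraptor binaries, and outbound connections to :8000, :8001 or :8889 that do not go to a known frontend. The install prefix, the known-server list and the event schema are assumptions.

```python
"""Triage constructed endpoint telemetry for Velociraptor-abuse signals.

Added example, not vendor code. The sanctioned install path, the allowed
frontend list and the event field names are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Ports named in the Rapid7 guidance as Velociraptor service ports.
VELOCIRAPTOR_PORTS = {8000, 8001, 8889}
# Assumptions: where your sanctioned agent lives and which frontend(s) it may
# talk to. Anything referencing Velociraptor elsewhere deserves a human look.
KNOWN_INSTALL_PREFIX = "c:\\program files\\velociraptor\\"
KNOWN_SERVERS = {"vr-frontend.corp.example"}
VELO_NAME = re.compile(r"velociraptor(\.exe)?\b", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    reason: str


def triage(events):
    """Return one Finding per event that matches a Velociraptor-abuse signal."""
    findings = []
    for ev in events:
        kind, host = ev["type"], ev["host"]
        if kind in ("service_created", "scheduled_task_created"):
            target = ev["command"]
            # A new service/task pointing at velociraptor.exe outside the
            # sanctioned path is the "review endpoint logging" signal.
            if VELO_NAME.search(target) and not target.lower().startswith(KNOWN_INSTALL_PREFIX):
                findings.append(Finding(host, f"{kind} references Velociraptor outside sanctioned path: {target}"))
        elif kind == "process_created":
            # "Monitor for unsigned binaries": any Velociraptor image without a valid signature.
            if VELO_NAME.search(ev["image"]) and not ev.get("signed", False):
                findings.append(Finding(host, f"unsigned Velociraptor binary executed: {ev['image']}"))
        elif kind == "network_connect":
            # Outbound to a Velociraptor port that is not one of our own frontends.
            if (ev["direction"] == "outbound" and ev["dst_port"] in VELOCIRAPTOR_PORTS
                    and ev["dst"] not in KNOWN_SERVERS):
                findings.append(Finding(host, f"outbound to unexpected Velociraptor port {ev['dst']}:{ev['dst_port']}"))
    return findings


def hosts_to_review(events):
    """Hosts with at least one finding, i.e. the deployments to verify by hand."""
    return sorted({f.host for f in triage(events)})


# Constructed sample telemetry: ws01 runs the sanctioned agent, ws02 does not.
SAMPLE_EVENTS = [
    {"type": "service_created", "host": "ws01",
     "command": "C:\\Program Files\\Velociraptor\\Velociraptor.exe --config C:\\Program Files\\Velociraptor\\client.config.yaml client"},
    {"type": "network_connect", "host": "ws01", "direction": "outbound",
     "dst": "vr-frontend.corp.example", "dst_port": 8000},
    {"type": "scheduled_task_created", "host": "ws02",
     "command": "C:\\Users\\Public\\velociraptor.exe --config C:\\Users\\Public\\client.config.yaml client"},
    {"type": "process_created", "host": "ws02",
     "image": "C:\\Users\\Public\\velociraptor.exe", "signed": False},
    {"type": "network_connect", "host": "ws02", "direction": "outbound",
     "dst": "203.0.113.9", "dst_port": 8889},
    {"type": "network_connect", "host": "ws03", "direction": "outbound",
     "dst": "203.0.113.9", "dst_port": 443},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host}: {f.reason}")
    print("review:", hosts_to_review(SAMPLE_EVENTS))
```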
OneDrive. Let’s take this offline
Brian Maloney walks through one of the OneDrive artefacts.
At the beginning of this year, I started adding data from the offline databases into OneDrive Explorer. This data enhanced other artifacts that were being parsed. One thing that was lacking is a dedicated parser for the offline database (Microsoft.ListSync.db). The latest version of OneDriveExplorer now allows for parsing this data, giving a better representation of OneDrive from an offline perspective.
By reconstructing the folders in Microsoft.ListSync.db, we can get a better view of what the user has access to when working offline. This data returns slightly different results when compared to what is synced on the endpoint.
https://malwaremaloney.blogspot.com/2025/09/onedrive-lets-take-this-offline.html
Don’t Sweat the *Fix Techniques
Tyler Bohlmann identifies a number of choke points that allow detection of the various *Fix techniques being employed.
In this blog, we’ll cover the evolution of the ClickFix techniques and how to apply detection chokepoints to detect current and future iterations.
..
The initial payload for each variation includes some form of scripting interpreter to execute malicious code. Three of them have a parent process of explorer.exe or a web browser process. Since all versions contain a secondary payload that’s being hosted remotely, we can add an outbound network connection to our chokepoint.
https://www.huntress.com/blog/dont-sweat-clickfix-techniques
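As an added example (not Huntress’ code), here is the chokepoint described above turned into detection logic over constructed process and network events: a scripting interpreter spawned by explorer.exe or a browser, followed within a short window by an outbound connection from that process or any of its descendants. The event schema, interpreter list and time window are assumptions; the descendant check goes slightly beyond the text so that a browser → cmd.exe → powershell.exe chain is still caught.

```python
"""ClickFix-style chokepoint detection over constructed process/network events.

Added example, not Huntress' code. Event fields, the interpreter and launcher
lists and the 60-second window are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
WINDOW_SECONDS = 60  # how long after the spawn an outbound connection still counts


@dataclass
class Alert:
    pid: int
    image: str
    parent_image: str
    dst: str


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Alert on interpreter processes launched from a chokepoint parent whose
    process tree makes an outbound connection inside WINDOW_SECONDS."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_created"}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    conns = [e for e in events if e["type"] == "network_connect" and e["direction"] == "outbound"]

    def descendants(pid):
        seen, stack = set(), [pid]
        while stack:
            cur = stack.pop()
            if cur not in seen:
                seen.add(cur)
                stack.extend(children[cur])
        return seen

    alerts = []
    for p in sorted(procs.values(), key=lambda e: e["time"]):
        parent = procs.get(p["ppid"])
        if parent is None or _basename(p["image"]) not in INTERPRETERS:
            continue
        if _basename(parent["image"]) not in LAUNCHERS:
            continue  # same interpreter, but not reached via the chokepoint
        tree = descendants(p["pid"])
        for c in conns:
            if c["pid"] in tree and 0 <= c["time"] - p["time"] <= WINDOW_SECONDS:
                alerts.append(Alert(p["pid"], _basename(p["image"]),
                                    _basename(parent["image"]), f"{c['dst']}:{c['dst_port']}"))
                break
    return alerts


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"
# Constructed sample: times are seconds, pids/ppids are made up.
SAMPLE_EVENTS = [
    {"type": "process_created", "time": 0, "pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe"},
    {"type": "process_created", "time": 0, "pid": 500, "ppid": 100, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    # Lure path: explorer spawns PowerShell, which fetches the remotely hosted second stage.
    {"type": "process_created", "time": 5, "pid": 200, "ppid": 100, "image": PS},
    {"type": "network_connect", "time": 8, "pid": 200, "direction": "outbound", "dst": "203.0.113.5", "dst_port": 443},
    # Admin opens a shell from explorer and never goes online: no alert.
    {"type": "process_created", "time": 30, "pid": 300, "ppid": 100, "image": CMD},
    # Interpreter with network activity but spawned by services.exe: not the chokepoint.
    {"type": "process_created", "time": 40, "pid": 400, "ppid": 2, "image": PS},
    {"type": "network_connect", "time": 41, "pid": 400, "direction": "outbound", "dst": "10.0.0.20", "dst_port": 5985},
    # Browser -> cmd.exe -> powershell.exe: the connection comes from a descendant.
    {"type": "process_created", "time": 60, "pid": 600, "ppid": 500, "image": CMD},
    {"type": "process_created", "time": 61, "pid": 700, "ppid": 600, "image": PS},
    {"type": "network_connect", "time": 65, "pid": 700, "direction": "outbound", "dst": "198.51.100.7", "dst_port": 80},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```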
Inside the Unified Log 3: Log storage and attrition
Howard Oakley walks through the macOS unified log and some of the intricacies which will be of interest to detection and incident response teams.
By far the most common problem experienced with the Unified log isn’t its large number of entries, but a lack of entries. You go to check your Mac’s security using SilentKnight, or Skint runs its automatic daily check, and they can’t find any log entries recording XProtect Remediator scans. Since those are obtained by analysing the log for the previous 36 hours, when your Mac’s logs only go back 8-12 hours, entries for the last set of scans are likely to be missing. This article looks at why that happens, and how macOS maintains its log.
https://eclecticlight.co/2025/09/29/inside-the-unified-log-3-log-storage-and-attrition/
Defence
How we proactively defend our environments.
Adding Determinism and Safety to Uber IAM Policy Changes
Avinash Srivenkatesh, Zi Wen and Zakir Akram show what exquisite security engineering looks like with this approach.
Incremental IAM policy deployment across availability zones has been widely adopted to contain such risks but it is not sufficient in the case of IAM policy changes. Misconfigured rollback triggers or specific traffic patterns during rollout can lead to undetected problematic policies being fully deployed, causing widespread outages.
To address this problem at an even early stage, we introduced a Policy Simulator. This tool helps policy authors preview the impact of their proposed changes in real time when the policy change is made. By understanding the exact effects of a policy change beforehand, authors can confidently deploy the change or choose to stop it.
https://www.uber.com/en-GB/blog/adding-determinism-and-safety-to-uber-iam-policy-changes/
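The idea of a policy simulator is to evaluate the proposed policy against a sample of real requests before anything is deployed, and to surface only the decisions that flip. The following is an added illustration, not Uber's code or policy format: the statement format (effect, principal, action and resource globs with explicit deny winning), the sampled requests and the blast-radius threshold are all assumptions made for the example.

```python
from fnmatch import fnmatch
from typing import Dict, List, Tuple

# Hypothetical policy format: a list of statements with glob patterns.
Statement = Dict[str, object]
Policy = List[Statement]
Request = Tuple[str, str, str]   # (principal, action, resource)


def evaluate(policy: Policy, principal: str, action: str, resource: str) -> str:
    """Default deny; an explicit deny beats any allow."""
    decision = "deny"
    for st in policy:
        if (any(fnmatch(principal, p) for p in st["principals"])
                and any(fnmatch(action, a) for a in st["actions"])
                and any(fnmatch(resource, r) for r in st["resources"])):
            if st["effect"] == "deny":
                return "deny"
            decision = "allow"
    return decision


def simulate_change(old: Policy, new: Policy, requests: List[Request]) -> List[Dict]:
    """Replay sampled requests through both versions and report only flipped decisions."""
    flipped = []
    for principal, action, resource in requests:
        before = evaluate(old, principal, action, resource)
        after = evaluate(new, principal, action, resource)
        if before != after:
            flipped.append({"principal": principal, "action": action, "resource": resource,
                            "before": before, "after": after})
    return flipped


def safe_to_deploy(flipped: List[Dict], total: int, max_fraction: float = 0.10) -> bool:
    """Deterministic gate: block the rollout if too large a share of traffic changes outcome."""
    return total > 0 and len(flipped) / total <= max_fraction


# Constructed current policy and a proposed change that intends to stop
# refunds by arbitrary callers but forgets to exempt the refund service.
OLD_POLICY: Policy = [
    {"effect": "allow", "principals": ["team-payments/*"], "actions": ["payments:*"],
     "resources": ["svc:payments/*"]},
    {"effect": "allow", "principals": ["*"], "actions": ["payments:read"],
     "resources": ["svc:payments/public/*"]},
]
NEW_POLICY: Policy = OLD_POLICY[:1] + [
    {"effect": "deny", "principals": ["*"], "actions": ["payments:refund"],
     "resources": ["svc:payments/*"]},
] + OLD_POLICY[1:]

# Constructed sample of recent authorisation requests.
SAMPLE_REQUESTS: List[Request] = [
    ("team-payments/alice", "payments:read", "svc:payments/ledger"),
    ("team-payments/refund-bot", "payments:refund", "svc:payments/ledger"),
    ("team-web/bob", "payments:read", "svc:payments/public/prices"),
    ("team-web/bob", "payments:refund", "svc:payments/ledger"),
]

if __name__ == "__main__":
    diff = simulate_change(OLD_POLICY, NEW_POLICY, SAMPLE_REQUESTS)
    for d in diff:
        print(d)
    print("safe to deploy:", safe_to_deploy(diff, len(SAMPLE_REQUESTS)))
```

Here the simulation shows the refund service losing access, which is exactly the kind of side effect a staged rollout would only catch once real refund traffic failed in the first zone.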
Sigma rules validator
Nasreddine Bencherchali released this Github action last year, but worth highlighting as a good example of detection engineering quality to ensure you do not break production.
This action is used to validate Sigma rules using the JSON schema. It is used to ensure that the rules are correctly formatted and that they will work with the Sigma converter.
https://github.com/SigmaHQ/sigma-rules-validator
Defending against supply chain attacks like Chalk/Debug and the Shai-Hulud worm
Chi Tran, Charlie Bacon, and Nirali Desai detail how Amazon Inspector may be used to try and manage some of this risk.. or at least until some of the adversaries start testing their operations and attempt to subvert.
Starting with static analysis using an extensive library of YARA rules, Amazon Inspector can identify suspicious code patterns, obfuscation techniques, and known malicious signatures within package contents. Building on that, the system uses dynamic analysis and behavioral monitoring to identify threats, despite their use of evasion techniques. The final set of analysis is conducted using AI and machine learning models to analyze code semantics and determine the intended purpose versus suspicious functionality within packages.
Securing Microsoft Entra ID: Lessons from the Field
Christos Gourzoulidis walks through the practical steps of securing Microsoft Entra ID..
we explored the core identity foundations that directly influence security outcomes in Microsoft Entra ID, starting with hybrid identity configurations, which remain common in today’s modern workplace, and moving into common pitfalls and the strategic use of Conditional Access policies to enforce Zero Trust principles.
https://blog.nviso.eu/2025/09/25/securing-microsoft-entra-id-lessons-from-the-field-part-1/
A2AS: Standard for Agentic AI Security
Industry effort here by AWS, Meta, Cisco, ByteDance, JPMorganChase, Google, Salesforce and others.
Behavior Certification and Runtime Security Framework For LLM Models and Agent-to-Agent Security Similar to How HTTPS Secures HTTP
https://hmdhiqqomsdmtwjq.public.blob.vercel-storage.com/a2as-framework-1.0.pdf
NetworkHound
Mor David releases a tool which grows the graph…
NetworkHound connects to Active Directory Domain Controllers, discovers computer objects, resolves hostnames to IP addresses using multiple DNS methods, performs comprehensive network scanning (port scanning, HTTP/HTTPS validation), and discovers shadow-IT devices. It then builds a detailed network topology graph in OpenGraph JSON format compatible with BloodHound.
https://github.com/mordavid/NetworkHound
Incident Writeups & Disclosures
How they got in and what they did.
MySonicWall Cloud Backup File Incident
SonicWall disclose..
The investigation confirmed that an unauthorized party accessed firewall configuration backup files for all customers who have used SonicWall’s cloud backup service.
Discord Update on a Security Incident Involving Third-Party Customer Service
Discord discloses and highlights the supply chain challenge once more..
Discord recently discovered an incident where an unauthorised party compromised one of our third-party vendors.
This was not a breach of Discord, but rather a breach of a third party service provider, 5CA, that we used to support our customer service efforts.
This incident impacted a limited number of users who had communicated with our Customer Support or Trust & Safety teams.
Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals.
No messages or activities were accessed beyond what users may have discussed with Customer Support or Trust & Safety agents.
We immediately revoked the customer support provider’s access to our ticketing system and continue to investigate this matter.
SBI Crypto
Rekt News walk through this event..
Six months after positioning itself as the white knight rescuing DMM Bitcoin’s customers after a $308 million North Korean hack, SBI Crypto discovered that playing savior doesn’t grant immunity from the same attackers.
September 24th turned into a $24 million disappearing act across five blockchains while Japan’s “safe and secure” mining giant marketed its stability to institutional clients.
By the time ZachXBT flagged the bleeding on October 1st, the funds had already hopscotched through instant exchanges and vanished into Tornado Cash’s digital fog.
SBI’s response? A corporate haiku of non-information two days later, confirming an “unauthorized outflow” while promising only a “minor impact” on consolidated results.
https://rekt.news/sbi-crypto-rekt
Vulnerability
Our attack surface.
pull_request_nightmare Part 1 and 2: Exploiting GitHub Actions for RCE and Supply Chain Attacks
Roi Nisimi walks through the attack surface and what they were able to achieve. This type of vulnerability is one of those you would hope the platform can eradicate at scale..
[We] uncovered critical security risks across several high-profile open source repositories that relied on GitHub Actions.
By abusing misconfigured workflows triggered via pull_request_target, adversaries could escalate from an untrusted forked pull request into remote code execution (RCE) on GitHub-hosted or even self-hosted runners.
We investigated and exploited projects maintained by Google, Microsoft, and other Fortune-500 companies. Each contained insecure workflows that allowed attackers to:
Run arbitrary code on Actions runners
Exfiltrate sensitive secrets such as API keys
Push malicious code or dependencies to trusted branches
Abuse overly permissive GitHub tokens for package uploads, PR manipulation, and branch control
These flaws highlight the systemic risk of misconfigured CI/CD pipelines: a single forked pull request can become a supply chain compromise.
We’ve reported our findings to the affected organizations via a responsible disclosure.
https://orca.security/resources/blog/pull-request-nightmare-github-actions-rce/
https://orca.security/resources/blog/pull-request-nightmare-part-2-exploits/
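The misconfiguration pattern behind these findings is well defined enough to lint for: a workflow triggered by pull_request_target that checks out the fork's head, exposes secrets, leaves the token unrestricted, or interpolates attacker-controlled PR fields into a shell step. The following checker is an added example, not Orca's tooling or any project's real workflow; it is a deliberately dependency-free text scan (no YAML parser), and the two sample workflows are constructed to show a risky shape beside its hardened form.

```python
import re
from typing import Iterator, List, Tuple

Finding = Tuple[str, str]   # (severity, message)

# Checkout of the fork's head while running in the base repo's context.
HEAD_CHECKOUT = re.compile(
    r"ref:\s*\$\{\{\s*(github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref)\s*\}\}")
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.")
# PR-controlled fields that must never be expanded directly inside `run:`.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*github\.(event\.pull_request\.(title|body|head\.ref|head\.label"
    r"|head\.repo\.(full_name|description))|head_ref)\s*\}\}")


def _run_blocks(text: str) -> Iterator[str]:
    """Yield the body of each `run:` step using indentation (handles `run: |`)."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)(-\s+)?run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + (len(m.group(2)) if m.group(2) else 0)
        body = [m.group(3)]
        i += 1
        while i < len(lines) and (not lines[i].strip()
                                  or len(lines[i]) - len(lines[i].lstrip()) > key_indent):
            body.append(lines[i].strip())
            i += 1
        yield "\n".join(body)


def audit_workflow(text: str) -> List[Finding]:
    findings: List[Finding] = []
    uses_prt = re.search(r"\bpull_request_target\b", text) is not None
    if uses_prt:
        if HEAD_CHECKOUT.search(text):
            findings.append(("high", "pull_request_target checks out the PR head: fork code "
                                     "runs with the base repository's token and secrets"))
        if SECRET_REF.search(text):
            findings.append(("high", "secrets are referenced in a pull_request_target workflow"))
        if not re.search(r"^permissions:", text, re.M):
            findings.append(("medium", "no top-level permissions block; GITHUB_TOKEN scope is "
                                       "not explicitly restricted"))
    for body in _run_blocks(text):
        if UNTRUSTED_EXPR.search(body):
            findings.append(("high", "PR-controlled expression expanded inside a run step "
                                     "(script injection); pass it via env instead"))
    return findings


# Constructed workflow showing the risky shape described in the write-up.
RISKY_WORKFLOW = """\
name: PR build
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      - run: echo "Reviewing ${{ github.event.pull_request.title }}"
"""

# Constructed hardened equivalent: plain pull_request, read-only token,
# untrusted text passed through an environment variable.
HARDENED_WORKFLOW = """\
name: PR build
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install && npm test
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Reviewing $PR_TITLE"
"""

if __name__ == "__main__":
    for name, wf in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf))
```

Running this across an organisation's `.github/workflows/` directories gives a first-pass inventory; anything the text scan flags still needs a human to confirm whether the checked-out code is actually executed (install scripts, builds, tests) with write-capable credentials in scope.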
WireTap: Breaking Server SGX via DRAM Bus Interposition
Alex Seto, Oytun Kuday Duran, Samy Amer, Jalen Chuang, Stephan van Schaik, Daniel Genkin and Christina Garman show that insider threat to confidential compute is viable..
In this work we show that SGX is not impervious. More specifically, we show how one can build a device to physically inspect all memory traffic inside a computer cheaply and easily, in environments with only basic electrical tools, and using equipment easily purchased on the internet. Using our interposer device against SGX’s attestation mechanism, we are able to extract an SGX secret attestation key from a machine in fully trusted status, thereby breaching SGX’s security.
https://wiretap.fail/files/wiretap.pdf
Battering RAM: Low-Cost Interposer Attacks on Confidential Computing
Jesse De Meulemeester, David Oswald, Ingrid Verbauwhede and Jo Van Bulck also show that insider threat to confidential compute is viable..
With Battering RAM, we show that even the latest defenses on Intel and AMD cloud processors can be bypassed. We built a simple, $50 interposer that sits quietly in the memory path, behaving transparently during startup and passing all trust checks. Later, with just a flip of a switch, our interposer turns malicious and silently redirects protected addresses to attacker-controlled locations, allowing corruption or replay of encrypted memory.
Battering RAM fully breaks cutting-edge Intel SGX and AMD SEV-SNP confidential computing processor security technologies designed to protect sensitive workloads from compromised hosts, malicious cloud providers, or rogue employees.
Fixed Supermicro BMC Bug Gains a New Life in Two New Vulnerabilities
Anton Ivanov evidences once again that patching can be hard unless you comprehensively understand the root cause..
In January 2025, the Supermicro security team released an advisory with patches for three vulnerabilities found in the BMC firmware validation logic.
One of these issues, CVE-2024-10237, was caused by a flaw in the BMC firmware image authentication design, and could allow a potential attacker to perform a malicious firmware update.
The Binarly Research Team discovered a bypass for the vendor’s CVE-2024-10237 fix, resulting in the issue of CVE-2025-7937. A similar vulnerability with the same impact was found in the firmware of other Supermicro products and was assigned the identifier CVE-2025-6198.
The exploitation of CVE-2025-6198 has revealed that it can be used not only to update the BMC system with a specially crafted image, but also to bypass the BMC RoT (Root of Trust) security feature.
CVE-2025-4275 - More Than Insyde H2O Based UEFI Firmware SecureBoot Bypass Part 2
CodeRush from China analyses this vulnerability and releases to the world..
The PoC package for the MateBook 14 2023 (X), the modified BIOS area image, the SecureFlash PoC driver source code and binaries signed with a custom certificate, and Intel FPT 16.0 signed with a custom certificate are all available on GitHub.
https://mp.weixin.qq.com/s/rtaWBkerzY5e6DUxu5pQ_g
RediShell: Critical Remote Code Execution Vulnerability (CVE-2025-49844) in Redis, 10 CVSS score
Benny Isaacs and Nir Brakha show that a lack of memory safety (i.e. the kind of safety that CHERI, Rust, Go etc. provide) still presents a material risk..
The vulnerability exploits a Use-After-Free (UAF) memory corruption bug that has existed for approximately 13 years in the Redis source code. This flaw allows a post auth attacker to send a specially crafted malicious Lua script (a feature supported by default in Redis) to escape from the Lua sandbox and achieve arbitrary native code execution on the Redis host. This grants an attacker full access to the host system, enabling them to exfiltrate, wipe, or encrypt sensitive data, hijack resources, and facilitate lateral movement within cloud environments.
https://www.wiz.io/blog/wiz-research-redis-rce-cve-2025-49844
Several Security Vulnerabilities have been discovered in IBM Security Verify Access and IBM Verify Identity Access products. (CVE-2025-36354, CVE-2025-36355, CVE-2025-363546)
…
IBM Security Verify Access could allow an unauthenticated user to execute arbitrary commands with lower user privileges on the system due to improper validation of user supplied input.
https://www.ibm.com/support/pages/node/7247215
Offense
Attack capability, techniques and trade-craft.
A Thousand Sails, One Harbor - C2 Infra on Azure
Paranoid Ninja details how they use Azure to mask Brute Ratel infrastructure.
This blog is a mini-consolidated post on various ways to set up the C2 Infra and explains how Microsoft Azure is the leading C2 infrastructure provider today :). Services explained here might be found in a similar fashion in Amazon as well as Google cloud, but since almost all major organizations use one or more Microsoft services, our aim will only be exploiting various legitimate features of Azure.
https://0xdarkvortex.dev/c2-infra-on-azure/
Active Directory domain (join)own accounts revisited 2025
Shelltrail details this enduring attack surface..
13 times out of 12 we end up compromising the Active Directory some way or another through the Active Directory domain join-account. By the looks of it, this account is nothing fancy. It is a regular active directory user account which is provided some additional permissions in order to create computer accounts and join/re-join computers to the Active Directory domain.
The reason it is such a common way to compromise the Active Directory is the combination of its exposure and the way Access Control Entries (ACE) works in Active Directory.
https://www.shelltrail.com/research/active-directory-domain-ownjoin-accounts-revisited/
SekkenEnum
Nomad releases this BOF which detection engineering teams will want to ensure coverage of..
A Beacon Object File (BOF) for Active Directory enumeration through Active Directory Web Services (ADWS) compatible with BOFHound
https://github.com/Nomad0x7/sekken-enum
Exploitation
What is being exploited..
Campaign Targeting Oracle E-Business Suite via Zero-Day Vulnerability (now tracked as CVE-2025-61882)
CrowdStrike begin the reporting around the exploitation of the vulnerability covered last week..
On September 29, 2025, GRACEFUL SPIDER emailed multiple organizations and claimed they had accessed and exfiltrated data from the victim’s Oracle EBS applications.
In an October 3, 2025 post in one of the Telegram channels insinuating collaboration between SCATTERED SPIDER, SLIPPY SPIDER, and ShinyHunters — a channel participant posted a purported Oracle EBS exploit (SHA256 hash: 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d). In their post, the member criticized GRACEFUL SPIDER’s tactics. How the poster obtained the exploit and whether this actor or any other actors associated with the channel have leveraged this exploit is unclear. Oracle published this POC as an indicator of compromise (IOC) in its CVE-2025-61882 disclosure, suggesting the vendor assesses that the POC has been or may be used for CVE-2025-61882 exploitation. While analysis is ongoing, the purported POC appears to align with at least some of the observed exploitation, including activity leveraging Java Servlets for exploitation.
We also have Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign
and Well, Well, Well. It’s Another Day. (Oracle E-Business Suite Pre-Auth RCE Chain - CVE-2025-61882)
Coordinated Grafana Exploitation Attempts on 28 September
Noah Stone details what looks like a speculative global exploitation attempt (tm)
On 28 September 2025, GreyNoise observed a sharp one-day surge of exploitation attempts targeting CVE-2021-43798 — a Grafana path traversal vulnerability that enables arbitrary file reads. Over the course of the day, 110 unique IPs attempted exploitation against GreyNoise’s Global Observation Grid (GOG). All 110 IPs are classified as malicious.
Grafana exploitation had been largely quiet in recent months. On 28 September, activity spiked sharply:
110 unique IPs observed in a single day.
Destinations targeted: United States, Slovakia, and Taiwan — the only three destinations observed.
Top three source countries: Bangladesh (107 IPs), China (2 IPs), Germany (1 IP).
Of the Bangladesh-based IPs, 105 of 107 targeted U.S. endpoints.
The majority of IPs were first seen on 28 September, the same day they attempted exploitation.
https://www.greynoise.io/blog/coordinated-grafana-exploitation-attempts
0day .ICS attack in the wild
StrikeReady Labs discloses the origins of the exploitation of this vulnerability, and also provides some good detection / discovery tradecraft.
Earlier in 2025, an apparent sender spoofed the Libyan Navy’s Office of Protocol to send a then-zero-day exploit in Zimbra’s Collaboration Suite, CVE-2025-27915, targeting Brazil’s military. This leveraged a malicious .ICS file, a popular calendar format.
…
A Russian-linked group is especially prolific, responsible for the bulk of the above references, although recently UNC1151 also used similar TTPs.
…
TLDR: we discovered this by watching for ICS files > 10kb that contain javascript. This is a rare enough occurrence that you can put an eyeball on every one.
https://strikeready.com/blog/0day-ics-attack-in-the-wild/
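The TL;DR hunting rule (an .ICS attachment over 10 KB that carries JavaScript) is cheap to implement at a mail gateway or in a triage script. The following is an added example and not StrikeReady's code: the script markers, the threshold constant and the constructed sample calendars are assumptions for illustration. One detail worth handling is RFC 5545 line folding, which can split a marker such as `<script` across two physical lines, so the content is unfolded before matching.

```python
import re
from typing import Iterable, List, Tuple

SIZE_THRESHOLD = 10 * 1024   # "> 10kb" from the write-up's TL;DR (assumed as 10 KiB)
# Markers for embedded script; HTML descriptions (X-ALT-DESC) are the usual carrier.
SCRIPT_RE = re.compile(rb"<script\b|javascript:|\bon(?:load|error|click|mouseover)\s*=", re.I)


def unfold_ics(data: bytes) -> bytes:
    """RFC 5545 folds long lines as CRLF followed by a space or tab; reverse it."""
    return re.sub(rb"\r?\n[ \t]", b"", data)


def inspect_ics(data: bytes) -> dict:
    size = len(data)
    has_script = SCRIPT_RE.search(unfold_ics(data)) is not None
    return {"size": size, "has_script": has_script,
            "flag": size > SIZE_THRESHOLD and has_script}


def triage_attachments(attachments: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Return the names of .ics attachments that meet the hunting rule."""
    return [name for name, data in attachments
            if name.lower().endswith(".ics") and inspect_ics(data)["flag"]]


def _build_ics(n_events: int, description: bytes = b"Team sync") -> bytes:
    """Constructed sample calendar; the description becomes a folded X-ALT-DESC property."""
    prop = b"X-ALT-DESC;FMTTYPE=text/html:" + description
    # Fold at 74 octets so the continuation line (space + 74) stays within 75.
    folded = b"\r\n ".join(prop[i:i + 74] for i in range(0, len(prop), 74))
    events = b"".join(
        b"BEGIN:VEVENT\r\nUID:evt-%d@example.invalid\r\nDTSTART:20250901T090000Z\r\n"
        b"SUMMARY:Event %d\r\n" % (i, i) + folded + b"\r\nEND:VEVENT\r\n"
        for i in range(n_events))
    return b"BEGIN:VCALENDAR\r\nVERSION:2.0\r\n" + events + b"END:VCALENDAR\r\n"


# Constructed attachments: a large benign agenda, a large invite carrying a
# placeholder script tag, a small invite with script (below threshold), and a
# non-calendar file that should be ignored by this rule.
SAMPLES = [
    ("agenda.ics", _build_ics(100)),
    ("invite.ics", _build_ics(100, b"<html><body><script>/* placeholder */</script></body></html>")),
    ("small.ics", _build_ics(3, b"<script></script>")),
    ("notes.txt", b"<script>"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, inspect_ics(data))
    print("flagged:", triage_attachments(SAMPLES))
```

As the post notes, the condition is rare enough in normal mail flow that every hit can be reviewed by hand; the size threshold is what keeps ordinary HTML-bearing invites out of the queue.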
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Gepetto
Ivan Kwiatkowski provides another AI productivity enhancer to the normies..
Gepetto is a Python plugin which uses various large language models to provide meaning to functions decompiled by IDA Pro (≥ 7.6). It can leverage them to explain what a function does, and to automatically rename its variables.
https://github.com/JusticeRage/Gepetto
Surveyor
Wsxqaz release this tool for Windows which is a research enabler..
Advanced Windows kernel analysis and system profiling tool. Provides comprehensive visibility into kernel callbacks, ETW sessions, driver analysis, and system state through both userland APIs and optional kernel driver integration.
https://github.com/eSentire-Labs/surveyor
Arm MTE and Speculative Oracles
John breaks down the residual viability of attacks..
This isn’t intended to be a comprehensive review of MTE or memory safety, but since people have been talking about it, I thought it would be a good excuse to write something about microarchitectural attacks against MTE.
AWS IAM actions list
Michael Lawler provides a resource which will have a variety of uses..
A list of all known Amazon Web Services’ IAM actions; and a way of updating that list.
https://github.com/TryTryAgain/aws-iam-actions-list
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Annual, quarterly and monthly reports
Nothing overly of note this week… NCSC annual review out next week!
Taming 2,500 compiler warnings with CodeQL, an OpenVPN2 case study
Invisible Ears at Your Fingertips: Acoustic Eavesdropping via Mouse Sensors
Communications in Cryptology - Volume 2, Issue 3 - October, 2025
VehicleSec ‘25 Technical Sessions - was from August, 2025 but I had missed
Two Paths to Memory Safety: CHERI and OMA in the Fight Against Cyber Threats - using examples of attacks like M&S, JLR and Co-Op is not useful when discussing memory safety - however the direction of intent is useful.
Artificial intelligence
Books
Nothing overly of note this week…
Events
Cyber Accountability in Asia: Navigating Norms and Legal Frameworks - October 22nd, Singapore Cyber Week
JSAC2026 – Call for Papers, Tokyo January 21-26
Hack the Silicon - including because I wasn’t aware it was a thing
This goes out on Sunday…
Finally finally the NCSC’s podcast series.
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.