CTO at NCSC Summary: week ending September 28th
NCSC warns of persistent malware campaign targeting Cisco devices ...
Welcome to the weekly highlights and analysis of the blueteamsec Lemmy (and my wider reading). Not everything makes it in, but the best bits do.
Operationally, events in the UK obviously continue to drive the tempo, from airports to manufacturing to nurseries - NCSC statement following reports of nursery data incident - NCSC’s CEO Richard Horne was also on BBC Radio 4 Today (today - Saturday)
In the high-level this week:
NCSC warns of persistent malware campaign targeting Cisco devices - NCSC UK warns - “Latest malware analysis report helps organisations detect and mitigate malicious activity targeting certain Cisco devices.”
Putting people at the heart of an organisation’s approach to cyber security - NCSC UK guides - “How to create the right cultural conditions in an organisation that support and encourage people to carry out the desired cyber security behaviours.”
Post-Quantum Cryptography - NCSC UK podcasts - “In this episode of Cyber Series, Darragh sits down with Dr Jeremy Bradley (Principal TD for Crypt and High Threat Technologies), and Flo D (Deputy CTO for Cyber Policy, NCSC-CAP) to explore what “the quantum threat” really means and how organisations should prepare”
ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices - CISA issues - an emergency directive - “CISA is directing agencies to account for all Cisco ASA and Firepower devices, collect forensics and assess compromise via CISA-provided procedures and tools, disconnect end-of-support devices, and upgrade devices that will remain in service.”
Planning for post-quantum cryptography - Australian Signals Directorate’s Australian Cyber Security Centre publishes - timelines align with the UK/US and they provided estimates on a Cryptographically Relevant Quantum Computer (CRQC)
Co-op’s Financial Impact of Cyber Breach - Co-Op publish annual results - shows that the impact of their cyber event was ~£280 million - £206 million on revenue and £80 million on operating profit and cash.
Ransomware Rising - Digital Front Lines outlines - “Ransomware attacks have surged nearly five-fold in the past five years, driven by increasingly sophisticated tools, rapid digitalization, and the emergence of safe havens where threat actors operate. Extortions through ransomware — malicious software that blocks access to computer data until a ransom is paid — increased almost five times from 474 publicly reported incidents between 2015 and 2019 to 2,326 public incidents between 2020 and 2024, making it the fastest-growing form of cybercrime.”
Bipartisan Bill to Combat Foreign Cyberattacks Targeting American Agriculture - Senators Budd and Cortez Masto introduce - “America’s adversaries are seeking to exploit agricultural technologies and jeopardize our national security. As North Carolina’s top industry, I have seen the benefits that precision technology has on increasing agricultural output and boosting exports, but it takes just one bad actor to stop our producers from feeding America. I teamed up with Senator Cortez Masto to mitigate cyber vulnerabilities by developing defense technologies and training our workforce to eliminate threats targeting American agriculture,”
Hackers target supply chains’ weak links in growing threat to companies - Financial Times reports - “About 30 per cent of 7,965 cyber attacks in 2024 originated via a third party, double the amount from a year earlier, according to Verizon’s 2025 Data Breach Investigations Report. In 2023, these type of hacks represented 14.9 per cent of 7,268 cyber attacks.”
Minister of Digital Affairs: Poland did not fall victim to Saturday’s cyberattack, but we have the capabilities to effectively repel them - Portal Samorządowy reports - “If Poland were to become the target of an attack that would effectively overwhelm critical infrastructure, affecting every citizen, we would be able to respond in kind, Deputy Prime Minister and Minister of Digital Affairs Krzysztof Gawkowski said on Sunday on TVN24.”
National Security Uncertainties: A New Era of Business Risk - Dow Jones Risk Journal publishes - “Businesses are facing a new era of surging national security threats and uncertainties stemming from escalating geopolitical tensions, state-sponsored cyberattacks, trade wars”
KT reports another suspected data breach case to authorities for investigation - Korea Times reports - “The investigation of servers was a separate task that had been carried out for four months and was not related to the mobile payment issue. We became aware of it Thursday night,” said Koo Jae-hyung, who heads KT Corp.’s network technology division, during a government press conference Friday.”
Leaked data reveals the daily lives of North Korean IT workers, from their management systems to their English-speaking habits - WIRED Japan publishes - “Interestingly, all of their communication is in English, not the Korean language,” StttyK said. Researchers and other experts speculate there are several reasons for this: first, to blend in with legitimate activities; and second, to improve their English for job applications and interviews.”
Reporting on/from China
The PLA Goes Back to School: Mapping New Developments in China’s Military Cyber Education System - Margin Research research - “Over the past six months, Beijing has overhauled its military cyber education system in step with broader reforms to the force itself. The PLA’s cyber forces, which were once grouped together under the Strategic Support Force (SSF), have now been split into three components: the Information Support Force (ISF), the Cyberspace Force (CSF), and the Aerospace Force (ASF). The education system has followed suit, with new campuses and specialized programs aligned to each of the successor organizations.”
Inside China’s Surveillance and Propaganda Industries: Where Profit Meets Party - The Diplomat reports - “The products they sell differ, though they complement each other within the larger control system. Geedge is an infrastructure builder. Its flagship product, the Tiangou Secure Gateway, is essentially a turnkey firewall in a box…. GoLaxy operates further up the stack, in the realm of perception and influence. Its systems ingest open-source social media data, map relationships among political actors and influencers, and use artificial intelligence to generate content for orchestrated campaigns.”
China bans tech companies from buying Nvidia’s AI chips - Financial Times reports - “The Cyberspace Administration of China (CAC) told companies, including ByteDance and Alibaba, this week to end their testing and orders of the RTX Pro 6000D, Nvidia’s tailor-made product for the country, according to three people with knowledge of the matter.”
Huawei’s AI chip road map bolsters China’s tech self-sufficiency efforts - South China Morning Post reports - “Huawei Technologies’ recent unveiling of a three-year road map for its Ascend artificial intelligence processors has provided fresh momentum for China’s tech self-sufficiency efforts, according to analysts.”
The Evolution of China’s Semiconductor Industry under U.S. Export Controls - American Affairs Journal publishes - “in 2023, no one in the U.S. government thought Huawei and SMIC would be able to produce a 7 nanometer SoC-based smartphone as they did with the Mate 60. Next year, Huawei and the Chinese semiconductor industry could once again astonish the world.”
Alienation perhaps: the entanglement of suffering and agency of young employees in Chinese internet companies - Inter-Asia Cultural Studies publishes - “Highly educated young employees in Chinese internet companies experience profound alienation, yet many refuse to identify as alienated because alienation is often seen as preferable to unemployment or failure.”
AI
First Malicious MCP in the Wild: The Postmark Backdoor That’s Stealing Your Emails - Idan Dardikman details - noteworthy that whilst AI related, it is not AI specific, i.e. we have lots of this type of challenge in software eco-systems and supply chains generally..
ForcedLeak: AI Agent risks exposed in Salesforce AgentForce - Noma detail - stemming from an expired DNS domain!
Commission launches consultation to develop guidelines and Code of Practice on transparent AI systems - European Commission announces - “The European Commission will help deployers and providers of generative AI systems to detect and label AI generated or manipulated content.”
Google DeepMind: Frontier Safety Framework 3.0 - Four Flynn, Helen King and Anca Dragan outline - “This update builds upon our ongoing collaborations with experts across industry, academia and government. We’ve also incorporated lessons learned from implementing previous versions and evolving best practices in frontier AI safety”
AI to boost trade by nearly 40% by 2040 if gaps are bridged, World Trade Report 2025 finds - World Trade Organisation asserts - “In a scenario in which low- and middle-income economies narrow their digital infrastructure gap with high-income economies by 50% and adopt AI more widely, these economies are projected to see incomes rising by 15% and 14% respectively”
DeepMind and OpenAI achieve gold at ‘coding Olympics’ in AI milestone - Financial Times reports - “The ChatGPT maker’s AI models would have placed first in the competition, the company said on Wednesday. Its latest GPT-5 model solved all 12 problems, 11 of which it got on the first try. OpenAI and DeepMind were not official competitors.”
International Collegiate Programming Contest (ICPC) press release on GDM - “The Google DeepMind team was able to explore solutions and iterate faster than ever before, which was key to reaching the 10-problem milestone.”
International Collegiate Programming Contest (ICPC) press release on OpenAI - “OpenAI’s models successfully solved all 12 problems – a milestone akin to achieving a gold medal at the highest level of achievement!”
Nvidia AI chip challenger Groq raises even more than expected, hits $6.9B valuation - Tech Crunch reports - “Groq’s chips are not GPUs, the graphics processing units that typically power AI systems. Instead, Groq calls them LPUs (language processing units) and calls its hardware an inference engine”
The road to commercial success for neuromorphic technologies - Nature published earlier in the year - “The intriguing combination of neurobiological inspiration for hardware, and engineered optimisation for application building methods, promises to overcome the final hurdles that have held Neuromorphic processors back from widespread commercial success”
Cyber proliferation
Phone spyware scandal in Greece moves to court as critics claim cover-up - BBC reports - “Despite criticism that the common targets by EYP and Predator implied a common strategy of surveillance, the government insisted that this was a coincidence and that no law enforcement agency had ever used Predator, the use of which was illegal in Greece at that time. A new law passed in 2022 has since legalised state security use of surveillance software under strict conditions.”
Bounty Hunting
Netherlands: Two teenagers arrested in spying case linked to Russia - BBC reports - “One of the boys allegedly walked past the offices of Europol, Eurojust and the Canadian embassy in The Hague carrying a “wi-fi sniffer” - a device designed to identify and intercept wi-fi networks.”
Teen Suspect Surrenders in 2023 Las Vegas Casino Cyberattack Case - Casino.org reports - “A teenage boy suspected of involvement in the 2023 cyberattacks that disrupted the two largest Las Vegas casino companies has surrendered to authorities, according to the Las Vegas Metropolitan Police Department (LVMPD).”
‘I Was a Weird Kid’: Jailhouse Confessions of a Teen Hacker - Bloomberg interviews - “Noah Urban’s role in the notorious Scattered Spider gang was talking people into unwittingly giving criminals access to sensitive computer systems.”
Thalha Jubair DOJ complaint - US District Court of District of New Jersey publishes - “Based on the investigation, the FBI believes the Cyber Threat Group has been involved with at least approximately 120 network intrusions, resulting in at least approximately $115,000,000 in ransom payments as well as millions of dollars in damages to the victims.”
Market Incentives
IT service provider NTT removes all Ivanti products from its portfolio - Born’s IT and Windows blog reports - “I’ve received information from a source who wishes to remain anonymous that IT service provider NTT has apparently removed all Ivanti products from its portfolio. As far as I understand, those responsible at NTT are dissatisfied with how Ivanti communicates with its customers about security vulnerabilities.”
Qantas cutting CEO pay signals new era of cyber accountability - CSO Online asserts - “Despite the strong [financial] performance, the Board decided to reduce annual bonuses by 15 percentage points as a result of the impact the cyber incident had on our customers. This reflects their shared accountability, while acknowledging the ongoing efforts to support customers and put in place additional protections for customers.”
Optus to face ‘significant consequences’ over fatal outage - Sydney Morning Herald reports - “Prime Minister Anthony Albanese said he would be “surprised” if Optus chief executive Stephen Rue was not considering resigning from his position after last week’s outage.”
No reflections this week..
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday…
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
COLDRIVER Updates Arsenal with BAITSWITCH and SIMPLEFIX
Sudeep Singh and Yin Hong Chang detail this alleged Russian campaign which is noteworthy for victimology even if the tradecraft is basic.
In September 2025, Zscaler ThreatLabz discovered a new multi-stage ClickFix campaign potentially targeting members of Russian civil society. Based on multiple overlapping tactics, techniques and procedures (TTPs), ThreatLabz attributes this campaign with moderate confidence to the Russia-linked advanced persistent threat (APT) group, COLDRIVER. COLDRIVER (also known as Star Blizzard, Callisto, and UNC4057) is a group known to leverage social-engineering techniques to target NGOs, think tanks, journalists, and human rights defenders, both in Western countries and in Russia.
In September 2025, ThreatLabz discovered a multi-stage ClickFix campaign that is likely affiliated with the nation-state threat group known as COLDRIVER.
COLDRIVER is a Russia-linked APT group that has mainly targeted dissidents and their supporters through phishing campaigns.
ThreatLabz discovered two new lightweight malware families used by the group: a downloader that we named BAITSWITCH, and a PowerShell backdoor that we named SIMPLEFIX.
The continued use of ClickFix suggests that it is an effective infection vector, even if it is neither novel nor technically advanced.
COLDRIVER remains active in targeting members of civil society, both in the Western regions and Russia.
COLDRIVER employs server-side checks to selectively deliver malicious code based on the user-agent and characteristics of the infected machine.
https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix
The Evolution of RomCom
AttackIQ provides a retrospective of the evolution of this alleged Russian capability. If nothing else it shows continued investment in the capability, which raises the value of detecting it..
RomCom isn’t a genre... It’s a weapon. More specifically, it is a commodity malware operated as a polyvalent payload leveraged in state-aligned geopolitical espionage and financially motivated operations. Since its emergence, RomCom has demonstrated progressive adaptability, evolving through five distinct iterations, each introducing increased sophistication, modularity, and functionality.
What began with a report from the United Kingdom’s National Cyber Security Centre (NCSC) quickly unraveled into a sprawling investigation.
As a result, we reconstructed the operational footprint of its operator, an eponymous criminal adversary whose operations are consistently aligned with the geopolitical interests of the Russian Federation, as demonstrated by sustained targeting of Ukraine and NATO-aligned nations
https://www.attackiq.com/resources/romcom-threat-report-2/
Reporting on China
Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors
Sarah Yoder, John Wolfram, Ashley Pearson, Doug Bienstock, Josh Madeley, Josh Murchie, Brad Slaybaugh, Matt Lin, Geoff Carstairs and Austin Larsen detail this alleged Chinese campaign showing intensity, focus and technical sophistication. Should serve as a reminder to all the targeted sectors…
Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. Since March 2025, Mandiant Consulting has responded to intrusions across a range of industry verticals, most notably legal services, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and Technology. The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims.
..
We attribute this activity to UNC5221 and closely related, suspected China-nexus threat clusters that employ sophisticated capabilities, including the exploitation of zero-day vulnerabilities targeting network appliances. While UNC5221 has been used synonymously with the actor publicly reported as Silk Typhoon, GTIG does not currently consider the two clusters to be the same.
https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign
RedNovember Targets Government, Defense, and Technology Organizations
Insikt Group® provide a comprehensive analysis of an alleged Chinese campaign which is extensive and notable for its edge device initial access tradecraft.
Between June 2024 and July 2025, RedNovember (which overlaps with Storm-2077) targeted perimeter appliances of high-profile organizations globally and used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions. The group has expanded its targeting remit across government and private sector organizations, including defense and aerospace organizations, space organizations, and law firms.
We observed RedNovember reconnoitering and likely compromising edge devices for initial access, including SonicWall, Cisco Adaptive Security Appliance (ASA), F5 BIG-IP, Palo Alto Networks GlobalProtect, Sophos SSL VPN, and Fortinet FortiGate instances, as well as Outlook Web Access (OWA) instances and Ivanti Connect Secure (ICS) VPN appliances. RedNovember’s activity exemplifies the ability to combine weaponized proof-of-concept (PoC) exploits with open-source post-exploitation frameworks such as Pantegana, lowering the entry barrier for less-capable threat actors.
RedNovember continues to rely on command-and-control (C2) frameworks (Pantegana and Cobalt Strike) and open-source backdoors (SparkRAT) for its operations.
The threat group has significantly broadened its targeting, including by conducting spearphishing and vulnerability exploitation attempts against entities in the US defense industrial base (DIB) and space organizations in Europe.
At least some of the RedNovember activity that Insikt Group observed, including in Taiwan and Panama, took place in close proximity to geopolitical and military events of key strategic interest to China.
RedNovember has also increasingly focused its initial access efforts on targeting edge devices, including security solutions such as VPNs, firewalls, load balancers, virtualization infrastructure, and email servers.
In April 2025, the threat group conducted a campaign focused on the reconnaissance and targeting of Ivanti Connect Secure (ICS) VPN devices across multiple countries. Specific targets included a major US newspaper and a specialized US engineering and military contractor.
https://assets.recordedfuture.com/insikt-report-pdfs/2025/cta-cn-2025-0924.pdf
Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign
Yoav Zemah provides further details and analysis of this alleged China-originating set of activity. Noteworthy for focusing on East and Southeast Asia.
We track this cluster of activity as CL-UNK-1037. Our analysis revealed infrastructure and architectural overlaps with the publicly tracked “Group 9” threat cluster and the “DragonRank” campaign.
To perform SEO poisoning, attackers manipulate search engine results to trick people into visiting unexpected or unwanted websites (e.g., gambling and porn websites) for financial gain. This attack used a malicious native Internet Information Services (IIS) module called BadIIS. This module intercepts and alters web traffic, using legitimate compromised servers to serve malicious content to visitors. The compromised web server then acts as a reverse proxy — an intermediary server getting content from other servers and presenting it as its own.
Analysis of the malware’s configuration reveals a clear geographic focus on East and Southeast Asia. This targeting is evident in the module’s code, which includes specific logic for regional search engines.
https://unit42.paloaltonetworks.com/operation-rewrite-seo-poisoning-campaign/
How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking
Joey Chen and Takahiro Takeda detail the evolution of, and cross-over with, various other implants in this alleged China-originating capability. Noteworthy for that reason..
Talos discovered that the new variant’s features overlap with both the RainyDay and Turian backdoors, including abuse of the same legitimate applications for DLL sideloading, the XOR-RC4-RtlDecompressBuffer algorithm used to encrypt/decrypt payloads and the RC4 keys used.
The configuration associated with this new variant of PlugX differs significantly from the standard PlugX configuration format. Instead, it adopts the same structure as RainyDay, enabling us to assess with medium confidence that this variant of PlugX can be attributed to Naikon.
Although these malware families have historically been associated with campaigns attributed to Naikon or BackdoorDiplomacy, our analysis of the victimology and technical malware implementation has uncovered evidence that indicates a potential connection between the two threat actors and suggests that they are the same group or that both are sourcing their tools from the same vendor.
Who is Salt Typhoon Really? Unraveling the Attribution Challenge
Natto Team pose and answer some questions based on their analysis of alleged Chinese linked Salt Typhoon companies..
After examining these three Chinese companies and their possible roles in Salt Typhoon-related cyber operations, we presented a few questions worth further exploration. In this post, we will address questions about the involvement of Chinese companies in state-sponsored cyber operations and share some observations on threat attribution from the joint advisory.
nattothoughts.substack.com/p/who-is-salt-typhoon-really-unraveling
Inside Salt Typhoon: China’s State-Corporate Advanced Persistent Threat
Domain Tools provide their analysis of this alleged Chinese threat actor, which shows the potential use of the private sector to support state goals.
Salt Typhoon operates with both direct MSS oversight and the support of pseudo-private contractor ecosystems, leveraging front companies and state-linked firms to obscure attribution.
https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat/
Reporting on North Korea
DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception
Peter Kálnai and Matěj Havránek detail an alleged North Korean campaign which is of note due to the subtle complexities and different intents.
The invention and focus of the operations are on the social-engineering methods.
DeceptiveDevelopment’s toolset is mostly multiplatform and consists of initial obfuscated malicious scripts in Python and JavaScript, basic backdoors in Python and Go, and a dark web project in .NET.
We provide insights into operational details of North Korean IT workers, like work assignments, schedules, communication with clients, etc., gathered from public sources.
Native, more complex Windows backdoors are an occasional addition in the execution chain and are likely shared by other North Korea-aligned actors.
DeceptiveDevelopment and North Korean IT workers have different objectives and means, but we consider them as tightly connected.
Kimsuky Attack Disguised as Sex Offender Notification Information
Hwang Min-kyung details an alleged North Korean campaign leading to a stealer. The notable aspect is the nature of the lure; the actual tradecraft is rather basic.
Distribution method
Attackers distribute decoy compressed files such as 성범죄자 신상정보 고지.zip (“Sex offender personal information notice.zip”), 국세 고지서.pdf.zip (“National tax bill.pdf.zip”), sexoffender.zip, etc.
When unzipped, you will find a shortcut file disguised as a text file, 문서암호.txt.lnk (“Document password.txt.lnk”), along with encrypted decoy documents.
https://logpresso.com/ko/blog/2025-09-18-Kimsuky-Attack
Reporting on Iran
Nimbus Manticore Deploys New Malware Targeting Europe
Check Point Research detail this alleged Iranian operation which hints at a small incremental evolution in low-level implant functionality. The victimology is of note..
Check Point Research is tracking a long‑running campaign by the Iranian threat actor Nimbus Manticore, which overlaps with UNC1549, Smoke Sandstorm, and the “Iranian Dream Job” operations. The ongoing campaign targets defense manufacturing, telecommunications, and aviation that are aligned with IRGC strategic priorities.
Nimbus Manticore’s recent activity indicates a heightened focus on Western Europe, specifically Denmark, Sweden, and Portugal. The threat actor impersonates local and global aerospace, defense manufacturing, and telecommunications organizations.
The threat actor uses tailored spear‑phishing from alleged HR recruiters directing victims to fake career portals. Each target receives a unique URL and credentials, enabling tracking and controlled access of each victim. This approach demonstrates strong OPSEC and credible pretexting.
The attacker uses previously undocumented low-level APIs to establish a multi-stage DLL side-loading chain. This causes a legitimate process to sideload a malicious DLL from a different location and override the normal DLL search order.
The Nimbus Manticore toolset includes the MiniJunk backdoor and the MiniBrowse stealer. The tools continuously evolve to remain covert, leveraging valid digital signatures, inflated binary sizes, multi-stage sideloading and heavy, compiler‑level obfuscation that renders samples “irreversible” for regular advanced static analysis.
https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe/
Reporting on Other Actors
ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
Cisco Talos detail this implant found on perimeter network devices. A reminder of why having true signals flowing through logging infrastructure is valuable..
UAT4356 deployed two backdoors as components of this campaign, “Line Runner” and “Line Dancer,” which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement.
Line Dancer is used to execute commands on the compromised device. During our investigation, Talos was able to observe the threat actors using the Line Dancer malware implant to:
Disable syslog.
Run and exfiltrate the command show configuration.
Create and exfiltrate packet captures.
Execute CLI commands present in shellcode; this includes configuration mode commands and the ability to save them to memory (write mem).
Hook the crash dump process, which forces the device to skip the crash dump generation and jump directly to a device reboot. This is designed to evade forensic analysis, as the crash dump would contain evidence of compromise and provide additional forensic details to investigators.
Hook the AAA (Authentication, Authorization and Accounting) function to allow for a magic number authentication capability. When the attacker attempts to connect to the device using this magic number, they are able to establish a remote access VPN tunnel bypassing the configured AAA mechanisms. As an alternate form of access, a P12 blob is generated along with an associated certificate and exfiltrated to the actor along with a certificate-based tunnel configuration.
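A detection check for the first Line Dancer action listed above, disabling syslog, written here as an added example rather than code from Talos or Cisco: it parses collector-side ASA syslog and flags inventoried devices that have fallen silent. The log lines, hostnames, inventory and reference time are all constructed.

```python
"""Flag Cisco ASA devices that have gone quiet on the syslog collector.

Added example, not code from the Talos report. Line Dancer's first action
above is to disable syslog, so the absence of expected log traffic is itself
a signal worth alerting on. All log lines, hostnames and times are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: two ASAs report to the collector. fw-edge-2 stops
# logging after 10:02 while fw-edge-1 keeps going. The %ASA-6-3020xx lines
# mirror the standard ASA connection build/teardown syslog format.
SAMPLE_SYSLOG = """\
<166>Sep 24 2025 10:00:01 fw-edge-1 : %ASA-6-302013: Built outbound TCP connection 11 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.5/51000 (10.0.0.5/51000)
<166>Sep 24 2025 10:00:03 fw-edge-2 : %ASA-6-302013: Built outbound TCP connection 21 for outside:198.51.100.9/443 (198.51.100.9/443) to inside:10.0.1.7/51010 (10.0.1.7/51010)
<166>Sep 24 2025 10:01:10 fw-edge-1 : %ASA-6-302014: Teardown TCP connection 11 for outside:203.0.113.5/443 to inside:10.0.0.5/51000 duration 0:01:09 bytes 4120 TCP FINs
<166>Sep 24 2025 10:02:00 fw-edge-2 : %ASA-6-302014: Teardown TCP connection 21 for outside:198.51.100.9/443 to inside:10.0.1.7/51010 duration 0:01:57 bytes 880 TCP FINs
this line is not syslog and must be skipped by the parser
<166>Sep 24 2025 10:05:30 fw-edge-1 : %ASA-6-302013: Built outbound TCP connection 12 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.5/51002 (10.0.0.5/51002)
<166>Sep 24 2025 10:14:45 fw-edge-1 : %ASA-6-302014: Teardown TCP connection 12 for outside:203.0.113.5/443 to inside:10.0.0.5/51002 duration 0:09:15 bytes 9900 TCP FINs
"""

# Devices the asset inventory says must be logging (constructed). fw-dc-3 is
# inventoried but never appears in the feed: misconfigured, or silenced.
EXPECTED_HOSTS = ["fw-edge-1", "fw-edge-2", "fw-dc-3"]
REFERENCE_NOW = datetime(2025, 9, 24, 10, 15, 0)  # collector clock at check time

LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) : %ASA-(?P<sev>\d)-(?P<msgid>\d+): (?P<msg>.*)$"
)


def parse_line(line):
    """Parse one ASA syslog line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), "msgid": m.group("msgid"), "msg": m.group("msg")}


def last_seen_by_host(log_text):
    """Newest timestamp observed per reporting device."""
    last = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (rec["host"] not in last or rec["ts"] > last[rec["host"]]):
            last[rec["host"]] = rec["ts"]
    return last


def silent_devices(log_text, expected_hosts, now, max_silence=timedelta(minutes=10)):
    """Return {host: seconds_since_last_message} for every inventoried device
    whose newest line is older than max_silence; None means never seen at all."""
    last = last_seen_by_host(log_text)
    silent = {}
    for host in expected_hosts:
        if host not in last:
            silent[host] = None
            continue
        gap = now - last[host]
        if gap > max_silence:
            silent[host] = int(gap.total_seconds())
    return silent


if __name__ == "__main__":
    for host, gap in silent_devices(SAMPLE_SYSLOG, EXPECTED_HOSTS, REFERENCE_NOW).items():
        print(f"{host}: {'never logged' if gap is None else f'silent for {gap}s'}")
```

The inventory check doubles as the "account for all devices" step in ED 25-03: a device that should be logging and is not is worth a look either way.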
BlockBlasters: Infected Steam game downloads malware disguised as patch
G DATA Security Lab details what would otherwise be considered a run-of-the-mill stealer campaign, but via Steam..
A 2D platformer game called BlockBlasters has recently started showing signs of malicious activity after a patch release on August 30. While the user is playing the game, various bits of information are lifted from the PC the game is running on - including crypto wallet data. Hundreds of users are potentially affected.
https://www.gdatasoftware.com/blog/2025/09/38265-steam-blockblasters-game-downloads-malware
But this particular case was hyper abhorrent, as a cancer fundraising stream was impacted live on air, leading to the loss of $32,000.
SystemBC – Bringing the Noise
The Black Lotus Labs team at Lumen Technologies identify the scale and complexity of a contemporary botnet.
[We] uncovered new infrastructure behind the “SystemBC” botnet, a network composed of over 80 C2s with a daily average of 1,500 victims, nearly 80% of which are compromised VPS systems from several large commercial providers. The victims are made into proxies that enable high volumes of malicious traffic for use by a host of criminal threat groups. By manipulating VPS systems instead of devices in residential IP space as is typical in malware-based proxy networks, SystemBC can offer proxies with massive amounts of volume for longer periods of time. Similar, high-bandwidth proxies in residential IP space would alert and disrupt users of smaller, lower bandwidth devices.
https://blog.lumen.com/systembc-bringing-the-noise/
Unmasking Akira: The ransomware tactics you can’t afford to ignore
Zensec summarise this criminal threat actor and their methods. Noteworthy for the initial access methods..
Their primary method of entry is through SSL VPN exploitation (Cisco ASA, SonicWall, WatchGuard), often taking advantage of missing MFA or unpatched vulnerabilities.
https://zensec.co.uk/blog/unmasking-akira-the-ransomware-tactics-you-cant-afford-to-ignore/
Elons (Proxima/Black Shadow related) ransomware attack via Oracle DBS External Jobs
Yarix details the initial access vector by this ransomware group.
The entry point detected was the use of a function of Oracle DBS, an exposed service active on their Database Server, which allowed the execution of commands remotely. The service was exploited to obtain abusive access to the infrastructure after several attempts to access it, evidenced by the numerous events related to logins, part of which we highlight for example in the following figure.
GOLD SALEM’s Warlock operation joins busy ransomware landscape
Sophos Counter Threat Unit Research Team summarise the activities based on public information of this ransomware group.
The group’s 60 published victims through mid-September 2025 rank it in the middle when compared to other ransomware operations during the same period. GOLD SALEM’s victims have ranged from small commercial or government entities to large multinational corporations spread throughout North America, Europe, and South America. Like most ransomware groups, GOLD SALEM has largely avoided compromising organizations located in China and Russia despite the large pool of potential targets. However, the group posted the name of a Russia-based victim to its dedicated leak site (DLS) on September 8. The commercial entity provides engineering services and equipment to the electricity generation industry. Despite harboring a large contingent of global ransomware distributors, the Russian Federation is known to aggressively pursue groups that attack organizations in Russia and its “near-abroad” neighbors. GOLD SALEM’s listing of a Russian victim suggests that the group may operate from outside of this jurisdiction.
Discovery
How we find and understand the latent compromises within our environments.
ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices
CISA issued the emergency directive..
CISA is aware of an ongoing exploitation campaign by an advanced threat actor targeting Cisco Adaptive Security Appliances (ASA). The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. This activity presents a significant risk to victim networks. Cisco assesses that this campaign is connected to the ArcaneDoor activity identified in early 2024 and that this threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024. These zero-day vulnerabilities in the Cisco ASA platform are also present in specific versions of Cisco Firepower. Firepower appliances’ Secure Boot would detect the identified manipulation of the ROM.
Supplemental Direction ED 25-03: Core Dump and Hunt Instructions
CISA detailed how to collect the required core dumps..
The following guidance is being provided to help entities check the status of their Cisco devices. It is prudent that all network defenders follow the listed guidance and contact CISA, if signs of compromise are observed.
IMDS Abused: Hunting Rare Behaviors to Uncover Exploits
Hila Ramati and Gili Tikochinski detail a technique which allowed them to uncover in-the-wild exploitation..
Using the process described above, we uncovered exploitation in the wild of a previously unknown zero-day vulnerability in a popular web service stemming from insecure use of pandoc. The hunt began with a process named pandoc making an unusual IMDS request. While this binary can be found in numerous environments, in less than 2% of those environments it was consistently accessing sensitive IMDS endpoints, including /latest/meta-data/iam/info. This immediately raised a red flag.
https://www.wiz.io/blog/imds-anomaly-hunting-zero-day
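The rarity logic behind that hunt, as an added example (not the Wiz team's code): a binary present across many environments is flagged only when the share of those environments in which it reads sensitive IMDS paths falls below a small threshold. The inventory and IMDS request records are constructed, and treating the whole iam/ subtree as sensitive is an assumption.

```python
"""Rarity-based hunt for processes touching sensitive IMDS endpoints.

Added example, not code from the Wiz post: it models the approach the
post describes, where a binary present in many environments is worth a
look only if a small fraction of those environments show it reading
sensitive IMDS paths. Inventory and log records are constructed samples.
"""
from collections import defaultdict

# /latest/meta-data/iam/info is the path named in the post; treating the
# whole iam/ subtree (which also serves role credentials) as sensitive is
# an assumption of this example.
SENSITIVE_PREFIXES = ("/latest/meta-data/iam/",)

def is_sensitive(path):
    """True for IMDS paths that return identity or credential material."""
    return path.startswith(SENSITIVE_PREFIXES)

def rare_sensitive_callers(inventory, imds_log, max_ratio=0.02, min_envs=20):
    """Return sorted [(process, ratio)] for processes present in at least
    min_envs environments (inventory: (env, process) pairs, request or not)
    whose sensitive IMDS reads (imds_log: (env, process, path) records)
    occur in fewer than max_ratio of those environments."""
    present = defaultdict(set)
    for env, proc in inventory:
        present[proc].add(env)
    sensitive = defaultdict(set)
    for env, proc, path in imds_log:
        if is_sensitive(path):
            sensitive[proc].add(env)
    hits = []
    for proc, envs in present.items():
        n_sens = len(sensitive[proc] & envs)
        if len(envs) < min_envs or n_sens == 0:
            continue  # too little baseline, or nothing sensitive at all
        ratio = n_sens / len(envs)
        if ratio < max_ratio:
            hits.append((proc, ratio))
    return sorted(hits)

# Constructed fleet: 100 environments, each running pandoc and the aws CLI.
ENVS = [f"env-{i:03d}" for i in range(100)]
PROCESS_INVENTORY = [(e, "pandoc") for e in ENVS] + [(e, "aws") for e in ENVS]
IMDS_LOG = (
    # the aws CLI reads role credentials almost everywhere: expected baseline
    [(e, "aws", "/latest/meta-data/iam/security-credentials/") for e in ENVS[:95]]
    # pandoc reads a non-sensitive path in a few places: not flagged
    + [(e, "pandoc", "/latest/meta-data/instance-id") for e in ENVS[:5]]
    # and in exactly one environment it reads iam/info: the 1% outlier
    + [("env-042", "pandoc", "/latest/meta-data/iam/info")]
)

if __name__ == "__main__":
    for proc, ratio in rare_sensitive_callers(PROCESS_INVENTORY, IMDS_LOG):
        print(f"{proc}: sensitive IMDS access in {ratio:.0%} of environments")
```

The aws CLI is not flagged because its credential reads are fleet-wide, while pandoc's single iam/info read against a 100-environment baseline is exactly the rare behaviour the post describes.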
Defence
How we proactively defend our environments.
Cyber Threat Intelligence Communication & Reporting Techniques
Bank Security publishes their principles..
This article aims to outline some of the key principles for structuring and delivering CTI notifications — providing a practical reference not only for junior analysts learning best practices but also for experienced professionals who may benefit from a fresh perspective.
Our plan for a more secure npm supply chain
Xavier René-Corail outlines the plan given the recent rash of incidents..
Local publishing with required two-factor authentication (2FA).
Granular tokens which will have a limited lifetime of seven days.
https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/
Linux Kernel Runtime Guard (LKRG) 1.0 (Nullcon Berlin 2025)
Solar Designer outlines that LKRG has hit 1.0 - go forth and ensure kernel integrity.
Linux Kernel Runtime Guard (LKRG) is a Linux kernel module that performs runtime integrity checking of the kernel and detection of security vulnerability exploits against the kernel, prevention of and response to successful attacks, and encrypted remote logging. The project was founded by Adam ‘pi3’ Zabrocki, who invited Solar Designer to join and we released version 0.0 publicly in 2018 under Openwall umbrella (announced as Openwall’s most controversial project to date). We have been extending and maintaining it since (as an independent project supported at various times by Binarly and CIQ). While we had a userbase using it in production (and did so ourselves) during all this time, now we’re finally ready to call it mature and release 1.0.
https://www.openwall.com/presentations/NullconBerlin2025-LKRG/
Beyond Sandbox Domains: Rendering Untrusted Web Content with SafeContentFrame
Jan Gora outlines how web security is continuing to evolve..
we’ve developed SafeContentFrame, a new TypeScript library that not only solves the aforementioned problems but also significantly increases content isolation. SafeContentFrame provides a secure way to render untrusted content of various formats – anything a browser can render, including HTML, PDF, XML, SVG, and more – inside an iframe.
Incident Writeups & Disclosures
How they got in and what they did.
CISA Shares Lessons Learned from an Incident Response Engagement
CISA publish lessons..
CISA began incident response efforts at a U.S. federal civilian executive branch (FCEB) agency following the detection of potential malicious activity identified through security alerts generated by the agency’s endpoint detection and response (EDR) tool. CISA identified three lessons learned from the engagement that illuminate how to effectively mitigate risk, prepare for, and respond to incidents: vulnerabilities were not promptly remediated, the agency did not test or exercise their incident response plan (IRP), and EDR alerts were not continuously reviewed.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-266a
Vulnerability
Our attack surface.
Libraesva ESG Command injection vulnerability (CVE-2025-59689)
Notable because a malicious email can trigger it..
Libraesva ESG is affected by a command injection flaw that can be triggered by a malicious e-mail containing a specially crafted compressed attachment, allowing potential execution of arbitrary commands as a non-privileged user. This occurs due to an improper sanitization during the removal of active code from files contained in some compressed archive formats.
Project Rain:L1TF
Mathé Hertogh, Eduardo Vela Nava, Dave Quakkelaar and Matteo Rizzo
This blog provides a detailed overview of the L1TF vulnerability, a CPU vulnerability on some Intel CPUs (Skylake and older), how it could be exploited, as well as different mitigation strategies. We also explain how Google responded to this issue and the work we have done to fix this vulnerability together with the Linux Kernel community as part of developing Address Space Isolation. This blog is written together with VUSec, the Systems and Network Security Group at Vrije Universiteit Amsterdam who did the research on the L1TF Reloaded exploit (paper) but had to remain anonymous until last month in order to go through the double blind review process, which is now over.
https://bughunters.google.com/blog/4684191115575296/project-rain-l1tf
Chypnosis: Undervolting-based Static Side-channel Attacks
Kyle Mitard, Saleh Khalaj Monfared, Fatemeh Khojasteh Dana, Robert Dumitru, Yuval Yarom and Shahin Tajik
Static side-channel analysis attacks, which rely on a stopped clock to extract sensitive information, pose a growing threat to embedded systems’ security. To protect against such attacks, several proposed defenses aim to detect unexpected variations in the clock signal and clear sensitive states. In this work, we present Chypnosis, an undervolting attack technique that indirectly stops the target circuit clock, while retaining stored data. Crucially, Chypnosis also blocks the state clearing stage of prior defenses, allowing recovery of secret information even in their presence. However, basic undervolting is not sufficient in the presence of voltage sensors designed to handle fault injection via voltage tampering.
https://arxiv.org/abs/2504.11633
Offense
Attack capability, techniques and trade-craft.
The Phantom Extension: Backdooring chrome through uncharted pathways
Riadh Bouchahoua details a technique that all defensive teams will want to ensure they have coverage of.
Our research, initiated on Chromium version 130 and valid up to the latest release available at the time of writing, introduces a backdooring and post‑exploitation technique. By leveraging a simple disk write primitive, it becomes possible to silently install custom extensions on Chromium‑based browsers deployed within Windows environments.
Domain Fronting is Dead. Long Live Domain Fronting!
Adam Crosser highlights why all network defenders need to take their network traffic analysis tradecraft to the next level..
What if we could perform tunneling not just through web conferencing applications, but through the very backbone of the Internet, Google’s own infrastructure? Services like Google Meet, YouTube, Chrome’s update servers, and even Google Cloud Platform (GCP) form part of the daily workflow and backbone for billions of users worldwide. They’re too critical for defenders to simply block, making them an ideal cover for stealthy adversary operations.
https://www.praetorian.com/blog/domain-fronting-is-dead-long-live-domain-fronting/
From Abstract Terms to Acumen: SEO Poisoning
Cyb3rhawk details the technique which can be used for the multitude of offensive use cases.
https://medium.com/@cyb3r-hawk/from-abstract-terms-to-acumen-seo-poisoning-b4152ee21594
EDR-Freeze
Two Seven One Three releases a capability that hopefully Microsoft will mitigate but either way defensive teams will want to detect. Also highlights why having positive signal coming through your EDR is a good idea.
This is a tool that exploits the software vulnerability of WerFaultSecure to suspend the processes of EDRs and antimalware without needing to use the BYOVD (Bring Your Own Vulnerable Driver) attack method.
EDR-Freeze operates in user mode, so you don’t need to install any additional drivers. It can run on the latest version of Windows.
The experiment was conducted with the latest version of Windows at the time of the project creation: Windows 11 24H2
https://github.com/TwoSevenOneT/EDR-Freeze
ByteCaster
Print3M release this tool.. which will be helpful to train our AI overlords on detection..
Swiss Army Knife for payload encryption, obfuscation, and conversion to byte arrays
It supports 3 encryption algorithms, 4 encoding / obfuscation algorithms and 14 output formats.
https://github.com/Print3M/ByteCaster
Exploitation
What is being exploited..
Deserialization Vulnerability in GoAnywhere MFT’s License Servlet
Fortra alerted..
A deserialization vulnerability in the License Servlet of Fortra’s GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
https://www.fortra.com/security/advisories/product-security/fi-2025-012
A Nuclei template was released to enable detection
https://github.com/rxerium/CVE-2025-10035
watchTowr did their thing..
Below, we have summarised the sequence of exploitation and follow-on activity observed in-the-wild.
The threat actor triggers the pre-auth deserialization vulnerability in GoAnywhere MFT, achieving Remote Code Execution (RCE).
With the RCE, they create a GoAnywhere user, a backdoor admin account named admin-go.
Using the admin-go account, they create a web user. Now they have “legitimate” access to the solution itself.
Via that new web user, the threat actor uploads and executes multiple secondary payloads.
https://labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-10035/
https://labs.watchtowr.com/it-is-bad-exploitation-of-fortra-goanywhere-mft-cve-2025-10035-part-2/
Tea continued - Unauthenticated access to 150+ Firebase databases, storage buckets and secrets
Mike Oude Reimer highlights there are some substantial low hanging fruits..
Think the Tea data breach was bad? Multiply it by about 150, and most likely by 4,800. That is the current state of the Firebase landscape, which about 80% of mobile apps use in one way or another. I reviewed the ~400 most popular (worldwide) mobile apps from only 3 app categories (~1200 in total) and was able to gain unauthenticated access to 150+ different Firebase services. This included access to Realtime Databases, Storage Buckets, Firestore (databases), and secrets defined in Remote Configs.
What do these Firebase services have in common? All of them can easily be left exposed and often contain critical data. If you can think of a type of data, I probably came across it: everything from payment details, user data, millions of IDs, private messages, cleartext passwords, user prompts, GitHub and AWS tokens with the highest privileges and much more.
These aren’t just random mobile apps with a few hundred or thousand downloads. Most of them have over 100K+, 1M+, 5M+, 10M+, 50M+, or even 100M+ downloads (Tea app only has 500K+ downloads).
https://ice0.blog/docs/openfirebase
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Titanis
Codewhisperer84 releases this protocol stack which will enable various tooling development..
Titanis is a library of protocol implementations and command line utilities, written in C#, for interacting with Windows environments. It uses .NET 8 and is cross-platform (Windows and Linux).
https://github.com/trustedsec/Titanis/
Time Travel Debugging (TTD) SDK
Microsoft release…
Time Travel Debugging (TTD) is a powerful debugging technology that records the complete execution of a program, allowing you to replay and analyze it deterministically. TTD enables developers and researchers to:
Navigate backwards and forwards through program execution with precision
Capture complete execution traces including memory accesses, register states, and API calls
Debug intermittent and hard-to-reproduce issues with perfect reproducibility
Perform post-mortem analysis on crashes and complex failures
Analyze malware and security vulnerabilities in a safe, controlled environment
Extract detailed insights from program behavior without source code
https://github.com/microsoft/WinDbg-Samples/blob/master/TTD/README.md
FlareProx
MrTurvey releases this which may be useful but also cause headaches..
FlareProx automatically deploys HTTP proxy endpoints on Cloudflare Workers for easy redirection of all traffic to any URL you specify. It supports all HTTP methods (GET, POST, PUT, DELETE, etc.) and provides IP masking through Cloudflare’s global network. 100k requests per day are free!
https://github.com/MrTurvey/flareprox
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Annual, quarterly and monthly reports
Nothing overly of note this week
The Beginner’s Textbook for Fully Homomorphic Encryption
more resources on fhe.org
ESSI “Information Systems Security Expert” training - “The ESSI “Information Systems Security Expert” training course is probably the oldest Bac+5 level training course in France in the field of cybersecurity. It was created in 1957 by the cipher service, under the name BECS “Brevet d’Études Cryptographiques Supérieures” training course.”
Artificial intelligence
ATLANTIS: AI-driven Threat Localization, Analysis, and Triage Intelligence System
Signed-Prompt: A New Approach to Prevent Prompt Injection Attacks Against LLM-Integrated Applications - not signing cryptographically
The protection of AI-based space systems from a data-driven governance perspective
AI Is Learning to Predict the Future—And Beating Humans at It
Books
Nothing overly of note this week
Events
m0leCon 2025 - videos
From Research to Reality: The Security by Design Project - Lawfare Institute, October 1st, virtual
Finally finally the NCSC’s podcast series.
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.