August 17, 2025

Cyber OSINT Overview, Aug 11 - Aug 17, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • Microsoft’s August 2025 Patch Tuesday was a major focus, addressing 107 to 111 vulnerabilities across its product suite. Key patches were released for critical remote code execution (RCE) and elevation of privilege (EoP) flaws in Microsoft Exchange, SharePoint, Windows Kerberos, and various graphics components. The update included a fix for a publicly disclosed zero-day in Windows Kerberos (CVE-2025-53779, “BadSuccessor”) and a critical RCE in SharePoint (CVE-2025-49712). Despite warnings, tens of thousands of Exchange servers remained unpatched for a related critical vulnerability (CVE-2025-53786).
  • Vulnerabilities in Industrial Control Systems (ICS) and Operational Technology (OT) were widely reported, with dozens of advisories released for Siemens and Rockwell Automation products. Flaws ranged from denial-of-service and remote code execution to privilege escalation in critical systems like SIMATIC, SINUMERIK, RUGGEDCOM, and ControlLogix. The significant number of alerts highlights increasing risks to critical manufacturing and energy sectors. In response, CISA and its partners issued comprehensive guidance for OT asset inventory management to help organizations improve visibility and security posture.
  • Multiple critical vulnerabilities were disclosed for Fortinet products, with a significant focus on a pre-authentication command injection flaw in FortiSIEM (CVE-2025-25256), which has a CVSS score of 9.8. Fortinet confirmed that proof-of-concept exploit code exists for this vulnerability, and it is reportedly being actively exploited. This disclosure coincided with a separate report of a significant spike in coordinated brute-force attacks targeting Fortinet SSL VPNs, suggesting a heightened threat focus on Fortinet appliances.
  • Cisco released patches for numerous vulnerabilities across its product line, including a critical remote code execution flaw (CVE-2025-20265) in its Secure Firewall Management Center (FMC) software with a CVSS score of 10.0. This vulnerability allows an unauthenticated, remote attacker to inject and execute arbitrary shell commands. Other advisories covered multiple denial-of-service (DoS) vulnerabilities in Cisco IOS, IOS XE, ASA, and Secure Firewall Threat Defense software, affecting the IKEv2 and RADIUS subsystems.
  • The use of AI in cybercrime is a rapidly growing trend, with threat actors leveraging generative AI tools like Evil-GPT and WolfGPT to create sophisticated phishing content, malware, and deepfakes. These tools lower the barrier to entry for less skilled attackers and increase the scale and effectiveness of campaigns. Security researchers are also using AI for defense, with applications in malware analysis, code security reviews, and patch diffing to accelerate vulnerability discovery. However, security models for new AI systems like GPT-5 are still being tested, with researchers successfully jailbreaking the model shortly after its release.
  • Numerous advisories addressed multiple vulnerabilities in the Linux Kernel, affecting major distributions including Red Hat Enterprise Linux and Ubuntu. The flaws could allow local or remote attackers to cause a denial-of-service (DoS) condition, escalate privileges, or achieve other unspecified impacts. The high volume of kernel-related patches underscores the continuous effort required to secure the foundational component of many enterprise and cloud systems. Organizations are urged to apply the latest kernel updates provided by their respective Linux distribution vendors.

Critical Vulnerabilities

  • Fortinet disclosed CVE-2025-25256, a critical (CVSS 9.8) pre-authentication OS command injection vulnerability in FortiSIEM. The flaw allows a remote, unauthenticated attacker to execute arbitrary commands via crafted CLI requests to the phMonitor service on TCP port 7900. Fortinet confirmed that practical exploit code exists in the wild and that the vulnerability is under active exploitation. Due to the lack of distinct indicators of compromise, organizations are strongly urged to upgrade to a patched version or restrict access to the affected service immediately.
  • Cisco revealed CVE-2025-20265, a maximum-severity (CVSS 10.0) unauthenticated, remote command injection vulnerability in its Secure Firewall Management Center (FMC) software. The flaw exists in the RADIUS subsystem and allows an attacker to inject and execute arbitrary shell commands with high privileges during the authentication phase. The vulnerability affects specific versions of the software where RADIUS authentication is enabled for the web interface or SSH. Cisco has released patches and urges customers to upgrade immediately as there are no workarounds.
  • CISA added two vulnerabilities in N-able N-central (CVE-2025-8875 and CVE-2025-8876) to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. These flaws include an insecure deserialization vulnerability and a command injection vulnerability, both of which could allow an attacker to execute unauthorized commands. Although the vulnerabilities require authentication to exploit, their presence in the KEV catalog indicates they pose a significant risk. N-able has released version 2025.3.1 to address the issues.
  • Microsoft’s August Patch Tuesday addressed several critical remote code execution vulnerabilities, including CVE-2025-50165 in the Windows Graphics Component and CVE-2025-53766 in GDI+, both with CVSS scores of 9.8. These flaws could be exploited by tricking a user into opening a specially crafted file or visiting a malicious webpage, allowing an attacker to execute code without user interaction. Another critical RCE, CVE-2025-49712 (CVSS 8.8), affects Microsoft SharePoint and can be exploited by an authenticated attacker over the network.
  • A zero-day path traversal vulnerability in WinRAR (CVE-2025-8088) was discovered being actively exploited by at least two distinct threat groups, including the Russia-aligned RomCom group. Attackers used phishing emails with malicious archives to exploit the flaw, allowing them to drop files into arbitrary locations like startup folders to achieve code execution. Rarlab released version 7.13 to patch the vulnerability, and CISA has added it to its KEV catalog, urging users to update immediately.
  • A zero-day vulnerability (CVE-2025-32433) in Erlang/OTP’s SSH daemon is being actively exploited, allowing unauthenticated remote code execution. This flaw, rated with a CVSS score of 10.0, affects versions prior to OTP-27.3.3 and is particularly concerning for OT and 5G networks where Erlang/OTP is widely used for remote management. Unit 42 observed a significant spike in exploitation attempts, with 70% of detections on firewalls protecting OT networks in sectors like healthcare and agriculture.
  • Security researchers disclosed a new denial-of-service vulnerability named “MadeYouReset” (CVE-2025-8671) affecting multiple HTTP/2 implementations. The attack exploits malformed HTTP/2 control frames to cause stream resets, leading to server resource exhaustion and potential DoS conditions. The vulnerability is conceptually similar to the “Rapid Reset” attack from 2023. Major vendors like F5 and Cloudflare have issued advisories, with Cloudflare confirming its existing mitigations for Rapid Reset also protect against this new threat.
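The MadeYouReset item above notes that existing Rapid Reset mitigations also cover this attack. The difference between the two is who sends the reset: Rapid Reset is driven by client RST_STREAM frames, while MadeYouReset sends malformed control frames that force the server itself to reset the stream. The model below is an added example written for this brief, not code from F5, Cloudflare or any HTTP/2 implementation, and it assumes (as a generalisation of the two attacks) that a per-connection reset budget should charge every stream reset, whoever initiated it. The two malformed frames it recognises are ones RFC 9113 defines as stream errors; the frame dicts, thresholds and traffic samples are constructed.

```python
from collections import deque


class ResetBudget:
    """Sliding-window count of stream resets on one HTTP/2 connection.

    Every reset is charged, whether the client sent RST_STREAM itself or
    the server had to reset a stream because of a malformed frame.
    """

    def __init__(self, max_resets, window_seconds):
        self.max_resets = max_resets
        self.window = window_seconds
        self.events = deque()      # timestamps of resets inside the window
        self.tripped = False

    def charge(self, now):
        """Record one reset at time `now`; return False once the budget is blown."""
        if self.tripped:
            return False
        while self.events and now - self.events[0] > self.window:
            self.events.popleft()
        self.events.append(now)
        if len(self.events) > self.max_resets:
            self.tripped = True
            return False
        return True


def handle_frame(budget, now, frame):
    """Decide what the server does with one frame.

    `frame` is a small dict (constructed model, not a real frame parser):
    {"type": ..., "stream": ..., plus type-specific fields}.
    Returns "ok", "RST_STREAM" (server resets the stream) or "GOAWAY"
    (the connection is torn down because the reset budget is blown).
    """
    kind = frame["type"]
    if kind == "RST_STREAM":
        # Client-initiated reset: the Rapid Reset pattern.
        return "ok" if budget.charge(now) else "GOAWAY"

    # Server-initiated resets: RFC 9113 treats a zero-increment
    # WINDOW_UPDATE on a stream, or a stream depending on itself, as a
    # stream error (PROTOCOL_ERROR), which the server signals with RST_STREAM.
    server_reset = (
        (kind == "WINDOW_UPDATE" and frame["stream"] != 0
         and frame.get("increment", 1) == 0)
        or (kind == "PRIORITY" and frame.get("dependency") == frame["stream"])
    )
    if server_reset:
        # Charged against the same budget as a client RST_STREAM.
        return "RST_STREAM" if budget.charge(now) else "GOAWAY"
    return "ok"


def simulate(frames, max_resets, window_seconds):
    """Run (timestamp, frame) pairs through one connection; return the actions.

    Stops at the first GOAWAY, as a real server would close the socket.
    """
    budget = ResetBudget(max_resets, window_seconds)
    actions = []
    for now, frame in frames:
        action = handle_frame(budget, now, frame)
        actions.append(action)
        if action == "GOAWAY":
            break
    return actions


# Constructed attack traffic: a burst of zero-increment WINDOW_UPDATE frames,
# each on a fresh stream, so the client never sends RST_STREAM itself.
MALFORMED_BURST = [
    (0.01 * i, {"type": "WINDOW_UPDATE", "stream": 2 * i + 1, "increment": 0})
    for i in range(50)
]

# Constructed mixed traffic: client resets and malformed frames in one window.
MIXED_BURST = (
    [(0.01 * i, {"type": "RST_STREAM", "stream": 2 * i + 1}) for i in range(15)]
    + [(0.2 + 0.01 * i, {"type": "PRIORITY", "stream": 101 + 2 * i,
                         "dependency": 101 + 2 * i}) for i in range(10)]
)

# Constructed benign traffic: a handful of ordinary resets spread over a minute.
SLOW_CLIENT = [
    (10.0 * i, {"type": "RST_STREAM", "stream": 2 * i + 1})
    for i in range(6)
]

if __name__ == "__main__":
    print(simulate(MALFORMED_BURST, max_resets=20, window_seconds=1.0)[-3:])
    print(simulate(MIXED_BURST, max_resets=20, window_seconds=1.0)[-3:])
    print(simulate(SLOW_CLIENT, max_resets=20, window_seconds=1.0))
```

The point of the model is the single `charge` call on both paths: a budget that only counted client RST_STREAM frames would never trip on `MALFORMED_BURST`, because every reset there is sent by the server. Real thresholds depend on the workload; the 20-per-second figure here is illustrative only.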

Major Incidents

  • Hackers breached the booking systems of at least ten Italian hotels, stealing tens of thousands of high-resolution scans of guest ID documents, including passports and national ID cards. A threat group named ‘mydocs’ is selling the stolen data on dark web forums, with prices ranging from $1,000 to $10,000. Italian cybersecurity authorities warn that the compromised information could be used for identity theft, fraud, and creating new documents, posing serious legal and financial risks to affected individuals.
  • The US Federal Judiciary confirmed a significant cyberattack on its electronic case management system (CM/ECF), with investigators suspecting Russian state-sponsored actors are responsible. The multi-year intrusion reportedly targeted sensitive, sealed court documents, especially those with overseas connections, raising concerns about the compromise of confidential informants and national security information. At least eight district courts were targeted, prompting new procedures for handling highly sensitive filings to prevent further exposure.
  • The Interlock ransomware group has escalated its activities, claiming responsibility for the July 2025 attack against the City of St. Paul, Minnesota. The group, first observed in September 2024, operates without affiliates and uses a double extortion model, exfiltrating data before encryption. It is known for using compromised websites and a social engineering technique called ‘ClickFix’ for initial access, and has targeted sectors including education, healthcare, technology, and government across North America and Europe.
  • Turkish cryptocurrency exchange BTCTurk experienced a significant security incident, leading to the theft of approximately $49 million worth of various cryptocurrencies. The attack prompted the platform to temporarily suspend all crypto deposits and withdrawals while an investigation is underway. The company assured users that its financial structure is robust and customer assets would not be affected, as the vast majority of funds are held in secure cold wallets.
  • Norway’s police security service (PST) suspects pro-Russian hackers were behind the sabotage of a dam in April. The attackers breached the dam’s control system, reportedly via a weak password, and opened a valve for four hours, causing a significant water release. Although the incident did not cause major damage, officials view it as a demonstration of capability and part of a broader hybrid warfare strategy by Russia to create fear and disrupt critical infrastructure.

Emerging Threats

  • Security researchers have demonstrated a new FIDO downgrade attack that can bypass phishing-resistant authentication in Microsoft Entra ID. The technique uses a custom phishlet in an Adversary-in-the-Middle (AiTM) framework to spoof a browser user agent that does not support FIDO. This causes Entra ID to disable FIDO authentication and offer weaker fallback methods, such as authenticator apps or SMS codes, which can then be intercepted by the AiTM proxy to capture credentials and session cookies.
  • Threat actors are increasingly exploiting legitimate enterprise tools for initial access and persistence, with Microsoft Teams being a key target. The EncryptHub group impersonates IT support staff and uses Teams connection requests to initiate social engineering attacks. They guide victims to execute PowerShell commands that exploit a Windows Management Console vulnerability (CVE-2025-26633, “MSC EvilTwin”) to deploy malware, including the Fickle Stealer infostealer.
  • A sophisticated phishing campaign is exploiting the visual similarity of the Japanese Hiragana character ‘ん’ to a forward slash (‘/’) to create deceptive and authentic-looking URLs. This homograph attack makes it difficult for users to spot malicious links, as the character mimics a legitimate path separator in a URL. This technique represents an evolution in phishing tactics aimed at bypassing user scrutiny and security filters that inspect URL structures for suspicious patterns.
  • The Muddled Libra threat group (also known as Scattered Spider) is evolving from a monolithic entity into a loose collective of specialized ‘strike teams’. These teams exhibit varied tactics and objectives, from cryptocurrency theft and intellectual property espionage to data extortion using ransomware. This fluid structure complicates tracking and attribution, as members move between teams and share successful tradecraft, making their attacks on industries like finance, retail, and telecommunications more dynamic and unpredictable.
  • A new malware framework named PS1Bot is being distributed through malvertising campaigns that use SEO poisoning to lure victims searching for legitimate documents. Written in PowerShell, PS1Bot is a modular framework capable of keylogging, screen capture, and stealing sensitive data like passwords, browser cookies, and cryptocurrency wallet seed phrases. The malware uses in-memory execution to evade detection and is part of an ongoing campaign that shows similarities to other malware families like AHK Bot and Skitnet.
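The ‘ん’ homograph item above describes a URL whose real host differs from the host a reader perceives, because a non-ASCII character is standing in for a delimiter. The checker below is an added example written for this brief, not code from any vendor cited in it. It folds a small, constructed table of delimiter look-alikes (Hiragana ‘ん’ for ‘/’, plus a few Unicode slashes, dots and colons; the table is a starting point, not a complete list) back to ASCII, compares the apparent host with the host the URL actually resolves to, and scans constructed proxy-log lines for the mismatch. It goes slightly beyond the page's single character by handling other delimiter confusables with the same logic.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed map: look-alike character -> ASCII URL delimiter it imitates.
CONFUSABLE_DELIMITERS = {
    "\u3093": "/",   # HIRAGANA LETTER N, the character used in the campaign
    "\u2044": "/",   # FRACTION SLASH
    "\u2215": "/",   # DIVISION SLASH
    "\uff0f": "/",   # FULLWIDTH SOLIDUS
    "\u2024": ".",   # ONE DOT LEADER
    "\uff0e": ".",   # FULLWIDTH FULL STOP
    "\uff1a": ":",   # FULLWIDTH COLON
    "\uff20": "@",   # FULLWIDTH COMMERCIAL AT
}

URL_RE = re.compile(r"https?://\S+")


def find_confusables(url):
    """Return (index, char, unicode name, imitated delimiter) for each hit."""
    return [
        (i, ch, unicodedata.name(ch, "UNKNOWN"), CONFUSABLE_DELIMITERS[ch])
        for i, ch in enumerate(url)
        if ch in CONFUSABLE_DELIMITERS
    ]


def apparent_host(url):
    """The host a reader perceives: split on the look-alikes as if they
    were the ASCII delimiters they imitate."""
    folded = "".join(CONFUSABLE_DELIMITERS.get(c, c) for c in url)
    return urlsplit(folded).hostname


def analyze(url):
    """Compare the real host with the apparent one and flag a mismatch."""
    hits = find_confusables(url)
    try:
        real_host = urlsplit(url).hostname
    except ValueError:
        # urlsplit rejects netlocs whose NFKC form contains '/', '?', '#',
        # '@' or ':' (e.g. FULLWIDTH SOLIDUS); treat that as suspicious too.
        real_host = None
    seen_host = apparent_host(url)
    return {
        "url": url,
        "real_host": real_host,
        "apparent_host": seen_host,
        "confusables": hits,
        "suspicious": bool(hits) and real_host != seen_host,
    }


def scan_lines(lines):
    """Run every URL found in the given log lines through analyze();
    return only the suspicious results."""
    flagged = []
    for line in lines:
        for url in URL_RE.findall(line):
            result = analyze(url)
            if result["suspicious"]:
                flagged.append(result)
    return flagged


# Constructed proxy-log lines; hosts are documentation/test names, not real sites.
SAMPLE_LOG = [
    "2025-08-14T09:12:01Z GET https://accounts.example.com/secure/login 200",
    "2025-08-14T09:12:07Z GET https://accounts.example.com\u3093secure\u3093login.attacker-example.test/verify 302",
    "2025-08-14T09:13:44Z GET https://docs.example.org/guide/index.html 200",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(hit["apparent_host"], "->", hit["real_host"], hit["confusables"])
```

The apparent/real host comparison matters more than the character list: a confusable that does not change which host the browser connects to (for example one inside the path) is noise, while one in the netloc is the pattern the campaign relies on. Extend `CONFUSABLE_DELIMITERS` from your own telemetry rather than treating it as exhaustive.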

Regulatory and Policy Updates

  • The U.S. Treasury Department has expanded sanctions against the Russian cryptocurrency exchange Garantex and its successor, Grinex. These platforms are accused of facilitating over $100 million in illicit transactions since 2019, including laundering proceeds for ransomware groups like Conti and LockBit, as well as designated terrorist groups. The sanctions were updated following a law enforcement operation in March that seized Garantex servers and domains, demonstrating a continued international effort to disrupt financial networks supporting cybercrime.
  • A US federal court upheld new FCC data breach reporting rules that expand the definition of reportable information to include Personally Identifiable Information (PII), not just network-related data. The court rejected a challenge from telecom industry groups, affirming the FCC’s authority to regulate data privacy practices in the sector. This decision reinforces stricter notification requirements for telecommunications carriers when customer PII is exposed in a data breach.
  • Recent executive orders from the Trump administration could significantly alter the US cybersecurity landscape by shifting disaster preparedness responsibilities, including for cyberattacks, to state and local governments. These orders also aim to roll back some cybersecurity and identity verification provisions established under previous administrations. The changes have drawn mixed reactions, with some experts concerned about the resource constraints of state governments, while others note the preservation of certain key policies.
  • Russia has initiated restrictions on voice calls over WhatsApp and Telegram, citing their use in criminal and terrorist activities. The country’s telecommunications agency, Roskomnadzor, stated that the platforms ignored demands for countermeasures. This move coincides with Russia’s efforts to promote its own national messaging app, raising concerns about increased state surveillance and control over digital communications.
  • The Indian Ministry of Defence has formally released its declassified Joint Doctrine for Cyberspace Operations. This doctrine aims to create a unified strategy for defending national interests in cyberspace by integrating offensive and defensive capabilities across all military services. Key focus areas include threat-informed planning, building resilience, real-time intelligence integration, and the development of joint cyber capabilities to enhance national security.

Security Operations

  • CISA, alongside several international partners including the NSA and FBI, released comprehensive guidance for Operational Technology (OT) owners and operators on creating and maintaining asset inventories. The guide, “Foundations for OT Cybersecurity,” emphasizes that a detailed inventory is fundamental to designing a defensible architecture and reducing cyber risk. It provides a structured approach, aligned with ISA/IEC 62443 standards, for identifying, classifying, and tracking all hardware, software, and network components to improve visibility and security in critical infrastructure environments.
  • NIST has finalized a new standard for “Lightweight Cryptography” designed to secure resource-constrained devices like IoT sensors and medical monitors. This standard provides a set of cryptographic algorithms that offer robust security with a smaller computational footprint than traditional algorithms. The goal is to enable strong encryption and authentication on small electronic devices that are increasingly integrated into critical systems, addressing a significant security gap in the IoT ecosystem.
  • VirusTotal has expanded its AI-powered Code Insight feature to analyze a broader range of file types critical to the software supply chain. The tool can now analyze browser extensions (CRX, XPI, VSIX), software packages from repositories like NPM and PyPI, and Model Context Protocol (MCP) files used by LLMs. This enhancement aims to provide deeper security analysis by examining code logic to identify malicious behavior in components that traditional signature-based detection might miss, thereby strengthening defenses against supply chain attacks.
  • The rise of generative and agentic AI is compelling security teams to adopt new defensive frameworks. Agentic systems, which can act autonomously to analyze alerts and orchestrate responses, offer a way to move beyond static playbooks and augment human analysts. Elastic’s Security Labs outlined practical considerations for building AI-augmented security systems, emphasizing the need for robust input/output schemas, infrastructure integration, and quality assurance mechanisms like critique loops to ensure trust in automated decisions.
  • Security researchers are increasingly leveraging Large Language Models (LLMs) to automate and scale complex tasks like patch diffing. A study by Bishop Fox demonstrated that LLMs, particularly models like Claude Sonnet 3.7, can significantly reduce the time needed to analyze binary differences and pinpoint vulnerable functions from security advisories. This approach streamlines vulnerability research by automating the initial analysis of decompiled code, allowing human experts to focus on the most relevant changes and accelerate exploit development or defensive patching.
  • Palo Alto Networks has introduced PAN-OS 12.1 Orion, which includes new features aimed at preparing organizations for the threat of quantum computing. The update provides a Quantum Readiness assessment tool to inventory cryptography usage across the enterprise and identify non-compliant algorithms. It also introduces cipher translation to instantly upgrade legacy applications to be quantum-safe and supports new fifth-generation firewalls designed to decrypt and inspect PQC-encrypted traffic at scale.

Wins

  • An international law enforcement operation successfully disrupted the infrastructure of the BlackSuit ransomware gang, which has strong links to the former Royal and Conti operations. The action, which involved agencies from the US and Europe, resulted in the seizure of four servers and nine domains. Additionally, the US Department of Justice announced the seizure of over $1 million in Bitcoin that had been paid as a ransom by a victim of the group.
  • The two Estonian founders of the HashFlare cryptocurrency Ponzi scheme have been sentenced to prison for their roles in a fraud that swindled hundreds of thousands of victims out of more than $577 million. The court ordered the forfeiture of over $450 million in assets, including cryptocurrency, real estate, and luxury vehicles. These seized assets will be used to compensate the victims of the fraudulent crypto mining operation.
  • Four Ghanaian nationals were extradited to the United States for their alleged leadership roles in a criminal organization that stole over $100 million. The group primarily conducted romance scams and business email compromise schemes targeting individuals and businesses across the US. The successful extradition highlights international cooperation in combating large-scale online fraud operations.
  • Law enforcement in Thailand conducted successful operations against two separate cybercrime rings. In one bust, police arrested two men operating an SMS blaster used for smishing scams that could send over 20,000 fraudulent messages per day. In a separate operation named “Skyfall,” authorities dismantled a major cross-border money laundering network that was moving over $30 million per month from fake investment schemes into cryptocurrency.
  • Google awarded a record-breaking $250,000 bounty to a security researcher for discovering a critical remote code execution vulnerability in Chrome. The flaw was located in Chrome’s IPCZ driver transport mechanism and allowed a malicious website to escape the browser’s sandbox and execute arbitrary code on the host system. The high payout reflects the complexity of the exploit and the severity of the threat, highlighting the value of bug bounty programs in securing widely used software.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

The brief is created in collaboration with BlackStork and is based on a free template.

Reach out if you have questions or suggestions.