September 7, 2025

Cyber OSINT Overview, Sep 1 - Sep 7, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • Artificial intelligence (AI) is a dual-use technology in cybersecurity, extensively discussed for both offensive and defensive applications. On the offensive side, AI is used in sophisticated phishing, deepfakes, autonomous ransomware, and malware like DarkBard and PromptLock. Defensively, AI assists in threat detection, vulnerability tracking, AI Security Posture Management (AI-SPM), and LLM-powered threat hunting to combat machine-speed adversaries and manage the growing volume of CVEs.
  • Effective vulnerability and patch management is crucial given the continuous stream of newly discovered flaws. Advisories highlight widespread vulnerabilities in critical software and platforms, including Sitecore, Android, Linux Kernel, Cisco, VMware, and SAP. Organizations are urged to apply patches promptly, as CISA’s KEV Catalog, which mandates rapid remediation for actively exploited vulnerabilities, makes clear.
  • Supply chain security and managing third-party risk remain critical challenges. Several articles report on the Salesloft Drift integration compromise, which led to mass data exfiltration from numerous customers across multiple integrated services like Salesforce, Google Workspace, and cloud providers. This incident highlights how vulnerabilities in one component can cascade through an organization’s entire digital ecosystem, emphasizing the need for robust third-party risk management and the adoption of tools like Software Bill of Materials (SBOMs) to enhance transparency.
  • Phishing and social engineering attacks continue to be a primary vector for cybercriminals, with evolving tactics such as smishing (SMS phishing), vishing (voice phishing), and advanced email cloaking techniques. Attackers are increasingly leveraging AI to craft more convincing and tailored messages, making it harder for users to distinguish legitimate communications from malicious ones. Organizations and individuals must maintain high vigilance and implement robust security awareness training.
  • Linux Kernel vulnerabilities are a persistent and high-impact concern, with numerous advisories detailing flaws that can lead to Denial of Service (DoS), privilege escalation, and unspecified system impacts. These vulnerabilities are frequently identified across different Linux distributions, including Red Hat Enterprise Linux and Ubuntu. Continuous patching and system updates are essential to mitigate these pervasive risks.

Critical Vulnerabilities

  • An actively exploited critical vulnerability (CVE-2025-53690) in Sitecore Experience Manager, Platform, and Commerce allows remote code execution due to the use of publicly exposed sample machine keys. This flaw can lead to initial server compromise, privilege escalation, and full system control. CISA has added this to its Known Exploited Vulnerabilities (KEV) Catalog, mandating federal agencies to remediate it immediately.
  • Google’s September 2025 Android Security Bulletin includes patches for two actively exploited zero-day vulnerabilities: CVE-2025-38352 (Linux Kernel Time-of-Check Time-of-Use race condition) and CVE-2025-48543 (Android Runtime unspecified vulnerability). Both are high-severity Elevation of Privilege (EoP) flaws that do not require user interaction for exploitation. Users are strongly advised to apply the necessary updates to their Android devices immediately.
  • A zero-click authorization vulnerability (CVE-2025-55177) in WhatsApp for iOS and Mac, in conjunction with an Apple OS-level flaw (CVE-2025-43300) in the ImageIO framework, has been actively exploited in targeted attacks. The chain allowed remote code execution by making the device process malicious content fetched from an arbitrary URL through abused linked-device synchronization messages. WhatsApp and Apple have released patches, urging users to update their devices and perform factory resets if compromised.
  • Two actively exploited vulnerabilities in end-of-life TP-Link routers (Archer C7 and TL-WR841N/ND), CVE-2023-50224 (authentication bypass/password theft) and CVE-2025-9377 (OS command injection), are being chained by the Quad7 botnet. This botnet weaponizes infected routers to launch widespread password spraying attacks against Microsoft 365 accounts. CISA has added these to its KEV catalog, urging users to update firmware or replace devices.
  • Multiple high-severity vulnerabilities, including a memory buffer overflow (CVE-2025-2521) and an integer underflow (CVE-2025-2523), have been identified in Honeywell OneWireless Wireless Device Manager (WDM). These remotely exploitable flaws, with low attack complexity, could lead to remote code execution, information exposure, or denial of service. Users and administrators are urged to review advisories and apply necessary updates to affected versions.
  • A critical and actively exploited code injection vulnerability (CVE-2025-42957) exists in SAP S/4HANA, SAP NetWeaver Application Server ABAP, and other related SAP products. This flaw, with a CVSS score of 9.9, allows a low-privileged user to execute arbitrary code and gain full control of the SAP system and its host OS. SAP released patches in August 2025, which organizations must apply immediately to prevent system compromise.
  • A critical security flaw (CVE-2025-8067) in the Linux UDisks daemon, an out-of-bounds read vulnerability, allows local, unprivileged users to access files and data owned by privileged accounts. Red Hat classified this flaw as ‘Important’ with a CVSS v3.1 base score of 8.5. This can lead to system crashes (DoS) or the disclosure of sensitive memory, including cryptographic keys and PII.
  • Multiple vulnerabilities are reported in widely used software and hardware. These include a local escalation of privilege in HPE M-Series Switches, various flaws in Atlassian’s Bamboo, Bitbucket, and Crowd, and vulnerabilities in VMware Tanzu products. Cisco also released advisories for numerous phone, network, and collaboration products. Google Chrome, IBM, Dell, and Qualcomm also released security updates for their respective products. Drupal’s Acquia DAM had an access bypass/information disclosure flaw. Jenkins plugins and HashiCorp Vault also required security updates, including a DoS vulnerability in Vault.
  • Industrial Control Systems (ICS) and Operational Technology (OT) environments face ongoing critical vulnerabilities. CISA released advisories for various products, including Delta Electronics EIP Builder (XML External Entity Reference, CVE-2025-57704), Fuji Electric FRENIC-Loader 4 (Deserialization of Untrusted Data, CVE-2025-9365), and SunPower PVS6 (Hard-Coded Credentials, CVE-2025-9696). These flaws can lead to information disclosure, arbitrary code execution, and full device access. Users are advised to apply updates and implement robust network segmentation and secure remote access.

Major Incidents

  • A widespread supply chain attack targeted Salesloft’s Drift AI chatbot integration, leading to mass exfiltration of OAuth tokens and sensitive data from hundreds of customer Salesforce instances and integrated services. This impacted major organizations including Google, Cloudflare, Zscaler, Palo Alto Networks, and Tenable. Attackers, tracked as UNC6395, actively deleted forensic evidence after obtaining credentials like AWS keys, Snowflake tokens, VPN credentials, and API keys.
  • Luxury automaker Jaguar Land Rover (JLR) experienced a cyberattack that severely disrupted its global IT systems, leading to factory closures and significant operational halts. A group identified as ‘Scattered Lapsus$ Hunters’ claimed responsibility for the incident, asserting data exfiltration. The UK Information Commissioner’s Office confirmed a data breach, prompting JLR to proactively take down systems to mitigate impact.
  • The Texas Attorney General has filed a lawsuit against PowerSchool, an education technology provider, following a data breach in December 2024. This incident exposed sensitive personal information of over 880,000 Texas school children and teachers, including names, addresses, Social Security Numbers, and medical details. The breach originated from a subcontractor’s account that allegedly lacked adequate security protections.
  • American consumer credit reporting agency TransUnion suffered a data breach resulting in the exposure of sensitive personal information for over 4.4 million individuals in the United States. The compromised data included names, billing addresses, phone numbers, email addresses, dates of birth, unredacted Social Security Numbers, transaction reasons, and customer support messages. This highlights the ongoing risks associated with large-scale data custodians.
  • Tire manufacturing giant Bridgestone Americas confirmed a cyberattack that disrupted some of its North American manufacturing facilities, leading to operational pauses for employees. While the company stated the incident was contained and no customer data was compromised, the nature of the attack is under investigation. The ‘Scattered Lapsus$ Hunters’ group, known for data theft and extortion, is suspected to be involved.
  • Chess.com, a major online chess platform, experienced a limited data breach affecting 4,541 users, including residents of Maine and Vermont. The breach occurred in June 2025 through a compromised third-party file transfer tool, exposing names and other non-sensitive identifiers. No passwords or financial information were affected, and federal law enforcement agencies are involved in the ongoing investigation.
  • A major cyberattack on Miljödata, a Swedish IT provider, disrupted services for over 200 municipalities. The incident raised significant concerns regarding the potential theft of sensitive personal data, including medical certificates, rehabilitation cases, and occupational injury reports. This highlights the critical impact on public services and sensitive data when core IT infrastructure providers are compromised.

Emerging Threats

  • Cybercriminals are increasingly leveraging AI to automate and scale offensive operations. Research demonstrates that Large Language Models (LLMs) can autonomously plan, adapt, and execute ransomware attacks, performing reconnaissance, credential harvesting, network penetration, and generating personalized extortion demands and notes. New malicious AI tools like ‘DarkBard,’ an ‘evil twin’ to Google Bard, are also marketed for misinformation, deepfakes, and sophisticated phishing campaigns, enabling a single attacker to operate like an entire cybercrime team.
  • A sophisticated malvertising campaign, dubbed ‘GPUGate,’ is leveraging Google Ads and manipulated GitHub repositories to trick users into downloading malicious software. This malware employs a unique GPU-gated decryption routine that only activates on systems with a genuine Graphics Processing Unit (GPU), designed to evade traditional security sandboxes. The campaign targets IT professionals in Western Europe, with evidence suggesting Russian-speaking threat actors are behind it.
  • The Russian state-sponsored hacking group APT28 (Fancy Bear) is deploying a new backdoor, ‘NotDoor,’ by abusing Microsoft Outlook. This malware operates as a Visual Basic for Applications (VBA) macro within Outlook, activated by specific email trigger phrases. It is deployed via DLL sideloading of a malicious ‘SSPICLI.dll’ through Microsoft’s signed OneDrive.exe to disable macro security and exfiltrate data covertly. This tactic blends with trusted binaries and normal mail flow, bypassing basic perimeter tools.
  • The Quad7 botnet is actively exploiting two vulnerabilities (CVE-2023-50224 for password theft and CVE-2025-9377 for OS command injection) in end-of-life TP-Link Archer C7 and TL-WR841N/ND routers. This botnet weaponizes infected routers by turning them into nodes for widespread password spraying attacks against Microsoft 365 accounts. The distributed nature of the botnet, using thousands of residential IP addresses, makes detection particularly challenging for defenders.
  • A new, potentially China-based, threat actor group dubbed ‘GhostRedirector’ is compromising Windows servers with Rungan and Gamshen backdoors. Gamshen is a malicious IIS module designed to manipulate Google search rankings, driving traffic to gambling websites through an ‘SEO fraud-as-a-service’ scheme. This operation has affected at least 65 Windows servers globally across various industries, emphasizing opportunistic attacks rather than specific targeting.
  • The secretive Malware-as-a-Service (MaaS) group TAG-150 is rapidly developing and deploying self-developed malware families, including CastleLoader, CastleBot, and the newly documented remote access trojan (RAT) CastleRAT. Initial infections often stem from Cloudflare-themed ‘ClickFix’ phishing attacks or fraudulent GitHub repositories. This group operates a multi-tiered infrastructure with sophisticated command-and-control (C2) mechanisms, showing advanced operational security and redundancy planning.
  • North Korea-aligned threat actors are actively monitoring cyber threat intelligence (CTI) platforms like Validin, VirusTotal, and Maltrail to assess their infrastructure exposure and scout for new assets. These actors operate in coordinated teams, demonstrate real-time collaboration, and rapidly deploy new infrastructure in response to service provider takedowns, indicating a strategic focus on sustaining operations and high victim engagement rather than preventing detection.
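Both the Critical Vulnerabilities and Emerging Threats entries on the Quad7 botnet note that its password spraying against Microsoft 365 is hard to spot because it is spread across thousands of residential IP addresses. The following is an added example, not code from the brief or from any vendor or source it cites, showing two detection passes a defender could run over sign-in records: the classic single-source spray (one IP, many accounts) and the distributed low-and-slow spray (many accounts, one or two failures each, many sources). The sign-in records, account names and IP addresses are constructed sample data, and the 10-minute window and thresholds are assumptions to be tuned against real tenant baselines.

```python
"""Detect password-spraying patterns in constructed Microsoft 365 sign-in records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events (not real telemetry); each tuple is
# (UTC timestamp, user principal name, source IP, result).
SAMPLE_SIGNINS = [
    # Normal activity: one user, one IP, a typo followed by a success.
    ("2025-09-03T09:58:10Z", "alice@example.com", "203.0.113.5", "failure"),
    ("2025-09-03T09:58:25Z", "alice@example.com", "203.0.113.5", "success"),
    # Classic spray: one source IP, many accounts, one failure each.
    ("2025-09-03T10:00:01Z", "bob@example.com", "198.51.100.10", "failure"),
    ("2025-09-03T10:00:03Z", "carol@example.com", "198.51.100.10", "failure"),
    ("2025-09-03T10:00:05Z", "dave@example.com", "198.51.100.10", "failure"),
    ("2025-09-03T10:00:07Z", "erin@example.com", "198.51.100.10", "failure"),
    ("2025-09-03T10:00:09Z", "frank@example.com", "198.51.100.10", "failure"),
    # Distributed spray: each account hit once, every attempt from a different IP.
    ("2025-09-03T11:00:01Z", "grace@example.com", "192.0.2.11", "failure"),
    ("2025-09-03T11:00:04Z", "heidi@example.com", "192.0.2.12", "failure"),
    ("2025-09-03T11:00:07Z", "ivan@example.com", "192.0.2.13", "failure"),
    ("2025-09-03T11:00:10Z", "judy@example.com", "192.0.2.14", "failure"),
    ("2025-09-03T11:00:13Z", "mallory@example.com", "192.0.2.15", "failure"),
    ("2025-09-03T11:00:16Z", "oscar@example.com", "192.0.2.16", "failure"),
]

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp of the form used in the sample data."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bucket_failures(events, window_minutes=10):
    """Group failed sign-ins into fixed time buckets: {bucket_start: [(user, ip), ...]}."""
    width = timedelta(minutes=window_minutes)
    buckets = defaultdict(list)
    for ts, user, ip, result in events:
        if result != "failure":
            continue
        t = parse_ts(ts)
        start = EPOCH + width * ((t - EPOCH) // width)  # floor to the window boundary
        buckets[start].append((user, ip))
    return buckets


def single_source_spray(events, window_minutes=10, min_accounts=5):
    """Flag source IPs that fail against at least min_accounts distinct accounts in one window."""
    hits = {}
    for pairs in bucket_failures(events, window_minutes).values():
        per_ip = defaultdict(set)
        for user, ip in pairs:
            per_ip[ip].add(user)
        for ip, users in per_ip.items():
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
    return hits


def distributed_spray(events, window_minutes=10, min_accounts=5,
                      max_failures_per_account=2, min_sources=4):
    """Flag windows where many accounts each get only a few failures from many source IPs.

    Per-IP and per-account counts stay below lockout thresholds, so the signal is the
    breadth of the window as a whole rather than any single IP or account.
    """
    findings = []
    for start, pairs in sorted(bucket_failures(events, window_minutes).items()):
        per_user = defaultdict(int)
        sources = set()
        for user, ip in pairs:
            per_user[user] += 1
            sources.add(ip)
        sprayed = [u for u, n in per_user.items() if n <= max_failures_per_account]
        if len(sprayed) >= min_accounts and len(sources) >= min_sources:
            findings.append({"window_start": start.isoformat(),
                             "accounts": len(sprayed), "sources": len(sources)})
    return findings


if __name__ == "__main__":
    print("single-source spray:", single_source_spray(SAMPLE_SIGNINS))
    print("distributed spray:", distributed_spray(SAMPLE_SIGNINS))
```

The second pass is the one that matters for a residential botnet: each IP touches one account and each account fails once, so per-entity thresholds never fire, but a window with six accounts failing from six previously unseen sources is not how users mistype passwords. In production the same logic would read the tenant's sign-in log export and add a baseline of known corporate egress IPs to suppress noise.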

Regulatory and Policy Updates

  • CISA, in collaboration with the NSA and 19 international partners, released joint guidance on ‘A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity.’ This initiative aims to strengthen software supply chain transparency, improve vulnerability management, and enhance global cybersecurity resilience through standardized SBOM adoption. SBOMs act as an ‘ingredients list’ for software, providing essential visibility into dependencies to identify risks and proactively mitigate vulnerabilities.
  • A U.S. House panel advanced legislation to reauthorize the 2015 Cybersecurity and Information Sharing Act and the State and Local Cybersecurity Grant Program, both nearing expiration. These bills, known as the WIMWIG Act and the PILLAR Act respectively, aim to update legal definitions for hacking tactics, preserve privacy protections, and encourage the use of secure AI, strengthening cybersecurity for state and local governments and critical infrastructure.
  • The Federal Trade Commission (FTC) announced a settlement with Chinese robot toy manufacturer Apitor Technology for illegally collecting geolocation data of US children via its companion app, violating the Children’s Online Privacy Protection Act (COPPA). Apitor is required to pay a $500,000 civil fine, delete illegally collected data, obtain explicit parental consent, and undergo ten years of compliance monitoring. This emphasizes stringent enforcement of children’s online privacy regulations.
  • A regional cyber alliance has been formed by Ukraine, Romania, and Moldova to enhance cooperation against cyber and hybrid threats, particularly those from Russia, aiming to strengthen collective cyber defense. Concurrently, Romania has established a dedicated Computer Security Incident Response Team (CSIRT) for its energy sector, underscoring efforts to bolster regional energy security in the face of escalating geopolitical cyber risks.
  • The UK Department for Science, Innovation and Technology is consulting on proposals to update the Telecommunications Security Code of Practice 2022. These updates are intended to help public telecoms providers protect UK telecommunications networks and services against evolving threats and emerging technologies. This proactive measure aims to enhance national infrastructure resilience in a dynamic threat landscape.
  • Czechia’s National Cyber and Information Security Agency (NÚKIB) issued a ‘High’ threat warning concerning Chinese data transfers and remote administration of technical assets from China. The advisory urges both government bodies and private businesses in Czechia to bolster their defenses against state-sponsored espionage campaigns, citing China’s national security laws that compel data assistance to state authorities, potentially compromising data security for critical infrastructure.
  • France’s data watchdog, the CNIL, fined Google €325 million (approximately $381 million) for inserting promotional messages directly into Gmail inboxes without prior consent and for cookie consent practices deemed coercive. This action, part of Europe’s stricter privacy framework (GDPR), highlights an ongoing friction between Google’s advertising business model and regulatory demands for explicit, unambiguous user consent regarding data collection and targeted advertising.

Security Operations

  • Robust incident response capabilities and advanced XDR (Extended Detection and Response) platforms are essential for effective cybersecurity. These platforms provide rapid detection, verification, containment, and eradication of threats by integrating telemetry from endpoints, networks, emails, and identity systems. Continuous monitoring and a multi-tool approach, as demonstrated at Black Hat, are crucial for triaging incidents and swiftly responding to advanced threats.
  • AI and Large Language Models (LLMs) are transforming threat hunting and vulnerability management by automating traditionally manual processes. Tools like VirusTotal’s Code Insight use LLMs for malware analysis across diverse file formats (SWF, SVG), summarizing suspicious logic and identifying campaigns. CISA also highlights AI’s potential to track the rapidly expanding CVE catalog, enabling faster identification of anomalies and more proactive threat responses.
  • Zero Trust Architecture (ZTA) and Automated Moving Target Defense (AMTD) are critical for modern security strategies, especially in hybrid and cloud environments. ZTA principles like continuous verification and adaptive access minimize attack surfaces, while AMTD dynamically shifts the attack surface to disrupt reconnaissance and proactively neutralize threats before execution. This prevention-first approach strengthens endpoint protection and enhances overall resilience against sophisticated, fileless, and in-memory attacks.
  • Software Bills of Materials (SBOMs) are being promoted as a fundamental tool for proactive cybersecurity defense and software supply chain transparency. Joint guidance from CISA, NSA, and international partners highlights SBOMs’ role in providing critical visibility into software dependencies, improving vulnerability management, and supporting secure-by-design principles. Widespread adoption is seen as essential for enhancing resilience and measurably reducing risks and costs across the global software ecosystem.
  • Consistent and up-to-date cyber hygiene training is crucial for mitigating human risk, particularly against insider threats and sophisticated social engineering attacks like phishing. Organizations, including educational institutions, must prioritize revisiting training programs to address known weaknesses and emerging digital threats. This emphasis on security awareness training is proven to reduce insider threats and represents a cost-effective investment in overall cybersecurity posture.
  • Enhanced packet-level analysis is transforming firewall investigations in Security Operations Centers (SOCs). The integration of advanced packet capture (PCAP) platforms, such as Endace Vision with Cisco’s Firepower Management Center, enables SOC analysts to instantly access definitive network traffic data. This capability drastically reduces the time for forensic analysis, accelerates root cause identification, and allows for more precise and rapid containment of security incidents, turning hours of manual effort into moments.
  • Organizations using Amazon Web Services (AWS) should implement a comprehensive cloud security strategy that combines native AWS tools with Cloud-Native Application Protection Platforms (CNAPPs). Native tools cover identity (IAM, Access Analyzer), network security (Security Groups, WAF), and data protection (KMS, Macie). CNAPPs augment these by providing multi-cloud support, identity-centric security, and unified risk reduction, correlating identity data with runtime behavior and asset sensitivity to uncover ‘toxic combinations’ and reduce overall risk.
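The SBOM entries in the Regulatory and Policy Updates and Security Operations sections describe SBOMs as an ingredients list that gives visibility into dependencies for vulnerability management. The following added example, which is not part of the brief or of the CISA/NSA guidance, shows the concrete step that visibility enables: parsing a CycloneDX-style SBOM, normalising each component's package URL (purl), and matching it against a list of advisories with version ranges. The SBOM, the package names and the advisory identifiers (EXAMPLE-ADV-*) are all constructed placeholders, and the version comparator assumes plain dotted numeric versions, which a real tool would replace with per-ecosystem comparison rules.

```python
"""Match CycloneDX SBOM components against advisory version ranges (added example)."""
import json

# Constructed CycloneDX-style SBOM; package names are fictional.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "examplehttp", "version": "1.4.2",
     "purl": "pkg:pypi/examplehttp@1.4.2"},
    {"type": "library", "name": "example-utils", "version": "4.17.21",
     "purl": "pkg:npm/example-utils@4.17.21"},
    {"type": "library", "group": "org.example", "name": "example-logging", "version": "2.14.1",
     "purl": "pkg:maven/org.example/example-logging@2.14.1?type=jar"},
    {"type": "library", "group": "org.example", "name": "example-logging", "version": "2.16.0",
     "purl": "pkg:maven/org.example/example-logging@2.16.0?type=jar"}
  ]
}
"""

# Constructed advisories with placeholder IDs: a component is affected when
# introduced <= version < fixed, matched on (purl type, namespace, name).
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "type": "pypi", "namespace": None, "name": "examplehttp",
     "introduced": "1.0.0", "fixed": "1.5.0"},
    {"id": "EXAMPLE-ADV-0002", "type": "npm", "namespace": None, "name": "example-utils",
     "introduced": "4.0.0", "fixed": "4.17.0"},
    {"id": "EXAMPLE-ADV-0003", "type": "maven", "namespace": "org.example", "name": "example-logging",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    # Same artifact name under a different namespace: must not match org.example.
    {"id": "EXAMPLE-ADV-0004", "type": "maven", "namespace": "com.other", "name": "example-logging",
     "introduced": "1.0.0", "fixed": "3.0.0"},
]


def parse_purl(purl):
    """Split a package URL into type, namespace, name and version.

    Qualifiers (?...) and subpaths (#...) are dropped; percent-decoding is not applied.
    """
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: " + purl)
    body = purl[4:].lstrip("/").split("#", 1)[0].split("?", 1)[0]
    ptype, _, rest = body.partition("/")
    path, sep, version = rest.rpartition("@")
    if not sep:  # no version present
        path, version = rest, None
    segments = path.split("/")
    namespace = "/".join(segments[:-1]) or None
    return {"type": ptype, "namespace": namespace, "name": segments[-1], "version": version}


def version_key(version):
    """Comparison key for dotted numeric versions (assumption: no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def find_affected(sbom_text, advisories):
    """Return [{purl, advisory, fixed}] for every SBOM component inside an advisory's range."""
    sbom = json.loads(sbom_text)
    matches = []
    for component in sbom.get("components", []):
        purl = component.get("purl")
        if not purl:
            continue
        parsed = parse_purl(purl)
        if parsed["version"] is None:
            continue
        version = version_key(parsed["version"])
        for adv in advisories:
            if (adv["type"], adv["namespace"], adv["name"]) != (
                    parsed["type"], parsed["namespace"], parsed["name"]):
                continue
            if version_key(adv["introduced"]) <= version < version_key(adv["fixed"]):
                matches.append({"purl": purl, "advisory": adv["id"], "fixed": adv["fixed"]})
    return matches


if __name__ == "__main__":
    for match in find_affected(SBOM_JSON, SAMPLE_ADVISORIES):
        print(f"{match['purl']}: {match['advisory']} (fixed in {match['fixed']})")
```

Matching on the full purl coordinates rather than the bare component name is the point of the example: the fourth advisory shares an artifact name with the third but lives in a different namespace, and the second copy of example-logging is already at a fixed version, so only two components are reported. An SBOM with missing or malformed purls is skipped silently here; a real pipeline should report those as coverage gaps, since they are exactly the dependencies that cannot be checked.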

Wins

  • Egyptian authorities, in collaboration with the Alliance for Creativity and Entertainment (ACE), successfully dismantled Streameast, the world’s largest illicit live sports streaming network. This operation led to the arrest of two operators in Egypt and the seizure of infrastructure and significant funds. Streameast had amassed over 1.6 billion visits across 80 domains, impacting sports leagues and entertainment companies globally.
  • A significant step in international cyber cooperation has been achieved with the formation of a regional cyber alliance between Ukraine, Romania, and Moldova. This alliance aims to bolster collective cyber defense and enhance cooperation against cyber and hybrid threats, particularly from Russia. Furthermore, Romania has established a dedicated Computer Security Incident Response Team (CSIRT) for its energy sector, strengthening regional energy security.
  • The U.S. Department of Justice (DOJ) successfully initiated a civil forfeiture action to seize $848,247 in Tether (USDT). These funds were identified as proceeds from elaborate cryptocurrency confidence scams that defrauded victims across several states. This action highlights ongoing efforts by law enforcement to combat crypto-related fraud and recover stolen assets.
  • The RapperBot DDoS botnet, which notably leveraged DNS TXT records for covert command-and-control (C2) communications and employed multi-architecture payloads, has been successfully disrupted. This takedown was a result of law enforcement efforts, specifically the DOJ’s Operation PowerOFF. The success demonstrates effective collaboration in combating sophisticated botnet operations.
  • Panoptic, with support from Cantina and SEAL911, conducted a successful whitehat rescue in the DeFi space. This operation highlights the effectiveness of collaborative efforts within bug bounty programs to identify and mitigate vulnerabilities, thereby strengthening the security and resilience of blockchain and decentralized finance ecosystems.
  • A hacker in Spain was arrested for accessing a government website to alter high school and university entrance exam grades for himself and classmates. This swift law enforcement action underscores the importance of securing educational systems and holding individuals accountable for exploiting digital platforms for fraudulent purposes.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

The brief is created in collaboration with BlackStork and is based on a free template.

Reach out if you have questions or suggestions.