September 14, 2025

Cyber OSINT Overview, Sep 8 - Sep 14, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • Artificial Intelligence is extensively discussed for its transformative role in cybersecurity operations, including automating threat analysis, detection, and code auditing. Both the beneficial applications for defenders and the weaponization by attackers (e.g., for phishing, malware generation, and disinformation) are prominent themes. Discussions also touch upon the challenges of integrating and managing AI agents within existing security frameworks like Zero Trust. This widespread adoption introduces new attack surfaces and necessitates evolving security strategies.
  • The ransomware threat remains a significant concern, with new groups emerging, diverse attack tactics, and an increasing focus on data theft alongside encryption. Organizations continue to face pressure to pay ransoms due to potential business interruption, reputational damage, and regulatory exposure. The evolution of ransomware includes cross-platform targeting (e.g., Linux, VMware ESXi) and the use of sophisticated evasion techniques.
  • Supply chain attacks, particularly those involving compromised third-party vendors and open-source components, represent a significant and recurring risk. OAuth token management is highlighted as a critical aspect of supply chain security, with incidents demonstrating how stolen tokens can bypass traditional defenses and lead to widespread data exfiltration across customer systems. The difficulty in fully controlling all elements contributing to such attacks within the third-party supply chain underscores the need for robust vendor risk management.
  • Securing cloud and hybrid environments faces significant challenges due to fragmented visibility, insecure identities, and a reactive security posture. Many organizations are rapidly adopting AI and cloud technologies without adequate security controls, leading to preventable breaches. The need for a unified view of risk, robust identity governance, and proactive security measures is critical to effectively manage expanding attack surfaces and mitigate exposures.
  • There is a continuous stream of vulnerability disclosures and patch releases from major vendors like Microsoft, Adobe, SAP, and various industrial control systems (ICS) providers. These monthly updates often include critical and high-severity flaws, with a notable number of privilege escalation vulnerabilities. Organizations must prioritize timely patching and implement robust vulnerability management processes to mitigate risks effectively, especially for publicly disclosed or actively exploited vulnerabilities.
  • Data privacy is a growing concern, with legal actions and regulatory scrutiny targeting tech giants for misleading users about data collection practices. New regulations, such as those promoting Global Privacy Control (GPC), aim to give consumers more control over their personal data. Additionally, AI-driven misinformation campaigns and deepfake scams highlight the evolving threats to information integrity and the need for robust verification processes.

Critical Vulnerabilities

  • A maximum-severity deserialization vulnerability (CVE-2025-42944) exists in SAP NetWeaver’s RMI-P4 module. This flaw allows remote, unauthenticated attackers to execute arbitrary OS commands, posing a significant threat to critical business functions. SAP has released security updates to address this, and organizations are urged to apply them promptly. SAP products are attractive targets due to their management of critical business functions and sensitive data.
  • A critical remote code execution vulnerability (CVE-2025-55232) has been identified in Microsoft High Performance Compute (HPC) Pack. This deserialization of untrusted data flaw allows unauthenticated remote attackers to execute code without user interaction. Microsoft advises deploying HPC Pack clusters in secure enclaves and blocking TCP port 5999 to mitigate the risk of exploitation, which could potentially be wormable.
  • Microsoft has released patches for elevation of privilege (EoP) vulnerabilities in Windows SMB (CVE-2025-55234) and NTLM (CVE-2025-54918). The SMB flaw was publicly disclosed before a fix was available and can be abused in relay attacks; the hardening controls that blunt relaying are SMB server signing and Extended Protection for Authentication (EPA), which Microsoft recommends auditing for client compatibility before enforcing. The NTLM vulnerability, rated critical, allows an authorized attacker to gain SYSTEM privileges over the network without user interaction. Both highlight the ongoing risks of Windows authentication protocols and the value of enforcing signing and EPA and reducing NTLM use where possible.
  • The Dassault Systèmes DELMIA Apriso manufacturing operations management software is vulnerable to a deserialization of untrusted data flaw (CVE-2025-5086). This critical vulnerability allows remote code execution and has been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, with public exploits already available. Its exploitation could disrupt critical manufacturing processes, underscoring the urgency for immediate patching and mitigation.
  • Ivanti products, including Endpoint Manager, Connect Secure, and Policy Secure, are affected by multiple critical vulnerabilities, some allowing remote code execution without authentication. Other flaws include authorization bypass, Cross-Site Request Forgery (CSRF), Server-Side Request Forgery (SSRF), and Denial of Service (DoS) conditions. These vulnerabilities pose significant risks to endpoint management and VPN solutions, requiring urgent updates and mitigations.
  • ABB Cylon Aspect BMS/BAS products are affected by critical vulnerabilities, including an authentication bypass (CVE-2025-53187) and missing authentication for critical functions (CVE-2025-7679). These flaws, caused by debugging code left in production, allow attackers to assume full control of the device, alter system time, access files, or perform Denial-of-Service attacks. Immediate updates and network isolation are recommended to protect these Building Management Systems.
  • Samsung has patched a critical image parsing vulnerability (CVE-2025-21043) in its Android devices, actively exploited in live attacks. This zero-click flaw in the libimagecodec.quram.so library allows remote code execution via specially crafted image files. Users are strongly urged to install the September 2025 security update to mitigate this high-impact risk.
  • A Linux kernel ksmbd zero-click RCE exploit has been demonstrated by chaining N-day vulnerabilities, highlighting that a less common service still presents a remote attack surface once enabled. Additionally, an arbitrary file read vulnerability (CVE-2025-9556) in LangChainGo arises because its prompt templating accepts Jinja2 syntax, allowing server-side template injection (SSTI) via attacker-controlled prompt content and exposing sensitive files. Both underscore risks from complex software interactions and open-source components.

Major Incidents

  • The Great Firewall of China has reportedly suffered its largest internal document leak, comprising 600 GB of source code, internal communications, and operational details. This data also reveals the export of censorship and surveillance technology to several autocratic regimes. The leak provides a rare glimpse into the infrastructure and operations of China’s extensive digital control system.
  • A supply chain attack leveraged compromises of Salesloft’s GitHub account and Drift’s AWS environment. This led to the theft of OAuth tokens, which let the threat actor (UNC6395) call the Salesforce API directly without an interactive login, sidestepping MFA, and exfiltrate sensitive customer data from hundreds of Salesforce instances, including those of major companies like Google and Cisco. The attackers reportedly deleted query jobs and logs to evade forensics, highlighting the stealth and impact of such breaches and the importance of treating issued OAuth tokens as credentials to be inventoried, scoped, and revoked.
  • Both Vietnam’s National Credit Information Center and Panama’s Ministry of Economy and Finance have suffered significant cyber incidents. The Vietnamese entity saw 160 million records leaked by Scattered Spider/Shiny Hunters, reportedly due to an end-of-life software vulnerability. Panama’s ministry was hit by the INC ransomware gang, claiming 1.5 TB of data theft. These breaches underscore the ongoing vulnerability of government infrastructure to sophisticated cybercriminal groups.
  • A new surge in Akira ransomware attacks is exploiting CVE-2024-40766 in SonicWall SSL VPN devices. Many victim organizations had misconfigurations, such as unreset local passwords after firmware upgrades or overprovisioned LDAP group access, enabling attackers to gain unauthorized network access. These incidents, observed globally including in Australia, sometimes resulted in firewalls crashing, highlighting the critical importance of secure configurations alongside patching.
  • The New York Blood Center suffered a ransomware attack resulting in the theft of personal data for tens of thousands of individuals. Compromised information includes names, Social Security numbers, driver’s licenses, and financial account details. Clinical information was also accessed, highlighting the severe impact on healthcare organizations and the need for robust data protection for sensitive patient records.
  • American furniture maker Lovesac confirmed a data breach in early 2025, where the RansomHub ransomware gang allegedly stole 40 GB of customer data, including names. The incident highlights the lag between initial compromise and customer notification, as the breach was confirmed six months after RansomHub’s claim. This poses ongoing risks to affected customers, who are advised to monitor for identity theft threats.
  • Financial data from Poland and Central European financial institutions has been listed for sale on DarkForums, including sensitive customer and offshore corporate data. Separately, the D4RK 4RMY ransomware group claimed an attack on a Japanese financial holding company, stealing approximately 845 GB of data. These incidents underscore the persistent threat to the global financial sector from data breaches and ransomware, with potential widespread jurisdictional impact.

Emerging Threats

  • Malicious AI tools, such as ‘PoisonGPT’, are emerging as a new vector for disinformation and AI supply-chain attacks. These tools can subtly alter an AI model’s knowledge base to inject false facts while maintaining normal behavior, making misinformation difficult to detect. Such poisoned models could be distributed via popular AI repositories, potentially leveraged by nation-state actors or extremist groups for influence operations.
  • Sophisticated phishing and social engineering campaigns are evolving, with new Phishing-as-a-Service (PhaaS) platforms like VoidProxy capable of bypassing MFA through Adversary-in-the-Middle (AitM) techniques. Attackers are also abusing legitimate platforms, such as iCloud Calendar invites and Google AppSheet, to deliver phishing messages that bypass traditional email filters. These tactics exploit inherent trust and require advanced detection methods beyond authentication checks.
  • China-backed APT groups, including Salt Typhoon and Volt Typhoon, are deploying increasingly stealthy and patient tactics to target critical infrastructure. They utilize “living off the land” techniques to blend into legitimate system activity, complicating detection and IOC sharing, and are also actively targeting cloud environments and edge devices. Separately, a China-linked fileless malware framework named EggStreme has been documented in long-term espionage campaigns in the Asia-Pacific region.
  • New ransomware groups such as Obscura, Yurei, The Gentlemen, Radar, CyberVolk, BlackNevas, and DragonForce are emerging with evolving tactics. These include double encryption, targeting specific geopolitical regions or industries, exploiting vulnerable drivers to disable security software, and utilizing cross-platform languages like Rust and Go. Attackers often employ anti-analysis features and advanced evasion techniques, making detection and recovery challenging for victims.
  • SEO poisoning campaigns are a prevalent method for distributing malware to unsuspecting users. Attackers create fraudulent websites that mimic legitimate software providers, manipulating search engine results to appear at the top. These fake sites then deliver malicious payloads like Hiddengh0st and Winos malware, often bundled with legitimate applications and equipped with sandbox evasion techniques to avoid detection.
  • Web server scans for various archive and backup file types (.zip, .rar, .7z, .gz, .tar, .sql, .json, .bak, .sh) are being conducted with malicious intent. These scans do not originate from research entities and indicate attempts by attackers to discover and exploit exposed sensitive data. Organizations should ensure such files are not accessible on public web servers and implement policies to prevent their exposure.
  • A new open-source C2 framework named AdaptixC2 is being leveraged in real-world attacks for post-exploitation activities like command execution, file transfer, and data exfiltration. This modular framework supports sophisticated tunneling capabilities (SOCKS4/5 proxy, port forwarding) and can be customized with extenders and Beacon Object Files (BOFs) to evade detection. Its observed use in campaigns, including those employing AI-based code generation, highlights the increasing sophistication of attacker tools.
  • The prevalent Vidar infostealer has evolved, incorporating new evasion techniques and covert data exfiltration methods. Similarly, MostereRAT malware is using phishing and remote access tools like AnyDesk and TightVNC to evade defenses and maintain persistent access. These evolving threats underscore the need for continuous vigilance against sophisticated information-stealing and remote access malware.
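The bullet above on scans for exposed archive and backup files describes the probing but not how to spot it in your own logs. The following is an added example, not code from the brief or any vendor it cites: a small Python detector that runs over constructed Apache/nginx combined-format access log lines, flags requests whose (percent-decoded, query-stripped) path ends in one of the extensions the brief lists plus a few assumed common backup suffixes, separates probes that were merely attempted from probes that were actually served (2xx), and aggregates by source IP. The allowlist of legitimate paths (`/manifest.json`, `/site.webmanifest`) is an assumption to show how to keep `.json` noise out of the findings.

```python
"""Detect probes for exposed archive/backup files in web server access logs.

Added example (not from the brief or any vendor): flags requests for
backup/archive extensions, reports which probes actually succeeded, and
aggregates attempts per source IP. Sample log lines are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Extensions named in the brief, plus a few assumed common backup suffixes.
SENSITIVE_EXTENSIONS = {
    ".zip", ".rar", ".7z", ".gz", ".tar", ".sql", ".json", ".bak", ".sh",
    ".tgz", ".old", ".orig", ".swp",
}

# Assumed legitimate paths that would otherwise match ".json".
ALLOWED_PATHS = {"/manifest.json", "/site.webmanifest"}

# Apache/nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it
    does not parse (malformed lines are skipped, not treated as errors)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def decoded_path(target):
    """Strip the query string and percent-decode, so '/db.sql?x=1' and
    '/deploy%2Esh' are compared on their real path."""
    return unquote(urlsplit(target).path).rstrip().lower()


def sensitive_extension(target):
    """Return the matching sensitive extension for a request target, or None.
    Longer extensions are tried first so '.json' wins over a shorter suffix."""
    path = decoded_path(target)
    for ext in sorted(SENSITIVE_EXTENSIONS, key=len, reverse=True):
        if path.endswith(ext):
            return ext
    return None


def analyze(lines):
    """Return (findings, by_ip).

    findings: one dict per probe, with 'served' True when the server answered
    2xx, i.e. the file was actually exposed, not just requested.
    by_ip: source IP -> {'attempts': n, 'hits': n}.
    """
    findings = []
    by_ip = defaultdict(lambda: {"attempts": 0, "hits": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = decoded_path(rec["target"])
        if path in ALLOWED_PATHS:
            continue
        ext = sensitive_extension(rec["target"])
        if ext is None:
            continue
        served = 200 <= rec["status"] < 300
        findings.append({"ip": rec["ip"], "path": path, "ext": ext,
                         "status": rec["status"], "served": served})
        by_ip[rec["ip"]]["attempts"] += 1
        if served:
            by_ip[rec["ip"]]["hits"] += 1
    return findings, dict(by_ip)


def suspicious_sources(by_ip, min_attempts=3):
    """IPs that probed at least min_attempts sensitive paths, or that got
    any file served at all (a single successful hit is worth investigating)."""
    return sorted(ip for ip, c in by_ip.items()
                  if c["attempts"] >= min_attempts or c["hits"] > 0)


# Constructed sample: one scanner walking common backup names, one normal user.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2025:08:01:12 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2025:08:01:13 +0000] "GET /db.sql HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2025:08:01:14 +0000] "GET /wp-config.php.bak HTTP/1.1" 200 2841 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2025:08:01:15 +0000] "GET /site.tar.gz?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2025:08:01:16 +0000] "GET /deploy%2Esh HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2025:08:02:00 +0000] "GET /manifest.json HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2025:08:02:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
garbage line that does not parse
"""

if __name__ == "__main__":
    found, per_ip = analyze(SAMPLE_LOG.splitlines())
    for f in found:
        flag = "SERVED" if f["served"] else "attempt"
        print(f"{f['ip']:15} {flag:8} {f['status']} {f['path']}")
    print("suspicious sources:", suspicious_sources(per_ip))
```

The distinction between attempted and served probes is the part worth keeping when adapting this to a real log: a 404 for /backup.zip is reconnaissance, while a 200 for /wp-config.php.bak means the exposure the brief warns about has already happened and the file should be pulled and the server configuration fixed, not just the scanner blocked.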

Regulatory and Policy Updates

  • CISA officials are urging Congress to renew the 2015 Cybersecurity Information Sharing Act (CISA 2015) before its expiration. This law provides crucial incentives for private entities to voluntarily share digital threat intelligence with the federal government, underscoring the importance of public-private collaboration for national cybersecurity. Despite reported budget and personnel cuts, CISA emphasizes its strong operational capabilities and commitment to its core mission.
  • Senator Ron Wyden has called for an FTC investigation into Microsoft’s “gross cybersecurity negligence.” He cites the company’s continued default support for insecure encryption technologies like RC4, which facilitates Kerberoasting attacks and contributes to major incidents like the 2024 Ascension hospital ransomware breach. This highlights concerns about vendor responsibility in critical infrastructure security and the impact of outdated security defaults.
  • Several U.S. states, including California, Colorado, and Connecticut, are jointly investigating companies that fail to comply with data opt-out laws, particularly those not honoring Global Privacy Control (GPC) signals. This initiative aims to enforce consumer privacy rights and reduce unwanted data collection. It signifies an increasing trend of state-level regulatory actions and consortiums to standardize and enforce privacy laws across borders.
  • ASEAN member states have adopted a 10-year action plan (ADOP 2026-2035) to counter the rising threat of cybercrime and online scams, which are now considered the primary regional security concern. This strategic roadmap emphasizes strengthening cooperation, information-sharing, and targeted responses among member nations to address sophisticated cross-border cybercriminal activities that have surpassed traditional threats like sea piracy in urgency.
  • The U.S. Federal Trade Commission (FTC) has initiated a formal inquiry into AI chatbots designed as “companions” for children and teens. The investigation seeks detailed disclosures from major tech companies like Alphabet, Meta, and OpenAI regarding how these chatbots are monetized, designed, and monitored for negative impacts on young users. This action underscores growing regulatory concerns about the emotional and privacy risks associated with AI systems that mimic interpersonal communication.
  • The DHS Inspector General’s audit revealed mismanagement within CISA’s Cybersecurity Retention Incentive program, which allocated over $138 million. The agency reportedly paid employees lacking ‘mission critical’ cybersecurity skills and failed to maintain proper records or adhere to federal regulations. This mismanagement raises concerns about efficient use of taxpayer funds and the effective retention of essential cyber talent within federal agencies.
  • The FBI and the American Bankers Association have issued a joint advisory warning of the increasing threat posed by AI-generated deepfake scams. This official guidance underscores the growing recognition of sophisticated AI manipulation techniques as a significant cybersecurity risk. It highlights the need for heightened awareness and improved verification methods to counter these evolving forms of fraud and social engineering.

Security Operations

  • Security operations centers (SOCs) are increasingly integrating AI agents and advanced data lake architectures to enhance threat detection and response. Solutions like SymantecAI, powered by Google’s Gemini, automate threat analysis, summarize incidents, and correlate risks across entire security portfolios. This shift aims to reduce manual effort, improve efficiency, and enable continuous autonomous threat hunting to address rapidly evolving cyber threats.
  • Unified Extended Detection and Response (XDR) and Exposure Management platforms are crucial for modern security. Barracuda Managed XDR is expanding its Automated Threat Response capabilities to include Microsoft Defender for Endpoint and Google Workspace, offering real-time threat containment. Tenable’s unified CNAPP and Exposure Management Platform provide holistic visibility, risk correlation, and prioritized remediation across hybrid and multi-cloud environments, helping to overcome fragmented security and tool sprawl.
  • Cisco’s SnortML, an innovative machine learning engine for Snort IPS, is receiving upgrades to proactively detect evolving exploits like SQL Injection, Command Injection, and XSS. This engine operates entirely on-device, ensuring data privacy by processing packets within the network perimeter. Decisions are computed locally in real-time, without reliance on cloud resources, making it suitable for critical infrastructure with strict data residency requirements.
  • The operationalization of threat intelligence is moving beyond reactive ‘intelligence theater’ to proactive ‘intelligence operations’. This involves automating workflows to correlate indicators across multiple sources, generate custom detection rules, and deploy protections without human intervention. Continuous autonomous threat hunting and real-time impact measurement are key goals, enabling significant savings in threat analysis and alert investigation time.
  • CISA has released Thorium, an open-source malware analysis platform designed to streamline incident response, triage, and file analysis. Thorium provides secure file ingestion and storage, automated analysis, and utilizes CaRT (Compressed and RC4 Transport) for safely sharing malicious files. The platform helps consolidate tools into a single interface, making it easier for analysts to review results and search for information.
  • Estonian RIA is actively improving national cybersecurity through a multi-pronged approach. This includes publishing detailed cybersecurity guidelines for election candidates to ensure secure digital campaigns and conducting expert assessments of election technology security, addressing risks from AI and quantum computing. Additionally, RIA is holding public cybersecurity workshops for older demographics and providing clear guidance on identifying official government communications versus phishing attempts.
  • Security operations teams are adapting to new challenges, including performing zero-hour defense against live exploits in high-stakes environments like Black Hat’s NOC. This involves rapid development and deployment of custom detections, often requiring immediate collaboration between threat intelligence teams and partners. Implementing highly segmented network architectures and contextual security models is key to managing controlled chaos and protecting critical infrastructure.

Wins

  • Apple introduced Memory Integrity Enforcement (MIE) in its new iPhone 17 and A19/A19 Pro chips, a hardware-backed memory safety system. This engineering effort aims to combat sophisticated zero-click mercenary spyware by dramatically reducing attackers’ ability to exploit memory corruption vulnerabilities. Apple states MIE redefines the landscape of memory safety for consumer operating systems.
  • A widespread NPM supply chain attack, in which a maintainer’s account was phished and 18 popular packages were briefly published with crypto-stealing malware, was quickly contained. The attacker’s poor operational security, including use of a readily recognizable obfuscator, led to near-immediate detection. Rapid response from the open-source community and NPM kept the financial impact minimal despite the potential scale.
  • The U.S. Department of Justice has unsealed charges against Volodymyr Viktorovich Tymoshchuk, a Ukrainian national, for administering the LockerGoga, MegaCortex, and Nefilim ransomware operations. These operations allegedly targeted over 250 U.S. companies and hundreds more globally. Europol has added Tymoshchuk to its ‘Most Wanted’ fugitives list, and a reward of up to $10 million is offered for information leading to his arrest and conviction.
  • An alleged cyberattack on Kazakhstan’s largest oil company, KazMunaiGas, initially suspected to be a Russian APT, was confirmed by the company to be a planned internal cybersecurity exercise. This “simulation” was conducted to evaluate employee awareness and the efficiency of their Operational Information Security Center, demonstrating a proactive approach to enhancing their cyber resilience.
  • Ethical hackers uncovered significant vulnerabilities in the platforms hosted by Restaurant Brands International (RBI) for its brands like Burger King, Tim Hortons, and Popeyes. These included open user signups in AWS Cognito, email verification bypasses, access to drive-thru audio recordings, and employee account management. Remarkably, RBI fixed all identified vulnerabilities on the same day they were discovered, demonstrating swift remediation capabilities.
  • The Scattered Lapsus$ Hunters hacker group, linked to high-profile data breaches including the Jaguar Land Rover cyberattack and compromises of Google and Salesforce, announced its shutdown. While experts are skeptical about the permanence of this exit and anticipate some members will resurface, the declaration suggests the group may be fracturing under pressure and has paused its operations.
  • The open-source CISO Assistant platform has released a major version 3 update, incorporating a Cyber Risk Quantification (CRQ) module. This enhancement provides security professionals with improved tools for governance, risk, and compliance management, enabling better assessment and quantification of cyber risks. This initiative empowers the community with more robust and accessible GRC capabilities.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

The brief is created in collaboration with BlackStork and is based on a free template.

Reach out if you have questions or suggestions.