Tag: Threat Intelligence

All articles tagged with #threat intelligence

AI-Driven Threats Blur the Line Between Daily Activity and Breach
technology · 5 days ago

ThreatsDay flags AI-enhanced threats accelerating breaches and blurring into everyday activity: Kali Linux now integrates Claude via MCP for natural-language command execution; campaigns include Bitpanda phishing, four-minute lateral movement, and Mac/WinRAR exploits, aided by ad cloaking, typosquatting, and social engineering, as threat actors fragment post-RAMP and increasingly use AI-driven tactics.

DNS-Driven ClickFix: nslookup-based staging delivers Windows malware payloads
technology · 17 days ago

Microsoft reveals a new DNS-based variant of the ClickFix social-engineering tactic that tricks users into running commands via the Windows Run dialog to perform a DNS lookup against a hard-coded external server. The output’s Name: field becomes the second-stage payload, followed by a ZIP download from azwsappdev[.]com that leads to a Python script, a VBScript launcher for ModeloRAT, and persistence through a startup LNK. The campaign’s broader ecosystem includes loaders and stealers (CastleLoader, Lumma Stealer, RenEngine Loader, Hijack Loader) across Windows and macOS, leveraging fake CAPTCHA pages, social-engineering lures, and aged domains to blend into normal traffic and evade detections.

Week in Cybersecurity: Proxy Botnet Disrupted, Office Zero-Day Patched, MongoDB Extortion Surges
cybersecurity · 1 month ago

This weekly cybersecurity digest flags a busy threat landscape: Google disrupted the IPIDEA residential proxy network, shrinking attackers’ exit nodes; Microsoft patched a critical Office zero-day (CVE-2026-21509) and Ivanti fixed EPMM flaws (CVE-2026-1281/1340); CERT Polska linked destructive attacks on wind/solar facilities to Static Tundra; new campaigns include Operation Bizarre Bazaar targeting exposed AI endpoints and a surge of MongoDB extortion against over 1,400 exposed databases; other notes cover Exfil Out&Look via Outlook add-ins, PyRAT’s cross‑platform capabilities, TA584’s evolving attack chain with Tsundere Bot and XWorm, and related cybercrime trends.

WinRAR CVE-2025-8088 Seized by State and Criminal Actors After Patch
technology · 1 month ago

Google’s Threat Intelligence Group reports active exploitation of WinRAR CVE-2025-8088 by both state-backed and financially motivated actors, even after a patch (WinRAR 7.13, July 30, 2025). The flaw is used for initial access via a path-traversal method that drops a malicious LNK in the Windows Startup folder/ADS, with campaigns tied to RomCom/UNC4895, UNC2596 (Cuba ransomware), Sandworm, Gamaredon, Turla, and a China-based actor delivering Poison Ivy, deploying payloads such as SnipBot, AsyncRAT, and XWorm and even browser extensions for Brazilian banking sites. The widespread activity underscores an active underground market for exploits and persistent defense gaps, with a separate flaw CVE-2025-6218 also being exploited by multiple groups.

Oracle Releases Emergency Patch for CVE-2025-61882 Amid Cl0p Data Theft Attacks
threat-intelligence · 5 months ago

Oracle released an emergency patch for a critical vulnerability (CVE-2025-61882) in its E-Business Suite, which has been exploited by the Cl0p ransomware group in recent data theft attacks. The flaw allows remote code execution without authentication, and indicators suggest involvement of the LAPSUS$ group. Organizations are advised to check for compromises, as exploitation has already occurred.

Chinese Hacker Groups Exploit SharePoint Vulnerabilities in Global Cyberattacks
threat-intelligence · 7 months ago

Microsoft has linked recent exploits of SharePoint Server vulnerabilities to three Chinese hacker groups—Linen Typhoon, Violet Typhoon, and Storm-2603—who are leveraging these flaws to gain unauthorized access and deploy web shells, with ongoing risks for unpatched on-premises SharePoint systems. The company urges immediate security updates and mitigations to prevent further attacks.

Global Organizations Under Siege: Microsoft Exposes APT29 Espionage and Midnight Blizzard Hacking Spree
threat-intelligence-cyber-attack · 2 years ago

Microsoft warns that APT29, a Russian state-sponsored threat actor, has been targeting global organizations, primarily in the U.S. and Europe, using tactics such as compromised accounts and OAuth applications to gather sensitive information. The scale of the campaign may be larger than previously thought, with the threat actor using diverse initial access methods and residential proxies to obfuscate connections. Organizations are advised to defend against rogue OAuth applications and password spraying.

CISA Urges Immediate Action on Ivanti Zero-Day Exploits for Federal Agencies
network-security-threat-intelligence · 2 years ago

CISA has issued an emergency directive to federal agencies to address actively exploited zero-day flaws in Ivanti Connect Secure and Ivanti Policy Secure products, which allow threat actors to execute arbitrary commands and compromise information systems. Ivanti is expected to release an update next week, but has provided a temporary workaround. Organizations are urged to apply mitigations, run integrity checks, and take additional security measures. Cybersecurity firms have observed attacks exploiting the flaws, with as many as 2,100 devices compromised globally. The initial attack wave has been attributed to a Chinese nation-state group, with indications of opportunistic exploitation for financial gain by other threat actors.

CISA Identifies High-Severity Exploited Vulnerabilities in Apple, Apache, Adobe, D-Link, Joomla, and Apache Superset
cybersecurity · 2 years ago

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified six known exploited vulnerabilities, including high-severity flaws affecting Apple, Apache, Adobe, D-Link, and Joomla, with evidence of active exploitation. These vulnerabilities pose risks such as remote code execution and improper access control. CISA has urged federal agencies to apply patches to secure their networks against these active threats by January 29, 2024.

Security Expert Advises Deleting Android Apps with 3 'Malicious' Clues
technology · 2 years ago

Android phone users are being warned to watch out for malicious apps that can cause chaos in their digital and real life. Cybersecurity expert Kristina Balaam has highlighted three warning signs that an Android app may be unsafe: unusual requests for permissions, strange behavior after downloading, and seemingly innocent requests for Accessibility Services that can be abused by threat actors to monitor everything a user does on their device. Users are advised to keep a close eye on any apps they install, even from the Google Play Store, to avoid being spied on, defrauded, stolen from, blackmailed, and more.

Microsoft's AI-powered Security Copilot revolutionizes cyberdefense
technology · 2 years ago

Microsoft has launched Security Copilot, an AI-powered cybersecurity tool that combines the company's threat intelligence with industry expertise to help security professionals detect and respond to threats. The tool will simplify complexity and amplify the capabilities of security teams by summarizing and making sense of threat intelligence, helping defenders see through the noise of web traffic and identify malicious activity. Security Copilot is currently available through private preview.