cybersecurity


An umbrella community for all things cybersecurity / infosec. News, research, and questions are all welcome!


cross-posted from: https://scribe.disroot.org/post/4943635

Archived version

Here is the technical report: CN APT targets Serbian Government

A suspected China-linked cyber-espionage campaign has targeted a Serbian government department overseeing aviation, as well as other European institutions, according to new research from the cybersecurity firm StrikeReady.

The campaign began in late September with phishing emails sent to a Serbian government office. Further analysis uncovered similar malicious activity in Hungary, Belgium, Italy and the Netherlands.

Victims who clicked on links in the phishing emails were redirected to fake Cloudflare verification pages — a tactic often used to make malicious sites appear legitimate before delivering malware.

The decoy documents used in the campaign included files themed around European government business, such as a study plan from Serbia’s National Academy of Public Administration, a European Commission meeting agenda, and an invitation to the European Political Community summit.

...

Similar tools and tactics have been seen in other China-linked operations, according to StrikeReady. In August, Google researchers uncovered an espionage campaign attributed to the Chinese group UNC6384, which targeted diplomats in Southeast Asia using Sogu to steal data and execute remote commands. The hackers also deployed PlugX through decoy documents mimicking EU Council meeting agendas.

...

Researchers said China-linked actors also used PlugX last year to spy on European healthcare organizations, and that PlugX infections were detected in more than 170 countries in 2024.

It remains unclear what information was accessed in the latest campaign reported by StrikeReady, or whether the attackers achieved their objectives.


cross-posted from: https://scribe.disroot.org/post/4925454

Archived version

Broadcom has patched a high-severity privilege escalation vulnerability in its VMware Aria Operations and VMware Tools software, which has been exploited in zero-day attacks since October 2024.

While the American technology giant didn't tag this security bug (CVE-2025-41244) as exploited in the wild, it thanked NVISO threat researcher Maxime Thiebaut for reporting the bug in May.

However, yesterday, the European cybersecurity company disclosed that this vulnerability was first exploited in the wild beginning mid-October 2024 and linked the attacks to the UNC5174 Chinese state-sponsored threat actor.

"To abuse this vulnerability, an unprivileged local attacker can stage a malicious binary within any of the broadly-matched regular expression paths. A simple common location, abused in the wild by UNC5174, is /tmp/httpd," Thiebaut explained.

"To ensure the malicious binary is picked up by the VMware service discovery, the binary must be run by the unprivileged user (i.e., show up in the process tree) and open at least a (random) listening socket."

NVISO also released a proof-of-concept exploit that demonstrates how attackers can exploit the CVE-2025-41244 flaw to escalate privileges on systems running vulnerable VMware Aria Operations (in credential-based mode) and VMware Tools (in credential-less mode) software, ultimately gaining root-level code execution on the VM.

...
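The two quoted paragraphs describe the mechanism precisely enough to model it: a root-privileged discovery job enumerates listening processes, matches their executable paths against broad, unanchored patterns, and then runs whatever matched to read its version. The following is an added example written for this page (it is not NVISO's proof of concept nor VMware's shipped script). The regular expressions, the trusted-prefix list and the process snapshot are assumptions constructed for the illustration; it contrasts the flawed matching with a hardened variant and adds the hunting view a defender would run over the same data.

```python
"""Model of the CVE-2025-41244 service-discovery pattern (added example; not
NVISO's PoC and not VMware's script). The process table is constructed."""
import re

# Assumption: over-broad, unanchored patterns of the kind the advisory describes.
# They match any path that *ends* in a daemon name, so /tmp/httpd qualifies just
# like /usr/sbin/httpd. The exact expressions shipped by VMware are not reproduced.
BROAD_PATTERNS = [
    re.compile(r"\S*/httpd(-prefork)?$"),
    re.compile(r"\S*/nginx$"),
    re.compile(r"\S*/mysqld$"),
]

# Assumption: directories a root-privileged job may reasonably trust.
TRUSTED_PREFIXES = ("/usr/sbin/", "/usr/bin/", "/usr/libexec/", "/usr/lib/", "/opt/")

# Constructed snapshot: (pid, uid, executable path, has a listening socket).
PROCESSES = [
    (812, 0, "/usr/sbin/httpd", True),
    (901, 0, "/usr/sbin/sshd", True),
    (4242, 1001, "/tmp/httpd", True),        # staged by an unprivileged user
    (4250, 1001, "/home/dev/httpd", False),  # not listening: discovery never sees it
    (4301, 1001, "/bin/bash", False),
]


def vulnerable_discovery(procs):
    """Binaries the flawed discovery would execute as root (with a version flag)
    to fingerprint the service: every listening process whose path matches a
    broad pattern, regardless of owner or location."""
    return [exe for _pid, _uid, exe, listening in procs
            if listening and any(p.match(exe) for p in BROAD_PATTERNS)]


def hardened_discovery(procs):
    """Same intent, but a candidate is only executed when the process belongs to
    root and its path sits under a trusted prefix. A binary staged in /tmp by
    uid 1001 never reaches the exec step."""
    return [exe for _pid, uid, exe, listening in procs
            if listening and uid == 0 and exe.startswith(TRUSTED_PREFIXES)
            and any(p.match(exe) for p in BROAD_PATTERNS)]


def hunt_staged_listeners(procs):
    """Detection view: non-root listeners whose executable lives outside the
    trusted prefixes are exactly the staging step the advisory describes."""
    return [(pid, uid, exe) for pid, uid, exe, listening in procs
            if listening and uid != 0 and not exe.startswith(TRUSTED_PREFIXES)]


if __name__ == "__main__":
    print("would exec as root (vulnerable):", vulnerable_discovery(PROCESSES))
    print("would exec as root (hardened):  ", hardened_discovery(PROCESSES))
    print("staged listeners to triage:     ", hunt_staged_listeners(PROCESSES))
```

On a live Linux host the snapshot would come from the listening sockets (`ss -lptn`) joined with `/proc/<pid>/exe` and the process owner; the hunt function then flags the `/tmp/httpd`-style staging long before the privileged job runs it.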

Off-Topic Friday (self.cybersecurity)
submitted 1 month ago by shellsharks to c/cybersecurity
 
 

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)


Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for September 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, and more. For further details, please visit this page.

The Month at a Glance

September 2025 has been marked by a diverse set of vulnerability sightings across multiple platforms and software ecosystems. The data collected through Vulnerability-Lookup indicates that both newly disclosed and previously known vulnerabilities continued to see active exploitation and discussion in the wild.

CVE-2025-10585, affecting Google Chrome, dominated the reports with 94 sightings. Other frequently sighted vulnerabilities include CVE-2025-10035 in Fortra’s GoAnywhere MFT and CVE-2025-42957 in SAP S/4HANA, both of which reflect persistent enterprise-level risks. These instances underscore the continued need for rapid patch deployment and robust monitoring in enterprise environments.

Network and infrastructure devices also remained a focus for adversaries. Vulnerabilities such as CVE-2023-51767 in OpenSSH and several router-specific CVEs like CVE-2017-18368 highlight the ongoing relevance of securing network endpoints against unauthorized access and exploitation. Similarly, Linux-based vulnerabilities, including CVE-2024-50264, accounted for a significant number of sightings, reinforcing the importance of kernel updates and system hardening practices.

From a severity perspective, most sightings fell into the High and Critical categories, with VLAI confidence scores often exceeding 0.95. This aligns with global observations of attackers prioritizing high-impact targets, such as widely used browsers, enterprise software, and critical network infrastructure. For example, Adobe Commerce, Sitecore Experience Manager, and Microsoft Entra were all associated with vulnerabilities of critical severity, underlining the necessity for organizations to prioritize patching and risk mitigation.

September 2025 reinforces several key trends in the cybersecurity landscape: high-severity vulnerabilities remain prevalent across browsers, enterprise software, and networking devices; unpublished vulnerabilities are actively exploited; and community-driven data aggregation plays a critical role in timely awareness and response. Organizations are encouraged to review patch management processes, monitor community sightings, and leverage threat intelligence feeds to mitigate exposure to these ongoing threats.

This month’s report features a new section dedicated to Known Exploited Vulnerabilities catalogs.

Top 10 Vendors of the Month

Top 15 vulnerabilities of the Month

Vulnerability | Sighting Count | Vendor | Product | VLAI Severity
CVE-2025-10585 | 94 | Google | Chrome | High (confidence: 0.9945)
CVE-2025-10035 | 79 | Fortra | GoAnywhere MFT | Critical (confidence: 0.9076)
CVE-2025-42957 | 71 | SAP_SE | SAP S/4HANA (Private Cloud or On-Premise) | Critical (confidence: 0.9849)
CVE-2025-55241 | 68 | Microsoft | Microsoft Entra | High (confidence: 0.4512)
CVE-2025-54236 | 64 | Adobe | Adobe Commerce | Critical (confidence: 0.9679)
CVE-2024-50264 | 60 | Linux | Linux | High (confidence: 0.9854)
CVE-2015-2051 | 58 | dlink | dir-645 | High (confidence: 0.4993)
CVE-2023-51767 | 57 | openssh | openssh | High (confidence: 0.5824)
CVE-2017-18368 | 57 | zyxel | p660hn-t1a_v2 | Critical (confidence: 0.9679)
CVE-2025-43300 | 54 | Apple | iOS and iPadOS | High (confidence: 0.9548)
CVE-2025-55177 | 53 | Facebook | WhatsApp Desktop for Mac | High (confidence: 0.5006)
CVE-2018-10562 | 51 | dasannetworks | gpon_router | Critical (confidence: 0.9522)
CVE-2016-1555 | 49 | netgear | wnap320 | Critical (confidence: 0.9159)
CVE-2025-20333 | 48 | code-projects | Blood Bank Management System | Medium (confidence: 0.9945)
CVE-2025-53690 | 44 | Sitecore | Experience Manager (XM) | Critical (confidence: 0.9573)

Known Exploited Vulnerabilities

New entries have been added to major Known Exploited Vulnerabilities catalogs.

CISA

CVE ID | Date Added | Vendor | Product | VLAI Severity
CVE-2025-59689 | 29/09/25 | Cisco | IOS | Medium (confidence: 0.8045)
CVE-2025-10035 | 29/09/25 | Fortra | GoAnywhere MFT | Critical (confidence: 0.9076)
CVE-2025-32463 | 29/09/25 | Sudo project | Sudo | High (confidence: 0.5599)
CVE-2021-21311 | 29/09/25 | vrana | adminer | High (confidence: 0.6111)
CVE-2025-20352 | 29/09/25 | Cisco | IOS | High (confidence: 0.9912)
CVE-2025-20333 | 25/09/25 | Cisco | Cisco Adaptive Security Appliance (ASA) Software | Critical (confidence: 0.9823)
CVE-2025-20362 | 25/09/25 | Cisco | Cisco Adaptive Security Appliance (ASA) Software | Medium (confidence: 0.9948)
CVE-2025-10585 | 23/09/25 | Google | Chrome | High (confidence: 0.9945)
CVE-2025-5086 | 11/09/25 | Dassault Systèmes | DELMIA Apriso | Critical (confidence: 0.9632)
CVE-2025-53690 | 04/09/25 | Sitecore | Experience Manager (XM) | Critical (confidence: 0.9573)
CVE-2025-48543 | 04/09/25 | Google | Android | High (confidence: 0.9709)
CVE-2025-38352 | 04/09/25 | Linux | Linux | High (confidence: 0.8176)
CVE-2023-50224 | 03/09/25 | TP-Link | TL-WR841N | Medium (confidence: 0.9651)
CVE-2025-9377 | 03/09/25 | TP-Link Systems Inc. | Archer C7(EU) V2 | High (confidence: 0.9895)
CVE-2020-24363 | 02/09/25 | TP-Link | tl-wa855re | High (confidence: 0.9407)

ENISA

CVE ID | Date Added | Vendor | Product | VLAI Severity
CVE-2025-25231 | 09/09/25 | Omnissa | Omnissa Workspace ONE UEM | High (confidence: 0.8877)

Top 10 Weaknesses of the Month

Unpublished Vulnerabilities in the Wild

Sightings detected between 2025-09-01 and 2025-09-30 that are associated with unpublished vulnerabilities.

Vulnerability ID | Occurrences | Comment
CVE-2023-42344 | 15 | OpenCMS Unauthenticated XXE Vulnerability
CVE-2025-30333 | 2 |
CVE-2025-27225 | 1 | Nuclei template
CVE-2025-27222 | 1 |
CVE-2025-14414 | 1 | Oracle
CVE-2011-2553 | 1 | Exploit (SPLOITUS), source code not published
CVE-2025-56708 | 1 | Exploit (SPLOITUS)
CVE-2025-55817 | 1 | Exploit (SPLOITUS)

Continuous Exploitation

Insights from Contributors

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding


The main objective of Federated European Team for Threat Analysis (FETTA) is improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.

The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL’s contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.

Press release


cross-posted from: https://scribe.disroot.org/post/4877381

Archived version

Asahi Group Holdings, Japan’s largest brewing company, has suspended ordering, shipping, and customer service functions after a cyberattack disrupted its domestic operations. The company, best known for its Asahi Super Dry beer, also produces soft drinks and other beverages, with a strong footprint across Europe and Asia.

“At this time, there has been no confirmed leakage of personal information or customer data to external parties,” Asahi wrote in a notice on its website. “However, due to the system failure, the following operations have been suspended – order and shipment operations at group companies in Japan and call center operations, including customer service desks."

The company added that it is actively investigating the cause and working to restore operations; however, there is currently no estimated timeline for recovery. “The system failure is limited to our operations within Japan. We sincerely apologize for any inconvenience caused to our customers and business partners.”

...

Market research specialist Teikoku Databank conducted an online survey into cyberattacks at Japanese firms from March 11 to 14, 2022. It found that, of 1,547 businesses responding, 36.1% of companies had experienced a cyberattack in the past year. Around 80% of these, or 28.4% overall, faced a cyberattack in the past month.

In May, Japan’s National Parliament passed the Active Cyber Defense Law, marking a pivotal shift in the country’s cybersecurity strategy. The scope of the legislation extends significantly beyond its title, encompassing a range of provisions aimed at modernizing government institutions and enhancing Japan’s overall cybersecurity framework. The law requires operators of critical infrastructure, designated under the 2022 Economic Security Promotion Act, to report cybersecurity incidents to the government, though the scope and timing of those reports remain undefined.

...

[The Asahi case is another one in a line of cyber attacks against supply chains. For example, UK's Bridgestone or Jaguar Land Rover, along with many others, suffered similar incidents forcing them to halt production.]


cross-posted from: https://scribe.disroot.org/post/4876841

Canada is confronting an expanding and complex cyber threat landscape with a growing cast of malicious and unpredictable state and non-state cyber threat actors, from cybercriminals to hacktivists, that are targeting our critical infrastructure and endangering our national security, the Canadian Centre for Cyber Security (Cyber Centre) says in its National Cyber Threat Assessment 2025-2026. The threat assessment is based on information available as of September 20, 2024.

Key judgements:

  • Canada’s state adversaries are using cyber operations to disrupt and divide. State-sponsored cyber threat actors are almost certainly combining disruptive computer network attacks with online information campaigns to intimidate and shape public opinion. State-sponsored cyber threat actors are very likely targeting critical infrastructure networks in Canada and allied countries to pre-position for possible future disruptive or destructive cyber operations.
  • The People’s Republic of China’s (PRC) expansive and aggressive cyber program presents the most sophisticated and active state cyber threat to Canada today. The PRC conducts cyber operations against Canadian interests to serve high-level political and commercial objectives, including espionage, intellectual property (IP) theft, malign influence, and transnational repression. Among our adversaries, the PRC cyber program’s scale, tradecraft, and ambitions in cyberspace are second to none.
  • Russia’s cyber program furthers Moscow’s ambitions to confront and destabilize Canada and our allies. Canada is very likely a valuable espionage target for Russian state-sponsored cyber threat actors, including through supply chain compromises, given Canada’s membership in the North Atlantic Treaty Organization, support for Ukraine against Russian aggression, and presence in the Arctic. Pro-Russia non-state actors, some of which we assess likely have links to the Russian government, are targeting Canada in an attempt to influence our foreign policy.
  • Iran uses its cyber program to coerce, harass, and repress its opponents, while managing escalation risks. Iran’s increasing willingness to conduct disruptive cyber attacks beyond the Middle East and its persistent efforts to track and monitor regime opponents through cyberspace present a growing cyber security challenge for Canada and our allies.
  • The Cybercrime-as-a-Service (CaaS) business model is almost certainly contributing to the continued resilience of cybercrime in Canada and around the world. The CaaS ecosystem is underpinned by flourishing online marketplaces where specialized cyber threat actors sell stolen and leaked data and ready-to-use malicious tools to other cybercriminals. This has almost certainly enabled a growing number of actors with a range of capabilities and expertise to carry out cybercrime attacks and evade law enforcement detection.
  • Ransomware is the top cybercrime threat facing Canada’s critical infrastructure. Ransomware directly disrupts critical infrastructure entities’ ability to deliver critical services, which can put the physical and emotional wellbeing of victims in jeopardy. In the next two years, ransomware actors will almost certainly escalate their extortion tactics and refine their capabilities to increase pressure on victims to pay ransoms and evade law enforcement detection.


cross-posted from: https://lemmy.sdf.org/post/43404420

Archived

[...]

While constituting a fraction of total incident volume, their potential for strategic disruption remains a primary concern for the Union, according to the ENISA Threat Landscape report, covering incidents documented between July 2024 and June 2025, to provide actionable intelligence for EU policymakers and defenders.

Key statistics from the analysis reveal a concentrated threat:

  • 7.2% of total incidents recorded were identified as cyberespionage campaigns, the primary objective of state-aligned activities.
  • 46 distinct state-aligned intrusion sets were observed to be active against targets within the European Union.
  • The top five targeted NIS2 sectors were public administration, transport, digital infrastructure, energy, and health, demonstrating a clear focus on sectors vital to national and EU-level functioning.

A persistent challenge in countering these threats is the difficulty of definitive attribution. The source material highlights that "cyberespionage campaigns are typically documented with a delay spanning from 6 months to more than 4 years," meaning defenders operate with a historical, incomplete picture of the threat. This is reflected in a significant attribution gap, with unidentified intrusion sets accounting for 47% of Russia-nexus, 43% of China-nexus, and 36% of DPRK-nexus activities. This gap hinders the development of precise situational awareness and complicates the formulation of effective, tailored defensive strategies.

[...]

Russia-Nexus Adversaries

Intrusion sets aligned with Russia were the most active state-aligned threat actors targeting the EU, conducting sustained cyberespionage campaigns designed to undermine European security and support Moscow's strategic objectives. The most frequently documented groups were APT29, APT28, and Sandworm. Their targeting patterns indicate a concerted intelligence effort to map and disrupt NATO's logistical supply lines to Ukraine and to gauge the political resolve of key Member States like Germany and France.

[...]

China-Nexus Adversaries

China-nexus intrusion sets executed a consistent operational mission to acquire strategic data and intellectual property. This demonstrates a systematic, state-directed campaign of industrial espionage designed to close China's technological gap and erode the EU's competitive advantage in key high-tech sectors. The top five most active groups were UNC5221, Mustang Panda, APT41, Flax Typhoon, and Salt Typhoon.

[...]

DPRK-Nexus Adversaries

DPRK-nexus intrusion sets pursued a dual mission of cyberespionage and illicit revenue generation to fund the regime. The most active groups targeting the EU were Famous Chollima, Lazarus, and Kimsuky. Their campaigns focused on Belgium, Italy, Germany, and France, with a heavy emphasis on private sector organizations in the Human Resources, financial services (including cryptocurrency), and technology sectors.

[...]


Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.


cross-posted from: https://lemmy.sdf.org/post/43277000

Here is the technical analysis by Unit42-Paloaltonetworks: Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite

The group’s primary objective is cyberespionage, with a focus on stealing sensitive, non-public information from high-value targets. Over the past two and a half years, Unit 42 has observed Phantom Taurus focusing its efforts on ministries of foreign affairs, embassies, and military operations, often timing its activities to coincide with geopolitical events in those regions.

[...]

Unit42 writes:

Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s Republic of China (PRC) state interests. Over the past two and a half years, Unit 42 researchers have observed Phantom Taurus targeting government and telecommunications organizations across Africa, the Middle East, and Asia.

[The] observations show that Phantom Taurus’ main focus areas include ministries of foreign affairs, embassies, geopolitical events and military operations. The group’s primary objective is espionage. Its attacks demonstrate stealth, persistence and an ability to quickly adapt their tactics, techniques and procedures (TTPs).

[...]


Cross-posted from: https://lemmy.sdf.org/post/43105573

Archived

Telecommunications and manufacturing sectors in Central and South Asian countries have emerged as the target of an ongoing campaign distributing a new variant of a known malware called PlugX (aka Korplug or SOGU).

"The new variant's features overlap with both the RainyDay and Turian backdoors, including abuse of the same legitimate applications for DLL side-loading, the XOR-RC4-RtlDecompressBuffer algorithm used to encrypt/decrypt payloads and the RC4 keys used," Cisco Talos researchers Joey Chen and Takahiro Takeda said in an analysis published this week.

The cybersecurity company noted that the configuration associated with the PlugX variant diverges significantly from the usual PlugX configuration format, instead adopting the same structure used in RainyDay, a backdoor associated with a China-linked threat actor known as Lotus Panda (aka Naikon APT). It's also likely tracked by Kaspersky as FoundCore and attributed to a Chinese-speaking threat group it calls Cycldek.

[...]
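The Talos quote names the payload-handling chain the variant shares with RainyDay and Turian: an XOR pass, RC4, and then RtlDecompressBuffer (the Windows API whose default format is LZNT1). The block below is an added example written for this page, not Talos's tooling and not code from any sample; it implements that decode order so the chain can be exercised offline. The single-byte XOR scheme, both key values and the sample buffer are assumptions constructed here (the real keys Talos documents are not reproduced), and the LZNT1 decoder is a plain reimplementation of the documented format rather than a call into Windows.

```python
"""XOR -> RC4 -> LZNT1 payload decoding of the kind Talos describes for the new
PlugX variant. Added example; keys and sample data are constructed assumptions."""
import struct

XOR_KEY = 0x5A          # assumption: single-byte XOR key
RC4_KEY = b"example!"   # assumption: placeholder, not a key from the analysis


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). Symmetric, so it both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def lznt1_decompress(buf):
    """Decompress an LZNT1 stream as RtlDecompressBuffer would: a sequence of
    [u16 header][data] chunks, header bit 15 = compressed, low 12 bits = data
    length - 1. In a compressed chunk a flag byte precedes each group of eight
    tokens; a set bit marks a 16-bit (offset, length) back-reference whose
    offset/length bit split shifts as the chunk output grows."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, pos)[0]
        pos += 2
        if header == 0:
            break
        size = (header & 0x0FFF) + 1
        chunk = buf[pos:pos + size]
        pos += size
        if not header & 0x8000:          # stored chunk: raw copy
            out += chunk
            continue
        chunk_start = len(out)
        cpos = 0
        while cpos < len(chunk):
            flags = chunk[cpos]
            cpos += 1
            for bit in range(8):
                if cpos >= len(chunk):
                    break
                if not flags >> bit & 1:
                    out.append(chunk[cpos])
                    cpos += 1
                    continue
                token = struct.unpack_from("<H", chunk, cpos)[0]
                cpos += 2
                p = len(out) - chunk_start - 1
                l_mask, o_shift = 0x0FFF, 12
                while p >= 0x10:         # fewer length bits deeper into the chunk
                    l_mask >>= 1
                    o_shift -= 1
                    p >>= 1
                length = (token & l_mask) + 3
                offset = (token >> o_shift) + 1
                for _ in range(length):  # byte-wise copy handles overlapping runs
                    out.append(out[-offset])
    return bytes(out)


def decode_payload(blob):
    """Reverse the loader's chain: XOR, then RC4, then LZNT1 decompression."""
    return lznt1_decompress(rc4(RC4_KEY, xor_bytes(blob, XOR_KEY)))


# Constructed LZNT1 stream: one compressed chunk (header 0xB005: compressed,
# six data bytes) holding literals "ABC" then a back-reference (offset 3, length 6).
SAMPLE_LZNT1 = bytes.fromhex("05B0" "08" "414243" "0320")
# Wrapped the way the loader expects to find it: RC4-encrypted, then XORed.
SAMPLE_BLOB = xor_bytes(rc4(RC4_KEY, SAMPLE_LZNT1), XOR_KEY)

if __name__ == "__main__":
    print(decode_payload(SAMPLE_BLOB))   # b'ABCABCABC'
```

Because XOR and RC4 are their own inverses, the same two helpers produce the test blob and decode it; only the decompressor is one-directional. Against a real sample the XOR scheme and the keys are the variables to recover from the loader, and the decoder can be swapped for `ctypes` calls into `RtlDecompressBuffer` on Windows if a native oracle is preferred.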


Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.


cross-posted from: https://lemmy.sdf.org/post/42855947

Archived

Here is the technical report: Nimbus Manticore Deploys New Malware Targeting Europe

A group of Iranian hackers known as Nimbus Manticore is expanding its operations, now focusing on major companies across Europe. According to new research from the cybersecurity firm Check Point Research (CPR), the group is targeting businesses in the defence, telecommunications, and aerospace sectors to steal sensitive information.

Nimbus Manticore, also called UNC1549 or Smoke Sandstorm, has been actively tracked since early 2025 and previously ran the Iranian Dream Job campaign. These campaigns align with the strategic intelligence-gathering goals of Iran’s IRGC, especially during times of heightened geopolitical tension.

[...]


Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!
