Heroes. Let's get right to it. In Australia, their Monday is behind them. If they made it, so can the rest of us. Here's a detailed look at the current cybersecurity landscape for Monday, August 18, 2025.
Date & Time: 2025-08-18T07:08:39
Xerox has released patches for two critical vulnerabilities in its FreeFlow Core software. The flaws, a path traversal and an XML External Entity (XXE) injection, could be combined by an unauthenticated remote attacker to achieve remote code execution. Organizations using this software should patch immediately to prevent potential system compromise.
CVE Details: CVE-2025-8355, CVE-2025-835
Source: securityaffairs.com
Date & Time: 2025-08-18T09:00:10
Kaspersky researchers have detailed the evolution of the PipeMagic backdoor, connecting its use to the exploitation of CVE-2025-29824. This vulnerability was reportedly being used in real-world attacks at the time Microsoft released a patch in April 2025. The connection to a known backdoor used by ransomware groups like RansomExx highlights the urgency for organizations to ensure this specific CVE has been patched.
CVE Details: CVE-2025-29824
Source: kasperskycontenthub.com
Date & Time: 2025-08-17T07:14:34
The full source code for the ERMAC 3.0 Android banking trojan has been obtained by researchers at Hunt.io. This version, an evolution of the Cerberus and Hook malware families, targets over 700 banking, shopping, and cryptocurrency applications. The leak will likely lead to a proliferation of new, customized variants of this malware, increasing the threat to mobile banking users worldwide.
CVE Details: n/a
Source: securityaffairs.com
Date & Time: 2025-08-18T10:17:07
Check Point Research reports that the Canadian House of Commons has experienced a data breach. Specific details on the scope and impact are not yet available, but any breach of a national legislative body is a critical event with potential national security implications. Further details are expected as the investigation unfolds.
CVE Details: n/a
Source: research.checkpoint.com
Date & Time: 2025-08-18T09:33:23
A Chinese Advanced Persistent Threat (APT) group, tracked as UAT-7237, has been identified targeting web infrastructure and hosting firms in Taiwan. The objective of the campaign is to gain long-term access to high-value downstream targets that use the compromised hosting services. This supply-chain-style attack poses a significant risk to government, technology, and other key sectors in the region.
CVE Details: n/a
Source: securityweek.com
Date & Time: 2025-08-17T15:00:00
A presentation from BSides San Francisco 2025 by Jack Cable highlights key lessons from CISA regarding the product security imperative. The talk provides valuable insights for developers, manufacturers, and security professionals on building more secure products from the ground up. This reflects a growing industry focus on shifting security left in the development lifecycle.
Source: securityboulevard.com
Date & Time: 2025-08-17T21:00:00
As data breaches escalate, a strategic shift towards securing Non-Human Identities (NHIs) and secrets is becoming critical for enterprise security programs. NHIs, such as API keys, service accounts, and machine identities, are prime targets for attackers seeking to move laterally and access sensitive data, as seen in sophisticated APT campaigns. Executives should evaluate their organization's maturity in Non-Human Identity and Data Rights (NHIDR) to mitigate this growing attack surface.
Source: entro.security
Spotlight Rationale: Entro Security is selected due to the increasing relevance of Non-Human Identity (NHI) security, a critical defense layer against sophisticated attacks like the Chinese APT campaign targeting Taiwanese infrastructure, which often relies on compromised service accounts and API keys for persistence and lateral movement.
Threat Context: Web Hosting Firms in Taiwan Attacked by Chinese APT for Access to High-Value Targets
Platform Focus: Entro Security - Non-Human Identity and Secrets Security Platform
Entro Security provides a platform designed to discover, manage, and secure non-human identities and secrets across cloud and on-premise environments. By providing a centralized inventory and enforcing security policies, the platform helps prevent the misuse of service accounts, API keys, and other machine-to-machine credentials. This directly addresses the tactics used by APTs to infiltrate networks through trusted, non-human channels, which often have overly permissive access and are poorly monitored.
Actionable Platform Guidance: Organizations should leverage such a platform to first gain full visibility of all NHIs and their permissions. Next, implement automated lifecycle management and just-in-time access policies to reduce the attack surface. Finally, integrate with SIEM and SOAR tools to detect and respond to anomalous NHI behavior, such as an API key being used from an unusual geographic location.
Source: entro.security
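As an added example, not taken from the rundown or from Entro Security's platform, the per-key baseline detection described above (a service account or API key suddenly used from a country, or for an action, it has never used before), run over constructed NHI usage events; the key ids, countries and action names are all made up:

```python
"""Added example: first-seen geography / first-seen action detector for
non-human identities (API keys, service accounts). Not from the original
rundown or any vendor; events below are constructed sample data."""
import json
from collections import defaultdict

# Constructed sample events, one per NHI use (key id, source country, action).
SAMPLE_EVENTS = [
    {"ts": "2025-08-18T06:01:00Z", "key_id": "svc-ci-build", "country": "TW", "action": "deploy:write"},
    {"ts": "2025-08-18T06:05:00Z", "key_id": "svc-ci-build", "country": "TW", "action": "deploy:write"},
    {"ts": "2025-08-18T06:07:00Z", "key_id": "svc-backup", "country": "TW", "action": "storage:read"},
    {"ts": "2025-08-18T06:09:00Z", "key_id": "svc-backup", "country": "TW", "action": "storage:read"},
    {"ts": "2025-08-18T06:40:00Z", "key_id": "svc-ci-build", "country": "TW", "action": "deploy:write"},
    # build key used from a country never seen for it before
    {"ts": "2025-08-18T07:10:00Z", "key_id": "svc-ci-build", "country": "RU", "action": "deploy:write"},
    # backup key used for an IAM action outside its established baseline
    {"ts": "2025-08-18T07:12:00Z", "key_id": "svc-backup", "country": "TW", "action": "iam:CreateAccessKey"},
    # both deviations at once
    {"ts": "2025-08-18T07:13:00Z", "key_id": "svc-backup", "country": "RU", "action": "iam:CreateAccessKey"},
]


def detect_nhi_anomalies(events, min_history=2):
    """Return alerts for NHI events that deviate from each key's observed baseline.

    Events are processed in timestamp order. For each key the first `min_history`
    events only build the baseline (countries and actions seen). After that, a
    country or action not in the baseline is reported. Anomalous events are NOT
    folded into the baseline, so one attacker-controlled use cannot normalise itself.
    """
    seen_countries = defaultdict(set)
    seen_actions = defaultdict(set)
    history = defaultdict(int)  # number of baseline events learned per key
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = ev["key_id"]
        reasons = []
        if history[key] >= min_history:
            if ev["country"] not in seen_countries[key]:
                reasons.append(f"new_geo:{ev['country']}")
            if ev["action"] not in seen_actions[key]:
                reasons.append(f"new_action:{ev['action']}")
        if reasons:
            alerts.append({"ts": ev["ts"], "key_id": key, "reasons": reasons})
            continue
        seen_countries[key].add(ev["country"])
        seen_actions[key].add(ev["action"])
        history[key] += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_nhi_anomalies(SAMPLE_EVENTS):
        print(json.dumps(alert))  # one JSON line per alert, ready for SIEM ingestion
```

In production the baseline would be persisted and seeded from an NHI inventory rather than learned from the first few events of a stream.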
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. YARA Rule for ERMAC 3.0 Android Trojan
rule Android_Trojan_ERMAC_3_0 {
    meta:
        description = "Detects strings associated with the leaked ERMAC 3.0 Android banking trojan."
        author = "Threat Rundown"
        date = "2025-08-18"
        reference = "https://securityaffairs.com/?p=181217"
    strings:
        $s1 = "/inject/activity/AutoInjectActivity" ascii
        $s2 = "com.example.cerberus" ascii
        $s3 = "grabbing/card" ascii
        $s4 = "grabbing/bank" ascii
    condition:
        // 0x04034b50 is the ZIP local-file-header magic, i.e. an APK container
        uint32(0) == 0x04034b50 and filesize < 20MB and (2 of ($s*))
}
2. SIEM Query — Detecting Potential Web Server Compromise by APT
// Splunk Search
// Looks for outbound connections from web servers to non-standard ports and destinations,
// a potential indicator of C2 activity from a compromised host.
// Replace <list_of_your_web_servers> and <known_good_destinations> with your own values
// (comma-separated inside the parentheses; square brackets would be read by SPL as a subsearch).
(source="*firewall*" OR source="*proxy*") src_ip IN (<list_of_your_web_servers>) NOT dest_ip IN (<known_good_destinations>)
| stats count by src_ip, dest_ip, dest_port, user
| where count > 5 AND NOT in(dest_port, 80, 443, 53)
3. PowerShell Script — Check for Xerox FreeFlow Path Traversal Indicators
# This script checks for suspicious file access patterns in IIS logs that may indicate CVE-2025-8355 exploitation.
# The regex matches a literal "../" or "..\" as well as the URL-encoded forms that can appear in
# request URIs ("..%2f", "..%5c", "%2e%2e"). -match is case-insensitive by default, so %2E/%2F are covered.
# (A plain "..\\" pattern would be the regex "any two characters followed by a backslash" and flag nearly every line.)
$logPath = "C:\inetpub\logs\LogFiles\W3SVC1\*.log"
$suspiciousPattern = '\.\.[\\/]|\.\.%2f|\.\.%5c|%2e%2e'
Get-Content -Path $logPath -ErrorAction Stop | ForEach-Object {
    # Skip the W3C header lines (#Software, #Version, #Fields, ...)
    if ($_.StartsWith('#')) { return }
    if ($_ -match $suspiciousPattern) {
        Write-Warning "Potential Path Traversal attempt found in IIS logs: $_"
    }
}
Write-Host "Log check complete. Review any warnings above."
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!