Heroes, a rundown of the current cybersecurity landscape for September 14, 2025.
CRITICAL ITEMSDate & Time: 2025-09-14T08:06:38
The threat actor group ShinyHunters has reportedly attacked Vietnamβs National Credit Information Center (CIC). Vietnam's national cybersecurity authority (VNCERT) has confirmed signs of unauthorized access intended to steal personal data. This incident represents a significant nation-state-level data breach, potentially exposing sensitive financial information of citizens and businesses.
CVE Details: n/a
Source: Security Affairs
Date & Time: 2025-09-14T16:09:28
Details have been released about a new executive security dashboard powered by Xano and the Cisco Umbrella backend. The project's SQL schemas have been made available on GitHub, providing a resource for security and data engineering teams. The release of such tools and schemas can help organizations build more sophisticated internal dashboards for monitoring and threat intelligence.
CVE Details: n/a
Source: Reddit r/cybersecurity
HIGH SEVERITY ITEMSDate & Time: 2025-09-12T23:00:40
Palo Alto Networks' Unit 42 highlights the critical security risks associated with OAuth token management in third-party software supply chains. Dormant integrations, insecure token storage, and a lack of token rotation can lead to significant breaches, allowing attackers to pivot through trusted connections. This serves as a strong reminder for organizations to audit and enforce strict policies on all third-party application integrations.
CVE Details: n/a
Source: Unit 42
Date & Time: 2025-09-12T15:05:00
This report details the tactics of criminal syndicates using "machine rooms" filled with iPhones to conduct large-scale iMessage phishing campaigns. This TTP (Tactic, Technique, and Procedure) bypasses traditional email-based spam filters and leverages the trusted nature of iMessage. Understanding this methodology is crucial for developing defenses against mobile-centric phishing attacks.
CVE Details: n/a
Source: Security Boulevard
Date & Time: 2025-09-14T15:02:23
An analysis of the security challenges posed by the widespread adoption of HTTP/3 and the underlying QUIC protocol is gaining attention. While offering performance benefits, the encrypted-by-default nature of QUIC can blind traditional network security monitoring tools, complicating traffic inspection and threat detection. Security teams must adapt their tools and strategies to maintain visibility into this new wave of web traffic.
CVE Details: n/a
EXECUTIVE INSIGHTSDate & Time: 2025-09-12T21:04:34
Bruce Schneier's blog highlights an analysis proposing a standardized framework for notifying victims of cyberattacks. The core principle is that victims must be notified in a timely manner to assess their risk and take protective measures. For executives and security leaders, this discussion is critical for shaping incident response plans, legal compliance strategies, and public communications during a crisis.
Source: Schneier on Security
VENDOR SPOTLIGHTSpotlight Rationale: In light of emerging threats that operate at a level below the traditional operating system, such as the recently reported HybridPetya ransomware, technologies that provide visibility into the pre-boot environment are critical.
Threat Context: HybridPetya ransomware bypasses UEFI Secure Boot to infect EFI partitions
Platform Focus: ESET PROTECT Platform with ESET Endpoint Security
ESET addresses threats like HybridPetya with its UEFI Scanner, a component integrated into its endpoint security solutions. This scanner runs during the pre-boot sequence, inspecting the Unified Extensible Firmware Interface (UEFI) for malware, rootkits, or unauthorized modifications. This capability is crucial for detecting and blocking threats that traditional antivirus scans would miss because they load before the operating system and its security controls are active.
Actionable Platform Guidance: Based on the provided intelligence, ESET's UEFI scanning capabilities are a key defense against boot-level threats. Ensure this feature is enabled and properly configured across your fleet.
Source: Security Affairs
DETECTION & RESPONSE KITβ οΈ Disclaimer: Test all detection logic in non-production environments before deployment. This guidance is based on general platform knowledge. Verify against current ESET documentation for your specific product versions.
1. Vendor Platform Configuration - ESET
# ESET PROTECT Policy Configuration for UEFI Threat Detection
# Immediate Actions:
# 1. Enable UEFI Scanner: Navigate to Policies > New Policy > Settings > Detection Engine > Malware Scans.
# Ensure 'Enable UEFI firmware scan' is turned ON.
# - Target: Select 'Boot sectors/UEFI' to ensure it runs on startup.
# 2. Set Cleaning Level: In the same policy section, under 'ThreatSense Engine Parameter Setup' > 'Cleaning'.
# - Set the cleaning level to 'Strict Cleaning' for endpoints in high-risk groups to ensure
# automatic removal of detected boot-level threats.
# Verification Steps:
# 1. Policy Application Verification: In the ESET PROTECT console, go to Computers. Select a target machine,
# click 'Details' > 'Configuration'. Use the search filter to find 'UEFI' and confirm the policy
# has been applied and the setting is active.
# 2. Scan Log Review: After a reboot/scan cycle, check the logs for a target machine.
# Go to 'Threats and Quarantine' or 'Scan Logs' and filter for scan type 'Boot Scan'.
# Verify that the scans are completing without errors.2. YARA Rule for HybridPetya-like UEFI Threats
rule Detect_UEFI_Bootkit_HybridPetya_Variant {
meta:
description = "Detects suspicious strings associated with HybridPetya-like ransomware that targets EFI partitions."
author = "Threat Rundown"
date = "2025-09-14"
reference = "https://securityaffairs.com/?p=182149"
strings:
$s1 = "UEFI Secure Boot bypass"
$s2 = { 45 46 49 20 50 41 52 54 } // "EFI PART" ASCII
$s3 = "bootmgfw.efi.bak" // Common indicator of bootloader replacement
$s4 = "Your files are encrypted."
condition:
(uint32(0) == 0x5A4D) and (filesize < 2MB) and (1 of ($s*))
}3. SIEM Query β Anomalous OAuth Token Activity
# Splunk SPL Query to detect potential OAuth token abuse from the supply chain
# Tactic Reference: https://unit42.paloaltonetworks.com/?p=157013
(index=cloud_logs OR index=sso_logs) sourcetype=oauth_events event_type=token_refresh OR event_type=api_call
| bucket _time span=1h
# Count distinct countries accessing with the same token within an hour
| stats dc(src_country) as country_count, values(src_ip) as source_ips by user, oauth_token_id, _time
# Alert if a single token is used from more than 2 countries in an hour
| where country_count > 2
| `anomalous_oauth_token_activity`4. PowerShell Script β Check for Unauthorized Local Admins
# Post-breach check for newly added local administrators, relevant to incidents like the ShinyHunters breach.
# Tactic Reference: https://securityaffairs.com/?p=182189
$servers = Get-Content -Path .\servers.txt
$thresholdDays = 7
$cutoffDate = (Get-Date).AddDays(-$thresholdDays)
foreach ($server in $servers) {
if (Test-Connection -ComputerName $server -Count 1 -Quiet) {
Write-Host "[+] Checking for new local admins on $server..."
try {
$admins = Get-LocalGroupMember -ComputerName $server -Group "Administrators" -ErrorAction Stop
foreach ($admin in $admins) {
if ($admin.ObjectClass -eq 'User') {
$user = Get-LocalUser -ComputerName $server -Name $admin.Name
if ($user.PasswordLastSet -gt $cutoffDate -or $user.LastLogon -gt $cutoffDate) {
Write-Warning "[!] POTENTIAL UNAUTHORIZED ADMIN: User '$($user.Name)' on server '$server' was recently active or had password set."
}
}
}
} catch {
Write-Error "[-] Could not query local admins on $server. Error: $_"
}
} else {
Write-Error "[-] Server $server is not reachable."
}
}This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!