Heroes, late breaking critical news. Here's a detailed look at the current cybersecurity landscape for September 17, 2025.
COMMENTARY: Why AI projects fail
Beyond the usual "AI isn't ready" excuses, two real reasons matter.
AI is being asked to boil the ocean
This one is probably easy enough to digest. At first glance, AI looks extremely capable, but when it comes to orchestrating business processes, you still need an architect to oversee it all. Until coders themselves up-skill to managerial and architecture skills commensurate with complex projects, you'll get the same outcome as hiring dozens of coders with no competent leadership.
Some problems are simply beyond the scope of being 'solvable'
The short story is that AI does not overcome math, and some problems can't be solved in a reasonable time. The classic case is the 'traveling salesman problem' (you have one salesman who must visit 50 customers. What is the optimal path? If you look at a map, the options seem infinite to calculate). In these cases we apply heuristics (shortcuts) that get us to a 'good enough' answer, but we never know for sure that we chose the optimal one. It works and is profitable, and we move on.
If you're looking for AI to optimize supply chain costs, it's gonna be a slog. Too many moving parts outside of your control. Technologies like AGI still won't overcome math.
But AI can be an amazing tool for sorting through the noise, giving stakeholders options for high-level decisions, and solving smaller, well-bounded problems quite well (for example, how to load a truck optimally).
The takeaway: AI amplifies good decisions. It doesn't make them for you.
A green flag when selecting an AI solution is that it emphasizes empowering the human in the loop. Those people are still the ones who can adjust for dirty or outdated data, new requirements, and corner cases.
Date & Time: 2025-09-16T08:53:40
A new ransomware strain named 'Yurei' has emerged, reportedly operated by a Moroccan-based cybercrime group. The ransomware is a modified version of the Prince-Ransomware binary and contains a flaw that may allow for partial data recovery. Despite this flaw, the extortion threat to release stolen data remains, posing a significant risk to affected organizations.
CVE Details: n/a
Source: Dark Reading ↗ Check Point Research ↗
Date & Time: 2025-09-17T11:05:59
Security researchers have identified significant vulnerabilities in electronic safes utilizing Securam Prologic locks. The undisclosed techniques represent glaring security flaws that could allow unauthorized physical access to the contents of these safes. This highlights the critical intersection of physical and cybersecurity, as digital vulnerabilities can directly compromise physical security controls.
CVE Details: n/a
Source: Schneier on Security ↗ Wired ↗
Date & Time: 2025-09-16T05:00:00
A widespread software supply chain attack is targeting the npm registry, compromising over 180 packages with a self-replicating worm designed to steal credentials. The malicious code modifies package tarballs to propagate itself, posing a severe risk to development environments and downstream applications that depend on these packages. This attack underscores the persistent and evolving threat of supply chain compromises.
CVE Details: n/a
Source: The Hacker News ↗
Date & Time: 2025-09-16T23:00:55
Palo Alto Networks' Unit 42 is highlighting the significant dangers posed by seemingly harmless user actions, such as clicking a link or visiting a website. These actions can expose users and organizations to drive-by downloads, credential theft, and other malicious activities without further interaction. This serves as a critical reminder that user awareness and endpoint protection are essential layers of defense against initial access attempts.
CVE Details: n/a
Source: Unit 42 ↗
Date & Time: 2025-09-16T22:22:25
Announced at Fal.Con 2025, Seraphic's Secure Enterprise Browser (SEB) solution is now available in the CrowdStrike Marketplace. This integration aims to provide enhanced security visibility and control directly at the browser level, an increasingly targeted vector for attacks. The partnership allows organizations to better protect against web-based threats that traditional network and endpoint security may miss.
CVE Details: n/a
Source: LastWatchdog ↗
Date & Time: 2025-09-17T10:00:27
As threats like ransomware and data breaches become inevitable, Cisco Talos highlights the strategic importance of having an Incident Response (IR) retainer. Proactive planning and having an expert team on standby can significantly reduce the impact, recovery time, and financial cost of a security breach. This is a crucial consideration for executive leadership and boards in managing organizational cyber risk.
Source: Cisco Talos Intelligence Blog ↗
Date & Time: 2025-09-17T03:55:30
AWS has introduced a feature to automate the rotation of OIDC client secrets for its Application Load Balancer, simplifying a critical security task. By offloading authentication and automating credential management, developers can reduce the risk of secret leakage and focus on application logic. This represents a valuable operational security improvement for organizations using AWS infrastructure.
Source: AWS Elastic Load Balancing ↗
Date & Time: 2025-09-16T18:24:34
The Japanese government plans to subsidize up to half the cost of new undersea cable-laying and maintenance vessels, citing serious national security concerns. This strategic move aims to bolster the security and resilience of critical data infrastructure against potential sabotage or espionage. The decision reflects a growing global recognition of the geopolitical importance of physical internet infrastructure.
Source: Hacker News ↗
Spotlight Rationale: Today's intelligence highlights the emergence of the Yurei ransomware and a Unit 42 report on how "innocent clicks" lead to compromise. These threats underscore the critical role of the human element as the initial access vector. Veriato is selected for its ability to provide deep visibility into user activity, which is essential for detecting the precursor behaviors that lead to ransomware incidents and for conducting effective post-breach forensics.
Threat Context: Emerging 'Yurei' Ransomware Claims First Victims
Platform Focus: Veriato Cerebral (Insider Threat and User Activity Monitoring)
Veriato Cerebral addresses the threats posed by ransomware like Yurei by monitoring, recording, and analyzing all user activity. While not a preventative EDR, it provides the critical context that other tools miss. By capturing screen recordings, keystrokes, file movements, and web activity, security teams can identify anomalous behavior—such as an employee accessing suspicious websites, downloading unusual files, or attempting to disable security software—that often precedes a ransomware payload execution. This data is invaluable for early detection of a compromised user and for tracing the root cause of an incident back to the initial "innocent click."
Actionable Platform Guidance: Configure Veriato Cerebral to specifically detect ransomware precursors. Create keyword alerts for terms like "decrypt," "bitcoin," "ransomware note," and file extension names associated with Yurei. Implement anomaly detection policies to flag sudden spikes in file renaming, deletion, or encryption activity on endpoints and file shares, which are strong indicators of a ransomware attack in progress.
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - Veriato Cerebral
# Veriato Cerebral Alert Configuration for Ransomware Precursors
# 1. Navigate to Alerts > Alert Rules and create a new rule.
# 2. Rule Name: "Ransomware Activity Detected"
# 3. Recorded Activity to Watch: Select "Keystrokes" and "File Transfers".
# 4. Keyword Alert Configuration:
# - In the Keystroke criteria, add the following keywords:
# "yurei", "ransomware", "decrypt files", "bitcoin payment", ".yurei"
# - Set sensitivity to trigger on a single instance.
# 5. File Activity Anomaly Configuration:
# - Create a separate Anomaly Alert rule for "File Activity".
# - Set the rule to trigger when file modifications (rename, create, delete) on a device exceed the established baseline by 300% in a 5-minute window.
# - Focus monitoring on critical file shares and user document folders.
# 6. Action: Configure the rule to send an immediate email notification to the SOC/IR team and optionally enable screen capture recording for the affected user.
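The baseline-plus-300% rule in step 5 and the ".yurei" extension watch in step 4, worked through as an added Python example (not Veriato's own logic or code). The event tuples, hostnames, user names and per-user baselines are constructed for illustration; the 5-minute window, the 300% threshold and the extension come from the configuration above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW_MINUTES = 5
SUSPICIOUS_EXTS = {".yurei"}  # file extension the page associates with Yurei-encrypted files

def _window_start(ts):
    """Floor a timestamp to the start of its 5-minute window."""
    return ts - timedelta(minutes=ts.minute % WINDOW_MINUTES, seconds=ts.second, microseconds=ts.microsecond)

def summarize(events):
    """Group file modification events (rename/create/delete) into (user, host, window) buckets."""
    buckets = defaultdict(lambda: {"count": 0, "suspicious": []})
    for ts, user, host, action, path in events:
        if action not in ("rename", "create", "delete"):
            continue
        b = buckets[(user, host, _window_start(datetime.fromisoformat(ts)))]
        b["count"] += 1
        if any(path.lower().endswith(ext) for ext in SUSPICIOUS_EXTS):
            b["suspicious"].append(path)
    return buckets

def detect_spikes(events, baseline, threshold_pct=300, min_events=20):
    """Alert on windows whose modification count exceeds the (user, host) baseline by more than
    threshold_pct (300% over baseline means more than 4x the baseline rate), or that touch a file
    with a suspicious extension. `baseline` holds the established mean modifications per window;
    min_events keeps near-zero baselines from alerting on a handful of events."""
    alerts = []
    for (user, host, start), b in sorted(summarize(events).items(), key=lambda kv: kv[0]):
        base = baseline.get((user, host), 0.0)
        spike = b["count"] >= min_events and b["count"] > base * (1 + threshold_pct / 100)
        reasons = (["rate_spike"] if spike else []) + (["suspicious_ext"] if b["suspicious"] else [])
        if reasons:
            alerts.append({"user": user, "host": host, "window_start": start.isoformat(),
                           "count": b["count"], "baseline": base, "reasons": reasons})
    return alerts

# Constructed sample telemetry (not from any real incident): one normal user and one burst of renames.
SAMPLE_EVENTS = [("2025-09-17T09:01:10", "asmith", "WS-07", "create", r"C:\Users\asmith\report.docx"),
                 ("2025-09-17T09:03:40", "asmith", "WS-07", "rename", r"C:\Users\asmith\report_v2.docx")]
SAMPLE_EVENTS += [(f"2025-09-17T09:02:{i:02d}", "jdoe", "WS-01", "rename", rf"\\FS01\share\doc{i}.xlsx.yurei")
                  for i in range(30)]
SAMPLE_BASELINE = {("asmith", "WS-07"): 3.0, ("jdoe", "WS-01"): 5.0}  # constructed historical means per window

if __name__ == "__main__":
    for alert in detect_spikes(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(alert)
```

With the constructed input only jdoe's window is flagged, for both the rate spike (30 events against a baseline of 5) and the suspicious extension; asmith's two events stay under min_events.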
2. YARA Rule for Yurei Ransomware
rule Yurei_Ransomware_Generic {
    meta:
        description = "Detects potential indicators associated with the Yurei ransomware strain."
        author = "Threat Rundown"
        date = "2025-09-17"
        reference = "https://www.darkreading.com/threat-intelligence/emerging-yurei-ransomware-claims-first-victims"
    strings:
        $text1 = "Your files have been encrypted by Yurei" ascii wide
        $text2 = "Prince-Ransomware" ascii wide // Based on the reported origin binary
        $hex1 = { 45 6E 63 72 79 70 74 69 6F 6E 20 4B 65 79 } // "Encryption Key"
    condition:
        uint16(0) == 0x5a4d and (1 of ($text*) or 1 of ($hex*))
}
3. SIEM Query — Detecting Mass File Renaming (Ransomware Behavior)
// Splunk SPL Query (adjust index and sourcetype names to your environment)
index=* ((sourcetype="WinEventLog:Security" EventCode=4663 Accesses="*WriteData*") OR (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11))
| eval file_path=coalesce(ObjectName, TargetFilename), user=coalesce(user, User), dest_host=coalesce(dest, host)
| rex field=file_path "(?<file_dir>.*\\\\)(?<file_name>[^\\\\]+)$"
| rex field=file_name "(?<file_base>.*)\.(?<file_ext>[^.]+)$"
| where isnotnull(file_ext)
| eval yurei_hit=if(lower(file_ext)="yurei", 1, 0)
| bin _time span=1m
| stats dc(file_name) AS files_touched, sum(yurei_hit) AS yurei_files BY _time, user, dest_host
| where files_touched > 100 OR yurei_files > 0
| sort - files_touched
| rename dest_host AS Endpoint, user AS Account, files_touched AS SuspiciousFileRenameCount, yurei_files AS YureiExtensionCount
4. PowerShell Script — Check for Shadow Copy Deletion
# This script checks the Windows Security event log for evidence of shadow copy deletion, a common ransomware TTP.
# Requires process creation auditing (Event ID 4688) with "Include command line in process creation events" enabled.
$vssAdminPatterns = @(
    "*vssadmin*delete shadows*",
    "*vssadmin*resize shadowstorage*"
)
$lookback = (Get-Date).AddHours(-24)  # only inspect the last 24 hours of events
Write-Host "Checking for evidence of shadow copy deletion..."
Try {
    $processEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$lookback} -ErrorAction Stop
    foreach ($event in $processEvents) {
        # For Event ID 4688, Properties[8] holds the command line (Properties[5] is only the image path)
        $commandLine = [string]$event.Properties[8].Value
        foreach ($pattern in $vssAdminPatterns) {
            if ($commandLine -like $pattern) {
                Write-Warning "Potential shadow copy deletion detected via command: $commandLine"
                $event | Format-List TimeCreated, Id, MachineName, Message
            }
        }
    }
} Catch {
    Write-Error "Could not query Security event log (or no 4688 events were found). Ensure auditing is enabled or run as Administrator."
}
Write-Host "Check complete."
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!