Heroes, another wild week is wrapping up. Here's a detailed look at the current cybersecurity landscape for September 19, 2025.
Date & Time: 2025-09-19T04:10:00
CISA has detailed two new malware sets discovered on an organization's network, deployed after threat actors exploited two vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). This indicates active, in-the-wild exploitation of these flaws, posing an immediate threat to organizations using this software for mobile device management. The malware includes loaders and backdoors, enabling persistent access and further compromise.
CVE Details: CVE-2025-4427, CVE-2025-4428
Source: The Hacker News
Date & Time: 2025-09-18T11:38:00
Two malicious packages have been found in the Python Package Index (PyPI) repository, designed to infect developers' Windows systems with the SilentSync Remote Access Trojan (RAT). This supply chain attack targets the trust developers place in open-source repositories. The RAT enables attackers to execute commands, exfiltrate files, and capture screen activity, posing a serious risk to development environments and intellectual property.
CVE Details: n/a
Source: The Hacker News
Date & Time: 2025-09-18T20:52:38
Following research on "Last Mile Reassembly" attacks, Palo Alto is highlighting new threats capable of bypassing major SASE/SSE solutions and Secure Web Gateways. These sophisticated evasion techniques allow attackers to smuggle malicious content past network defenses that are considered state-of-the-art. This challenges the effectiveness of existing security architectures and requires organizations to re-evaluate their web security posture.
CVE Details: n/a
Source: Last Watchdog
Date & Time: 2025-09-18T08:58:00
Salesforce and Google Cloud have announced a major partnership to integrate Google's Gemini AI models into Salesforce's platform. This collaboration signals a significant push towards embedding advanced generative AI into core business and CRM workflows, impacting how organizations manage customer data and interactions.
Source: Security Boulevard
Date & Time: 2025-09-18T13:56:08
This analysis confirms that adversary tactics, techniques, and procedures (TTPs) are evolving at an accelerated pace in 2025, funded by profits from cybercrime. Security leaders must ensure their Security Operations Centers (SOCs) are adapting beyond static indicators of compromise (IOCs) to a more dynamic, TTP-based defense strategy to counter increasingly sophisticated threats.
Source: Tidal Cyber
Date & Time: 2025-09-18T17:00:00
A Forrester Total Economic Impact (TEI) study reports that organizations using Microsoft Defender saw a 242% ROI over three years. This data point is significant for security leaders evaluating vendor consolidation and justifying security budgets, highlighting the financial benefits of an integrated security platform in reducing costs and improving efficiency.
Source: Microsoft Security Blog
Date & Time: 2025-09-18T18:00:43
This article from Talos addresses the critical but often overlooked issue of mental health and burnout within the cybersecurity profession. It advocates for security professionals to create personal incident response (IR) playbooks for their own wellbeing. This is a crucial read for leaders aiming to build sustainable and resilient security teams.
Source: Cisco Talos Intelligence Blog
Spotlight Rationale: In response to the active exploitation of endpoint management systems like Ivanti EPMM ([CVE-2025-4427](https://nvd.nist.gov/vuln/detail/CVE-2025-4427), [CVE-2025-4428](https://nvd.nist.gov/vuln/detail/CVE-2025-4428)), a Zero Trust approach that continuously authorizes access based on real-time endpoint health is critical to prevent lateral movement. This spotlight focuses on a CrowdStrike integration that strengthens this model by using endpoint telemetry to make dynamic network access decisions.
Threat Context: CISA Warns of Two Malware Strains Exploiting Ivanti EPMM
Platform Focus: CrowdStrike Falcon platform integrated with Dispersive's Zero Trust Networking
The Dispersive and CrowdStrike integration creates a dynamic, continuous authorization model. CrowdStrike Falcon provides rich endpoint telemetry, including threat detections and device posture. Dispersive uses this data via API to make real-time decisions about network access, automatically isolating or quarantining a device if CrowdStrike detects a threat, such as malware deployed via the Ivanti EPMM exploits. This prevents a compromised endpoint from accessing other network resources, effectively containing the breach at the point of entry.
Actionable Platform Guidance: Based on general platform knowledge for API-driven Zero Trust integrations. Verify against current CrowdStrike and Dispersive documentation for specific API scopes and configuration details.
Source: Dispersive Blog
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - CrowdStrike & Dispersive Integration
```text
# This guidance is based on general platform knowledge for API-driven Zero Trust integrations.
# Verify against current CrowdStrike and Dispersive documentation for specific API scopes and configuration details.

# --- Immediate Actions --- #
# 1. Generate CrowdStrike API Credentials:
#    - In the CrowdStrike Falcon console, navigate to 'Support' > 'API Clients and Keys'.
#    - Create a new API client with at least 'Host: Read' and 'Zero Trust Assessment: Read' scopes.
#    - Securely record the Client ID and Client Secret.
# 2. Configure Dispersive with CrowdStrike API:
#    - In the Dispersive management console, navigate to the 'Integrations' or 'Identity Providers' section.
#    - Add a new 'CrowdStrike' integration.
#    - Input the CrowdStrike API Base URL, Client ID, and Client Secret.
# 3. Define Access Policies Based on CrowdStrike ZTA Score:
#    - Create or modify network access policies within Dispersive.
#    - Set a condition that requires a minimum CrowdStrike Zero Trust Assessment (ZTA) score for access to critical resources.
#    - Example Policy: DENY access to 'Production Servers' IF CrowdStrike_ZTA_Score < 75

# --- Verification Steps --- #
# 1. Test Policy Enforcement:
#    - Use a test endpoint and manually lower its ZTA score in CrowdStrike (e.g., by disabling the sensor).
#    - Verify that Dispersive revokes network access for that endpoint according to the defined policy.
# 2. Review Integration Logs:
#    - Check the API integration logs in both the Dispersive and CrowdStrike consoles.
#    - Confirm that API calls are successful (HTTP 200) and that ZTA scores are being polled correctly.
```
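The policy steps above (a per-resource minimum ZTA score, isolation when a detection is open) and the first verification step (a lowered score must produce a revocation) can be exercised end to end in plain Python. The block below is an added example, not Dispersive's or CrowdStrike's code; the `Assessment` record, the `RESOURCE_MIN_SCORE` thresholds and the sample hosts are all constructed and only loosely mirror what a real Zero Trust Assessment carries, so treat the field names as assumptions. It also fails closed on stale telemetry, a case the guidance does not spell out.

```python
"""Continuous-authorization policy evaluation driven by endpoint health.

Added example, not Dispersive's or CrowdStrike's code. The assessment
records are constructed and only loosely mirror the fields a Zero Trust
Assessment carries (an overall score, a timestamp, sensor state, open
detections); the real API schema differs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"              # access refused, host keeps ordinary connectivity
    QUARANTINE = "quarantine"  # host isolated from every protected resource


# Minimum ZTA score per protected resource (hypothetical values mirroring the
# sample policy "DENY access to 'Production Servers' IF score < 75").
RESOURCE_MIN_SCORE = {
    "Production Servers": 75,
    "Finance File Share": 60,
    "Corporate Wiki": 40,
}

# Telemetry older than this is treated as unknown health: fail closed.
MAX_TELEMETRY_AGE = timedelta(minutes=15)


@dataclass
class Assessment:
    host_id: str
    zta_score: int          # 0-100 overall posture score
    assessed_at: datetime   # when the score was last computed
    sensor_online: bool
    open_detections: int    # unresolved malware / behavioural detections


def decide(assessment: Assessment, resource: str, now: datetime) -> Decision:
    """Return the access decision for one host against one resource."""
    if resource not in RESOURCE_MIN_SCORE:
        raise KeyError(f"no policy for resource {resource!r}")
    # 1. Any open detection isolates the host: a compromised endpoint must not
    #    reach other resources, whatever its posture score says.
    if assessment.open_detections > 0:
        return Decision.QUARANTINE
    # 2. Offline sensor or stale score means health is unknown: deny rather
    #    than trust a score that may predate a compromise.
    if not assessment.sensor_online or now - assessment.assessed_at > MAX_TELEMETRY_AGE:
        return Decision.DENY
    # 3. Per-resource posture threshold.
    if assessment.zta_score < RESOURCE_MIN_SCORE[resource]:
        return Decision.DENY
    return Decision.ALLOW


def reconcile(previous: dict, assessments: list, resource: str, now: datetime) -> tuple:
    """Re-evaluate every host and report which existing grants must be revoked.

    `previous` maps host_id -> Decision from the last polling cycle.
    Returns (new_decisions, revoked_host_ids).
    """
    new_decisions = {a.host_id: decide(a, resource, now) for a in assessments}
    revoked = sorted(
        h for h, d in new_decisions.items()
        if previous.get(h) is Decision.ALLOW and d is not Decision.ALLOW
    )
    return new_decisions, revoked


# Constructed sample poll: four hosts evaluated at a fixed "now".
NOW = datetime(2025, 9, 19, 4, 0, tzinfo=timezone.utc)
SAMPLE = [
    Assessment("host-a", 88, NOW - timedelta(minutes=2), True, 0),   # healthy
    Assessment("host-b", 62, NOW - timedelta(minutes=3), True, 0),   # below 75
    Assessment("host-c", 95, NOW - timedelta(minutes=1), True, 1),   # open detection
    Assessment("host-d", 90, NOW - timedelta(hours=2), False, 0),    # stale, sensor off
]


def run_sample() -> tuple:
    """Evaluate the sample against 'Production Servers', assuming all were allowed last cycle."""
    previous = {a.host_id: Decision.ALLOW for a in SAMPLE}
    return reconcile(previous, SAMPLE, "Production Servers", NOW)


if __name__ == "__main__":
    decisions, revoked = run_sample()
    for host, d in decisions.items():
        print(f"{host}: {d.value}")
    print("revoked:", revoked)
```

`reconcile` is the piece a polling integration would call on every cycle: the diff between last cycle's grants and this cycle's decisions is exactly the set of sessions to tear down, and `host-d` shows why staleness has to be its own rule rather than being folded into the score.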
2. YARA Rule for SilentSync RAT
```yara
rule Detect_PyPI_SilentSync_RAT {
    meta:
        description = "Detects potential strings associated with the SilentSync RAT delivered via malicious PyPI packages."
        author = "Threat Rundown"
        date = "2025-09-19"
        reference = "https://thehackernews.com/2025/09/silentsync-rat-delivered-via-two.html"
    strings:
        $s1 = "SilentSync"
        $s2 = "screen_capture.exe"
        $s3 = "exfiltrate_data.py"
        $s4 = "/tmp/.synclog"
    condition:
        uint16(0) == 0x5a4d and filesize < 2MB and (2 of ($s*))
}
```
3. SIEM Query — Detecting Potential C2 Beaconing
```spl
-- This query identifies repetitive outbound connections to the same destination, a common pattern for C2 beaconing.
-- Adjust the time window and count threshold to your environment's baseline.
-- The baseline (eventstats) is computed before the volume filter, so each burst is compared against that pair's normal hourly rate rather than only against other bursts.
index=firewall OR index=proxy
| bucket _time span=1h
| stats count by src_ip, dest_ip, dest_port, _time
| eventstats avg(count) as avg_hourly_conn, stdev(count) as stdev_hourly_conn by src_ip, dest_ip, dest_port
| where count > 100 AND count > (avg_hourly_conn + 2 * stdev_hourly_conn)
| lookup known_malicious_ips dest_ip OUTPUTNEW is_malicious
| search is_malicious=true
-- Remove the final line to also surface bursts towards destinations that are not yet in the lookup.
```
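To see what the query actually keys on, the added example below replays its logic over a constructed connection log in plain Python (it is not the newsletter's tooling and not a Splunk query): connections are bucketed per hour for each (src, dst, port) pair, each pair is baselined against its own hourly mean and sample standard deviation (the statistic Splunk's `stdev()` returns), and a bucket is flagged only when it clears both the absolute floor and mean + 2σ. It goes one step beyond the query by also checking inter-arrival regularity: a beacon that fires once a minute all day has a constant hourly count and a standard deviation of zero, so a count-based rule never flags it, while its near-constant interval does. The log lines, thresholds and constants are all constructed.

```python
"""Count-based and interval-based C2 beaconing detection over connection logs.

Added example, not the newsletter's own tooling. Replays the SIEM query's
per-pair hourly baseline in Python and adds an inter-arrival regularity
check. All log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, stdev

ABS_MIN_COUNT = 100      # mirrors '| where count > 100'
SIGMA = 2.0              # mirrors 'avg + 2 * stdev'
MIN_BEACON_EVENTS = 30   # regularity check needs enough intervals to mean anything
MAX_JITTER_CV = 0.10     # stdev(interval) / mean(interval) below this is machine-like


def parse_line(line: str) -> tuple:
    """Parse 'ISO8601 src_ip dest_ip dest_port' into (datetime, (src, dst, port))."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), (src, dst, int(port))


def hourly_counts(lines) -> dict:
    """key -> {hour_start: count}; the equivalent of bucket span=1h | stats count."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, key = parse_line(line)
        counts[key][ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def flag_bursts(counts: dict) -> list:
    """Return (key, hour, count) for buckets above the floor and the pair's own baseline."""
    flagged = []
    for key, buckets in counts.items():
        values = list(buckets.values())
        if len(values) < 2:
            continue                       # sample stdev needs at least two buckets
        baseline = mean(values) + SIGMA * stdev(values)
        for hour, n in sorted(buckets.items()):
            if n > ABS_MIN_COUNT and n > baseline:
                flagged.append((key, hour, n))
    return flagged


def flag_regular_intervals(lines) -> list:
    """Return (key, mean_gap_s, cv) for pairs whose connection intervals are nearly constant."""
    times = defaultdict(list)
    for line in lines:
        ts, key = parse_line(line)
        times[key].append(ts)
    flagged = []
    for key, ts_list in times.items():
        if len(ts_list) < MIN_BEACON_EVENTS:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        avg_gap = mean(gaps)
        cv = stdev(gaps) / avg_gap if avg_gap > 0 else float("inf")
        if cv < MAX_JITTER_CV:
            flagged.append((key, round(avg_gap), round(cv, 3)))
    return flagged


def build_sample_log() -> list:
    """Constructed firewall log: one steady beacon and one bursty host."""
    start = datetime(2025, 9, 18, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Steady beacon: one connection every 60 s for 3 hours (180 events, 60 per hour).
    for i in range(180):
        t = start + timedelta(seconds=60 * i)
        lines.append(f"{t.isoformat()} 10.0.0.5 203.0.113.10 443")
    # Bursty host: 20 irregularly spaced connections per hour for 11 hours, then 400 in hour 12.
    for hour in range(12):
        n = 400 if hour == 11 else 20
        for i in range(n):
            t = start + timedelta(hours=hour, seconds=(i * 997 + hour * 131) % 3600)
            lines.append(f"{t.isoformat()} 10.0.0.7 198.51.100.20 8443")
    return lines


def analyse(lines=None) -> dict:
    """Run both detectors; defaults to the constructed sample log."""
    lines = build_sample_log() if lines is None else lines
    return {
        "bursts": flag_bursts(hourly_counts(lines)),
        "beacons": flag_regular_intervals(lines),
    }


if __name__ == "__main__":
    for name, hits in analyse().items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

With the sample log, the 400-connection hour is the only burst the count rule reports, and the once-a-minute host never appears there because 60 per hour is under the floor and its own stdev is zero; the regularity check catches it instead. In a SIEM the second check corresponds to a `streamstats` over per-pair timestamps rather than to the `stats count` shown above, and tuning `MAX_JITTER_CV` is what separates scheduled legitimate traffic (NTP, update checks) from implants that add jitter.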
4. PowerShell Script — Check for Ivanti Exploit IOCs
```powershell
# This script checks remote hosts for files or directories associated with post-exploitation malware.
# Replace the placeholder IOCs below with the specific indicators from the CISA alert.
# Requires PowerShell Remoting (WinRM) on the targets and an account permitted to run Invoke-Command there.
$potentialIocs = @(
    "C:\Windows\Temp\loader.exe",
    "C:\ProgramData\NetSvc\update.dll"
)

$computers = Get-Content -Path .\servers.txt

foreach ($computer in $computers) {
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        Write-Host "Could not connect to ${computer}." -ForegroundColor Gray
        continue
    }
    Write-Host "Checking ${computer}..." -ForegroundColor Yellow
    try {
        # One remote session per host: test every IOC there and return only the hits.
        $found = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            $using:potentialIocs | Where-Object { Test-Path -LiteralPath $_ }
        }
        foreach ($hit in $found) {
            # ${computer} is required here: "$computer:" would be parsed as a scope qualifier.
            Write-Host "[ALERT] Found potential IOC on ${computer}: $hit" -ForegroundColor Red
        }
    } catch {
        Write-Host "Remote command failed on ${computer}: $($_.Exception.Message)" -ForegroundColor Gray
    }
}
```
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!