Heroes, thanks for staying on your post on a Saturday. Here's a detailed look at the current cybersecurity landscape for September 20, 2025.
Date & Time: 2025-09-20T09:23:35
CISA has published a detailed analysis of malware kits used in attacks exploiting vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). This intelligence provides defenders with crucial indicators of compromise and adversary TTPs, enabling more effective threat hunting and incident response for active intrusions related to vulnerable Ivanti systems.
CVE Details: n/a
Source: lifeboat.com ↗
Date & Time: 2025-09-19T17:32:39
Fortra has patched a critical vulnerability in its GoAnywhere Managed File Transfer (MFT) software that could allow for unauthenticated remote code execution. This flaw poses a significant risk as MFT solutions are high-value targets for data exfiltration and lateral movement, requiring immediate patching.
CVE Details: CVE-2025-10035
Source: securityaffairs.com ↗
Date & Time: 2025-09-19T14:22:24
A weekly intelligence roundup highlights the discovery of over 1,000 new vulnerabilities, with 135 of them having publicly available proof-of-concept (PoC) exploits. The high number of public PoCs significantly lowers the barrier for attackers and increases the urgency for patch management teams to prioritize and remediate these flaws.
CVE Details: n/a
Source: cyble.com ↗
Date & Time: 2025-09-20T09:59:12
An analysis highlights the increasing use of Generative AI by content farms to create large volumes of low-quality, click-bait material. This trend poses a risk of spreading misinformation and can overwhelm legitimate information sources, impacting threat intelligence gathering and public awareness.
Source: lastwatchdog.com ↗
Date & Time: 2025-09-19T17:50:10
AWS has enhanced Service Control Policies (SCPs) in AWS Organizations to support the full IAM policy language, including conditions and individual resource specifications. This allows security leaders to implement more granular, preventative guardrails across their entire cloud environment, significantly improving governance and reducing the risk of critical misconfigurations.
Source: aws.amazon.com ↗
Date & Time: 2025-09-19T11:01:02
The Atlantic Council has released its second annual report on the global spyware market, detailing the proliferation and capabilities of commercial surveillance tools. This report is crucial for understanding the evolving corporate and nation-state espionage landscape and the associated risks to sensitive communications and intellectual property.
Source: schneier.com ↗
Date & Time: 2025-09-19T21:00:00
This article discusses the critical importance of scalable secrets management for protecting Non-Human Identities (NHIs) as technology environments expand. It provides a strategic framework for security leaders to consider when securing machine-to-machine communication and automated workflows, which are frequent targets for attackers seeking to escalate privileges.
Source: entro.security ↗
Spotlight Rationale: Selected due to the critical need for network-level detection and prevention capabilities in response to today's reported threats, specifically the remote code execution vulnerability in GoAnywhere MFT ([CVE-2025-10035](https://nvd.nist.gov/vuln/detail/CVE-2025-10035)) and the malware kits deployed in Ivanti EPMM attacks.
Threat Context: Fortra GoAnywhere MFT RCE Vulnerability
Platform Focus: Cisco Secure Firewall (with Intrusion Prevention System)
Cisco Secure Firewall provides a critical layer of defense against threats like CVE-2025-10035 by using its Intrusion Prevention System (IPS) to inspect traffic for exploit signatures. For the Ivanti EPMM attacks, it can block connections to known command-and-control infrastructure and use file policies to identify and block the specific malware kits analyzed by CISA, preventing initial payload delivery and subsequent malicious activity.
Actionable Platform Guidance: The following steps can help configure Cisco Secure Firewall to mitigate the threats detailed in today's rundown.
Source: cisco.com/security ↗
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - Cisco Secure Firewall
# This guidance is based on general platform knowledge and best practices.
# UI paths and feature names may vary slightly. Always verify against current Cisco documentation.
# --- Immediate Actions ---
# 1. Force an immediate update of IPS signatures to get the latest protections.
# Navigate to: Objects > Intrusion Rules > Rules > Rule Updates > Update Rules
# Ensure automatic updates are scheduled daily.
# 2. Create a custom network object group for IOCs from the Ivanti malware report.
# Navigate to: Objects > Object Management > Network > Add Network > Add Object
# Name: IVANTI_MALWARE_C2_IOCS
# Add known malicious IP addresses provided by CISA or other threat feeds.
# 3. Create a new Access Control Policy rule to block traffic to the new object group.
# Navigate to: Policies > Access Control > Add Rule
# Action: Block
# Source Zones: Any
# Destination Zones: Any
# Destination Networks: IVANTI_MALWARE_C2_IOCS
# Logging: Enabled
# Place this rule near the top of your policy list.
# --- Verification Steps ---
# 1. Verify IPS signature updates are successful.
# Check the Tasks tab in the management console for completion status.
# 2. Monitor firewall event logs for hits on the new block rule.
# Navigate to: Analysis > Events
# Filter by Rule: [Name of your new block rule]
# Any logged events indicate successful blocking of traffic to known C2 infrastructure.2. YARA Rule for Ivanti EPMM Malware Kits
rule CISA_Ivanti_EPMM_Malware_Kit_2025_09_20 {
meta:
description = "Detects potential malware components associated with Ivanti EPMM exploitation as reported by CISA."
author = "Threat Rundown"
date = "2025-09-20"
reference = "https://lifeboat.com/blog/2025/09/cisa-exposes-malware-kits-deployed-in-ivanti-epmm-attacks"
strings:
$header = { 4D 5A } // PE file header
$str1 = "/etc/sysconfig/watchlogd"
$str2 = "EPMM_Payload_Exec"
$str3 = "IvantiShell.aspx"
condition:
uint16(0) == 0x5A4D and all of them
}3. SIEM Query — GoAnywhere MFT Post-Exploitation
// Splunk Search to detect suspicious child processes from GoAnywhere MFT service
// This may indicate successful exploitation of CVE-2025-10035
index=oslogs sourcetype=sysmon EventCode=1
ParentImage="*\\GoAnywhere\\jre\\bin\\java.exe"
NOT (Image IN ("*\\cmd.exe", "*\\powershell.exe"))
| stats count by host, ParentImage, Image, CommandLine
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`4. PowerShell Script — Check for Ivanti IOCs
# Scans a list of servers for file-based IOCs related to the Ivanti EPMM malware kits.
$servers = Get-Content -Path .\servers.txt
$iocs = @(
"C:\Windows\Temp\IvantiShell.aspx",
"C:\ProgramData\watchlogd.pid"
)
foreach ($server in $servers) {
if (Test-Connection -ComputerName $server -Count 1 -Quiet) {
Write-Host "[+] Checking $server..."
foreach ($ioc in $iocs) {
$remotePath = "\\$server\" + $ioc.Replace(":", "$")
if (Test-Path -Path $remotePath) {
Write-Warning "[!] IOC FOUND on $server: $ioc"
} else {
Write-Host "[-] IOC not found on $server: $ioc"
}
}
} else {
Write-Error "[x] Cannot connect to $server."
}
}This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!