Cybersecurity Morning Rundown

CyberSecurity Morning Rundown

Heroes, Happy Earth, Wind & Fire Day. Ba-dee-yah, y'all. Also, a call to action. We need to name the mascot. Details below. Here's a detailed look at the current cybersecurity landscape for September 21, 2025.

🔴 CRITICAL ITEMS

Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability
Date & Time: 2025-09-19T14:12:00

Fortra has patched a critical deserialization vulnerability in its GoAnywhere Managed File Transfer (MFT) software. The flaw, with a maximum CVSS score of 10.0, could allow an unauthenticated attacker to achieve remote code execution. Given the history of MFT solutions being targeted by ransomware groups, immediate patching is essential to prevent widespread compromise.

CVE Details: CVE-2025-10035

Source: The Hacker News ↗
CISA Warns of Malware Deployed Through Ivanti EPMM Flaws
Date & Time: 2025-09-20T14:06:05

CISA has issued an alert detailing two new malware strains discovered on a network compromised via vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). This indicates active and ongoing exploitation of Ivanti products, a frequent target for sophisticated threat actors. Organizations using Ivanti EPMM should assume compromise and initiate threat hunting activities immediately.

CVE Details: n/a

Source: Security Affairs ↗

Name the Mascot

Heroes, send your suggestions to info@mikegptai.com

🟠 HIGH SEVERITY ITEMS

The Silent Threat: How Misconfigurations Fuel the Cyber Crime Economy
Date & Time: 2025-09-21T09:11:00

This report highlights that billions of records are breached annually due to simple misconfigurations in servers, firewalls, and cloud services. This serves as a critical reminder that foundational security hygiene is as important as defending against zero-day exploits. Misconfigurations represent a low-cost, high-reward entry point for attackers and are a primary driver of data breaches.

CVE Details: n/a

Source: Security Boulevard ↗

OTHER NOTEWORTHY ITEMS

AWS Summer 2025 SOC 1 Report Now Available
Date & Time: 2025-09-19T16:28:41

AWS has released its Summer 2025 System and Organization Controls (SOC) 1 report, covering 183 services. This is a key resource for compliance and risk management teams to verify the control environment of AWS services their organizations rely on.

Source: AWS ↗

🟢 EXECUTIVE INSIGHTS

The Week in Vulnerabilities: 1000+ Bugs with 135 Publicly Known PoCs
Date & Time: 2025-09-19T14:22:24

This weekly summary underscores the immense volume and velocity of vulnerability disclosures, with over 1,000 new bugs and 135 with public proof-of-concept exploits. This data highlights the critical need for automated, risk-based vulnerability management programs that can prioritize patching based on exploitability and potential impact, as patching everything is not feasible.

Source: Cyble ↗
Enhancing Security for Non-Human Identities and Secrets
Date & Time: 2025-09-20T21:00:00

Recent analysis emphasizes the growing risk posed by unmanaged Non-Human Identities (NHIs), such as API keys, service accounts, and machine identities. As cloud-native and DevOps environments expand, the number of NHIs often exceeds human identities, creating a massive and often overlooked attack surface. Leaders must invest in strategies for discovering, managing, and securing these identities to prevent breaches.

Source: Entro Security ↗, Aembit ↗

📣 VENDOR SPOTLIGHT

Spotlight Rationale: Addresses the persistent threat of unpatched firmware in network hardware, a long-tail risk that often falls outside the scope of traditional endpoint management. This is directly relevant to the threat of legacy exploits remaining active for years, as highlighted in the user-provided context.

Threat Context: A wireless device exploit uncovered 11 years ago still hasn't been fixed by some manufacturers

Platform Focus: Tenable.io Vulnerability Management

Tenable.io provides comprehensive asset discovery and vulnerability assessment across the entire attack surface, including IT, cloud, and OT environments. Its platform is particularly effective at identifying network devices like routers, switches, and access points that are often unmanaged. It can detect outdated firmware and specific vulnerabilities, such as legacy WPS flaws, enabling security teams to uncover hidden risks within their network infrastructure that standard tools might miss.

Actionable Platform Guidance: Implement a dedicated scanning policy within Tenable.io to audit network infrastructure. This involves creating a credentialed scan targeting the management interfaces of routers, switches, and wireless access points. The scan policy should enable plugins specific to network device vendors (Cisco, Juniper, etc.) and generic firmware version checks to identify devices that have not been patched for known, decades-old vulnerabilities.

Source: Tenable.io ↗

⚫ DETECTION & RESPONSE KIT

⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.

1. Vendor Platform Configuration - Tenable.io

# Tenable.io Scan Policy for Legacy Network Device Vulnerabilities

1.  **Create a New Scan:** In Tenable.io, navigate to Scans > My Scans > New Scan.
2.  **Select a Template:** Choose the 'Advanced Network Scan' template.
3.  **Basic Settings:**
- Name: 'Network Hardware Firmware Audit'
- Targets: Define IP ranges for your network infrastructure (e.g., 192.168.1.0/24, 10.10.0.0/16).
4.  **Credentials:**
- Add SSH and/or SNMP credentials for your network devices. Credentialed scanning provides the most accurate firmware and vulnerability data.
5.  **Plugins:**
- In the 'Plugins' tab, disable all families first.
- Enable the following plugin families specifically:
- 'CISCO'
- 'Firewalls'
- 'NetScreen'
- 'Junos'
- 'Palo Alto Networks'
- 'SNMP'
- 'General'
- Search for and ensure plugins related to 'Firmware' and specific legacy vulnerabilities (e.g., 'WPS') are enabled.
6.  **Save and Launch:** Save the policy and launch the scan against your network infrastructure segments.

2. YARA Rule for CVE-2025-10035 (GoAnywhere MFT Deserialization)

rule GoAnywhere_MFT_Deserialization_CVE_2025_10035 {
meta:
description = "Detects potential artifacts related to the GoAnywhere MFT deserialization vulnerability CVE-2025-10035."
author = "Threat Rundown"
date = "2025-09-21"
reference = "https://thehackernews.com/2025/09/fortra-releases-critical-patch-for-cvss.html"
strings:
$java_header = {ac ed 00 05} // Java serialization magic bytes
$gadget_class1 = "org.apache.commons.collections.functors.InvokerTransformer"
$gadget_class2 = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"
condition:
$java_header at 0 and (1 of ($gadget_class*))
}

3. SIEM Query — Suspicious Outbound Connections from MFT Server

// Splunk Search
index=firewall OR index=proxy host="[GoAnywhere_MFT_Server_IP]"
| search action=allowed
| stats count by dest_ip, dest_port, user
| lookup known_good_destinations dest_ip OUTPUT
| where isnull(known_good_destinations) AND dest_port NOT IN (80, 443, 21, 22, 25)
// Filter for connections to non-standard ports and unknown destinations, which could indicate C2 activity post-exploitation.

4. PowerShell Script — Check GoAnywhere MFT File Version (Illustrative)

# This script checks for an example file's version to infer patch status.
# NOTE: The file path and version number are illustrative and must be verified.

$goAnywherePath = "C:\Program Files\Fortra\GoAnywhere MFT\lib\goanywhere.jar"

if (Test-Path $goAnywherePath) {
try {
$fileInfo = Get-Item $goAnywherePath
$version = $fileInfo.VersionInfo.ProductVersion

# Replace '7.4.1' with the first patched version number
if ([System.Version]$version -lt [System.Version]'7.4.1') {
Write-Host "VULNERABLE: GoAnywhere MFT version $version on $env:COMPUTERNAME is outdated and may be vulnerable to CVE-2025-10035."
} else {
Write-Host "PATCHED: GoAnywhere MFT version $version on $env:COMPUTERNAME appears to be patched."
}
} catch {
Write-Host "Could not determine version for $goAnywherePath on $env:COMPUTERNAME."
}
} else {
Write-Host "GoAnywhere MFT path not found on $env:COMPUTERNAME."
}

This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!