Heroes, late-breaking critical news. Here's a detailed look at the current cybersecurity landscape for September 22, 2025.
Date & Time: 2025-09-22T12:59:34
Check Point Research has identified a long-running campaign by the Iranian state-sponsored actor Nimbus Manticore (UNC1549). The group is actively deploying new, previously unseen malware against targets in Europe, indicating an evolution of their tactics and a persistent threat to the region. Organizations should be on high alert for sophisticated phishing and exploitation attempts from this actor.
CVE Details: n/a
Source: Check Point Research ↗
Date & Time: 2025-09-22T04:00:00
In response to threats against the electric grid from extreme weather and physical/cyber attacks, U.S. military bases are conducting power-outage exercises. This highlights the critical intersection of cybersecurity and physical security for national infrastructure. A successful cyberattack on the grid could have significant national security implications, making these resilience exercises essential.
CVE Details: n/a
Source: MIT News ↗
Date & Time: 2025-09-22T07:31:27
Three major cybersecurity vendors—Microsoft, SentinelOne, and Palo Alto—have withdrawn from the 2026 MITRE ATT&CK Evaluations. This decision reduces the availability of independent, third-party validation of their platforms' capabilities against simulated adversary techniques. Security leaders must now rely more heavily on internal testing and other evaluation methods when assessing these vendors.
CVE Details: n/a
Source: Reddit ↗
Date & Time: 2025-09-21T21:00:00
This analysis emphasizes the critical security risk posed by unmanaged Non-Human Identities (NHIs) and their associated secrets (e.g., API keys, tokens). As cloud and automated environments expand, these machine identities represent a massive and often overlooked attack surface. Failure to properly manage NHI secrets can lead to catastrophic breaches, making it a critical focus area for security programs.
CVE Details: n/a
Source: Entro Security ↗
Date & Time: 2025-09-22T04:00:58
This discussion highlights the importance of situational awareness in the face of increasing public violence, a topic with direct parallels to cybersecurity. The principles of recognizing anomalies, understanding environmental baselines, and acting decisively are as crucial for personal safety as they are for a SOC analyst detecting a breach. This underscores the convergence of physical and digital security awareness.
CVE Details: n/a
Source: Shared Security Podcast ↗
Date & Time: 2025-09-21T16:03:00
A cyberattack targeting software from Collins Aerospace has caused significant flight disruptions across European airports. The attack impacted passenger check-in, baggage handling, and dispatch systems, demonstrating the fragility of critical infrastructure reliant on specialized software. This incident serves as a high-severity reminder of the cascading, real-world consequences of supply chain cyberattacks.
CVE Details: n/a
Source: SecurityWeek ↗
Date & Time: 2025-09-22T07:46:30
The UK's MI6 has launched a dark web portal to securely recruit agents and gather intelligence, specifically targeting individuals in Russia. This move represents a significant shift in nation-state intelligence operations, fully embracing anonymized infrastructure for human intelligence gathering. It also signals that the dark web is a contested operational environment for global powers, not just criminals.
CVE Details: n/a
Source: HackRead ↗
Date & Time: 2025-09-22T11:30:00
This article critiques the historical shortcomings of compliance automation tools, arguing that most have failed to deliver on their promises at enterprise scale. It posits that modern AI may finally provide the context-aware capabilities needed to overcome these challenges. For organizations struggling with compliance overhead, this is a high-priority topic for strategic planning and tool evaluation.
CVE Details: n/a
Source: CyberSaint ↗
Date & Time: 2025-09-22T06:25:39
This piece explores the evolution of Multi-Factor Authentication (MFA) beyond simple one-time codes, especially in environments heavily utilizing AI. As threat actors develop more sophisticated methods to bypass traditional MFA, the need for advanced, frictionless, and context-aware authentication methods is becoming paramount. This is a key consideration for future-proofing identity and access management (IAM) strategies.
CVE Details: n/a
Source: SSOJet ↗
Date & Time: 2025-09-20T21:00:00
Reinforcing the critical need for Non-Human Identity Detection and Response (NHIDR), this article focuses on the vast number of machine identities within organizations. Each identity carries sensitive secrets that require robust management to prevent misuse by attackers. Building team capabilities in this area is a high-priority task for mitigating advanced threats in cloud and DevOps environments.
CVE Details: n/a
Source: Entro Security ↗
Date & Time: 2025-09-22T07:31:27
The decision by Microsoft, SentinelOne, and Palo Alto to forgo the next round of MITRE ATT&CK Evaluations presents a strategic challenge for CISOs and security leadership. These evaluations have served as a crucial, independent benchmark for comparing EDR/XDR platform effectiveness. This shift necessitates a re-evaluation of vendor assessment strategies, placing a greater burden on internal teams to conduct rigorous proof-of-concept testing and demanding more transparent, verifiable performance data directly from vendors.
Source: Reddit ↗
Spotlight Rationale: Today's intelligence features two separate reports on the critical risks associated with Non-Human Identities (NHIs) and secrets management. As threat actors increasingly target machine identities to bypass traditional security controls, a specialized approach to NHI Detection and Response (NHIDR) is essential. Entro Security is selected for its direct focus on this often-overlooked but critical attack surface.
Threat Context: Budget-Friendly Secrets Management Strategies
Platform Focus: Entro Security Non-Human Identity and Secrets Security Platform
The Entro platform addresses the threats highlighted in today's rundown by providing comprehensive discovery, classification, and management of non-human identities and their associated secrets across multi-cloud and on-premise environments. Unlike traditional IAM tools focused on human users, Entro provides visibility into the sprawling landscape of service accounts, API keys, and tokens. This allows security teams to enforce least-privilege access, detect anomalous behavior, and remediate vulnerabilities like exposed secrets or excessive permissions before they can be exploited by actors like Nimbus Manticore or others.
Actionable Platform Guidance: Based on the platform's core function, initial steps would involve mapping the NHI attack surface and establishing governance. This guidance provides a starting point for internal assurance.
Source: Entro Security ↗, Entro Security ↗
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - Entro Security
# Entro Security - Initial Configuration for NHI Governance
# Disclaimer: This guidance is based on general platform knowledge.
# Verify against current Entro Security documentation.
# --- Immediate Actions ---
# 1. Initiate Discovery Scans:
# - Connect primary cloud environments (AWS, Azure, GCP) and code repositories (GitHub, GitLab).
# - Run a full discovery scan to map all existing non-human identities and secrets.
# - Goal: Establish a comprehensive inventory as a baseline.
# 2. Prioritize Critical Findings:
# - Filter the discovery results for high-risk issues like publicly exposed secrets,
# over-privileged identities, and secrets with no rotation policy.
# - Assign these findings to the appropriate application or infrastructure teams for immediate remediation.
# 3. Establish Basic Governance Policies:
# - Create an initial policy to alert on any new secret that does not have an owner assigned.
# - Configure a policy to flag NHIs with administrative privileges that have not been used in over 90 days.
# --- Verification Steps ---
# 1. Review the NHI Inventory Dashboard:
# - Verify that the dashboard accurately reflects the known services and applications in your environment.
# - Cross-reference the count of discovered secrets with estimates from key development teams.
# 2. Test an Alerting Policy:
# - Manually create a test secret in a connected repository that violates a configured policy.
# - Confirm that an alert is generated and routed to the correct security channel (e.g., email, Slack, SIEM).
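The governance steps above (inventory, prioritise exposed or over-privileged secrets, alert on ownerless secrets, flag unused admin identities) are easy to state but worth seeing as concrete detection logic. The following is an added example, not Entro Security code and not a description of Entro's data model: it runs the same policies over a constructed NHI inventory. Field names (`owner`, `privilege`, `last_used`, `rotation_days`, `exposed`) and the sample records are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample inventory (hypothetical records, not output from any product).
# Each entry is one non-human identity with the attributes the policies depend on.
SAMPLE_INVENTORY = [
    {"id": "svc-ci-deploy", "owner": "platform-team", "privilege": "admin",
     "last_used": "2025-09-20", "rotation_days": 90, "exposed": False},
    {"id": "svc-legacy-backup", "owner": "ops-team", "privilege": "admin",
     "last_used": "2025-05-01", "rotation_days": None, "exposed": False},
    {"id": "key-analytics-export", "owner": None, "privilege": "read",
     "last_used": "2025-09-21", "rotation_days": 180, "exposed": False},
    {"id": "token-webhook-public", "owner": "app-team", "privilege": "write",
     "last_used": "2025-09-22", "rotation_days": 30, "exposed": True},
]

REFERENCE_DATE = datetime(2025, 9, 22)   # "now" for the sample run
ADMIN_IDLE_DAYS = 90                      # threshold from the governance policy above

# Lower number = more urgent; used to order remediation work.
SEVERITY = {"exposed-secret": 0, "stale-admin": 1, "no-rotation-policy": 2, "no-owner": 3}


def evaluate_identity(nhi, now):
    """Return the list of policy findings for one NHI record (empty if compliant)."""
    findings = []
    if nhi["exposed"]:
        findings.append("exposed-secret")        # publicly exposed secret: rotate immediately
    if nhi["owner"] is None:
        findings.append("no-owner")              # nobody to assign remediation to
    if nhi["rotation_days"] is None:
        findings.append("no-rotation-policy")    # secret never rotates
    if nhi["privilege"] == "admin":
        last_used = datetime.strptime(nhi["last_used"], "%Y-%m-%d")
        if now - last_used > timedelta(days=ADMIN_IDLE_DAYS):
            findings.append("stale-admin")       # admin NHI unused for > ADMIN_IDLE_DAYS
    return findings


def evaluate_inventory(inventory, now):
    """Map identity id -> findings, omitting identities with no findings."""
    report = {}
    for nhi in inventory:
        findings = evaluate_identity(nhi, now)
        if findings:
            report[nhi["id"]] = findings
    return report


def prioritized(report):
    """Order the report so the most severe finding per identity comes first."""
    return sorted(report.items(), key=lambda kv: min(SEVERITY[f] for f in kv[1]))


if __name__ == "__main__":
    for ident, findings in prioritized(evaluate_inventory(SAMPLE_INVENTORY, REFERENCE_DATE)):
        print(f"{ident}: {', '.join(findings)}")
```

Running the script lists only the three non-compliant identities, exposed secret first. In practice the inventory would come from the discovery scan described above and the findings would be routed to the owning team; identities with no owner cannot be routed, which is why that policy sits alongside the technical ones.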
2. YARA Rule for Nimbus Manticore Indicators
rule T_Nimbus_Manticore_Generic_Loader {
    meta:
        description = "Detects potential string artifacts associated with Nimbus Manticore malware loaders. Populate with specific intel."
        author = "Threat Rundown"
        date = "2025-09-22"
        reference = "https://research.checkpoint.com/?p=31916"
    strings:
        // Placeholder strings - replace with actual intelligence from Check Point
        $s1 = "ManticoreLoader.dll" ascii
        $s2 = { 6A 00 68 [4] E8 [4] 83 C4 08 C3 } // Example push/call sequence
        $s3 = "C2_Connect_Pipe_Name" wide
    condition:
        uint16(0) == 0x5A4D and filesize < 500KB and all of them
}
3. SIEM Query — Anomalous Airport System Communication
# Use Case: Detects potential compromise of airport check-in systems, inspired by the Collins Aerospace incident.
# Platform: Splunk (adaptable to other SIEMs)
# Logic: a single check-in terminal or baggage system (src_ip) communicating with an abnormally high
# number of external destinations can indicate C2 or data exfiltration. Notes are kept as leading
# comment lines so the search body below pastes cleanly.
(index=firewall OR index=netflow) source_category="airport_systems" dest_category!="internal_trusted"
| stats count, dc(dest_ip) as unique_destinations by src_ip, user, application
| where unique_destinations > 5 AND count > 100
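To show what the search above actually computes, and to make it testable before it goes into a SIEM, here is an added example that reimplements the same `stats` / `where` logic over a constructed set of flow records. It is not part of the original rundown; the field names mirror the search, the IP addresses are documentation ranges, and the traffic pattern is invented. It also mirrors one Splunk behaviour worth knowing: `dest_category!="internal_trusted"` only matches events that carry the field, so flows with no category label are silently dropped.

```python
from collections import defaultdict

# Constructed sample flow records (hypothetical, not real airport telemetry).
SAMPLE_FLOWS = (
    # a check-in terminal talking to its usual two internal services (filtered out)
    [{"src_ip": "10.20.1.11", "user": "checkin-svc", "application": "dcs-client",
      "dest_ip": "10.20.0.5", "dest_category": "internal_trusted"} for _ in range(300)]
    + [{"src_ip": "10.20.1.11", "user": "checkin-svc", "application": "dcs-client",
        "dest_ip": "10.20.0.6", "dest_category": "internal_trusted"} for _ in range(50)]
    # a baggage system fanning out to eight external hosts at high volume (should be flagged)
    + [{"src_ip": "10.20.2.7", "user": "bhs-svc", "application": "unknown-tcp",
        "dest_ip": f"203.0.113.{n}", "dest_category": "external"}
       for n in range(1, 9) for _ in range(20)]
    # a terminal doing a few vendor update checks (below both thresholds)
    + [{"src_ip": "10.20.1.12", "user": "checkin-svc", "application": "https",
        "dest_ip": "198.51.100.10", "dest_category": "external"} for _ in range(3)]
    # an unlabelled flow: dropped, as Splunk's != would drop an event lacking the field
    + [{"src_ip": "10.20.3.1", "user": "unknown", "application": "unknown-tcp",
        "dest_ip": "192.0.2.9"}]
)

MIN_UNIQUE_DESTINATIONS = 5   # `where unique_destinations > 5`
MIN_EVENTS = 100              # `where count > 100`


def aggregate(flows):
    """Equivalent of `stats count, dc(dest_ip) as unique_destinations by src_ip, user, application`
    after applying the dest_category!="internal_trusted" filter."""
    counts = defaultdict(int)
    dests = defaultdict(set)
    for f in flows:
        category = f.get("dest_category")
        if category is None or category == "internal_trusted":
            continue   # missing field excluded, matching Splunk's != semantics
        key = (f["src_ip"], f["user"], f["application"])
        counts[key] += 1
        dests[key].add(f["dest_ip"])
    return {k: {"count": counts[k], "unique_destinations": len(dests[k])} for k in counts}


def find_anomalies(flows, min_unique=MIN_UNIQUE_DESTINATIONS, min_events=MIN_EVENTS):
    """Equivalent of the `where` clause: keep groups exceeding both thresholds."""
    return {k: v for k, v in aggregate(flows).items()
            if v["unique_destinations"] > min_unique and v["count"] > min_events}


if __name__ == "__main__":
    for (src_ip, user, app), stats in find_anomalies(SAMPLE_FLOWS).items():
        print(f"{src_ip} {user} {app}: {stats['count']} events to "
              f"{stats['unique_destinations']} external destinations")
```

Only the baggage-system source is reported. If unlabelled flows are common in your telemetry, the missing-field case is the gap to close first, either by fixing the enrichment or by using `NOT dest_category="internal_trusted"` in the search, which does keep events without the field.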
4. PowerShell Script — Detect Recently Created Scheduled Tasks
# Use Case: Scans for recently created scheduled tasks, a common persistence technique for new malware like that from Nimbus Manticore.
# Note: the registration date and author live on the task object itself (RegistrationInfo), not on
# Get-ScheduledTaskInfo, which only exposes run-time data such as LastRunTime. The Date field can be
# empty for tasks created via schtasks.exe or by an actor who omits it; such tasks are not listed here,
# so pair this check with the file timestamps under C:\Windows\System32\Tasks for fuller coverage.
$lookbackDays = 7
$recentDate = (Get-Date).AddDays(-$lookbackDays)
Write-Host "Searching for scheduled tasks created in the last $lookbackDays days..."
Get-ScheduledTask | ForEach-Object {
    $created = $null
    if ($_.Date) { $created = [datetime]$_.Date }
    if ($created -and $created -ge $recentDate) {
        $taskInfo = $_ | Get-ScheduledTaskInfo
        [PSCustomObject]@{
            TaskName    = $_.TaskName
            TaskPath    = $_.TaskPath
            Author      = $_.Author
            TimeCreated = $created
            LastRunTime = $taskInfo.LastRunTime
            Action      = ($_.Actions | ForEach-Object { $_.Execute + ' ' + $_.Arguments }) -join '; '
        }
    }
} | Format-Table -AutoSize
Write-Host "Scan complete."
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!