Heroes, late-breaking critical news. Here's a detailed look at the current cybersecurity landscape for September 23, 2025.
Date & Time: 2025-09-23T10:59:17
Cyble's global honeypot network has detected active, in-the-wild exploitation attempts targeting nearly two dozen distinct vulnerabilities. This indicates that multiple threat actors are actively scanning and attacking internet-facing systems with known flaws. Organizations should prioritize patching for publicly known vulnerabilities as they are being actively targeted.
CVE Details: n/a
Source: cyble.com
Date & Time: 2025-09-23T11:07:17
Apple has introduced a new hardware and software security feature in the iPhone 17 called "Memory Integrity Enforcement." This feature is designed to mitigate memory safety vulnerabilities, a class of bugs that accounts for a majority of critical exploits. This represents a significant step forward in platform-level security, making it substantially more difficult for attackers to execute arbitrary code through memory corruption.
CVE Details: n/a
Source: www.schneier.com
Date & Time: 2025-09-22T13:20:58
The Australian government has issued a high-priority alert urging organizations to begin transitioning to post-quantum cryptography (PQC). The warning highlights the imminent threat from Cryptographically Relevant Quantum Computers (CRQC), which will be capable of breaking current encryption standards. This is a strategic threat that requires immediate long-term planning to protect sensitive data from future decryption.
CVE Details: n/a
Source: cyble.com
Date & Time: 2025-09-22T14:44:03
A cross-site scripting (XSS) vulnerability has been disclosed in Lectora Desktop and Lectora Online courseware authoring tools. The flaw affects courses published with the Seamless Play Publish feature enabled, potentially allowing attackers to inject malicious scripts into the course content. Organizations using Lectora should immediately identify and update affected software and published materials to prevent exploitation.
CVE Details: n/a
Source: kb.cert.org
Date & Time: 2025-09-22T15:40:00
A previously undocumented threat group, tracked as ComicForm, has been observed targeting industrial, financial, and research organizations in Belarus, Kazakhstan, and Russia. The campaign, active since at least April 2025, uses phishing emails to deliver the Formbook information-stealing malware. This highlights the continued use of commodity malware in targeted attacks against specific geopolitical regions and sectors.
CVE Details: n/a
Source: thehackernews.com
Date & Time: 2025-09-22T21:42:14
This quarterly review provides a retrospective on key security topics and popular posts from Anton on Security and the Google Cloud Security blog. It serves as a useful summary of trends and discussions within the cloud security community over the past quarter. While not an alert, it offers valuable context on evolving security paradigms.
Source: medium.com
Date & Time: 2025-09-23T09:25:29
A juvenile suspect allegedly linked to the Scattered Spider cybercrime group has been arrested in the United States on charges of computer intrusion, extortion, and identity theft. Scattered Spider is known for its sophisticated social engineering tactics and SIM-swapping attacks targeting large corporations. This arrest marks a significant law enforcement action against a highly active and disruptive threat actor.
CVE Details: n/a
Source: www.securityweek.com
Date & Time: 2025-09-23T07:18:21
As threat actors continue to leverage stolen credentials, a strategic shift to passwordless authentication is becoming critical for enterprise security. This overview explores mature options like Windows Hello, FIDO2 hardware keys, and certificate-based authentication that can significantly enhance security posture. Adopting these technologies reduces the attack surface related to phishing and credential stuffing, directly mitigating risks highlighted in today's threat reports.
Source: mojoauth.com
Spotlight Rationale: Today's intelligence from Cyble confirms widespread, active exploitation attempts against dozens of vulnerabilities. These campaigns often rely on compromised credentials for initial access. Strengthening authentication is a primary defense, and MojoAuth's focus on passwordless solutions directly addresses this critical entry vector.
Threat Context: Cyble Honeypots Detect Exploit Attempts of Nearly Two Dozen Vulnerabilities
Platform Focus: MojoAuth Passwordless Authentication Platform
MojoAuth provides a platform to replace traditional passwords with more secure methods like FIDO2, biometrics, and magic links. By eliminating the password, organizations can neutralize the threat of credential theft from phishing campaigns, such as those used to deploy Formbook malware by the ComicForm group. This hardens the perimeter and internal systems against unauthorized access, raising the bar for attackers trying to gain an initial foothold.
Actionable Platform Guidance: To mitigate credential-based threats, organizations can integrate MojoAuth by: 1) Defining a phased rollout strategy starting with high-risk applications. 2) Integrating the MojoAuth SDK into web and mobile application login flows. 3) Configuring and enabling multiple passwordless methods (e.g., FIDO2/WebAuthn for highest security, email magic links for accessibility). 4) Enrolling users and decommissioning legacy password-based authentication where possible.
Source: mojoauth.com
β οΈ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - MojoAuth
# MojoAuth Integration Checklist
# 1. Initial Setup
# - Register for a MojoAuth account and create a new project.
# - Securely store your API Key and API Secret.
# 2. Web SDK Integration
# - Add the MojoAuth JavaScript SDK to your login page.
# - Initialize the SDK with your API Key.
# - Implement the MojoAuth `login()` function to replace your existing password form.
# 3. Configure Authentication Methods in MojoAuth Dashboard
# - Enable FIDO2/WebAuthn for hardware key and biometric support.
# - Enable Email Magic Link or SMS OTP as fallback options.
# - Customize email/SMS templates to align with corporate branding.
# 4. Backend Verification
# - Create a server-side endpoint to receive the MojoAuth token upon successful login.
# - Use a MojoAuth server-side SDK (e.g., Node.js, Python) to verify the token's integrity using your API Secret.
# - Upon successful verification, create a session for the user in your application.
2. YARA Rule for Formbook Malware
rule Detect_Malware_Formbook_Strings {
    meta:
        description = "Detects strings commonly associated with Formbook info-stealer malware, as used by groups like ComicForm."
        author = "Threat Rundown"
        date = "2025-09-23"
        reference = "https://thehackernews.com/2025/09/comicform-and-sectorj149-hackers-deploy.html"
    strings:
        $str1 = "/gate.php"
        $str2 = "cmd.exe /c ping 127.0.0.1 -n 2 && del"
        $str3 = "Content-Disposition: form-data; name=\"m1\""
        $str4 = "Formbook v4.1"
        $str5 = "NetPass.exe"
    condition:
        // PE header (MZ), small file, and at least 3 of the 5 indicator strings
        uint16(0) == 0x5a4d and filesize < 2000KB and 3 of ($str*)
}
3. SIEM Query - Detecting Widespread Exploit Scanning
// Splunk SPL Query to detect a single source scanning multiple destinations, inspired by Cyble honeypot findings.
index=firewall OR index=network earliest=-1h
| stats dc(dest_port) as distinct_ports, dc(dest_ip) as distinct_hosts, values(dest_port) as ports_scanned by src_ip
| where distinct_ports > 15 AND distinct_hosts > 10
| `comment("This query identifies source IPs scanning more than 10 unique hosts across more than 15 unique ports in the last hour, indicating potential exploit scanning.")`
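The same scan heuristic as the SPL above, re-implemented in Python as an added example (not part of the original rundown) so it can be run offline against constructed firewall log lines; it keeps the SPL field names (src_ip, dest_ip, dest_port) and thresholds (more than 15 distinct ports and more than 10 distinct hosts per source).

```python
# Added example: Python equivalent of the SPL scan-detection query above.
# Log lines, field names and thresholds are assumptions modelled on that query.
from collections import defaultdict
import re

# Constructed sample firewall log lines in key=value form (not real traffic).
SAMPLE_LOGS = (
    # One noisy source touching 12 hosts on 16 ports each: should be flagged.
    [f"src_ip=203.0.113.5 dest_ip=10.0.0.{h} dest_port={p} action=blocked"
     for h in range(1, 13)
     for p in (21, 22, 23, 25, 80, 110, 135, 139, 443,
               445, 1433, 3306, 3389, 5900, 8080, 8443)]
    # A normal client talking to one web server on two ports: not flagged.
    + ["src_ip=198.51.100.7 dest_ip=10.0.0.1 dest_port=443 action=allowed",
       "src_ip=198.51.100.7 dest_ip=10.0.0.1 dest_port=80 action=allowed"]
)

LINE_RE = re.compile(r"src_ip=(\S+)\s+dest_ip=(\S+)\s+dest_port=(\d+)")


def aggregate(lines):
    """Per src_ip, collect the sets of destination hosts and ports.
    This mirrors the SPL 'stats dc(dest_port), dc(dest_ip) ... by src_ip'."""
    hosts = defaultdict(set)
    ports = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:  # skip lines that lack the fields the heuristic needs
            continue
        src, dst, port = m.groups()
        hosts[src].add(dst)
        ports[src].add(int(port))
    return hosts, ports


def find_scanners(lines, min_ports=15, min_hosts=10):
    """Return {src_ip: (distinct_ports, distinct_hosts, sorted_ports)} for
    sources exceeding BOTH thresholds, i.e. the SPL 'where' clause."""
    hosts, ports = aggregate(lines)
    flagged = {}
    for src in hosts:
        if len(ports[src]) > min_ports and len(hosts[src]) > min_hosts:
            flagged[src] = (len(ports[src]), len(hosts[src]), sorted(ports[src]))
    return flagged


if __name__ == "__main__":
    for src, (n_ports, n_hosts, port_list) in find_scanners(SAMPLE_LOGS).items():
        print(f"{src}: {n_hosts} hosts, {n_ports} ports -> {port_list}")
```

Tune `min_ports` and `min_hosts` to your own baseline; legitimate vulnerability scanners and monitoring systems will trip the same thresholds and belong on an allow-list.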
4. PowerShell Script - Find Lectora XSS Vulnerability Indicators
# This script searches for file patterns in a web root that may indicate vulnerable Lectora courseware.
# Define the web root directory to search.
$webRoot = "C:\inetpub\wwwroot"
# Define a pattern that might be present in vulnerable published course files.
# This is a conceptual pattern; a real one would require analysis of the vulnerable component.
$vulnerablePattern = "trivantis-seamless.js"
Write-Host "Searching for potentially vulnerable Lectora course files in $webRoot..."
# -File skips directories; -SimpleMatch treats the pattern literally (the "." is not a regex wildcard).
Get-ChildItem -Path $webRoot -Recurse -File -Filter "*.html" | ForEach-Object {
    if (Select-String -Path $_.FullName -Pattern $vulnerablePattern -SimpleMatch -Quiet) {
        Write-Warning "Potential vulnerable file found: $($_.FullName)"
        # Add remediation or deeper inspection logic here.
    }
}
Write-Host "Search complete."
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!