Heroes, we are in beta for 'Compliance Realm' assessment, which will allow for a quick look at GDPR, HIPAA, etc., for threat correlation. Threats with broad scope will receive the 'General Enterprise' assessment.
Here's a detailed look at the current cybersecurity landscape for September 27, 2025.
Date & Time: 2025-09-26T23:18:06
Cisco has disclosed and patched three vulnerabilities in its Secure Firewall ASA and FTD software, with two being actively exploited in the wild. These flaws impact the VPN web server, and CISA has issued an emergency advisory urging immediate patching to prevent unauthorized access and system compromise. The widespread use of these devices in enterprise networks makes this a critical threat requiring immediate attention.
CVE Details: CVE-2025-20333, CVE-2025-20362
Compliance Realm: General Enterprise
Date & Time: 2025-09-27T13:23:30
Microsoft is enhancing Edge security by introducing a feature to block malicious extensions that are sideloaded, a common method for malware to bypass official store vetting processes. This proactive measure aims to protect users from unverified add-ons installed locally for testing or malicious purposes. The feature will help mitigate risks associated with this prevalent attack vector.
CVE Details: n/a
Compliance Realm: General Enterprise
Source: lifeboat.com ↗
Date & Time: 2025-09-26T21:35:20
The notorious Lazarus Group is reportedly sharing a sophisticated remote access trojan (RAT) with another North Korean threat actor specializing in fake IT job recruitment scams. This collaboration enhances the technical capabilities of the social engineering campaigns, increasing the threat to organizations targeted by these elaborate schemes. The shared tooling indicates a higher level of coordination among state-sponsored actors.
CVE Details: n/a
Compliance Realm: General Enterprise
Source: Healthcare InfoSecurity ↗
Date & Time: 2025-09-26T20:50:57
Recent research from UC San Diego indicates that traditional cybersecurity training programs do little to prevent employees from falling for phishing scams. This finding challenges the reliance on user education as a primary defense and underscores the importance of robust technical controls to detect and block malicious emails. Organizations should re-evaluate their security strategies to focus more on layered technical defenses rather than solely on user awareness.
CVE Details: n/a
Compliance Realm: General Enterprise
Source: Hacker News / UC San Diego ↗
Date & Time: 2025-09-26T21:00:00
Security experts are highlighting the growing risk associated with Non-Human Identities (NHIs), such as API keys, service accounts, and machine identities. As cloud and automated environments expand, these NHIs are becoming prime targets for attackers seeking to move laterally and access sensitive systems. Proactively managing and securing these identities is crucial to mitigating an evolving and often overlooked threat vector.
CVE Details: n/a
Compliance Realm: General Enterprise
Source: Entro Security ↗
Date & Time: 2025-09-26T18:39:45
China is leveraging its Belt and Road Initiative to fuel the adoption of surveillance technology across Latin America, raising significant data privacy and security concerns. This expansion of surveillance infrastructure, often without robust local data protection laws, creates new risks for both individuals and organizations operating in the region. The trend highlights the geopolitical dimensions of cybersecurity and the potential for state-level data aggregation.
CVE Details: n/a
Compliance Realm: General Enterprise
Source: Security Boulevard ↗
Date & Time: 2025-09-26T16:22:13
In light of the ongoing zero-day attacks and the flood of vulnerability information, the ability to prioritize critical security issues is paramount. AWS Security Hub provides a mechanism to correlate and enrich security signals into actionable insights, enabling streamlined response. For executives, this represents a strategic capability to cut through the noise of alerts and focus finite security resources on the most pressing threats, such as the actively exploited Cisco vulnerabilities, rather than getting lost in a sea of low-priority findings.
Source: AWS ↗
Spotlight Rationale: With actively exploited zero-days like the Cisco ASA/FTD vulnerabilities ([CVE-2025-20333](https://nvd.nist.gov/vuln/detail/CVE-2025-20333), [CVE-2025-20362](https://nvd.nist.gov/vuln/detail/CVE-2025-20362)) creating a high-pressure patching environment, organizations need a centralized way to identify affected assets and track remediation. AWS Security Hub directly addresses this challenge by aggregating vulnerability data and providing a unified view of security posture.
Threat Context: Cisco Firewall and VPN Zero Day Attacks
Platform Focus: AWS Security Hub
AWS Security Hub acts as a central aggregation point for security findings from various AWS services (like Amazon Inspector for vulnerability scanning) and third-party tools. This allows security teams to quickly identify which of their cloud assets are impacted by critical vulnerabilities like CVE-2025-20333 without needing to manually query disparate systems. By correlating findings, it helps prioritize remediation efforts on internet-facing or business-critical systems first, enabling a more efficient and risk-based response to zero-day threats.
Actionable Platform Guidance: To specifically track the Cisco vulnerabilities, enable AWS Security Hub and ensure Amazon Inspector is scanning your EC2 instances and container images. Use Security Hub's filter capabilities to create a custom view for findings related to CVE-2025-20333 and CVE-2025-20362. This allows for immediate visibility into the affected asset inventory and can be used to trigger automated remediation workflows via Amazon EventBridge.
Source: AWS Security Hub ↗
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - AWS Security Hub
# Action: Create a custom filter in AWS Security Hub to isolate findings for the Cisco CVEs.
1. Navigate to the AWS Security Hub console.
2. In the left navigation pane, choose 'Findings'.
3. In the filter bar at the top, add the following filters:
- Record State = ACTIVE
- Vulnerabilities > ID = CVE-2025-20333
4. Click the '+' button to add an 'OR' condition.
5. In the new filter group, add:
- Record State = ACTIVE
- Vulnerabilities > ID = CVE-2025-20362
6. Review the filtered results to see all assets with findings related to these CVEs.
7. Click 'Save insight' to save this filter for quick access and dashboarding.
8. Name the insight 'CRITICAL: Cisco ASA/FTD Zero-Day Vulnerabilities'.
# Verification: The saved insight should now appear on your Security Hub dashboard, providing a real-time count of affected resources.
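The console steps above build one OR-ed filter for the two CVEs. This added Python example (not the page's or AWS's code) expresses the same filter as the Filters structure the Security Hub GetFindings/CreateInsight API takes, and applies the same predicate, plus the "internet-facing first" ordering the guidance suggests, to findings already exported as ASFF JSON. The 'VulnerabilitiesId' key (assumed to be the API name of the console's 'Vulnerabilities > ID' filter), the 'exposure' resource tag and the sample findings are assumptions or constructed; no boto3 call is made, so it runs offline.

```python
TRACKED_CVES = ("CVE-2025-20333", "CVE-2025-20362")
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}

def build_filters(cves=TRACKED_CVES) -> dict:
    """GetFindings/CreateInsight Filters: values under one key are ORed, keys are ANDed,
    so this equals the two OR-ed groups in the console steps. Assumption: the API key
    'VulnerabilitiesId' corresponds to the console's 'Vulnerabilities > ID' filter."""
    return {
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "VulnerabilitiesId": [{"Value": c, "Comparison": "EQUALS"} for c in cves],
    }

def matches(finding: dict, cves=TRACKED_CVES) -> bool:
    """Same predicate applied offline to a finding exported as ASFF JSON."""
    if finding.get("RecordState") != "ACTIVE":
        return False
    return any(v.get("Id") in cves for v in finding.get("Vulnerabilities", []))

def priority(finding: dict) -> int:
    """Severity first; an internet-facing resource (constructed 'exposure' tag)
    outranks an internal one of the same severity, per the guidance above."""
    sev = SEVERITY_RANK.get(finding.get("Severity", {}).get("Label", ""), 0)
    exposed = any(r.get("Tags", {}).get("exposure") == "public"
                  for r in finding.get("Resources", []))
    return sev * 10 + (5 if exposed else 0)

def triage(findings: list, cves=TRACKED_CVES) -> list:
    """Resource IDs still needing the patch, highest priority first."""
    hits = sorted((f for f in findings if matches(f, cves)), key=priority, reverse=True)
    return [r["Id"] for f in hits for r in f.get("Resources", [])]

# Constructed sample findings in ASFF shape; not real Security Hub output.
SAMPLE_FINDINGS = [
    {"Id": "f1", "RecordState": "ACTIVE", "Severity": {"Label": "CRITICAL"},
     "Vulnerabilities": [{"Id": "CVE-2025-20333"}],
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0edge", "Tags": {"exposure": "public"}}]},
    {"Id": "f2", "RecordState": "ACTIVE", "Severity": {"Label": "CRITICAL"},
     "Vulnerabilities": [{"Id": "CVE-2025-20362"}],
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0lab", "Tags": {"exposure": "private"}}]},
    {"Id": "f3", "RecordState": "ARCHIVED", "Severity": {"Label": "CRITICAL"},
     "Vulnerabilities": [{"Id": "CVE-2025-20333"}],
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0old"}]},
    {"Id": "f4", "RecordState": "ACTIVE", "Severity": {"Label": "HIGH"},
     "Vulnerabilities": [{"Id": "CVE-XXXX-UNRELATED"}],  # placeholder, not a tracked CVE
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0other"}]},
]

if __name__ == "__main__":
    print(triage(SAMPLE_FINDINGS))  # ['i-0edge', 'i-0lab']
```

The archived finding (f3) and the unrelated CVE (f4) are dropped, and the public-facing instance is listed before the internal one at equal severity.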
2. YARA Rule for Potential Cisco ASA Webshell
rule Potential_Cisco_ASA_Webshell_CVE_2025_20333 {
    meta:
        description = "Detects potential web shell artifacts on Cisco ASA/FTD devices, which could indicate post-exploitation activity related to CVE-2025-20333 and CVE-2025-20362."
        author = "Threat Rundown"
        date = "2025-09-27"
        reference = "https://www.zscaler.com/blogs/security-research/cisco-firewall-and-vpn-zero-day-attacks-cve-2025-20333-and-cve-2025-20362"
        severity = "high"
        tlp = "white"
    strings:
        $s1 = "passthru($_REQUEST['cmd'])" ascii wide
        $s2 = "system($_GET['c'])" ascii wide
        $s3 = "exec($_POST['command'])" ascii wide
        $s4 = "eval(base64_decode(" ascii wide
        $s5 = "/+CSCOE+/" ascii wide // Part of a legitimate WebVPN path, but can be used to find anomalous scripts
    condition:
        uint32(0) != 0x464c457f and // Not an ELF binary (magic 7f 45 4c 46 read little-endian)
        (
            1 of ($s1, $s2, $s3, $s4) or
            // The branch below is a subset of the one above, so it never widens the match;
            // it is kept so $s5 stays referenced and the rule compiles as written.
            (filesize < 20KB and $s5 and 1 of ($s1, $s2, $s3, $s4))
        )
}
3. SIEM Query — Anomalous Cisco VPN Web Server Access
index=firewall (sourcetype="cisco:asa" OR sourcetype="cisco:ftd")
    url IN ("/+CSCOE+/logon.html", "/+CSCOE+/portal.html")
| stats count, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip, user_agent, url
| lookup known_good_user_agents user_agent OUTPUT is_known
| lookup trusted_ip_ranges src_ip OUTPUT is_trusted
| eval unknown_ua=if(isnull(is_known) OR is_known!="true", 1, 0),
       untrusted_ip=if(isnull(is_trusted) OR is_trusted!="true", 1, 0)
| eval risk_score=case(
    unknown_ua=1 AND untrusted_ip=1, 80,
    unknown_ua=1, 50,
    untrusted_ip=1, 40,
    true(), 10)
| where risk_score >= 50
| sort -risk_score, -last_seen
| convert ctime(first_seen) ctime(last_seen)
| table first_seen, last_seen, src_ip, user_agent, url, count, risk_score
4. PowerShell Script — Hunt for Post-Exploitation IoCs
<#
.SYNOPSIS
    A template script to hunt for Indicators of Compromise (IoCs) on a list of Windows servers that may be connected to a compromised network segment.
.DESCRIPTION
    This script checks for the existence of a specific file (a placeholder IoC) on a list of remote computers.
    Analysts should replace '$iocFile' with a known-bad filename from verified threat intelligence.
    Requires SMB access to the administrative share (e.g. C$) on each target.
#>
$computers = Get-Content .\servers.txt           # one hostname per line
$iocFile = "C:\Windows\Temp\payload.exe"          # <-- REPLACE WITH ACTUAL IOC FILENAME

foreach ($computer in $computers) {
    if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
        try {
            Write-Host "Checking $computer..." -ForegroundColor Cyan
            # Convert C:\path\file into the admin-share form \\host\C$\path\file
            $filePath = "\\$computer\" + $iocFile.Replace(":", "$")
            if (Test-Path -Path $filePath -PathType Leaf -ErrorAction Stop) {
                Write-Host "[ALERT] IoC Found on $computer at path: $filePath" -ForegroundColor Red
            } else {
                Write-Host "[OK] IoC not found on $computer." -ForegroundColor Green
            }
        } catch {
            # $(...) is required: "$_.Exception.Message" would expand only $_ and print the rest literally
            Write-Warning "Could not access $computer. Error: $($_.Exception.Message)"
        }
    } else {
        Write-Warning "Cannot connect to $computer."
    }
}
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!