Heroes, our beta deployment for Compliance Realms and STIX/MITRE bundles continues to improve and allow smart people in a hurry to ingest and act on risk as a team.
Here's a detailed look at the current cybersecurity landscape for September 28, 2025.
Cisco has disclosed and patched three zero-day vulnerabilities in its Secure Firewall ASA and FTD software, with evidence of active exploitation in the wild. CISA has issued an emergency advisory, urging organizations to patch immediately to prevent unauthorized access and system compromise on critical VPN infrastructure, which serves as a primary entry point into corporate networks.
A critical vulnerability named ForcedLeak (CVSS 9.4) has been identified in Salesforce Agentforce, enabling indirect prompt injection attacks that can lead to the exposure of sensitive CRM data. This flaw poses a significant risk to organizations relying on the platform, as attackers could potentially exfiltrate customer lists, financial records, and other proprietary business information.
Union County, Ohio, has suffered a significant ransomware attack, resulting in the theft of Social Security numbers and financial data for approximately 45,487 residents and staff. This incident highlights the ongoing threat of ransomware to local governments and the severe, direct impact on citizens' personal and financial security.
The North Korean threat actor Lazarus Group is reportedly sharing a sophisticated remote access trojan (RAT) with other state-sponsored actors conducting fake IT job recruitment campaigns. This collaboration enhances the technical capabilities of social engineering attacks, enabling more effective espionage and initial access operations against targeted individuals and organizations.
Microsoft is enhancing Edge browser security by introducing a feature to block malicious extensions that are sideloaded (installed from outside the official store). This proactive measure aims to protect users from malware distributed via unofficial channels, which often bypasses standard security checks and serves as a common infection vector.
CVE: n/a | Compliance: General Enterprise | Source:Lifeboat β
As organizations accelerate cloud adoption, traditional compliance and security models are proving insufficient. This analysis highlights the strategic importance of managing Non-Human Identities (NHIs) and secrets as the foundation for proactive compliance. Leaders should focus on automating the governance of machine identities to not only meet regulatory requirements but also to fundamentally reduce the attack surface in complex cloud environments.
Spotlight Rationale: The active exploitation of Cisco ASA and FTD VPN zero-days ([CVE-2025-20333](https://nvd.nist.gov/vuln/detail/CVE-2025-20333), [CVE-2025-20362](https://nvd.nist.gov/vuln/detail/CVE-2025-20362)) underscores the inherent risk of exposing network appliances to the internet. Zscaler is selected for its Zero Trust architecture, which provides a direct alternative to traditional VPNs by eliminating this attack surface.
Zscaler Private Access (ZPA) addresses the risks highlighted by the Cisco vulnerabilities by fundamentally changing how users connect to applications. Instead of granting broad network access like a VPN, ZPA creates secure, micro-segmented connections between an authenticated user and a specific application. This 'inside-out' connection model means internal applications are never exposed to the internet, rendering vulnerabilities like CVE-2025-20333 and CVE-2025-20362 on the access gateway irrelevant.
Actionable Platform Guidance: Organizations can mitigate threats like the Cisco zero-days by migrating from vulnerable VPNs to ZPA. Start by identifying a critical application currently accessed via the Cisco VPN. Deploy Zscaler connectors within the data center or VPC, define a granular access policy for the application based on user identity and device posture, and then transition a pilot group of users to ZPA access, disabling their VPN profile for that application.
# Action: Mitigate VPN vulnerability risk by creating a restrictive ZPA policy
# for a critical internal application as an alternative to VPN access.
# Step 1: Define the Application Segment
# In the ZPA Admin Portal, navigate to Administration > Application Segments.
# Add a new segment for your critical application (e.g., "Internal HR Portal").
# Define the FQDN/IP address and port (e.g., hr.internal.corp:443).
# Ensure the segment is associated with the correct App Connector group.
# Step 2: Create a Granular Access Policy
# Navigate to Policy > Access Policy.
# Create a new rule: "Allow HR Team to HR Portal".
# Criteria (IF):
# - SAML Attributes: User's department is 'Human Resources'.
# - Device Posture: Zscaler Client Connector posture profile is 'Compliant'.
# - Application Segment: Is 'Internal HR Portal'.
# Action (THEN):
# - Access: Allow Access.
# Step 3: Create a Default Block Rule
# Ensure a default rule exists at the bottom of the policy set that blocks all
# other access attempts to prevent unauthorized connections.
# Step 4: Verification
# Have a user from the HR team access the application via ZPA.
# Have a user from a different department attempt access and confirm they are blocked.
# Monitor logs in ZPA Dashboards > Users to verify policy enforcement.
2. YARA Rule for Lazarus Group Backdoor
rule Lazarus_Backdoor_Loader_Sept2025 {
meta:
description = "Detects potential backdoor components associated with Lazarus Group social engineering campaigns."
author = "Threat Rundown"
date = "2025-09-28"
reference = "https://www.healthcareinfosecurity.com/north-korea-fake-job-recruiters-up-their-backdoor-game-a-29586"
severity = "high"
tlp = "white"
strings:
// Strings often found in Lazarus-related loaders or configuration files
$s1 = "C2_Connect_Routine_Payload"
$s2 = "GetProcAddressForPayload"
$s3 = "/tmp/.systemd-private-daemon.sock"
$s4 = "JobOffer_Sept2025.docx.exe"
condition:
uint16(0) == 0x5a4d and // PE file
any of ($s*)
}
// This query hunts for suspicious web requests to Cisco ASA/FTD devices that may indicate exploitation of CVE-2025-20333 or CVE-2025-20362.
index=firewall sourcetype="cisco:asa" OR sourcetype="cisco:ftd"
// Focus on web server logs from the VPN interface
(url="/+CSCOE+/" OR url="/+CSCOU+/")
// Add specific exploit patterns or URIs as they become known. Using placeholders for now.
AND (url="*../../*" OR url="*%2e%2e%2f*" OR url="*shell.jsp*")
| stats count by src_ip, dest_ip, url, user_agent
| where count > 5
| sort -count
| table _time, src_ip, dest_ip, url, user_agent, count
4. PowerShell Script β Hunt for Lazarus IOCs
<#
.SYNOPSIS
Checks for file and registry IOCs related to recent Lazarus Group activity on a list of remote computers.
#>
$computers = (Get-Content .\servers.txt)
$suspiciousFileName = "JobOffer_Sept2025.docx.exe"
$suspiciousRegKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\SysUpdater"
foreach ($computer in $computers) {
if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
Write-Host "[+] Checking $computer..."
# Check for suspicious file in common user directories
$filePath = "\\$computer\c$\Users\*\Downloads\$suspiciousFileName"
if (Test-Path -Path $filePath -ErrorAction SilentlyContinue) {
Write-Warning "[!] Suspicious file '$suspiciousFileName' found on $computer."
}
# Check for persistence registry key
try {
$regKey = Get-Item -Path "Registry::\HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run" | Get-ItemProperty
if ($regKey.SysUpdater) {
Write-Warning "[!] Suspicious registry key 'SysUpdater' found on $computer."
}
} catch {
# Key not found, which is expected on clean systems
}
} else {
Write-Error "[-] Cannot connect to $computer."
}
}
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!
Cookie Notice
We use essential cookies to provide our cybersecurity newsletter service and analytics cookies to improve your experience. We respect your privacy and comply with GDPR requirements.
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
CRITICAL ITEMS
HIGH SEVERITY ITEMS
EXECUTIVE INSIGHTS
VENDOR SPOTLIGHT
DETECTION & RESPONSE KIT