Cybersecurity Latest Rundown

Compliance Impact Scoreboard

SOX: 18 HIPAA: 2 General Enterprise: 1 PCI DSS: 1 SOC 2: 1

CyberSecurity Latest Rundown

Heroes, late breaking critical news. Here's a detailed look at the current cybersecurity landscape for October 1, 2025.

CRITICAL ITEMS

Apple urges users to update iPhone and Mac to patch font bug
Date & Time: 2025-10-01T11:00:02

Apple has released emergency updates for iOS and macOS to address a vulnerability in the font processing component. The flaw could allow an attacker to trigger a denial-of-service condition or achieve memory corruption, potentially leading to arbitrary code execution. All users are strongly advised to apply the patches immediately to mitigate the risk.

CVE: CVE-2025-43400 | Compliance: SOX | Source: securityaffairs.com ↗
Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability
Date & Time: 2025-10-01T09:25:59

A privilege escalation vulnerability impacting VMware Aria Operations and VMware Tools is reportedly being exploited as a zero-day. The flaw allows an attacker to elevate privileges on a virtual machine, posing a significant risk to virtualized environments. The lack of immediate disclosure from Broadcom complicates patching and defense efforts for organizations relying on these products.

CVE: n/a | Compliance: SOX | Source: www.securityweek.com ↗
WestJet confirms cyberattack exposed IDs, passports in June incident
Date & Time: 2025-10-01T06:38:18

Canadian airline WestJet has confirmed a June cyberattack resulted in a data breach, exposing sensitive customer information including passports and government-issued IDs. This incident highlights the persistent threat to the travel industry and the significant risk of identity theft for affected customers. The disclosure underscores the long tail of breach investigation and reporting.

CVE: n/a | Compliance: PCI DSS, SOX | Source: securityaffairs.com ↗
Security researchers say G1 humanoid robots are secretly sending information to China and can easily be hacked
Date & Time: 2025-10-01T09:22:41

Researchers have identified severe security flaws in the Unitree G1 humanoid robot, which is already in use in labs and some police departments. The vulnerabilities could allow the robots to be used for covert surveillance, data exfiltration to foreign servers, and launching cyberattacks on internal networks. This represents a significant physical and cyber threat convergence in IoT and robotics.

CVE: n/a | Compliance: SOX | Source: lifeboat.com ↗
Rhadamanthys Stealer Malware Receives Significant Updates
Date & Time: 2025-10-01T08:32:37

The multi-modular information stealer known as Rhadamanthys has been updated to version 0.9.2, featuring significant enhancements. This malware is actively used in multiple campaigns to steal credentials, financial information, and other sensitive data. The continuous evolution of this stealer indicates a persistent and adaptive threat to both corporate and individual users.

CVE: n/a | Compliance: SOX | Source: research.checkpoint.com ↗

HIGH SEVERITY ITEMS

LLM security agent finds vulnerability in LLM engineering platform
Date & Time: 2025-09-30T22:14:01

An authorization flaw has been discovered in a prominent LLM engineering platform, highlighting a common security blind spot in emerging AI infrastructure. The vulnerability could allow unauthorized access to sensitive data or manipulation of model behavior. This discovery, made by an LLM-based security agent, showcases both the risks and potential security benefits of AI.

CVE: CVE-2025-59305 | Compliance: SOX | Source: news.ycombinator.com ↗
New MatrixPDF toolkit turns PDFs into phishing and malware lures
Date & Time: 2025-10-01T09:18:08

A new toolkit named MatrixPDF enables threat actors to easily convert standard PDF files into interactive lures for phishing and malware distribution. These weaponized PDFs are designed to bypass traditional email security gateways and trick users into visiting credential harvesting sites or downloading malware. This lowers the barrier to entry for sophisticated social engineering attacks.

CVE: n/a | Compliance: HIPAA, SOX | Source: lifeboat.com ↗
Google Patches Gemini AI Hacks Involving Poisoned Logs, Search Results
Date & Time: 2025-09-30T14:59:40

Google has addressed several vulnerabilities in its Gemini AI assistant that could be exploited for sensitive data theft. Researchers demonstrated methods to trick the AI using poisoned logs and manipulated search results, causing it to exfiltrate data. This underscores the unique attack vectors facing Large Language Models and the importance of securing their data inputs.

CVE: n/a | Compliance: SOX | Source: www.securityweek.com ↗

OTHER NOTEWORTHY ITEMS

Docker APIs Targeted for Malicious Purposes
Date & Time: 2025-09-30T14:53:15

Attackers are increasingly targeting exposed Docker APIs for purposes beyond cryptomining, including deploying malicious containers and gaining initial access to corporate networks. Misconfigured or unsecured Docker APIs represent a significant entry point for threat actors. This trend highlights the need for robust API security and proper configuration of container orchestration platforms.

Source: www.firetail.ai ↗

EXECUTIVE INSIGHTS

Defending LLM applications against Unicode character smuggling
Date & Time: 2025-09-30T16:22:14

A novel attack vector against Large Language Models (LLMs) involves using Unicode characters to smuggle malicious instructions past security filters. This technique can lead to prompt injection, data leakage, and other security breaches in AI applications. This research from AWS emphasizes that securing the AI supply chain requires deep inspection of all inputs, as even seemingly benign elements like character encoding can be weaponized.

Source: aws.amazon.com ↗

VENDOR SPOTLIGHT

Spotlight Rationale: Selected due to multiple intelligence items today highlighting active threats against AI/LLM systems and APIs, including the **Google Gemini hacks**, the **Docker API targeting** campaign, and the discovery of **CVE-2025-59305** in an LLM platform. FireTail.ai specializes in securing these exact attack surfaces.

Threat Context: Docker APIs Targeted

Platform Focus: FireTail.ai API Security Platform

FireTail.ai provides a dedicated security solution for APIs and AI applications, which is directly relevant to today's reported threats. The platform offers real-time detection and blocking of malicious requests targeting APIs, which could prevent the unauthorized access seen in the Docker API attacks. For AI systems like Gemini, its capabilities can help identify and mitigate prompt injection, data exfiltration, and other OWASP Top 10 LLM risks by analyzing the behavior and content of API calls to the model.

Actionable Platform Guidance: Organizations can use FireTail to create specific policies to harden their AI and container infrastructure. For instance, a rule can be configured to detect and block prompts containing suspicious Unicode character sequences or patterns associated with system prompt leakage. For Docker, the platform can be used to enforce strict access controls on the Docker API endpoint, flag anomalous requests from untrusted IP ranges, and alert on attempts to launch containers from non-approved repositories.

Source: www.firetail.ai ↗

DETECTION & RESPONSE KIT

⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.

1. Vendor Platform Configuration - FireTail.ai

# Policy to detect potential LLM Prompt Leakage
# This rule inspects API responses from the LLM for sensitive keywords.

- rule: detect_llm_system_prompt_leak
description: "Alert on responses containing common system prompt keywords."
requests:
- method: [POST]
path: "/api/v1/chat/completions"
responses:
- status: 200
body:
contains:
- "You are a helpful assistant."
- "Your instructions are confidential."
- "INTERNAL_SYSTEM_PROMPT_MARKER"
action: alert
tags: [llm, prompt-leakage, owasp-llm07]

# Policy to restrict Docker API access
# This rule blocks non-internal requests to the Docker API management port.

- rule: block_external_docker_api_access
description: "Block external access to Docker API endpoints."
requests:
- path_glob: "/v*/containers/*"
- client_ip:
not_in_rfc1918: true
action: block
tags: [docker, api-abuse, initial-access]

2. YARA Rule for Rhadamanthys Stealer

rule Detect_Malware_Stealer_Rhadamanthys_0_9 {
meta:
description = "Detects artifacts associated with the Rhadamanthys info-stealer v0.9.x."
author = "Threat Rundown"
date = "2025-10-01"
reference = "https://research.checkpoint.com/?p=31953"
severity = "high"
tlp = "white"
strings:
$s1 = "/c C:\Windows\System32\netsh.exe advfirewall firewall add rule name=\"Block_Stealer\" dir=out action=block program=" ascii wide
$s2 = "Rhadamanthys"
$s3 = "grabber.exe" ascii
$s4 = "wallet.dat" ascii
$s5 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
condition:
uint16(0) == 0x5a4d and filesize < 10MB and (2 of ($s*))
}

3. SIEM Query — Detecting Anomalous Docker API Access

// Splunk SPL Query
index=firewall OR index=proxy sourcetype=pan:traffic OR sourcetype=zscaler
(dest_port=2375 OR dest_port=2376)
// Filter out known-good internal management subnets
NOT (src_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16))
| stats count by src_ip, dest_ip, dest_port, user
| where count > 5
| `comment("This query identifies external IP addresses making repeated connections to standard Docker API ports, a key indicator from today's intelligence on Docker API abuse.")`

4. PowerShell Script — Hunt for Malicious AmCache Entries

<#
.SYNOPSIS
Scans the local AmCache hive for suspicious executables based on keywords.
This is relevant to the forensic analysis techniques discussed in today's intelligence.
Reference: https://kasperskycontenthub.com/securelist/?p=117622
#>

#Requires -RunAsAdministrator

$suspiciousKeywords = @("mimikatz", "procdump", "rhadamanthys", "grabber.exe")

try {
$amcache = Get-ChildItem "C:\Windows\appcompat\Programs\Amcache.hve"
if (-not $amcache) {
Write-Warning "AmCache.hve not found. System may not use it or it has been cleared."
return
}

Write-Host "[+] Found AmCache.hve. Searching for suspicious entries..."

# In a real scenario, you would use a dedicated parser.
# This is a simplified string search for demonstration.
$content = Get-Content -Path $amcache.FullName -Encoding Byte -Raw
$stringContent = [System.Text.Encoding]::ASCII.GetString($content)

foreach ($keyword in $suspiciousKeywords) {
if ($stringContent -match $keyword) {
Write-Error "[!!!] Suspicious keyword '$keyword' found in AmCache.hve on $env:COMPUTERNAME. Further investigation required."
}
}
Write-Host "[+] Scan complete. No suspicious keywords found."
}
catch {
Write-Error "An error occurred: $_"
}

This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!

{ "type": "bundle", "id": "bundle--f4886dfe-f296-47f8-b0b8-6aeb4e672469", "objects": [ { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487", "created": "2022-10-01T00:00:00.000Z", "definition_type": "tlp:2.0", "name": "TLP:CLEAR", "definition": { "tlp": "clear" } }, { "type": "identity", "spec_version": "2.1", "id": "identity--4d1b416c-caea-48d0-8751-adbf5c94ae3a", "created": "2025-10-01T13:40:13.524Z", "modified": "2025-10-01T13:40:13.524Z", "name": "MikeGPT Intelligence Platform", "description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds", "identity_class": "organization", "sectors": [ "technology", "defense" ], "contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "report", "spec_version": "2.1", "id": "report--02a0d225-8d97-45dd-ac53-8bddd1f8c7de", "created": "2025-10-01T13:40:13.524Z", "modified": "2025-10-01T13:40:13.524Z", "name": "Threat Intelligence Report - 2025-10-01", "description": "Threat Intelligence Report - 2025-10-01\n\nThis report consolidates actionable cybersecurity intelligence from 91 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• Apple urges users to update iPhone and Mac to patch font bug (Score: 100)\n• Forensic journey: hunting evil within AmCache (Score: 100)\n• Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability (Score: 100)\n• Rhadamanthys 0.9.x – walk through the updates (Score: 100)\n• Top CVEs & Vulnerabilities of September 2025 (Score: 100)\n\nEXTRACTED ENTITIES:\n• 32 Attack Pattern(s)\n• 2 Campaign(s)\n• 2 Course Of Action(s)\n• 1 Domain Name(s)\n• 2 Indicator(s)\n• 1 Intrusion Set(s)\n• 1 Location(s)\n• 5 Malware(s)\n• 1 Marking Definition(s)\n• 9 Relationship(s)\n• 1 Tool(s)\n• 1 Url(s)\n• 2 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n", "published": "2025-10-01T13:40:13.524Z", "object_refs": [ "identity--4d1b416c-caea-48d0-8751-adbf5c94ae3a", "identity--78652a32-1d49-42fb-a7b1-5c6f8bfb3581", "malware--4267370b-1057-49a4-942f-fcb4c563aacc", "identity--37a6c73b-081d-4c71-a467-5ccabd7ab329", "tool--8296b0e0-ae1f-45b6-8de0-1c1a4a5e05c5", "malware--c1213cab-cfa6-47a2-b43b-7af4967ec05a", "malware--3e45ebc9-bae3-4704-86a9-44abdb347667", "malware--d1b982de-9a91-4b3f-afe9-f09f8d466881", "location--554766a1-5093-4b60-9732-aa6d14becb18", "intrusion-set--7ff82b53-a7ae-4331-be8f-9624439d3106", "malware--622d89f5-39ec-4c12-9e59-72477cefd1ab", "vulnerability--960fba5c-f3c4-4800-8756-f284eec96652", "identity--ce2e69c6-c194-4ca1-8ccd-65c1ce21af1b", "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678", "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc", "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18", "attack-pattern--f33f5834-6a9a-4727-88a5-9d35eeba1cff", "attack-pattern--2d26e3d0-4bbf-44c3-aa9e-5aeab4937638", "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65", "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11", "attack-pattern--c3286059-b33e-4b64-9fda-22075baf9afa", "attack-pattern--ce39e6f2-b20f-421e-83e1-242a773e1927", "attack-pattern--d5229cf6-f11b-41bc-8aca-0df713047400", "attack-pattern--01df90e4-619d-4268-90c9-6e2aa84079d9", "attack-pattern--4a8885dc-c05b-48e8-b6eb-f4fee78de603", "attack-pattern--dd0edf90-8f96-4a15-852b-ba611cd81716", "attack-pattern--7e97f3fa-7b6d-4c57-84b4-ebd596b535ff", "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719", "attack-pattern--990e5d8f-fe96-4e5d-b9e6-efa9d339a00c", "attack-pattern--8fa12b40-8610-4259-b608-4d4bfd0e8d44", "attack-pattern--fcb3d170-b982-4921-8a85-e3d46829554e", "attack-pattern--b863fbfb-5683-4f21-8c51-9323c0303278", "attack-pattern--805150b2-5c05-4153-8da5-ae32c666eb50", "attack-pattern--648fba01-e867-4fc6-96df-cc8f6217bee6", "attack-pattern--49163bd0-0095-494a-9880-405ec6f59a29", "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3", "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2", "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea", "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1", "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530", "attack-pattern--a907e721-990f-42d9-bf85-1e776140509a", "attack-pattern--7290c559-48e6-4e5f-be78-51876ed8c82c", "attack-pattern--612b1a32-c6e2-4b9b-8c05-1691c6c73fab", "vulnerability--a4de35c0-f387-44e9-8060-aa2509daf373", "campaign--5f15a8ed-bd57-4829-a0a5-41a3eb23c1c3", "campaign--cf7263fc-f9d4-474e-822f-4e7f204d4321", "course-of-action--4550c93c-d3e0-4a31-9815-b489940ad781", "course-of-action--1bf504f2-895f-4cc2-b1e7-3056b2715368", "relationship--f59a2ab3-fabe-4628-bb24-f5d0155570d2", "relationship--ee9bffc6-dde7-4dcc-afe3-1e674f9f360c", "relationship--48cdfb24-2090-43a1-92e0-1efbf00ea7b5", "domain-name--724d4074-6487-4460-8369-addae21dc37d", "url--a5126656-1e0a-4b16-93b5-c795004cd36b", "indicator--a7056163-4ec1-46b4-92ad-e47ec29c7b4e", "relationship--7ed2bd2d-912f-41db-a036-c42fadda8bbc", "indicator--042bebd8-5ed6-43af-9e43-4c4b0c942ae0", "relationship--ffc5f402-ef53-4d0a-ad15-8a1ed6222235", "relationship--e035f1b6-d290-4d58-af47-c4c8f507a479", "relationship--af0ae8c1-9e39-469e-a9a3-65c703512f73", "relationship--973568f9-9add-4b90-a4f2-95fa977ff02b", "relationship--e09f2b5d-53ff-459a-b513-0d188473613f" ], "labels": [ "threat-report", "threat-intelligence" ], "created_by_ref": "identity--4d1b416c-caea-48d0-8751-adbf5c94ae3a", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:12.293Z", "modified": "2025-10-01T13:40:12.293Z", "confidence": 95, "type": "identity", "id": "identity--78652a32-1d49-42fb-a7b1-5c6f8bfb3581", "name": "CISA", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:12.294Z", "modified": "2025-10-01T13:40:12.294Z", "confidence": 95, "type": "malware", "id": "malware--4267370b-1057-49a4-942f-fcb4c563aacc", "name": "MatrixPDF", "is_family": true, "malware_types": [ "trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:12.294Z", "modified": "2025-10-01T13:40:12.294Z", "confidence": 95, "type": "identity", "id": "identity--37a6c73b-081d-4c71-a467-5ccabd7ab329", "name": "ZDI", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:12.294Z", "modified": "2025-10-01T13:40:12.294Z", "confidence": 95, "type": "tool", "id": "tool--8296b0e0-ae1f-45b6-8de0-1c1a4a5e05c5", "name": "Kali", "tool_types": [ "exploitation", "vulnerability-scanning", "network-capture" ], "labels": [ "tool" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:12.294Z", "modified": "2025-10-01T13:40:12.294Z", "confidence": 95, "type": "malware", "id": "malware--c1213cab-cfa6-47a2-b43b-7af4967ec05a", "name": "XMRig", "is_family": true, "malware_types": [ "crypto-miner" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:12.294Z", "modified": "2025-10-01T13:40:12.294Z", "confidence": 95, "type": "malware", "id": "malware--3e45ebc9-bae3-4704-86a9-44abdb347667", "name": "Mirai", "is_family": true, "malware_types": [ "bot" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:12.294Z", "modified": "2025-10-01T13:40:12.294Z", "confidence": 95, "type": "malware", "id": "malware--d1b982de-9a91-4b3f-afe9-f09f8d466881", "name": "AtomicStealer", "is_family": true, "malware_types": [ "stealer" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:12.294Z", "modified": "2025-10-01T13:40:12.294Z", "confidence": 95, "type": "location", "id": "location--554766a1-5093-4b60-9732-aa6d14becb18", "name": "South Korea", "country": "KR", "labels": [ "location" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:12.294Z", "modified": "2025-10-01T13:40:12.294Z", "confidence": 95, "type": "intrusion-set", "id": "intrusion-set--7ff82b53-a7ae-4331-be8f-9624439d3106", "name": "Scattered Spider", "labels": [ "intrusion-set" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:12.294Z", "modified": "2025-10-01T13:40:12.294Z", "confidence": 95, "type": "malware", "id": "malware--622d89f5-39ec-4c12-9e59-72477cefd1ab", "name": "DCRat", "is_family": true, "malware_types": [ "remote-access-trojan" ], "labels": [ "malicious-activity" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:12.294Z", "modified": "2025-10-01T13:40:12.294Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--960fba5c-f3c4-4800-8756-f284eec96652", "name": "CVE-2025-59305", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-59305", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59305" }, { "source_name": "nvd", "external_id": "CVE-2025-59305", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59305" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:12.294Z", "modified": "2025-10-01T13:40:12.294Z", "confidence": 95, "type": "identity", "id": "identity--ce2e69c6-c194-4ca1-8ccd-65c1ce21af1b", "name": "Mend.io", "identity_class": "organization", "labels": [ "organization" ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:12.294Z", "modified": "2025-10-01T13:40:12.294Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "name": "Command and Scripting Interpreter", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_id": "T1059", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1059/", "external_id": "T1059" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678", "name": "Exploitation for Client Execution", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_id": "T1203", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1203/", "external_id": "T1203" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc", "name": "Exploit Public-Facing Application", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1190", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1190/", "external_id": "T1190" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18", "name": "Adversary-in-the-Middle", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1557", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1557/", "external_id": "T1557" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--f33f5834-6a9a-4727-88a5-9d35eeba1cff", "name": "Abuse Elevation Control Mechanism", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" }, { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" } ], "x_mitre_id": "T1548", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1548/", "external_id": "T1548" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--2d26e3d0-4bbf-44c3-aa9e-5aeab4937638", "name": "Access Token Manipulation", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1134", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1134/", "external_id": "T1134" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "name": "Spearphishing Attachment", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/001/", "external_id": "T1566.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65", "name": "Spearphishing Link", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/002/", "external_id": "T1566.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11", "name": "Spearphishing via Service", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.003", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/003/", "external_id": "T1566.003" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--c3286059-b33e-4b64-9fda-22075baf9afa", "name": "Ingress Tool Transfer", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "command-and-control" } ], "x_mitre_id": "T1105", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1105/", "external_id": "T1105" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--ce39e6f2-b20f-421e-83e1-242a773e1927", "name": "Create or Modify System Process", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1543", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1543/", "external_id": "T1543" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--d5229cf6-f11b-41bc-8aca-0df713047400", "name": "Boot or Logon Autostart Execution", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1547", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1547/", "external_id": "T1547" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--01df90e4-619d-4268-90c9-6e2aa84079d9", "name": "PowerShell", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_id": "T1059.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1059/001/", "external_id": "T1059.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--4a8885dc-c05b-48e8-b6eb-f4fee78de603", "name": "Email Account", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "x_mitre_id": "T1087.003", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1087/003/", "external_id": "T1087.003" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--dd0edf90-8f96-4a15-852b-ba611cd81716", "name": "Python", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_id": "T1059.006", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1059/006/", "external_id": "T1059.006" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--7e97f3fa-7b6d-4c57-84b4-ebd596b535ff", "name": "System Time Discovery", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "discovery" } ], "x_mitre_id": "T1124", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1124/", "external_id": "T1124" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 83, "type": "attack-pattern", "id": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719", "name": "Vulnerabilities", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "x_mitre_id": "T1588.006", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1588/006/", "external_id": "T1588.006" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 83, "type": "attack-pattern", "id": "attack-pattern--990e5d8f-fe96-4e5d-b9e6-efa9d339a00c", "name": "Replication Through Removable Media", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "lateral-movement" }, { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1091", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1091/", "external_id": "T1091" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 77, "type": "attack-pattern", "id": "attack-pattern--8fa12b40-8610-4259-b608-4d4bfd0e8d44", "name": "Data from Removable Media", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1025", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1025/", "external_id": "T1025" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 74, "type": "attack-pattern", "id": "attack-pattern--fcb3d170-b982-4921-8a85-e3d46829554e", "name": "Disable or Modify System Firewall", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" } ], "x_mitre_id": "T1562.004", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1562/004/", "external_id": "T1562.004" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 73, "type": "attack-pattern", "id": "attack-pattern--b863fbfb-5683-4f21-8c51-9323c0303278", "name": "Exclusive Control", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1668", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1668/", "external_id": "T1668" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 72, "type": "attack-pattern", "id": "attack-pattern--805150b2-5c05-4153-8da5-ae32c666eb50", "name": "Add-ins", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1137.006", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1137/006/", "external_id": "T1137.006" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 72, "type": "attack-pattern", "id": "attack-pattern--648fba01-e867-4fc6-96df-cc8f6217bee6", "name": "Artificial Intelligence", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "x_mitre_id": "T1588.007", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1588/007/", "external_id": "T1588.007" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 72, "type": "attack-pattern", "id": "attack-pattern--49163bd0-0095-494a-9880-405ec6f59a29", "name": "Remote Email Collection", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1114.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1114/002/", "external_id": "T1114.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3", "name": "Archive via Utility", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1560.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1560/001/", "external_id": "T1560.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2", "name": "Screen Capture", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1113", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1113/", "external_id": "T1113" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea", "name": "Scheduled Task", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" }, { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1053.005", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1053/005/", "external_id": "T1053.005" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1", "name": "Socket Filters", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "command-and-control" } ], "x_mitre_id": "T1205.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1205/002/", "external_id": "T1205.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530", "name": "Malicious Shell Modification", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1156", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1156/", "external_id": "T1156" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 68, "type": "attack-pattern", "id": "attack-pattern--a907e721-990f-42d9-bf85-1e776140509a", "name": "TFTP Boot", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1542.005", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1542/005/", "external_id": "T1542.005" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 68, "type": "attack-pattern", "id": "attack-pattern--7290c559-48e6-4e5f-be78-51876ed8c82c", "name": "Exfiltration over USB", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "exfiltration" } ], "x_mitre_id": "T1052.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1052/001/", "external_id": "T1052.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "confidence": 65, "type": "attack-pattern", "id": "attack-pattern--612b1a32-c6e2-4b9b-8c05-1691c6c73fab", "name": "Device Registration", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation" } ], "x_mitre_id": "T1098.005", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1098/005/", "external_id": "T1098.005" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--a4de35c0-f387-44e9-8060-aa2509daf373", "created": "2025-10-01T13:40:12.270Z", "modified": "2025-10-01T13:40:12.270Z", "name": "CVE-2025-43400", "description": "Vulnerability CVE-2025-43400", "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-43400", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43400" }, { "source_name": "article", "url": "https://securityaffairs.com/?p=182835", "description": "Apple urges users to update iPhone and Mac to patch font bug" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--5f15a8ed-bd57-4829-a0a5-41a3eb23c1c3", "created": "2025-10-01T13:40:12.288Z", "modified": "2025-10-01T13:40:12.288Z", "name": "CVE-2025-43400 Exploitation Campaign", "description": "Coordinated exploitation activity targeting CVE-2025-43400", "first_seen": "2025-10-01T11:00:02.000Z", "last_seen": "2025-10-01T11:00:02.000Z", "objective": "Exploitation of CVE-2025-43400 for unauthorized access", "confidence": 75, "external_references": [ { "source_name": "article", "url": "https://securityaffairs.com/?p=182835", "description": "Apple urges users to update iPhone and Mac to patch font bug" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "campaign", "spec_version": "2.1", "id": "campaign--cf7263fc-f9d4-474e-822f-4e7f204d4321", "created": "2025-10-01T13:40:12.289Z", "modified": "2025-10-01T13:40:12.289Z", "name": "CVE-2025-59305 Exploitation Campaign", "description": "Coordinated exploitation activity targeting CVE-2025-59305", "first_seen": "2025-09-30T22:14:01.000Z", "last_seen": "2025-09-30T22:14:01.000Z", "objective": "Exploitation of CVE-2025-59305 for unauthorized access", "confidence": 75, "external_references": [ { "source_name": "article", "url": "https://news.ycombinator.com/item?id=45431877", "description": "LLM security agent finds vulnerability in LLM engineering platform" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--4550c93c-d3e0-4a31-9815-b489940ad781", "created": "2025-10-01T13:40:12.291Z", "modified": "2025-10-01T13:40:12.291Z", "name": "Mitigate CVE-2025-43400", "description": "Apply security updates and patches to address CVE-2025-43400", "action_type": "remediate", "external_references": [ { "source_name": "nvd", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43400", "description": "NVD entry with patch information" }, { "source_name": "article", "url": "https://securityaffairs.com/?p=182835", "description": "Apple urges users to update iPhone and Mac to patch font bug" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--1bf504f2-895f-4cc2-b1e7-3056b2715368", "created": "2025-10-01T13:40:12.291Z", "modified": "2025-10-01T13:40:12.291Z", "name": "Mitigate CVE-2025-59305", "description": "Apply security updates and patches to address CVE-2025-59305", "action_type": "remediate", "external_references": [ { "source_name": "nvd", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59305", "description": "NVD entry with patch information" }, { "source_name": "article", "url": "https://securityaffairs.com/?p=182835", "description": "Apple urges users to update iPhone and Mac to patch font bug" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f59a2ab3-fabe-4628-bb24-f5d0155570d2", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "relationship_type": "uses", "source_ref": "intrusion-set--7ff82b53-a7ae-4331-be8f-9624439d3106", "target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "confidence": 75, "description": "MITRE ATT&CK mapping: scattered spider uses command and scripting interpreter (T1059)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ee9bffc6-dde7-4dcc-afe3-1e674f9f360c", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "relationship_type": "uses", "source_ref": "intrusion-set--7ff82b53-a7ae-4331-be8f-9624439d3106", "target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "confidence": 75, "description": "MITRE ATT&CK mapping: scattered spider uses spearphishing attachment (T1566.001)", "x_validation_method": "mitre-mapper" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--48cdfb24-2090-43a1-92e0-1efbf00ea7b5", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "relationship_type": "uses", "source_ref": "intrusion-set--7ff82b53-a7ae-4331-be8f-9624439d3106", "target_ref": "attack-pattern--01df90e4-619d-4268-90c9-6e2aa84079d9", "confidence": 75, "description": "MITRE ATT&CK mapping: scattered spider uses powershell (T1059.001)", "x_validation_method": "mitre-mapper" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--724d4074-6487-4460-8369-addae21dc37d", "value": "nexusrouter.com" }, { "type": "url", "spec_version": "2.1", "id": "url--a5126656-1e0a-4b16-93b5-c795004cd36b", "value": "https://nexusrouter.com/blog/securing-your-ai-stack-how-nexus-addresses-critical-mcp-security-challenges" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a7056163-4ec1-46b4-92ad-e47ec29c7b4e", "created": "2025-10-01T13:40:12.266Z", "modified": "2025-10-01T13:40:12.266Z", "name": "Malicious domain-name indicator", "description": "Malicious domain-name identified in threat intelligence", "pattern": "[domain-name:value = 'nexusrouter.com']", "pattern_type": "stix", "valid_from": "2025-10-01T13:40:12.266Z", "labels": [ "malicious-activity" ], "confidence": 90 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7ed2bd2d-912f-41db-a036-c42fadda8bbc", "created": "2025-10-01T13:40:12.266Z", "modified": "2025-10-01T13:40:12.266Z", "relationship_type": "based-on", "source_ref": "indicator--a7056163-4ec1-46b4-92ad-e47ec29c7b4e", "target_ref": "domain-name--724d4074-6487-4460-8369-addae21dc37d" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--042bebd8-5ed6-43af-9e43-4c4b0c942ae0", "created": "2025-10-01T13:40:12.267Z", "modified": "2025-10-01T13:40:12.267Z", "name": "Malicious url indicator", "description": "Malicious url identified in threat intelligence", "pattern": "[url:value = 'https://nexusrouter.com/blog/securing-your-ai-stack-how-nexus-addresses-critical-mcp-security-challenges']", "pattern_type": "stix", "valid_from": "2025-10-01T13:40:12.267Z", "labels": [ "malicious-activity" ], "confidence": 90 }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ffc5f402-ef53-4d0a-ad15-8a1ed6222235", "created": "2025-10-01T13:40:12.267Z", "modified": "2025-10-01T13:40:12.267Z", "relationship_type": "based-on", "source_ref": "indicator--042bebd8-5ed6-43af-9e43-4c4b0c942ae0", "target_ref": "url--a5126656-1e0a-4b16-93b5-c795004cd36b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e035f1b6-d290-4d58-af47-c4c8f507a479", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "relationship_type": "mitigated-by", "source_ref": "vulnerability--960fba5c-f3c4-4800-8756-f284eec96652", "target_ref": "course-of-action--1bf504f2-895f-4cc2-b1e7-3056b2715368", "description": "CVE-2025-59305 is mitigated by Mitigate CVE-2025-59305" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--af0ae8c1-9e39-469e-a9a3-65c703512f73", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "relationship_type": "mitigated-by", "source_ref": "vulnerability--a4de35c0-f387-44e9-8060-aa2509daf373", "target_ref": "course-of-action--4550c93c-d3e0-4a31-9815-b489940ad781", "description": "CVE-2025-43400 is mitigated by Mitigate CVE-2025-43400" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--973568f9-9add-4b90-a4f2-95fa977ff02b", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "relationship_type": "targets", "source_ref": "campaign--5f15a8ed-bd57-4829-a0a5-41a3eb23c1c3", "target_ref": "vulnerability--a4de35c0-f387-44e9-8060-aa2509daf373", "description": "CVE-2025-43400 Exploitation Campaign targets CVE-2025-43400" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e09f2b5d-53ff-459a-b513-0d188473613f", "created": "2025-10-01T13:40:13.523Z", "modified": "2025-10-01T13:40:13.523Z", "relationship_type": "targets", "source_ref": "campaign--cf7263fc-f9d4-474e-822f-4e7f204d4321", "target_ref": "vulnerability--960fba5c-f3c4-4800-8756-f284eec96652", "description": "CVE-2025-59305 Exploitation Campaign targets CVE-2025-59305" } ] }

Playbook for the Secure Enterprise