Sat, Oct 4, 2025 • 7-minute read
Heroes, here's a detailed look at the current cybersecurity landscape for October 4, 2025.
Date & Time: 2025-10-03T11:35:31
DrayTek Vigor routers running DrayOS are affected by a critical remote code execution vulnerability in their EasyVPN and LAN web administration interfaces. By sending specially crafted data, an attacker can trigger the use of an uninitialized variable and achieve RCE, compromising network integrity and potentially gaining access to internal resources.
CVE: CVE-2025-10547 | Compliance: FISMA, SOX | Source: CERT/CC ↗
Date & Time: 2025-10-03T20:07:31
The cybercriminal group Scattered Spider has launched a new extortion campaign, publishing a leak site listing dozens of large companies and claiming to have stolen their data via Salesforce. This represents a significant supply chain risk, where a compromise in a major vendor's ecosystem is used to extort its customers, impacting brand trust and data security across multiple organizations.
CVE: n/a | Compliance: General Enterprise | Source: The Record ↗
Date & Time: 2025-10-03T10:30:00
A threat actor dubbed Cavalry Werewolf, with overlaps to the YoroTrooper group, is actively targeting the Russian public sector. The campaign utilizes custom malware including the FoalShell backdoor and StallionRAT, indicating a persistent and targeted espionage effort against government entities.
CVE: n/a | Compliance: HIPAA, SOX | Source: The Hacker News ↗
Date & Time: 2025-10-03T15:58:00
The Rhadamanthys information stealer malware has been updated with advanced capabilities, including device fingerprinting and the use of PNG steganography to hide malicious payloads. This evolution demonstrates the continuous effort by malware authors to improve evasion techniques, making detection more challenging for traditional security tools.
CVE: n/a | Compliance: General Enterprise | Source: The Hacker News ↗
Date & Time: 2025-10-03T09:55:49
Oracle has acknowledged that vulnerabilities patched in its July 2025 update may have been exploited in recent extortion attacks. This serves as a critical reminder for organizations to apply patches promptly, as threat actors actively target known but unpatched vulnerabilities for financial gain.
Source: SecurityWeek ↗
Date & Time: 2025-10-03T14:44:40
A review of major September 2025 incidents highlights diverse and persistent cyber risks, including a worm-style npm supply chain attack, a major healthcare ransomware incident in Brazil, and an insider breach. This analysis underscores the multifaceted nature of the modern threat landscape, requiring a defense-in-depth strategy that addresses software supply chains, ransomware, and insider threats.
Source: ColorTokens ↗
Date & Time: 2025-10-03T13:32:06
With stolen privileged credentials accounting for 61% of data breaches, strategic investment in Privileged Access Management (PAM) is crucial. This guidance provides executives and security leaders with twelve essential questions to evaluate PAM solutions, ensuring the chosen technology aligns with the organization's risk posture and operational needs to mitigate credential-based attacks.
Source: 12port.com ↗
Spotlight Rationale: With the emergence of critical remote code execution vulnerabilities and ongoing extortion campaigns by groups like Scattered Spider, organizations require advanced threat intelligence to prioritize response. Mandiant specializes in tracking such threat actors and vulnerabilities, providing the necessary context to defend against these specific, active threats.
Threat Context: Salesforce Providing Support to Customers Listed on Scattered Spider Extortion Site
Platform Focus: Mandiant Advantage Threat Intelligence
Mandiant Advantage provides organizations with direct access to Mandiant's nation-state grade threat intelligence. This platform allows security teams to proactively research threat actors like Scattered Spider, understand their TTPs, and access detailed vulnerability intelligence for flaws like the Vigor router RCE ([CVE-2025-10547](https://nvd.nist.gov/vuln/detail/CVE-2025-10547)). By operationalizing this intelligence, defenders can move from a reactive to a proactive security posture, anticipating attacker moves and hardening defenses accordingly.
Actionable Platform Guidance: See Detection & Response Kit below for specific configuration steps within the Mandiant platform to address today's threats.
Source: Mandiant ↗
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment. This guidance is based on general platform knowledge and a representative threat scenario. UI paths and threat actor names may vary. Always verify against current Mandiant documentation and the latest threat intelligence.
1. Vendor Platform Configuration - Mandiant
# Mandiant Advantage: Proactive Threat Search & Triage
# --- IMMEDIATE ACTIONS ---
# 1. Search for Active Threats:
#    - Navigate to the main dashboard and use the top search bar or go to 'Threat Intelligence > Search'.
#    - Execute searches for key terms from today's rundown:
#        - "Scattered Spider"
#        - "CVE-2025-10547"
#        - "Cavalry Werewolf"
# 2. Review Threat Actor and Vulnerability Profiles:
#    - From the search results, click on the relevant Actor and Vulnerability profiles.
#    - Analyze associated TTPs, malware (StallionRAT, FoalShell), and indicators of compromise (IOCs).
# --- VERIFICATION STEPS ---
# 1. Correlate IOCs with Internal Telemetry:
#    - Export relevant IOCs (hashes, IPs, domains) from the Mandiant profiles.
#    - Use your SIEM or EDR to search for these indicators within your environment to identify potential exposure.
# 2. Create and Assign an Investigation Case:
#    - Within Mandiant Advantage, create a new case to track the investigation into these threats.
#    - Assign the case to your incident response team with findings and recommended actions from the platform.
2. YARA Rule for StallionRAT (Cavalry Werewolf)
rule MAL_StallionRAT_CavalryWerewolf {
    meta:
        description = "Detects potential StallionRAT malware associated with the Cavalry Werewolf campaign."
        author = "Threat Rundown"
        date = "2025-10-04"
        reference = "https://thehackernews.com/2025/10/new-cavalry-werewolf-attack-hits.html"
        severity = "high"
        tlp = "white"
    strings:
        $ua = "Stallion/1.0 Client" ascii wide
        $s1 = "StallionRAT_Mutex_Unique" ascii wide
        $s2 = "/gate.php?id=" ascii
        $s3 = "FoalShell_Loader" ascii wide
    condition:
        uint16(0) == 0x5a4d and any of them
}
3. SIEM Query — Vigor Router Exploit Attempt (CVE-2025-10547)
sourcetype IN (pan:traffic, cisco:asa, web_proxy) action=allowed dest_port IN (80, 443)
    NOT (src_ip IN (192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12))
    (url="*/cgi-bin/*" OR url="*/api/auth*" OR url="*EasyVPN*")
    (http_method=POST OR url IN ("*wget*", "*curl*", "*bash*", "*exec*"))
| eval risk_score=case(
    match(url, "(?i)(wget|curl|bash|exec|;|&&)"), 100,
    http_method=="POST" AND bytes_in > 1024, 75,
    1==1, 50)
| where risk_score >= 75
| table _time, src_ip, dest_ip, url, user_agent, risk_score
| sort -_time
4. PowerShell Script — Hunt for win-cli-mcp-server Post-Exploitation
# Hunt for suspicious child processes of win-cli-mcp-server.exe, an indicator for ZDI-CAN-27787 exploitation.
# Run from an elevated session; reading the Security log requires administrative rights.
$lookbackDays = 1
$parentProcess = "win-cli-mcp-server.exe"
$suspiciousChildren = @("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "sh.exe", "bash.exe")
Write-Host "[*] Searching for suspicious child processes of '$parentProcess' in the last $lookbackDays day(s)..."
# Event 4688 is written to the 'Security' log; 'Microsoft-Windows-Security-Auditing' is the provider, not a log name.
$processEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    ID           = 4688
    StartTime    = (Get-Date).AddDays(-$lookbackDays)
} -ErrorAction SilentlyContinue
if ($null -eq $processEvents) {
    Write-Warning "Could not retrieve process creation events (ID 4688). Ensure process auditing is enabled."
    exit
}
# $event is a PowerShell automatic variable, so the loop variable is named $evt.
foreach ($evt in $processEvents) {
    # Property indexes follow the 4688 layout that includes ParentProcessName (Windows 10 / Server 2016 and later).
    $processName = $evt.Properties[5].Value         # NewProcessName
    $parentProcessName = $evt.Properties[13].Value  # ParentProcessName
    if ($parentProcessName -like "*$parentProcess*") {
        # Compare the file name only, so bash.exe is not reported a second time as a match for sh.exe.
        $childName = Split-Path -Path $processName -Leaf
        if ($suspiciousChildren -contains $childName) {
            Write-Host "[!] POTENTIAL COMPROMISE DETECTED on $($evt.MachineName) at $($evt.TimeCreated)"
            Write-Host "    - Parent: $parentProcessName"
            Write-Host "    - Child: $processName"
        }
    }
}
Write-Host "[*] Search complete."
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
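A pre-import check for a bundle like the one on this page, as an added example that is not part of the original page or the feed's own tooling: it verifies STIX ID syntax, finds references that do not resolve inside the bundle, and lists ATT&CK technique IDs at or above a confidence floor. The sample bundle, its IDs and all function names are constructed for the illustration.

```python
import re

# A STIX 2.1 identifier is "<object-type>--<UUID>".
STIX_ID = re.compile(
    r"^([a-z0-9-]+)--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
# Properties holding one reference (str) or a list of references.
REF_FIELDS = ("created_by_ref", "source_ref", "target_ref",
              "object_refs", "object_marking_refs")


def sample_id(kind, n):
    """Constructed, syntactically valid STIX ID for the sample data."""
    return f"{kind}--00000000-0000-4000-8000-{n:012d}"


# Constructed sample with the same shape as this page's bundle; every ID is made up.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": sample_id("bundle", 0),
    "objects": [
        {"type": "identity", "id": sample_id("identity", 1), "name": "Example Feed"},
        {"type": "attack-pattern", "id": sample_id("attack-pattern", 2),
         "name": "Exploit Public-Facing Application", "confidence": 90,
         "external_references": [
             {"source_name": "MITRE ATT&CK", "external_id": "T1190"}]},
        {"type": "attack-pattern", "id": sample_id("attack-pattern", 3),
         "name": "Screen Capture", "confidence": 70,
         "external_references": [
             {"source_name": "MITRE ATT&CK", "external_id": "T1113"}]},
        {"type": "report", "id": sample_id("report", 4),
         "created_by_ref": sample_id("identity", 1),
         "object_refs": [sample_id("identity", 1),
                         sample_id("attack-pattern", 2),
                         sample_id("indicator", 9)]},    # indicator 9 is absent
        {"type": "relationship", "id": sample_id("relationship", 5),
         "relationship_type": "targets",
         "source_ref": sample_id("attack-pattern", 2),
         "target_ref": sample_id("vulnerability", 8)},   # vulnerability 8 is absent
        {"type": "malware", "id": "malware--not-a-uuid", "name": "Constructed"},
    ],
}


def malformed_ids(bundle):
    """IDs that are not '<type>--<UUID>' or whose prefix differs from 'type'."""
    bad = []
    for obj in bundle.get("objects", []):
        match = STIX_ID.match(obj.get("id", ""))
        if not match or match.group(1) != obj.get("type"):
            bad.append(obj.get("id"))
    return bad


def dangling_refs(bundle):
    """(owner id, property, missing id) for every reference not in the bundle."""
    known = {obj.get("id") for obj in bundle.get("objects", [])}
    missing = []
    for obj in bundle.get("objects", []):
        for field in REF_FIELDS:
            value = obj.get(field, [])
            refs = [value] if isinstance(value, str) else value
            for ref in refs:
                if ref not in known:
                    missing.append((obj.get("id"), field, ref))
    return missing


def attack_techniques(bundle, min_confidence=0):
    """Sorted (technique id, name, confidence) for attack-pattern objects."""
    found = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        confidence = obj.get("confidence", 0)
        if confidence < min_confidence:
            continue
        for ref in obj.get("external_references", []):
            external_id = ref.get("external_id", "")
            if TECHNIQUE_ID.match(external_id):
                found.add((external_id, obj.get("name", ""), confidence))
    return sorted(found)


if __name__ == "__main__":
    for bad in malformed_ids(SAMPLE_BUNDLE):
        print(f"malformed id: {bad}")
    for owner, field, ref in dangling_refs(SAMPLE_BUNDLE):
        print(f"unresolved {field} in {owner}: {ref}")
    for technique in attack_techniques(SAMPLE_BUNDLE, min_confidence=80):
        print("technique:", *technique)
```

To run it against a downloaded bundle, load the file with `json.load` and pass the resulting dict to the same functions; a truncated or partially copied bundle shows up as unresolved references.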
{
"type": "bundle",
"id": "bundle--09036692-7bfe-4348-bbe0-62b163f1213c",
"objects": [
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"created": "2022-10-01T00:00:00.000Z",
"definition_type": "tlp:2.0",
"name": "TLP:CLEAR",
"definition": {
"tlp": "clear"
}
},
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--9922b639-e24d-4f02-a716-d4e0ac5a1729",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"name": "MikeGPT Intelligence Platform",
"description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds",
"identity_class": "organization",
"sectors": [
"technology",
"defense"
],
"contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--cd0ae3a8-0c65-43ae-9384-b720904f86f0",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"name": "Threat Intelligence Report - 2025-10-04",
"description": "Threat Intelligence Report - 2025-10-04\n\nThis report consolidates actionable cybersecurity intelligence from 92 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• ZDI-25-930: win-cli-mcp-server resolveCommandPath Command Injection Remote Code Execution Vulnerabil (Score: 100)\n• ZDI-25-931: MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerab (Score: 100)\n• ZDI-25-932: MLflow Weak Password Requirements Authentication Bypass Vulnerability (Score: 100)\n• VU#294418: Vigor routers running DrayOS are vulnerable to RCE via EasyVPN and LAN web administration (Score: 100)\n• New \"Cavalry Werewolf\" Attack Hits Russian Agencies with FoalShell and StallionRAT (Score: 100.0)\n\nEXTRACTED ENTITIES:\n• 25 Attack Pattern(s)\n• 6 Campaign(s)\n• 6 Course Of Action(s)\n• 3 Domain Name(s)\n• 6 Indicator(s)\n• 1 Intrusion Set(s)\n• 1 Malware(s)\n• 1 Marking Definition(s)\n• 24 Relationship(s)\n• 1 Threat Actor(s)\n• 3 Url(s)\n• 6 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n",
"published": "2025-10-04T13:21:01.705Z",
"object_refs": [
"identity--9922b639-e24d-4f02-a716-d4e0ac5a1729",
"identity--37a6c73b-081d-4c71-a467-5ccabd7ab329",
"malware--fa4c643a-e54a-4f71-aa1c-4bb424bb6db5",
"threat-actor--1c24883b-5440-48be-89b4-b0c9d2b0646b",
"identity--78652a32-1d49-42fb-a7b1-5c6f8bfb3581",
"intrusion-set--7ff82b53-a7ae-4331-be8f-9624439d3106",
"attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"attack-pattern--4a2578d4-fdf6-48d3-b66a-93c681e1e21e",
"attack-pattern--68a5c7b8-09b4-49b1-8149-bc23ed0260c9",
"attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"attack-pattern--01df90e4-619d-4268-90c9-6e2aa84079d9",
"attack-pattern--f33f5834-6a9a-4727-88a5-9d35eeba1cff",
"attack-pattern--2d26e3d0-4bbf-44c3-aa9e-5aeab4937638",
"attack-pattern--d5229cf6-f11b-41bc-8aca-0df713047400",
"attack-pattern--9ba6495b-e273-4e8d-a4ce-dbcd56ec33f2",
"attack-pattern--9f6c52f6-cc63-4397-b485-099a2ca6acf9",
"attack-pattern--dd0edf90-8f96-4a15-852b-ba611cd81716",
"attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"attack-pattern--f1669470-d352-4943-bd4a-70c7740b6d39",
"attack-pattern--75a38270-146f-445a-bb30-589accfe0eb3",
"attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"vulnerability--5ccd741b-10b5-479d-92b9-cdc3eb3b599a",
"vulnerability--b167d898-c404-43b4-bd50-db2afd304b75",
"vulnerability--f128a7b1-62ad-4387-a84a-81a9432bdc5a",
"vulnerability--9968b396-a461-4008-aaab-addd0e6e4eb6",
"vulnerability--2c344ff8-fef3-453e-a755-699ffdd7afdb",
"vulnerability--34315f8d-afed-4968-9cbf-9e209154929c",
"campaign--688118ce-d0bd-4a35-8e42-12a506441207",
"campaign--ca8e9efc-a887-4c41-a481-2f1128f3e50d",
"campaign--ba2a60c9-a114-485f-abc9-c4f9d5f6fbaf",
"campaign--23ca3d3b-0fb9-440b-aed0-6486c25e2cc9",
"campaign--05764aae-712c-434a-9c0f-f0c6b1459060",
"campaign--61e6c492-6e9a-4225-8c44-9e4e123e0c8b",
"course-of-action--138384d0-aee4-4928-a051-0c8745630647",
"course-of-action--21617f22-d90c-4c74-9d75-7f74fa8057d4",
"course-of-action--a5933805-e88a-494d-9458-8bd3e093cc68",
"course-of-action--824a4f4f-f778-4399-b18f-1662279cce41",
"course-of-action--4b257858-5d6e-472d-9527-acec00c6e687",
"course-of-action--a7809b8a-5499-4c26-b837-e9648f806a5e",
"relationship--c5238ab5-30dc-42dd-97be-fdb24dcf65ef",
"relationship--397e6a17-6004-4319-bad9-cccee771eb28",
"relationship--bfc890a8-e4ea-48f4-a3a5-1ee90dcda003",
"relationship--82f25eda-563d-449a-a008-dccc56b404e2",
"relationship--1ddc322c-8df7-45fc-8cae-8e76e897a99a",
"relationship--0943aaa3-0382-4fe9-9eac-69dbdc4a2e73",
"domain-name--b241a2d6-f3df-4bc9-b6c4-830c46df2da2",
"url--e964bdeb-f9bf-4e95-909d-857b25c13b00",
"domain-name--ceea3d30-e2e1-4ab8-a257-4ac591340429",
"url--17f9fc57-e970-493a-abb6-f32fc4ea8ba4",
"domain-name--5ceb37ca-29d2-4b53-be40-b48f9dcc722f",
"url--eb687af5-0362-4f6e-9e27-0d0d185aee22",
"indicator--60b08c59-fcb4-4534-a16a-977d711906ca",
"relationship--f7b0e18e-2e67-4c51-beb8-003c9ab95134",
"indicator--b1a04d24-41ba-4a46-b485-8c14c62183ce",
"relationship--0b829ccc-48ee-46ea-a173-764852fe3288",
"indicator--dc4180f3-270d-40e1-a6af-76f455d14bc0",
"relationship--3f71e86d-a370-48a7-9b2a-8cf7a87a54e6",
"indicator--7e0b3e24-ce36-400c-a50f-f4292c530ced",
"relationship--7cacc10f-1b1e-4ddf-96c8-26a9e7757c15",
"indicator--d6d0953a-4fcd-41ea-84f1-4d5adbee3241",
"relationship--57e82027-e198-40f8-96c2-88ee9557ce0a",
"indicator--f5115312-4bdd-41b7-a5ed-31af8afb6350",
"relationship--c890aa62-6571-4dbb-aea9-8bf520215547",
"relationship--de4355bd-c80b-43db-8851-05187733f3a5",
"relationship--5618f147-f469-4b1f-b918-2e59106bd5cb",
"relationship--b91d5b32-650b-4173-8f85-ee070a06ba11",
"relationship--9abc7404-54d4-4029-90df-226a701a9e1d",
"relationship--04a2f1af-15cc-4c44-8335-586dd4478ddd",
"relationship--cdc01636-b427-4c2b-926c-e96057dad448",
"relationship--64c506ae-14af-49fc-8e22-6c397f940dc5",
"relationship--2f5790b9-0bc6-4e6d-880d-53398731e7fd",
"relationship--fdc2caee-abca-4620-b485-d01d60487aad",
"relationship--2e0cf94a-e227-405d-8302-d79183318747",
"relationship--c284abae-5266-4266-a3d5-a3b2644a8b8a",
"relationship--baa2b9d4-1e65-4476-857b-7901caed12e2"
],
"labels": [
"threat-report",
"threat-intelligence"
],
"created_by_ref": "identity--9922b639-e24d-4f02-a716-d4e0ac5a1729",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.108Z",
"modified": "2025-10-04T13:21:01.108Z",
"confidence": 95,
"type": "identity",
"id": "identity--37a6c73b-081d-4c71-a467-5ccabd7ab329",
"name": "ZDI",
"identity_class": "organization",
"labels": [
"organization"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.108Z",
"modified": "2025-10-04T13:21:01.108Z",
"confidence": 95,
"type": "malware",
"id": "malware--fa4c643a-e54a-4f71-aa1c-4bb424bb6db5",
"name": "Rhadamanthys",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.108Z",
"modified": "2025-10-04T13:21:01.108Z",
"confidence": 95,
"type": "threat-actor",
"id": "threat-actor--1c24883b-5440-48be-89b4-b0c9d2b0646b",
"name": "ShinyHunters",
"threat_actor_types": [
"hacker"
],
"labels": [
"threat-actor"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.108Z",
"modified": "2025-10-04T13:21:01.108Z",
"confidence": 95,
"type": "identity",
"id": "identity--78652a32-1d49-42fb-a7b1-5c6f8bfb3581",
"name": "CISA",
"identity_class": "organization",
"labels": [
"organization"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.108Z",
"modified": "2025-10-04T13:21:01.108Z",
"confidence": 95,
"type": "intrusion-set",
"id": "intrusion-set--7ff82b53-a7ae-4331-be8f-9624439d3106",
"name": "Scattered Spider",
"labels": [
"intrusion-set"
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.108Z",
"modified": "2025-10-04T13:21:01.108Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"name": "Exploit Public-Facing Application",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1190",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1190/",
"external_id": "T1190"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.704Z",
"modified": "2025-10-04T13:21:01.704Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"name": "Exploitation for Client Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1203",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1203/",
"external_id": "T1203"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.704Z",
"modified": "2025-10-04T13:21:01.704Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"name": "Command and Scripting Interpreter",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1059",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1059/",
"external_id": "T1059"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.704Z",
"modified": "2025-10-04T13:21:01.704Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"name": "Supply Chain Compromise",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/",
"external_id": "T1195"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.704Z",
"modified": "2025-10-04T13:21:01.704Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--4a2578d4-fdf6-48d3-b66a-93c681e1e21e",
"name": "Application Layer Protocol",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1071",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1071/",
"external_id": "T1071"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.704Z",
"modified": "2025-10-04T13:21:01.704Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--68a5c7b8-09b4-49b1-8149-bc23ed0260c9",
"name": "Non-Application Layer Protocol",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1095",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1095/",
"external_id": "T1095"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.704Z",
"modified": "2025-10-04T13:21:01.704Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--27b36b6d-ae90-4767-b07a-563ecef589ea",
"name": "Scheduled Task",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1053.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1053/005/",
"external_id": "T1053.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.704Z",
"modified": "2025-10-04T13:21:01.704Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"name": "Spearphishing Attachment",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/001/",
"external_id": "T1566.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.704Z",
"modified": "2025-10-04T13:21:01.704Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"name": "Spearphishing Link",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/002/",
"external_id": "T1566.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.704Z",
"modified": "2025-10-04T13:21:01.704Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"name": "Spearphishing via Service",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/003/",
"external_id": "T1566.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.704Z",
"modified": "2025-10-04T13:21:01.704Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--01df90e4-619d-4268-90c9-6e2aa84079d9",
"name": "PowerShell",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1059.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1059/001/",
"external_id": "T1059.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.704Z",
"modified": "2025-10-04T13:21:01.704Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--f33f5834-6a9a-4727-88a5-9d35eeba1cff",
"name": "Abuse Elevation Control Mechanism",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"x_mitre_id": "T1548",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1548/",
"external_id": "T1548"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.704Z",
"modified": "2025-10-04T13:21:01.704Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2d26e3d0-4bbf-44c3-aa9e-5aeab4937638",
"name": "Access Token Manipulation",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1134",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1134/",
"external_id": "T1134"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.704Z",
"modified": "2025-10-04T13:21:01.704Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--d5229cf6-f11b-41bc-8aca-0df713047400",
"name": "Boot or Logon Autostart Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1547",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1547/",
"external_id": "T1547"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.704Z",
"modified": "2025-10-04T13:21:01.704Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--9ba6495b-e273-4e8d-a4ce-dbcd56ec33f2",
"name": "Scheduled Task/Job",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"x_mitre_id": "T1053",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1053/",
"external_id": "T1053"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--9f6c52f6-cc63-4397-b485-099a2ca6acf9",
"name": "Compromise Hardware Supply Chain",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/003/",
"external_id": "T1195.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"confidence": 85,
"type": "attack-pattern",
"id": "attack-pattern--dd0edf90-8f96-4a15-852b-ba611cd81716",
"name": "Python",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1059.006",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1059/006/",
"external_id": "T1059.006"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"confidence": 84,
"type": "attack-pattern",
"id": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"name": "Vulnerabilities",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.006",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/006/",
"external_id": "T1588.006"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"confidence": 83,
"type": "attack-pattern",
"id": "attack-pattern--f1669470-d352-4943-bd4a-70c7740b6d39",
"name": "Compromise Software Supply Chain",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/002/",
"external_id": "T1195.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"confidence": 79,
"type": "attack-pattern",
"id": "attack-pattern--75a38270-146f-445a-bb30-589accfe0eb3",
"name": "System Shutdown/Reboot",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "impact"
}
],
"x_mitre_id": "T1529",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1529/",
"external_id": "T1529"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"name": "Archive via Utility",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1560.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1560/001/",
"external_id": "T1560.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"name": "Screen Capture",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1113",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1113/",
"external_id": "T1113"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"name": "Adversary-in-the-Middle",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1557",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1557/",
"external_id": "T1557"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--ed3369e1-8515-458a-99e3-cb9283fb73d1",
"name": "Socket Filters",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"x_mitre_id": "T1205.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1205/002/",
"external_id": "T1205.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e03eb8e0-183c-4351-82cb-2d9c193d1530",
"name": "Malicious Shell Modification",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"x_mitre_id": "T1156",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1156/",
"external_id": "T1156"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--5ccd741b-10b5-479d-92b9-cdc3eb3b599a",
"created": "2025-10-04T13:21:01.091Z",
"modified": "2025-10-04T13:21:01.091Z",
"name": "CVE-2025-11202",
"description": "Vulnerability CVE-2025-11202",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-11202",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11202"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--b167d898-c404-43b4-bd50-db2afd304b75",
"created": "2025-10-04T13:21:01.098Z",
"modified": "2025-10-04T13:21:01.098Z",
"name": "CVE-2025-11201",
"description": "Vulnerability CVE-2025-11201",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-11201",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11201"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--f128a7b1-62ad-4387-a84a-81a9432bdc5a",
"created": "2025-10-04T13:21:01.098Z",
"modified": "2025-10-04T13:21:01.098Z",
"name": "CVE-2025-11200",
"description": "Vulnerability CVE-2025-11200",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-11200",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11200"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--9968b396-a461-4008-aaab-addd0e6e4eb6",
"created": "2025-10-04T13:21:01.099Z",
"modified": "2025-10-04T13:21:01.099Z",
"name": "CVE-2025-10547",
"description": "Vulnerability CVE-2025-10547",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-10547",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10547"
},
{
"source_name": "article",
"url": "https://kb.cert.org/vuls/id/294418",
"description": "VU#294418: Vigor routers running DrayOS are vulnerable to RCE via EasyVPN and LAN web administration interface"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--2c344ff8-fef3-453e-a755-699ffdd7afdb",
"created": "2025-10-04T13:21:01.099Z",
"modified": "2025-10-04T13:21:01.099Z",
"name": "CVE-2025-11203",
"description": "Vulnerability CVE-2025-11203",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-11203",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11203"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--34315f8d-afed-4968-9cbf-9e209154929c",
"created": "2025-10-04T13:21:01.100Z",
"modified": "2025-10-04T13:21:01.100Z",
"name": "CVE-2025-4008",
"description": "Vulnerability CVE-2025-4008 | CVSS Score: 8.7",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-4008",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4008"
},
{
"source_name": "article",
"url": "https://thehackernews.com/2025/10/cisa-flags-meteobridge-cve-2025-4008.html",
"description": "CISA Flags Meteobridge CVE-2025-4008 Flaw as Actively Exploited in the Wild"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--688118ce-d0bd-4a35-8e42-12a506441207",
"created": "2025-10-04T13:21:01.101Z",
"modified": "2025-10-04T13:21:01.101Z",
"name": "CVE-2025-11202 Exploitation Campaign",
"description": "Coordinated exploitation activity targeting CVE-2025-11202",
"first_seen": "2025-10-03T05:00:00.000Z",
"last_seen": "2025-10-03T05:00:00.000Z",
"objective": "Exploitation of CVE-2025-11202 for unauthorized access",
"confidence": 75,
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--ca8e9efc-a887-4c41-a481-2f1128f3e50d",
"created": "2025-10-04T13:21:01.101Z",
"modified": "2025-10-04T13:21:01.101Z",
"name": "CVE-2025-11201 Exploitation Campaign",
"description": "Coordinated exploitation activity targeting CVE-2025-11201",
"first_seen": "2025-10-03T05:00:00.000Z",
"last_seen": "2025-10-03T05:00:00.000Z",
"objective": "Exploitation of CVE-2025-11201 for unauthorized access",
"confidence": 75,
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--ba2a60c9-a114-485f-abc9-c4f9d5f6fbaf",
"created": "2025-10-04T13:21:01.101Z",
"modified": "2025-10-04T13:21:01.101Z",
"name": "CVE-2025-11200 Exploitation Campaign",
"description": "Coordinated exploitation activity targeting CVE-2025-11200",
"first_seen": "2025-10-03T05:00:00.000Z",
"last_seen": "2025-10-03T05:00:00.000Z",
"objective": "Exploitation of CVE-2025-11200 for unauthorized access",
"confidence": 75,
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--23ca3d3b-0fb9-440b-aed0-6486c25e2cc9",
"created": "2025-10-04T13:21:01.101Z",
"modified": "2025-10-04T13:21:01.101Z",
"name": "CVE-2025-10547 Exploitation Campaign",
"description": "Coordinated exploitation activity targeting CVE-2025-10547",
"first_seen": "2025-10-03T11:35:31.000Z",
"last_seen": "2025-10-03T11:35:31.000Z",
"objective": "Exploitation of CVE-2025-10547 for unauthorized access",
"confidence": 75,
"external_references": [
{
"source_name": "article",
"url": "https://kb.cert.org/vuls/id/294418",
"description": "VU#294418: Vigor routers running DrayOS are vulnerable to RCE via EasyVPN and LAN web administration interface"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--05764aae-712c-434a-9c0f-f0c6b1459060",
"created": "2025-10-04T13:21:01.101Z",
"modified": "2025-10-04T13:21:01.101Z",
"name": "CVE-2025-11203 Exploitation Campaign",
"description": "Coordinated exploitation activity targeting CVE-2025-11203",
"first_seen": "2025-10-03T05:00:00.000Z",
"last_seen": "2025-10-03T05:00:00.000Z",
"objective": "Exploitation of CVE-2025-11203 for unauthorized access",
"confidence": 75,
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--61e6c492-6e9a-4225-8c44-9e4e123e0c8b",
"created": "2025-10-04T13:21:01.104Z",
"modified": "2025-10-04T13:21:01.104Z",
"name": "CVE-2025-4008 Exploitation Campaign",
"description": "Coordinated exploitation activity targeting CVE-2025-4008",
"first_seen": "2025-10-03T08:23:00.000Z",
"last_seen": "2025-10-03T08:23:00.000Z",
"objective": "Exploitation of CVE-2025-4008 for unauthorized access",
"confidence": 75,
"external_references": [
{
"source_name": "article",
"url": "https://thehackernews.com/2025/10/cisa-flags-meteobridge-cve-2025-4008.html",
"description": "CISA Flags Meteobridge CVE-2025-4008 Flaw as Actively Exploited in the Wild"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "course-of-action",
"spec_version": "2.1",
"id": "course-of-action--138384d0-aee4-4928-a051-0c8745630647",
"created": "2025-10-04T13:21:01.105Z",
"modified": "2025-10-04T13:21:01.105Z",
"name": "Mitigate CVE-2025-11202",
"description": "Apply security updates and patches to address CVE-2025-11202",
"action_type": "remediate",
"external_references": [
{
"source_name": "nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11202",
"description": "NVD entry with patch information"
},
{
"source_name": "article",
"url": "https://www.securityweek.com/?p=43849",
"description": "Oracle Says Known Vulnerabilities Possibly Exploited in Recent Extortion Attacks"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "course-of-action",
"spec_version": "2.1",
"id": "course-of-action--21617f22-d90c-4c74-9d75-7f74fa8057d4",
"created": "2025-10-04T13:21:01.105Z",
"modified": "2025-10-04T13:21:01.105Z",
"name": "Mitigate CVE-2025-11201",
"description": "Apply security updates and patches to address CVE-2025-11201",
"action_type": "remediate",
"external_references": [
{
"source_name": "nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11201",
"description": "NVD entry with patch information"
},
{
"source_name": "article",
"url": "https://www.securityweek.com/?p=43849",
"description": "Oracle Says Known Vulnerabilities Possibly Exploited in Recent Extortion Attacks"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "course-of-action",
"spec_version": "2.1",
"id": "course-of-action--a5933805-e88a-494d-9458-8bd3e093cc68",
"created": "2025-10-04T13:21:01.105Z",
"modified": "2025-10-04T13:21:01.105Z",
"name": "Mitigate CVE-2025-11200",
"description": "Apply security updates and patches to address CVE-2025-11200",
"action_type": "remediate",
"external_references": [
{
"source_name": "nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11200",
"description": "NVD entry with patch information"
},
{
"source_name": "article",
"url": "https://www.securityweek.com/?p=43849",
"description": "Oracle Says Known Vulnerabilities Possibly Exploited in Recent Extortion Attacks"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "course-of-action",
"spec_version": "2.1",
"id": "course-of-action--824a4f4f-f778-4399-b18f-1662279cce41",
"created": "2025-10-04T13:21:01.105Z",
"modified": "2025-10-04T13:21:01.105Z",
"name": "Mitigate CVE-2025-10547",
"description": "Apply security updates and patches to address CVE-2025-10547",
"action_type": "remediate",
"external_references": [
{
"source_name": "nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10547",
"description": "NVD entry with patch information"
},
{
"source_name": "article",
"url": "https://www.securityweek.com/?p=43849",
"description": "Oracle Says Known Vulnerabilities Possibly Exploited in Recent Extortion Attacks"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "course-of-action",
"spec_version": "2.1",
"id": "course-of-action--4b257858-5d6e-472d-9527-acec00c6e687",
"created": "2025-10-04T13:21:01.105Z",
"modified": "2025-10-04T13:21:01.105Z",
"name": "Mitigate CVE-2025-11203",
"description": "Apply security updates and patches to address CVE-2025-11203",
"action_type": "remediate",
"external_references": [
{
"source_name": "nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11203",
"description": "NVD entry with patch information"
},
{
"source_name": "article",
"url": "https://www.securityweek.com/?p=43849",
"description": "Oracle Says Known Vulnerabilities Possibly Exploited in Recent Extortion Attacks"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "course-of-action",
"spec_version": "2.1",
"id": "course-of-action--a7809b8a-5499-4c26-b837-e9648f806a5e",
"created": "2025-10-04T13:21:01.105Z",
"modified": "2025-10-04T13:21:01.105Z",
"name": "Mitigate CVE-2025-4008",
"description": "Apply security updates and patches to address CVE-2025-4008",
"action_type": "remediate",
"external_references": [
{
"source_name": "nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4008",
"description": "NVD entry with patch information"
},
{
"source_name": "article",
"url": "https://www.securityweek.com/?p=43849",
"description": "Oracle Says Known Vulnerabilities Possibly Exploited in Recent Extortion Attacks"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c5238ab5-30dc-42dd-97be-fdb24dcf65ef",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"relationship_type": "uses",
"source_ref": "threat-actor--1c24883b-5440-48be-89b4-b0c9d2b0646b",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 75,
"description": "MITRE ATT&CK mapping: shinyhunters uses command and scripting interpreter (T1059)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--397e6a17-6004-4319-bad9-cccee771eb28",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"relationship_type": "uses",
"source_ref": "threat-actor--1c24883b-5440-48be-89b4-b0c9d2b0646b",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: shinyhunters uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--bfc890a8-e4ea-48f4-a3a5-1ee90dcda003",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"relationship_type": "uses",
"source_ref": "threat-actor--1c24883b-5440-48be-89b4-b0c9d2b0646b",
"target_ref": "attack-pattern--01df90e4-619d-4268-90c9-6e2aa84079d9",
"confidence": 75,
"description": "MITRE ATT&CK mapping: shinyhunters uses powershell (T1059.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--82f25eda-563d-449a-a008-dccc56b404e2",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"relationship_type": "uses",
"source_ref": "intrusion-set--7ff82b53-a7ae-4331-be8f-9624439d3106",
"target_ref": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d",
"confidence": 75,
"description": "MITRE ATT&CK mapping: scattered spider uses command and scripting interpreter (T1059)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--1ddc322c-8df7-45fc-8cae-8e76e897a99a",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"relationship_type": "uses",
"source_ref": "intrusion-set--7ff82b53-a7ae-4331-be8f-9624439d3106",
"target_ref": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"confidence": 75,
"description": "MITRE ATT&CK mapping: scattered spider uses spearphishing attachment (T1566.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--0943aaa3-0382-4fe9-9eac-69dbdc4a2e73",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"relationship_type": "uses",
"source_ref": "intrusion-set--7ff82b53-a7ae-4331-be8f-9624439d3106",
"target_ref": "attack-pattern--01df90e4-619d-4268-90c9-6e2aa84079d9",
"confidence": 75,
"description": "MITRE ATT&CK mapping: scattered spider uses powershell (T1059.001)",
"x_validation_method": "mitre-mapper"
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--b241a2d6-f3df-4bc9-b6c4-830c46df2da2",
"value": "humblebundle.com"
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--e964bdeb-f9bf-4e95-909d-857b25c13b00",
"value": "https://www.humblebundle.com/books/cybersecurity-month-oreilly-books?hmb_source=&hmb_medium=product_tile&hmb_campaign=mosaic_section_1_layout_index_1_layout_type_threes_tile_index_2_c_cybersecuritymonthoreilly_bookbundle"
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--ceea3d30-e2e1-4ab8-a257-4ac591340429",
"value": "discord.com"
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--17f9fc57-e970-493a-abb6-f32fc4ea8ba4",
"value": "https://discord.com/press-releases/update-on-security-incident-involving-third-party-customer-service"
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--5ceb37ca-29d2-4b53-be40-b48f9dcc722f",
"value": "unity.com"
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--eb687af5-0362-4f6e-9e27-0d0d185aee22",
"value": "https://unity.com/security/sept-2025-01"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--60b08c59-fcb4-4534-a16a-977d711906ca",
"created": "2025-10-04T13:21:01.081Z",
"modified": "2025-10-04T13:21:01.081Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'humblebundle.com']",
"pattern_type": "stix",
"valid_from": "2025-10-04T13:21:01.081Z",
"labels": [
"malicious-activity"
],
"confidence": 90
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--f7b0e18e-2e67-4c51-beb8-003c9ab95134",
"created": "2025-10-04T13:21:01.081Z",
"modified": "2025-10-04T13:21:01.081Z",
"relationship_type": "based-on",
"source_ref": "indicator--60b08c59-fcb4-4534-a16a-977d711906ca",
"target_ref": "domain-name--b241a2d6-f3df-4bc9-b6c4-830c46df2da2"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b1a04d24-41ba-4a46-b485-8c14c62183ce",
"created": "2025-10-04T13:21:01.083Z",
"modified": "2025-10-04T13:21:01.083Z",
"name": "Malicious url indicator",
"description": "Malicious url identified in threat intelligence",
"pattern": "[url:value = 'https://www.humblebundle.com/books/cybersecurity-month-oreilly-books?hmb_source=&hmb_medium=product_tile&hmb_campaign=mosaic_section_1_layout_index_1_layout_type_threes_tile_index_2_c_cybersecuritymonthoreilly_bookbundle']",
"pattern_type": "stix",
"valid_from": "2025-10-04T13:21:01.083Z",
"labels": [
"malicious-activity"
],
"confidence": 90
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--0b829ccc-48ee-46ea-a173-764852fe3288",
"created": "2025-10-04T13:21:01.083Z",
"modified": "2025-10-04T13:21:01.083Z",
"relationship_type": "based-on",
"source_ref": "indicator--b1a04d24-41ba-4a46-b485-8c14c62183ce",
"target_ref": "url--e964bdeb-f9bf-4e95-909d-857b25c13b00"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--dc4180f3-270d-40e1-a6af-76f455d14bc0",
"created": "2025-10-04T13:21:01.084Z",
"modified": "2025-10-04T13:21:01.084Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'discord.com']",
"pattern_type": "stix",
"valid_from": "2025-10-04T13:21:01.084Z",
"labels": [
"malicious-activity"
],
"confidence": 90
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3f71e86d-a370-48a7-9b2a-8cf7a87a54e6",
"created": "2025-10-04T13:21:01.084Z",
"modified": "2025-10-04T13:21:01.084Z",
"relationship_type": "based-on",
"source_ref": "indicator--dc4180f3-270d-40e1-a6af-76f455d14bc0",
"target_ref": "domain-name--ceea3d30-e2e1-4ab8-a257-4ac591340429"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7e0b3e24-ce36-400c-a50f-f4292c530ced",
"created": "2025-10-04T13:21:01.086Z",
"modified": "2025-10-04T13:21:01.086Z",
"name": "Malicious url indicator",
"description": "Malicious url identified in threat intelligence",
"pattern": "[url:value = 'https://discord.com/press-releases/update-on-security-incident-involving-third-party-customer-service']",
"pattern_type": "stix",
"valid_from": "2025-10-04T13:21:01.086Z",
"labels": [
"malicious-activity"
],
"confidence": 90
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7cacc10f-1b1e-4ddf-96c8-26a9e7757c15",
"created": "2025-10-04T13:21:01.086Z",
"modified": "2025-10-04T13:21:01.086Z",
"relationship_type": "based-on",
"source_ref": "indicator--7e0b3e24-ce36-400c-a50f-f4292c530ced",
"target_ref": "url--17f9fc57-e970-493a-abb6-f32fc4ea8ba4"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d6d0953a-4fcd-41ea-84f1-4d5adbee3241",
"created": "2025-10-04T13:21:01.087Z",
"modified": "2025-10-04T13:21:01.087Z",
"name": "Malicious domain-name indicator",
"description": "Malicious domain-name identified in threat intelligence",
"pattern": "[domain-name:value = 'unity.com']",
"pattern_type": "stix",
"valid_from": "2025-10-04T13:21:01.087Z",
"labels": [
"malicious-activity"
],
"confidence": 90
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--57e82027-e198-40f8-96c2-88ee9557ce0a",
"created": "2025-10-04T13:21:01.087Z",
"modified": "2025-10-04T13:21:01.087Z",
"relationship_type": "based-on",
"source_ref": "indicator--d6d0953a-4fcd-41ea-84f1-4d5adbee3241",
"target_ref": "domain-name--5ceb37ca-29d2-4b53-be40-b48f9dcc722f"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--f5115312-4bdd-41b7-a5ed-31af8afb6350",
"created": "2025-10-04T13:21:01.088Z",
"modified": "2025-10-04T13:21:01.088Z",
"name": "Malicious url indicator",
"description": "Malicious url identified in threat intelligence",
"pattern": "[url:value = 'https://unity.com/security/sept-2025-01']",
"pattern_type": "stix",
"valid_from": "2025-10-04T13:21:01.088Z",
"labels": [
"malicious-activity"
],
"confidence": 90
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c890aa62-6571-4dbb-aea9-8bf520215547",
"created": "2025-10-04T13:21:01.088Z",
"modified": "2025-10-04T13:21:01.089Z",
"relationship_type": "based-on",
"source_ref": "indicator--f5115312-4bdd-41b7-a5ed-31af8afb6350",
"target_ref": "url--eb687af5-0362-4f6e-9e27-0d0d185aee22"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--de4355bd-c80b-43db-8851-05187733f3a5",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"relationship_type": "mitigated-by",
"source_ref": "vulnerability--5ccd741b-10b5-479d-92b9-cdc3eb3b599a",
"target_ref": "course-of-action--138384d0-aee4-4928-a051-0c8745630647",
"description": "CVE-2025-11202 is mitigated by Mitigate CVE-2025-11202"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--5618f147-f469-4b1f-b918-2e59106bd5cb",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"relationship_type": "mitigated-by",
"source_ref": "vulnerability--b167d898-c404-43b4-bd50-db2afd304b75",
"target_ref": "course-of-action--21617f22-d90c-4c74-9d75-7f74fa8057d4",
"description": "CVE-2025-11201 is mitigated by Mitigate CVE-2025-11201"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--b91d5b32-650b-4173-8f85-ee070a06ba11",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"relationship_type": "mitigated-by",
"source_ref": "vulnerability--f128a7b1-62ad-4387-a84a-81a9432bdc5a",
"target_ref": "course-of-action--a5933805-e88a-494d-9458-8bd3e093cc68",
"description": "CVE-2025-11200 is mitigated by Mitigate CVE-2025-11200"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--9abc7404-54d4-4029-90df-226a701a9e1d",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"relationship_type": "mitigated-by",
"source_ref": "vulnerability--9968b396-a461-4008-aaab-addd0e6e4eb6",
"target_ref": "course-of-action--824a4f4f-f778-4399-b18f-1662279cce41",
"description": "CVE-2025-10547 is mitigated by Mitigate CVE-2025-10547"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--04a2f1af-15cc-4c44-8335-586dd4478ddd",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"relationship_type": "mitigated-by",
"source_ref": "vulnerability--2c344ff8-fef3-453e-a755-699ffdd7afdb",
"target_ref": "course-of-action--4b257858-5d6e-472d-9527-acec00c6e687",
"description": "CVE-2025-11203 is mitigated by Mitigate CVE-2025-11203"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--cdc01636-b427-4c2b-926c-e96057dad448",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"relationship_type": "mitigated-by",
"source_ref": "vulnerability--34315f8d-afed-4968-9cbf-9e209154929c",
"target_ref": "course-of-action--a7809b8a-5499-4c26-b837-e9648f806a5e",
"description": "CVE-2025-4008 is mitigated by Mitigate CVE-2025-4008"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--64c506ae-14af-49fc-8e22-6c397f940dc5",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"relationship_type": "targets",
"source_ref": "campaign--688118ce-d0bd-4a35-8e42-12a506441207",
"target_ref": "vulnerability--5ccd741b-10b5-479d-92b9-cdc3eb3b599a",
"description": "CVE-2025-11202 Exploitation Campaign targets CVE-2025-11202"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--2f5790b9-0bc6-4e6d-880d-53398731e7fd",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"relationship_type": "targets",
"source_ref": "campaign--ca8e9efc-a887-4c41-a481-2f1128f3e50d",
"target_ref": "vulnerability--b167d898-c404-43b4-bd50-db2afd304b75",
"description": "CVE-2025-11201 Exploitation Campaign targets CVE-2025-11201"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--fdc2caee-abca-4620-b485-d01d60487aad",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"relationship_type": "targets",
"source_ref": "campaign--ba2a60c9-a114-485f-abc9-c4f9d5f6fbaf",
"target_ref": "vulnerability--f128a7b1-62ad-4387-a84a-81a9432bdc5a",
"description": "CVE-2025-11200 Exploitation Campaign targets CVE-2025-11200"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--2e0cf94a-e227-405d-8302-d79183318747",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"relationship_type": "targets",
"source_ref": "campaign--23ca3d3b-0fb9-440b-aed0-6486c25e2cc9",
"target_ref": "vulnerability--9968b396-a461-4008-aaab-addd0e6e4eb6",
"description": "CVE-2025-10547 Exploitation Campaign targets CVE-2025-10547"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c284abae-5266-4266-a3d5-a3b2644a8b8a",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"relationship_type": "targets",
"source_ref": "campaign--05764aae-712c-434a-9c0f-f0c6b1459060",
"target_ref": "vulnerability--2c344ff8-fef3-453e-a755-699ffdd7afdb",
"description": "CVE-2025-11203 Exploitation Campaign targets CVE-2025-11203"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--baa2b9d4-1e65-4476-857b-7901caed12e2",
"created": "2025-10-04T13:21:01.705Z",
"modified": "2025-10-04T13:21:01.705Z",
"relationship_type": "targets",
"source_ref": "campaign--61e6c492-6e9a-4225-8c44-9e4e123e0c8b",
"target_ref": "vulnerability--34315f8d-afed-4968-9cbf-9e209154929c",
"description": "CVE-2025-4008 Exploitation Campaign targets CVE-2025-4008"
}
]
}
Download: 2025-10-04-stix.json