Threat intelligence firm GreyNoise has reported a 500% increase in scanning activity targeting Palo Alto Networks login portals, the highest level observed in three months. This significant spike in reconnaissance suggests threat actors may be actively searching for vulnerable instances in preparation for widespread exploitation campaigns. Organizations using Palo Alto Networks products should verify their exposure and ensure all systems are fully patched and securely configured.
CISA has added vulnerabilities affecting Smartbedded Meteobridge, Samsung, Juniper ScreenOS, Jenkins, and GNU Bash to its KEV catalog, confirming they are under active exploitation in the wild. This action mandates that Federal Civilian Executive Branch agencies patch these flaws by specified deadlines. The inclusion of these diverse products highlights the broad attack surface actively targeted by threat actors.
Researchers have detailed a new attack, dubbed "CometJacking," that targets Perplexity's Comet AI browser. By embedding malicious prompts into a seemingly harmless link, attackers can trick the browser into exfiltrating sensitive data from connected services, including email and calendars. This highlights the emerging threat surface associated with agentic AI systems and their integrations.
A retrospective of major September 2025 incidents reveals a diverse and persistent threat landscape. Key events included a worm-like supply chain attack affecting npm packages, a significant ransomware attack on Brazil's healthcare sector, and an insider data breach at a U.S. bank. This analysis underscores the need for a multi-layered defense strategy that addresses external attacks, supply chain integrity, and internal threats.
Italy is set to enact a national artificial intelligence law on October 10, 2025, becoming the first EU member to do so ahead of the broader EU AI Act. This move signals a growing global focus on AI regulation, which will have significant compliance and risk management implications for organizations developing or deploying AI technologies. Security and compliance leaders must begin assessing how this evolving legal landscape impacts their AI governance strategies and data protection obligations.
Spotlight Rationale: Selected in response to the 500% surge in scanning activity targeting Palo Alto Networks portals. GreyNoise's internet-wide sensor network provides critical, early-warning intelligence on reconnaissance campaigns, enabling defenders to proactively identify and block malicious scanners before an exploit is attempted.
GreyNoise addresses the challenge of alert fatigue by differentiating benign internet noise from targeted and opportunistic scanning. By analyzing and classifying IP addresses scanning the internet, it provides high-fidelity data on emerging threats. This allows Security Operations Centers (SOCs) to prioritize firewall alerts originating from IPs that GreyNoise has identified as malicious, directly addressing the risk highlighted by the increased scanning of PAN-OS devices.
Actionable Platform Guidance: Organizations can immediately leverage GreyNoise to triage the Palo Alto scanning threat by searching for IPs targeting PAN-OS and GlobalProtect ports. For proactive defense, integrating the GreyNoise API with a SIEM or SOAR platform allows for automated enrichment of firewall logs, enabling high-confidence alerting and blocking of IPs with malicious classifications.
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - GreyNoise
# Action Plan: Integrate GreyNoise to Detect & Block Malicious PAN Scanners
# 1. SIEM/SOAR Integration:
# - In your SIEM or SOAR platform, install the GreyNoise App/Connector.
# - Configure the connector with your GreyNoise API key.
# - Set up an automated lookup or enrichment job for all inbound traffic logs from your perimeter firewall (e.g., Palo Alto Networks).
# 2. Create a High-Fidelity Alert Rule:
# - Trigger an alert when the following conditions are met:
# a. Log source is your perimeter firewall (sourcetype="pan:traffic").
# b. Connection is denied OR accepted to your PAN management/GlobalProtect ports.
# c. The source IP address is enriched with GreyNoise data.
# d. The GreyNoise classification is "malicious".
# 3. Verification:
# - Monitor the new alerts. They should represent confirmed malicious scanners.
# - Use the GreyNoise Visualizer (https://viz.greynoise.io/) to manually investigate IPs from alerts for additional context on tags, actor, and activity.
# 4. (Optional) Automated Blocking:
# - Create a SOAR playbook to automatically add any source IP that triggers the above alert to a firewall blocklist for a specified duration (e.g., 30 days).
2. YARA Rule for win-cli-mcp-server RCE (CVE-2025-11202)
rule SUSP_WinCliMCPServer_RCE_CVE_2025_11202 {
meta:
description = "Detects strings related to the win-cli-mcp-server command injection vulnerability (CVE-2025-11202)."
author = "Threat Rundown"
date = "2025-10-05"
reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-11202"
severity = "critical"
tlp = "white"
strings:
$s1 = "resolveCommandPath"
$s2 = "win-cli-mcp-server"
// Common command injection payloads
$c1 = ";/bin/sh"
$c2 = "|/bin/bash"
$c3 = "&& powershell"
$c4 = "`wget"
condition:
(uint16(0) == 0x5a4d or uint32(0) == 0x464c457f) and // PE or ELF file
(1 of ($s*)) and (1 of ($c*))
}
// Splunk Search Query
index=pan sourcetype="pan:traffic" action=deny OR action=allow
// Add your PAN management or GlobalProtect destination ports
(dest_port=443 OR dest_port=4443 OR dest_port=4767)
// Use a lookup table populated by the GreyNoise API
| lookup greynoise_ip_context source_ip as src_ip
// Filter for IPs GreyNoise has classified as malicious
| where classification="malicious"
| stats count by _time, src_ip, dest_port, classification, actor
| sort -_time
4. PowerShell Script — Check for Vulnerable win-cli-mcp-server Version
# This script is a template. Update $vulnerableVersion and the file path.
$computers = "localhost", "SERVER01", "WEBSRV05"
$filePath = "C:\Program Files\win-cli-mcp-server\bin\mcp-server.exe"
$vulnerableVersion = "1.2.0" # Replace with the actual last vulnerable version
foreach ($computer in $computers) {
if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
try {
Write-Host "Checking $computer..." -ForegroundColor Yellow
$fileObject = Invoke-Command -ComputerName $computer -ScriptBlock {
param($path)
Get-Item -Path $path -ErrorAction Stop
} -ArgumentList $filePath
$fileVersion = $fileObject.VersionInfo.ProductVersion
if ([System.Version]$fileVersion -le [System.Version]$vulnerableVersion) {
Write-Host "[VULNERABLE] $computer has version $fileVersion of mcp-server.exe" -ForegroundColor Red
} else {
Write-Host "[OK] $computer has version $fileVersion (not vulnerable)." -ForegroundColor Green
}
} catch {
Write-Host "[INFO] Could not find file on $computer or other error: $($_.Exception.Message)" -ForegroundColor Cyan
}
} else {
Write-Host "[ERROR] Cannot connect to $computer." -ForegroundColor Gray
}
}
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!
Cookie Notice
We use essential cookies to provide our cybersecurity newsletter service and analytics cookies to improve your experience. We respect your privacy and comply with GDPR requirements.
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
CRITICAL ITEMS
HIGH SEVERITY ITEMS
EXECUTIVE INSIGHTS
VENDOR SPOTLIGHT
DETECTION & RESPONSE KIT