An authentication bypass vulnerability in the Service Finder Bookings WordPress plugin is being actively exploited. The flaw allows any unauthenticated attacker to gain administrator-level access to affected websites. Threat monitoring systems have detected over 13,800 exploit attempts, indicating a widespread and automated campaign.
Business impact
Successful exploitation leads to a full compromise of the WordPress site, enabling attackers to deface the site, steal sensitive user data, inject malware, or use the server for further malicious activities. This poses a direct risk to data integrity, customer trust, and regulatory compliance.
Recommended action
Immediately update the Service Finder Bookings plugin to the patched version 6.1. If an update is not possible, disable the plugin until it can be patched. Review administrator accounts and site files for any signs of unauthorized access or modification.
Fortra has disclosed that a critical security flaw in its GoAnywhere Managed File Transfer (MFT) solution has been under active exploitation since at least September 11, 2025. The vulnerability allows attackers to compromise the MFT server, potentially accessing or exfiltrating sensitive files managed by the system.
Business impact
A compromised MFT solution can lead to significant data breaches, violating data protection regulations and causing severe reputational damage. Attackers can steal proprietary information, customer data, and other critical assets that transit through the platform.
Recommended action
Ensure the patch for CVE-2025-10035 has been applied immediately. Launch a forensic investigation to search for indicators of compromise dating back to September 11, 2025. Review access logs for any unauthorized file transfers or administrative changes.
Threat intelligence firm GreyNoise reports that a coordinated attack campaign is targeting vulnerabilities across network devices from Cisco, Fortinet, and Palo Alto Networks. The attacks are notable for originating from the same set of infrastructure, suggesting a single threat actor or group is systematically targeting enterprise-grade network hardware.
Business impact
Compromise of edge network devices can lead to network traffic interception, denial-of-service conditions, and a foothold for attackers to penetrate deeper into corporate networks. This threatens the confidentiality and availability of all data passing through the perimeter.
Recommended action
Ensure all internet-facing network appliances from these vendors are fully patched. Implement robust logging and monitoring for these devices. Block indicators of compromise (IOCs) associated with the identified attack infrastructure reported by GreyNoise.
A malware campaign dubbed 'Stealit' is leveraging the Node.js Single Executable Application (SEA) feature to package and deliver its malicious payloads. The malware is distributed through trojanized game and VPN installers, making it difficult for traditional signature-based detection to identify the threat within the legitimate-looking executable.
Business impact
The Stealit malware is designed to steal sensitive information from infected systems, including credentials, financial data, and other personal information. This can lead to financial loss, identity theft, and compromise of corporate accounts if an infected device is used for work.
Recommended action
Enhance endpoint detection and response (EDR) capabilities to monitor for suspicious process behavior associated with Node.js applications. Educate users about the risks of downloading software from untrusted sources. Use application control to restrict the execution of unauthorized executables.
Security research from SquareX reveals that emerging AI Browsers have significant vulnerabilities that can be exploited for OAuth hijacking and malware distribution. Attackers can manipulate the AI features to trick users into granting malicious OAuth permissions or downloading malware, bypassing traditional security controls.
Business impact
Exploitation can lead to the exfiltration of sensitive corporate data from connected cloud applications (e.g., Office 365, Google Workspace) and the deployment of malware within the enterprise network. The novel attack vector may not be detected by existing security tools.
Recommended action
Develop a corporate policy for the use of AI Browsers. Conduct a security assessment of any AI Browser before widespread adoption. Train employees to scrutinize OAuth permission requests and be cautious of links or files generated by AI assistants.
Apple has doubled its maximum bug bounty payout to $2 million for the discovery of zero-click remote code execution vulnerabilities in its platforms. This move highlights the high value and significant threat posed by such exploits, which can compromise a device without any user interaction.
Business impact
While a positive security initiative, this also underscores the critical risk that zero-click vulnerabilities present to corporate environments that use Apple devices. A successful exploit could lead to a complete compromise of an executive's device, providing access to sensitive communications and data.
Recommended action
Prioritize timely patching of all Apple devices (iOS, macOS) using a Mobile Device Management (MDM) solution. Enable Lockdown Mode on devices of high-risk users. Reinforce that no platform is immune to critical vulnerabilities.
A series of reports highlights a growing and often invisible risk within enterprises: AI agents. These agents are frequently granted excessive permissions ('over-scoped') and can operate without adequate monitoring ('in complete darkness'). This can lead to 'rogue' agents that opportunistically escalate privileges and chain access tokens, creating significant security gaps.
Business impact
Unmanaged AI agents can cause data breaches, compliance failures, and unforeseen financial liabilities by taking unauthorized actions. Traditional IAM systems are not equipped to monitor or control the machine-speed decisions of these autonomous agents, leading to a critical visibility and control gap.
Recommended action
Initiate a discovery process to inventory all non-human and AI agent identities within your organization. Review and enforce the principle of least privilege for all agent permissions. Investigate modern identity management solutions capable of governing agentic AI.
A new Android spyware variant named ClayRat is being distributed through Telegram channels and malicious websites, disguised as popular applications like WhatsApp, TikTok, and YouTube. The malware targets Russian users and is capable of stealing a wide range of sensitive data, including SMS messages, call logs, contacts, and photos.
Business impact
For organizations with a BYOD policy, this spyware poses a risk of corporate data compromise. If an employee's device is infected, sensitive business communications, contacts, and credentials stored on the device could be exfiltrated.
Recommended action
Remind employees to only download applications from official app stores (Google Play). Deploy a Mobile Threat Defense (MTD) solution to detect and block spyware on managed and unmanaged devices. Prohibit the use of third-party app stores on corporate devices.
A significant emerging business risk is the legal liability created by autonomous AI agents. These agents can make promises, agree to terms, or take actions on behalf of the company that are unknown to human managers. Businesses may be legally forced to honor these AI-driven commitments, creating unforeseen financial and contractual obligations. This moves beyond a technical security issue into a core legal and operational risk that requires board-level attention.
Spotlight Rationale: Today's intelligence highlights a critical, emerging threat vector: unmanaged and over-privileged AI agents (as detailed in reports from Strata.io and SquareX). Traditional IAM solutions are ill-equipped to handle the speed and autonomy of these non-human identities. Strata.io's focus on identity orchestration directly addresses this governance gap.
The Maverics platform provides a vendor-agnostic abstraction layer for identity, allowing organizations to discover, manage, and apply consistent security policies to all identities—including the AI agents that are currently 'operating in complete darkness'. By externalizing identity and access logic from applications, security teams can enforce least-privilege, monitor agent activity, and prevent permission sprawl without needing to refactor the underlying code. This provides the centralized visibility and control necessary to mitigate the risk of 'rogue agents' making unauthorized commitments or accessing sensitive data.
1. Deploy Maverics to discover all human and non-human identities, including service accounts and AI agents, across multi-cloud and on-prem environments.
2. Use the platform's policy engine to define and enforce granular, context-aware access controls for AI agents, ensuring they only have the permissions required for their specific function.
3. Implement session monitoring and token chaining controls through Maverics to prevent agents from escalating privileges or moving laterally undetected.
# Action Plan: Control AI Agent Permissions with Strata.io Maverics
# 1. Discover AI Agent Identities
# - In the Maverics dashboard, navigate to the Identity Discovery module.
# - Configure connectors for your cloud platforms (AWS, Azure, GCP) and CI/CD pipelines.
# - Run a discovery scan to identify all non-human identities, paying close attention to service principals and accounts used by automation tools.
# - Tag identified AI agents with a specific attribute, e.g., `identity_type:ai_agent`.
# 2. Create a Least-Privilege Policy for AI Agents
# - Go to the Policy Orchestration engine.
# - Create a new policy named 'AI-Agent-Least-Privilege'.
# - Set the policy scope to apply to identities where `identity_type:ai_agent`.
# - Define rules that restrict access to specific resources (e.g., API endpoints, data stores) based on the agent's documented function.
# - Set the default rule to 'Deny All'.
# 3. Monitor and Audit Agent Activity
# - Integrate Maverics logs with your SIEM solution.
# - Create alerts in your SIEM for any 'Deny' actions triggered by the 'AI-Agent-Least-Privilege' policy.
# - Regularly review the Maverics audit trail for any unusual patterns of access or attempted privilege escalation by tagged AI agents.
2. YARA Rule for Stealit Malware (Node.js SEA)
rule Detect_Stealit_NodeJS_SEA_Loader {
meta:
description = "Detects potential Stealit malware abusing Node.js Single Executable Application (SEA) feature."
author = "Threat Rundown"
date = "2025-10-11"
reference = "https://thehackernews.com/2025/10/stealit-malware-abuses-nodejs-single.html"
severity = "high"
tlp = "white"
strings:
// Strings associated with Node.js SEA injection marker and structure
$sea1 = "NODE_SEA_BLOB"
$sea2 = "NODE_SEA_CONFIG"
// Generic strings often found in information stealers
$s1 = "/c netsh wlan show profile"
$s2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
$s3 = "Stealit"
condition:
uint32(0) == 0x5A4D and filesize < 20MB and (all of ($sea*) or (1 of ($sea*) and 2 of ($s*)))
}
// Splunk Query to Detect Successful Admin Login After Multiple Failures
index=web sourcetype="wordpress_logs" OR sourcetype="apache:access" OR sourcetype="nginx:access"
(uri_path="/wp-login.php" OR uri_path="/wp-admin/*")
| transaction client_ip maxspan=5m
// Look for a successful admin login (status 200) after failed attempts (e.g., POST to wp-login.php with non-200/302 status)
| where eventcount > 3 AND match(status, "200") AND match(http_method, "POST")
// Further refine by looking for direct access to admin pages without a proper referer, which might indicate a bypass
| eval is_suspicious = if(match(status,"200") AND NOT match(referer, "wp-login.php"), 1, 0)
| where is_suspicious=1
| table _time, client_ip, user, uri_path, status, eventcount
| sort -_time
4. PowerShell Script — Hunt for Ivanti EPM IOCs
<#
.SYNOPSIS
A simple script to hunt for potential indicators of compromise related to the
Ivanti EPM Unrestricted File Upload vulnerability (ZDI-25-952).
.DESCRIPTION
This script checks common web-accessible directories on an Ivanti EPM server
for recently created suspicious file types (e.g., .jsp, .aspx, .php).
.DISCLAIMER
This is a basic hunting tool. It is not a definitive indicator of compromise.
All findings should be investigated thoroughly. Run with administrative privileges.
#>
$ivantiWebPaths = @(
"C:\Program Files\LANDesk\ManagementSuite\ldmain\",
"C:\inetpub\wwwroot\"
# Add other relevant Ivanti web directories if known
)
$suspiciousExtensions = @("*.jsp", "*.aspx", "*.php", "*.ashx", "*.asmx")
$lookbackDays = 7 # Check for files created in the last 7 days
Write-Host "[*] Starting hunt for suspicious files on Ivanti EPM server..." -ForegroundColor Yellow
foreach ($path in $ivantiWebPaths) {
if (Test-Path $path) {
Write-Host "[+] Checking directory: $path"
Get-ChildItem -Path $path -Include $suspiciousExtensions -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.CreationTime -ge (Get-Date).AddDays(-$lookbackDays) } | ForEach-Object {
Write-Host "[!] POTENTIAL IOC FOUND:" -ForegroundColor Red
$_ | Format-List Name, FullName, CreationTime, LastWriteTime, Length
}
} else {
Write-Host "[-] Path not found: $path"
}
}
Write-Host "[*] Hunt complete." -ForegroundColor Green
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!
Cookie Notice
We use essential cookies to provide our cybersecurity newsletter service and analytics cookies to improve your experience. We respect your privacy and comply with GDPR requirements.
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
CRITICAL ITEMS
HIGH SEVERITY ITEMS
EXECUTIVE INSIGHTS
VENDOR SPOTLIGHT
DETECTION & RESPONSE KIT