The Australian Signals Directorate (ASD) has issued a warning about ongoing attacks actively exploiting a critical vulnerability in Cisco IOS XE devices. Threat actors are leveraging this flaw to install the "BadCandy" webshell, which grants them administrative access and persistent control over compromised network infrastructure.
Business impact
Compromise of core network devices can lead to widespread network outages, data interception, lateral movement into sensitive internal networks, and significant reputational damage. This poses a direct threat to network integrity and data security.
Recommended action
Immediately apply patches for CVE-2023-20198 to all affected Cisco IOS XE devices. Hunt for indicators of compromise, including the presence of the BadCandy webshell, and review device configurations for unauthorized changes.
CISA is warning that ransomware groups are actively exploiting a high-severity use-after-free vulnerability in the Linux kernel's `netfilter: nf_tables` subsystem. The flaw, which was introduced in 2014 and patched in January 2024, allows a local attacker to achieve privilege escalation to root, a critical step in deploying ransomware across a server.
Business impact
Successful exploitation allows attackers to gain full control over compromised Linux servers, enabling data exfiltration, ransomware deployment, and destruction of backups. This can result in catastrophic operational disruption and financial loss.
Recommended action
Ensure all Linux systems are patched against CVE-2024-1086. Prioritize patching for internet-facing servers. Monitor for anomalous processes and unauthorized privilege escalation events.
The cyber espionage group known as Tick, linked to China, is exploiting a critical zero-day vulnerability in Motex Lanscope Endpoint Manager. The flaw allows remote attackers to execute arbitrary commands with SYSTEM-level privileges, effectively enabling a complete takeover of managed endpoints.
Business impact
This vulnerability allows for widespread compromise of corporate systems, facilitating data theft, deployment of additional malware, and long-term persistence within the network. The high CVSS score of 9.3 underscores the severe risk to intellectual property and operational security.
Recommended action
Immediately apply the patch for CVE-2025-61932 to all instances of Motex Lanscope Endpoint Manager. Isolate vulnerable systems if patching is not immediately possible and scan endpoints for signs of compromise.
Check Point Research has detailed three vulnerabilities in the Windows Graphics Device Interface (GDI) that can lead to remote code execution and memory exposure. These flaws were addressed in Microsoft's Patch Tuesday updates in May, July, and August 2025, but unpatched systems remain at high risk.
Business impact
Exploitation could allow an attacker to take full control of an affected system by tricking a user into opening a specially crafted file or visiting a malicious website. This can lead to data breaches, malware installation, and further network intrusion.
Recommended action
Verify that all Windows systems have received the cumulative updates from May, July, and August 2025. Prioritize patching for user workstations, which are common targets for this type of attack vector.
The China-based threat group Storm-1849 is actively scanning for and exploiting vulnerabilities in Cisco ASA firewalls, with a particular focus on devices used by government entities worldwide. This campaign aims to establish initial access into sensitive government networks for espionage purposes.
Business impact
A compromised firewall provides a direct entry point into a network, bypassing perimeter defenses. This can lead to significant data exfiltration of sensitive government information, long-term persistence, and the ability to pivot to other critical systems.
Recommended action
Ensure all Cisco ASA devices are fully patched and securely configured. Monitor firewall logs for anomalous scanning activity and outbound connections originating from the firewall itself. Implement network segmentation to limit the impact of a potential breach.
CVE: n/a | Compliance: General Enterprise | Source: The Record
A sophisticated malware campaign is targeting the defense sector using weaponized ZIP archives disguised as Russian military documents. The payload is an advanced backdoor that uses SSH over the Tor network for stealthy and resilient command-and-control (C2) communications.
Business impact
This attack poses a severe espionage risk to defense organizations. The use of Tor for C2 makes detection and blocking difficult, allowing attackers to exfiltrate sensitive data and maintain long-term access undetected.
Recommended action
Enhance user awareness training on phishing, especially with themed lures. Block or monitor Tor traffic at network egress points. Employ advanced endpoint protection to detect malicious script execution from archive files.
Ukrainian national Oleksii Lytvynenko has been extradited from Ireland to the U.S. to face charges for his alleged involvement in the prolific Conti ransomware operation. This action highlights ongoing international law enforcement efforts to dismantle cybercrime syndicates and hold their members accountable.
Business impact
This legal action serves as a deterrent to cybercriminals and disrupts the operations of ransomware groups. For businesses, it underscores the severe legal and financial consequences associated with ransomware attacks and the global effort to combat them.
Recommended action
This is a law enforcement update with no direct technical action. Maintain robust anti-ransomware defenses, including offline backups, network segmentation, and incident response plans.
This article emphasizes the critical role of DNS in the cyberattack lifecycle. Nearly all malicious actions, from phishing to C2 callbacks and data exfiltration, begin with a DNS query. Treating DNS as a security control point through Protective DNS services can proactively block threats before they establish a connection.
Business impact
Failing to secure DNS leaves a significant gap in security posture. A DNS-based defense can prevent malware infections, block ransomware C2, and stop data exfiltration, reducing overall incident response costs and operational impact.
Recommended action
Evaluate and implement a Protective DNS solution. Integrate threat intelligence feeds into DNS firewalls to block known malicious domains and monitor DNS logs for suspicious query patterns.
A community-provided script and guide focuses on hardening SSH configurations based on CIS benchmarks. Key recommendations include implementing multi-factor authentication (MFA), disabling root login, and using strong cryptographic algorithms to prevent unauthorized access to critical servers.
Business impact
Unsecured SSH is a primary vector for server compromise. Hardening SSH configurations significantly reduces the attack surface, preventing brute-force attacks and unauthorized access that could lead to data breaches or system takeovers.
Recommended action
Audit SSH configurations across all servers. Implement MFA for all SSH access, disable password-based authentication in favor of SSH keys, and apply configuration changes aligned with security benchmarks like CIS.
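As an added example (not code from the page or from the community script it describes), the following Python audits an `sshd_config` for the settings named above: root login, password authentication, MFA via `AuthenticationMethods`, and explicit cipher/MAC allow-lists. The allow-lists and both sample configs are constructed assumptions, not CIS text.

```python
# Added example (not from the page or the script it describes): audit an sshd_config
# against the settings above; allow-lists are illustrative assumptions, not CIS text.
import re
STRONG = {  # assumed strong-algorithm allow-lists
    "ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"},
    "macs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"},
}

def parse_sshd_config(text):
    """Global settings as {keyword.lower(): value}; like sshd, keep the first
    occurrence of a keyword and stop at 'Match' (conditional settings)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("match "):
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1])
    return conf

def audit(conf):
    """Return findings; an empty list means every check passed."""
    findings = []
    if conf.get("permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin should be 'no'")
    if conf.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication should be 'no' (use keys)")
    methods = conf.get("authenticationmethods", "")  # MFA: every chain needs >= 2 factors
    if not methods or any(len(alt.split(",")) < 2 for alt in methods.split()):
        findings.append("AuthenticationMethods does not enforce MFA")
    for key, allowed in STRONG.items():
        value = conf.get(key, "")
        if not value or value[0] in "+-^":  # unset, or only edits sshd's default list
            findings.append(f"{key}: set an explicit allow-list")
        elif weak := sorted(set(value.split(",")) - allowed):
            findings.append(f"{key}: weak algorithms {','.join(weak)}")
    return findings

WEAK_CONFIG = """PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes256-ctr,3des-cbc
"""  # constructed sample: typical unhardened host

HARDENED_CONFIG = """PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
"""  # constructed sample hardened per the recommendations above
```

Run `audit(parse_sshd_config(open("/etc/ssh/sshd_config").read()))` on a host to get its findings; settings inside `Match` blocks are deliberately not evaluated.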
OpenAI has announced Aardvark, an autonomous AI agent powered by GPT-5 designed to function as an agentic security researcher. The system can automatically scan code, identify complex vulnerabilities, and generate patches, potentially revolutionizing secure software development and vulnerability management. This represents a major strategic shift in cybersecurity, where AI can be leveraged to scale and accelerate defensive capabilities, though it also raises questions about the potential for misuse.
Spotlight Rationale: Today's critical threats, including the [BadCandy webshell](https://securityaffairs.com/?p=184095) and the [SSH-Tor backdoor](https://cyble.com/?p=103767), rely on command-and-control (C2) communications to function. A Protective DNS solution can disrupt this critical stage of the attack chain, rendering the malware ineffective.
Infoblox's BloxOne Threat Defense provides a cloud-native Protective DNS service that proactively blocks connections to malicious destinations. By analyzing DNS queries in real-time and applying threat intelligence, it can prevent endpoints from communicating with C2 servers used by threats like BadCandy. This approach stops attacks before data exfiltration or lateral movement can occur, effectively neutralizing the threat at the network edge.
1. **Enable Threat Feeds:** In the BloxOne Threat Defense policy engine, ensure that threat intelligence feeds for "Malware," "C2," and "Newly Observed Domains" are enabled and set to block.
2. **Create Custom Blocklists:** Augment built-in feeds by adding any available domain-based IOCs for threat groups like Storm-1849 and Tick to a custom blocklist.
3. **Monitor DNS Logs:** Use the reporting features to monitor for spikes in DNS queries to suspicious domains. Investigate endpoints making these requests, as they may be compromised.
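An added example, not Infoblox's code nor the page's own: step 3's monitoring logic in Python over a constructed resolver log, applying a placeholder custom blocklist (step 2) and flagging one client repeatedly querying one domain within a short window. The log format, domain names, thresholds and sample traffic are assumptions.

```python
# Added example (not Infoblox's code or the page's own): the blocklist and "spike in
# queries" checks from the steps above over a constructed resolver log (all values assumed).
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BLOCKLIST = {"c2-placeholder.example"}  # placeholder custom-list IOC, not a real one
SPIKE_THRESHOLD, SPIKE_WINDOW = 20, timedelta(minutes=5)

def build_sample_log():
    """Constructed lines 'ISO8601 client qname qtype rcode': one host browsing,
    one host resolving an unlisted domain every 10 s (beacon-like), one IOC hit."""
    t0 = datetime(2025, 11, 3, 9, 0, tzinfo=timezone.utc)
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = [f"{stamp(i * 37)} 10.0.0.15 www{i % 4}.example.com A NOERROR" for i in range(10)]
    lines += [f"{stamp(i * 10)} 10.0.0.42 x7q.unlisted-placeholder.example A NOERROR" for i in range(24)]
    lines.append(f"{stamp(120)} 10.0.0.15 beacon.c2-placeholder.example A NXDOMAIN")
    return "\n".join(lines)

def parse_log(text):
    """Yield (time, client, qname); malformed lines are skipped."""
    for line in text.splitlines():
        try:
            ts, client, qname, _qtype, _rcode = line.split()
        except ValueError:
            continue
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), client, qname.lower().rstrip(".")

def registered_domain(qname):
    """Last two labels; production code should consult a public-suffix list."""
    return ".".join(qname.split(".")[-2:])

def blocklist_hits(records):
    """(client, qname) pairs whose registered domain is on the custom list."""
    return {(c, q) for _, c, q in records if registered_domain(q) in BLOCKLIST}

def query_spikes(records, threshold=SPIKE_THRESHOLD, window=SPIKE_WINDOW):
    """{(client, domain): peak count} for clients hitting one domain >= threshold times in a window."""
    times_by_key = defaultdict(list)
    for t, c, q in records:
        times_by_key[(c, registered_domain(q))].append(t)
    spikes = {}
    for key, times in times_by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                spikes[key] = max(spikes.get(key, 0), end - start + 1)
    return spikes
```

Note that the spike check catches the unlisted beaconing host that the blocklist alone misses; tune the threshold against your own baseline before acting on it.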
```text
# Infoblox BloxOne Threat Defense Policy Configuration Steps
# 1. Log in to the Infoblox Cloud Services Portal.
# 2. Navigate to: Manage -> Security -> Security Policies.
# 3. Select the default global policy or create a new one for critical assets.
# 4. In the policy editor, click 'Add Rule'.
# 5. For 'Threat Feeds', add the following and set Action to 'Block - No Redirect':
#    - C2 (Command and Control)
#    - Malware
#    - Phishing
# 6. For 'Threat Insight' and 'Newly Observed Domains', set Action to 'Block - No Redirect'
#    to prevent connections to new, potentially malicious domains.
# 7. To add specific IOCs (e.g., from today's report):
#    - Navigate to: Manage -> Security -> Custom Lists.
#    - Create a new Custom List and add malicious domains associated with Storm-1849 or Tick.
#    - Add this new Custom List to your security policy with an action of 'Block'.
# 8. Save and deploy the policy changes.
```
3. SIEM Query — Linux Privilege Escalation (CVE-2024-1086)
````spl
```Splunk query: potential CVE-2024-1086 exploitation seen in auditd SYSCALL records```
index=linux sourcetype="linux:audit" type=SYSCALL
```Stitch each process's records together; pid reuse inside 5 minutes is assumed negligible```
| transaction pid maxspan=5m
```After transaction, euid is multivalue, so one process can match both a web-server account and root (0)```
```auid is the login uid; auid!="unset" drops daemons that have no login session```
| search (euid="www-data" OR euid="apache" OR euid="nginx") AND euid=0 AND auid!="unset"
| table _time, host, auid, pid, exe, a0, a1, a2
| rename auid AS InitialUser, exe AS Process, a0 AS Arg0, a1 AS Arg1, a2 AS Arg2
| sort -_time
````
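Added example, not from the page: the same correlation as stand-alone Python over constructed auditd SYSCALL records, so the logic can be tested without a Splunk instance. The uid-to-account mapping, the window and the sample records are assumptions.

```python
# Added example (not from the page): the correlation the Splunk query above expresses,
# as stand-alone Python over constructed auditd SYSCALL records. Group by pid and flag a
# pid whose euid moves from a web-server account to 0 within the window.
# The uid-to-account mapping and the window length are assumptions.
from collections import defaultdict
import re

WEB_UIDS = {"33", "48", "www-data", "apache", "nginx"}  # assumed web-server uids/names
WINDOW_SECONDS = 300  # same 5-minute span as the query's transaction maxspan

AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 pid=4242 auid=1001 uid=33 euid=33 exe="/usr/bin/python3" key=(null)
type=SYSCALL msg=audit(1700000012.202:502): arch=c000003e syscall=2 success=yes exit=3 pid=4242 auid=1001 uid=33 euid=33 exe="/usr/bin/python3" key=(null)
type=SYSCALL msg=audit(1700000040.303:503): arch=c000003e syscall=59 success=yes exit=0 pid=4242 auid=1001 uid=0 euid=0 exe="/usr/bin/bash" key=(null)
type=SYSCALL msg=audit(1700000050.404:504): arch=c000003e syscall=59 success=yes exit=0 pid=5150 auid=1002 uid=1002 euid=1002 exe="/usr/bin/vim" key=(null)
type=SYSCALL msg=audit(1700000060.505:505): arch=c000003e syscall=59 success=yes exit=0 pid=6001 auid=4294967295 uid=0 euid=0 exe="/usr/sbin/cron" key=(null)
"""  # constructed records: pid 4242 escalates, 5150 is a normal user, 6001 a daemon

def parse_audit(text):
    """Yield one dict per SYSCALL record: its key=value fields plus float 'time'."""
    for line in text.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue
        rec = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
        rec["time"] = float(re.search(r"audit\((\d+\.\d+):", line).group(1))
        rec["exe"] = rec.get("exe", "").strip('"')
        yield rec

def find_escalations(records, window=WINDOW_SECONDS):
    """Return [(pid, auid, exe_as_web_user, exe_as_root)] for each pid where a
    record with a web-server euid is followed within `window` s by euid=0."""
    by_pid = defaultdict(list)
    for r in records:
        if r.get("auid") not in (None, "4294967295", "unset"):  # unset auid = no login session
            by_pid[r["pid"]].append(r)
    hits = []
    for pid, recs in by_pid.items():
        recs.sort(key=lambda r: r["time"])
        for w in (r for r in recs if r["euid"] in WEB_UIDS):
            root = next((r for r in recs if r["euid"] == "0"
                         and 0 <= r["time"] - w["time"] <= window), None)
            if root:
                hits.append((pid, w["auid"], w["exe"], root["exe"]))
                break
    return hits
```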
4. PowerShell Script — Hunt for Post-Exploitation Dropper Files
```powershell
<#
.SYNOPSIS
Scans for recently created executable or script files in critical Windows directories.
This can help find droppers from exploits like the Windows GDI vulnerabilities.
.DESCRIPTION
Checks System32, Temp, and ProgramData for files created in the last 24 hours with suspicious extensions.
#>
$lookbackHours = 24
$targetPaths = @(
    "$env:SystemRoot\System32",
    "$env:TEMP",
    "$env:ProgramData"
)
$suspiciousExtensions = @(".exe", ".dll", ".ps1", ".vbs", ".bat")

# CreationTime can be altered by an attacker (timestomping); treat a clean result as one signal, not proof.
Write-Host "[*] Starting scan for suspicious files created in the last $lookbackHours hours..."
foreach ($path in $targetPaths) {
    if (Test-Path $path) {
        Write-Host "[+] Checking directory: $path"
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | Where-Object {
            # Files only, created inside the lookback window, with a watched extension
            $_.CreationTime -gt (Get-Date).AddHours(-$lookbackHours) -and
            $_.PSIsContainer -eq $false -and
            $suspiciousExtensions -contains $_.Extension
        } | Select-Object FullName, CreationTime, Length
    } else {
        Write-Warning "[!] Path not found: $path"
    }
}
Write-Host "[*] Scan complete."
```
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!