Free technical content sponsored by Fable Security
Training is step one, not the whole journey. The most forward-thinking leaders are extending awareness into modern human risk management—turning learning into measurable progress. This guide from Fable Security outlines five must-haves to unlock resilience, accelerate secure habits, and keep people empowered against evolving threats. Download it today and chart your path forward. https://www.sans.org/info/233430
Apple Releases Emergency Updates for Actively Exploited Vulnerability in ImageIO Framework
(August 20 & 21, 2025)
Apple has released emergency security updates to address an out-of-bounds write vulnerability (CVE-2025-43300) in the ImageIO framework, affecting macOS, iOS, and iPadOS. The issue is fixed in iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8. The vulnerability has been actively exploited. Apple says the impact of the flaw is that "processing a malicious image file may result in memory corruption, ... and [the] issue was addressed with improved bounds checking." This vulnerability is the seventh zero-day Apple has patched this calendar year.
Editor's Note
[Neely]
Don't get distracted by iPhones that installed iOS 18.6.1 from August 14th; that was a feature update, and you need to get 18.6.2 deployed. CVE-2025-43300 has a CVSS score of 8.8, and is the only flaw listed in each of the five updates released Wednesday. While this requires a sophisticated attack to compromise, it's still under active exploitation, so you want to get these rolling out.
FBI and Cisco Talos Warn of Russian Cyber Espionage
(August 20 & 21, 2025)
Cisco Talos and the Federal Bureau of Investigation (FBI) have both warned of a state-sponsored cyber espionage group with ties to Russia that is exploiting a seven-year-old vulnerability in Cisco IOS software's Smart Install feature. The flaw (CVE-2018-0171) is "an improper input validation issue in the now defunct Smart Install feature of Cisco IOS and Cisco IOS XE software." The attackers are targeting end-of-life devices that have not been patched in the telecommunications, higher education, and manufacturing sectors around the world. Users are urged to apply the patch or disable Smart Install if they cannot patch. According to the FBI's August 20 alert, they "detected Russian FSB cyber actors exploiting Simple Network Management Protocol (SNMP) and end-of-life networking devices running an unpatched vulnerability (CVE-2018-0171) in Cisco Smart Install (SMI) to broadly target entities in the United States and globally." Cisco Talos says the goal of the attackers is to steal data and gain persistent access to vulnerable systems.
Editor's Note
[Neely]
Disable Smart Install on Cisco devices, then make sure the passwords on your network devices are sufficiently secure. Review the NSA guidance on password types for Cisco devices.
[Dukes]
Not having patched a vulnerability in seven years is not a good look. It certainly doesn’t meet the standard of reasonable cybersecurity should they become a victim. This reporting also reinforces the need to have a HW/SW update plan as part of your cybersecurity program.
Read more in:
- therecord.media: Russian state cyber group Static Tundra exploiting Cisco devices, FBI warns
- www.darkreading.com: FBI, Cisco Warn of Russian Attacks on 7-Year-Old Flaw
- www.theregister.com: FBI: Russian spies exploiting a 7-year-old Cisco bug to slurp configs from critical infrastructure
- thehackernews.com: FBI Warns FSB-Linked Hackers Exploiting Unpatched Cisco Devices for Cyber Espionage
- www.govinfosecurity.com: Russian Hackers Hitting Critical Infrastructure, FBI Warns
- www.ic3.gov: Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure
- blog.talosintelligence.com: Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices
- nvd.nist.gov: CVE-2018-0171 Detail
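The editor's advice above (disable Smart Install, then check device credentials) is the kind of thing worth checking across a whole fleet rather than one box at a time. The following is an added example, not code from SANS, Cisco or the FBI: it audits exported IOS/IOS XE running-config text for the `no vstack` line that turns Smart Install off, for well-known default SNMP community strings (since the FBI alert pairs the SMI flaw with SNMP abuse), and for Telnet on vty lines. The hostnames and configs are constructed; the only IOS conventions assumed are that Smart Install is on unless `no vstack` is present and that the config is available as text.

```python
"""Audit exported Cisco IOS / IOS XE running-configs for Smart Install exposure.

Added example, not code from SANS, Cisco or the FBI. It assumes configs have
been exported as text (e.g. from a backup system) and relies on the IOS
convention that Smart Install is on unless "no vstack" appears in the config.
"""
import re
from dataclasses import dataclass, field

# Constructed sample configs for three fictitious switches (not real devices).
SAMPLE_CONFIGS = {
    "core-sw-01": """\
hostname core-sw-01
!
no vstack
!
snmp-server community Xk29pQ!v RO
!
line vty 0 4
 transport input ssh
""",
    "edge-sw-07": """\
hostname edge-sw-07
!
vstack
!
line vty 0 4
 transport input telnet ssh
""",
    "lab-sw-03": """\
hostname lab-sw-03
!
snmp-server community public RO
!
line vty 0 4
 transport input ssh
""",
}

# Community strings that ship as vendor defaults and are tried first by scanners.
WEAK_COMMUNITIES = {"public", "private"}


@dataclass
class Finding:
    host: str
    smart_install: str                      # "disabled", "explicitly enabled" or "default (enabled)"
    issues: list = field(default_factory=list)


def audit_config(host: str, config: str) -> Finding:
    lines = [line.strip() for line in config.splitlines()]

    # Smart Install is enabled by default; only an explicit "no vstack" turns it off.
    if "no vstack" in lines:
        state = "disabled"
    elif any(line == "vstack" or line.startswith("vstack ") for line in lines):
        state = "explicitly enabled"
    else:
        state = "default (enabled)"
    finding = Finding(host, state)
    if state != "disabled":
        finding.issues.append("Smart Install active: add 'no vstack' (and patch CVE-2018-0171)")

    # The FBI alert pairs the SMI flaw with SNMP abuse, so check community strings too.
    for line in lines:
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in WEAK_COMMUNITIES:
            finding.issues.append(f"SNMP community '{m.group(1)}' is a well-known default")

    # Telnet on vty lines exposes credentials in cleartext; ssh-only is the expected setting.
    if any(re.match(r"transport input\b.*\btelnet\b", line) for line in lines):
        finding.issues.append("Telnet permitted on vty lines; restrict to 'transport input ssh'")
    return finding


def audit_all(configs: dict = SAMPLE_CONFIGS) -> dict:
    """Return {hostname: Finding} for every config supplied."""
    return {host: audit_config(host, cfg) for host, cfg in configs.items()}


if __name__ == "__main__":
    for finding in audit_all().values():
        print(f"{finding.host}: Smart Install {finding.smart_install}")
        for issue in finding.issues:
            print(f"  - {issue}")
```

Run it over a directory of config backups and anything other than "disabled" with an empty issue list is a device to fix or retire; the end-of-life devices named in the alert will by definition never get the patch, so `no vstack` is the only remediation available for them.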
Scattered Spider Member Sentenced to Prison
(August 20 & 21, 2025)
Noah Michael Urban has been sentenced to 10 years in prison for his role in cyberattacks related to the threat actor group known as Scattered Spider. Urban has also been ordered to pay approximately $13 million in restitution to his victims. Urban previously pleaded guilty to wire fraud, conspiracy, and aggravated identity theft. Urban, along with several co-conspirators, allegedly used SIM-swapping attacks to steal hundreds of thousands of dollars and used social engineering attacks to trick employees at targeted organizations into divulging account access credentials, and then stole millions in cryptocurrency.
Editor's Note
[Neely]
Prosecutors were asking for eight years of prison, but the judge chose 10 years followed by three years of supervised release. This may have been due to the fact that the judge's email was hacked, through social engineering, by another Scattered Spider member during the trial. Make sure any third-party support organizations used are sufficiently validating password change requests as well as being prepared for social engineering, phone, email, SMS, etc. attacks.
Read more in:
- krebsonsecurity.com: SIM-Swapper, Scattered Spider Hacker Gets 10 Years
- therecord.media: Scattered Spider affiliate given 10 year sentence, ordered to pay $13 million in restitution
- cyberscoop.com: Florida man gets 10 years in prison in first Scattered Spider sentencing
- thehackernews.com: Scattered Spider Hacker Gets 10 Years, $13M Restitution for SIM Swapping Crypto Theft
Sponsored Links
Webcast | Balancing On-Prem and Cloud Security: Strategic Considerations for Modern Organizations | Tuesday, September 16, 2025 at 1:00PM ET
Discover strategies to unify security across legacy systems and cloud environments while avoiding the common pitfalls of hybrid adoption. https://www.sans.org/info/233435
Webcast | CloudSecNext Summit Solutions Track | Friday, October 3, 2025 at 10:00AM MT
Explore cutting-edge solutions and practitioner insights designed to help organizations secure multicloud environments at scale. https://www.sans.org/info/233440
Webcast | Attack Surface & Vulnerability Management Survey: Hackers Don’t Wait—Why Should We? | Wednesday, October 22, 2025 at 10:30AM ET
Discover what hundreds of cybersecurity professionals revealed about their attack surface management priorities, gaps, and tools in use. https://www.sans.org/info/233445
UK May Drop Apple ADP Backdoor Order, According to US DNI Gabbard
(August 18 & 19, 2025)
US Director of National Intelligence Tulsi Gabbard published a social media post on August 18, 2025, stating, "The UK has agreed to drop its mandate for Apple to provide a 'back door' that would have enabled access to the protected encrypted data of American citizens." This refers to a formerly secret Technical Capability Notice (TCN) served to Apple in January 2025 under the UK's Investigatory Powers Act, obligating Apple to comply with government requests to break end-to-end encryption (E2EE) for Advanced Data Protection (ADP). Apple disabled ADP for UK users in February and appealed the order through the Investigatory Powers Tribunal (IPT), supported by civil society groups and privacy advocates; the UK government's first public acknowledgment of the TCN's existence was the IPT's April 2025 judgment that hiding the details was not merited for national security. UK government sources had refused to comment on Gabbard's claim at the time of this writing, but gave statements emphasizing the importance of joint security and intelligence arrangements between the UK and the US.
Editor's Note
[Neely]
Until the case is formally dropped, don't expect Apple to re-enable ADP for UK residents. The lack of transparency in the UK proceedings casts more doubt on the legitimacy of the request than support for the need to protect the sensitive nature of the use case.
[Dukes]
While the UK may have dropped their requirement, Sweden and the EU in general are still debating creation of a similar law to support law enforcement. The debate on access to encrypted data is far from over.
Read more in:
- therecord.media: UK ‘agrees to drop’ demand over Apple iCloud encryption, US intelligence head claims
- www.theregister.com: US spy chief claims UK backed down over Apple backdoor demand
- www.nextgov.com: UK ‘agreed to drop’ backdoor encryption demand for Apple, DNI says
- cyberscoop.com: UK abandons Apple backdoor demand after US diplomatic pressure
- techcrunch.com: US spy chief says UK has dropped its Apple backdoor demand
- thehackernews.com: U.K. Government Drops Apple Encryption Backdoor Order After U.S. Civil Liberties Pushback
Orange Belgium Says Breach Affected Data Associated with 850,000 Accounts
(August 20 & 21, 2025)
Telecommunications provider Orange Belgium says a late July 2025 breach compromised data belonging to approximately 850,000 customer accounts. The data the intruders accessed include names, phone numbers, SIM card numbers and personal unblocking key (PUK) codes, which are used to unblock SIM cards that have been locked after too many incorrect PINs have been entered. Orange Belgium provides telecommunications services to people in Belgium and Luxembourg. This incident occurred around the same time as a cyberattack targeting Orange Belgium parent company Orange Group; that breach affected business customers and consumers in France.
Editor's Note
[Pescatore]
Orange did a good job in their incident communication in clearly stating that it was “not possible” for the attackers to use this data to enable a SIM-swapping attack – an important consideration where simple SMS or voice call-based MFA is in use. If you have corporate wireless contracts, look for similar assurances.
[Neely]
Orange has set up an official outage web site and dedicated contact number, which is free from mobile devices. The most likely uses of the pilfered data are SMShing or phishing campaigns. Note that a SIM PUK is not changeable. The only way to get an updated PUK is to be issued a replacement SIM. Orange has updated security and validation processes to prevent use of the pilfered data to issue unauthorized duplicate SIM cards.
[Dukes]
It makes one wonder if there is any data still out there that hasn’t been absconded with, what with ransomware and now targeted attacks of the telecommunications sector. The good news, if it can be called that, is that victims have a means for free lifetime credit monitoring available to them.
Business Council of New York State Says February Breach Affected More Than 47,000 People
(August 15 & 19, 2025)
In a filing with the Maine Attorney General's Office, the Business Council of New York State (BCNYS) disclosed that a breach of their internal systems in late February 2025 compromised data belonging to more than 47,000 individuals. According to the filing with the Maine AG, BCNYS discovered the breach on August 4, 2025. The stolen information included "full names, Social Security numbers, dates of birth, state identification numbers, financial institution names, financial account and routing number information, payment card numbers, payment card access PINs, payment card expiration dates, taxpayer identification numbers, electronic signature information, medical provider name, medical diagnosis or condition information, prescription information, medical treatment or procedure information, and health insurance information." BCNYS has more than 3,000 member organizations, which together employ more than 1.2 million individuals.
Editor's Note
[Neely]
Reading through the list of compromised data elements, you should be ticking them off as included (minus bank routing numbers, these are public) on your ID monitoring system. BCNYS is notifying affected individuals and offering them credit monitoring. If you think you're affected but not notified, contact their dedicated hotline. Their data security incident notice has good information on protecting your information and securing your credit if you're looking to verify you've got the bases covered.
[Dukes]
Well, that’s a treasure trove of PII that has been pilfered. It is important though that BCNYS let its members know that the security and privacy of the information they maintain is important to them. Well, that and complimentary credit monitoring services for 12 months.
[Murray]
When storing payment information, Primary Account Numbers should be tokenized.
Read more in:
- therecord.media: Business Council of New York State says nearly 50,000 had data leaked in February cyberattack
- www.bleepingcomputer.com: NY Business Council discloses data breach affecting 47,000 people
- www.maine.gov: Data Breach Notifications | The Business Council of New York State, Inc.
- www.bcnys.org: Notice of Data Security Incident (PDF)
TPG Telecom Reveals Breach of Subsidiary iiNet
(August 19 & 20, 2025)
Australia's TPG Telecom has disclosed a breach of their iiNet subsidiary compromising data belonging to approximately 280,000 customers. TPG Telecom is investigating the incident. The breach appears to affect iiNet's order management system; the intruders likely obtained access to the system through account credentials stolen from an employee. Compromised information includes iiNet email addresses, landline phone numbers, contact names, numbers, and residential addresses. TPG says the incident was "contained" as of August 16. The intruders have been removed from the system and TPG has brought in third-party expertise to help manage incident response. They have also "actively engaged with the Australian Cyber Security Centre (ACSC), the National Office of Cyber Security (NOCS), the Australian Signals Directorate (ASD), the Office of the Australian Information Commissioner (OAIC) and other relevant authorities in response to this incident."
Editor's Note
[Neely]
TPG is taking the added step of reaching out to non-affected users to let them know their data was not compromised. Telecom providers are a big target and are hopefully proactively validating their security posture. Even so, these are determined and well-resourced adversaries, so make sure that you're prepared in the event your provider is compromised. Beyond ID/Credit protection, know how you'd engage an alternate provider and how feasible that actually is.
[Dukes]
Seems like a certain threat actor has been having their way with telecom providers, globally, over the last six months. We’ve seen attacks in the US, France, Belgium, India, Spain, Australia, and Ukraine. Hopefully they’re communicating with each other and with the broader sector on attacker techniques and defenses employed, but given the number of providers compromised, perhaps not.
[Murray]
The leakage of customer data is only one consequence of the successful attacks against telecoms. Perhaps more serious is loss of integrity of the network.
PyPI Stakes out Safety from Resurrected Email Domains
(August 18, 19, & 20, 2025)
Maintainers of the Python Package Index (PyPI) have implemented a policy of un-verifying user email addresses whose domains are suspected to have expired based on the Expired Registration Recovery Policy (ERRP) timeline set by the Internet Corporation for Assigned Names and Numbers (ICANN). This change to security posture is intended to protect against "domain resurrection" account takeover leading to supply chain attacks, where attackers purchase expired domains to gain access to email addresses already verified for PyPI accounts. PyPI notes "this is not an imaginary attack," citing the 2022 malicious replacement of the ctx project via account compromise, and the 2023 discovery by illustria of a similarly vulnerable widely-used npm package. PyPI will query the status of domains and un-verify email addresses from domains that have entered the typical 30-day Renewal Grace Period or Redemption Period and may be sold. "Since the initial implementation early June 2025, PyPI has unverified over 1,800 email addresses." All accounts active since January 1, 2024, must have 2FA enabled, and PyPI recommends adding a second verified email address from a major domain to any accounts relying on emails with custom domain names. PyPI is the official third-party repository for Python and the default source used by the package manager pip.
Editor's Note
[Neely]
PyPI is using the domain status API from Domainr to validate the status of accounts daily. Note the de-validation is not triggered by a non-expiring domain transfer action. Just as you would set up a recovery email on a different domain, PyPI users should establish a second, validated email from a provider unlikely to expire: Gmail, Outlook, iCloud, Yahoo, etc.
Read more in:
- blog.pypi.org: Preventing Domain Resurrection Attacks
- thehackernews.com: PyPI Blocks 1,800 Expired-Domain Emails to Prevent Account Takeovers and Supply Chain Attacks
- www.heise.de: PyPI takes action against domain hijacking and checks email addresses
- www.bleepingcomputer.com: PyPI now blocks domain resurrection attacks used for hijacking accounts
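The policy described in this item is simple to state but has two moving parts: where a domain sits on the ICANN ERRP timeline, and what happens to an account whose only verified address is on such a domain. The following is an added example, not PyPI's code, that models both. It does not call Domainr or any registry; the phase lengths (30-day Renewal Grace Period, 30-day Redemption Period, 5-day Pending Delete) are fixed assumptions taken from the ICANN timeline the item summarizes, and the domains, expiry dates and accounts are constructed (`.test` is a reserved TLD). Domains not in the expiry table stand in for the "major domain" providers PyPI recommends as a second address.

```python
"""Daily 'domain resurrection' check modelled on the PyPI policy described above.

Added example, not PyPI's code. It does not call Domainr or any registry; the
ERRP phase lengths (30-day Renewal Grace Period, 30-day Redemption Period,
5-day Pending Delete) are fixed assumptions taken from the ICANN timeline,
and domain expiry dates are constructed inline instead of being looked up.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum

RENEWAL_GRACE_DAYS = 30   # assumption: "typical" value from the item; registrars vary (0-45)
REDEMPTION_DAYS = 30      # assumption: ERRP Redemption Grace Period
PENDING_DELETE_DAYS = 5   # assumption: ERRP Pending Delete period


class Phase(Enum):
    ACTIVE = "active"
    RENEWAL_GRACE = "renewal grace"
    REDEMPTION = "redemption"
    PENDING_DELETE = "pending delete"
    RELEASED = "released"        # back on the open market: anyone can register it


def phase_for(expires: date, today: date) -> Phase:
    """Place a domain on the ERRP timeline from its expiry date."""
    days_past = (today - expires).days
    if days_past < 0:
        return Phase.ACTIVE
    if days_past < RENEWAL_GRACE_DAYS:
        return Phase.RENEWAL_GRACE
    if days_past < RENEWAL_GRACE_DAYS + REDEMPTION_DAYS:
        return Phase.REDEMPTION
    if days_past < RENEWAL_GRACE_DAYS + REDEMPTION_DAYS + PENDING_DELETE_DAYS:
        return Phase.PENDING_DELETE
    return Phase.RELEASED


def should_unverify(phase: Phase) -> bool:
    """PyPI's rule as stated: unverify once the domain has entered grace or
    redemption, i.e. as soon as it is past expiry and could end up on the market."""
    return phase is not Phase.ACTIVE


@dataclass
class Account:
    username: str
    emails: dict   # address -> verified flag


# Constructed data: .test is a reserved TLD, so none of these can be real domains.
SAMPLE_DOMAIN_EXPIRY = {
    "example-a.test": date(2025, 9, 15),
    "example-b.test": date(2025, 8, 1),
    "example-c.test": date(2025, 7, 10),
    "example-d.test": date(2025, 5, 1),
}

SAMPLE_ACCOUNTS = [
    Account("alice", {"alice@example-a.test": True, "alice@mail-provider.test": True}),
    Account("bob",   {"bob@example-b.test": True}),
    Account("carol", {"carol@example-c.test": True, "carol@mail-provider.test": True}),
    Account("dave",  {"dave@example-d.test": True, "dave@example-a.test": False}),
]


def run_daily_check(accounts, domain_expiry, today: date) -> dict:
    """Return the addresses to unverify and the accounts left with no verified
    address (the ones that need a second address on a stable domain).
    Domains absent from domain_expiry (e.g. large mail providers) are left alone.
    Inputs are not mutated."""
    unverified, at_risk = [], []
    for acct in accounts:
        remaining = dict(acct.emails)
        for addr, verified in acct.emails.items():
            domain = addr.rsplit("@", 1)[1].lower()
            if verified and domain in domain_expiry:
                if should_unverify(phase_for(domain_expiry[domain], today)):
                    remaining[addr] = False
                    unverified.append(addr)
        if not any(remaining.values()):
            at_risk.append(acct.username)
    return {"unverified": unverified, "at_risk_accounts": at_risk}


if __name__ == "__main__":
    report = run_daily_check(SAMPLE_ACCOUNTS, SAMPLE_DOMAIN_EXPIRY, date(2025, 8, 21))
    print("unverify:", report["unverified"])
    print("no verified address left:", report["at_risk_accounts"])
```

The `at_risk_accounts` list is the operational point of the editor's advice: an account whose only verified address is on an expired domain is exactly the one that a second address on a stable provider would have kept usable.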
Chrome, Firefox, and Thunderbird Patched for High-Severity Bugs
(August 19, 20, & 21, 2025)
Google and Mozilla have both released patches for high-severity vulnerabilities in their browsers. Chrome 139.0.7258.138/.139 for Windows and Mac, and 139.0.7258.138 for Linux, addresses CVE-2025-9132, which allows an attacker to exploit heap corruption via a crafted HTML page due to an out-of-bounds write flaw in the V8 JavaScript and WebAssembly engine. This flaw was discovered by Big Sleep, an AI agent created in 2024 by Google DeepMind and Project Zero. Firefox 142 and Thunderbird 142, as well as Firefox ESR 115.27, ESR 128.14, and ESR 140.2 and Thunderbird ESR 128.14 and ESR 140.2, address nine vulnerabilities, five of which Mozilla considers high-severity. CVE-2025-9187, CVSS score 9.8, and CVE-2025-9184 & CVE-2025-9185, both carrying CVSS score 8.1, are memory safety bugs that could be exploited to execute arbitrary code. CVE-2025-9180 is a same-origin policy bypass in the Graphics: Canvas2D component. The advisory for CVE-2025-9179 may indicate evidence of exploitation: "An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process," but Mozilla does not go into further detail about possible attacks in the wild.
Editor's Note
[Neely]
ESR 115, 128, 140 are still getting updates from Mozilla, but three stable browser versions may be a bit much for your IT folks to support. Consider consolidating after pushing the update, on 140. ESR 140.3 is slated for mid-September to match the release of Firefox 143.
[Murray]
That browsers are under constant update is only one of the reasons that they can never be trusted for any application other than browsing. Prefer purpose-built clients for most other applications.
Commvault Patches Flaws with PoC Exploit Chains for Pre-Auth RCE
(August 19, 20, & 21, 2025)
On August 19, Commvault released patches for four flaws affecting Commvault before versions 11.32.102 and 11.36.60, but not affecting Commvault's software as a service (SaaS). The following day, researchers from watchTowr, who discovered and reported the vulnerabilities in April, published analysis showing proof-of-concept exploit chains that could leverage these flaws to achieve pre-authentication remote code execution. The first chain is exploitable against any unpatched Commvault instance and uses CVE-2025-57791, an argument injection vulnerability in CommServe with CVSS score 6.9, and CVE-2025-57790, a path traversal vulnerability with CVSS score 8.7. The second chain only affects unpatched Commvault instances whose encrypted admin password set during installation is still stored in the database; if the admin password has been changed, it is stored as a hash instead, which prevents this exploit. This second chain uses CVE-2025-57788, an unauthorized API access flaw with CVSS score 6.9, then CVE-2025-57789, a flaw allowing a remote attacker to exploit the default credential during setup to gain admin control, CVSS score 5.3, and finishes with the same path traversal flaw as the first chain.
Editor's Note
[Neely]
Kudos to watchTowr Labs for another entertaining writeup. The fix is to update your on-premises servers to the fixed Commvault versions: 11.32.102, 11.36.60 and 11.38.32 or higher. Then look at moving to version 11.40, as 11.32 and 11.36 were EOL 6/15/25. Their SaaS requires no customer action.
[Murray]
Publishing PoC lowers the cost of attack against our systems. Nice people do not do that. While such code is sometimes necessary to demonstrate a vulnerability to its developers, it need be shared only with them and only for that purpose.
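Because the fix lands in a different build number on each supported branch (11.32.102, 11.36.60, 11.38.32 per the editor's note), a naive "is my version newer than X" comparison gets it wrong. The following is an added example, not Commvault's or watchTowr's code: it parses on-premises version strings, compares each against the fixed build for its own branch, reports the two end-of-life branches, and treats branches the item does not name as "unknown" rather than assuming they are safe. The inventory hostnames and versions are constructed.

```python
"""Triage Commvault on-premises versions against the fixed releases named above.

Added example, not Commvault's or watchTowr's code. Fixed versions 11.32.102,
11.36.60 and 11.38.32 and the 11.32/11.36 end-of-life status are taken from the
item; the inventory below is constructed. Branches newer than those listed are
reported as "unknown" rather than assumed safe.
"""
from dataclasses import dataclass

FIXED_BY_BRANCH = {
    (11, 32): (11, 32, 102),
    (11, 36): (11, 36, 60),
    (11, 38): (11, 38, 32),
}
EOL_BRANCHES = {(11, 32), (11, 36)}   # EOL 6/15/25 per the editor's note


@dataclass
class Assessment:
    host: str
    version: str
    status: str      # "vulnerable", "patched" or "unknown"
    eol: bool
    note: str


def parse_version(text: str) -> tuple:
    """'11.32.98' -> (11, 32, 98); raises ValueError on anything that is not
    at least three dotted integers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 3:
        raise ValueError(f"unexpected Commvault version format: {text!r}")
    return parts


def assess(host: str, version: str) -> Assessment:
    """Compare a version against the fixed build for its own major.minor branch."""
    ver = parse_version(version)
    branch = ver[:2]
    eol = branch in EOL_BRANCHES
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return Assessment(host, version, "unknown", eol,
                          "branch not covered by the listed fixes; confirm against the vendor advisory")
    if ver[:3] >= fixed:
        note = "fixed build" + ("; branch is EOL, plan a move to a supported release" if eol else "")
        return Assessment(host, version, "patched", eol, note)
    target = ".".join(map(str, fixed))
    return Assessment(host, version, "vulnerable", eol, f"update to {target} or later")


# Constructed inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "cv-commserve-01": "11.32.98",
    "cv-commserve-02": "11.36.60",
    "cv-commserve-03": "11.38.40",
    "cv-commserve-04": "11.40.5",
}


def needs_action(inventory: dict = SAMPLE_INVENTORY) -> list:
    """Hosts that are vulnerable or on an unknown branch, most urgent first."""
    order = {"vulnerable": 0, "unknown": 1, "patched": 2}
    results = [assess(h, v) for h, v in inventory.items()]
    return sorted((a for a in results if a.status != "patched"),
                  key=lambda a: (order[a.status], a.host))


if __name__ == "__main__":
    for a in needs_action():
        print(f"{a.host} {a.version}: {a.status}{' (EOL)' if a.eol else ''} - {a.note}")
```

Feed it the version list from your CommServe inventory; the SaaS tenants the item mentions need no entry since Commvault patches those itself.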
Rapper Bot Admin Charged
(August 19, 20, & 21, 2025)
Federal authorities have charged Ethan Foltz with aiding and abetting computer intrusions for his role in developing and administering the Rapper Bot distributed denial-of-service (DDoS) for hire botnet. According to a US Justice Department press release, the botnet "primarily compromises devices like Digital Video Recorders (DVRS) or WiFi routers at scale by infecting those devices with specialized malware." The complaint indicates that most of the DDoS attacks measured between two and three terabits per second. Authorities have also seized elements of the botnet's infrastructure.
Editor's Note
[Neely]
Score another botnet setback. Even so, don't relax on your own DDoS defenses. While these guys are offline, others will fill their place.
Read more in:
- krebsonsecurity.com: Oregon Man Charged in ‘Rapper Bot’ DDoS Service
- therecord.media: Feds charge alleged administrator of ‘sophisticated’ Rapper Bot botnet
- www.theregister.com: US cops wrap up RapperBot, one of world's biggest DDoS-for-hire rackets
- www.bleepingcomputer.com: “Rapper Bot” malware seized, alleged developer identified and charged
- thehackernews.com: DOJ Charges 22-Year-Old for Running RapperBot Botnet Behind 370,000 DDoS Attacks
- defensescoop.com: ‘Rapper Bot’ hit the Pentagon in at least 3 cyberattacks
- cyberscoop.com: Officials gain control of Rapper Bot DDoS botnet, charge lead developer and administrator
- www.govinfosecurity.com: Feds Seize Powerful DDoS-for-Hire Service 'Rapper Botnet'
- www.justice.gov: Oregon man charged with administering “Rapper Bot” DDoS-for-hire Botnet
SANS Internet Storm Center StormCast Friday, August 22, 2025
The -n switch; Commvault Exploit; Docker Desktop Escape Vuln
https://isc.sans.edu/podcastdetail/9582
Don't Forget The "-n" Command Line Switch
Disabling reverse DNS lookups for IP addresses is important not just for performance, but also for opsec. Xavier explains some of the risks.
https://isc.sans.edu/diary
watchTowr releases details about recent Commvault flaws
Users of the Commvault enterprise backup solution must patch now after watchTowr released details about recent vulnerabilities.
https://labs.watchtowr.com
Docker Desktop Vulnerability CVE-2025-9074
A vulnerability in Docker Desktop allows attackers to escape from containers to attack the host.
https://docs.docker.com
SANS Internet Storm Center StormCast Thursday, August 21, 2025
Airtel Scans; Apple Patch; Microsoft Copilot Audit Log Issue; Password Manager Clickjacking
https://isc.sans.edu/podcastdetail/9580
Airtel Router Scans and Mislabeled Usernames
A quick summary of some odd usernames that show up in our honeypot logs.
https://isc.sans.edu/diary
Apple Patches 0-Day CVE-2025-43300
Apple released an update for iOS, iPadOS and macOS today patching a single, already exploited, vulnerability in ImageIO.
https://support.apple.com
Microsoft Copilot Audit Logs
A user retrieving data via Copilot obscures the fact that the user may have had access to data in a specific file.
https://pistachioapp.com/blog
Password Managers Susceptible to Clickjacking
Many password managers are susceptible to clickjacking, and only few have fixed the problem so far.
https://marektoth.com/blog
SANS Internet Storm Center StormCast Wednesday, August 20, 2025
Increased Elasticsearch Scans; MSFT Patch Issues; SAP Vulnerabilities Exploited
https://isc.sans.edu/podcastdetail/9578
Increased Elasticsearch Reconnaissance Scans
Our honeypots noted an increase in reconnaissance scans for Elasticsearch. In particular, the endpoint /_cluster/settings is hit hard.
https://isc.sans.edu/diary
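The diary's observation is straightforward to turn into a detection on your own web or proxy logs: any host that does not serve Elasticsearch has no business receiving requests for `/_cluster/settings`. The following is an added example, not from the ISC diary, that parses Apache/nginx combined-format lines and counts, per source address, requests to Elasticsearch management endpoints. The log lines are constructed (RFC 5737 documentation addresses). Only `/_cluster/settings` comes from the diary; the other prefixes are real Elasticsearch APIs added here as an assumption about what a wider scan would touch.

```python
"""Flag Elasticsearch reconnaissance in HTTP access logs.

Added example, not from the ISC diary. The log lines below are constructed
(RFC 5737 documentation addresses) in Apache/nginx combined format. The diary
names /_cluster/settings; the other endpoints are real Elasticsearch APIs
added here as an assumption about what a wider scan would touch.
"""
import re
from collections import Counter, defaultdict

# Prefixes of Elasticsearch management/catalog endpoints worth alerting on
# when they appear on a host that is not supposed to serve Elasticsearch.
RECON_PREFIXES = (
    "/_cluster/settings",   # named in the diary
    "/_cluster/health",     # assumption
    "/_cluster/state",      # assumption
    "/_cat/",               # assumption
    "/_nodes",              # assumption
)

COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Aug/2025:10:01:02 +0000] "GET /_cluster/settings HTTP/1.1" 401 118 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Aug/2025:10:01:03 +0000] "GET /_cat/indices?v HTTP/1.1" 401 118 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Aug/2025:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.23 - - [20/Aug/2025:10:02:11 +0000] "GET /_cluster/settings HTTP/1.1" 404 153 "-" "python-requests/2.32"
203.0.113.7 - - [20/Aug/2025:10:01:04 +0000] "GET /_nodes HTTP/1.1" 401 118 "-" "Mozilla/5.0"
garbage line that should be skipped
"""


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_LOG.match(line)
    return m.groupdict() if m else None


def recon_endpoint(path: str):
    """Return the matching recon prefix for a request path (query string ignored), else None."""
    bare = path.split("?", 1)[0]
    return next((p for p in RECON_PREFIXES if bare.startswith(p)), None)


def recon_hits(lines) -> dict:
    """Map source IP -> Counter of recon endpoints it requested."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        endpoint = recon_endpoint(rec["path"])
        if endpoint:
            hits[rec["ip"]][endpoint] += 1
    return dict(hits)


def top_sources(lines, min_hits: int = 1) -> list:
    """Sources with at least min_hits recon requests, busiest first."""
    totals = [(ip, sum(c.values())) for ip, c in recon_hits(lines).items()]
    return sorted((t for t in totals if t[1] >= min_hits), key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, count in top_sources(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {count} Elasticsearch recon request(s)")
```

On a host that really does run Elasticsearch the same counts are still useful, but the question becomes whether those requests are authenticated (compare the status codes) rather than whether they occur at all.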
Microsoft Patch Tuesday Issues
Microsoft noted some issues deploying the most recent patches with WSUS. There are also issues with certain SSDs if larger files are transferred.
https://learn.microsoft.com
https://www.tomshardware.com
SAP Vulnerabilities Exploited CVE-2025-31324, CVE-2025-42999
Details explaining how to take advantage of two SAP vulnerabilities were made public.
https://onapsis.com/blog