Four Arrested in Connection with UK Retailer Cyberattacks; M&S Chairman Confirms Social Engineering Involved
(July 8 & 10, 2025)
The UK's National Crime Agency (NCA) has published a press release stating that four people have been arrested in connection with the April 2025 cyberattacks on Marks & Spencer (M&S), Co-op, and Harrods. On July 10, 2025, "two males aged 19, another aged 17, and a 20-year-old female were apprehended in the West Midlands and London ... on suspicion of Computer Misuse Act offences, blackmail, money laundering and participating in the activities of an organised crime group," and their devices were seized for analysis. Archie Norman, chairman of Marks & Spencer since 2017, stated in a July 8 hearing with the UK Parliament's Business and Trade Sub-Committee on Economic Security that the attack on M&S was initiated via social engineering, with an attacker impersonating an employee to request a password reset from a third-party support service. Norman also verified the presence of DragonForce ransomware, though according to Bleeping Computer, he and several media sources conflate the ransomware-as-a-service (RaaS) with an unrelated hacktivist group of the same name based in Malaysia. Norman did not state whether M&S paid a ransom, but he did disclose an early internal decision that "nobody at M&S would deal with the threat actors directly," possibly indicating the aid of a third-party negotiator.
Editor's Note
[Honan]
Kudos to UK law enforcement in tracking down and arresting these suspects. While people may comment on the young ages of the suspects, I would caution that they are likely involved in a bigger criminal gang and these four individuals are not solely responsible for the attack. Their collaborators may be located outside of the UK and indeed may be more technically capable with better operational security. So, the threat from this gang is most likely still there and organisations need to continue to ensure technical, people, and process controls are in place to defend against the methods used by this gang, and indeed others.
[Neely]
In short, this is a case of a very successful Social Engineering attack followed up by ransomware. This was a well-crafted impersonation. As AI capabilities continue to evolve, so do extremely convincing impersonation capabilities. Make sure your validation processes are keeping up.
[Dukes]
Use of social engineering will only increase to get initial access to a network. Feels like MFA could have helped in defeating this social engineering attack. That said, quick work by law enforcement officials in finding and arresting the culprits. Well done!
CISA Adds Five CVEs to Known Exploited Vulnerabilities Catalog: CitrixBleed 2 and Four Older Flaws
(July 8, 2025)
This week the US Cybersecurity and Infrastructure Security Agency (CISA) added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. On Thursday, July 10, 2025, CISA added CVE-2025-5777, an out-of-bounds read vulnerability in Citrix NetScaler ADC and Gateway. The flaw, widely known as CitrixBleed 2, has a mitigation due date of Friday, July 11, 2025. On Monday, July 7, CISA added four older vulnerabilities to KEV: a server-side request forgery (SSRF) issue in Synacor Zimbra Collaboration Suite (ZCS) (CVE-2019-9621); a path traversal vulnerability in Ruby on Rails (CVE-2019-5418); a command injection vulnerability in PHPMailer (CVE-2016-10033); and a buffer overflow vulnerability in Multi-Router Looking Glass (MRLG) (CVE-2014-3931). These four vulnerabilities, which all have mitigation due dates of July 28, were added to KEV "based on evidence of active exploitation."
Editor's Note
[Neely]
CitrixBleed 2, CVE-2025-5777, has a CVSS score of 9.3, and not unlike the older CitrixBleed from 2023, is a memory leak which allows attackers to grab sensitive data from memory including credentials. Citrix has released patches, so make sure they are applied. WatchTowr Labs has published a writeup on the technical details of the exploit: labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/. The fix for the PHPMailer flaw, CVE-2016-10033, was published in December of 2016. Double check for old copies of PHPMailer; you may be surprised. Note that if you move to the latest PHPMailer versions, the APIs have changed, so double check if the built-in PHP mail() function will work for you; it'll stay updated as you update PHP.
[Honan]
If CISA are recommending US government agencies patch Citrix Bleed 2 within 24 hours of issuing their alert, then you should sit up, take notice of the alert, and ensure you take appropriate action to address the vulnerability.
[Murray]
Patching should be as timely and thorough as resources permit. However, if choices must be made, the KEV catalog should be used to identify priorities.
Read more in:
- thehackernews.com: CISA Adds Four Critical Vulnerabilities to KEV Catalog Due to Active Exploitation
- www.scworld.com: CISA adds four older CVEs to known exploited vulnerabilities list
- www.cisa.gov: CISA Adds Four Known Exploited Vulnerabilities to Catalog
Patch Tuesday: Microsoft and Adobe
(July 8, 2025)
On Tuesday, July 8, Microsoft and Adobe both released updates to address multiple vulnerabilities across their product lines. Microsoft released updates to address at least 130 security issues. Just one of the patched vulnerabilities, an information disclosure issue in Microsoft SQL Server (CVE-2025-49719), was previously disclosed, and does not appear to have been actively exploited. However, it affects all versions of SQL Server going back to SQL Server 2016. This month's batch of Microsoft updates includes fixes for more than 50 privilege elevation vulnerabilities, more than 40 remote code execution vulnerabilities, and nearly 20 information disclosure vulnerabilities. Adobe released updates to address nearly 60 vulnerabilities, including five critical flaws (three arbitrary file system read vulnerabilities, a privilege escalation vulnerability, and a security feature bypass issue) in ColdFusion and a critical deserialization of untrusted data issue in Adobe Experience Manager Forms.
Editor's Note
[Neely]
Not a bad time to validate you're not exposing your SQL Server instances to the Internet, as well as to apply the update. Note that the Adobe updates include After Effects, Substance, Audition, InCopy, InDesign, Connect, Dimension, Illustrator, and FrameMaker, as well as Adobe Experience Manager Forms, Screens, and ColdFusion.
[Dukes]
A big month for MSFT, and not in a good way. It makes one wonder about their efforts with Secure by Design. Regardless, be sure to back up your data before installing the patches. With that many vulnerabilities, things can certainly go wrong.
[Murray]
It bears repeating that these large numbers are a measure of quality. That the numbers continue to be in the high tens month after month justifies the inference that there is a large reservoir of both known and unknown vulnerabilities. We are left with a porous infrastructure and there is little evidence that it is getting any better.
More Patches: SAP, Ivanti, Fortinet, and Splunk
(July 8 & 9, 2025)
SAP has released 31 security notes, 27 new and four updated, which address vulnerabilities in Supplier Relationship Management (SRM), NetWeaver, Business Objects, Business Warehouse, and other products. Ivanti has released updates to address a total of 11 vulnerabilities in Ivanti Connect Secure (ICS) and Policy Secure (IPS), Endpoint Manager Mobile (EPMM), and Endpoint Manager (EPM). Fortinet has released advisories to address a total of eight vulnerabilities affecting FortiAnalyzer, FortiIsolator, FortiManager, FortiOS, FortiProxy, FortiSandbox, FortiSASE, FortiVoice, and FortiWeb. Splunk has published a dozen advisories addressing vulnerabilities in third-party dependencies in Splunk SOAR, Enterprise, and DB Connect.
Editor's Note
[Neely]
Don't overlook the SAP & Splunk updates, while you're looking at Ivanti and Fortinet fixes. Exploiting ERP weaknesses is still a thing.
[Murray]
Patching can no longer be an unplanned, merely responsive, effort. It is a continuing function. It requires planning and adequate dedicated resources. It is a significant cost.
Critical Vulnerability in Cisco Unified Communications Manager
(July 2 & 3, 2025)
Cisco has released updates to address a critical vulnerability in the Engineering Special (ES) builds of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) that could be exploited to gain root privileges on vulnerable systems. The root accounts of both products have "default, static credentials that cannot be changed or deleted." The vulnerability, CVE-2025-20309, has a CVSS score of 10.0.
Editor's Note
[Neely]
Hooray, CVE-2025-20309, static credential exploit, rates a perfect 10. Yeah, we both had a different term in mind, but I'm not using that language in our publication. There is no workaround, the affected versions are vulnerable regardless of configuration, so you need to apply the update, as well as get your threat hunters on the IoCs. Lastly, go see what else has static credentials, to include any code your team is creating.
[Frost]
These appear to be limited to engineering builds. For those that haven’t ever dealt with these, sometimes when you have a bug that is impacting you and TAC can solve it with a small patch, they will have developers sitting in TAC that can fix up a special build for a quick fix. What’s interesting is that somewhere along that build cycle, a static root password was introduced. This would likely be caught during a major release, so it's possible the Devs used the root password during their work. This is all speculation; who knows how this happens, but it’s not a good look.
Read more in:
- www.theregister.com: Cisco scores a perfect 10 - sadly for a critical flaw in its comms platform
- thehackernews.com: Critical Cisco Vulnerability in Unified CM Grants Root Access via Static Credentials
- sec.cloudapps.cisco.com: Cisco Unified Communications Manager Static SSH Credentials Vulnerability
- nvd.nist.gov: CVE-2025-20309 Detail
Chrome and Edge Extensions Became Trojan Horses via Update
(July 8, 2025)
Researchers at Koi Security have discovered 18 malicious browser extensions – 10 for Chrome and 8 for Edge – that they posit are part of a campaign to add Man-in-the-Middle (MitM) surveillance and attack capabilities to extensions that had previously been legitimate and safe to use for years. These extensions perform their purported functionalities, and several have held "Verified" badges or have been "Featured" in Google and Microsoft online marketplaces, but all received subsequent automatic version updates that introduced the same type of malware. Infected extensions capture users' browser activity and exfiltrate it to a remote command-and-control (C2) server, and may redirect the browser to a malicious URL the C2 server returns. Koi estimates the total number of users affected at 2.3 million, and provides the extension IDs as indicators of compromise (IoCs), urging users to remove affected extensions; clear browser data; scan for malware; monitor accounts for suspicious activity; and continue to review extensions for similar malicious behavior. The researchers highlight the exploitation of "trust signals" such as "verification badges, install counts, featured placement, years of legitimate operation, and positive reviews" leveraging platform credibility to hide unsafe software.
Editor's Note
[Neely]
Some of these extensions were good for years and have been compromised. Chrome will automatically update to the latest versions available. This is a supply chain attack, “Trust Signal Weaponization” as it were. Koi Security published IoCs, so have your threat hunters verify you don't have any. Again, another time to validate the need for extensions – make sure you're still using the ones you have and deleting those which are unused or didn't work out. Google has confirmed all the extensions identified by Koi Security have been removed from the Chrome Web Store.
[Frost]
Most people don’t realize how powerful browser extensions can be. It hasn’t been a real focus for many on the attack side. If you can get someone to install a Trojan extension, you can cause significant damage. It’s one of those vectors that we know about, and we acknowledge it, but it’s not the attack class we often think about, so no one focuses on it. At some point, attackers may use it increasingly, causing us to focus more on it. It’s kind of like SSRFs; it was out there for years and years before it finally caught on like wildfire after a few major breaches.
[Murray]
The openness, complexity, and pervasiveness of browsers makes them a perpetual target. Their use should be restricted to browsing. They should not be used as clients for sensitive applications. Prefer purpose-built clients for sensitive applications.
Read more in:
- blog.koi.security: Google and Microsoft Trusted Them. 2.3 Million Users Installed Them. They Were Malware.
- www.theregister.com: Massive browser hijacking campaign infects 2.3M Chrome, Edge users
- www.bleepingcomputer.com: Malicious Chrome extensions with 1.7M installs found on Web Store
ServiceNow Issues CVE for Vulnerability Patched in May
(July 8, 9, & 10, 2025)
Cloud-based Software-as-a-Service (SaaS) platform ServiceNow has issued a CVE (CVE-2025-3648) for a high-severity vulnerability affecting their Now Platform, two months after ServiceNow pushed out an update addressing the flaw, and 17 months after the Varonis Threat Labs researchers notified them about the issue. In a July 2025 security bulletin, ServiceNow describes the vulnerability: "Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them." ServiceNow has also added access control frameworks in their Xanadu and Yokohama releases.
Editor's Note
[Neely]
It's important to note that this exploit leverages four different ACL responses to infer data. ServiceNow customers need to validate the ACLs on their sensitive data and look to the new Query ACLs, Security Data Filters, and Deny-Unless ACLs to mitigate blind query attacks. Also note that ServiceNow is changing Query ACLs to default deny, so you may need to create exclusions to allow currently authorized access.
[Frost]
ServiceNow is a core component of many businesses. It has linkages to the internal IT systems many times. A vulnerability in ServiceNow components could be impactful.
Qantas Notifies 5.7M Customers of Data Breach
(July 4, 9, & 10, 2025)
Australia's Qantas Airlines has published updates and an FAQ in the wake of a June 30 cyberattack that breached a third-party customer service platform in one of the airline's call centers. Airline operations and safety have not been impacted. Qantas is notifying customers that personal data of 5.7 million individuals were accessed in varying combinations, possibly including name, email address, and frequent flyer number with account details, in conjunction with address, date of birth, phone number, gender, and/or meal preferences. No financial or passport details were stored on the affected system, and customer login credentials were not compromised. While "there is no evidence that any personal data stolen from Qantas has been released," Qantas is notifying affected customers over the age of 15 via email, and allowing customers with frequent flyer accounts to view potentially affected data types when logged in. The airline has set up a 24/7 support hotline providing "specialist identity protection advice and resources," and is implementing additional security to restrict system access and strengthen monitoring and detection. The Australian Cyber Security Centre, the Office of the Australian Information Commissioner, and the Australian Federal Police have been notified, and Qantas is working with the National Cyber Security Coordinator, the Australian Cyber Security Centre, and cybersecurity experts to investigate. While news sources initially reported a statement indicating contact with a threat actor, the updated post states, "Qantas has not been contacted by anyone claiming to have the data." The airline urges customers to verify the identity of callers and email senders, checking that any future Qantas emails originate from a domain ending in "qantas.com" or "qantas.com.au", and reporting any suspicious communications to the support line or to the National Anti-Scam Centre's Scamwatch service.
Editor's Note
[Pescatore]
The headlines have stopped including the term “supply chain,” but this one is a supply chain security issue and it highlights the need to assure that third party services are at least as secure as yours are. Qantas’s communication to customers is a great example to follow – plenty of information and no “in an abundance of caution…” that I could find…
[Neely]
This appears to be a third-party breach, reminding us to double check third-party security actively and regularly. If you're a Qantas customer, be alert to scammers taking advantage of the incident: verify all communication is really from Qantas. Leverage the hotline Qantas set up for the breach. The data compromised from a third party was the loyalty/frequent flyer program data. Regardless of which data sets were compromised for which customers, don't assume you fall into the name/email only category. Nobody has taken credit for the attack, but this matches Scattered Spider's shift to attacking the airline industry, notably Hawaiian and WestJet.
[Dukes]
A good reminder to check the SLA with third-party platform providers used by the company. Third-party providers should be an entry in the company’s risk register and discussed at every risk management meeting, especially given their access to customer information.
Ingram Micro Recovers From Ransomware
(July 5, 7, 8, & 9, 2025)
Major IT distributor Ingram Micro has filed form 8-K with the US Securities and Exchange Commission (SEC) and issued ongoing updates since its discovery of ransomware on certain internal systems on or before July 5, 2025. Upon identifying the ransomware, Ingram Micro proactively took certain systems offline and implemented mitigation measures, notified law enforcement, and began investigating alongside third-party cybersecurity experts. On July 7, subscription order service was restored globally, and phone and email order service were restored in western Europe, Brazil, India, and China. By July 8, phone and email ordering was restored in Austria, Canada, Singapore, the Nordics, and the US; the unauthorized access was also deemed fully contained, and the affected systems remediated. July 9 updates confirm full restoration of operations across all countries and regions. Palo Alto Networks (PAN) has confirmed that neither the GlobalProtect VPN platform nor any PAN products were the attacker's access route. The Register reports complaints from customers that Ingram Micro did not communicate directly about the incident and recovery, and that customer support phone lines and emails were unresponsive.
Editor's Note
[Dukes]
The GOOD – They seem to have contained and recovered from the attack quickly. The BAD – Quite a chunk of revenue was lost whilst recovering from the attack. The UGLY – Poor, poor communication to customers on what had happened and assurances in protection of customer data going forward.
[Neely]
A takeaway here is to be more direct in your incident communication as well as make sure you have adequate customer support, in bandwidth/capacity, knowledge, and empowerment to help customers.
International Criminal Court Detects and Contains Cyberattack
(June 30 and July 1 & 2, 2025)
The International Criminal Court (ICC) experienced a "sophisticated and targeted" cyberattack in late June 2025. The ICC has not provided details beyond acknowledging that the incident "was swiftly discovered, confirmed and contained, through the Court’s alert and response mechanisms." This is the second cyberattack the ICC has reported since 2023, when the organization's systems were targeted by a cyberespionage group. The ICC is based in The Hague, Netherlands.
Editor's Note
[Neely]
Not a lot of details here, except a reference to being a sophisticated cybersecurity incident, similar to one in 2023. The court is balancing the need to inform the public and address incidents with waiting for fully disclosable details. Be prepared, when you find yourself in a similar situation, to not only release information rapidly, but also to loop back and fill in/clarify details. Use caution when disclosing details which need rolling back; that can be tricky, as Qantas learned.
[Dukes]
Certainly the Court by its mere existence can be a target of nation states. Unfortunately, there is scant information on what form of attack was launched. So, it is difficult to draw conclusions on who perpetrated the attack.
SANS Internet Storm Center StormCast Friday, July 11, 2025
SSH Tunnel; FortiWeb SQL Injection; Ruckus Unpatched Vuln; Missing Motherboard Patches
https://isc.sans.edu/podcastdetail/9522
SSH Tunneling in Action: direct-tcp requests
Attackers are compromising ssh servers to abuse them as relays. The attacker will configure port forwarding direct-tcp connections to forward traffic to a victim. In this particular case, the Yandex mail server was the primary victim of these attacks.
https://isc.sans.edu
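A defender-side check for the relay abuse described above, added here as an example and not taken from the ISC diary: it parses an sshd_config (a constructed sample) and reports every scope in which clients may open direct-tcpip channels. It assumes stock OpenSSH defaults and approximates sshd's semantics offline; `sshd -T` remains the authoritative view of the effective configuration.

```python
"""Report which sshd_config scopes let a client open direct-tcpip channels,
the feature abused when a compromised SSH server is used as a relay.
Added example, not from the ISC diary. Offline approximation of sshd's
semantics: the first value of a keyword wins within a scope, and Match
blocks override the global section."""
import re

# Stock OpenSSH defaults when the keyword is absent (assumption: unmodified build).
DEFAULT_ALLOW_TCP_FORWARDING = "yes"
DEFAULT_PERMIT_OPEN = "any"
# Values that permit client-initiated (direct-tcpip, i.e. ssh -L/-D) forwarding.
RELAY_CAPABLE = {"yes", "all", "local"}


def parse_sshd_config(text: str):
    """Return (global_settings, [(match_criteria, settings), ...]); keys lower-cased."""
    global_scope, matches, scope = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            scope = {}
            matches.append((value, scope))
            continue
        target = global_scope if scope is None else scope
        target.setdefault(key, value)   # sshd keeps the first value it sees per scope
    return global_scope, matches


def forwarding_exposure(text: str) -> list[str]:
    """One finding per scope in which direct-tcpip relaying is possible, and where it may go."""
    global_scope, matches = parse_sshd_config(text)
    findings = []

    def inspect(name, settings, inherited):
        allow = settings.get("allowtcpforwarding",
                             inherited.get("allowtcpforwarding", DEFAULT_ALLOW_TCP_FORWARDING)).lower()
        permit = settings.get("permitopen", inherited.get("permitopen", DEFAULT_PERMIT_OPEN))
        if allow not in RELAY_CAPABLE or permit.lower() == "none":
            return
        destination = "any host/port" if permit.lower() == "any" else permit
        findings.append(f"{name}: direct-tcpip relaying allowed to {destination}")

    inspect("global", global_scope, {})
    for criteria, settings in matches:
        inspect(f"Match {criteria}", settings, global_scope)
    return findings


# Constructed sample, not a real host's configuration.
SAMPLE_CONFIG = """\
Port 22
AllowTcpForwarding no
# The next line is ignored by sshd: the first value above wins.
AllowTcpForwarding yes

Match User backup
    AllowTcpForwarding yes
    # Bounded relay: only the database host may be reached.
    PermitOpen 10.0.0.5:5432

Match Group devs
    # No PermitOpen here, so the inherited default 'any' applies.
    AllowTcpForwarding=local
"""

if __name__ == "__main__":
    for finding in forwarding_exposure(SAMPLE_CONFIG):
        print(finding)
```

An empty configuration yields a global finding, which is the point: forwarding is on unless it is explicitly turned off.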
Fortiguard FortiWeb Unauthenticated SQL injection in GUI (CVE-2025-25257)
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.
https://www.fortiguard.com
Ruckus Virtual SmartZone (vSZ) and Ruckus Network Director (RND) contain multiple vulnerabilities
Ruckus products suffer from a number of critical vulnerabilities. There is no patch available, and users are advised to restrict access to the vulnerable admin interface.
https://kb.cert.org
SANS Internet Storm Center StormCast Thursday, July 10, 2025
Internal CA with ACME; TapJacking on Android; Adobe Patches
https://isc.sans.edu/podcastdetail/9520
Setting up Your Own Certificate Authority for Development: Why and How.
Some tips on setting up your own internal certificate authority using the smallstep CA.
https://isc.sans.edu
Animation-Driven Tapjacking on Android
Attackers can use a clickjacking-like trick to get victims to tap on animated transparent dialogs opened from other applications.
https://taptrap.click (PDF)
Adobe Patches
Adobe patched 13 different products yesterday. Most concerning are vulnerabilities in ColdFusion that include code execution and arbitrary file disclosure vulnerabilities.
https://helpx.adobe.com
SANS Internet Storm Center StormCast Wednesday, July 9, 2025
Microsoft Patches; Opossum Attack; Ivanti Updates
https://isc.sans.edu/podcastdetail/9518
Microsoft Patch Tuesday, July 2025
Today, Microsoft released patches for 130 Microsoft vulnerabilities and 9 additional vulnerabilities not part of Microsoft's portfolio but distributed by Microsoft. 14 of these are rated critical. Only one of the vulnerabilities was disclosed before being patched, and none of the vulnerabilities have so far been exploited.
https://isc.sans.edu
Opossum Attack
If a TLS server is configured to allow switching from HTTP to HTTPS on a specific port, an attacker may be able to inject a request into the data stream.
https://opossum-attack.com
Ivanti Security Updates
Ivanti fixed vulnerabilities in Ivanti Connect Secure, EPMM, and EPM. In particular the password decryption vulnerability may be interesting.
https://www.ivanti.com/blog/july-security-update-2025
SANS Internet Storm Center StormCast Tuesday, July 8, 2025
Detecting Filename (Windows); Atomic Stealer Now with Backdoor; Houken Intrusion Set; SEO Scams
https://isc.sans.edu/podcastdetail/9516
What’s My File Name
Malware may use the GetModuleFileName API to detect if it was renamed to a name typical for analysis, like sample.exe or malware.exe
https://isc.sans.edu
Atomic macOS infostealer adds backdoor for persistent attacks
A malware analyst discovered a new version of the Atomic macOS infostealer (also known as 'AMOS') that comes with a backdoor, giving attackers persistent access to compromised systems.
https://moonlock.com
Houken Seeking a Path by Living on the Edge with Zero-days
At the beginning of September 2024, an attacker repeatedly exploited CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380 to remotely execute arbitrary code on vulnerable Ivanti Cloud Service Appliance devices.
https://www.cert.ssi.gouv.fr (PDF)
SEO Scams Targeting Putty, WinSCP, and AI Tools
Paid Google ads are advertising trojaned versions of popular tools such as SSH clients and WinSCP.
https://arcticwolf.com
SANS Internet Storm Center StormCast Monday, July 7, 2025
Interesting Usernames; More Sudo Issues; CitrixBleed2 PoC; Short Lived Certs
https://isc.sans.edu/podcastdetail/9514
Interesting ssh/telnet usernames
Some interesting usernames observed in our honeypots
https://isc.sans.edu
More sudo trouble
The host option in Sudo can be exploited to execute commands on unauthorized hosts.
https://www.stratascale.com
CitrixBleed2 PoC Posted (CVE-2025-5777)
WatchTowr published additional details about the recently patched CitrixBleed vulnerability, including a PoC exploit.
https://labs.watchtowr.com
Instagram Using Six Day Certificates
Instagram changes their TLS certificates daily and they use certificates that are just about to expire in a week.
https://hereket.com
SANS Internet Storm Center StormCast Thursday, July 3, 2025
Sudo Problems; Polymorphic ZIP Files; Cisco Vulnerability
https://isc.sans.edu/podcastdetail/9512
Sudo chroot Elevation of Privilege
The sudo chroot option can be leveraged by any local user to elevate privileges to root, even if no sudo rules are defined for that user.
https://www.stratascale.com
Polymorphic ZIP Files
A zip file with a corrupt End of Central Directory Record may extract different data depending on the tool used to extract the files.
https://hackarcana.com
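Added example, not from the hackarcana write-up: a small structural consistency check that flags ZIP files whose End of Central Directory record disagrees with the rest of the archive, which is the condition that makes extraction tool-dependent. The samples are constructed inside the block; the offset arithmetic assumes no Zip64 records and no gap between the central directory and the EOCD.

```python
"""Flag ZIP files whose End of Central Directory (EOCD) record disagrees with
the rest of the archive, the condition that lets two extractors produce
different files. Added example (not from the hackarcana write-up); assumes
no Zip64 records and a central directory that ends where the EOCD begins."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End of central directory record
CDFH_SIG = b"PK\x01\x02"  # Central directory file header
LFH_SIG = b"PK\x03\x04"   # Local file header
EOCD_LEN = 22             # fixed part of the EOCD record


def find_all(data: bytes, sig: bytes) -> list[int]:
    """Every offset at which `sig` occurs (stored file contents could also
    contain these bytes, so counts are a heuristic, not a full parse)."""
    offsets, pos = [], data.find(sig)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(sig, pos + 1)
    return offsets


def parse_eocd(data: bytes, off: int) -> dict:
    """Decode the 22-byte fixed part of the EOCD record at `off`."""
    (_sig, _disk, _cd_disk, _on_disk, total,
     cd_size, cd_offset, comment_len) = struct.unpack_from("<4sHHHHIIH", data, off)
    return {"pos": off, "entries": total, "cd_size": cd_size,
            "cd_offset": cd_offset, "comment_len": comment_len}


def check_zip(data: bytes) -> list[str]:
    """Return findings; an empty list means the structure is self-consistent."""
    findings = []
    eocds = find_all(data, EOCD_SIG)
    if not eocds:
        return ["no EOCD record found"]
    if len(eocds) > 1:
        findings.append(f"{len(eocds)} EOCD records found; extractors may disagree on which is real")
    # Most tools trust the last EOCD. In a well-formed archive the central
    # directory ends exactly where that record begins.
    last = parse_eocd(data, eocds[-1])
    if last["pos"] - last["cd_size"] != last["cd_offset"]:
        findings.append("EOCD central directory offset/size do not line up with the EOCD "
                        "position (prepended or concatenated data)")
    end = last["pos"] + EOCD_LEN + last["comment_len"]
    if end != len(data):
        findings.append(f"{len(data) - end} byte(s) follow the last EOCD record")
    n_lfh, n_cdfh = len(find_all(data, LFH_SIG)), len(find_all(data, CDFH_SIG))
    if n_lfh != last["entries"] or n_cdfh != last["entries"]:
        findings.append(f"EOCD entry count {last['entries']} vs {n_lfh} local / "
                        f"{n_cdfh} central headers")
    return findings


def names_seen_by_python(data: bytes) -> list[str]:
    """What Python's zipfile would extract: it trusts the last EOCD and
    compensates for prepended bytes, silently picking one of the views."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def make_zip(name: str, payload: bytes) -> bytes:
    """Build a one-entry, stored (uncompressed) archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a clean archive, and two archives glued together so the
# file carries two EOCD records and two competing central directories.
CLEAN = make_zip("a.txt", b"hello from A")
TWO_FACED = CLEAN + make_zip("b.txt", b"hello from B, longer payload")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("two-faced", TWO_FACED)):
        print(label, check_zip(blob) or "consistent", names_seen_by_python(blob))
```

A clean archive produces no findings, while the glued sample trips all three structural checks even though Python's zipfile opens it without complaint and shows only the second entry.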
Cisco Unified Communications Manager Static SSH Credentials Vulnerability
A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted.
https://sec.cloudapps.cisco.com