Red Hat: GitLab Breach and OpenShift AI Critical Flaw
(October 1 & 2, 2025)
Following an alleged threat actor’s social media and email claims of data theft from Red Hat, the software company has stated to news sources, "[We are] aware of reports regarding a security incident related to our consulting business and we have initiated necessary remediation steps," also clarifying that the incident "is related to a GitLab instance used solely for Red Hat Consulting on consulting engagements, not GitHub." The Centre for Cybersecurity Belgium (CCB) has published an advisory containing more details, informing Belgian organizations that a data breach at Red Hat Consulting Services compromised "repositories containing Customer Engagement Reports (CERs)" which may include network information, authentication tokens and keys, configuration data, and other details. Red Hat has not publicly commented on these details. The CCB warns of "high risk" to organizations who have interacted with Red Hat Consulting and shared credentials, tokens, or configuration data; those who have implemented integrations involving Red Hat systems; and those who have used Red Hat Consulting services or worked with third-party providers who have, posing a supply chain risk. The CCB advisory recommends that organizations revoke and rotate tokens, keys, and credentials; consult third parties about possible exposure; contact Red Hat directly for guidance; and "increase Monitoring of authentication events, API calls, and system access for anomalies." Unrelatedly, Red Hat also recently disclosed and patched CVE-2025-10725, a CVSS 9.9 flaw in its OpenShift AI platform that allows "a low-privileged attacker with access to an authenticated account" to achieve "a total breach of the platform and all applications hosted on it" by escalating privileges to a full cluster administrator.
Editor's Note
[Neely]
You may want to revoke all credentials/keys and tokens shared with Red Hat or used in integrations and work to get them re-issued. If you’re using OpenShift AI or just want to up your game on cluster privileges, you want to remove the ClusterRoleBinding which links the kueue-batch-user-role to the system:authenticated group, which means you’re going to need to re-grant permission to create jobs to specific users or groups, only as-needed.
Read more in:
- ccb.belgium.be: Hackers (The Crimson Collective) use leaked authentication tokens to access customer systems
- www.darkreading.com: Red Hat Investigates Widespread Breach of Private GitLab Repositories
- www.bleepingcomputer.com: Red Hat confirms security incident after hackers claim GitHub breach
- www.theregister.com: Cybercrims claim raid on 28,000 Red Hat repos, say they have sensitive customer files
- www.theregister.com: 'Delightful' root-access bug in Red Hat OpenShift AI allows full cluster takeover
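The editor's note above recommends removing the ClusterRoleBinding that hands kueue-batch-user-role to the system:authenticated group. The following added audit script (not Red Hat's or SANS' code) scans the JSON that `kubectl get clusterrolebindings -o json` returns and reports any binding that grants a role to the all-users groups, optionally narrowed to the role the note names; the binding name `kueue-batch-user-rolebinding` and the sample bindings are constructed for the example, and it goes beyond the page by flagging every such over-broad binding, not only the kueue one.

```python
import json

# Groups that contain every principal in the cluster, so a role bound to them
# is effectively granted cluster-wide. The editor's note singles out
# system:authenticated; system:unauthenticated is included for completeness.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}


def broad_subjects(binding):
    """Names of the all-users groups among one ClusterRoleBinding's subjects."""
    return [
        s["name"]
        for s in binding.get("subjects") or []
        if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS
    ]


def find_overbroad_bindings(binding_list, role_names=None):
    """Scan a ClusterRoleBindingList (the object returned by
    `kubectl get clusterrolebindings -o json`) for bindings that grant a role
    to every (un)authenticated user. role_names narrows the report to specific
    roles, e.g. {"kueue-batch-user-role"}; None reports every such binding."""
    findings = []
    for b in binding_list.get("items", []):
        role = b.get("roleRef", {}).get("name")
        if role_names is not None and role not in role_names:
            continue
        groups = broad_subjects(b)
        if groups:
            findings.append(
                {"binding": b["metadata"]["name"], "role": role, "groups": groups}
            )
    return findings


def remediation_commands(findings):
    """Deletion commands for an admin to review before running (oc accepts the
    same syntax). Deleting the binding removes the grant; users who legitimately
    need the role must then be bound individually, as the note describes."""
    return [f"kubectl delete clusterrolebinding {f['binding']}" for f in findings]


# Constructed sample in the shape of the API output. The kueue binding name is
# assumed for illustration; system:discovery is a stock binding that is
# expected to be granted to system:authenticated, which is why a role filter
# matters when acting on the results.
SAMPLE_BINDINGS = {
    "kind": "ClusterRoleBindingList",
    "items": [
        {"metadata": {"name": "kueue-batch-user-rolebinding"},
         "roleRef": {"kind": "ClusterRole", "name": "kueue-batch-user-role"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        {"metadata": {"name": "system:discovery"},
         "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        {"metadata": {"name": "data-science-team-batch"},
         "roleRef": {"kind": "ClusterRole", "name": "kueue-batch-user-role"},
         "subjects": [{"kind": "Group", "name": "data-science-team"}]},
    ],
}
SAMPLE_JSON = json.dumps(SAMPLE_BINDINGS)


def audit_json(text, role_names=None):
    """Entry point for real use: pass the text of the kubectl JSON output."""
    return find_overbroad_bindings(json.loads(text), role_names)


if __name__ == "__main__":
    hits = audit_json(SAMPLE_JSON, {"kueue-batch-user-role"})
    for f in hits:
        print(f"{f['binding']}: {f['role']} granted to {', '.join(f['groups'])}")
    for cmd in remediation_commands(hits):
        print("review, then run:", cmd)
```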
CISA Adds Critical sudo Flaw Patched in July to KEV
(September 30, 2025)
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw in the command line utility sudo, used in Linux and Unix-like operating systems including macOS, to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2025-32463, CVSS score 9.3, allows a local attacker not listed in the permitted sudoers file to run arbitrary commands as root by leveraging the -R (--chroot) option to load /etc/nsswitch[.]conf from a user-controlled directory. Rich Mirch with the Stratascale Cyber Research Unit (CRU) originally discovered and reported the flaw, which was patched and publicly disclosed in June 2025 as of sudo 1.9.17p1, with a proof of concept exploit published in July. Federal Civilian Executive Branch agencies are required to patch this vulnerability by October 20.
Editor's Note
[Neely]
This impacts sudo 1.9.14 to 1.9.17 on systems that support /etc/nsswitch[.]conf. Not all Linux distributions are on impacted versions, so you may catch a break; still check, don't assume. A change was made in sudo 1.9.14 to resolve paths via chroot() while the sudoers file was still being evaluated, and if the chroot directory has an /etc/nsswitch[.]conf and corresponding (bogus) libraries/files, these are processed rather than the system defaults. This change was reverted in 1.9.17p1 and the chroot function of sudo is marked as deprecated.
CISA Announces End of Funding for Center for Internet Security MS-ISAC
(September 29 & 30, 2025)
The US Cybersecurity and Infrastructure Security Agency (CISA) has ended its "cooperative agreement with the Center for Internet Security (CIS) [as of] September 30, 2025." CIS president and CEO John Gilligan told The Register that "CIS has been informed that the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency have chosen not to renew federal funding that for the past 20 years has supported the MS-ISAC’s (Multi-State ISAC's) highly effective work to increase the security resilience for state, local, tribal, and territorial (SLTT) organizations," adding that "CIS remains committed to the SLTT community. The new fee-based membership model for the MS-ISAC will permit it to continue to deliver high-impact cybersecurity services including threat intelligence in a variety of forms and formats, best practices and collaboration opportunities, and effective monitoring, blocking, and response to cyber attacks." CISA says it plans to support state, local, tribal, and territorial (SLTT) governments through access to grant funding from the Department of Homeland Security (DHS) and other services.
Editor's Note
[Elgee]
I don't understand how defunding the most effective SLTT platform (MS-ISAC) empowers anyone at the state, local, territorial, and tribal level. 😒 Kudos to CIS for pushing forward with scalable member dues. Here's hoping they can continue their critically important work without direct federal funding!
[Neely]
MS-ISAC is operated by CIS, which announced a fee-based model on September 1, with existing benefits to expire October 1; to continue services you need to sign up for the fee-based service post-haste. The services include threat intelligence, incident response and forensic services, malicious domain blocking and reporting, annual self-assessments, and SOC services, and are well worth the investment. This, mixed with CISA's announcement to provide grants to SLTT organizations, may provide grants to offset the costs of the fee-based services; expect some complexities until the current shutdown is resolved.
[Dukes]
In complete transparency, I am a CIS employee. Unfortunately, one of the support tools referenced by CISA, the State and Local Cybersecurity Grant Program (SLCGP) also lapsed on 1 October. That said, it is heartening to hear that CIS will continue to serve as the ISAC for the SLTT community, providing cybersecurity services.
Read more in:
- statescoop.com: CISA confirms it’s ending MS-ISAC support
- www.theregister.com: Feds cut funding to program that shared cyber threat info with local governments
- www.helpnetsecurity.com: CISA says it will fill the gap as federal funding for MS-ISAC dries up
- www.cisecurity.org: MS-ISAC Services | Membership Overview
- www.cisa.gov: CISA is Strengthening Our Nation’s Security with Direct Cyber Support to State and Local Governments
Broadcom Releases Updates to Address Six Vulnerabilities
(September 29 & 30 and October 1, 2025)
Earlier this week, Broadcom released two advisories to address a total of six vulnerabilities. The first advisory, VMSA-2025-0015, addresses three vulnerabilities in VMware Aria Operations and VMware Tools: a local privilege escalation vulnerability (CVE-2025-41244); a VMware Aria Operations information disclosure vulnerability (CVE-2025-41245); and a VMware Tools improper authorization vulnerability (CVE-2025-41246). Researchers at NVISO say that CVE-2025-41244 has been exploited as a zero-day vulnerability since mid-October 2024. The second advisory, VMSA-2025-0016, addresses three vulnerabilities in VMware vCenter and NSX: a vCenter SMTP header injection vulnerability (CVE-2025-41250); an NSX weak password recovery mechanism vulnerability (CVE-2025-41251); and an NSX username enumeration vulnerability (CVE-2025-41252). Affected products include VMware NSX, NSX-T, VMware Cloud Foundation, VMware vCenter Server, VMware Telco Cloud Platform, and VMware Telco Cloud Infrastructure. All three flaws in the second advisory are rated high severity. Broadcom was alerted to the vulnerabilities by the US National Security Agency.
Editor's Note
[Neely]
Don't overlook the update to VMware Tools on Windows guests, particularly if you're still on version 11; move to 12.5.4 or better still 13.0.5.0. The updates are more friendly than the workarounds, where they apply.
Read more in:
- support.broadcom.com: VMSA-2025-0015: VMware Aria Operations and VMware Tools updates address multiple vulnerabilities (CVE-2025-41244,CVE-2025-41245, CVE-2025-41246)
- support.broadcom.com: VMSA-2025-0016: VMware vCenter and NSX updates address multiple vulnerabilities (CVE-2025-41250, CVE-2025-41251, CVE-2025-41252)
- www.securityweek.com: Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability
- www.scworld.com: Broadcom fixes three high-severity VMware bugs
- blog.nviso.eu: You name it, VMware elevates it (CVE-2025-41244)
OpenSSL Vulnerabilities
(September 30 and October 1, 2025)
The OpenSSL project has released versions 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.0.2zm, and 1.1.1zd of the OpenSSL Library to address three vulnerabilities: CVE-2025-9230, a moderate severity out-of-bounds read/write issue that can be exploited for arbitrary code execution or DoS attacks; CVE-2025-9231, a moderate severity timing side-channel in the SM2 algorithm implementation on 64-bit ARM platforms that could potentially allow remote recovery of the private key; and CVE-2025-9232, a low severity out-of-bounds read issue that can trigger a crash, leading to denial-of-service conditions. Users are urged to update to fixed versions of OpenSSL.
Editor's Note
[Neely]
Deploy updated OpenSSL libraries as they become available for your platforms. The CMS messages in CVE-2025-9230 and SM2 keys in CVE-2025-9342 are not commonly used, but you still want to roll the updated code when it's available as they can be added and exploited.
NIST Publishes Guidance for Protecting OT Systems from Portable Storage Media Threats
(October 1, 2025)
The US National Institute of Standards and Technology's (NIST's) National Cybersecurity Center of Excellence (NCCoE) has published guidance for reducing the cybersecurity risks of portable storage media in OT environments. The document focuses primarily on USB devices, but also addresses external hard drives and CD and DVD drives. "The NCCoE has developed cybersecurity considerations to be integrated into a broader cybersecurity risk management program to help OT personnel use portable storage media securely and effectively," including procedural, physical, and technical controls, and transport and sanitization recommendations.
Editor's Note
[Neely]
Media transfer is the most effective way to get malware to air-gapped systems, and many of you have already implemented controls for scanning and restricting which media can be used. Even so, read NIST SP 1334 (it's only two pages) to make sure you're not missing any tricks. You may want to not only restrict media inserted in your OT systems but also configure your traditional IT systems to only accept approved media; your EDR is likely already able to both restrict and scan removable media. Investigate media transfer stations which scan and transfer information from unsafe media to approved devices.
Read more in:
- www.securityweek.com: NIST Publishes Guide for Protecting ICS Against USB-Borne Threats
- nvlpubs.nist.gov: REDUCING THE CYBERSECURITY RISKS OF PORTABLE STORAGE MEDIA IN OT ENVIRONMENTS (PDF)
ENISA Threat Landscape 2025 Report
(October 2, 2025)
The European Union Agency for Cybersecurity (ENISA) has published the ENISA Threat Landscape 2025 report. The report analyzes nearly 4,900 cyber incidents affecting European organizations between July 2024 and June 2025. Among the findings: the most common initial infection vector was phishing (60%), followed by vulnerabilities (21.3%), botnets (9.9%), and malicious applications (8%). The majority of incident types were identified as DDoS (76.7%), followed by intrusion (17.8%), and the distribution of threats was headed by mobile (42.4%), then web threats (27.3%), operational technology (18.2%), and supply chain (10.6%). The report "integrates additional analysis of adversary behaviours, vulnerabilities and geopolitical drivers, aimed at both strategic and operational audiences, offering an actionable perspective on trends shaping the EU’s cyber threat environment."
Editor's Note
[Neely]
The report reinforces your work on phishing and DDoS protections, expenditures for mobile device security, and that your OT systems are targets. Read the report to make sure that you're ready for the current techniques; the use of AI makes things a little different. For example, expect increasingly sophisticated phishing, with some of our old giveaways becoming a thing of the past.
WestJet, Allianz Life, and Motility Send Breach Notices
(October 1 & 2, 2025)
Three North American companies that experienced data breaches in the summer of 2025 have filed reports with the Office of the Maine Attorney General and are sending notification letters to those affected. Calgary-based airline WestJet discovered unauthorized access to their systems on June 13; they immediately secured their environment, notified authorities, and began investigating with the aid of internal and external experts. WestJet's analysis of the breach concluded on September 15 and determined that 1.2 million individuals' data may have been compromised, including "name, date of birth, [and] mailing address," as well as information about travel documents, accommodations, and complaints. While "no credit card or debit card numbers, expiry dates or CVV numbers or account passwords were involved," WestJet credit card identifier type and WestJet Rewards ID number and points balance along with associated account information, excluding passwords, may also be compromised. The airline recommends affected customers notify others who may have traveled under the same booking number. WestJet is offering 24 months of free identity theft and monitoring through myTrueIdentity, including proactive fraud assistance and expense reimbursement insurance. On July 16, a threat actor breached a third-party cloud customer relationship management (CRM) system used by insurance company Allianz Life; Allianz immediately contained and mitigated the attack, and has found no evidence that Allianz's own network or company systems were accessed. Investigation revealed that information belonging to nearly 1.5 million "customers, financial professionals, and select Allianz Life employees" may have been compromised, including "name, address, date of birth and Social Security number." Allianz is offering 24 months of identity monitoring through Kroll. 
On August 19, vehicle dealership software developer Motility detected unauthorized access to their servers by a threat actor who exfiltrated customer data before encrypting a portion of the company's systems. Motility implemented preventative security measures, restored systems from backups, established dark net monitoring, and engaged experts and legal counsel. Investigation determined that 766,670 customers' information was affected, including "full name, postal address, e-mail address, telephone number, date of birth, social security number, and driver’s license number." Motility is offering 12 months of free identity monitoring services through LifeLock.
Editor's Note
[Neely]
This boils down to about 3.7 million breach notices being sent. Not necessarily the start to fall you're expecting. Your ID Protection service likely already emailed you a heads up, particularly if you're impacted, so make sure your notifications are configured if it didn't. For the enterprise, take a look at the steps Motility took; you should be set to do all the same things. Verify the team is on the same page and prepared.
[Dukes]
I realize that I may sound like a broken record but the length of time from determination of security breach to victim notification is still too great. A security incident investigation taking between 2-4 months leaves ample time for the evildoer to monetize the data. Offering identity theft and monitoring service is a start but not a solution when the bad guy has a 60-120 day head start.
Read more in:
- www.maine.gov: Data Breach Notifications | WestJet
- www.maine.gov: Data Breach Notifications | Allianz Life Insurance Company of North America
- www.maine.gov: Data Breach Notifications | Motility Software Solutions, Inc.
- www.theregister.com: 3.7M breach notification letters set to flood North America's mailboxes
- therecord.media: Millions impacted by data breaches at insurance giant, auto dealership software firm
- www.bleepingcomputer.com: WestJet data breach exposes travel details of 1.2 million customers
- www.bleepingcomputer.com: Allianz Life says July data breach impacts 1.5 million people
- www.securityweek.com: 766,000 Impacted by Data Breach at Dealership Software Provider Motility
UK’s Second Encryption-Breaking Order to Apple Reported
(October 1, 2025)
The UK Government has reportedly issued a second Technical Capability Notice (TCN) to Apple under the country's Investigatory Powers Act, once again demanding access to users' encrypted data, but this time limiting the scope to users in the UK. While the Home Office and Apple are not legally permitted to comment, the Financial Times and BBC report that this new notice "targeting only British users’ data" may represent a compromise following January 2025's TCN targeting all Apple users -- also initially neither confirmed nor denied -- which was withdrawn in August according to US Director of National Intelligence Tulsi Gabbard. Since February, Apple has rescinded and disabled Advanced Data Protection (ADP) encryption for UK users, even after the alleged withdrawal. During an April appeal hearing for the first TCN, the Investigatory Powers Tribunal ruled that the government's desire to withhold the "bare details of the case" from public knowledge is not justified by the possible impacts to public interest and national security. According to the BBC, "A tribunal hearing is still due to take place in January 2026."
Editor's Note
[Neely]
The upshot is that ADP is still not available to UK users. Time to read up on ADP. ADP adds end-to-end encryption to ten iCloud services on top of the base 14 where it already is. This still leaves five data sets, including Mail, Contacts, and Calendars, using standard data protection due to how they interact with other services. When enabled, Apple truly cannot restore access to your data, nor help recover your data if you lose your device. You may have a few use cases where you want to require it, such as when traveling in risky areas. It can be turned off once enabled by the user. Note that it cannot be used for managed Apple accounts and child accounts, and requires users to set up a recovery method. This would be a good time to seriously look at turning ADP on if you haven't already. ADP closes the gap on services which are not end-to-end encrypted in iCloud.
[Dukes]
The UK Government has learned from recent global blowback and has adapted the capability notice. The primary losers in this are the UK citizens that won’t have access to advanced protection capabilities provided organically by AAPL. Other countries will likely follow the UK’s process to gain access to end-to-end encrypted data.
Read more in:
- arstechnica.com: UK once again demands backdoor to Apple’s encrypted cloud storage
- www.bbc.com: Government issues new data demand for UK Apple users
- www.theguardian.com: UK government resumes row with Apple by demanding access to British users’ data
- techcrunch.com: UK government tries again to access encrypted Apple customer data: Report
- www.eff.org: The UK Is Still Trying to Backdoor Encryption for Apple Users
Spyware Campaigns Targeting Users in UAE
(October 2, 2025)
Researchers at ESET have detected spyware campaigns targeting individuals in the United Arab Emirates (UAE). The malware specimens, which are delivered through maliciously crafted web sites and social engineering, are disguised as Android Signal and ToTok apps. The spyware "exfiltrate[s] user data, including documents, media, files, contacts, and chat backups," to servers controlled by the attackers. The spyware campaigns were detected in June 2025; one appears to have been active since 2022, and the other is believed to have been active since 2024. The apps were not available in official app stores – instead, users needed to install them manually from third-party sites. One of the malicious websites is a phony version of the Samsung Galaxy Store.
Editor's Note
[Neely]
The downside of unofficial app stores is that they don't have the same restrictions the official ones do, and users can be tricked into loading software under false pretenses, such as an apparently improved Signal or ToTok app. Google Protect is detecting/blocking known versions of this spyware. Even so, develop strong guidance if you are permitting unofficial app store use. Note, I had to check: they *do* mean ToTok, which is a messaging and VoIP application developed by G42 around 2019.
[Dukes]
Seems like old tradecraft repurposed that continues to prove effective for the evildoer: website watering holes and social engineering. We continue to have a collective user awareness problem. Training can help, but ultimately secure configuration, effective patch management, and active monitoring are what's required.
Read more in:
- www.welivesecurity.com: New spyware campaigns target privacy-conscious Android users in the UAE
- cyberscoop.com: Android spyware disguised as legitimate messaging apps targets UAE victims, researchers reveal
- therecord.media: Researchers uncover spyware targeting messaging app users in the UAE
SANS Internet Storm Center StormCast Friday, October 3, 2025
More .well-known Scans; RedHat Openshift Patch; TOTOLINK Vuln; DrayOS Vulnerability
https://isc.sans.edu/podcastdetail/9640
More .well-known scans
Attackers are using API documentation automatically published in the .well-known directory for reconnaissance.
https://isc.sans.edu/diary
RedHat Patches Openshift AI Services
A flaw was found in Red Hat Openshift AI Service. A low-privileged attacker with access to an authenticated account, for example, as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator.
https://access.redhat.com/security
TOTOLINK X6000R Vulnerabilities
Palo Alto Networks released details regarding three recently patched vulnerabilities in TOTOLINK X6000R routers.
https://unit42.paloaltonetworks.com
DrayOS Vulnerability Patched
Draytek fixed a single memory corruption vulnerability in its Vigor series router. An unauthenticated user may use it to execute arbitrary code.
https://www.draytek.com
SANS Internet Storm Center StormCast Thursday, October 2, 2025
Honeypot Passwords; OneLogin Vuln; Breaking Intel SGX; OpenSSL Patch
https://isc.sans.edu/podcastdetail/9638
Comparing Honeypot Passwords with HIBP
Most passwords used against our honeypots are also found in the “Have I been pwn3d” list. However, the few percent that are not found tend to be variations of known passwords, extending them to find likely mutations.
https://isc.sans.edu/diary
Breaking Server SGX via DRAM Inspection
By observing read and write operations to memory, it is possible to derive keys stored in SGX and break the security of systems relying on SGX.
https://wiretap.fail/files/wiretap.pdf
OneLogin OIDC Vulnerability
A vulnerability in OneLogin can be used to read secret application keys.
https://www.clutch.security/blog
OpenSSL Patch
OpenSSL patched three vulnerabilities. One could lead to remote code execution, but the feature is used infrequently, and the exploit is difficult, according to OpenSSL.
https://openssl-library.org/news/vulnerabilities/index.html