Author: Mark

  • How to Advance from SOC Manager to CISO?


    Making the move from managing a security operations center (SOC) to being a chief information security officer (CISO) is a significant career leap. You need not only a solid foundation of technical knowledge but also leadership skills and business acumen.

    This article will guide you through the practical steps and skills you’ll need to nab an executive cybersecurity job and make the promotion from SOC manager to CISO a reality.

    Is the CISO role right for you?

    It’s always a good idea to think about how you could move up and grow in your career. Aspiring to be a CISO can be a great career move.

    Additionally, certain operational tasks in cybersecurity, especially in a SOC, are becoming increasingly automated, making it vital to develop strategic and leadership skills to stay ahead. Having ambitious goals helps you, as a SOC analyst or lead, stay relevant and valuable in what is a constantly changing field.

    However, the role of CISO is significantly different from other roles in cybersecurity and comes with its own set of challenges. So, while it is a good option, it’s not the only path and might not suit everyone’s strengths and career goals. It’s my hope that this article will lay out what being a CISO is all about so you can determine if it’s the path you want to take.

    Key skills for executive growth

    For those looking to take on executive and leadership roles like CISO, it’s essential to develop skills beyond the scope of your typical IT role.

    Having a comprehensive IT background is a significant advantage, especially when it comes to security vulnerabilities and how to respond to incidents. But you can’t focus solely on technical expertise at the expense of vital leadership, communication, and strategic thinking skills needed for the position of CISO.

    Remember: You’ll have to relay complex security matters to stakeholders outside IT, and do so in a way that they can easily understand the issues at stake.

    Let’s break down the areas you’ll need to develop for an executive role.

    Strategic thinking

    Strategic thinking demands a firm grip on the organization’s core operations, particularly how it generates revenue and its key value streams. This perspective allows security professionals to align their efforts with business objectives, rather than operating in isolation.

    Business acumen

    This is related to strategic thinking but emphasizes knowledge of risk management and finance. Security leaders must factor in financial impacts to justify security investments and manage risks effectively.

    Balancing security measures with user experience and system availability is another critical aspect. If security policies are too strict, productivity can suffer; if they’re too permissive, the company can be exposed to threats. Decisions must consider the impact of security actions on the broader business environment.

    Communication

    Effective communication is vital for translating technical details into language senior stakeholders can grasp and act upon. This means avoiding jargon and abbreviations and conveying information in a simple, direct manner that resonates with multiple stakeholders, including executives who may not have a deep technical background.

    Communicating the impact of security initiatives in clear, concise language ensures decisions are well-informed and support company goals.

    Service management

    You will have to ensure technical services meet business requirements, particularly in managing service delivery, implementing change, and resolving issues. All of this is essential for a secure and efficient IT infrastructure.

    Knowledge of risk management, as mentioned above, is fundamental to identifying, assessing, and mitigating risks. It helps align security strategies with business goals, facilitating informed decisions and resource allocation.

    Compliance

    Being aware of compliance requirements, involving adherence to regulatory and industry standards (e.g., GDPR, HIPAA, NIS2, PCI DSS), is critical for ensuring legal and ethical operations. Understanding these mandates helps in implementing appropriate security controls and policies.

    Exposure to legal aspects, such as data privacy laws and intellectual property rights, broadens the perspective necessary for the CISO role and for interactions with external bodies and with internal ones such as the governance, risk, and compliance (GRC) function within your organization. Here, formal education, including a degree in computer science or cybersecurity, combined with continuous learning via industry courses and certifications, strengthens your expertise; it also prepares you for leadership responsibilities and demonstrates your readiness to take on the challenges that come with the job.

    Practical advice for career transition

    To successfully transition and advance your cybersecurity career, you’ll need to take concrete strategic steps toward a CISO role.

    Gaining visibility, building influence, and getting promoted

    To advance your cybersecurity career, make your value known. Share your contributions and accomplishments within your team and with other departments and leadership.

    When presenting data, make it actionable by showing how the information drives improvements and supports business goals via tactical metrics and simple language. Also, actively look for opportunities to contribute to broader initiatives and offer solutions to challenges that extend beyond your current role and responsibilities.

    To set yourself apart as someone ready for a promotion to the executive level, take initiative and demonstrate a willingness to lead.

    Avoiding common pitfalls

    One common mistake is to communicate based on your or another person’s assumptions. Always verify information, and remember, opinions are not facts.

    Another pitfall is believing your angle or viewpoint is the only correct one. Other perspectives exist and hold value.

    As much as possible, embrace a collaborative approach, focused on building consensus and defining the right direction rather than prioritizing speed. This means engaging in open discussions, listening to feedback, and working towards a shared understanding. This will yield a stronger foundation for initiatives and avoid potential disagreements or misinterpretations down the road.

    What exactly does being a CISO entail?

    To succeed at the executive level, you need to be aware of the nuances of the CISO job, expectations depending on your company’s structure, and the different roles you’ll have to fulfill before being entrusted with the title of CISO.

    Who does your CISO report to?

    The reporting structure of a chief information security officer varies widely across organizations. Often, the CISO reports to the chief information officer (CIO). In this structure, security is seen as a subset of IT, focusing on the technical aspects of protecting data and systems.

    However, as cybersecurity risks become more business-critical, CISOs are increasingly reporting to the chief financial officer (CFO) or the chief risk officer (CRO). Reporting to the CFO emphasizes the financial impact of security breaches and the need for risk-based security investments. But if you’re reporting to the CRO, you’ll need to highlight the enterprise-wide risk management perspective, ensuring security is integrated into broader organizational risk strategies.

    The reporting line significantly influences the CISO’s priorities and scope of authority, reflecting a company’s overall security maturity and approach to risk. It’s a good idea to consider your own company’s structure and how it aligns with your career goals and potential advancement.

    What changes at the top: Roles & expectations

    Transitioning from a technical lead to an executive role like CISO entails a complete shift in expectations.

    As a technical lead, the focus is primarily on hands-on implementation, troubleshooting, and technical problem-solving. At the executive level, the emphasis shifts to strategy, leadership, and business alignment.

    CISOs are expected to develop and execute a comprehensive security strategy that protects the organization’s assets while enabling business operations. This is where decision-making becomes more strategic, requiring CISOs to balance risk mitigation with business objectives.

    They must also effectively communicate technical risks to senior management in terms of their business impact. This covers everything from budgeting and policy development to regulatory compliance and security team management.

    Key roles & responsibilities above technical lead

    Advancement from technical lead to CISO involves several intermediate roles; each one has distinct responsibilities and demands a higher level of leadership, strategic thinking, and business savvy.

    A SOC manager oversees the daily operations of the security operations center. That means making sure incident detection and response are efficient and effective. Responsibilities here include managing staff, developing processes, and reporting on metrics.

    A director of security typically has a broader scope, handling multiple security functions like network security, application security, and vulnerability management. Directors develop security programs, manage budgets, and ensure compliance with regulations.

    The CISO is the top security executive, responsible for the overall security strategy and posture of the organization. They align security with business goals, manage risk, and communicate with executive leadership.

    Becoming a CISO is a progressive journey of developing skills and taking on broader responsibilities.

    Summary and key takeaways

    The journey from a SOC analyst or manager to CISO is a significant undertaking. You’re not just becoming a better expert but evolving into a leader who can align security with business objectives.

    Embracing a leadership mindset involves more than just managing tasks. You need to inspire teams, influence stakeholders, and drive strategic decisions. All of this takes communication skills, strategic thinking, and business acumen to manage risks effectively and communicate complex technical information in simple terms.

    Be proactive in seeking visibility and influence within your organization and avoid common pitfalls like making assumptions and prioritizing speed over consensus.

    Finally, understand the reporting structure and evolving expectations of a CISO. By setting long-term goals and embracing a leadership mindset, you can successfully navigate the transition to a CISO and thrive in what is both a challenging and rewarding role.

    Adaptive AI for the SOC

    Interested in learning how you can build a modern SOC that focuses your analysts on real threats, eliminating false positives and alert fatigue? Radiant Security’s adaptive AI SOC platform can autonomously triage ALL alert types (without any pre-training required), dynamically generating a tailored response for every threat that can be reviewed by human analysts and implemented in 1 click or automatically.

    To see Radiant in action, book a demo here.



    Source: thehackernews.com…

  • Ivanti Flaws Exploited to Drop MDifyLoader and Launch In-Memory Cobalt Strike Attacks


    Jul 18, 2025 | Ravie Lakshmanan | Malware / Vulnerability

    Cybersecurity researchers have disclosed details of a new malware called MDifyLoader that has been observed in conjunction with cyber attacks exploiting security flaws in Ivanti Connect Secure (ICS) appliances.

    According to a report published by JPCERT/CC today, the threat actors behind the exploitation of CVE-2025-0282 and CVE-2025-22457 in intrusions observed between December 2024 and July 2025 have weaponized the vulnerabilities to drop MDifyLoader, which is then used to launch Cobalt Strike in memory.

    CVE-2025-0282 is a critical security flaw in ICS that could permit unauthenticated remote code execution. It was addressed by Ivanti in early January 2025. CVE-2025-22457, patched in February 2025, concerns a stack-based buffer overflow that could be exploited to execute arbitrary code.


    Both vulnerabilities have been exploited in the wild: CVE-2025-0282 as a zero-day, and CVE-2025-22457 after a patch was already available (see Ivanti’s statement further below). Previous findings from JPCERT/CC in April had revealed that the first of the two issues was abused to deliver malware families like SPAWNCHIMERA and DslogdRAT.

    The latest analysis of the attacks involving ICS vulnerabilities has unearthed the use of DLL side-loading techniques to launch MDifyLoader that includes an encoded Cobalt Strike beacon payload. The beacon has been identified as version 4.5, which was released in December 2021.

    “MDifyLoader is a loader created based on the open-source project libPeConv,” JPCERT/CC researcher Yuma Masubuchi said. “MDifyLoader then loads an encrypted data file, decodes Cobalt Strike Beacon, and runs it on memory.”

    Also put to use is a Go-based remote access tool named VShell and another open-source network scanning utility written in Go called Fscan. It’s worth noting that both programs have been adopted by various Chinese hacking groups in recent months.

    The execution flow of Fscan

    Fscan has been found to be executed by means of a loader, which, in turn, is launched using DLL side-loading. The rogue DLL loader is based on the open-source tool FilelessRemotePE.

    “The used VShell has a function to check whether the system language is set to Chinese,” JPCERT/CC said. “The attackers repeatedly failed to execute VShell, and it was confirmed that each time they had installed a new version and attempted execution again. This behavior suggests that the language-checking function, likely intended for internal testing, was left enabled during deployment.”


    Upon gaining a foothold in the internal network, the attackers are said to have brute-forced FTP, MS-SQL, and SSH servers to obtain credentials, and to have used the EternalBlue SMB exploit (MS17-010) in an attempt to move laterally across the network.

    “The attackers created new domain accounts and added them to existing groups, allowing them to retain access even if previously acquired credentials were revoked,” Masubuchi said.

    “These accounts blend in with normal operations, enabling long-term access to the internal network. Additionally, the attackers registered their malware as a service or a task scheduler to maintain persistence, ensuring it would run at system startup or upon specific event triggers.”
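    The persistence pattern described above (new domain accounts quietly added to existing groups, and malware registered as a service or scheduled task) leaves a trail in standard Windows event logs. What follows is an added example, not code from the JPCERT/CC report or from this article: it correlates constructed sample events of the kind a SIEM extracts from the Security and System logs. The event IDs are the real Windows ones; the accounts, hosts, binary paths, the privileged-group list and the suspicious-path list are assumptions for the demonstration.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events, NOT real telemetry. Shaped like the normalized fields
# a SIEM extracts from the Windows Security and System logs. Event IDs used:
#   4720  user account created             (Security)
#   4728  member added to a global group   (Security)
#   4732  member added to a local group    (Security)
#   7045  new service installed            (System)
#   4698  scheduled task created           (Security)
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2025-03-04T02:13:40", "id": 4720, "host": "DC01", "subject": "CORP\\svc_backup",
     "target": "CORP\\helpdesk2"},
    {"time": "2025-03-04T02:14:02", "id": 4728, "host": "DC01", "subject": "CORP\\svc_backup",
     "target": "CORP\\helpdesk2", "group": "Domain Admins"},
    {"time": "2025-03-04T02:20:11", "id": 7045, "host": "FS01", "subject": "CORP\\helpdesk2",
     "name": "WinUpdSvc", "image": "C:\\ProgramData\\updt\\svchost.exe"},
    {"time": "2025-03-04T02:21:30", "id": 4698, "host": "FS01", "subject": "CORP\\helpdesk2",
     "name": "\\Microsoft\\Windows\\Maint\\Sync", "image": "C:\\ProgramData\\updt\\sync.exe"},
    {"time": "2025-03-06T09:00:00", "id": 4720, "host": "DC01", "subject": "CORP\\hr_admin",
     "target": "CORP\\jdoe"},
    {"time": "2025-03-06T09:30:00", "id": 4728, "host": "DC01", "subject": "CORP\\hr_admin",
     "target": "CORP\\jdoe", "group": "Staff"},
    {"time": "2025-03-06T11:00:00", "id": 7045, "host": "WS07", "subject": "NT AUTHORITY\\SYSTEM",
     "name": "VendorAgent", "image": "C:\\Program Files\\Vendor\\agent.exe"},
]

# Groups whose membership grants broad access (assumption; tune to the environment).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Remote Desktop Users", "Backup Operators"}
# Locations from which a service binary or task action should rarely run (assumption).
SUSPICIOUS_IMAGE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def find_persistence(events: List[Dict], window: timedelta = timedelta(hours=1)) -> List[Dict]:
    """Correlate account creation with group-membership changes that follow it, and
    flag service/task creation done by a freshly created account or from an odd path."""
    findings: List[Dict] = []
    created: Dict[str, Dict] = {}            # account name -> its 4720 event
    for e in sorted(events, key=_ts):
        if e["id"] == 4720:
            created[e["target"]] = e
        elif e["id"] in (4728, 4732):
            c = created.get(e["target"])
            if c is None or _ts(e) - _ts(c) > window:
                continue                      # membership change unrelated to a new account
            severity = "high" if e["group"] in PRIVILEGED_GROUPS else "medium"
            findings.append({"rule": "new-account-added-to-group", "severity": severity,
                             "account": e["target"], "group": e["group"],
                             "by": e["subject"], "host": e["host"]})
        elif e["id"] in (7045, 4698):
            c = created.get(e["subject"])
            by_new_account = c is not None and _ts(e) - _ts(c) <= window
            odd_path = e["image"].lower().startswith(SUSPICIOUS_IMAGE_PREFIXES)
            if by_new_account or odd_path:
                findings.append({"rule": "service-or-task-persistence", "severity": "high",
                                 "event": e["id"], "name": e["name"], "image": e["image"],
                                 "by": e["subject"], "host": e["host"],
                                 "by_new_account": by_new_account})
    return findings


if __name__ == "__main__":
    for finding in find_persistence(SAMPLE_EVENTS):
        print(finding)
```

    On the sample data the rule set yields four findings: the new account that lands in Domain Admins within a minute of creation, the service and the scheduled task that account then registers from ProgramData, and a medium-severity note for a new account added to an ordinary group, which is exactly the kind of "blends in with normal operations" change that deserves a second look during an incident. The one-hour window and the path list are starting points, not thresholds with any special meaning.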

    Update

    Following the publication of the story, an Ivanti spokesperson shared the below statement with The Hacker News –

    These vulnerabilities were previously identified and patched by Ivanti. Customers that are on the latest version of Ivanti Connect Secure are not vulnerable.

    CVE-2025-22457 was patched by Ivanti in February 2025. It is an N-Day that only affected unpatched or older versions of Ivanti products, including a Pulse Connect Secure version that is no longer supported.

    CVE-2025-0282 was patched in January. Customers who patched and followed Ivanti’s instructions at the time have addressed this vulnerability.

    The security and protection of our customers remain our top priority, and Ivanti strongly encourages customers to remain on the latest version of a solution so they can benefit from important security and product enhancements.

    (The story was updated after publication to include a response from Ivanti. The article was updated to correct that patches for CVE-2025-22457 were first available in February 2025, and not April as previously stated. It’s worth noting that the flaw was only publicly disclosed in April.)


    Source: thehackernews.com…

  • Hackers Exploit SharePoint Zero-Day Since July 7 to Steal Keys, Maintain Persistent Access


    The recently disclosed critical Microsoft SharePoint vulnerability has been under exploitation as early as July 7, 2025, according to findings from Check Point Research.

    The cybersecurity company said it observed first exploitation attempts targeting an unnamed major Western government, with the activity intensifying on July 18 and 19, spanning government, telecommunications, and software sectors in North America and Western Europe.

    Check Point also said the exploitation efforts originated from three different IP addresses – 104.238.159[.]149, 107.191.58[.]76, and 96.9.125[.]147 – one of which was previously tied to the weaponization of security flaws in Ivanti Endpoint Manager Mobile (EPMM) appliances (CVE-2025-4427 and CVE-2025-4428).

    “We’re witnessing an urgent and active threat: a critical zero-day in SharePoint on-prem is being exploited in the wild, putting thousands of global organizations at risk,” Lotem Finkelstein, Director of Threat Intelligence at Check Point Research, told The Hacker News.

    “Our team has confirmed dozens of compromise attempts across government, telecom, and tech sectors since July 7. We strongly urge enterprises to update their security systems immediately – this campaign is both sophisticated and fast-moving.”

    The attack chains have been observed leveraging CVE-2025-53770, a newly patched remote code execution flaw in SharePoint Server, and chaining it with CVE-2025-49706, a spoofing vulnerability that was patched by Microsoft as part of its July 2025 Patch Tuesday update, to gain initial access and escalate privileges.


    It’s worth mentioning at this stage that there are two sets of vulnerabilities in SharePoint that have come to light this month –

    • CVE-2025-49704 (CVSS score: 8.8) – Microsoft SharePoint Remote Code Execution Vulnerability (Fixed on July 8, 2025)
    • CVE-2025-49706 (CVSS score: 7.1) – Microsoft SharePoint Server Spoofing Vulnerability (Fixed on July 8, 2025)
    • CVE-2025-53770 (CVSS score: 9.8) – Microsoft SharePoint Server Remote Code Execution Vulnerability
    • CVE-2025-53771 (CVSS score: 7.1) – Microsoft SharePoint Server Spoofing Vulnerability

    CVE-2025-49704 and CVE-2025-49706, collectively referred to as ToolShell, form an exploitation chain that can lead to remote code execution on SharePoint Server instances. They were originally demonstrated by Viettel Cyber Security at the Pwn2Own 2025 hacking competition in May.

    CVE-2025-53770 and CVE-2025-53771, which came to light over the weekend, have been described as variants of CVE-2025-49704 and CVE-2025-49706, respectively, indicating that they are bypasses for the original fixes put in place by Microsoft earlier this month.

    This is evidenced by the fact that Microsoft acknowledged active attacks exploiting “vulnerabilities partially addressed by the July Security Update.” The company also noted in its advisories that the updates for CVE-2025-53770 and CVE-2025-53771 include “more robust protections” than the updates for CVE-2025-49704 and CVE-2025-49706. However, it bears noting that CVE-2025-53771 has not been flagged by Redmond as actively exploited in the wild.

    “CVE-2025-53770 exploits a weakness in how Microsoft SharePoint Server handles the deserialization of untrusted data,” Martin Zugec, technical solutions director at Bitdefender, said. “Attackers are leveraging this flaw to gain unauthenticated remote code execution.”

    This, in turn, is achieved by deploying malicious ASP.NET web shells that programmatically extract sensitive cryptographic keys. These stolen keys are subsequently leveraged to craft and sign malicious __VIEWSTATE payloads, thereby establishing persistent access and enabling the execution of arbitrary commands on SharePoint Server.

    According to Bitdefender telemetry, in-the-wild exploitation has been detected in the United States, Canada, Austria, Jordan, Mexico, Germany, South Africa, Switzerland, and the Netherlands, suggesting widespread abuse of the flaw.

    Palo Alto Networks Unit 42, in its own analysis of the campaign, said it observed commands being run to execute a Base64-encoded PowerShell command, which creates a file at the location “C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx” (the short-name form of the SharePoint 16 hive’s LAYOUTS directory) and then parses its content.

    “The spinstall0.aspx file is a web shell that can execute various functions to retrieve ValidationKeys, DecryptionKeys, and the CompatibilityMode of the server, which are needed to forge ViewState Encryption keys,” Unit 42 said in a threat brief.

    Content of spinstall0.aspx

    In an advisory issued Monday, SentinelOne said it first detected exploitation on July 17, with the cybersecurity company identifying three “distinct attack clusters,” including state-aligned threat actors, engaging in reconnaissance and early-stage exploitation activities.

    Targets of the campaigns include technology consulting, manufacturing, critical infrastructure, and professional services tied to sensitive architecture and engineering organizations.

    “The early targets suggest that the activity was initially carefully selective, aimed at organizations with strategic value or elevated access,” researchers Simon Kenin, Jim Walter, and Tom Hegel said.

    Analysis of the attack activity has revealed the use of a password-protected ASPX web shell (“xxx.aspx”) on July 18, 2025, at 9:58 a.m. GMT. The web shell supports three functions: Authentication via an embedded form, command execution via cmd.exe, and file upload.

    Subsequent exploitation efforts have been found to employ the “spinstall0.aspx” web shell to extract and expose sensitive cryptographic material from the host.

    Spinstall0.aspx is “not a traditional command webshell but rather a reconnaissance and persistence utility,” the researchers explained. “This code extracts and prints the host’s MachineKey values, including the ValidationKey, DecryptionKey, and cryptographic mode settings — information critical for attackers seeking to maintain persistent access across load-balanced SharePoint environments or to forge authentication tokens.”

    Unlike other web shells that are typically dropped on internet-exposed servers to facilitate remote access, spinstall0.aspx appears to be designed with the sole intention of gathering cryptographic secrets that could then be used to forge authentication or session tokens across SharePoint instances.


    These attacks, per CrowdStrike, commence with a specially crafted HTTP POST request to an accessible SharePoint server that attempts to write spinstall0.aspx via PowerShell. The company said it blocked hundreds of exploitation attempts across more than 160 customer environments.

    SentinelOne also discovered a cluster dubbed “no shell” that took a “more advanced and stealthy approach” to other threat actors by opting for in-memory .NET module execution without dropping any payloads on disk. The activity originated from the IP address 96.9.125[.]147.

    “This approach significantly complicates detection and forensic recovery, underscoring the threat posed by fileless post-exploitation techniques,” the company said, positing that it’s either a “skilled red team emulation exercise or the work of a capable threat actor with a focus on evasive access and credential harvesting.”

    It’s currently not known who is behind the attack activity, although Google-owned Mandiant has attributed the early exploitation to a China-aligned hacking group.

    Data from Censys shows that there are 9,762 on-premises SharePoint servers online, although it’s currently not known if all of them are susceptible to the flaws. Given that SharePoint servers are a lucrative target for threat actors due to the nature of sensitive organizational data stored in them, it’s essential that users move quickly to apply the fixes, rotate the keys, and restart the instances.

    “We assess that at least one of the actors responsible for the early exploitation is a China-nexus threat actor,” Charles Carmakal, CTO, Mandiant Consulting at Google Cloud, said in a post on LinkedIn. “We’re aware of victims in several sectors and global geographies. The activity primarily involved the theft of machine key material which could be used to access victim environments after the patch has been applied.”
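    Why stolen machine keys matter after the patch is applied, and why the advice above is to rotate keys and not merely to update, is easiest to see with a small model. The following is an added example, not code from any of the vendors quoted or from this article, and it deliberately simplifies ASP.NET: it treats the __VIEWSTATE field as payload plus an HMAC-SHA256 under a single ValidationKey, without the purpose-specific key derivation, encryption, or serialization format the real framework uses. The server class, key sizes and the payload strings are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

MAC_LEN = hashlib.sha256().digest_size   # 32 bytes


def make_viewstate(payload: bytes, validation_key: bytes) -> str:
    """Serialize payload || HMAC-SHA256(validation_key, payload) as base64.
    Simplified model of a MAC-protected __VIEWSTATE field (assumption, see lead-in)."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def verify_viewstate(field: str, validation_key: bytes) -> Optional[bytes]:
    """Return the payload if its MAC verifies under validation_key, else None.
    A server would only deserialize a payload that passes this check."""
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError:                      # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


class SharePointLikeServer:
    """Stand-in for a server with a machineKey ValidationKey (assumption: one key,
    no purpose-specific derivation, no DecryptionKey; the real machineKey has more parts)."""

    def __init__(self) -> None:
        self.validation_key = secrets.token_bytes(64)

    def rotate_keys(self) -> None:
        self.validation_key = secrets.token_bytes(64)

    def accepts(self, field: str) -> bool:
        return verify_viewstate(field, self.validation_key) is not None


def simulate_key_theft() -> dict:
    srv = SharePointLikeServer()
    # 1. A spinstall0.aspx-style page hands the attacker the ValidationKey.
    stolen_key = srv.validation_key
    # 2. The RCE bug that placed the page is patched; the key itself is unchanged,
    #    so a field signed with the stolen key is still accepted.
    forged = make_viewstate(b"<attacker-chosen serialized object graph>", stolen_key)
    accepted_after_patch = srv.accepts(forged)
    # 3. Without the key a correct MAC cannot be produced ...
    guessed = make_viewstate(b"<attacker-chosen serialized object graph>", secrets.token_bytes(64))
    accepted_without_key = srv.accepts(guessed)
    # ... and a single flipped bit in a genuine field is rejected too.
    genuine = base64.b64decode(make_viewstate(b"legit state", srv.validation_key))
    tampered = base64.b64encode(bytes([genuine[0] ^ 0x01]) + genuine[1:]).decode("ascii")
    accepted_tampered = srv.accepts(tampered)
    # 4. Rotating the machineKey invalidates everything signed with the stolen key.
    srv.rotate_keys()
    accepted_after_rotation = srv.accepts(forged)
    return {"after_patch": accepted_after_patch,
            "without_key": accepted_without_key,
            "tampered": accepted_tampered,
            "after_rotation": accepted_after_rotation}


if __name__ == "__main__":
    print(simulate_key_theft())
```

    The model reproduces the operational point: the MAC does its job against an attacker who lacks the key, and the patch closes the door the key walked out through, but neither revokes a key that has already been read. Only rotation does, which is why a machine-key rotation (and, in a load-balanced farm, rotation on every node that shares the key) belongs in the response alongside the update and the restart.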


    Source: thehackernews.com…

  • China-Linked Hackers Launch Targeted Espionage Campaign on African IT Infrastructure


    Jul 21, 2025 | Ravie Lakshmanan | Browser Security / Malware

    Espionage Campaign on African IT Infrastructure

    The China-linked cyber espionage group tracked as APT41 has been attributed to a new campaign targeting government IT services in the African region.

    “The attackers used hardcoded names of internal services, IP addresses, and proxy servers embedded within their malware,” Kaspersky researchers Denis Kulik and Daniil Pogorelov said. “One of the C2s [command-and-control servers] was a captive SharePoint server within the victim’s infrastructure.”

    APT41 is the moniker assigned to a prolific Chinese nation-state hacking group that’s known for targeting organizations spanning multiple sectors, including telecom and energy providers, educational institutions, healthcare organizations and IT companies in more than three dozen countries.

    What makes the campaign noteworthy is its focus on Africa, which, as the Russian cybersecurity vendor noted, “had experienced the least activity” from this specific threat actor. That said, the findings line up with previous observations from Trend Micro that the continent has found itself in its crosshairs since late 2022.


    Kaspersky said it began an investigation after it found “suspicious activity” on multiple workstations associated with an unnamed organization’s IT infrastructure that involved the attackers running commands to ascertain the availability of their C2 server, either directly or via an internal proxy server within the compromised entity.

    “The source of the suspicious activity turned out to be an unmonitored host that had been compromised,” the researchers noted. “Impacket was executed on it in the context of a service account. After the Atexec and WmiExec modules finished running, the attackers temporarily suspended their operations.”

    Soon after, the attackers are said to have harvested credentials associated with privileged accounts to facilitate privilege escalation and lateral movement, ultimately deploying Cobalt Strike for C2 communication using DLL side-loading.

    The malicious DLLs incorporate a check to verify the language packs installed on the host and proceed with the execution only if the following language packs are not detected: Japanese, Korean (South Korea), Chinese (Mainland China), and Chinese (Taiwan).

    The attack is also characterized by the use of a hacked SharePoint server for C2 purposes, using it to send commands that are run by a C#-based malware uploaded to the victim hosts.

    “They distributed files named agents.exe and agentx.exe via the SMB protocol to communicate with the server,” Kaspersky explained. “Each of these files is actually a C# trojan whose primary function is to execute commands it receives from a web shell named CommandHandler.aspx, which is installed on the SharePoint server.”

    This method blends traditional malware deployment with living-off-the-land tactics, where trusted services like SharePoint are turned into covert control channels. These behaviors align with techniques categorized under MITRE ATT&CK, including T1071.001 (Web Protocols) and T1047 (WMI), making them difficult to detect using signature-based tools alone.
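    Both of the web-shell patterns on this page (the spinstall0.aspx and xxx.aspx pages dropped into the SharePoint LAYOUTS directory in the previous article, and the CommandHandler.aspx page that agents.exe/agentx.exe poll for commands here) leave traces in the SharePoint server’s own IIS logs, so one hunting script can serve both. The following is an added example, not code from Kaspersky, Unit 42, SentinelOne or this article. The log excerpt is constructed, with a reduced field set; the LAYOUTS baseline, the site paths, the client addresses and the detection thresholds are assumptions for the demonstration.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed W3C extended-log excerpt (NOT a real capture). The parser honours whatever
# "#Fields:" line the server wrote, so a production log with more columns parses the same way.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-18 09:58:01 POST /_layouts/15/xxx.aspx - 203.0.113.9 200
2025-07-18 09:58:05 POST /_layouts/15/xxx.aspx - 203.0.113.9 200
2025-07-18 10:02:10 GET /_layouts/15/spinstall0.aspx - 203.0.113.9 200
2025-07-18 10:00:00 GET /sites/it/CommandHandler.aspx - 10.0.1.21 200
2025-07-18 10:01:01 GET /sites/it/CommandHandler.aspx - 10.0.1.21 200
2025-07-18 10:02:00 GET /sites/it/CommandHandler.aspx - 10.0.1.21 200
2025-07-18 10:02:59 GET /sites/it/CommandHandler.aspx - 10.0.1.21 200
2025-07-18 10:04:00 GET /sites/it/CommandHandler.aspx - 10.0.1.21 200
2025-07-18 10:00:30 GET /sites/it/CommandHandler.aspx - 10.0.1.22 200
2025-07-18 10:01:31 GET /sites/it/CommandHandler.aspx - 10.0.1.22 200
2025-07-18 10:02:29 GET /sites/it/CommandHandler.aspx - 10.0.1.22 200
2025-07-18 10:03:31 GET /sites/it/CommandHandler.aspx - 10.0.1.22 200
2025-07-18 10:00:12 GET /sites/it/SitePages/Home.aspx - 10.0.1.40 200
2025-07-18 10:07:45 GET /sites/it/SitePages/Home.aspx - 10.0.1.40 200
2025-07-18 10:08:03 GET /sites/it/Lists/Tasks/AllItems.aspx - 10.0.1.40 200
2025-07-18 10:31:20 GET /sites/it/SitePages/Home.aspx - 10.0.1.40 200
2025-07-18 10:40:00 GET /_layouts/15/start.aspx - 10.0.1.40 200
"""

# Pages expected under /_layouts/ on this farm. Assumption: build the real list from a
# clean install or a known-good peer, never from the suspect server itself.
LAYOUTS_BASELINE: Set[str] = {"start.aspx", "settings.aspx", "viewlsts.aspx", "signout.aspx"}


def parse_iis_log(text: str) -> List[Dict]:
    """Parse W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields: List[str] = []
    rows: List[Dict] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()                 # IIS replaces spaces inside values with '+'
        if len(values) != len(fields):
            continue                          # malformed line; skip rather than misalign
        row = dict(zip(fields, values))
        row["ts"] = datetime.fromisoformat(row["date"] + "T" + row["time"])
        rows.append(row)
    return rows


def unknown_layouts_pages(rows: List[Dict], baseline: Set[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Requests for .aspx pages under /_layouts/ whose file name is not in the baseline,
    mapped to the (client, method) pairs that hit them. Catches dropped web shells."""
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        if "/_layouts/" in stem and stem.endswith(".aspx"):
            if stem.rsplit("/", 1)[-1] not in baseline:
                hits[stem].append((r["c-ip"], r["cs-method"]))
    return dict(hits)


def beaconing_clients(rows: List[Dict], min_hits: int = 4, max_cv: float = 0.2) -> Dict[str, Dict[str, float]]:
    """Per (client, page), look for near-constant request intervals. Returns page -> {client: mean
    interval in seconds}. Implants polling a web shell for commands show up as several clients
    with the same low-jitter cadence against one page; humans do not."""
    series: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for r in rows:
        series[(r["c-ip"], r["cs-uri-stem"])].append(r["ts"])
    periodic: Dict[str, Dict[str, float]] = defaultdict(dict)
    for (ip, stem), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_cv:   # coefficient of variation
            periodic[stem][ip] = round(mean, 1)
    return dict(periodic)


if __name__ == "__main__":
    rows = parse_iis_log(SAMPLE_LOG)
    print("unknown LAYOUTS pages:", unknown_layouts_pages(rows, LAYOUTS_BASELINE))
    print("periodic pollers:", beaconing_clients(rows))
```

    On the sample, the first check surfaces xxx.aspx and spinstall0.aspx (the external client POSTing to a LAYOUTS page that no baseline knows about is the signal, not the file names), and the second surfaces two internal hosts polling CommandHandler.aspx on a 60-second cadence while the ordinary user’s browsing never crosses the threshold. Treat both as leads rather than verdicts: an implant with randomized sleep will raise the coefficient of variation above the cut-off, and a legitimate dashboard that auto-refreshes will look periodic, so the page hit, its creation time on disk, and the client population need to be read together.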

    Furthermore, the threat actors have been spotted carrying out follow-on activity on machines deemed valuable after initial reconnaissance. This is accomplished by running a cmd.exe command that downloads a malicious HTML Application (HTA) file containing embedded JavaScript from an external resource and runs it using mshta.exe.

    The exact nature of the payload delivered via the external URL, a domain impersonating GitHub (“github.githubassets[.]net”) so as to evade detection, is currently unknown. However, an analysis of one of the previously distributed scripts shows that it’s designed to spawn a reverse shell, thereby granting the attackers the ability to execute commands on the infected system.


    Also put to use in the attacks are stealers and credential-harvesting utilities to gather sensitive data and exfiltrate the details via the SharePoint server. Some of the tools deployed by the adversary are listed below –

    • Pillager, albeit a modified version, to steal credentials from browsers, databases, and administrative utilities like MobaXterm; source code; screenshots; chat sessions and data; email messages; SSH and FTP sessions; list of installed apps; output of the systeminfo and tasklist commands; and account information from chat apps and email clients
    • Checkout to steal information about downloaded files and credit card data saved in web browsers like Yandex, Opera, OperaGX, Vivaldi, Google Chrome, Brave, and Cốc Cốc.
    • RawCopy to copy raw registry files
    • Mimikatz to dump account credentials

    “The attackers wield a wide array of both custom-built and publicly available tools,” Kaspersky said. “Specifically, they use penetration testing tools like Cobalt Strike at various stages of an attack.”

    “The attackers are quick to adapt to their target’s infrastructure, updating their malicious tools to account for specific characteristics. They can even leverage internal services for C2 communication and data exfiltration.”

    This operation also highlights the blurred line between red team tools and real-world adversary simulation, where threat actors use public frameworks like Impacket, Mimikatz, and Cobalt Strike alongside custom implants. These overlaps pose challenges for detection teams focused on lateral movement, credential access, and defense evasion across Windows environments.


    Source: thehackernews.com…

  • Iran-Linked DCHSpy Android Malware Masquerades as VPN Apps to Spy on Dissidents


    Jul 21, 2025 | Ravie Lakshmanan | Spyware / Mobile Security

    Cybersecurity researchers have unearthed new Android spyware artifacts that are likely affiliated with the Iranian Ministry of Intelligence and Security (MOIS) and have been distributed to targets by masquerading as VPN apps and Starlink, a satellite internet connection service offered by SpaceX.

    Mobile security vendor Lookout said it discovered four samples of a surveillanceware tool it tracks as DCHSpy one week after the onset of the Israel-Iran conflict last month. Exactly how many people may have installed these apps is not clear.

    “DCHSpy collects WhatsApp data, accounts, contacts, SMS, files, location, and call logs, and can record audio and take photos,” security researchers Alemdar Islamoglu and Justin Albrecht said.


    First detected in July 2024, DCHSpy is assessed to be the handiwork of MuddyWater, an Iranian nation-state group tied to MOIS. The hacking crew is also called Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Seedworm, Static Kitten, TA450, and Yellow Nix.

    Early iterations of DCHSpy have been identified targeting English and Farsi speakers via Telegram channels using themes that run counter to the Iranian regime. Given the use of VPN lures to advertise the malware, it’s likely that dissidents, activists, and journalists are a target of the activity.

    It’s suspected that the newly identified DCHSpy variants are being deployed against adversaries in the wake of the recent conflict in the region by passing them off as seemingly useful services like Earth VPN (“com.earth.earth_vpn”), Comodo VPN (“com.comodoapp.comodovpn”), and Hide VPN (“com.hv.hide_vpn”).

    Interestingly, one of the Earth VPN app samples has been found to be distributed in the form of APK files using the name “starlink_vpn(1.3.0)-3012 (1).apk,” indicating that the malware is likely being spread to targets using Starlink-related lures.

    It’s worth noting that Starlink’s satellite internet service was activated in Iran last month amid a government-imposed internet blackout. But, weeks later, the country’s parliament voted to outlaw its use over unauthorized operations.

    A modular trojan, DCHSpy is equipped to collect a wide range of data, including the accounts signed in on the device, contacts, SMS messages, call logs, files, location, ambient audio, photos, and WhatsApp information.

    DCHSpy also shares infrastructure with another Android malware known as SandStrike, which was flagged by Kaspersky in November 2022 as targeting Persian-speaking individuals by posing as seemingly harmless VPN applications.


    The discovery of DCHSpy is the latest instance of Android spyware that has been used to target individuals and entities in the Middle East. Other documented malware strains include AridSpy, BouldSpy, GuardZoo, RatMilad, and SpyNote.

    “DCHSpy uses similar tactics and infrastructure as SandStrike,” Lookout said. “It is distributed to targeted groups and individuals by leveraging malicious URLs shared directly over messaging apps such as Telegram.”

    “These most recent samples of DCHSpy indicate continued development and usage of the surveillanceware as the situation in the Middle East evolves, especially as Iran cracks down on its citizens following the ceasefire with Israel.”


    Source: thehackernews.com…

  • Assessing the Role of AI in Zero Trust


    By 2025, Zero Trust has evolved from a conceptual framework into an essential pillar of modern security. No longer merely theoretical, it’s now a requirement that organizations must adopt. A robust, defensible architecture built on Zero Trust principles does more than satisfy baseline regulatory mandates. It underpins cyber resilience, secures third-party partnerships, and ensures uninterrupted business operations. In turn, more than 80% of organizations plan to implement Zero Trust strategies by 2026, according to a recent Zscaler report.

    In the context of Zero Trust, artificial intelligence (AI) can assist greatly as a tool for implementing automation around adaptive trust and continuous risk evaluation. In a Zero Trust architecture, access decisions must adapt continuously to changing factors such as device posture, user behavior, location, workload sensitivity, and more. This constant evaluation generates massive volumes of data, far beyond what human teams can process alone.

    AI is key to managing that scale, playing a critical role across all five of CISA’s Zero Trust pillars—identity, devices, networks, applications, and data. By filtering signal from noise, AI can help detect intrusions, identify malware, and apply behavioral analytics to flag anomalies that would be nearly impossible to catch manually. For example, if a user suddenly downloads sensitive files at 2 a.m. from an unusual location, AI models trained on behavioral baselines can flag the event, assess the risk, and trigger actions like reauthentication or session termination. This enables adaptive trust: access that adjusts in real time based on risk, supported by automation so the system can respond immediately without waiting on human intervention.

    Predictive vs. Generative AI: Different Tools, Different Purposes

    There are two primary categories of AI relevant to Zero Trust: predictive models and generative models. Predictive AI, including machine learning and deep learning, is trained on historical data to identify patterns, behaviors, and early indicators of compromise. These models power detection and prevention systems—such as EDRs, intrusion detection platforms, and behavioral analytics engines—that help catch threats early in the attack chain. When it comes to Zero Trust, predictive AI supports the control plane by feeding real-time signals into dynamic policy enforcement. It enables continuous evaluation of access requests by scoring context: is the device compliant? Is the login location unusual? Is the behavior consistent with baseline activity?
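    The continuous, context-scored access decision described in the last two paragraphs, as an added example that is not from the article nor from SANS or Zscaler: a small rule-driven adaptive-trust evaluator that scores a request against a per-user behavioral baseline and device posture, then maps the score to allow, step-up re-authentication, or session termination. The baseline values, weights, thresholds, and the `ALICE` user are constructed assumptions; a production control plane would learn the baseline from telemetry rather than hard-code it.

```python
# Added example, not from the article nor from SANS or Zscaler: a small
# rule-driven adaptive-trust evaluator. Every weight, threshold and baseline
# value here is a constructed assumption, not a learned model.
from dataclasses import dataclass, field
from typing import List, Set

@dataclass
class Baseline:
    """Per-user behavioral baseline (constructed here; normally learned)."""
    usual_countries: Set[str]
    active_hours: range           # local hours the user normally works
    typical_bytes_per_hour: int   # rolling average download volume

@dataclass
class AccessRequest:
    """Context signals attached to one access request or in-session event."""
    user: str
    country: str
    hour: int                     # hour of day, 0-23
    device_compliant: bool        # posture signal from EDR/MDM (assumed feed)
    resource_sensitivity: str     # "public" | "internal" | "confidential"
    bytes_last_hour: int          # data pulled by this session in the last hour

@dataclass
class Decision:
    action: str                   # "allow" | "step_up" | "terminate"
    score: int
    reasons: List[str] = field(default_factory=list)

# Constructed weights: how much each signal raises the risk score.
WEIGHT_NONCOMPLIANT_DEVICE = 40
WEIGHT_UNUSUAL_LOCATION = 30
WEIGHT_OFF_HOURS = 15
WEIGHT_VOLUME_SPIKE = 25
SENSITIVITY_WEIGHT = {"public": 0, "internal": 10, "confidential": 25}

# Constructed thresholds that turn a score into an enforcement action.
STEP_UP_AT = 40      # force re-authentication
TERMINATE_AT = 70    # kill the session

def score_request(req: AccessRequest, baseline: Baseline) -> Decision:
    """Score one request against the user's baseline and pick an action."""
    score, reasons = 0, []
    if not req.device_compliant:
        score += WEIGHT_NONCOMPLIANT_DEVICE
        reasons.append("device not compliant")
    if req.country not in baseline.usual_countries:
        score += WEIGHT_UNUSUAL_LOCATION
        reasons.append(f"unusual location {req.country}")
    if req.hour not in baseline.active_hours:
        score += WEIGHT_OFF_HOURS
        reasons.append(f"outside active hours ({req.hour:02d}:00)")
    if req.bytes_last_hour > 5 * baseline.typical_bytes_per_hour:
        score += WEIGHT_VOLUME_SPIKE
        reasons.append("download volume more than 5x baseline")
    # Sensitivity raises the bar regardless of behavior: the same anomaly on a
    # confidential resource trips enforcement sooner than on a public one.
    score += SENSITIVITY_WEIGHT[req.resource_sensitivity]
    if score >= TERMINATE_AT:
        action = "terminate"
    elif score >= STEP_UP_AT:
        action = "step_up"
    else:
        action = "allow"
    return Decision(action, score, reasons)

def evaluate_session(events: List[AccessRequest], baseline: Baseline) -> List[Decision]:
    """Continuous evaluation: re-score on every event; once the session is
    terminated, every later event in it is refused without re-scoring."""
    decisions: List[Decision] = []
    revoked = False
    for ev in events:
        if revoked:
            decisions.append(Decision("terminate", TERMINATE_AT, ["session already revoked"]))
            continue
        d = score_request(ev, baseline)
        revoked = d.action == "terminate"
        decisions.append(d)
    return decisions

# Constructed baseline: a US-based user working about 07:00-19:00 who
# normally pulls around 50 MB per hour.
ALICE = Baseline(usual_countries={"US"}, active_hours=range(7, 20),
                 typical_bytes_per_hour=50_000_000)

if __name__ == "__main__":
    session = [
        AccessRequest("alice", "US", 10, True, "internal", 40_000_000),
        # The article's scenario: sensitive files, 2 a.m., unusual location.
        AccessRequest("alice", "DE", 2, True, "confidential", 800_000_000),
    ]
    for d in evaluate_session(session, ALICE):
        print(d.action, d.score, "; ".join(d.reasons))
```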

    Generative AI, such as large language models like ChatGPT and Gemini, serves a different purpose. These systems are not predictive and don’t enforce controls. Instead, they support human operators by summarizing information, generating queries, accelerating scripting, and providing faster access to relevant context. In high-tempo security environments, this functionality helps reduce friction and allows analysts to triage and investigate more efficiently.

    Agentic AI takes large language models beyond support roles into active participants in security workflows. By wrapping an LLM in a lightweight “agent” that can call APIs, execute scripts, and adapt its behavior based on real-time feedback, you gain a self-driving automation layer that orchestrates complex Zero Trust tasks end to end. For example, an agentic AI could automatically gather identity context, adjust network micro-segmentation policies, spin up temporary access workflows, and then revoke privileges once a risk threshold is cleared, all without manual intervention. This evolution not only accelerates response times, but also ensures consistency and scalability, letting your team focus on strategic threat hunting while routine enforcement and remediation happen reliably in the background.

    These approaches all have a place in a Zero Trust model. Predictive AI enhances automated enforcement by driving real-time risk scoring. Generative AI enables defenders to move faster and make better-informed decisions, especially in time-sensitive or high-volume scenarios. Agentic AI brings orchestration and end-to-end automation into the mix, letting you automatically adjust policies, remediate risks, and revoke privileges without manual intervention. The strength of a Zero Trust architecture lies in applying each of them where it fits best.

    Human-Machine Teaming: Working in Tandem

    Despite their growing roles, AI models alone can’t serve as the sole “brain” of a Zero Trust architecture. Predictive AI, generative AI, and agentic AI each act more like specialized co-pilot analysts—surfacing patterns, summarizing context, or orchestrating workflows based on real-time signals. True Zero Trust still relies on human-defined policy logic, rigorous system-level design, and ongoing oversight to ensure that automated actions align with your security objectives.

    That’s especially important because AI is not immune to manipulation. The SANS Critical AI Security Guidelines outline risks, including model poisoning, inference tampering, and vector database manipulation—all of which can be used to subvert Zero Trust enforcement if the AI system is blindly trusted. This is why our SANS SEC530 Defensible Security Architecture & Engineering: Implementing Zero Trust for the Hybrid Enterprise course emphasizes the concept of human-machine teaming. AI automates data analysis and response recommendations, but humans must set boundaries and validate those outputs within the broader security architecture. Whether that means writing tighter enforcement rules or segmenting access to model outputs, the control stays with the operator.

    This model of collaboration is increasingly being recognized as the most sustainable way forward. Machines can outpace humans when it comes to processing volume, but they may lack certain business context, creativity, and ethical reasoning that only humans bring. Practitioners – “all-around defenders”, as I like to call them – remain essential not just for incident response, but for designing resilient enforcement strategies, interpreting ambiguous scenarios, and making the judgment calls that machines can’t. The future of Zero Trust isn’t AI replacing the human. It’s AI amplifying the human, surfacing actionable insight, accelerating investigation, and scaling enforcement decisions without removing human control.

    Ready for More Insight?

    For a deeper dive on AI’s role in Zero Trust, SANS Certified Instructor Josh Johnson will be teaching SEC530 at our SANS DC Metro Fall 2025 live training event (Sept. 29-Oct. 4, 2025) in Rockville, MD. The event cultivates a dynamic learning environment that features industry-leading hands-on labs, simulations, and exercises, all geared towards practical application.

    Register for SANS DC Metro Fall 2025 here.

    Note: This article was written and contributed by Ismael Valenzuela, SANS Senior Instructor and Vice President of Threat Research and Intelligence at Arctic Wolf.



    Source: thehackernews.com…

  • ⚡ Weekly Recap: SharePoint 0-Day, Chrome Exploit, macOS Spyware, NVIDIA Toolkit RCE and More


    Even in well-secured environments, attackers are getting in—not with flashy exploits, but by quietly taking advantage of weak settings, outdated encryption, and trusted tools left unprotected.

    These attacks don’t depend on zero-days. They work by staying unnoticed—slipping through the cracks in what we monitor and what we assume is safe. What once looked suspicious now blends in, thanks to modular techniques and automation that copy normal behavior.

    The real concern? Control isn’t just being challenged—it’s being quietly taken. This week’s updates highlight how default settings, blurred trust boundaries, and exposed infrastructure are turning everyday systems into entry points.

    ⚡ Threat of the Week

    Critical SharePoint Zero-Day Actively Exploited (Patch Released Today) — Microsoft has released fixes to address two security flaws in SharePoint Server that have come under active exploitation in the wild to breach dozens of organizations across the world. Details of exploitation emerged over the weekend, prompting Microsoft to issue an advisory for CVE-2025-53770 and CVE-2025-53771, which are now assessed to be patch bypasses for two other SharePoint flaws tracked as CVE-2025-49704 and CVE-2025-49706, an exploit chain dubbed ToolShell that could be leveraged to achieve remote code execution on on-premises SharePoint servers. The two vulnerabilities were addressed by Microsoft earlier this month as part of its Patch Tuesday update. It’s currently not known who is behind the mass-exploitation activity.

    🔔 Top News

    • Google Ships Patch for Actively Exploited Chrome Flaw — Google pushed out patches to resolve a high-severity vulnerability in the Chrome browser (CVE-2025-6558) that has come under active exploitation in the wild, making it the fifth zero-day to be either actively abused or demonstrated as a proof-of-concept (PoC) since the start of the year. The vulnerability is an incorrect validation of untrusted input in the browser’s ANGLE and GPU components that could allow an attacker to potentially perform a sandbox escape via a crafted HTML page. The issue has been addressed in versions 138.0.7204.157/.158 for Windows and Apple macOS, and 138.0.7204.157 for Linux.
    • Critical NVIDIA Container Toolkit Flaw Disclosed — A critical vulnerability in NVIDIA Container Toolkit (CVE-2025-23266) could be exploited to achieve code execution with elevated permissions. “A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, information disclosure, and denial-of-service,” the GPU maker said. Wiz, which disclosed the flaw, said the shortcoming could be trivially exploited to access, steal, or manipulate the sensitive data and proprietary models of all other customers running on the same shared hardware by means of a three-line exploit.
    • New CrushFTP Bug Comes Under Attack — CrushFTP revealed that a critical flaw in its file transfer software (CVE-2025-54309) has been exploited in the wild, with unknown threat actors reverse engineering its source code to discover the bug and target devices that are yet to be updated to the latest versions. The issue affects all versions of CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23. “The attack vector was HTTP(S) for how they could exploit the server,” CrushFTP said. “We had fixed a different issue related to AS2 in HTTP(S) not realizing that a prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.”
    • Golden dMSA Attack in Windows Server 2025 Enables Cross-Domain Attacks — Cybersecurity researchers disclosed a “critical design flaw” in delegated Managed Service Accounts (dMSAs) introduced in Windows Server 2025 that could enable cross-domain lateral movement and persistent access to all managed service accounts and their resources across Active Directory indefinitely. “The attack leverages a critical design flaw: A structure that’s used for the password-generation computation contains predictable time-based components with only 1,024 possible combinations, making brute-force password generation computationally trivial,” Semperis researcher Adi Malyanker said.
    • Google Big Sleep AI Agent Flags Critical SQLite Flaw Before Exploitation — Big Sleep, an artificial intelligence (AI) agent launched by Google last year as a collaboration between DeepMind and Google Project Zero, facilitated the discovery of a critical security flaw in SQLite (CVE-2025-6965) that was previously only known to attackers as a zero-day and was on the verge of exploitation. Google described it as the first time an AI agent has been used to “directly foil efforts to exploit a vulnerability in the wild.”
    • Threat Actors Target EoL SonicWall SMA 100 Devices — Unknown intruders codenamed UNC6148 are targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances and deploying a novel, persistent backdoor and rootkit called OVERWATCH. Many key details about the campaign are currently unknown. For starters, Google said it does not have enough data to determine where the threat actors are based, or what their motives are. Second, the attacks are exploiting leaked local administrator credentials on the targeted devices for initial access, but Google has been unable to pinpoint how the attackers managed to obtain those credentials. While it’s possible that they were sourced from infostealer logs or credential marketplaces, the company noted it’s more likely that the attackers leveraged a known vulnerability. It’s also unclear precisely what the attackers are trying to accomplish after they take control of a device. The lack of information largely stems from how OVERWATCH functions, which allows the attackers to selectively remove log entries to hinder forensic investigation. The investigation also found that UNC6148 managed to deploy a reverse shell on infected devices, something that should not normally be possible, leading to speculation that a zero-day might have been in play. The findings once again show that network appliances are popular attacker targets, as they offer a way to gain access to high-value networks.

    🔥 Trending CVEs

    Hackers are quick to jump on newly discovered software flaws – sometimes within hours. Whether it’s a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage. Below are this week’s high-risk vulnerabilities making waves. Review the list, patch fast, and stay a step ahead.

    This week’s list includes — CVE-2025-53770, CVE-2025-53771 (Microsoft SharePoint Server), CVE-2025-37103 (HPE Instant On Access Points), CVE-2025-54309 (CrushFTP), CVE-2025-23266, CVE-2025-23267 (NVIDIA Container Toolkit), CVE-2025-20337 (Cisco Identity Services Engine and ISE Passive Identity Connector), CVE-2025-6558 (Google Chrome), CVE-2025-6965 (SQLite), CVE-2025-5333 (Broadcom Symantec Endpoint Management Suite), CVE-2025-48384 (Git CLI), CVE-2025-4919 (Mozilla Firefox), CVE-2025-53833 (LaRecipe), CVE-2025-53506 (Apache Tomcat), CVE-2025-41236 (Broadcom VMware ESXi, Workstation, and Fusion), CVE-2025-27210, CVE-2025-27209 (Node.js), CVE-2025-53906 (Vim), CVE-2025-50067 (Oracle Application Express), CVE-2025-30751 (Oracle Database), CVE-2025-6230, CVE-2025-6231, CVE-2025-6232 (Lenovo Vantage), CVE-2024-13972, CVE-2025-7433, CVE-2025-7472 (Sophos Intercept X for Windows), CVE-2025-27212 (Ubiquiti UniFi Access), CVE-2025-4657 (Lenovo Protection Driver), CVE-2025-2500 (Hitachi Energy Asset Suite), CVE-2025-6023, CVE-2025-6197 (Grafana), CVE-2025-40776, CVE-2025-40777 (BIND 9), CVE-2025-33043, CVE-2025-2884, CVE-2025-3052 (Gigabyte), and CVE-2025-31019 (Password Policy Manager plugin).

    📰 Around the Cyber World

    • Russian Sentenced to 3 Years in Prison in the Netherlands for Sharing Data — A Rotterdam court sentenced a 43-year-old Russian to three years in prison for breaching international sanctions by sharing sensitive information from Dutch semiconductor chip machine maker ASML and chipmaker NXP with a person in Russia. At his trial on June 26, the suspect admitted to copying files last year and sending them to a person in Russia using the Signal messaging app. While the name of the defendant was not disclosed, Reuters reported in February 2025 that the perpetrator was German Aksenov, and that he had contact with Russia’s FSB intelligence service. He was charged with IP theft and sanctions violations in December 2024.
    • U.K. NCSC Launches Vulnerability Research Initiative — The U.K. National Cyber Security Centre (NCSC) announced a new Vulnerability Research Initiative (VRI) that aims to strengthen relations with external cybersecurity experts. “The VRI’s mission is to strengthen the UK’s ability to carry out VR,” the NCSC said. “We work with the best external vulnerability researchers to deliver a deep understanding of security on a wide range of technologies we care about. The external VRI community also supports us in having tools and tradecraft for vulnerability discovery.”
    • Storm-1516 Spreads Disinformation in Europe — A Kremlin-linked disinformation group tracked as Storm-1516 has been masquerading as real journalists and publishing fake articles on spoofed news websites to spread false narratives in France, Armenia, Germany, Moldova, and Norway. The threat actors used the names and photos of legitimate reporters to lend credibility to the bogus articles, per the Gnida Project. Another pro-Russia disinformation campaign known as Operation Overload (aka Matryoshka or Storm-1679) has been observed leveraging consumer-grade artificial intelligence tools to fuel a “content explosion” focused around exacerbating existing tensions around global elections, Ukraine, and immigration, among other controversial issues. The activity, operating since 2023, has a track record of disseminating false narratives by impersonating media outlets with the apparent aim of sowing discord in democratic countries. “This marks a shift toward more scalable, multilingual, and increasingly sophisticated propaganda tactics,” Reset Tech and Check First said. “The campaign has substantially amped up the production of new content in the past eight months, signalling a shift toward faster, more scalable content creation methods.” Some of the images used in the campaign are believed to have been generated using Flux AI, a text-to-image generator developed by Black Forest Labs. The company told WIRED that it has built “multiple layers of safeguards” to prevent abuse and that it’s committed to working with social media platforms and authorities to ward off unlawful misuse.
    • SLOW#TEMPEST Campaign’s Evolving Techniques Detailed — The threat actors behind a malware campaign called SLOW#TEMPEST have been observed using DLL-sideloading techniques to launch a malicious DLL, while relying on Control Flow Graph (CFG) obfuscation and dynamic function calls to conceal the code in the loader DLL. The primary goal of the DLL is to unpack and launch an embedded payload directly in memory only if the target machine has at least 6 GB of RAM. “The SLOW#TEMPEST campaign’s evolution highlights malware obfuscation techniques, specifically dynamic jumps and obfuscated function calls,” Palo Alto Networks Unit 42 said. “The success of the SLOW#TEMPEST campaign using these techniques demonstrates the potential impact of advanced obfuscation on organizations, making detection and mitigation significantly more challenging.”
    • Abacus Market Shutters After Likely Exit Scam — The darknet marketplace known as Abacus Market has suddenly closed its operations, rendering all its infrastructure, including its clearnet mirror, inaccessible. The development comes after Abacus Market users began reporting withdrawal issues in late June 2025. Blockchain intelligence firm TRM Labs said the marketplace’s creators may have pulled off an exit scam and disappeared with users’ funds, although the possibility of a law enforcement seizure hasn’t been ruled out. Abacus’s exit follows the June 16, 2025, seizure of Archetyp Market by Europol. Abacus Market launched in September 2021 as Alphabet Market, before it rebranded to its current name two months later. The marketplace is estimated to have generated anywhere between $300 million and $400 million in cryptocurrency sales, spanning illicit drugs, counterfeit items, and stolen cards. According to data from Chainalysis, Abacus Market’s revenue increased significantly, growing by 183.2% YoY in 2024.
    • MITRE Announces AADAPT for Cryptocurrency Security — The MITRE Corporation launched Adversarial Actions in Digital Asset Payment Technologies, aka AADAPT, a cybersecurity framework for addressing vulnerabilities in digital financial systems such as cryptocurrency. It’s modeled after the MITRE ATT&CK framework. “AADAPT provides developers, policymakers, and financial organizations with a structured methodology for identifying, analyzing, and mitigating potential risks associated with digital asset payments,” MITRE said. “By using insights derived from real-world attacks as cited by more than 150 sources from government, industry, and academia, the AADAPT framework identifies adversarial tactics, techniques, and procedures linked to digital asset payment technologies, including consensus algorithms and smart contracts.”
    • U.S. Ex-Army Soldier Pleads Guilty to Hacking 10 Telcos — Former U.S. Army soldier Cameron John Wagenius (aka kiberphant0m and cyb3rph4nt0m) pleaded guilty to hacking and extorting at least 10 telecommunications companies between April 2023 and December 2024. The 21-year-old “conspired with others to defraud at least 10 victim organizations by obtaining login credentials for the organizations’ protected computer networks,” the U.S. Department of Justice (DoJ) said. “The conspirators obtained these credentials using a hacking tool that they called SSH Brute, among other means. They used Telegram group chats to transfer stolen credentials and discuss gaining unauthorized access to victim companies’ networks.” The threat actors behind the scheme then extorted the victim organizations both privately and on cybercrime forums such as BreachForums and XSS.is by offering to sell the stolen data for thousands of dollars. Some of the data was eventually sold and used to perpetrate other frauds, including SIM-swapping. Wagenius and his co-conspirators are said to have attempted to extort at least $1 million from victim data owners. The attacks took place while Wagenius was on active duty, the DoJ said. Court documents show that the defendant Googled for phrases like “can hacking be treason” and “U.S. military personnel defecting to Russia.” In February 2025, Wagenius pleaded guilty to conspiracy to commit wire fraud, extortion in relation to computer fraud, aggravated identity theft, and unlawful transfer of confidential phone records information. He is scheduled for sentencing on October 6, 2025. His alleged co-conspirators, Connor Moucka and John Binns, were indicted in November 2024.
    • Signed Drivers in Malicious Campaigns — Since 2020, no less than 620 signed drivers, 80 certificates, and 60 Windows Hardware Compatibility Program (WHCP) accounts have been associated with threat actor campaigns. The majority of drivers have been signed by 131 Chinese companies. In 2022 alone, over 250 drivers and roughly 34 certificates and WHCP accounts were identified as potentially compromised. The findings show that “kernel-level attacks remain highly attractive to threat actors despite Microsoft’s improved defenses, due to the highest level of privileges on the compromised system and control they offer to attackers,” Group-IB said, adding it found overlap in the signing infrastructure across different malware campaigns, such as those using POORTRY and RedDriver. Some of the notable malware strains using kernel loaders for added stealth include Festi, FiveSys, FK_Undead, and BlackMoon. “Attackers leverage many signing certificates and WHCP accounts by exploiting legitimate processes like the WHCP and Extended Validation (EV) certificates. This includes those belonging to compromised or fraudulently registered organizations, signing malicious drivers, bypassing established security measures, and exploiting the trust model inherent in signed kernel drivers,” the company noted.
    • TeleMessage SGNL Flaw Seeing Exploitation Activity — Threat actors are actively attempting to exploit a security flaw in TeleMessage SGNL, an enterprise messaging system modeled after Signal, used by government agencies and enterprises alike to achieve secure communications. The vulnerability, CVE-2025-48927, can be used to leak sensitive information, including plaintext usernames, passwords, and other data. According to GreyNoise, exploitation efforts are coming from 25 IP addresses over the past 30 days. The majority of the IP addresses are from France, followed by Singapore, Germany, Hong Kong, and India. The attacks target the United States, Singapore, India, Mexico, and Brazil.
    • Microsoft Stops Relying on Chinese Engineers for Defense Cloud Support — Microsoft changed its practices to ensure that engineers in China no longer provide technical support to U.S. defense clients using the company’s Azure cloud services. The revamps came after a ProPublica investigation revealed that Microsoft has been using Chinese engineers to help maintain U.S. Department of Defense systems, potentially exposing sensitive data to the Chinese government. “In response to concerns raised earlier this week about US-supervised foreign engineers, Microsoft has made changes to our support for US Government customers to assure that no China-based engineering teams are providing technical assistance for DoD Government cloud and related services,” the company said.
    • Japan Authorities Release Free Phobos and 8Base Decryptor — Japan’s National Police Agency published a free decryption tool and a guide in English for organizations impacted by the Phobos and 8Base ransomware attacks. Earlier this February, two Russian nationals accused of using the Phobos ransomware to attack more than 1,000 entities were charged as part of a global law enforcement takedown. Phobos launched in December 2018, with a modified version called 8Base gaining prominence in 2023.
    • Android Allows Gemini to Access Third-Party Apps — Google has implemented a change that will allow its Gemini artificial intelligence (AI) chatbot to interact with other apps installed on Android devices, such as Phone, Messages, and others, even if users have turned off “Gemini Apps Activity.” According to a support document from the company, “Even when Gemini Apps Activity is off, your conversations will be saved with your account for up to 72 hours. This lets Google provide the service and process any feedback. This activity won’t appear in your Gemini Apps Activity.” The update went into effect this month.
    • EvilPanel Phishing Toolkit Detailed — Cybersecurity researchers have discovered a new phishing toolkit called EvilPanel that’s built on Evilginx and provides a web interface for launching multi-factor authentication (MFA)-bypassing attacks. “EvilPanel wraps all of Evilginx’s powerful AiTM capabilities into a sleek, user-friendly web interface, eliminating the need for manual configuration and lowering the barrier to entry for would-be attackers,” Abnormal AI said. “EvilPanel’s core phishing functionality follows the Evilginx model – i.e., it maintains the login flow by acting as a transparent proxy.”
    • Katz Stealer and Octalyn Stealer Detailed — Cybersecurity company SentinelOne is warning that threat actors are increasingly adopting an information stealer called Katz Stealer owing to its “robust credential and data discovery with theft capabilities as well as modern evasion and anti-analysis features.” It described the stealer as a “combination of credential theft and modern malware design.” Offered under a Malware-as-a-Service (MaaS) model for a mere $50 per month (or $360 for a whole year), stealers such as Katz are turnkey tools that lower the barrier to entry for pulling off malicious attacks. A notable feature of Katz Stealer is its ability to defeat Chromium’s app-bound encryption to gain access to and extract credentials and cookies. “Katz Stealer is not a ‘one shot’ infostealer; it is designed to continually exfiltrate the victim’s data,” SentinelOne said. “The malware not only extracts data found on a targeted system at the point of infection but also as data is updated, changed, or freshly introduced.” Another new stealer masquerades as an educational tool called Octalyn Forensic Toolkit, but acts as a credential stealer, harvesting browser data, Discord and Telegram tokens, VPN configurations, gaming accounts, and cryptocurrency wallet artifacts. “Its modular C++ payload, Delphi-based builder, Telegram-based C2, and secondary payload delivery capability make it a potent tool for threat actors,” CYFIRMA said. “The use of obfuscation, Windows persistence techniques, and structured data theft highlights a deliberate effort to evade detection and maximize impact.”
    • Armenia Passes Use of Facial Recognition Technology by Police — Armenia’s parliament has passed controversial amendments to the country’s Law on Police, granting the Ministry of Internal Affairs access to a nationwide network of real-time surveillance cameras that are equipped with facial recognition technology. The cameras will operate across state and municipal buildings, public transport, airports, and parking areas. The law is set to take effect on August 9, 2025. The CSO Meter said the law “lacks clear legal safeguards, public oversight, and proper regulation of artificial intelligence (AI) technologies,” posing a risk to citizens’ privacy.
    • Scammers Using MaisonReceipts to Create Fake Receipts — Fraudsters are using tools like MaisonReceipts to generate counterfeit receipts for over 21 well-known retail brands in multiple currencies (USD, EUR, GBP). They are used by groups that resell counterfeit or stolen items, presenting them as authentic using bogus receipts. “The service is marketed through subscription-based websites, social media accounts, and encrypted messaging platforms, with features that make the fraudulent receipts appear convincing enough to deceive consumers and online marketplaces,” Group-IB said.
    • PyPI Blocks inbox.ru Email Domain — A recent spam campaign against PyPI has prompted the maintainers of the Python Package Index (PyPI) repository to ban the use of the “inbox.ru” email domain during new registrations as well as adding extra email addresses. “The campaign created over 250 new user accounts, publishing over 1,500 new projects on PyPI, leading to end-user confusion, abuse of resources, and potential security issues,” PyPI said. “All relevant projects have been removed from PyPI, and accounts have been disabled.”
    • Silver Fox Actor Creates Fake Websites for Malware Delivery — The threat actor known as Silver Fox, which is known for targeting Chinese-speaking individuals and entities, has created over 2,800 domains since June 2023, with 266 of the over 850 identified domains since December 2024 actively distributing malware. These fake websites act as a delivery vector for Windows-specific malware and masquerade as application download sites and software update prompts. “The consistent operational timing across all hours with high influxes during Chinese working hours, in addition to other factors, suggests a combination of automated and likely human-driven approach to their activities,” DomainTools said.
    • Arrested Scattered Spider Members Released on Bail — A British court has released four members of the Scattered Spider group on bail. They were arrested last week on suspicion of Computer Misuse Act offenses, blackmail, money laundering, and participating in the activities of an organized crime group. They’ve been charged with hacking U.K. retailers Marks & Spencer, Co-op, and Harrods.
    • Armenian National Charged with Ryuk Ransomware Attacks — An Armenian man extradited from Ukraine to the United States has been charged over his alleged role in Ryuk ransomware attacks between March 2019 and September 2020. Karen Serobovich Vardanyan was arrested in Kyiv in April, and was extradited to the United States on June 18. Vardanyan has been charged with conspiracy, fraud in connection with computers, and extortion in connection with computers. He has been charged alongside Levon Georgiyovych Avetisyan, 45, who is also an Armenian national facing the same charges. He is currently detained in France and is expected to be extradited as well. Vardanyan and his accomplices received about 1,610 bitcoins from victims, valued at more than $15 million at the time of payment. Two Ukrainians — 53-year-olds Oleg Nikolayevich Lyulyava and Andrii Leonydovich Prykhodchenko — were also charged in connection with Ryuk activity but remain at large.
    • $2.17B Stolen from Crypto Services in 2025 — Hackers and scammers have stolen over $2.17 billion in crypto assets in the first half of this year, with North Korea’s $1.5 billion hack of Bybit accounting for the majority of the assets. Data from TRM Labs shows that $2.1 billion was stolen across at least 75 distinct hacks and exploits. A total of $801,315,669 was lost across 144 incidents in Q2 2025, per CertiK. Wallet compromise emerged as the most costly attack vector in H1 2025, with $1,706,937,700 stolen across 34 incidents. “So far in 2025, significant concentrations of stolen fund victims have emerged in the U.S., Germany, Russia, Canada, Japan, Indonesia, and South Korea,” Chainalysis said. “Personal wallet compromises make up a growing share of total ecosystem value stolen over time.”
    • Japan Targeted by North Korea and China in 2024 — Japanese organizations have been targeted by North Korean threat actors to distribute malware families like BeaverTail, InvisibleFerret, and RokRAT, as well as by Chinese hacking groups such as Mustang Panda, Stone Panda, MirrorFace, Teleboyi, and UNC5221. The China-linked attacks led to the deployment of backdoors and trojans like ANEL and PlugX, Macnica said.
    • Rainbow Hyena Goes After Russian Firms — The threat actor known as Rainbow Hyena targeted Russian healthcare and IT organizations using phishing emails containing malicious attachments to distribute a C++-based custom backdoor called PhantomRemote. “The backdoor collects information about the compromised system, loads other executables from the C2 server, and runs commands via the cmd.exe interpreter,” BI.ZONE said.
    • Migration to Post-Quantum Cryptography is Uneven — About 6% of all 186 million SSH servers on the internet already use quantum-safe encryption, according to a new report from Forescout Research – Vedere Labs. “Three quarters of OpenSSH versions on the internet still run versions released between 2015 and 2022 that do not support quantum-safe encryption,” the company said. “If regulators mandate quantum-safe encryption in the near future, organizations will face serious gaps. Outdated infrastructure will become a compliance and security risk.”
    • Brazilian Police Arrest IT Worker for $100 Million Cyber Theft — Authorities in Brazil arrested a suspect in connection with a cyber attack that diverted more than $100 million from the country’s banking systems. Per a report from Associated Press, the suspect has been identified as João Roque, an IT employee of a software company named C&M, and he allegedly helped unknown threat actors gain unauthorized access to Brazil’s instant payment system, known as PIX, by selling his credentials to them earlier this year for about $2,700 in two separate cash payments. Once the cybercriminals breached the company’s network, they carried out fraudulent PIX transactions. It’s believed that the losses could go up further, as the figure refers to just one financial institution that contracted with C&M.
    • Italian Police Arrest Diskstation Ransomware Gang — Italian police have arrested a 44-year-old Romanian for carrying out cyber attacks against Italian companies as part of a law enforcement effort called Operation Elicius. The unidentified man is alleged to be the leader of the DiskStation Security ransomware group, which has targeted Synology network-attached storage (NAS) devices since 2021. He faces charges of unauthorized access to computer systems and extortion.
    • Samsung Announces KEEP to Store Sensitive Data — Samsung announced a number of security and privacy updates to its Galaxy smartphones with One UI 8, including support for quantum-resistant Wi-Fi connections using ML‑KEM and a new architecture called Knox Enhanced Encrypted Protection (KEEP) that creates encrypted, app-specific storage environments for storing data. KEEP also integrates with Samsung’s Personal Data Engine (PDE) and Knox Vault, the company’s hardware security environment, to enable personalized artificial intelligence (AI) features by analyzing users’ data on-device.
    • Cambodia Arrests Over 1,000 Amid Crackdown on Online Scams — Cambodian authorities have arrested more than 1,000 suspects linked to online scams in an effort to crack down on cybercrime operations in the country. Those detained included over 200 Vietnamese, 27 Chinese, 75 suspects from Taiwan, and 85 Cambodians in the capital Phnom Penh and the southern city of Sihanoukville. About 270 Indonesians, including 45 women, were arrested in Poipet. In a related development, Thai officials raided properties connected to a Cambodian senator and business tycoon, Kok An, in relation to a local network of cyber scam call centers.

    🎥 Cybersecurity Webinars

    • From Autofill to Alarm Bells: Securing Identity in the Age of AI — Logins got easier—but trust got harder. As AI reshapes digital identity, users are questioning how their data is used and who’s really behind the screen. In this session, discover how top brands are tackling AI-driven identity risks while rebuilding trust with smarter, privacy-first authentication strategies.
    • How Attackers Hijack Your Dependencies—and What DevSecOps Teams Must Do Now — Your Python environment is under attack—quietly, and from within. In 2025, repo hijacks, poisoned packages, and typosquatting aren’t rare edge cases—they’re part of the threat landscape. This webinar shows developers and DevSecOps leaders how to lock down the Python supply chain before compromised dependencies take down your systems.
    • Your AI Copilot May Be Letting Attackers In — Learn How to Lock Down the Identity Layer — AI copilots are boosting productivity—and attackers are using the same power to break your identity perimeter. From API abuse to synthetic logins, the identity layer is under siege. Join Okta to learn how to secure AI-powered workflows, detect AI-driven threats, and make identity your strongest line of defense in 2025.

    🔧 Cybersecurity Tools

    • OSINTMap — It is a lightweight tool that helps you quickly find and use popular OSINT resources. It organizes hundreds of investigation links—like people search, domain lookups, and breach checkers—into one easy-to-browse local dashboard. Ideal for anyone doing OSINT work, it saves time by keeping everything in one place.
    • NortixMail — It is an open-source, self‑hosted disposable email server that makes burner addresses easy—without the usual email server headache. You can spin it up with Docker or manually, generate temporary email addresses on demand, and view messages via a clean web interface. Since it keeps messages locally and doesn’t rely on third-party services, it’s a great tool for testing, avoiding spam, or protecting your inbox during risky sign‑ups.

    Disclaimer: These newly released tools are for educational use only and haven’t been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

    🔒 Tip of the Week

    Map Known Vulnerabilities Automatically Across Your Stack — Attackers often use Windows Scheduled Tasks to stay hidden on systems. Some go a step further by removing key registry values like SD (Security Descriptor) or Index, making their tasks invisible to common tools like Task Scheduler, schtasks, or even Autoruns. These hidden tasks still run in the background and can be used for persistence or malware delivery.

    To check for visible tasks, tools like Autoruns (by Sysinternals) and TaskSchedulerView (by NirSoft) are great starting points. They show active tasks and let you spot unusual ones. But hidden tasks require deeper digging. You can use PowerShell to scan the registry path HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree and look for tasks with missing SD values.

    For more advanced checks, use Sysmon to track changes in the TaskCache registry and ProcMon to monitor registry activity in real time. Look for suspicious task names, missing values, or tasks with an Index of 0. Also, set alerts for Event ID 4698, which logs new scheduled task creation.

    In short: use both visual tools and registry checks to uncover hidden scheduled tasks. Regular scans, baseline comparisons, and basic alerting can help catch threats early—before they do damage.
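    A PowerShell sweep that performs the registry check described in this tip (missing SD value, Index of 0) together with a review of Event ID 4698, as an added example that is not part of the newsletter. It assumes an elevated session and the TaskCache layout named above (leaf keys under Tree carrying Id, Index and SD values, with per-task details under Tasks\{GUID}); the function names are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the newsletter): sweep the TaskCache\Tree registry
# branch for scheduled tasks with a missing SD value or an Index of 0, and
# cross-check each entry against what the Task Scheduler API is willing to list.
# Assumes the layout described in the tip: each task is a leaf key under Tree
# carrying Id, Index and SD values, with details stored under Tasks\{GUID}.

$TreeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Find-HiddenScheduledTask {
    # Tasks the Task Scheduler API shows; a registry entry absent from this
    # set is exactly the kind of task the tip says Autoruns/schtasks will miss.
    $visible = @{}
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        # TaskPath ends with '\', so this yields e.g. '\Microsoft\Windows\Defrag\ScheduledDefrag'
        $visible[($_.TaskPath + $_.TaskName)] = $true
    }

    foreach ($key in Get-ChildItem -Path $TreeRoot -Recurse -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Folder keys carry no Id value; only real task entries do.
        if (-not $props -or -not $props.PSObject.Properties['Id']) { continue }

        # Convert the registry key name into the '\Folder\TaskName' form the API uses
        $marker   = '\TaskCache\Tree'
        $treePath = $key.Name.Substring($key.Name.IndexOf($marker) + $marker.Length)

        $hasSD = [bool]$props.PSObject.Properties['SD']
        $index = if ($props.PSObject.Properties['Index']) { [int]$props.Index } else { $null }

        $reasons = @()
        if (-not $hasSD)                          { $reasons += 'SD value missing' }
        if ($null -eq $index)                     { $reasons += 'Index value missing' }
        elseif ($index -eq 0)                     { $reasons += 'Index is 0' }
        if (-not $visible.ContainsKey($treePath)) { $reasons += 'not returned by Get-ScheduledTask' }
        if ($reasons.Count -eq 0) { continue }

        # Pull author details from the Tasks\{GUID} entry when it exists
        $detail = Get-ItemProperty -Path (Join-Path $TasksRoot $props.Id) -ErrorAction SilentlyContinue

        [pscustomobject]@{
            TaskPath = $treePath
            Id       = $props.Id
            Index    = $index
            HasSD    = $hasSD
            Author   = $detail.Author
            Reasons  = ($reasons -join '; ')
        }
    }
}

function Get-RecentTaskCreationEvent {
    # Security event 4698 (scheduled task created). It is only written when the
    # 'Audit Other Object Access Events' subcategory is enabled.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = $data['SubjectUserName']
            TaskName = $data['TaskName']
        }
    }
}

# Run the registry sweep, then list recent task creations for baseline comparison.
Find-HiddenScheduledTask | Sort-Object TaskPath | Format-Table -AutoSize
Get-RecentTaskCreationEvent -Hours 24 | Format-Table -AutoSize
```

    Entries flagged only as "not returned by Get-ScheduledTask" can include tasks the current account simply lacks rights to read, so compare against a known-good baseline before treating them as malicious.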

    Conclusion

    What’s becoming clearer each week is that attacker sophistication isn’t the exception—it’s the baseline. AI-driven reconnaissance, credential abuse, and signal mimicry are no longer advanced—they’re routine.

    And as coordination gaps persist across security teams, the boundary between low-level noise and high-impact intrusions continues to blur. The result isn’t just a faster compromise—it’s a deeper erosion of trust. If trust was once a strength, it’s now a surface that attackers exploit.


    Source: thehackernews.com…

  • PoisonSeed Hackers Bypass FIDO Keys Using QR Phishing and Cross-Device Sign-In Abuse

    Jul 21, 2025 · Ravie Lakshmanan · Threat Intelligence / Authentication

    Cybersecurity researchers have disclosed a novel attack technique that allows threat actors to bypass Fast IDentity Online (FIDO) key protections by deceiving users into approving authentication requests from spoofed company login portals.

    The activity, observed by Expel as part of a phishing campaign in the wild, has been attributed to a threat actor named PoisonSeed, which was recently flagged as leveraging compromised credentials associated with customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases and drain victims’ digital wallets.

    “The attacker does this by taking advantage of cross-device sign-in features available with FIDO keys,” researchers Ben Nahorney and Brandon Overstreet said. “However, the bad actors in this case are using this feature in adversary-in-the-middle (AitM) attacks.”

    Cross-device sign-in allows users to sign in on a device that does not have a passkey using a second device that does hold the cryptographic key, such as a mobile phone.

    The attack chain documented by Expel commences with a phishing email that lures recipients to log into a fake sign-in page mimicking the enterprise’s Okta portal. Once the victims enter their credentials, the sign-in information is stealthily relayed by the bogus site to the real login page.

    The phishing site then instructs the legitimate login page to use the hybrid transport method for authentication, which causes the page to serve a QR code that’s subsequently sent back to the phishing site and presented to the victim.

    Should the user scan the QR code with the authenticator app on their mobile device, it allows the attackers to gain unauthorized access to the victim’s account.

    “In the case of this attack, the bad actors have entered the correct username and password and requested cross-device sign-in,” Expel said.

    “The login portal displays a QR code, which the phishing site immediately captures and relays back to the user on the fake site. The user scans it with their MFA authenticator, the login portal and the MFA authenticator communicate, and the attackers are in.”

    What makes the attack noteworthy is that it bypasses protections offered by FIDO keys and enables threat actors to obtain access to users’ accounts. The compromise method does not exploit any flaw in the FIDO implementation. Rather, it abuses a legitimate feature to downgrade the authentication process.

    While FIDO2 is designed to resist phishing, its cross-device login flow—known as hybrid transport—can be misused if proximity verification like Bluetooth is not enforced. In this flow, users can log in on a desktop by scanning a QR code with a mobile device that holds their passkey.

    However, attackers can intercept and relay that QR code in real time via a phishing site, tricking users into approving the authentication on a spoofed domain. This turns a secure feature into a phishing loophole—not due to a protocol flaw, but due to its flexible implementation.

    Expel also said it observed a separate incident where a threat actor enrolled their own FIDO key after compromising an account through a phishing email and resetting the user’s password.

    If anything, the findings underscore the need for adopting phishing-resistant authentication at all steps in an account lifecycle, including during recovery phases, as using an authentication method that’s susceptible to phishing can undermine the entire identity infrastructure.

    “AitM attacks against FIDO keys and attacker-controlled FIDO keys are just the latest in a long line of examples where bad actors and defenders up the ante in the fight to compromise/protect user accounts,” the researchers added.


    Source: thehackernews.com…

  • 3,500 Websites Hijacked to Secretly Mine Crypto Using Stealth JavaScript and WebSocket Tactics

    Jul 21, 2025 · Ravie Lakshmanan · Web Security / Cryptocurrency

    A new attack campaign has compromised more than 3,500 websites worldwide with JavaScript cryptocurrency miners, marking the return of browser-based cryptojacking attacks once popularized by the likes of CoinHive.

    Although the service has since shuttered after browser makers took steps to ban miner-related apps and add-ons, researchers from c/side said they found evidence of a stealthy miner packed within obfuscated JavaScript that assesses the computational power of a device and spawns background Web Workers to execute mining tasks in parallel without raising any alarm.

    More importantly, the activity has been found to leverage WebSockets to fetch mining tasks from an external server, so as to dynamically adjust the mining intensity based on the device capabilities and accordingly throttle resource consumption to maintain stealth.

    “This was a stealth miner, designed to avoid detection by staying below the radar of both users and security tools,” security researcher Himanshu Anand said.

    The net result of this approach is that users would unknowingly mine cryptocurrency while browsing the compromised website, turning their computers into covert crypto generation machines without their knowledge or consent. Exactly how the websites are breached to facilitate in-browser mining is currently not known.

    Further dissection has determined that over 3,500 websites have been ensnared in the sprawling illicit crypto mining effort, with the domain hosting the JavaScript miner also linked to Magecart credit card skimmers in the past, indicating attempts on the part of the attackers to diversify their payloads and revenue streams.

    The use of the same domains to deliver both miner and credit/debit card exfiltration scripts indicates the ability of the threat actors to weaponize JavaScript and stage opportunistic attacks aimed at unsuspecting site visitors.

    “Attackers now prioritize stealth over brute-force resource theft, using obfuscation, WebSockets, and infrastructure reuse to stay hidden,” c/side said. “The goal isn’t to drain devices instantly, it is to persistently siphon resources over time, like a digital vampire.”

    The findings coincide with a Magecart skimming campaign targeting East Asian e-commerce websites using the OpenCart content management system (CMS) to inject a fake payment form during checkout and collect financial information, including bank details, from victims. The captured information is then exfiltrated to the attacker’s server.

    In recent weeks, client-side and website-oriented attacks have been found to take different forms –

    • Utilizing JavaScript embeds that abuse the callback parameter associated with a legitimate Google OAuth endpoint (“accounts.google[.]com/o/oauth2/revoke”) to redirect to an obfuscated JavaScript payload that creates a malicious WebSocket connection to an attacker-controlled domain
    • Using Google Tag Manager (GTM) script directly injected into the WordPress database (i.e., wp_options and wp_posts tables) in order to load remote JavaScript that redirects visitors to over 200 sites to spam domains
    • Compromising a WordPress site’s wp-settings.php file to include a malicious PHP script directly from a ZIP archive that connects to a command-and-control (C2) server and ultimately leverages the site’s search engine rankings to inject spammy content and boost their sketchy sites in search results
    • Injecting malicious code into a WordPress site theme’s footer PHP script to serve browser redirects
    • Using a fake WordPress plugin named after the infected domain to evade detection and spring into action only when search engine crawlers are detected in order to serve spam content designed to manipulate search engine results
    • Distributing backdoored versions of the WordPress plugin Gravity Forms (affecting only versions 2.9.11.1 and 2.9.12) through the official download page in a supply chain attack that contacts an external server to fetch additional payloads and adds an admin account that gives the attacker complete control of the website

    “If installed, the malicious code modifications will block attempts to update the package and attempt to reach an external server to download additional payload,” RocketGenius, the team behind Gravity Forms, said.

    “If it succeeds in executing this payload, it will then attempt to add an administrative account. That opens a back door to a range of other possible malicious actions, such as expanding remote access, additional unauthorized arbitrary code injections, manipulation of existing admin accounts, and access to stored WordPress data.”


    Source: thehackernews.com…

  • Microsoft Releases Urgent Patch for SharePoint RCE Flaw Exploited in Ongoing Cyber Attacks

    Microsoft on Sunday released security patches for an actively exploited security flaw in SharePoint and also released details of another vulnerability that it said has been addressed with “more robust protections.”

    The tech giant acknowledged it’s “aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.”

    CVE-2025-53770 (CVSS score: 9.8), as the exploited vulnerability is tracked, concerns a case of remote code execution that arises due to the deserialization of untrusted data in on-premises versions of Microsoft SharePoint Server.

    The newly disclosed shortcoming is a spoofing flaw in SharePoint (CVE-2025-53771, CVSS score: 6.3). An anonymous researcher has been credited with discovering and reporting the bug.

    “Improper limitation of a pathname to a restricted directory (‘path traversal’) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network,” Microsoft said in an advisory released on July 20, 2025.

    Microsoft also noted that CVE-2025-53770 and CVE-2025-53771 are related to two other SharePoint vulnerabilities documented by CVE-2025-49704 and CVE-2025-49706, which could be chained to achieve remote code execution. The exploit chain, referred to as ToolShell, was patched as part of the company’s July 2025 Patch Tuesday update.

    “The update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704,” the Windows maker said. “The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706.”

    It’s worth noting that Microsoft previously characterized CVE-2025-53770 as a variant of CVE-2025-49706. When reached for comment about this discrepancy, a Microsoft spokesperson told The Hacker News that “it is prioritizing getting updates out to customers while also correcting any content inaccuracies as necessary.”

    The company also said that the current published content is correct and that the previous inconsistency does not impact the company’s guidance for customers.

    Both the identified flaws apply to on-premises SharePoint Servers only, and do not impact SharePoint Online in Microsoft 365. The issues have been addressed in the versions below (for now) –

    To mitigate potential attacks, customers are recommended to –

    • Use supported versions of on-premises SharePoint Server (SharePoint Server 2016, 2019, and SharePoint Subscription Edition)
    • Apply the latest security updates
    • Ensure the Antimalware Scan Interface (AMSI) is turned on and enable Full Mode for optimal protection, along with an appropriate antivirus solution such as Defender Antivirus
    • Deploy Microsoft Defender for Endpoint protection, or equivalent threat solutions
    • Rotate SharePoint Server ASP.NET machine keys

    “After applying the latest security updates above or enabling AMSI, it is critical that customers rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers,” Microsoft said. “If you cannot enable AMSI, you will need to rotate your keys after you install the new security update.”

    The development comes as Eye Security told The Hacker News that at least 54 organizations have been compromised, including banks, universities, and government entities. Active exploitation is said to have commenced around July 18, according to the company.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA), for its part, added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 21, 2025.

    Palo Alto Networks Unit 42, which is also tracking what it described as a “high-impact, ongoing threat campaign,” said government, schools, healthcare (including hospitals), and large enterprise companies are at immediate risk.

    “Attackers are bypassing identity controls, including MFA and SSO, to gain privileged access,” Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, told The Hacker News. “Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys. The attackers have leveraged this vulnerability to get into systems and are already establishing their foothold.

    “If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point. Patching alone is insufficient to fully evict the threat. What makes this especially concerning is SharePoint’s deep integration with Microsoft’s platform, including their services like Office, Teams, OneDrive and Outlook, which have all the information valuable to an attacker. A compromise doesn’t stay contained—it opens the door to the entire network.”

    The cybersecurity vendor has also classified it as a high-severity, high-urgency threat, urging organizations running on-premises Microsoft SharePoint servers to apply the necessary patches with immediate effect, rotate all cryptographic material, and engage in incident response efforts.

    “An immediate, band-aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available,” Sikorski added. “A false sense of security could result in prolonged exposure and widespread compromise.”

    (This is a developing story. Please check back for more details.)


    Source: thehackernews.com…