Tag: Cyber Security

The U.K. National Cyber Security Centre (NCSC) has revealed that threat actors have exploited the recently disclosed security flaws impacting Cisco firewalls as part of zero-day attacks to deliver previously undocumented malware families like RayInitiator and LINE VIPER.

“The RayInitiator and LINE VIPER malware represent a significant evolution on that used in the previous campaign, both in sophistication and its ability to evade detection,” the agency said.

Cisco on Thursday revealed that it began investigating attacks on multiple government agencies linked to the state-sponsored campaign in May 2025 that targeted Adaptive Security Appliance (ASA) 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data from the compromised devices.

An in-depth analysis of firmware extracted from the infected devices running Cisco Secure Firewall ASA Software with VPN web services enabled ultimately led to the discovery of a memory corruption bug in the product software, it added.

“Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis,” the company said.

The activity involves the exploitation of CVE-2025-20362 (CVSS score: 6.5) and CVE-2025-20333 (CVSS score: 9.9) to bypass authentication and execute malicious code on susceptible appliances. The campaign is assessed to be linked to a threat cluster dubbed ArcaneDoor, which was attributed to a suspected China-linked hacking group known as UAT4356 (aka Storm-1849).

Additionally, in some cases, the threat actor is said to have modified ROMMON (short for Read-Only Memory Monitor) – which is responsible for managing the boot process and performing diagnostic tests in ASA devices – to facilitate persistence across reboots and software upgrades. That being said, these modifications have been detected only on Cisco ASA 5500-X Series platforms that lack Secure Boot and Trust Anchor technologies.

Cisco also said the campaign has successfully compromised ASA 5500-X Series models running Cisco ASA Software releases 9.12 or 9.14 with VPN web services enabled, and which do not support Secure Boot and Trust Anchor technologies. All the affected devices have reached end-of-support (EoS) or are about to reach EoS status by next week –

• 5512-X and 5515-X – Last Date of Support: August 31, 2022
• 5585-X – Last Date of Support: May 31, 2023
• 5525-X, 5545-X, and 5555-X – Last Date of Support: September 30, 2025

Furthermore, the company noted that it has addressed a third critical flaw (CVE-2025-20363, CVSS score: 8.5/9.0) in the web services of Adaptive Security Appliance (ASA) Software, Secure Firewall Threat Defense (FTD) Software, IOS Software, IOS XE Software, and IOS XR Software that could allow an remote attacker to execute arbitrary code on an affected device.

“An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web service on an affected device after obtaining additional information about the system, overcoming exploit mitigations, or both,” it said. “A successful exploit could allow the attacker to execute arbitrary code as root, which may lead to the complete compromise of the affected device.”

Unlike CVE-2025-20362 and CVE-2025-20333, there is no evidence that the vulnerability has been exploited in the wild in a malicious context. Cisco said the shortcoming was discovered by the Cisco Advanced Security Initiatives Group (ASIG) during the resolution of a Cisco TAC support case.

The Canadian Centre for Cyber Security has urged organizations in the country to take action as soon as possible to counter the threat by updating to a fixed version of Cisco ASA and FTD products.

The U.K. NCSC, in an advisory released September 25, revealed the attacks have leveraged a multi-stage bootkit called RayInitiator to deploy a user-mode shellcode loader known as LINE VIPER to the ASA appliance.

RayInitiator is a persistent GRand Unified Bootloader (GRUB) bootkit that’s flashed to victim devices, while capable of surviving reboots and firmware upgrades. It’s responsible for loading into memory LINE VIPER, which can run CLI commands, perform packet captures, bypass VPN Authentication, Authorization, and Accounting (AAA) for actor devices, suppress syslog messages, harvest user CLI commands, and force a delayed reboot.

The bootkit accomplishes this by installing a handler within a legitimate ASA binary called “lina” to execute LINE VIPER. Lina, short for Linux-based Integrated Network Architecture, is the operating system software that integrates core firewall functionalities of the ASA.

Described as “more comprehensive” than Line Dancer, LINE VIPER uses two methods for communication with the command-and-control (C2) server: WebVPN client authentication sessions over HTTPS, or via ICMP with responses over raw TCP. It’s also designed to make a number of modifications to “lina” to avoid leaving a forensic trail and prevent detection of modifications to CLI commands like copy and verify.

“The deployment of LINE VIPER via a persistent bootkit, combined with a greater emphasis on defence evasion techniques, demonstrates an increase in actor sophistication and improvement in operational security compared to the ArcaneDoor campaign publicly documented in 2024,” the NCSC said.

Sep 25, 2025Ravie LakshmananMalvertising / Threat Intelligence

The threat actor known as Vane Viper has been outed as a purveyor of malicious ad technology (adtech), while relying on a tangled web of shell companies and opaque ownership structures to deliberately evade responsibility.

“Vane Viper has provided core infrastructure in widespread malvertising, ad fraud, and cyberthreat proliferation for at least a decade,” Infoblox said in a technical report published last week in collaboration with Guardio and Confiant.

“Vane Viper not only brokers traffic for malware droppers and phishers, but appears to run their own campaigns, consistent with previously documented ad-fraud techniques.”

Vane Viper, also called Omnatuor, was previously documented by the DNS threat intelligence firm in August 2022, describing it as a malvertising network akin to VexTrio Viper that takes advantage of vulnerable WordPress sites to build a massive network of compromised domains and use them to spread riskware, spyware, and adware.

One of the notable aspects of the threat actor’s persistence techniques is the abuse of push notification permissions to serve ads even after the user navigates away from the initial page by altering browser settings. This approach relies on service workers, which maintain a persistent headless browser process to listen for events and serve unwanted notifications.

Late last year, Guardio Labs laid bare a campaign dubbed DeceptionAds that was found to leverage Vane Viper’s malicious ad network to facilitate ClickFix-style social engineering campaigns. The activity was attributed to a company named Monetag, which, according to Infoblox, is a subsidiary of PropellerAds, a commercial ad technology company that, in turn, is a subsidiary of AdTech Holding, a holding company based in Cyprus.

Domains linked to ProperllerAds have long been flagged for facilitating malvertising campaigns and driving traffic to exploit kits or other fraudulent sites. Further analysis has uncovered evidence suggesting that several ad-fraud campaigns have originated from infrastructure attributed to PropellerAds.

The cybersecurity company said Vane Viper has accounted for about 1 trillion DNS queries over the past year in about half of its customer networks, adding the threat actor takes advantage of hundreds of thousands of compromised websites and malicious ads that redirect unsuspecting site users to malicious browser extensions, fake shopping sites, adult content, survey scams, fake apps, sketchy software downloads, and malware, including an Android malware called Triada in one case.

What’s more, Vane Viper appears to share infrastructure and personnel ties with URL Solutions (aka Pananames), Webzilla, and XBT Holdings, with the former also linked to disinformation sites set up by a Russian influence operation called Doppelgänger. Some of the other companies owned by AdTech Holding include ProPushMe, Zeydoo, Notix, and Adex.

About 60,000 domains are assessed to be part of Vane Viper’s infrastructure, most of which only remain active for less than a month. However, there are a few domains that have been active for over 1,200 days, including the original omnatuor[.]com, propeller-tracking[.]com, and several others centered around push notification services.

The operation has been found to register vast numbers of new domains each month, scaling a high of 3,500 domains in the month of October 2024 alone, a significant jump from less than 500 domains registered in April 2023. Vane Viper domains make up nearly 50% of bulk-registered domains via URL Solutions since 2023, per the company.

PropellerAds, however, has previously denied any wrongdoing, stating it’s “nothing more than an automated intermediary to help advertisers find the best publishers to publish their advertisements,” and that it “does not endorse, support, or encourage any malicious advertisement on its network.”

“Vane Viper isn’t just a threat actor hiding behind an adtech platform,” Infoblox noted. “It’s a threat actor as an adtech platform. AdTech Holding claims to offer advertisers reach and monetization at scale, but what it actually delivers is risk.”

“Vane Viper hides behind the plausible deniability of operating as an advertising network, while using their TDS [traffic distribution system] to deliver multiple kinds of threats.”

Sep 25, 2025Ravie LakshmananZero-Day / Vulnerability

Cisco is urging customers to patch two security flaws impacting the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software, which it said have been exploited in the wild.

The zero-day vulnerabilities in question are listed below –

• CVE-2025-20333 (CVSS score: 9.9) – An improper validation of user-supplied input in HTTP(S) requests vulnerability that could allow an authenticated, remote attacker with valid VPN user credentials to execute arbitrary code as root on an affected device by sending crafted HTTP requests
• CVE-2025-20362 (CVSS score: 6.5) – An improper validation of user-supplied input in HTTP(S) requests vulnerability that could allow an unauthenticated, remote attacker to access restricted URL endpoints without authentication by sending crafted HTTP requests

Cisco said it’s aware of “attempted exploitation” of both vulnerabilities, but did not reveal who may be behind it, or how widespread the attacks are. It’s suspected that the two vulnerabilities are being chained to bypass authentication and execute malicious code on susceptible appliances.

It also credited the Australian Signals Directorate, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security, U.K. National Cyber Security Centre (NCSC), and U.S. Cybersecurity and Infrastructure Security Agency (CISA) for supporting the investigation.

CISA Issues Emergency Directive ED 25-03

In a separate alert, CISA said it’s issuing an emergency directive urging federal agencies to identify, analyze, and mitigate potential compromises with immediate effect. In addition, both vulnerabilities have been added to the Known Exploited Vulnerabilities (KEV) catalog, giving the agencies 24 hours to apply the necessary mitigations.

“CISA is aware of an ongoing exploitation campaign by an advanced threat actor targeting Cisco Adaptive Security Appliances (ASA),” the agency noted.

“The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. This activity presents a significant risk to victim networks.”

The agency also noted that the activity is linked to a threat cluster dubbed ArcaneDoor, which was previously identified as targeting perimeter network devices from several vendors, including Cisco, to deliver malware families like Line Runner and Line Dancer. The activity was attributed to a threat actor dubbed UAT4356 (aka Storm-1849).

“This threat actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024,” CISA added. “These zero-day vulnerabilities in the Cisco ASA platform are also present in specific versions of Cisco Firepower. Firepower appliances’ Secure Boot would detect the identified manipulation of the ROM.”

Sep 25, 2025Ravie LakshmananVulnerability / AI Security

Cybersecurity researchers have disclosed a critical flaw impacting Salesforce Agentforce, a platform for building artificial intelligence (AI) agents, that could allow attackers to potentially exfiltrate sensitive data from its customer relationship management (CRM) tool by means of an indirect prompt injection.

The vulnerability has been codenamed ForcedLeak (CVSS score: 9.4) by Noma Security, which discovered and reported the problem on July 28, 2025. It impacts any organization using Salesforce Agentforce with the Web-to-Lead functionality enabled.

“This vulnerability demonstrates how AI agents present a fundamentally different and expanded attack surface compared to traditional prompt-response systems,” Sasi Levi, security research lead at Noma, said in a report shared with The Hacker News.

One of the most severe threats facing generative artificial intelligence (GenAI) systems today is indirect prompt injection, which occurs when malicious instructions are inserted into external data sources accessed by the service, effectively causing it to generate otherwise prohibited content or take unintended actions.

The attack path demonstrated by Noma is deceptively simple in that it coaxes the Description field in Web-to-Lead form to run malicious instructions by means of a prompt injection, allowing a threat actor to leak sensitive data and exfiltrate it to a Salesforce-related allowlisted domain that had expired and become available for purchase for as little as $5.

This takes place over five steps –

• Attacker submits Web-to-Lead form with a malicious Description
• Internal employee processes lead using a standard AI query to process incoming leads
• Agentforce executes both legitimate and hidden instructions
• System queries CRM for sensitive lead information
• Transmit the data to the now attacker-controlled domain in the form of a PNG image

“By exploiting weaknesses in context validation, overly permissive AI model behavior, and a Content Security Policy (CSP) bypass, attackers can create malicious Web-to-Lead submissions that execute unauthorized commands when processed by Agentforce,” Noma said.

“The LLM, operating as a straightforward execution engine, lacked the ability to distinguish between legitimate data loaded into its context and malicious instructions that should only be executed from trusted sources, resulting in critical sensitive data leakage.”

Salesforce has since re-secured the expired domain, rolled out patches that prevent output in Agentforce and Einstein AI agents from being sent to untrusted URLs by enforcing a URL allowlist mechanism.

“Our underlying services powering Agentforce will enforce the Trusted URL allowlist to ensure no malicious links are called or generated through potential prompt injection,” the company said in an alert issued earlier this month. “This provides a crucial defense-in-depth control against sensitive data escaping customer systems via external requests after a successful prompt injection.”

Besides applying Salesforce’s recommended actions to enforce Trusted URLs, users are recommended to audit existing lead data for suspicious submissions containing unusual instructions, implement strict input validation to detect possible prompt injection, and sanitize data from untrusted sources.

“The ForcedLeak vulnerability highlights the importance of proactive AI security and governance,” Levi said. “It serves as a strong reminder that even a low-cost discovery can prevent millions in potential breach damages.”

The North Korea-linked threat actors associated with the Contagious Interview campaign have been attributed to a previously undocumented backdoor called AkdoorTea, along with tools like TsunamiKit and Tropidoor.

Slovak cybersecurity firm ESET, which is tracking the activity under the name DeceptiveDevelopment, said the campaign targets software developers across all operating systems, Windows, Linux, and macOS, particularly those involved in cryptocurrency and Web3 projects. It’s also referred to as DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi.

“DeceptiveDevelopment’s toolset is mostly multi-platform and consists of initial obfuscated malicious scripts in Python and JavaScript, basic backdoors in Python and Go, and a dark web project in .NET,” ESET researchers Peter Kálnai and Matěj Havránek said in a report shared with The Hacker News.

The campaign essentially involves the impersonated recruiters offering what appear to be lucrative job roles over platforms like LinkedIn, Upwork, Freelancer, and Crypto Jobs List. After initial outreach, should the prospective target express interest in the opportunity, they are either asked to complete a video assessment by clicking on a link or a coding exercise.

The programming assignment requires them to clone projects hosted on GitHub, which silently install malware. On the other hand, websites explicitly set up for undertaking the so-called video assessment display non-existent errors related to camera or microphone access being blocked, and urge them to follow ClickFix-style instructions to rectify the problem by either launching the command prompt or the Terminal app, depending on the operating system used.

Irrespective of the method employed, the attacks have been generally found to deliver several pieces of malware such as BeaverTail, InvisibleFerret, OtterCookie, GolangGhost (aka FlexibleFerret or WeaselStore), and PylangGhost.

“WeaselStore’s functionality is quite similar to both BeaverTail and InvisibleFerret, with the main focus being exfiltration of sensitive data from browsers and cryptocurrency wallets,” ESET said. “Once the data has been exfiltrated, WeaselStore, unlike traditional infostealers, continues to communicate with its C&C server, serving as a RAT capable of executing various commands.”

Also deployed as part of these infection sequences are TsunamiKit, PostNapTea, and Tropidoor, the first of which is a malware toolkit delivered by InvisibleFerret and is designed for information and cryptocurrency theft. The use of TsunamiKit was first discovered in November 2024.

The toolkit comprises several components, the starting point being the initial stage TsunamiLoader that triggers the execution of an injector (TsunamiInjector), which, in turn, drops TsunamiInstaller and TsunamiHardener.

The BeaverTail stealer and downloader has also been found to act as a distribution vehicle for another malware known as Tropidoor that, according to ASEC, overlaps with a Lazarus Group tool called LightlessCan. ESET said it found evidence of Tropidoor artifacts uploaded to VirusTotal from Kenya, Colombia, and Canada, adding the malware also shares “large portions of code” with PostNapTea, a malware used by the threat actor against South Korean targets in 2022.

PostNapTea supports commands for configuration updates, file manipulation and screen capturing, file system management, process management, and running custom versions of Windows commands like whoami, netstat, tracert, lookup, ipconfig, and systeminfo, among others, for improved stealth – a feature also present in LightlessCan.

“Tropidoor is the most sophisticated payload yet linked to the DeceptiveDevelopment group, probably because it is based on malware developed by the more technically advanced threat actors under the Lazarus umbrella,” ESET said.

Execution chain of WeaselStore

The latest addition to the threat actor’s arsenal is a remote access trojan dubbed AkdoorTea that’s delivered by means of a Windows batch script. The script downloads a ZIP file (“nvidiaRelease.zip”) and executes a Visual Basic Script present in it, which then proceeds to launch BeaverTail and AkdoorTea payloads also contained in the archive.

It’s worth pointing out that the campaign has leveraged NVIDIA-themed driver updates in the past as part of ClickFix attacks to address supposed camera or microphone issues when providing the video assessments, indicating that this approach is being used to propagate AkdoorTea.

AkdoorTea gets its name from the fact that it shares commonalities with Akdoor, which is described as a variant of the NukeSped (aka Manuscrypt) implant – further reinforcing Contagious Interview’s connections to the larger Lazarus Group umbrella.

“DeceptiveDevelopment’s TTPs illustrate a more distributed, volume-driven model of its operations. Despite often lacking technical sophistication, the group compensates through scale and creative social engineering,” ESET said.

“Its campaigns demonstrate a pragmatic approach, exploiting open-source tooling, reusing available dark web projects, adapting malware probably rented from other North Korea-aligned groups, and leveraging human vulnerabilities through fake job offers and interview platforms.”

Contagious Interview doesn’t operate in silo, as it has been also found to share some level of overlaps with Pyongyang’s fraudulent IT worker scheme (aka WageMole), with the Zscaler noting that intelligence gleaned from the former is used by North Korean actors to secure jobs at those companies using stolen identities and fabricating synthetic personas. The IT worker threat is believed to have been ongoing since 2017.

Connection between Contagious Interview and WageMole

Cybersecurity company Trellix, in a report published this week, said it uncovered an instance of a North Korean IT worker employment fraud targeting a U.S. healthcare company, where an individual using the name “Kyle Lankford” applied for a Principal Software Engineer position.

While the job applicant did not raise any red flags during the early stages of the hiring process, Trellix said it was able to correlate their email addresses with known North Korea IT worker indicators. Further analysis of the email exchanges and background checks identified the candidate as a likely North Korean operative, it added.

“The activities of North Korean IT workers constitute a hybrid threat,” ESET noted. “This fraud-for-hire scheme combines classical criminal operations, such as identity theft and synthetic identity fraud, with digital tools, which classify it as both a traditional crime and a cybercrime (or e-crime).”

Despite a coordinated investment of time, effort, planning, and resources, even the most up-to-date cybersecurity systems continue to fail. Every day. Why?

It’s not because security teams can’t see enough. Quite the contrary. Every security tool spits out thousands of findings. Patch this. Block that. Investigate this. It’s a tsunami of red dots that not even the most crackerjack team on earth could ever clear.

And here’s the other uncomfortable truth: Most of it doesn’t matter.

Fixing everything is impossible. Trying to is a fool’s errand. Smart teams aren’t wasting precious time running down meaningless alerts. They understand that the hidden key to protecting their organization is knowing which exposures are actually putting the business at risk.

That’s why Gartner introduced the concept of Continuous Threat Exposure Management and put prioritization and validation at the heart of it. It’s not about more dashboards or prettier charts. It’s about narrowing focus and taking the fight to the handful of exposures that actually matter and proving your defenses will actually hold up when and where they really need to.

The Problem with Traditional Vulnerability Management

Vulnerability management was built on a simple premise: Find every weakness, rank it, then patch it. On paper, it sounds logical and systematic. And there was a time when it made perfect sense. Today, however, facing an unprecedented and constant barrage of threats, it’s a treadmill not even the fittest team can keep up with.

Each year, over 40,000 Common Vulnerabilities and Exposures (CVEs) hit the wire. Scoring systems like CVSS and EPSS dutifully stamp 61% of them as “critical.” That’s not prioritization, it’s panic at scale. These labels don’t care if the bug is buried behind three layers of authentication, blocked by existing controls, or practically unexploitable in your specific environment. As far as they’re concerned, a threat is a threat.

Figure 1: Projected Vulnerability Volume

So teams grind themselves down chasing ghosts. They burn cycles on vulnerabilities that will never be used in an attack, while a handful of the ones that do matter slip through, unnoticed. It’s security theater masquerading as risk reduction.

In reality, the actual risk scenario looks very different. Once you factor in existing security controls, only around 10% of real world vulnerabilities are truly critical. Which means that 84% of so-called “critical” alerts amount to false urgency, again draining time, budget, and focus that could, and should, be spent on real threats.

Enter Continuous Threat Exposure Management (CTEM)

Continuous Threat Exposure Management (CTEM) was developed to end the never-ending treadmill. Instead of drowning teams in theoretical “critical” findings, it replaces volume with clarity through two essential steps.

• Prioritization ranks exposures by real business impact, not abstract severity scores.
• Validation pressure-tests those prioritized exposures against your specific environment, uncovering which ones attackers can actually exploit.

One without the other fails. Prioritization alone is just educated guesswork. Validation alone wastes cycles on hypotheticals and the wrong issues. But together they convert assumptions into evidence and endless lists into focused, realistic action.

Figure 2: CTEM in Action

And the scope goes far beyond CVEs. As Gartner predicts, by 2028, more than half of exposures will stem from nontechnical weaknesses like misconfigured SaaS apps, leaked credentials, and human error. Happily, CTEM addresses this head-on, applying the same disciplined prioritize-then-validate action chain across every kind of exposure.

That’s why CTEM isn’t just a framework. It’s a necessary evolution from chasing alerts to proving risk, and from fixing everything to fixing what matters most.

Automating Validation with Adversarial Exposure Validation (AEV) Technologies

CTEM demands validation, but validation requires finesse and adversarial context, which Adversarial Exposure Validation (AEV) technologies deliver. They help further cut through inflated “priority” lists and prove in practice which exposures will actually open the door to attackers.

Two technologies drive this automation:

• Breach and Attack Simulation (BAS) continuously and safely simulates and emulates adversarial techniques like ransomware payloads, lateral movement, and data exfiltration to verify whether your specific security controls will actually stop what they’re supposed to. It’s not a one-time exercise but an ongoing practice, with scenarios mapped to the MITRE ATT&CKⓇ threat framework for relevance, consistency and coverage.
• Automated Penetration Testing goes further by chaining vulnerabilities and misconfigurations the way real attackers do. It excels at exposing and exploiting complex attack paths that include Kerberoasting in Active Directory or privilege escalation through mismanaged identity systems. Instead of relying on an annual pentest, Automated Pentesting lets teams run meaningful tests on demand, as often as needed.

Figure 3: BAS and Automated Penetration Testing Use Cases

Together, BAS and Automated Pentesting provide your teams with the attacker’s perspective at scale. They reveal not just the threats that look dangerous, but what’s actually exploitable, detectable, and defendable in your environment.

This shift is critical for dynamic infrastructures where endpoints spin up and down daily, credentials can leak across SaaS apps, and configurations change with every sprint. In today’s increasingly dynamic environments, static assessments can’t help but fall behind. BAS and Automated Pentesting keep the validation continuous, turning exposure management from theoretical into real-world proof.

A Real-Life Case: Adversarial Exposure Validation (AEV) in Action

Take Log4j as an example. When it first surfaced, every scanner lit up red. CVSS scores gave it a 10.0 (Critical), EPSS models flagged high exploit probability, and asset inventories showed it was scattered across environments.

Traditional methods left security teams with a flat picture, instructing them to treat every instance as equally urgent. The result? Resources quickly spread thin, wasting time chasing duplicates of the same problem.

Adversarial Exposure Validation changes the narrative. By validating in context, teams quickly see that not every Log4j instance is a crisis. One system might already have effective WAF rules, compensating controls, or segmentation that drops its risk score from a 10.0 to a 5.2. That reprioritization shifts it from “drop everything now” with klaxons blaring, to “patch as part of normal cycles”.

Meanwhile, Adversarial Exposure Validation can also reveal the opposite scenario: a seemingly low-priority misconfiguration in a SaaS app could chain directly to sensitive data exfiltration, elevating it from “medium” to “urgent.”

Figure 4: Validating the Log4j Vulnerability to its True Risk Score

Adversarial Exposure Validation delivers real value to your security teams by measuring:

• Control effectiveness: Proving if an exploit attempt is blocked, logged, or ignored.
• Detection and response: Showing whether SOC teams are seeing the activity and IR teams are containing it fast enough.
• Operational readiness: Exposing weak links in workflows, escalation paths, and containment procedures.

In practice, Adversarial Exposure Validation transforms Log4j, or any other vulnerability, from a generic “critical everywhere” all hands on deck nightmare into a precise risk map. It tells CISOs and security teams not just what’s out there, but which threats that are out there actually matter for their environment today.

The Future of Validation: The Picus BAS Summit 2025

Continuous Threat Exposure Management (CTEM) provides a much-needed clarity that comes from two engines working together: prioritization to focus effort, and validation to prove what matters.

Adversarial Exposure Validation (AEV) technologies help bring this vision to life. By combining Breach and Attack Simulation (BAS) and Automated Penetration Testing, they’re able to show security teams the attacker’s perspective at scale, surfacing not just what could happen, but what will happen if existing gaps go unaddressed.

To see Adversarial Exposure Validation (AEV) technologies in action, join Picus Security, SANS, Hacker Valley, and other prominent security leaders at The Picus BAS Summit 2025: Redefining Attack Simulation through AI. This virtual summit will showcase how BAS and AI are shaping the future of security validation, with insights from analysts, practitioners, and innovators driving the field forward.

[Secure your spot today.]

Sep 25, 2025Ravie LakshmananCybersecurity / Hacking News

Welcome to this week’s Threatsday Bulletin—your Thursday check-in on the latest twists and turns in cybersecurity and hacking.

The digital threat landscape never stands still. One week it’s a critical zero-day, the next it’s a wave of phishing lures or a state-backed disinformation push. Each headline is a reminder that the rules keep changing and that defenders—whether you’re protecting a global enterprise or your own personal data—need to keep moving just as fast.

In this edition we unpack fresh exploits, high-profile arrests, and the newest tactics cybercriminals are testing right now. Grab a coffee, take five minutes, and get the key insights that help you stay a step ahead of the next breach.

That wraps up this week’s Threatsday Bulletin. Use these stories as a prompt to double-check your own defenses: apply the urgent updates, tighten access controls, and talk with colleagues about what these incidents mean for your environment.

Every small action today helps prevent a big incident tomorrow.

👉 Stay in the loop: Sign up for our newsletter for real-time updates and next week’s highlights.

The latest Gcore Radar report analyzing attack data from Q1–Q2 2025, reveals a 41% year-on-year increase in total attack volume. The largest attack peaked at 2.2 Tbps, surpassing the 2 Tbps record in late 2024. Attacks are growing not only in scale but in sophistication, with longer durations, multi-layered strategies, and a shift in target industries. Technology now overtakes gaming as the most attacked sector, while the financial services industry continues to face heightened risks.

Key takeaways: the evolving DDoS landscape

Here are five key insights from the Q1–Q2 2025 Gcore Radar report:

1. Attack volumes are rising. Total attacks climbed from 969,000 in H2 2024 to 1.17 million in H1 2025, a 21% increase over the previous two quarters and 41% YoY growth.
2. Attack size continues to grow. The peak attack of 2.2 Tbps demonstrates the increasing scale and destructive potential of modern DDoS campaigns.
3. Attacks are becoming longer and more sophisticated. Extended durations and multi-layered tactics allow threat actors to bypass defenses and maximize disruption.
4. The industries targeted are shifting. Technology overtakes gaming as the top target, while financial services is being increasingly targeted.
5. Application-layer attacks are on the rise. Multi-vector assaults targeting web applications and APIs now account for 38% of total attacks, up from 28% in Q3–Q4 2024.

DDoS attack frequency has surged

Gcore Radar highlights a continued upward trajectory in DDoS activity. Compared to H2 2024, attack volumes rose 21%, while YoY growth reached 41%, underscoring a long-term escalation trend. Several factors contribute to this rise:

The largest attack reached 2.2 Tbps

The peak assault in Q1–Q2 2025 hit 2.2 Tbps, surpassing late 2024’s 2 Tbps attack. While attacks exceeding 1 Tbps remain rare, their frequency is rising, highlighting attackers’ growing ambition to overwhelm networks, applications, and services. Even smaller attacks can incapacitate unprotected systems.

Industries targeted are shifting

Technology now represents 30% of all DDoS attacks, overtaking gaming (19%). Hosting providers supporting SaaS, e-commerce, gaming, and financial clients are particularly vulnerable, as a single attack can trigger ripple effects across multiple dependent businesses.

Financial services account for 21% of attacks. Banks and payment systems are prime targets due to high disruption potential, regulatory sensitivity, and ransomware risk.

Gaming continues to face significant threats, but improved defenses and strategic attacker shifts reduced its share from 34% in H2 2024 to 19% in H1 2025. Key drivers of ongoing attacks include competitive advantage and revenue impact.

Telecommunications now make up 13% of attacks, reflecting their role as critical internet infrastructure.

Media, entertainment, and retail see more moderate attack levels, with media at 10% and retail at 5–6%.

Attack duration and tactics

Recent data shows a shift toward longer, more sustained assaults. Attacks under 10 minutes decreased by roughly 33%, while 10–30 minute attacks nearly quadrupled. Maximum attack duration slightly decreased, from five hours to three, indicating a focus on concentrated, high-impact campaigns.

Short bursts remain preferred. Despite longer attacks gaining prevalence, brief attacks remain highly disruptive, evading automated defenses and often serving as smokescreens for multi-stage cyberattacks.

Attack vectors

In terms of network-layer attack vectors, UDP flood attacks remain dominant, accounting for 56% of network-layer attacks, followed by SYN floods (17%), TCP floods (10%), ACK floods (8%), and ICMP (6%). Multi-vector approaches allow attackers to mask malicious activity as legitimate traffic.

ACK flood attacks continue to rise, now making up 8% of network-layer traffic, highlighting their ability to bypass detection.

Application-layer attack vectors

L7 UDP floods dominate (62%), followed by L7 TCP floods (33%), with other attack types at 5%. Attackers increasingly exploit business logic and APIs to disrupt operations beyond traditional network overload.

Geographical trends

The United States and the Netherlands remain top sources for network-layer attacks. Hong Kong emerges as a new significant source, contributing 17% of network-layer and 10% of application-layer attacks.

These findings highlight the need for proactive, geographically aware defenses.

Multi-layered attacks highlight the critical role of WAAP

Attackers are increasingly targeting web applications and APIs, exploiting inventory systems, payment flows, and customer interaction points. These attacks often combine volumetric disruption with manipulation of economic logic, affecting sectors such as e-commerce, logistics, online banking, and public services.

Gcore DDoS Protection: defending against evolving threats

Gcore DDoS Protection leverages 200+ Tbps filtering capacity across 210+ PoPs worldwide, neutralizing attacks in real time. Integrated Web Application and API Protection (WAAP) combines DDoS mitigation, bot management, and API security to protect critical assets while maintaining performance.

Download the full report.

Sep 25, 2025Ravie LakshmananSoftware Security / Malware

Cybersecurity researchers have discovered two malicious Rust crates impersonating a legitimate library called fast_log to steal Solana and Ethereum wallet keys from source code.

The crates, named faster_log and async_println, were published by the threat actor under the alias rustguruman and dumbnbased on May 25, 2025, amassing 8,424 downloads in total, according to software supply chain security company Socket.

“The crates include working logging code for cover and embed routines that scan source files for Solana and Ethereum private keys, then exfiltrate matches via HTTP POST to a hardcoded command and control (C2) endpoint,” security researcher Kirill Boychenko said.

Following responsible disclosure, the maintainers of crates.io have taken steps to remove the Rust packages and disable the two accounts. It has also preserved logs of the threat actor-operated users along with the malicious crates for further analysis.

“The malicious code was executed at runtime, when running or testing a project depending on them,” Crates.io’s Walter Pearce said. “Notably, they did not execute any malicious code at build time. Except for their malicious payload, these crates copied the source code, features, and documentation of legitimate crates, using a similar name to them.”

The typosquatting attack, as detailed by Socket, involved the threat actors retaining the logging functionality of the actual library, while introducing malicious code changes during a log packing operation that recursively searched Rust files (*.rs) in a directory for Ethereum and Solana private keys and bracketed byte arrays and exfiltrate them to an Cloudflare Workers domain (“mainnet.solana-rpc-pool.workers[.]dev”).

Besides copying fast_log’s README and setting the bogus crates’ repository field to the real GitHub project, the use of “mainnet.solana-rpc-pool.workers[.]dev” is an attempt to mimic Solana’s Mainnet beta RPC endpoint “api.mainnet-beta.solana[.]com.”

According to crates.io, the two crates did not have any dependent downstream crates, nor did the users publish other crates on the Rust package registry. The GitHub accounts linked to the crates.io publisher accounts remain accessible as of writing. While the GitHub account dumbnbased was created on May 27, 2023, rustguruman did not exist until May 25, 2025.

“This campaign shows how minimal code and simple deception can create a supply chain risk,” Boychenko said. “A functional logger with a familiar name, copied design, and README can pass casual review, while a small routine posts private wallet keys to a threat actor-controlled C2 endpoint. Unfortunately, that is enough to reach developer laptops and CI.”

Sep 25, 2025Ravie LakshmananVulnerability / Network Security

Cisco has warned of a high-severity security flaw in IOS Software and IOS XE Software that could allow a remote attacker to execute arbitrary code or trigger a denial-of-service (DoS) condition under specific circumstances.

The company said the vulnerability, CVE-2025-20352 (CVSS score: 7.7), has been exploited in the wild, adding it became aware of it “after local Administrator credentials were compromised.”

The issue, per the networking equipment major, is rooted in the Simple Network Management Protocol (SNMP) subsystem, arising as a result of a stack overflow condition.

An authenticated, remote attacker could exploit the flaw by sending a crafted SNMP packet to an affected device over IPv4 or IPv6 networks, resulting in DoS if they have low privileges or arbitrary code execution as root if they have high privileges and ultimately take control of the susceptible system.

However, Cisco noted that for this to happen, the following conditions need to be met –

• To cause the DoS, the attacker must have the SNMPv2c or earlier read-only community string or valid SNMPv3 user credentials
• To execute code as the root user, the attacker must have the SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials and administrative or privilege 15 credentials on the affected device

The company said the issue affects all versions of SNMP, as well as Meraki MS390 and Cisco Catalyst 9300 Series Switches that are running Meraki CS 17 and earlier. It has been fixed in Cisco IOS XE Software Release 17.15.4a. Cisco IOS XR Software and NX-OS Software are not impacted.

“This vulnerability affects all versions of SNMP. All devices that have SNMP enabled and have not explicitly excluded the affected object ID (OID) should be considered vulnerable,” Cisco said.

While there are no workarounds that resolve CVE-2025-20352, one mitigation proposed by Cisco involves allowing only trusted users to have SNMP access on an affected system, and monitoring the systems by running the “show snmp host” command.

“Administrators can disable the affected OIDs on a device,” it added. “Not all software will support the OID that is listed in the mitigation. If the OID is not valid for specific software, then it is not affected by this vulnerability. Excluding these OIDs may affect device management through SNMP, such as discovery and hardware inventory.”