Cyber Threat Intelligence 13 October 2025
Industrial Sector
- Pro-Russian Hackers Caught Bragging About Attack On Fake Water Utility
"A pro-Russian hacker group has been caught boasting about a cyberattack that unfolded entirely inside a decoy system set up by researchers. The relatively new group, known as TwoNet, claimed in September that it had disrupted a Dutch water facility by hacking into its control systems. In reality, the hackers had infiltrated a honeypot — a decoy network designed by cybersecurity firm Forescout to lure attackers and study their behavior. According to the company, the threat actor, using the alias Barlati, defaced the login page with a message reading “HACKED BY BARLATI, FUCK.” The attacker also changed configuration settings and disabled alarms — actions that, if carried out on a real system, could have disrupted operations."
https://therecord.media/fake-water-utility-honeypot-hacked-pro-russian-group
https://www.infosecurity-magazine.com/news/russia-hacktivistsattack-water/
Vulnerabilities
- Active Exploitation Of Gladinet CentreStack And Triofox Local File Inclusion Flaw (CVE-2025-11371)
"In April 2025, Huntress published its findings on the exploitation of CVE-2025-30406, a critical-severity flaw in Gladinet CentreStack and Triofox products. On September 27, 2025, the Huntress SOC received an alert from an internal detector for successful exploitation of Gladinet CentreStack software. However, the version of the software running was later than 16.4.10315.56368, which was no longer vulnerable to CVE-2025-30406. In earlier versions of CentreStack and Triofox vulnerable to CVE-2025-30406, a hardcoded machine key would allow a threat actor to perform remote code execution via a ViewState deserialization vulnerability."
https://www.huntress.com/blog/gladinet-centrestack-triofox-local-file-inclusion-flaw
https://www.bleepingcomputer.com/news/security/hackers-exploiting-zero-day-in-gladinet-file-sharing-software/
https://thehackernews.com/2025/10/from-lfi-to-rce-active-exploitation.html
https://www.bankinfosecurity.com/hackers-exploit-lfi-flaw-in-file-sharing-platforms-a-29708
https://www.helpnetsecurity.com/2025/10/10/gladinet-centrestack-vulnerability-exploited-cve-2025-11371/
https://securityaffairs.com/183259/hacking/cve-2025-11371-unpatched-zero-day-in-gladinet-centrestack-triofox-under-attack.html
- Juniper Networks Patches Critical Junos Space Vulnerabilities
"Juniper Networks has announced patches for nearly 220 vulnerabilities in Junos OS, Junos Space, and Security Director, including nine critical-severity flaws affecting Junos Space. More than 200 security defects were resolved in Junos Space and Junos Space Security Director, Juniper’s October 2025 security advisories, published as part of the company’s predefined quarterly schedule, reveal."
https://www.securityweek.com/juniper-networks-patches-critical-junos-space-vulnerabilities/
https://securityaffairs.com/183229/security/juniper-patched-nine-critical-flaws-in-junos-space.html
- ZDI Drops 13 Unpatched Ivanti Endpoint Manager Vulnerabilities
"Trend Micro’s Zero Day Initiative (ZDI) this week published 13 advisories describing unpatched vulnerabilities in Ivanti Endpoint Manager. One of the flaws allows local attackers to elevate their privileges and was reported to Ivanti in November 2024. The remaining 12 lead to remote code execution (RCE) and were reported in June 2025. While the vulnerabilities are technically not zero-days, ZDI flags all of the unpatched flaws it discloses as ‘0day’. ZDI’s advisories name the vulnerable component and provide a general description of the root cause, but do not contain any other technical details."
https://www.securityweek.com/zdi-drops-13-unpatched-ivanti-endpoint-manager-vulnerabilities/
- Huntress Threat Advisory: Widespread SonicWall SSLVPN Compromise
"As of October 10, Huntress has observed widespread compromise of SonicWall SSLVPN devices across multiple customer environments. Threat actors are authenticating into multiple accounts rapidly across compromised devices. The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing. The bulk of the activity started on October 4, with clustered authentications occurring over the course of the following two days. So far, over 100 SonicWall SSLVPN accounts across 16 customer accounts have been impacted. In the cases observed, authentications on the SonicWall devices originated from 202.155.8[.]73."
https://www.huntress.com/blog/sonicwall-sslvpn-compromise
https://thehackernews.com/2025/10/experts-warn-of-widespread-sonicwall.html
https://securityaffairs.com/183245/hacking/attackers-exploit-valid-logins-in-sonicwall-ssl-vpn-compromise.html
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2021-43798 Grafana Path Traversal Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/10/09/cisa-adds-one-known-exploited-vulnerability-catalog
- Summary Of The Investigation Related To CVE-2025-10035
"On Sept. 11, 2025, we began investigating a potential vulnerability reported by a customer. After identifying the issue, Fortra developed and released hotfixes for supported versions and updated the product to further secure the affected component. We also notified all Fortra GoAnywhere MFT customers of the available updates and mitigation steps. The timeline below provides an overview of our investigation, remediation, and customer communications."
https://www.fortra.com/blog/summary-investigation-related-cve-2025-10035
https://thehackernews.com/2025/10/from-detection-to-patch-fortra-reveals.html
https://www.bankinfosecurity.com/fortra-confirms-unauthorized-activity-hit-goanywhere-mft-a-29701
- Another Remotely Exploitable Oracle EBS Vulnerability Requires Your Attention (CVE-2025-61884)
"Oracle has revealed the existence of yet another remotely exploitable Oracle E-Business Suite vulnerability (CVE-2025-61884). CVE-2025-61884 is a vulnerability in the Runtime user interface in the Oracle Configurator product of Oracle E-Business Suite (EBS). Like CVE-2025-61882 before it, it officially affects the EBS versions 12.2.3 through 12.2.14. According to the NIST national vulnerability database entry for CVE-2025-61884, this is an “easily exploitable vulnerability [that] allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data.”"
https://www.helpnetsecurity.com/2025/10/12/another-remotely-exploitable-oracle-ebs-vulnerability-requires-your-attention-cve-2025-61884/
https://archive.ph/nPs5O
https://www.oracle.com/security-alerts/alert-cve-2025-61884.html
https://thehackernews.com/2025/10/new-oracle-e-business-suite-bug-could.html
Malware
- New Stealit Campaign Abuses Node.js Single Executable Application
"FortiGuard Labs has encountered a new and active Stealit malware campaign that leverages Node.js’ Single Executable Application (SEA) feature to distribute its payloads. This campaign was uncovered following a spike in detections of a particular Visual Basic script, which was later determined to be a component for persistence. Earlier Stealit campaigns were built using Electron, an open-source framework that packages Node.js scripts as NSIS installers for distribution. This new campaign has adopted Node.js' native Single Executable Application, which similarly bundles scripts and their assets into standalone binaries. Both approaches are effective for distributing Node.js-based malware, as they allow execution without requiring a pre-installed Node.js runtime or additional dependencies."
https://www.fortinet.com/blog/threat-research/stealit-campaign-abuses-nodejs-single-executable-application
https://thehackernews.com/2025/10/stealit-malware-abuses-nodejs-single.html
https://hackread.com/stealit-malware-node-js-fake-game-vpn-installers/
- Astaroth: Banking Trojan Abusing GitHub For Resilience
"Digital banking has made our lives easier, but it’s also handed cybercriminals a golden opportunity. Banking trojans are the invisible pickpockets of the digital age, silently stealing credentials while you browse your bank account or check your crypto wallet. Today, we’re breaking down a particularly nasty variant called Astaroth, and it’s doing something clever: abusing GitHub to stay resilient."
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/astaroth-banking-trojan-abusing-github-for-resilience/
- 175 Malicious Npm Packages Host Phishing Infrastructure Targeting 135+ Organizations
"Socket's Threat Research Team uncovered 175 malicious npm packages which have collectively accumulated over 26,000 downloads, serving as infrastructure for a widespread phishing campaign targeting 135+ industrial, technology, and energy companies worldwide. While the packages' randomized names make accidental developer installation unlikely, the download counts likely include security researchers, automated scanners, and CDN infrastructure analyzing the packages after disclosure. The campaign, which we're calling "Beamglea" based on consistent artifacts across all packages, uses npm's public registry and unpkg.com's CDN to host redirect scripts that funnel victims to credential harvesting pages. The origin and meaning of "beamglea" remain unclear - it may be a codename, inside reference, or randomly chosen identifier by the threat actors."
https://socket.dev/blog/175-malicious-npm-packages-host-phishing-infrastructure
https://thehackernews.com/2025/10/175-malicious-npm-packages-with-26000.html
- The Golden Scale: Bling Libra And The Evolving Extortion Economy
"In recent months, threat actors claiming to be part of a new conglomerate dubbed Scattered Lapsus$ Hunters (aka SP1D3R HUNTERS, SLSH) have asserted responsibility for laying siege to customer Salesforce tenants as part of a coordinated effort to steal data and hold it for ransom. At least one industry source refers to this criminal syndicate as the Trinity of Chaos. “Trinity” is used because the conglomerate is likely composed of individuals tied to three groups: Muddled Libra (aka Scattered Spider), Bling Libra (aka ShinyHunters), and LAPSUS$, all of which are likely representative of the broader cybercriminal community known as The Com."
https://unit42.paloaltonetworks.com/scattered-lapsus-hunters/
- Fake 'Inflation Refund' Texts Target New Yorkers In New Scam
"An ongoing smishing campaign is targeting New Yorkers with text messages posing as the Department of Taxation and Finance, claiming to offer "Inflation Refunds" in an attempt to steal victims' personal and financial data. The Inflation Refund is an initiative from New York State that automatically sends refund checks to eligible residents to help offset the effects of inflation. Those who qualify include taxpayers who filed a return, meet certain income thresholds, and were not claimed as dependents by another filer. New Yorkers do not need to apply, sign up, or provide any personal information to receive their checks, as they are automatically sent to qualified taxpayers."
https://www.bleepingcomputer.com/news/security/fake-inflation-refund-texts-target-new-yorkers-in-new-scam/
Breaches/Hacks/Leaks
- Telstra Denies Scattered Spider Data Breach Claims Amid Ransom Threats
"Telstra, one of Australia’s leading telecommunications companies, has denied claims made by the hacker group Scattered Spider that it suffered a massive data breach compromising nearly 19 million personal records. The company issued a statement clarifying that its internal systems remain secure and that the data in question was scraped from publicly available sources rather than stolen. In a post on X (formerly Twitter), Telstra emphasized that no passwords, banking details, or sensitive identification data such as driver’s licenses or Medicare numbers were included in the dataset."
https://www.itsecuritynews.info/telstra-denies-scattered-spider-data-breach-claims-amid-ransom-threats/
- AI Girlfriend Can’t Keep a Secret: App Leaks Intimate Conversations Of 400K+ Users
"Two AI character apps by the same developer, “Chattee Chat” and “GiMe Chat,” have exposed millions of intimate conversations, over 600K images, and other private data. Leaked purchase logs reveal that some users spend thousands of dollars on their AI girlfriends."
https://cybernews.com/security/ai-girlfriend-app-leak-exposes-400k-users/
https://www.malwarebytes.com/blog/news/2025/10/millions-of-very-private-chats-exposed-by-two-ai-companion-apps
- Houston Suburb Says Some Online Services Taken Down By Cyberattack
"Officials in Sugar Land, Texas, said a cyberattack has impacted several online services after they reported technology outages on Thursday morning. The city published notices on social media and on its website saying it experienced a “cyber-event” and is working with state and federal law enforcement to investigate a breach of internal network infrastructure. “Critical infrastructure systems remain operational. Some online services, such as bill pay are impacted,” the city said, noting that police, fire and medical services are still available at 911."
https://therecord.media/houston-suburb-cyberattack-services
- UK Techies' Union Warns Members After Breach Exposes Sensitive Personal Details
"UK trade union Prospect is notifying members of a breach that involved data such as sexual orientation and disabilities. According to disclosure emails seen by The Register sent to union members who work as scientists, engineers, techies, and managers, the attack took place in June, yet members were only notified this week. Members include professionals working at organizations such as BT Group, the Met Office, BAE Systems, Rolls Royce, Siemens, Jacobs, the Ministry of Defence, the National Trust, and many more."
https://www.theregister.com/2025/10/10/prospect_union_breach/
- From Sizzle To Drizzle To Fizzle: The Massive Data Leak That Wasn’t (1)
"After days of endlessly urging Salesforce or companies to pay them so that their data would not be leaked, the deadline for Salesforce to pay came and went. And as it went, ScatteredLAPSUS$Hunters leaked data from six of the 39 companies listed on its dark web leak site. But that’s where the massive leak that many people stayed up late to watch ended."
https://databreaches.net/2025/10/12/from-sizzle-to-drizzle-to-fizzle-the-massive-data-leak-that-wasnt/
- Clop Ransomware Group Claims The Hack Of Harvard University
"The Clop Ransomware group announced the hack of the prestigious Harvard University. The cybercrime group created a page for the university on its Tor data leak site and announced it will leak the stolen data soon. “PAGE CREATED, DATA ARCHIVING IS IN PROGRESS… A TORRENT LINK WILL BE AVAILABLE SOON … !!!” reads the announcement on its leak site. “The company doesn’t care about its customers, it ignored their security!!!”"
https://securityaffairs.com/183282/cyber-crime/clop-ransomware-group-claims-the-hack-of-harvard-university.html
General News
- Apple Now Offers $2 Million For Zero-Click RCE Vulnerabilities
"Apple is announcing a major expansion and redesign of its bug bounty program, doubling maximum payouts, adding new research categories, and introducing a more transparent reward structure. Since the program launched in 2020, Apple has awarded $35 million to 800 security researchers, the company paying $500,000 for some of the submitted reports. The highest reward has been doubled to $2 million, for reporting vulnerabilities that can lead to zero-click (no user interaction) remote compromise, similar to mercenary spyware attacks. However, payouts can go as high as $5 million through the bonus system."
https://www.bleepingcomputer.com/news/security/apple-now-offers-2-million-for-zero-click-rce-vulnerabilities/
https://www.securityweek.com/apple-bug-bounty-update-top-payout-now-2-million-35-million-paid-to-date/
https://securityaffairs.com/183235/security/apple-doubles-maximum-bug-bounty-to-2m-for-zero-click-rces.html
https://www.helpnetsecurity.com/2025/10/10/apple-bug-bounty-rewards-zero-click/
- The Fight Against Ransomware Heats Up On The Factory Floor
"Ransomware groups come and go, but one constant is that manufacturing remains a top target. The ransomware landscape is ever-evolving. New groups emerge and old ones dismantle or rebrand. Ransomware-as-a-service (RaaS) launched and lowered the barrier to entry. Even the name "ransomware" doesn't always apply now, as some groups rely solely on data extortion threats over encryption, to pressure victims into paying. And of course, attackers are increasingly using artificial intelligence (AI)."
https://www.darkreading.com/ics-ot-security/ransomware-manufacturing-an-escalating-battle
https://content.blackkite.com/ebook/manufacturing-tprm-report-2025/
- Don’t Breathe That Sigh Of Relief Just Yet: BreachForums Is Gone, But The Salesforce Leak Site Isn’t
"As everyone expected, it was only a matter of time before the most recent version of BreachForums was seized, and last night, it happened. This time, though, there is no announcement from ShinyHunters about rebuilding the forum and making it stronger and better than ever. To the contrary, ShinyHunters says they are done with the forum. In response to the seizure of BreachForums last night, ShinyHunters posted a statement:"
https://databreaches.net/2025/10/10/dont-breathe-that-sigh-of-relief-just-yet-breachforums-is-gone-but-a-leak-site-isnt/
- Your SOC Is Tired, AI Isn’t
"Security teams have discussed AI in the SOC for years, but solid evidence of its impact has been limited. A recent benchmark study by Dropzone puts measurable evidence behind the idea, showing that AI agents can help analysts work faster and with greater accuracy during alert investigations, without major changes to existing workflows. Researchers measured how 148 security professionals performed under two conditions: using AI assistance or investigating manually."
https://www.helpnetsecurity.com/2025/10/10/dropzone-report-soc-analysts-using-ai/
- Your Passwords Don’t Need So Many Fiddly Characters, NIST Says
"It’s once again time to change your passwords, but if one government agency has its way, this might be the very last time you do it. After nearly four years of work to update and modernize its guidance for how companies, organizations, and businesses should protect their systems and their employees, the US National Institute of Standards and Technology has released its latest guidelines for password creation, and it comes with some serious changes."
https://www.malwarebytes.com/blog/news/2025/10/your-passwords-dont-need-so-many-fiddly-characters-nist-says
https://pages.nist.gov/800-63-4/sp800-63b.html
- Group-IB Intelligence Powers Spanish Guardia Civil Operation To Dismantle The “GXC Team” Cybercrime Syndicate
"Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, announced today its contribution to the Spanish Guardia Civil-led operation that led to the dismantling of one of the country’s most active cybercrime networks. The operation resulted in the arrest of a 25-year-old Brazilian national known as “GoogleXcoder,” the mastermind behind the “GXC Team” – a threat actor known to operate a Crime-as-a-Service (CaaS) ecosystem providing AI-powered phishing kits and Android malware to cybercriminals targeting banks, transportation, and eCommerce in Spain, Slovakia, the UK, US, and Brazil. Besides the mastermind, the criminals who were running attacks with these tools were also identified and apprehended by Guardia Civil."
https://www.group-ib.com/media-center/press-releases/guardia-civil-gxc-team-takedown/
https://www.bleepingcomputer.com/news/security/spain-dismantles-gxc-team-cybercrime-syndicate-arrests-leader/
https://securityaffairs.com/183252/cyber-crime/cybercrime-ring-gxc-team-dismantled-in-spain-25-year-old-leader-detained.html
Reference
Electronic Transactions Development Agency (ETDA)