NCSA Webboard
    Cyber Threat Intelligence 06 November 2025

    Cyber Security News
    • NCSA_THAICERT

      Industrial Sector

      • Operational Technology Security Poses Inherent Risks For Manufacturers
        "From supply chain risks and breaches to employees' physical safety, the manufacturing industry is no stranger to operational technology (OT) security challenges. The good news? Experts say awareness has increased among manufacturers. But whether that will lead to improvements is difficult to say. OT controls the processes and equipment necessary for manufacturers. It's built to last, but that also means there's legacy technology — unsupported and difficult to update — on the factory floor. A lack of visibility around an overwhelming number of assets presents heightened concerns as well. And then comes the human factor."
        https://www.darkreading.com/ics-ot-security/operational-technology-security-poses-inherent-risks-for-manufacturers

      New Tooling

      • Decrypted: Midnight Ransomware
        "In the ever-evolving landscape of cyber threats, a new ransomware strain known as Midnight has emerged, echoing the notorious tactics of its predecessor, Babuk. First detected by Gen researchers, Midnight blends familiar ransomware mechanics with novel cryptographic modifications – some of which unintentionally open the door to file recovery. This blog dives into the technical anatomy of Midnight, its lineage from Babuk, and the critical indicators of infection. Most importantly, it offers a practical guide to decrypting affected files, empowering victims with a rare opportunity to reclaim their data without paying a ransom."
        https://www.gendigital.com/blog/insights/research/midnight-ransomware
        https://hackread.com/norton-midnight-ransomware-free-decryptor/
      • VulnRisk: Open-Source Vulnerability Risk Assessment Platform
        "VulnRisk is an open-source platform for vulnerability risk assessment. It goes beyond basic CVSS scoring by adding context-aware analysis that reduces noise and highlights what matters. The tool is free to use and designed for local development and testing. The platform’s scoring engine cuts up to 90 percent of noise by applying contextual factors such as exploit likelihood and asset importance. Every score comes with a full calculation breakdown, so users can see exactly how each risk level is determined. VulnRisk’s transparent methodology makes it easier for teams to trust the results and adjust their security priorities."
        https://www.helpnetsecurity.com/2025/11/05/vulnrisk-open-source-vulnerability-risk-assessment-platform/
        https://github.com/GurkhaShieldForce/VulnRisk_Public

      Vulnerabilities

      • PromptJacking: The Critical RCEs In Claude Desktop That Turn Questions Into Exploits
        "Hi again. This is a reminder that while we often write about malicious extensions from unknown developers, or large scale supply chain compromises, sometimes, even the most trusted developers can make mistakes that may wreak havoc on your enterprise... We’ve identified severe RCE vulnerabilities in three extensions that were written, published, and promoted by Anthropic themselves - the Chrome, iMessage, and Apple Notes connectors, and are sitting at the very top of Claude Desktop's extension marketplace."
        https://www.koi.ai/blog/promptjacking-the-critical-rce-in-claude-desktop-that-turn-questions-into-exploits
        https://www.infosecurity-magazine.com/news/claude-desktop-extensions-prompt/
      • AMD Red-Faced Over Random-Number Bug That Kills Cryptographic Security
        "AMD will issue a microcode patch for a high-severity vulnerability that could weaken cryptographic keys across Epyc and Ryzen CPUs. The flaw, tracked as CVE-2025-62626 (7.2), affects Zen 5 chips with the 16-bit and 32-bit instruction variants. The bug involves RDSEED, a function that generates high-quality random numbers used by security keys. RDSEED provides the true entropy that's required by apps generating high-strength cryptographic keys."
        https://www.theregister.com/2025/11/05/amd_promises_to_fix_chips/

      Malware

      • Gootloader Is Back (Back Again)
        "Before I start, I have to give credit where it’s due. A major shout-out to RussianPanda and the team at Huntress for catching this new Gootloader campaign in the wild. As the title suggests — yes, Gootloader is back. Back again. I was (like many others) hoping that after the disruptions my April blog caused, they’d finally hang up their hats and retire. But here we are. For over five years, the threat actor behind Gootloader has been using legal-themed bait — terms like “contract”, “form” and “agreement” — to draw victims into their traps. (There was that brief detour into PDF converters.)"
        https://gootloader.wordpress.com/2025/11/05/gootloader-is-back-back-again/
        https://www.bleepingcomputer.com/news/security/gootloader-malware-is-back-with-new-tricks-after-7-month-break/
      • International Threats – Infection URLs Used In Regional Phishing Campaigns
        "Cofense Intelligence relies on over 35 million trained employees from around the world, and a considerable number of analyzed campaigns are written in languages other than English. This report focuses on the URLs embedded in emails that bypassed email security controls like secure email gateways (SEGs) to deliver malware. The URLs that are the focus of this report are commonly referred to as “infection URLs” as they are the source for an infection by malware. Infection URLs, especially the services hosting them, are important as they represent the first step in a chain of events that can be broken with proper preparations and tools. This report is part of a series of reports covering different trends in phishing campaigns that are delivered by the top five non-English languages that Cofense sees. Other topics include the malware families and delivery mechanisms seen in different languages, as well as the themes seen in various languages."
        https://cofense.com/blog/international-threats-infection-urls-used-in-regional-phishing-campaigns
      • Crossed Wires: a Case Study Of Iranian Espionage And Attribution
        "In June, Proofpoint Threat Research began investigating a benign email discussing economic uncertainty and domestic political unrest in Iran. While coinciding with the escalations in the Iran-Israel conflict, there was no indication that the observed activity was directly correlated with Israel’s attacks on Iranian nuclear facilities or Iran’s actions in response. Initial analysis of the activity found tactics, techniques, and procedures (TTP) overlaps with multiple Iranian-aligned groups, including TA455 (C5 Agent, Smoke Sandstorm), TA453 (Mint Sandstorm, Charming Kitten), and TA450 (MuddyWater, Mango Sandstorm). Given a lack of high-confidence links to any one established threat group, we designated the activity as a temporary cluster called UNK_SmudgedSerpent."
        https://www.proofpoint.com/us/blog/threat-insight/crossed-wires-case-study-iranian-espionage-and-attribution
        https://thehackernews.com/2025/11/mysterious-smudgedserpent-hackers.html
        https://www.darkreading.com/cyberattacks-data-breaches/iranian-apt-phishes-us-policy-wonks
        https://www.infosecurity-magazine.com/news/unksmudgedserpent-targets-academics/
      • Voice Of SecOps Spotlight: Tis The Season For Online Sales — And AI-Fueled Cyberattacks
        "With Black Friday, Cyber Monday, and peak holiday shopping just weeks away, retailers anticipate record-breaking sales volumes — paired with a sharp surge in cyber risk. The massive flow of sensitive data, cloud file transfers, and third-party integrations makes this the most dangerous time of year. Deep Instinct recently released the sixth edition of its Voice of SecOps Report, Cybersecurity & AI – Promises, Pitfalls, and Prevention Paradise, which sheds light on how leaders across seven industries, including the retail and eCommerce sector, are bracing for this challenge. The report reveals a clear warning: while AI is driving unprecedented productivity gains for retail security teams, it’s also exposing new vulnerabilities that legacy defenses can’t handle."
        https://www.deepinstinct.com/blog/voice-of-secops-spotlight-tis-the-season-for-online-sales-and-ai-fueled-cyberattacks
      • Ghosts In /proc: Manipulation And Timeline Corruption
        "In our previous blog, “Hiding in plain sight: Techniques and defenses against /proc filesystem manipulation in Linux” we explored techniques for concealing malicious processes from forensics triage tools. Forensic analysts often rely on the Linux virtual filesystem /proc to enumerate processes, reconstruct timelines, and attribute activity to specific executables. Utilities such as ps, top, and various triage scripts extract process metadata from files located under /proc//, including cmdline and stat. The integrity of these files is therefore critical to many incident response workflows."
        https://www.group-ib.com/blog/ghosts-in-proc/
      • HackedGPT: Novel AI Vulnerabilities Open The Door For Private Data Leakage
        "Tenable Research has discovered seven vulnerabilities and attack techniques in ChatGPT, including unique indirect prompt injections, exfiltration of personal user information, persistence, evasion, and bypass of safety mechanisms. Prompt injections are a weakness in how large language models (LLMs) process input data. An attacker can manipulate the LLM by injecting instructions into any data it ingests, which can cause the LLM to ignore the original instructions and perform unintended or malicious actions instead. Specifically, indirect prompt injection occurs when an LLM finds unexpected instructions in an external source, such as a document or website, rather than a direct prompt from the user."
        https://www.tenable.com/blog/hackedgpt-novel-ai-vulnerabilities-open-the-door-for-private-data-leakage
        https://thehackernews.com/2025/11/researchers-find-chatgpt.html
      • PHP Cryptomining Campaign: October/November 2025
        "From August through October 2025, we observed (GreyNoise Visualizer) a clear ramp-up in exploitation attempts against PHP and PHP-based frameworks as actors push to deploy cryptominers. The query below captures a range of attempts (ThinkPHP, PHP CGI, PHPUnit, the recent PHP CVE-2024-4577, etc.), and the telemetry shows seven distinct attack patterns that move in parallel: steady in August–September, then spiking into October and November."
        https://www.greynoise.io/blog/php-cryptomining-campaign

      Breaches/Hacks/Leaks

      • Hyundai AutoEver America Data Breach Exposes SSNs, Drivers Licenses
        "Hyundai AutoEver America is notifying individuals that hackers breached the company's IT environment and gained access to personal information. The company discovered the intrusion on March 1 but the investigation revealed that the attacker had access to the systems since February 22nd. Hyundai AutoEver America (HAEA) is an affiliate of Hyundai Motor Group that provides IT consulting, managed services, and helpdesk support for the entire lifecycle of automotive IT from production to retirement."
        https://www.bleepingcomputer.com/news/security/hyundai-autoever-america-data-breach-exposes-ssns-drivers-licenses/
      • SonicWall Says State-Sponsored Hackers Behind September Security Breach
        "SonicWall's investigation into the September security breach that exposed customers' firewall configuration backup files concludes that state-sponsored hackers were behind the attack. The network security company says that incident responders from Mandiant confirmed that the malicious activity had no impact on SonicWall's products, firmware, systems, tools, source code, or customer networks. “The Mandiant investigation is now complete. Their findings confirm that the malicious activity – carried out by a state-sponsored threat actor - was isolated to the unauthorized access of cloud backup files from a specific cloud environment using an API call,” SonicWall states."
        https://www.bleepingcomputer.com/news/security/sonicwall-says-state-sponsored-hackers-behind-security-breach-in-september/
        https://www.sonicwall.com/blog/cloud-backup-security-incident-investigation-complete-and-strengthened-cyber-resilience
        https://securityaffairs.com/184258/security/sonicwall-blames-state-sponsored-hackers-for-september-security-breach.html

      General News

      • GTIG AI Threat Tracker: Advances In Threat Actor Usage Of AI Tools
        "Based on recent analysis of the broader threat landscape, Google Threat Intelligence Group (GTIG) has identified a shift that occurred within the last year: adversaries are no longer leveraging artificial intelligence (AI) just for productivity gains, they are deploying novel AI-enabled malware in active operations. This marks a new operational phase of AI abuse, involving tools that dynamically alter behavior mid-execution. This report serves as an update to our January 2025 analysis, "Adversarial Misuse of Generative AI," and details how government-backed threat actors and cyber criminals are integrating and experimenting with AI across the industry throughout the entire attack lifecycle. Our findings are based on the broader threat landscape."
        https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools
        https://www.bleepingcomputer.com/news/security/google-warns-of-new-ai-powered-malware-families-deployed-in-the-wild/
        https://thehackernews.com/2025/11/google-uncovers-promptflux-malware-that.html
        https://therecord.media/new-malware-uses-ai-to-adapt
        https://www.bankinfosecurity.com/malware-developers-test-ai-for-adaptive-code-generation-a-29932
        https://www.securityweek.com/malware-now-uses-ai-during-execution-to-mutate-and-collect-data-google-warns/
        https://www.helpnetsecurity.com/2025/11/05/malware-using-llms/
        https://www.theregister.com/2025/11/05/attackers_experiment_with_gemini_ai/
      • Operation Chargeback: 4.3 Million Cardholders Affected, EUR 300 Million In Damages
        "On 4 November 2025, an international coordinated action day targeted three major fraud and money laundering networks as part of Operation “Chargeback.” Led by the Cybercrime Department (Landeszentralstelle Cybercrime) of the General Prosecutor's Office (Generalstaatsanwaltschaft) in Koblenz, Germany, and the German Federal Criminal Police Office (Bundeskriminalamt), the operation has been investigating these networks since December 2020. More than 60 house searches were conducted and a total of 18 arrest warrants executed. The criminal networks are suspected of misusing credit card data from over 4.3 million cardholders across 193 countries. In total, the estimated damage from the fraud scheme exceeds EUR 300 million, with attempted damages amounting to over EUR 750 million."
        https://www.europol.europa.eu/media-press/newsroom/news/operation-chargeback-43-million-cardholders-affected-eur-300-million-in-damages
        https://www.eurojust.europa.eu/news/eurojust-coordinates-major-operation-against-eur-300-million-global-credit-card-fraud-18
        https://www.bleepingcomputer.com/news/security/europol-credit-card-fraud-rings-stole-eur-300-million-from-43-million-cardholders/
        https://therecord.media/europe-police-bust-global-fraud-ring-payment-firms
        https://www.bankinfosecurity.com/cops-cuff-18-suspects-over-345m-credit-card-fraud-scheme-a-29935
        https://www.infosecurity-magazine.com/news/operation-chargeback-uncovers/
        https://www.helpnetsecurity.com/2025/11/05/global-credit-card-fraud-arrests/
      • Closing The AI Execution Gap In Cybersecurity — A CISO Framework
        "Artificial intelligence (AI) is a present-day reality reshaping the cybersecurity landscape. For chief information security officers (CISOs), the integration of AI into security frameworks is a double-edged sword. AI promises enhanced efficiency, predictive capabilities, and automation for internal security teams. Simultaneously, it also endows bad actors with new tools to exploit vulnerabilities across complex ICT supply chains."
        https://www.darkreading.com/cybersecurity-operations/closing-ai-execution-gap-cybersecurity-ciso-framework
      • Risk 'Comparable' To SolarWinds Incident Lurks In Popular Software Update Tool
        "Researchers have discovered a supply chain risk in a popular installer authoring tool, which they've described as potentially leading to cyberattacks "comparable in scope to supply chain incidents like SolarWinds." Its developers, however, say it's working as intended. The tool, Advanced Installer, is used for building application installers. After developing their software, vendors turn to it to bundle all the many files, dependencies, drivers, configurations, and so on that allow their software to install smoothly on customers' systems."
        https://www.darkreading.com/application-security/risk-solarwinds-popular-software-tool-update
      • Threat Spotlight: How Automation, Customization, And Tooling Signal Next Ransomware Front Runners
        "In the competitive ransomware-as-a-service (RaaS) ecosystem, a group’s success—defined here as victim count on its data-leak site—depends on the sophistication of its platform and its unique offerings. Such bespoke platforms attract the most skilled affiliates, who can often bypass stronger defenses to compromise higher-revenue organizations, increasing the likelihood of a successful extortion payment."
        https://reliaquest.com/blog/threat-spotlight-how-automation-customization-and-tooling-signal-ransomware
        https://www.darkreading.com/cyberattacks-data-breaches/inside-the-playbook-of-ransomware-s-most-profitable-players
      • Credentials And Misconfigurations Behind Most Cloud Breaches, Says AWS
        "Businesses are rapidly moving into the public cloud, a change confirmed by the “Building Cloud Trust” report from Amazon Web Services (AWS) and UK-based research firm Vanson Bourne. This report is based on a survey of 2,800 technology and security firms across 13 countries conducted during September and October. The findings show that while the public cloud is now central to how organisations operate, given its agility, they are simultaneously facing unexpected threats that demand continuous caution."
        https://hackread.com/aws-credentials-misconfigurations-cloud-breaches/
        https://d1.awsstatic.com/onedam/marketing-channels/website/aws/en_US/whitepapers/compliance/Cloud_Trust_Report.pdf
      • PortGPT: How Researchers Taught An AI To Backport Security Patches Automatically
        "Keeping older software versions secure often means backporting patches from newer releases. It is a routine but tedious job, especially for large open-source projects such as the Linux kernel. A new research effort has built a tool that uses a large language model to do that work automatically. A team of researchers from China, the United States, and Canada created PortGPT, an AI system designed to automate the process of migrating security patches from mainline branches to older versions of software. They describe their method as an attempt to replicate the reasoning steps that developers use when they manually adapt patches."
        https://www.helpnetsecurity.com/2025/11/05/portgpt-ai-backport-security-patches-automatically/
      • AI Can Flag The Risk, But Only Humans Can Close The Loop
        "In this Help Net Security interview, Dilek Çilingir, Global Forensic & Integrity Services Leader at EY, discusses how AI is transforming third-party assessments and due diligence. She explains how machine learning and behavioral analytics help organizations detect risks earlier, improve compliance, and strengthen accountability. As oversight grows, Çilingir explains why human judgment still matters in every AI-supported decision."
        https://www.helpnetsecurity.com/2025/11/05/dilek-cilingir-ey-ai-third-party-assessments/

      References
      Electronic Transactions Development Agency (ETDA)
