NCSA Webboard

    Cyber Threat Intelligence 09 July 2025

    Cyber Security News
    • NCSA_THAICERT

      Industrial Sector

      • Emerson ValveLink Products
        "Successful exploitation of these vulnerabilities could allow an attacker with access to the system to read sensitive information stored in cleartext, tamper with parameters, and run unauthorized code."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-189-01

      Vulnerabilities

      • Adobe Patches Critical Code Execution Bugs
        "Adobe on Tuesday announced the rollout of security fixes for 58 vulnerabilities across 13 products, including three critical-severity flaws in Adobe Connect, ColdFusion, and Experience Manager Forms (AEM Forms) on JEE. The most severe of these bugs is CVE-2025-49533 (CVSS score of 9.8), a deserialization of untrusted data in AEM Forms on JEE that could lead to arbitrary code execution. Although it says it is not aware of any exploits in the wild targeting the security defect, Adobe marked the patch as priority 1, urging users to update to AEM Forms on JEE version 6.5.0.0.20250527.0."
        https://www.securityweek.com/adobe-patches-critical-code-execution-bugs/
      • SAP Patches Critical Flaws That Could Allow Remote Code Execution, Full System Takeover
        "Enterprise software maker SAP on Tuesday announced the release of 27 new and four updated security notes as part of its July 2025 Security Patch Day, including six that address critical vulnerabilities. At the top of the list is an update for a note released in May, which addresses five security defects in its Supplier Relationship Management (SRM). SAP initially marked the note as high-priority, based on the severity score of the most important of these bugs. Now, it has updated the rating to ‘critical’, upon learning that the impact of one of these issues is much higher than initially determined."
        https://www.securityweek.com/sap-patches-critical-flaws-that-could-allow-remote-code-execution-full-system-takeover/
      • Microsoft July 2025 Patch Tuesday Fixes One Zero-Day, 137 Flaws
        "Today is Microsoft's July 2025 Patch Tuesday, which includes security updates for 137 flaws, including one publicly disclosed zero-day vulnerability in Microsoft SQL Server. This Patch Tuesday also fixes fourteen "Critical" vulnerabilities, ten of which are remote code execution vulnerabilities, one is an information disclosure, and two are AMD side channel attack flaws."
        https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2025-patch-tuesday-fixes-one-zero-day-137-flaws/
        https://www.darkreading.com/application-security/microsoft-patches-137-cves-no-zero-days
        https://blog.talosintelligence.com/microsoft-patch-tuesday-july-2025/
        https://cyberscoop.com/microsoft-patch-tuesday-july-2025/
        https://www.securityweek.com/microsoft-patches-130-vulnerabilities-for-july-2025-patch-tuesday/
        https://securityaffairs.com/179738/security/microsoft-patch-tuesday-security-updates-for-july-2025-fixed-a-zero-day.html
        https://www.theregister.com/2025/07/08/microsoft_patch_tuesday/

      Malware

      • New Android TapTrap Attack Fools Users With Invisible UI Trick
        "A novel tapjacking technique can exploit user interface animations to bypass Android's permission system and allow access to sensitive data or trick users into performing destructive actions, such as wiping the device. Unlike traditional, overlay-based tapjacking, TapTrap attacks work even with zero-permission apps to launch a harmless transparent activity on top of a malicious one, a behavior that remains unmitigated in Android 15 and 16. TapTrap was developed by a team of security researchers at TU Wien and the University of Bayreuth (Philipp Beer, Marco Squarcina, Sebastian Roth, Martina Lindorfer), and will be presented next month at the USENIX Security Symposium."
        https://www.bleepingcomputer.com/news/security/new-android-taptrap-attack-fools-users-with-invisible-ui-trick/
        https://taptrap.click/usenix25_taptrap_paper.pdf
      • Anatsa Targets North America; Uses Proven Mobile Campaign Process
        "ThreatFabric researchers have identified a new campaign involving the Anatsa Android banking trojan, which is now targeting users in North America. This marks at least the third instance of Anatsa focusing its operations on mobile banking customers in the United States and Canada. As with previous campaigns, Anatsa is being distributed via the official Google Play Store."
        https://www.threatfabric.com/blogs/anatsa-targets-north-america-uses-proven-mobile-campaign-process
        https://thehackernews.com/2025/07/anatsa-android-banking-trojan-hits.html
        https://www.bleepingcomputer.com/news/security/android-malware-anatsa-infiltrates-google-play-to-target-us-banks/
        https://therecord.media/anatsa-android-banking-malware-returns-north-america
      • How a Hybrid Mesh Architecture Disrupts The Attack Chain (Part Two)
        "In Part 1 we covered the basics and how a fragmented approach can have a higher MTTD and MTTR. In part two we highlight five critical ways a hybrid mesh approach uniquely disrupts the ransomware lifecycle."
        https://blog.checkpoint.com/security/how-a-hybrid-mesh-architecture-disrupts-the-attack-chain-part-two/
      • CoinMiner Attacks Exploiting GeoServer Vulnerability
        "AhnLab SEcurity intelligence Center (ASEC) has confirmed that the unpatched GeoServer is still under continuous attack. Threat actors are scanning for vulnerable GeoServer and installing CoinMiner. ASEC has also identified cases of infection in South Korea."
        https://asec.ahnlab.com/en/88917/
      • Phishing Attack: Deploying Malware On Indian Defense BOSS Linux
        "CYFIRMA has identified a sophisticated cyber-espionage campaign orchestrated by APT36 (also known as Transparent Tribe), a threat actor based in Pakistan. This campaign specifically targets personnel within the Indian defense sector. In a notable shift from previous methodologies, APT36 has adapted its tactics to focus on Linux-based environments, with a particular emphasis on systems running BOSS Linux, a distribution extensively utilized by Indian government agencies."
        https://www.cyfirma.com/research/phishing-attack-deploying-malware-on-indian-defense-boss-linux/
        https://hackread.com/pakistan-transparent-tribe-indian-defence-linux-malware/
      • Approach To Mainframe Penetration Testing On z/OS. Deep Dive Into RACF
        "In our previous article we dissected penetration testing techniques for IBM z/OS mainframes protected by the Resource Access Control Facility (RACF) security package. In this second part of our research, we delve deeper into RACF by examining its decision-making logic, database structure, and the interactions between the various entities in this subsystem. To facilitate offline analysis of the RACF database, we have developed our own utility, racfudit, which we will use to perform possible checks and evaluate RACF configuration security. As part of this research, we also outline the relationships between RACF entities (users, resources, and data sets) to identify potential privilege escalation paths for z/OS users."
        https://securelist.com/zos-mainframe-pentesting-resource-access-control-facility/116873/
      • Malicious Pull Request Infects VS Code Extension
        "In the last few months, ReversingLabs (RL) researchers have encountered multiple malicious packages that target cryptocurrency users and developers. In May, RL researcher Karlo Zanki wrote a blog about malicious PyPI packages that target developers in the Solana ecosystem. Another RL researcher, Lucija Valentić, wrote about malicious npm packages that steal crypto funds from wallets by injecting code into local, legitimate packages. Those are notable incidents."
        https://www.reversinglabs.com/blog/malicious-pull-request-infects-vscode-extension
        https://thehackernews.com/2025/07/malicious-pull-request-infects-6000.html
      • BaitTrap: Over 17,000 Fake News Websites Caught Fueling Investment Fraud Globally
        "A newly released report by cybersecurity firm CTM360 reveals a large-scale scam operation utilizing fake news websites—known as Baiting News Sites (BNS)—to deceive users into online investment fraud across 50 countries. These BNS pages are made to look like real news outlets: CNN, BBC, CNBC, or regional media. They publish fake stories that feature public figures, central banks, or financial brands, all claiming to back new ways to earn passive income. The goal? Build trust quickly and steer readers toward professional-looking scam platforms like Trap10, Solara Vynex, or Eclipse Earn."
        https://thehackernews.com/2025/07/baittrap-over-17000-fake-news-websites.html
        https://www.ctm360.com/reports/baittrap-rise-of-baiting-news-sites
      • GoldMelody’s Hidden Chords: Initial Access Broker In-Memory IIS Modules Revealed
        "Unit 42 researchers uncovered a campaign by an initial access broker (IAB) to exploit leaked Machine Keys — cryptographic keys used on ASP.NET sites — to gain access to targeted organizations. IABs breach organizations and then sell that access to other threat actors. This report analyzes the tools used in these attacks. We track this actor as the temporary group TGR-CRI-0045. The group seems to follow an opportunistic approach but has attacked organizations in Europe and the U.S. in the following industries: financial services, manufacturing, wholesale and retail, high technology, and transportation and logistics."
        https://unit42.paloaltonetworks.com/initial-access-broker-exploits-leaked-machine-keys/

      Breaches/Hacks/Leaks

      • M&S Confirms Social Engineering Led To Massive Ransomware Attack
        "M&S confirmed today that the retail outlet's network was initially breached in a "sophisticated impersonation attack" that ultimately led to a DragonForce ransomware attack. M&S chairman Archie Norman revealed this in a hearing with the UK Parliament's Business and Trade Sub-Committee on Economic Security regarding the recent attacks on the retail sector in the country. While Norman did not go into details, he stated that the threat actors impersonated one of the 50,000 people working with the company to trick a third-party entity into resetting an employee's password."
        https://www.bleepingcomputer.com/news/security/mands-confirms-social-engineering-led-to-massive-ransomware-attack/
      • State Secrets For Sale: More Leaks From The Chinese Hack-For-Hire Industry
        "In late May, two particularly interesting Chinese datasets appeared for sale in posts on DarkForums, an English-language data breach and leak forum that has become popular since BreachForums went dark in mid-April. These two posts, which we’re calling the VenusTech Data Leak and the Salt Typhoon Data Leak, had some interesting similarities."
        https://spycloud.com/blog/state-secrets-for-sale-chinese-hacking/
        https://www.bankinfosecurity.com/chinese-data-leak-reveals-salt-typhoon-contractors-a-28919

      General News

      • Exposure Management Is The Answer To: “Am I Working On The Right Things?”
        "In this Help Net Security interview, Dan DeCloss, Founder and CTO at PlexTrac, discusses the role of exposure management in cybersecurity and how it helps organizations gain visibility into their attack surface to improve risk assessment and prioritization. He also explains how PlexTrac’s platform streamlines the reporting process and enables teams to collaborate more effectively to speed up remediation. DeCloss looks forward to widespread adoption of Continuous Threat Exposure Management, believing it will help close the gap on unidentified vulnerabilities through continuous, contextual, and risk-informed security programs."
        https://www.helpnetsecurity.com/2025/07/08/dan-decloss-plextrac-exposure-management-strategy/
      • Cyberattacks Are Changing The Game For Major Sports Events
        "Sports fans and cybercriminals both look forward to major sporting events, but for very different reasons. Fake ticket sites, stolen login details, and DDoS attacks are common ways criminals try to make money or disrupt an event. Events like the FIFA World Cup, the Olympics, and major sports leagues pull in millions of viewers. The 2026 FIFA World Cup is expected to draw over 5.5 million fans in person, with 6 billion more engaging worldwide with the newly expanded 48-team tournament, generating massive online traffic across platforms such as ticketing, betting, streaming, and merchandise sales."
        https://www.helpnetsecurity.com/2025/07/08/sport-events-cybercrime/
      • CISOs Urged To Fix API Risk Before Regulation Forces Their Hand
        "Most organizations are exposing sensitive data through APIs without security controls in place, and they may not even realize it, according to Raidiam. Their report, API Security at a Turning Point, draws on a detailed assessment of 68 organizations across industries. It deliberately excludes regulated environments like UK Open Banking, where advanced security is mandated. The goal was to understand how typical businesses, those without regulatory pressure, are protecting their APIs. The results aren’t encouraging."
        https://www.helpnetsecurity.com/2025/07/08/report-enterprise-api-security-risks/
      • Combolists And ULP Files On The Dark Web: A Secondary And Unreliable Source Of Information About Compromises
        "Combolists and URL-Login-Password (ULP) files have existed since the earliest user data leaks. These files offer a convenient format for storing and distributing compromised credentials — typically just a username (or email) and password — where all “unnecessary” information is removed. Its simplicity makes them ideal tools for cybercriminals launching attacks such as credential stuffing, phishing, and other forms of account-based exploitation. With the advent of modern infostealers, stealing login credentials has become easier and more automated than ever. At the same time, distributing stolen data has been simplified through platforms like dark web forums, file-sharing services, and Telegram channels."
        https://www.group-ib.com/blog/combolists-ulp-darkweb/
      • Sanctions Imposed On DPRK IT Workers Generating Revenue For The Kim Regime
        "Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Song Kum Hyok (Song), a malicious cyber actor associated with the sanctioned Democratic People’s Republic of Korea (DPRK) Reconnaissance General Bureau (RGB) hacking group Andariel. Song facilitated an information technology (IT) worker scheme in which individuals, often DPRK nationals working from countries such as China and Russia, were recruited and provided with falsified identities and nationalities to obtain employment at unwitting companies to generate revenue for the DPRK regime. In some cases, these DPRK IT workers have been known to introduce malware into company networks for additional exploitation. OFAC is also sanctioning one individual and four entities involved in a Russia-based IT worker scheme that has generated revenue for the DPRK."
        https://home.treasury.gov/news/press-releases/sb0190
        https://therecord.media/north-korea-it-worker-scheme-us-sanctions-song-kum-hyok
        https://cyberscoop.com/treasury-slaps-sanctions-on-people-companies-tied-to-north-korean-it-worker-schemes/
      • Open Source Malware Index Q2 2025: Data Exfiltration Remains a Leading Threat
        "In the second quarter of 2025, Sonatype uncovered 16,279 pieces of open source malware, bringing the total number of malicious packages identified by our automated detection systems to 845,204 and counting. Once again, data exfiltration emerged as the dominant tactic, reinforcing a persistent and growing trend in software supply chain attacks targeting developers and CI/CD environments."
        https://www.sonatype.com/blog/open-source-malware-index-q2-2025
        https://www.darkreading.com/application-security/malicious-open-source-packages-spike
        https://www.infosecurity-magazine.com/news/malicious-open-source-surge-188/
      • 4 Critical Steps In Advance Of 47-Day SSL/TLS Certificates
        "The CA/Browser Forum's decision to reduce SSL/TLS certificate lifespans to just 47 days by 2029 is set to fundamentally change how organizations manage digital trust. While the full impact will unfold over several years, the transition begins much sooner, with certificate validity dropping to 200 days in less than a year (March 2026). This accelerated timeline means IT teams have a small window of time to prepare for these sweeping changes. To navigate this shift successfully and avoid operational disruptions, organizations must focus on a few key steps over the next 100 days."
        https://www.darkreading.com/cyberattacks-data-breaches/critical-steps-advance-ssl-tls-certificates
      • Iranian Ransomware Group Offers Bigger Payouts For Attacks On Israel, US
        "An Iranian ransomware gang has ramped up operations amid heightened tensions in the Middle East, offering larger profit shares to affiliates who carry out cyberattacks against Israel and the U.S., researchers said. The group, known as Pay2Key.I2P, is believed to be a successor to the original Pay2Key operation, which has been linked to Iran’s state-backed Fox Kitten hacking group. Fox Kitten has previously carried out cyber-espionage campaigns targeting Israeli and U.S. organizations. According to a new report from cybersecurity firm Morphisec, Pay2Key.I2P has adopted a ransomware-as-a-service model and claims to have collected more than $4 million in payments over the past four months."
        https://therecord.media/iran-ransomware-group-pay2keyi2p-israel-us-targets
        https://engage.morphisec.com/hubfs/Pay2Key_Iranian_Cyber_Warfare_Targets_the_West_Whitepaper.pdf
      • June 2025 Trends Report On Phishing Emails
        "This report provides the distribution quantity, statistics, trends, and case information on phishing emails and email threats collected and analyzed for one month in June 2025. The following are some statistics and cases included in the original report."
        https://asec.ahnlab.com/en/88919/
      • Statistics Report On Malware Targeting Windows Database Servers In Q2 2025
        "The AhnLab SEcurity intelligence Center (ASEC) analysis team is responding to and categorizing attacks targeting MS-SQL and MySQL servers installed on Windows operating systems using the AhnLab Smart Defense (ASD) infrastructure. This post covers the damage and statistics of attacks that occurred on MS-SQL and MySQL servers in the second quarter of 2025 based on the logs. It also classifies the malware used in each attack and provides detailed statistics."
        https://asec.ahnlab.com/en/88920/
      • Statistics Report On Malware Targeting Windows Web Servers In Q2 2025
        "AhnLab SEcurity intelligence Center (ASEC) is responding to and categorizing attacks targeting poorly managed Windows web servers by utilizing their AhnLab Smart Defense (ASD) infrastructure. This post will cover the damage status of Windows web servers that have become attack targets and the statistics of attacks launched against these servers, based on the logs identified in the second quarter of 2025. It will also provide detailed statistics by categorizing the malware strains used in each attack."
        https://asec.ahnlab.com/en/88925/
      • Statistics Report On Malware Targeting Linux SSH Servers In Q2 2025
        "AhnLab SEcurity intelligence Center (ASEC) is using a honeypot to respond to and categorize brute-force and dictionary attacks that target poorly managed Linux SSH servers. This post covers the status of the attack sources identified in logs from the second quarter of 2025 and the statistics of attacks performed by these sources. It also classifies the malware used in each attack and provides detailed statistics."
        https://asec.ahnlab.com/en/88927/

      Reference
      Electronic Transactions Development Agency (ETDA)
