Cyber Threat Intelligence 14 August 2025
Industrial Sector
- ICS Patch Tuesday: Major Vendors Address Code Execution Vulnerabilities
"August 2025 Patch Tuesday advisories have been published by several major companies offering industrial control system (ICS) and other operational technology (OT) solutions. Siemens has published 22 new advisories. One of them is for CVE-2025-40746, a critical Simatic RTLS Locating Manager issue that can be exploited by an authenticated attacker for code execution with System privileges. The company has also published advisories covering high-severity vulnerabilities in Comos (code execution), Siemens Engineering Platforms (code execution), Simcenter (crash or code execution), Sinumerik controllers (unauthorized remote access), Ruggedcom (authentication bypass with physical access), Simatic (code execution), Siprotect (DoS), and Opcenter Quality (unauthorized access)."
https://www.securityweek.com/ics-patch-tuesday-major-vendors-address-code-execution-vulnerabilities/
- CISA And Partners Release Asset Inventory Guidance For Operational Technology Owners And Operators
"CISA, along with the National Security Agency, the Federal Bureau of Investigation, Environmental Protection Agency, and several international partners, released comprehensive guidance to help operational technology (OT) owners and operators across all critical infrastructure sectors create and maintain OT asset inventories and supplemental taxonomies. An asset inventory is a regularly updated, structured list of an organization's systems, hardware, and software. It includes a categorization system—a taxonomy—that classifies assets based on their importance and function. This guidance explains how OT owners and operators can create, maintain, and use asset inventories and taxonomies to identify and safeguard their critical assets."
https://www.cisa.gov/news-events/alerts/2025/08/13/cisa-and-partners-release-asset-inventory-guidance-operational-technology-owners-and-operators
https://www.cisa.gov/resources-tools/resources/foundations-ot-cybersecurity-asset-inventory-guidance-owners-and-operators
https://www.cisa.gov/sites/default/files/2025-08/joint-guide-foundations-for-OT-cybersecurity-asset-inventory-guidance_508c.pdf
Vulnerabilities
- Fortinet Warns Of FortiSIEM Pre-Auth RCE Flaw With Exploit In The Wild
"Fortinet is warning about a remote unauthenticated command injection flaw in FortiSIEM that has in-the-wild exploit code, making it critical for admins to apply the latest security updates. FortiSIEM is a central security monitoring and analytics system used for logging, network telemetry, and security incident alerts, serving as an integral part of security operation centers, where it's an essential tool in the hands of IT ops teams and analysts. The product is generally used by governments, large enterprises, financial institutions, healthcare providers, and managed security service providers (MSSPs). The flaw, tracked as CVE-2025-25256 and rated critical (CVSS: 9.8), impacts multiple branches of SIEM, from 5.4 up to 7.3."
https://www.bleepingcomputer.com/news/security/fortinet-warns-of-fortisiem-pre-auth-rce-flaw-with-exploit-in-the-wild/
https://fortiguard.fortinet.com/psirt/FG-IR-25-152
https://thehackernews.com/2025/08/fortinet-warns-about-fortisiem.html
https://www.darkreading.com/cyberattacks-data-breaches/fortinet-products-in-crosshairs-again
https://cyberscoop.com/fortinet-fortisiem-critical-vulnerability-ssl-vpn-brute-force-traffic/
https://www.helpnetsecurity.com/2025/08/13/fortinet-warns-about-fortisiem-vulnerability-with-in-the-wild-exploit-code-cve-2025-25256/
https://securityaffairs.com/181104/hacking/critical-fortisiem-flaw-under-active-exploitation-fortinet-warns.html
https://www.theregister.com/2025/08/13/fortinet_discloses_critical_bug/
- Zoom And Xerox Release Critical Security Updates Fixing Privilege Escalation And RCE Flaws
"Zoom and Xerox have addressed critical security flaws in Zoom Clients for Windows and FreeFlow Core that could allow privilege escalation and remote code execution. The vulnerability impacting Zoom Clients for Windows, tracked as CVE-2025-49457 (CVSS score: 9.6), relates to a case of an untrusted search path that could pave the way for privilege escalation. "Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access," Zoom said in a security bulletin on Tuesday."
https://thehackernews.com/2025/08/zoom-and-xerox-release-critical.html
- Fortinet, Ivanti Release August 2025 Security Patches
"Fortinet and Ivanti have each published new security advisories to inform customers about the vulnerabilities fixed with their August 2025 Patch Tuesday updates. Fortinet has published 14 new advisories. The most important one, with a critical severity rating, describes CVE-2025-25256, a FortiSIEM flaw that allows an unauthenticated, remote attacker to execute arbitrary code or commands through specially crafted CLI requests. Fortinet warned that a practical exploit for this vulnerability has been found in the wild — the company’s phrasing suggests that the vulnerability has not been exploited for malicious purposes, but a PoC exploit is public."
https://www.securityweek.com/fortinet-ivanti-release-august-2025-security-patches/
- Adobe Patches Over 60 Vulnerabilities Across 13 Products
"Adobe’s August 2025 Patch Tuesday updates address more than 60 vulnerabilities across 3D design, content creation, publishing and other types of products. The software giant has published 13 new advisories, including five that cover vulnerabilities in Substance 3D products such as Viewer, Modeler, Painter, Sampler, and Stager. In each of them Adobe patched one or more critical (high severity based on CVSS score) code execution vulnerabilities, and in some of them multiple important (medium severity) memory leaks."
https://www.securityweek.com/adobe-patches-over-60-vulnerabilities-across-13-products/
- CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-8875 N-able N-central Insecure Deserialization Vulnerability
CVE-2025-8876 N-able N-central Command Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/08/13/cisa-adds-two-known-exploited-vulnerabilities-catalog
- Chipmaker Patch Tuesday: Many Vulnerabilities Addressed By Intel, AMD, Nvidia
"Dozens of security advisories were published on Tuesday by Intel, AMD and Nvidia to inform customers about vulnerabilities found recently in their products. Intel has published 34 new advisories this Patch Tuesday. High-severity vulnerabilities have been addressed by the company in Xeon processors, Ethernet drivers for Linux, chipset firmware, processor stream cache, 800 Series Ethernet, PROSet/Wireless, and Connectivity Performance Suite products. Most of them allow privilege escalation, while some can be exploited for denial of service (DoS) and information disclosure."
https://www.securityweek.com/chipmaker-patch-tuesday-many-vulnerabilities-addressed-by-intel-amd-nvidia/
- Alarm Raised Over 'High-Severity' Vulnerabilities In Matrix Messaging Protocol
"The nonprofit Matrix Foundation, behind the federated communications protocol of the same name, announced this week patching what it described as two high-severity vulnerabilities that could have had catastrophic impact if exploited by sufficiently malicious actors. The off-cycle security release, which does not detail the specific nature of the bugs, suggests potential attacks where malicious actors could be enabled to seize control of classified discussion spaces, which numerous governments use Matrix for. A spokesperson for the Matrix Foundation said “the vulnerabilities were discovered as part of an ongoing joint security research project at Element and the Matrix.org Foundation,” and added that they were not aware of the vulnerabilities ever being exploited in the wild."
https://therecord.media/matrix-messaging-protocol-high-severity-vulnerabilities
https://matrix.org/blog/2025/08/security-release/
https://www.theregister.com/2025/08/13/secure_chat_darling_matrix_admits/
- Crooks Can't Let Go: Active Attacks Target Office Vuln Patched 8 Years Ago
"Very few people are immune to the siren song of nostalgia, a yearning for a "better time" when this was all fields and kids respected their elders - and it looks like cyber criminals are no exception. Malware campaigns continue targeting a 2017-patched vulnerability in Microsoft Office Equation Editor software that was discontinued in 2018, according to an infosec hound at SANS Internet Storm Centre. "One of the key messages broadcasted by security professionals is: 'Patch, patch, and patch again,'" security consultant Xavier Mertens said in a malware analysis posted today."
https://www.theregister.com/2025/08/13/crooks_cant_let_go_active/
Malware
- Personalization In Phishing: Advanced Tactics For Malware Delivery
"Subject customization is a widely utilized tactic in targeted malware-delivery phishing campaigns, designed to deceive recipients by making emails appear more authentic and trustworthy. Like credential-phishing attempts, attackers craft personalized subject lines, attachment names, and embedded links to create a sense of familiarity or urgency, increasing the likelihood that the recipient engages with the email. This strategy is not limited to the subject line; it is often extended to the email attachments, links, and message body."
https://cofense.com/blog/personalization-in-phishing-advanced-tactics-for-malware-delivery
- Exposing Investment Scams: AI Trading, Deepfake & Online Fraud
"Artificial intelligence has long become a part of everyday life. Today, it’s used across a wide range of fields — especially in finance, where large volumes of data need to be processed. In this area, AI makes it much easier to identify patterns and simplifies many tasks. Recently, there’s been a rise in trading platforms that call themselves “smart.” They promise easy profits through new technologies, often with little to no effort from the user. But behind these appealing claims, there are increasingly well-planned online trading scams. Fraudsters take advantage of people’s trust in AI to lure them into traps. To seem credible, they create fake AI-generated videos, fake reviews, and misleading ads."
https://www.group-ib.com/blog/exposing-investment-scams/
https://www.infosecurity-magazine.com/news/deepfake-ai-trading-scams-target/
- Fake Minecraft Game Spreads NjRat Malware: What You Need To Know
"With the Minecraft movie hype reigniting interest in the game, downloads of Minecraft-related content have surged, both legitimate and unofficial. Threat actors are exploiting this moment, crafting malware disguised as popular Minecraft installers or mods to prey on unsuspecting users, especially kids and casual gamers. In this blog, I dissected a malware campaign masquerading as “Eaglercraft 1.12 Offline”, a browser-based Minecraft clone. While seemingly harmless at first glance, it bundles a powerful Remote Access Trojan (NjRat) and demonstrates modern stealth, persistence and exfiltration techniques all wrapped in a nostalgic gaming lure."
https://www.pointwild.com/threat-intelligence/fake-minecraft-game-spreads-njrat-malware-what-you-need-to-know
https://hackread.com/fake-minecraft-installer-njrat-spyware-steal-data/
- Threat Bulletin: Fire In The Woods – A New Variant Of FireWood
"FireWood is a Linux backdoor discovered by ESET’s research team. They linked it to the long‑running “Project Wood” malware lineage, which dates back to at least 2005 and includes usage in the earlier Operation TooHash campaign. It functions as a remote access trojan (RAT) on Linux systems, employing kernel‑level rootkit modules (e.g., usbdev.ko) and TEA‑based encryption to hide its presence, maintain persistence, and communicate covertly with its command‑and‑control infrastructure. Once deployed, likely via web shells left on compromised Linux desktops, it enables attackers to execute commands, exfiltrate sensitive data such as system information and credentials, and operate stealthily over prolonged espionage operations. The backdoor has low confidence connections to the China-aligned Gelsemium APT group, as the overlaps may be coincidental or reflect shared tools across multiple groups."
https://intezer.com/blog/threat-bulletin-firewood/
- Shedding Light On PoisonSeed’s Phishing Kit
"As first reported by SilentPush, PoisonSeed is a threat actor whose TTPs closely align with Scattered Spider and CryptoChameleon, groups that are part of “The Com,” a young, English-speaking threat actor community. They engage in phishing attacks to obtain login information from CRM and bulk email service providers, allowing them to export contact lists and distribute larger volumes of spam using these accounts. The primary aim of targeting email providers appears to be establishing infrastructure for conducting cryptocurrency-related spam activities. Recipients of these spam operations are subjected to a cryptocurrency seed phrase manipulation attack. In this tactic, PoisonSeed offers security seed phrases, encouraging victims to use them in new cryptocurrency wallets, which they can later exploit. PoisonSeed is responsible for the campaign that targeted Troy Hunt where the actors stole his Mailchimp mailing list, and the Coinbase phishing emails tricking users with fake wallet migration."
https://blog.nviso.eu/2025/08/12/shedding-light-on-poisonseeds-phishing-kit/
Breaches/Hacks/Leaks
- Pennsylvania Attorney General's Email, Site Down After Cyberattack
"The Office of the Pennsylvania Attorney General has announced that a recent cyberattack has taken down its systems, including landline phone lines and email accounts. As Attorney General Dave Sunday revealed on social media on Monday, the office staff is currently working to restore affected services and investigate the incident with the help of law enforcement authorities. "The network that hosts the Office of Attorney General's systems is currently down, meaning the office's website is offline, as are office email accounts and land phone lines," Sunday said."
https://www.bleepingcomputer.com/news/security/pennsylvania-attorney-generals-email-site-down-after-cyberattack/
https://therecord.media/pennsylvania-attorney-general-office-cyberattack
- Croatian Research Institute Confirms Ransomware Attack Via ToolShell Vulnerabilities
"The Ruđer Bošković Institute (RBI), the largest Croatian science and technology research institute, has confirmed that it was one of “at least 9,000 institutions worldwide” that were attacked using the Microsoft SharePoint “ToolShell” vulnerabilities."
https://www.helpnetsecurity.com/2025/08/13/croatian-research-institute-confirms-ransomware-attack-via-toolshell-vulnerabilities/
General News
- Artificial Exploits, Real Limitations: How AI Cyber Attacks Fall Short
"Since 2024, major artificial intelligence (AI) providers have reported malicious use of their technology by state-sponsored actors, influence operations, and online scammers. By 2025, software vendors also began disclosing vulnerabilities identified by AI models, while researchers started experimenting with these tools for exploitation. Many now believe that AI can enable both novice cybercriminals and sophisticated threat actors to identify and exploit vulnerabilities at scale – an alarming prospect for cybersecurity practitioners."
https://www.forescout.com/blog/artificial-exploits-real-limitations-how-ai-cyber-attacks-fall-short/
https://www.darkreading.com/vulnerabilities-threats/popular-ai-systems-still-work-in-progress-security
- What The LockBit 4.0 Leak Reveals About RaaS Groups
"For years, LockBit has been viewed as the gold standard in ransomware — a sleek, professional, and ruthlessly efficient criminal syndicate with the polish of a Silicon Valley startup. But the recent leak of LockBit's 4.0 affiliate panel shattered that illusion, exposing a chaotic, backbiting, and wildly inconsistent operation behind the scenes. If you've been picturing ransomware groups as disciplined digital criminal organizations, this leak made one thing clear: The real threat is far more fragmented and unpredictable because of it."
https://www.darkreading.com/vulnerabilities-threats/what-lockbit-leak-reveals-raas-groups
- NIST Finalizes Lightweight Cryptography Standard For Small Devices
"The National Institute of Standards and Technology (NIST) has finalized a lightweight cryptography standard to protect even the smallest networked devices from cyberattacks. Published as Ascon-Based Lightweight Cryptography Standards for Constrained Devices (NIST Special Publication 800-232), the standard offers tools for securing data created and transmitted by billions of IoT devices, along with other small electronics such as RFID tags and medical implants. These technologies often have far less computing power than smartphones or laptops, yet still need strong protection. Lightweight cryptography is designed for these resource-limited environments."
https://www.helpnetsecurity.com/2025/08/13/nist-lightweight-cryptography-standard/
- AWS CISO Explains How Cloud-Native Security Scales With Your Business
"In this Help Net Security interview, Amy Herzog, CISO at AWS, discusses how cloud-native security enables scalable, flexible protection that aligns with how teams build in the cloud. She explains the Shared Responsibility Model and the tools and processes that scale security. Herzog also explains how AI helps automate threat detection and vulnerability management."
https://www.helpnetsecurity.com/2025/08/13/amy-herzog-aws-scale-cloud-native-security/
- CISOs Face A Complex Tangle Of Tools, Threats, And AI Uncertainty
"Most organizations are juggling too many tools, struggling with security blind spots, and rushing into AI adoption without governance, according to JumpCloud. The average organization now uses more than nine tools to manage core IT functions. That is fueling a rise in complexity, and with it, security risks. Nearly three-quarters of respondents said their IT environments are difficult to manage. Security gaps were listed as the top problem with tool sprawl, followed by compliance issues and poor visibility."
https://www.helpnetsecurity.com/2025/08/13/ciso-it-tool-sprawl/
- New Trends In Phishing And Scams: How AI And Social Media Are Changing The Game
"Phishing and scams are dynamic types of online fraud that primarily target individuals, with cybercriminals constantly adapting their tactics to deceive people. Scammers invent new methods and improve old ones, adjusting them to fit current news, trends, and major world events: anything to lure in their next victim. Since our last publication on phishing tactics, there has been a significant leap in the evolution of these threats. While many of the tools we previously described are still relevant, new techniques have emerged, and the goals and methods of these attacks have shifted."
https://securelist.com/new-phishing-and-scam-trends-in-2025/117217/
- Estonians Behind $577 Million Cryptomining Fraud Sentenced To 16 Months
"Two Estonian nationals were sentenced on Tuesday in Washington state to 16 months in prison for carrying out a cryptocurrency Ponzi scheme that netted more than a half-billion dollars. Sergei Potapenko and Ivan Turõgin, both 40, worked alongside four unnamed co-conspirators to defraud investors through a bogus cryptomining operation, the Department of Justice said in a statement Tuesday."
https://therecord.media/estonians-behind-multimillion-dollar-crypto-fraud-sentenced
References
Electronic Transactions Development Agency (ETDA)