Cyber Threat Intelligence 30 October 2025
Financial Sector
- When Money Moves, Hackers Follow: Europe’s Financial Sector Under Siege
"In the time it takes to read this paragraph—less than a minute—thousands of cyberattacks will have struck systems across the world. Financial institutions remain among the most targeted, facing roughly a third of all global DDoS and web application attacks. For Chief Information Security Officers (CISOs) across Europe’s banking, financial services, and insurance (BFSI) sector, the mission is no longer limited to defending against known threats. It’s about anticipating the next wave before it hits—and ensuring resilience when it does."
https://cyble.com/blog/bfsi-cybersecurity-in-europe/
- Early Reporting Helps Credit Unions Stop Fraudulent Transfers Faster
"In this Help Net Security interview, Carl Scaffidi, CISO at VyStar Credit Union, discusses how credit unions are adapting to an evolving fraud landscape and strengthening payment security. As cybercriminals leverage social engineering and AI-driven tactics, Scaffidi explains how innovation in authentication, real-time monitoring, and member education can enhance security without sacrificing the member experience."
https://www.helpnetsecurity.com/2025/10/29/carl-scaffidi-vystar-credit-unions-payment-security/
New Tooling
- Proximity: Open-Source MCP Security Scanner
"Proximity is a new open-source tool that scans Model Context Protocol (MCP) servers. It identifies the prompts, tools, and resources that a server makes available, and it can evaluate how those elements might introduce security risks. The tool also works with NOVA, a rule engine that checks for issues such as prompt injection or jailbreak attempts."
https://www.helpnetsecurity.com/2025/10/29/proximity-open-source-mcp-security-scanner/
https://github.com/fr0gger/proximity
Vulnerabilities
- XWiki CVE-2025-24893 Exploited In The Wild
"CVE-2025-24893 is an unauthenticated, remote template-injection vulnerability in XWiki that is being actively exploited in the wild. It does not appear in CISA KEV. Public reporting from Cyble, Shadow Server, and CrowdSec prompted us to add the vulnerability to VulnCheck KEV in March 2025, but those reports only indicate exploit attempts. Our VulnCheck Canaries observed a two-stage exploit chain and associated indicators. Below are the technical details. We observed multiple exploit attempts against our XWiki canaries coming from an attacker geolocated in Vietnam. The exploitation proceeds in a two-pass workflow separated by at least 20 minutes: the first pass stages a downloader (writes a file to disk), and the second pass later executes it."
https://www.vulncheck.com/blog/xwiki-cve-2025-24893-eitw
https://www.securityweek.com/xwiki-vulnerability-exploited-in-cryptocurrency-mining-operation/
https://hackread.com/hackers-hijack-xwiki-servers-crypto-mining/
- 100,000 WordPress Sites Affected By Arbitrary File Read Vulnerability In Anti-Malware Security And Brute-Force Firewall WordPress Plugin
"On October 3rd, 2025, we received a submission for an Arbitrary File Read vulnerability in Anti-Malware Security and Brute-Force Firewall, a WordPress plugin with more than 100,000 active installations. This vulnerability makes it possible for an authenticated attacker, with subscriber-level permissions or higher, to read arbitrary files on the server, which may contain sensitive information. Props to Dmitrii Ignatyev who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $960.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program."
https://www.wordfence.com/blog/2025/10/100000-wordpress-sites-affected-by-arbitrary-file-read-vulnerability-in-anti-malware-security-and-brute-force-firewall-wordpress-plugin/
https://www.bleepingcomputer.com/news/security/wordpress-security-plugin-exposes-private-data-to-site-subscribers/
- OpenAI’s New Browser Atlas Falls For AI-Targeted Cloaking Attack
"Agent-aware cloaking reliably changes what AI search tools read… a very simplistic, but powerful exploit. We built controlled sites and apps that serve different pages to regular browsers vs AI crawlers (OpenAI’s Atlas, ChatGPT, Perplexity), and showed that this can lead to context poisoning. This opens new attack vectors. Some immediate examples include manipulation of hiring decisions, product recommendations, reputation, commerce… and so much more."
https://splx.ai/blog/ai-targeted-cloaking-openai-atlas
https://thehackernews.com/2025/10/new-ai-targeted-cloaking-attack-tricks.html
https://www.darkreading.com/cyber-risk/ai-search-tools-easily-fooled-by-fake-content
- AI Agents Can Leak Company Data Through Simple Web Searches
"When a company deploys an AI agent that can search the web and access internal documents, most teams assume the agent is simply working as intended. New research shows how that same setup can be used to quietly pull sensitive data out of an organization. The attack does not require direct manipulation of the model. Instead, it takes advantage of what the model is allowed to see during an ordinary task."
https://www.helpnetsecurity.com/2025/10/29/agentic-ai-security-indirect-prompt-injection/
https://arxiv.org/pdf/2510.09093
- This Security Hole Can Crash Billions Of Chromium Browsers, And Google Hasn't Patched It Yet
"A critical, currently unpatched bug in Chromium's Blink rendering engine can be abused to crash many Chromium-based browsers within seconds, causing a denial-of-service condition – and, in some tests, freezing the host system. Security researcher Jose Pino found the flaw, and created a proof-of-concept exploit, Brash, to demonstrate the vulnerability affecting billions of people worldwide. Chrome is the most popular browser in the world with over 70% market share, according to StatCounter, and that's not counting all the people who use any of the open source Chromium-based browsers, including Microsoft Edge, OpenAI's ChatGPT Atlas, Brave, and Vivaldi. Given the ITU counts 5.5 billion internet users, that suggests Chrome alone is used by more than 3 billion people."
https://www.theregister.com/2025/10/29/brash_dos_attack_crashes_chromium/
Malware
- Scammers Target International Students By Threatening Their Visa Status
"In 2025, the U.S. government revoked thousands of visas from international students, often without warning or explanation. According to a newly released study, this opened a door for scammers. Posing as government officials, police, or university staff, they took advantage of students’ fear of losing their status. Researchers interviewed students to learn how they experience these scams and what universities can do to help."
https://www.helpnetsecurity.com/2025/10/29/international-students-scams-visa-status/
https://arxiv.org/pdf/2510.18715
- 10 Npm Typosquatted Packages Deploy Multi-Stage Credential Harvester
"Socket's Threat Research Team discovered 10 malicious npm packages that deploy a multi-stage credential theft operation. The malware uses four layers of obfuscation to hide its payload, displays a fake CAPTCHA to appear legitimate, fingerprints victims by IP address, and downloads a 24MB PyInstaller-packaged information stealer that harvests credentials from system keyrings, browsers, and authentication services across Windows, Linux, and macOS. The packages were published on July 4, 2025 and have remained live for over four months, accumulating over 9,900 downloads collectively; we have petitioned the npm registry for their removal."
https://socket.dev/blog/10-npm-typosquatted-packages-deploy-credential-harvester
https://thehackernews.com/2025/10/10-npm-packages-caught-stealing.html
https://www.bleepingcomputer.com/news/security/malicious-npm-packages-fetch-infostealer-for-windows-linux-macos/
- PhantomRaven: NPM Malware Hidden In Invisible Dependencies
"126 malicious npm packages. Over 86,000 downloads. Actively stealing npm tokens, GitHub credentials, and CI/CD secrets from developers worldwide - all while hiding the malicious code in dependencies hidden from the dependency analysis that most security tools rely on. We're calling this campaign PhantomRaven."
https://www.koi.ai/blog/phantomraven-npm-malware-hidden-in-invisible-dependencies
https://www.bleepingcomputer.com/news/security/phantomraven-attack-floods-npm-with-credential-stealing-packages/
https://www.darkreading.com/application-security/malicious-npm-packages-invisible-dependencies
https://www.infosecurity-magazine.com/news/npm-malware-invisible-dependencies/
- From Scripts To Systems: A Comprehensive Look At Tangerine Turkey Operations
"Cybereason Security Services issue Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them. In this Threat Analysis report, Cybereason Security Services investigates the flow of a Tangerine Turkey campaign observed in Cybereason EDR. Tangerine Turkey is a threat actor identified as a visual basic script (VBS) worm used to facilitate cryptomining activity."
https://www.cybereason.com/blog/tangerine-turkey
- Ukrainian Organizations Still Heavily Targeted By Russian Attacks
"Attackers linked to Russia are continuing to heavily target organizations in Ukraine. A recent investigation by our Threat Hunter Team uncovered a two-month intrusion against a large business services organization and a week-long attack against a local government organization, with the apparent goal of harvesting sensitive information and maintaining a persistent presence on their networks. The attackers deployed a limited amount of malware on the networks and instead relied heavily on Living-off-the-Land tactics and dual-use tools."
https://www.security.com/blog-post/ukraine-russia-attacks
https://thehackernews.com/2025/10/russian-hackers-target-ukrainian.html
https://therecord.media/russia-linked-breaches-ukraine-living-off-the-land
https://securityaffairs.com/183999/apt/russian-hackers-likely-linked-to-sandworm-exploit-legitimate-tools-against-ukrainian-targets.html
- Tap-And-Steal: The Rise Of NFC Relay Malware On Mobile Devices
"Since April 2024, zLabs has identified a growing trend of Android applications misusing NFC and Host Card Emulation (HCE) to illegally obtain payment data and conduct fraudulent transactions. What began as just a few isolated samples has now expanded to more than 760 malicious apps observed in the wild—demonstrating that NFC relay abuse is not slowing down but continuing to accelerate. Campaigns previously documented by other vendors are now broadening their reach to additional regions, including Russia, Poland, the Czech Republic, Slovakia, and others."
https://zimperium.com/blog/tap-and-steal-the-rise-of-nfc-relay-malware-on-mobile-devices
https://hackread.com/nfc-relay-malware-clone-tap-to-pay-android/
- Cloud Atlas Hackers Target Russian Agriculture Sector Ahead Of Industry Forum
"A Russia-based cybersecurity firm has uncovered another cyber-espionage campaign by the state-backed threat actor Cloud Atlas, which targeted the country’s agricultural sector using lures tied to an upcoming industry forum. The attack, which is the second time the group has hit Russia’s agro industrial firms in recent months, coincided with preparations for the Russian agriculture forum scheduled for the end of the month in Moscow. According to researchers at F6, the hackers sent phishing emails disguised as the event’s official program, containing a malicious file that exploited an old Microsoft Office flaw — CVE-2017-11882, a vulnerability patched in 2017 but still widely abused by cybercriminals."
https://therecord.media/cloud-atlas-targets-russian-agriculture
- Suspected Nation-State Threat Actor Uses New Airstalk Malware In A Supply Chain Attack
"We have discovered a new Windows-based malware family we've named Airstalk, which is available in both PowerShell and .NET variants. We assess with medium confidence that a possible nation-state threat actor used this malware in a likely supply chain attack. We have created the threat activity cluster CL-STA-1009 to identify and track any further related activity. Airstalk misuses the AirWatch API for mobile device management (MDM), which is now called Workspace ONE Unified Endpoint Management. It uses the API to establish a covert command-and-control (C2) channel, primarily through the AirWatch feature to manage custom device attributes and file uploads."
https://unit42.paloaltonetworks.com/new-windows-based-malware-family-airstalk/
Breaches/Hacks/Leaks
- Canada Says Hacktivists Breached Water And Energy Facilities
"The Canadian Centre for Cyber Security warned today that hacktivists have breached critical infrastructure systems multiple times across the country, allowing them to modify industrial controls that could have led to dangerous conditions. The authorities issued the warning to raise awareness of the elevated malicious activity targeting internet-exposed Industrial Control Systems (ICS) and the need to adopt stronger security measures to block the attacks. The alert shares three recent incidents in which so-called hacktivists tampered with critical systems at a water treatment facility, an oil & gas firm, and an agricultural facility, causing disruptions, false alarms, and a risk of dangerous conditions."
https://www.bleepingcomputer.com/news/security/canada-says-hacktivists-breached-water-and-energy-facilities/
https://www.cyber.gc.ca/en/alerts-advisories/al25-016-internet-accessible-industrial-control-systems-ics-abused-hacktivists
https://securityaffairs.com/184007/hacktivism/hacktivists-breach-canadas-critical-infrastructure-cyber-agency-warns.html
- The 4TB Time Bomb: When EY's Cloud Went Public (And What It Taught Us)
"Here at Neo Security, we don't just "scan." We practice a form of digital cartography. The modern internet isn't a fixed map; it's a constantly shifting, fluid landscape of assets, relationships, and data. Together with our partners, we map it, understand it, and find the parts that organizations have forgotten they own. During one of these recent mapping expeditions, our lead researcher found something that made him stop and double-check his work. Our engineers have real incident response experience. Worked on breaches where attackers found their way in through database files that were briefly exposed. We know the scenario well: a .BAK file leaked for five minutes. An exposure window measured in seconds. That's all it takes."
https://www.neosecurity.nl/blog/ey-data-leak-4tb-sql-server-backup
https://www.theregister.com/2025/10/29/ey_exposes_4tb_sql_database/
- Tasmanian Gov Agencies Impacted By Cyber Attack
"The VETtrak platform, which is used by Tasmania’s Department for Education, Children and Young People, the state's fire and services, and its health department, is developed by third-party supplier, ReadyTech. ReadyTech first notified the ASX of the incident on October 17. The Tasmanian government said in a statement there was no evidence that sensitive student information had been accessed. However, ReadyTech told the market on October 24 that it had become aware that “a small number” of documents containing personal information originating from the platform had been published."
https://www.itnews.com.au/news/tasmanian-gov-agencies-impacted-by-cyber-attack-621382
General News
- The Evolution Of Data Extortion TTPs: From Exploiting Code To Exploiting People
"Groups like Scattered Spider, LAPSUS$, and ShinyHunters have captured global attention for their high-profile, devastating data breaches. However, data extortion hasn’t always been a professionalized, human-operated tradecraft. Just a decade ago, this landscape was defined by fragmented, low-sophistication threat actors committing digital smash-and-grabs. The focus was simple: steal as much data as possible and exfiltrate it fast. So, what has changed?"
https://flashpoint.io/blog/data-extortion-ttps-exploiting-code-people/
- Cybersecurity On A Budget: Strategies For An Economic Downturn
"As many seasoned industry professionals remember, 2008 – 2010 was a tough time for the tech industry as well as the larger U.S. economy. During the Great Recession, unemployment rose as high as 10%, and IT and cybersecurity budgets were certainly not spared. During the 2020 COVID-19 crisis, the need for tech workers and larger IT budgets to support remote work was so strong that it outweighed the global economic slowdown. As a result, many new IT professionals never experienced what a real recession feels like."
https://blog.talosintelligence.com/cybersecurity-on-a-budget-strategies-for-an-economic-downturn/
- From Power Users To Protective Stewards: How To Tune Security Training For Specialized Employees
"One of the biggest mistakes that low-performing security education programs make is that they treat security awareness training as if every user impacts security in exactly the same way. Each user gets the same exact training, no matter their role or knowledge base. But the truth of the matter is that certain power users and certain roles in the organization are going to bring significantly more risk to the table, simply as a function of what they do and the systems they use. Whether they're C-suite executives, developers, DevOps pros, or finance professionals, these specialized and privileged users have access to some of the most sensitive data, and they're also much more likely to use emerging technologies in their daily workflows. Effective end-user security awareness training programs turn these power users into what some experts refer to as "protective stewards.""
https://www.darkreading.com/cybersecurity-operations/power-users-protective-stewards-how-tune-security-training-specialized-employees
- Botnets Step Up Cloud Attacks Via Flaws, Misconfigurations
"A series of known and powerful botnets are ramping up attacks against Web-exposed assets such as PHP servers, Internet of Things (IoT) devices, and cloud gateways to gain control over network resources and bolster their own strength for further malicious activity. These systems and devices are under an increasing threat from Mirai, Gafgyt, and Mozi botnets through automated campaigns that exploit known vulnerabilities and cloud misconfigurations. The security gaps allow the attackers to launch remote code execution (RCE) attacks, exfiltrate data, or turn the server into a vehicle for further malware distribution, the Qualys Threat Research Unit (TRU) revealed in a report published today."
https://www.darkreading.com/cloud-security/botnets-cloud-attacks-flaws-misconfigurations
https://thehackernews.com/2025/10/experts-reports-sharp-increase-in.html
https://www.infosecurity-magazine.com/news/php-servers-and-iot-devices-cyber/
- AI-Generated Code Poses Security, Bloat Challenges
"Developers using large language models (LLMs) to generate code perceive significant benefits, yet the reality is often less rosy. Programmers who adopted AI for code generation estimate, for example, that their individual effectiveness improved by 17%, according to the "State of AI-assisted Software Development" report published by Google's DevOps Research and Assessment (DORA) team in late September. Yet the same report also finds that software delivery instability climbed by nearly 10% as well. Overall, 60% of developers work in teams that suffer from either lower development speeds, greater software delivery instability, or both."
https://www.darkreading.com/application-security/ai-generated-code-leading-expanded-technical-security-debt
- Inside The Data On Insider Threats: What 1,000 Real Cases Reveal About Hidden Risk
"After 14 months, 15,000 legal cases, and countless late nights, security analyst Michael Robinson distilled insider threats down to 1,000 instances of misconduct — real-world cases where trusted employees turned their access into a weapon. "I gave up television, books, even exercise," he says. "For 14 months, I went through every case that touched an insider threat — computer abuse, trade secret theft, espionage — and pulled out the data. It was like true crime for cybersecurity.""
https://www.darkreading.com/insider-threats/inside-the-data-on-insider-threats-what-1000-real-cases-reveal-about-hidden-risk
- 9 In 10 Exchange Servers In Germany Still Running Out-Of-Support Software
"Germany's infosec office (BSI) is sounding the alarm after finding that 92 percent of the nation's Exchange boxes are still running out-of-support software, a fortnight after Microsoft axed versions 2016 and 2019. While the end of Windows 10 updates occupied most of the headlines, Microsoft's support for Exchange and a bunch of other 2016 and 2019-branded products ended on October 14, as scheduled a year earlier."
https://www.theregister.com/2025/10/29/germany_exchange_support/
- BSI Warns Of Looming AI Governance Crisis
"A leading standards body has warned of a growing “AI governance gap” as business leaders rush to adopt the new technology without first putting the requisite controls and processes in place. The British Standards Institution (BSI) made its remarks in a new report compiled from AI-assisted analysis of 100+ annual reports from multinationals and two global polls of more than 850 senior business leaders. On the one hand, nearly two-thirds (62%) of business leaders plan to increase AI investment over the coming year, to boost productivity, efficiency and cost reduction. Over half (59%) said they consider AI critical to future growth."
https://www.infosecurity-magazine.com/news/bsi-warns-of-looming-ai-governance/
https://www.bsigroup.com/en-GB/insights-and-media/insights/whitepapers/trust-in-ai-grounded-in-governance/
References
Electronic Transactions Development Agency (ETDA)