Cyber Threat

CISA: Vulnerability Tracked in Oracle E-Business Suite Is Being Exploited

CISA, the US cyber security agency, has added a serious Oracle E-Business Suite vulnerability to its Known Exploited Vulnerabilities catalog. According to CISA, the flaw, tracked as CVE-2025-61884, is being exploited in attacks.

Vulnerability CVE-2025-61884

Oracle published CVE-2025-61884, a server-side request forgery (SSRF) vulnerability in the Oracle Configurator runtime component, on October 11.

The bug received a CVSS score of 7.5 and does not require authentication to exploit. According to the company, attackers can use this vulnerability to gain “unauthorized access to critical data or full access to all Oracle Configurator data.”

Government organizations in the US must install patches before November 10. However, Oracle itself has not yet confirmed the exploitation.

In early October, Mandiant revealed that the Clop ransomware gang had begun sending extortion emails to companies, claiming that they had stolen data from Oracle E-Business Suite instances using zero-day flaws.

Oracle responded to this news by stating that the threat actors had exploited previously patched flaws disclosed in July.

According to BleepingComputer, the fix for CVE-2025-61884 validates the attacker-supplied “return_url” parameter against a regular expression; if validation fails, the request is blocked.

To this day, it remains unclear why Oracle listed the ShinyHunters exploit as an IOC for CVE-2025-61882 when it is actually intended for CVE-2025-61884.

Oracle EBS under attack

Oracle E-Business Suite is under targeted attack by threat actors, and investigations by research teams at Mandiant and CrowdStrike revealed that Oracle EBS had been targeted in two different campaigns:

  • July campaign: Used an exploit that targeted an SSRF flaw in the “/configurator/UiServlet” endpoint, which is now confirmed as CVE-2025-61884.
  • August campaign: Used a different exploit against the “/OA_HTML/SyncServlet” endpoint, and was fixed under CVE-2025-61882 through mod_security rules to block the endpoint and by stubbing out the SYNCSERVLET class. This flaw is attributed to Clop.

Oracle disclosed CVE-2025-61884 on October 11 but did not confirm whether it had been exploited, despite having fixed the exploit used in the July attacks. When CVE-2025-61884 was first disclosed, it was described as an information disclosure flaw in the Runtime UI component.

Over the weekend, Oracle released an emergency patch for a critical vulnerability in E-Business Suite. The flaw can be exploited by attackers without authentication to steal sensitive data. Oracle has assigned the vulnerability a CVSS score of 7.5, which underscores the severity of the problem.

CISA also confirmed that five new vulnerabilities are being exploited in the wild. These five new CVEs span business applications, CMS platforms and core Windows components.

These are:

  • Oracle EBS bugs give attackers an unauthenticated RCE path and data access through SSRF.
  • The SMB flaw enables lateral movement inside networks.
  • The Kentico pair lets attackers take over CMS environments used for staging and publishing.
  • The Apple vulnerability shows the ongoing risk of legacy systems that missed critical patches.

Threat hunting indicators for Oracle E-Business Suite and the other newly listed CVEs

• Look for unusual request patterns against Oracle EBS endpoints; these may indicate SSRF attempts.

• Check for spikes in SMB share privilege use and review Kentico logs for anything suspicious.

• Browser logs are the place to look for JavaScriptCore crashes or other unexpected execution.
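The first hunting point above can be turned into a concrete check over web server access logs. The following is an added example written for this page, not Oracle's or CISA's tooling: it parses combined-format access log lines (the sample lines are constructed), picks out requests to the two EBS endpoints named in the campaign descriptions, and flags a “return_url” that points to a host other than the EBS server's own hostname (the trusted hostname ebs.example.internal is an assumption), which is the shape an SSRF probe against the Configurator endpoint would take.

```python
"""Hunt Oracle EBS access logs for SSRF-style requests. Added example, not
vendor tooling; log lines below are constructed for illustration."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoints named in the July and August campaign descriptions.
WATCHED_ENDPOINTS = ("/configurator/UiServlet", "/OA_HTML/SyncServlet")

# Minimal combined-log-format parser: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})')

# Assumption: the only host a return_url may legitimately point at is the
# EBS application itself.
TRUSTED_HOSTS = {"ebs.example.internal"}


def analyse_line(line, trusted_hosts=TRUSTED_HOSTS):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not any(parts.path.startswith(ep) for ep in WATCHED_ENDPOINTS):
        return None
    finding = {"client": m.group("client"), "path": parts.path,
               "method": m.group("method"), "status": int(m.group("status")),
               "reasons": []}
    for raw in parse_qs(parts.query).get("return_url", []):
        val = unquote(raw)
        u = urlsplit(val)
        # Absolute URL pointing away from the trusted host: SSRF-style redirect.
        if u.scheme and u.netloc and u.hostname not in trusted_hosts:
            finding["reasons"].append(f"return_url points off-host: {u.netloc}")
        # Scheme-relative (//host) or backslash forms are also worth a look.
        elif val.startswith("//") or "\\" in val:
            finding["reasons"].append("return_url uses scheme-relative/backslash form")
    if parts.path.startswith("/OA_HTML/SyncServlet"):
        finding["reasons"].append("request to SyncServlet (endpoint blocked by the CVE-2025-61882 fix)")
    return finding if finding["reasons"] else None


def hunt(lines):
    """Run analyse_line over every log line and keep the findings."""
    return [f for f in (analyse_line(l) for l in lines) if f]


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2025:12:00:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "GET /configurator/UiServlet'
    '?return_url=http%3A%2F%2F203.0.113.7%3A8080%2Fx HTTP/1.1" 200 88',
    '10.0.0.9 - - [10/Oct/2025:12:00:03 +0000] "GET /configurator/UiServlet'
    '?return_url=%2FOA_HTML%2FRF.jsp HTTP/1.1" 200 1024',
    '198.51.100.4 - - [10/Oct/2025:12:00:04 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["client"], f["method"], f["path"], "|", "; ".join(f["reasons"]))
```

The relative return_url in the third line is not flagged, which is the behaviour you want from a hunt that is meant to surface only off-host redirects; tune TRUSTED_HOSTS to the hostnames your EBS tier actually answers on.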

Oracle also released a Critical Patch Update covering a wide range of products. It provides security updates for the following product families: Oracle Database Server, Oracle Application Express, Oracle Blockchain Platform, Oracle GoldenGate, Oracle NoSQL Database, Oracle REST Data Services, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Health Sciences Applications, Oracle HealthCare Applications, Oracle Hospitality Applications, Oracle Hyperion, Oracle Insurance Applications, Oracle Java SE, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, Oracle Utilities Applications, and Oracle Virtualization.

Sources: CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw

October 2025 Critical Patch Update Released | security

Unpatched Systems and Software Expose Businesses to Cyber Threats

Recall that Qantas, Australia’s flagship airline, confirmed a cyberattack exposing data from its frequent flyer program and customer accounts; up to 6 million records were affected, a staggering number. Exploits are malicious programs designed to take advantage of bugs or vulnerabilities in unpatched software or operating systems to gain unauthorised access. When left unpatched, these weak points act as open doors for cybercriminals.

Kaspersky research shows that the share of exploits targeting critical vulnerabilities in operating systems reached 64% in Q2 2025 (up from 48% in Q1 2025), with third-party apps (29%) and browsers (7%) following.


The breach originated from a third-party customer service platform, proving, as is widely understood, that even indirect systems can expose millions of records. It was presented as a clear case of unpatched software, but Qantas denied that any of its service platforms were vulnerable and said there was no sign the platform had been compromised.

Similarly, 1.5 billion records across 760 global companies were exposed when Salesforce was hit; the hacking group claimed to have breached Salesforce through compromised integrations with third-party tools like Drift and SalesLoft, stealing huge amounts of CRM data. The recent Salesloft Drift cyberattack may also have compromised some Google Workspace accounts.

The above cases are all about software vulnerabilities left unpatched. The latest data from cybersecurity and privacy company Kaspersky reveals that existing vulnerabilities in business networks continue to leave Malaysian enterprises exposed to cyberattacks.

Globally, in Q2 2025, the most common exploits targeted vulnerable Microsoft Office products with unpatched security flaws, according to Kaspersky’s findings. Its solutions detected the most exploits on the Windows platform for the following vulnerabilities:

  • CVE-2018-0802: Remote code execution vulnerability in the Equation Editor component
  • CVE-2017-11882: Another remote code execution vulnerability in Equation Editor
  • CVE-2017-0199: Vulnerability in Microsoft Office and WordPad allowing attackers to gain control of the system

(Source: Kaspersky: Unpatched Systems Expose Malaysian Businesses To Exploits – TechTRP)

The report also revealed that the top 10 most exploited vulnerabilities included both new zero-day flaws and older unpatched issues that organisations continue to overlook. A zero-day vulnerability is a software flaw discovered by attackers before the vendor is aware of it. As no patch exists at the time, zero-day attacks often succeed.

Key findings from Kaspersky’s reports for securing unpatched systems

  • Increased Exploitation: In the first half of 2025, more Windows and Linux users encountered vulnerability exploits compared to the previous year.
  • Targeted Vulnerabilities: Common exploits in Q2 2025 targeted Microsoft Office products with unpatched security flaws, such as those in the Equation Editor (CVE-2018-0802 and CVE-2017-11882).
  • End of Support: The end of free support for Windows 10 means millions of users will no longer receive critical security patches, leaving their systems vulnerable to new threats.
  • High volume of attacks: Kaspersky solutions blocked over 700,000 exploits targeting Indian organizations in the first half of 2025, averaging more than 4,000 per day.

“Attackers increasingly use methods to escalate privileges and exploit weaknesses in digital systems. As the number of vulnerabilities continues to grow, it is very important to constantly prioritize patching known vulnerabilities and use software that can mitigate post-exploitation actions. CISOs should counter the consequences of exploitation by searching for and neutralizing command and control implants that can be used by attackers on a compromised system,” says Alexander Kolesnikov, a security expert at Kaspersky.

What can businesses do to remain secure from cyber threats when systems are unpatched?

Legacy systems and applications often lack ongoing vendor support, leaving remote code execution vulnerabilities open for exploitation. These attacks enable full system control with little user interaction.

How to Fix:

Apply host-based intrusion prevention and patch virtualization, and replace or containerize legacy apps. It is important to isolate critical workloads in secure enclaves, since systems in the legacy category are prone to every kind of cyber threat and intrusion.

Further recommendations:

Conduct 24/7 monitoring of your infrastructure, focusing on perimeter defenses and using tools that can detect and block malicious software.

  • Utilize solutions for vulnerability assessment and patch management.
  • Prioritize defense strategies and threat detection for phishing emails and web threats.
  • Deploy comprehensive cybersecurity solutions that include incident response, employee training, and access to updated threat intelligence.
  • Implement a robust patch management process

Advanced eBPF Rootkit LinkPro Evades Detection on Linux Systems via Magic TCP Packets

Overview: LinkPro is a newly discovered Linux rootkit that leverages eBPF (extended Berkeley Packet Filter) technology to stealthily hide its presence on infected GNU/Linux systems. It was uncovered by the Synacktiv CSIRT during an investigation of a compromised AWS infrastructure.

This threat was deployed in an AWS environment after attackers exploited a vulnerable Jenkins server to distribute a malicious Docker image containing a Rust downloader, which fetched a memory-resident vShell backdoor. The rootkit’s use of eBPF, a legitimate kernel feature, makes detection challenging because it operates at a low level within the Linux kernel.

Leveraging eBPF, the LinkPro backdoor evades detection by hiding its processes and network activity, and it activates remotely via a “magic packet.”

Source: www.synacktiv.com 

Issue Details: The attack, originating from a vulnerable Jenkins server, deployed a malicious Docker image across AWS EKS clusters, enabling credential theft and lateral movement. This highlights the misuse of eBPF by advanced persistent threats (APTs) in cloud environments.

The LinkPro rootkit targets GNU/Linux systems, exploiting eBPF kernel capabilities to achieve stealth and remote activation.

It embeds multiple ELF modules, including two eBPF programs that hook into critical kernel system calls like getdents and sys_bpf to hide files, processes, and its own presence from detection tools.

If kernel support for these hooks is unavailable, LinkPro falls back to user-space concealment by loading a malicious shared library via /etc/ld.so.preload. This sophisticated rootkit deploys an advanced network packet filtering mechanism, activating only upon receiving a specific “magic packet” (a TCP SYN with a window size of 54321), allowing the attacker to control the system covertly. 

LinkPro masquerades as the legitimate systemd-resolved service for persistence and uses encrypted channels such as HTTP, DNS tunneling, and raw TCP/UDP for command and control. Its design enables attackers to execute arbitrary commands, perform file operations, and establish proxy tunnels, making it a highly adaptable and stealthy tool for persistent intrusions targeting cloud-native Linux systems. 
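The activation trigger described above (a TCP SYN whose window size is 54321) is a concrete, checkable property of traffic, so a network sensor can alert on it. The following is an added example for this page, not Synacktiv's code: a minimal IPv4/TCP header parser plus a predicate that fires on a SYN (ACK clear, an assumption that matches a fresh connection attempt) with that exact window size. The packets it runs over are constructed in-line with a small builder so the example is self-contained; in practice you would feed it raw frames from a capture.

```python
"""Detect the LinkPro 'magic packet' (TCP SYN, window size 54321) on the wire.
Added example, not Synacktiv's tooling; packets below are constructed."""
import struct
from ipaddress import IPv4Address

MAGIC_WINDOW = 54321        # window size named in the write-up
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags, window) or None if not IPv4/TCP."""
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4            # IPv4 header length incl. options
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    flags = off_flags & 0x1FF             # low 9 bits carry the TCP flags
    return (str(IPv4Address(src)), str(IPv4Address(dst)), sport, dport, flags, window)


def is_magic_packet(pkt):
    """True for a bare SYN (ACK clear) whose window equals MAGIC_WINDOW."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return False
    *_, flags, window = parsed
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK) and window == MAGIC_WINDOW


def build_packet(src, dst, sport, dport, flags, window):
    """Construct a minimal IPv4+TCP packet (no options, zero checksums) for testing."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp


def scan(packets):
    """Return (src, dst, sport, dport) for every packet that matches the trigger."""
    return [parse_ipv4_tcp(p)[:4] for p in packets if is_magic_packet(p)]


# Constructed traffic: one trigger, one ordinary SYN, one SYN-ACK reply.
SAMPLE_PACKETS = [
    build_packet("198.51.100.23", "10.0.0.8", 40001, 443, TCP_SYN, MAGIC_WINDOW),
    build_packet("10.0.0.9", "10.0.0.8", 40002, 443, TCP_SYN, 65535),
    build_packet("10.0.0.8", "198.51.100.23", 443, 40001, TCP_SYN | TCP_ACK, MAGIC_WINDOW),
]

if __name__ == "__main__":
    for src, dst, sport, dport in scan(SAMPLE_PACKETS):
        print(f"possible LinkPro knock: {src}:{sport} -> {dst}:{dport}")
```

Because the rootkit's own eBPF hooks hide the activity on the compromised host, this check belongs on a tap, mirror port or cloud flow/packet capture, not on the suspect machine itself.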

Attack Flow 

IOCs

Network
  • /api/client/file/download?Path=… - URL used to download tools/payloads onto the compromised host.
  • /reverse/handshake, /reverse/heartbeat, /reverse/operation - Endpoints the implant calls in reverse mode to receive operator commands.
  • 18.199.101.111 - Destination IP used by LinkPro in forward (active) mode.

File
  • /etc/systemd/system/systemd-resolveld.service - Malicious systemd service file named to look like systemd-resolved.
  • /root/.tmp~data.ok - Location/name of the LinkPro binary, disguised as a system file.
  • /usr/lib/.system/.tmp~data.resolveld - Alternate disguised location for the LinkPro binary.
  • /etc/libld.so - Malicious library loaded via /etc/ld.so.preload as a fallback concealment method.

Host
  • systemd-resolveld - Fake service name intended to be mistaken for systemd-resolved.
  • conf_map - eBPF map holding the internal port used by the Knock module.
  • knock_map - eBPF map containing authorized IP addresses for the Knock module.
  • main_ebpf_progs - eBPF map listing programs that the Hide module manages.
  • pids_to_hide_map - eBPF map listing process IDs the rootkit hides.

Hashes (SHA-256)
  • d5b2202b7308b25bda8e106552dafb8b6e739ca62287ee33ec77abe4016e698b - Passive LinkPro backdoor
  • 1368f3a8a8254feea14af7dc928af6847cab8fcceec4f21e0166843a75e81964 - Active LinkPro backdoor
  • b11a1aa2809708101b0e2067bd40549fac4880522f7086eb15b71bfb322ff5e7 - LD_PRELOAD module (libld.so)
  • b8c8f9888a8764df73442ea78393fe12464e160d840c0e7e573f5d9ea226e164 - Hide eBPF module
  • 364c680f0cab651bb119aa1cd82fefda9384853b1e8f467bcad91c9bdef097d3 - Knock eBPF module
  • 0da5a7d302ca5bc15341f9350a130ce46e18b7f06ca0ecf4a1c37b4029667dbb - Vget downloader

Recommendations

Recommended actions:

  • Patch the vulnerable Jenkins server (CVE-2024-23897) to prevent initial access. 
  • Restrict public exposure of CI/CD tools and enforce strict network segmentation. 
  • Monitor for suspicious Docker container deployments and unexpected host filesystem mounts. 
  • Watch for unusual or unauthorized eBPF program activity using kernel auditing tools. 
  • Regularly update Linux kernels and apply available security patches. 

Conclusion: 
The LinkPro rootkit is an advanced Linux malware that uses eBPF at the kernel level to stay hidden and persist on systems.

It spreads through Jenkins vulnerabilities, container escapes and remote activation, highlighting the critical vigilance organizations must maintain to continuously monitor and secure their environments.

To protect against it, companies should focus on timely patching and monitoring suspicious activities. 


Cyber Threats in the Maritime Domain; National Security in Focus at Delhi Seminar

Seminar Titled ‘Impact of Cyber Attacks on Maritime Sector and its Effects on National Security and International Relations’ 

The event in Delhi, organized by the Indian Navy, addresses cyber threats in the maritime domain, how those threats relate to national security, and their impact.

The event is organized at a time when geopolitics is evolving; the seminar aims to deepen understanding of cyber threats in the maritime domain and foster collaboration among key stakeholders to enhance cybersecurity and strengthen the national cybersecurity posture.

Cyber threats are evolving and looming over the maritime sector as the industry steps into the world of cyber risk. That risk is vast, ranging from ransomware capable of shutting down port operations to attacks on GPS and steering that halt vessels, as hackers get ever more creative.

Any cyber threat to the maritime sector also involves national security; it is not an isolated matter or merely a target for cyber criminals. Maritime security involves trade, global logistics, oil and gas, and defense, which are the major reasons to map maritime cyber threats to national security.

With the aim of deepening understanding of cyber threats in the maritime domain, the Indian Navy is organizing the seminar.

The seminar, titled ‘Impact of Cyber Attacks on Maritime Sector and Its Effects on National Security and International Relations’, aims to foster collaboration among key stakeholders to enhance cybersecurity and strengthen the national cybersecurity posture.

Minister of State for the IT Ministry, Jitin Prasada, will deliver the keynote address during the inaugural session. The seminar will feature panel discussions, each led by distinguished experts from the participating ministries and organizations.

The seminar aims to advance Hon’ble PM’s vision of MAHASAGAR (Mutual and Holistic Advancement for Security and Growth Across the Regions) by reinforcing a safe, secure cyberspace, and echoes the call for ‘Aatmanirbhar Bharat’ through indigenous, secure-by-design digital systems and robust public-private partnership.

Aligned with Maritime India Vision 2030 and the Amrit Kaal Vision 2047, the seminar positions cybersecurity as a core enabler of port-led growth, smart logistics, offshore energy security, and mission critical naval operations.

Participating ministries and organizations include the Ministry of Ports, Shipping and Waterways, the Ministry of Petroleum and Natural Gas (MoPNG), the National Security Council Secretariat (NSCS), the Gas Authority of India Limited (GAIL), the Directorate General of Hydrocarbons (DGH), the Indian Computer Emergency Response Team (CERT-In), the National Critical Information Infrastructure Protection Centre (NCIIPC), and the National Maritime Foundation (NMF), as well as leaders from private organisations.

The topics for panel discussions are ‘Global Cyber Threats to Maritime Infrastructure,’ ‘Civil and Military Partnership,’ and ‘Maritime Sector as Critical Information Infrastructure’.

Google Chrome Patches High-Severity Memory Vulnerabilities

Summary: Security Advisory: Google recently rolled out an update for Chrome to address two high-severity and one medium-severity vulnerabilities.

OEM Google 
Severity High 
CVSS Score 8.0 
CVEs CVE-2025-11458, CVE-2025-11460, CVE-2025-11211 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A heap buffer overflow in the Sync component and a use-after-free (UAF) vulnerability in the Storage component have been fixed, along with other security issues.

Users and administrators are advised to apply the latest patch as soon as possible to ensure their systems remain secure. 

Vulnerability Name, CVE ID, Product Affected, Severity, Fixed Version
  • Heap Buffer Overflow in Sync (CVE-2025-11458): Chrome (Windows, Mac, Linux); Severity: High; Fixed in 141.0.7390.65/66
  • Use-After-Free in Storage (CVE-2025-11460): Chrome (Windows, Mac, Linux); Severity: High; Fixed in 141.0.7390.65/66
  • Out-of-Bounds Read in WebCodecs (CVE-2025-11211): Chrome (Windows, Mac, Linux); Severity: Medium; Fixed in 141.0.7390.65/66

Technical Summary 

Google released an update for the Chrome Stable channel that addresses three significant memory-safety vulnerabilities within Chrome’s core components.

These include a flaw that could allow attackers to corrupt memory during browser data synchronization, potentially enabling arbitrary code execution, and another vulnerability in the storage system that involves improper memory handling after an object is freed, which could also lead to exploitation through crafted web content.

Additionally, a medium-severity issue was fixed in the media processing API that could cause exposure of sensitive memory or impact browser stability when handling certain media files. These fixes are part of ongoing efforts to improve browser security by mitigating risks of remote code execution, data exposure, and crashes. 

CVE ID, Component Affected, Vulnerability Details, Impact
  • CVE-2025-11458 (Chrome Sync component): Heap buffer overflow in the Sync component could allow memory corruption and potentially enable arbitrary code execution when handling synchronization data. Impact: Remote Code Execution / Data Leakage
  • CVE-2025-11460 (Chrome Storage component): Use-after-free in the Storage component could allow attackers to access freed memory, potentially leading to code execution or information disclosure. Impact: Remote Code Execution / Browser Instability
  • CVE-2025-11211 (Chrome WebCodecs API): Out-of-bounds read in the WebCodecs API could expose memory contents or crash the browser when processing malformed media inputs. Impact: Memory Disclosure / Browser Crash

Recommendations 

Update Chrome immediately to the following versions: 

  • Windows/Mac: Chrome v141.0.7390.65/66 
  • Linux: Chrome v141.0.7390.65 

Recommended actions:

  • Manual Update Check: Navigate to Settings → Help → About Google Chrome to force update. 
  • Enterprise Patch Management: Enforce Chrome auto-updates across managed systems. 
  • Threat Monitoring: Actively monitor browser crash reports, endpoint security alerts, and system/network logs for suspicious behavior. 

Conclusion: 
This update reflects Chrome’s continued commitment to robust browser security by addressing multiple critical memory vulnerabilities that could otherwise be exploited for remote code execution, data exposure, or browser instability.

Promptly applying updates is essential to reduce potential attack surfaces, maintain browser stability, and safeguard user data against emerging threats. 


Critical Lua Sandbox Escape Flaw in Redis Allows Remote Code Execution (RCE)

Summary: Security Advisory: A critical vulnerability in the Lua scripting engine of Redis, which is enabled by default in all versions, allows authenticated attackers to break out of the Lua sandbox and achieve remote code execution (RCE), gaining full control of the affected system.

OEM Redis
Severity Critical
CVSS Score 10.0
CVEs CVE-2025-49844
POC Available Yes
Actively Exploited No
Exploited in Wild No
Advisory Version 1.0

Overview

Since Redis is used in most cloud environments, the impact is highly critical. The Redis team has released patches and urges immediate updates to secure affected systems.

Vulnerability Name, CVE ID, Product Affected, Severity, Fixed Version
  • Lua Use-After-Free RCE Vulnerability (CVE-2025-49844): All Redis Software and OSS/CE/Stack versions with Lua scripting; Severity: Critical; Fixed in Redis Software 7.22.2-12+, 7.8.6-207+, 7.4.6-272+, 7.2.4-138+, 6.4.2-131+; Redis OSS/CE 8.2.2+, 8.0.4+, 7.4.6+, 7.2.11+; Redis Stack 7.4.0-v7+, 7.2.0-v19+

Technical Summary

The vulnerability comes from a use-after-free (UAF) bug in Redis’s Lua scripting system, caused by improper checks during memory cleanup. Authenticated attackers can send malicious Lua scripts via EVAL or EVALSHA commands to manipulate memory, bypass the sandbox, and run arbitrary code. Even internal servers are at risk if attackers gain network access, making this flaw highly critical for both exposed and internal environments.

CVE ID, System Affected, Vulnerability Details, Impact
  • CVE-2025-49844 (All Redis Software and OSS/CE/Stack below the fixed versions): A use-after-free in the Lua garbage collector allows memory corruption via crafted scripts, enabling sandbox escape and RCE. Impact: Remote Code Execution

Recommendations

Upgrade to the fixed versions below immediately.

  • Redis Software: 7.22.2-12+, 7.8.6-207+, 7.4.6-272+, 7.2.4-138+, 6.4.2-131+
  • Redis OSS/CE: 8.2.2+, 8.0.4+, 7.4.6+, 7.2.11+
  • Redis Stack: 7.4.0-v7+, 7.2.0-v19+

Best practices:

  • Enable Strong Authentication: Configure strong passwords on all the instances, ensure protected-mode is enabled (in CE and OSS) to prevent accidental exposure.
  • Network Controls: Restrict access to authorized IPs using firewalls or VPCs, limit access to trusted sources and prevent unauthorized connectivity.
  • Limit permissions: grant each user only the minimum permissions it needs.
  • Monitoring: review logs for any suspicious activity.
  • Incident Response: If compromised, isolate systems, rotate credentials, and scan for malware.
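The best practices above are all visible in a redis.conf, so a configuration audit can catch the exposures that turn this authenticated bug into a pre-authentication one. The following is an added example for this page, not Redis's tooling: it parses a redis.conf (the two configs are constructed; the passwords are placeholders) and reports protected-mode off, binding to all interfaces, missing authentication, and EVAL/EVALSHA still reachable. The last check accepts either `rename-command EVAL ""` or an ACL `user` rule carrying `-@scripting`; both are standard Redis directives, and the ACL form is the one to prefer on Redis 7+.

```python
"""Audit a redis.conf for the hardening points in the Redis advisory above.
Added example, not Redis's own tooling; config text below is constructed."""


def parse_redis_conf(text):
    """Map directive name -> list of argument lists (directives may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        conf.setdefault(name.lower(), []).append(args)
    return conf


def audit_redis_conf(text):
    """Return a list of human-readable findings; empty means no issues found."""
    conf = parse_redis_conf(text)
    findings = []

    # protected-mode defaults to yes; the last occurrence wins.
    if conf.get("protected-mode", [["yes"]])[-1][:1] != ["yes"]:
        findings.append("protected-mode is off; unauthenticated clients on any interface are accepted")

    # No bind directive means every interface; wildcard binds are equivalent.
    binds = [a for args in conf.get("bind", []) for a in args]
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind exposes Redis on all interfaces; restrict to trusted addresses")

    # Authentication: either legacy requirepass or at least one ACL user.
    users = conf.get("user", [])
    if "requirepass" not in conf and not users:
        findings.append("no requirepass or ACL user defined; clients connect without authentication")

    # Lua reachability: rename EVAL/EVALSHA away, or deny @scripting via ACL.
    renamed = {args[0].upper() for args in conf.get("rename-command", [])
               if len(args) >= 2 and args[1] in ('""', "''")}
    acl_blocks_scripting = any("-@scripting" in args for args in users)
    if not ({"EVAL", "EVALSHA"} <= renamed or acl_blocks_scripting):
        findings.append("EVAL/EVALSHA remain available to authenticated clients; deny @scripting unless required")
    return findings


# Constructed: an exposed instance of the kind the advisory warns about.
WEAK_CONF = """
port 6379
protected-mode no
bind 0.0.0.0
# requirepass intentionally unset
"""

# Constructed: the same instance after applying the best practices.
# CHANGEME-placeholder stands in for a real secret.
HARDENED_CONF = """
port 6379
protected-mode yes
bind 127.0.0.1 10.0.0.5
requirepass CHANGEME-placeholder
user app on >CHANGEME-placeholder ~app:* +@all -@scripting -@dangerous
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["no findings"])
```

Run it against `CONFIG GET`-exported settings or the on-disk file of each instance; an empty result for a host does not replace the upgrade, it only means the exposed surface around the bug has been reduced.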

Conclusion:
This is a critical vulnerability with a CVSS score of 10.0, affecting all Redis versions with Lua scripting. The widespread use of Redis and insecure default configurations make this a critical threat. Immediate patching and hardening are essential to prevent full system compromise, data breaches, and further attacks.


Chrome Security Update Fixed Active Zero-Day Exploit & Multiple High-Severity Vulnerabilities 

Security advisory : Google has issued a Stable Channel Update for Chrome to address 4 high-severity vulnerabilities, including one zero-day vulnerability (CVE-2025-10585) actively exploited in the wild.

OEM Google 
Severity High 
CVSS Score N/A 
CVEs CVE-2025-10585, CVE-2025-10500, CVE-2025-10501, CVE-2025-10502 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This flaw, a Type Confusion in the V8 JavaScript and WebAssembly engine, can allow remote attackers to execute arbitrary code outside of Chrome’s security sandbox when users visit maliciously crafted web pages. Users and administrators are urged to update to the latest Chrome version immediately to mitigate potential exploitation.

Vulnerability Name, CVE ID, Product Affected, Severity, Fixed Version
  • Type Confusion in V8 Engine (CVE-2025-10585): Chrome (Windows, Mac, Linux); Severity: High; Fixed in 140.0.7339.185/.186

Technical Summary 

The zero-day vulnerability in Chrome’s V8 engine arises from a type confusion flaw, where object types are misinterpreted, leading to logical errors and memory corruption.

Attackers can exploit this issue when users visit maliciously crafted websites, enabling arbitrary code execution and possible sandbox escape.

This flaw has been confirmed as actively exploited in the wild. In addition to this zero-day, the update also fixes three other high-severity issues: a use-after-free in the Dawn graphics abstraction layer that could lead to memory corruption, a use-after-free in WebRTC that may enable remote code execution, and a heap buffer overflow in ANGLE that could result in program crashes or arbitrary code execution.

CVE ID, System Affected, Vulnerability Details, Impact
  • CVE-2025-10585 (Google Chrome on Windows, Mac, Linux): Type confusion in the V8 JavaScript engine could allow memory corruption, arbitrary code execution, and potential sandbox escape. Impact: Remote Code Execution / Sandbox Escape

Other Vulnerabilities  

In addition to the zero-day, Google patched three other high-severity vulnerabilities in the same stable channel release. 

Vulnerability Name, CVE ID, Affected Component, Severity
  • Use-after-free in Dawn (CVE-2025-10500): Chrome GPU Renderer Component (Dawn); Severity: High
  • Use-after-free in WebRTC (CVE-2025-10501): Chrome WebRTC Audio/Video Communication Module; Severity: High
  • Heap Buffer Overflow in ANGLE (CVE-2025-10502): Chrome Graphics Translation Engine (ANGLE); Severity: High

Recommendations

Update Chrome immediately to the following versions: 

  • Windows/Mac: Chrome 140.0.7339.185/.186 
  • Linux: Chrome 140.0.7339.185 
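Both Chrome advisories on this page give their fixed versions in the form "140.0.7339.185/.186" or "141.0.7390.65/66", where the two trailing numbers are the Windows/Mac and Linux builds. Checking a fleet against that notation is a small but easy-to-get-wrong comparison (string comparison of dotted versions misorders them), so the following added example, not Google's code, expands the advisory notation, compares four-part versions numerically, and reports which advisories each host still lacks. The fixed versions are taken from the two advisories; the hostnames and installed versions are constructed.

```python
"""Check installed Chrome builds against the fixed versions in the two
advisories on this page. Added example, not Google's code."""
import re


def parse_version(v):
    """'141.0.7390.65' -> (141, 0, 7390, 65); rejects anything not four numeric parts."""
    if not re.fullmatch(r"\d+(\.\d+){3}", v):
        raise ValueError(f"unexpected Chrome version format: {v!r}")
    return tuple(int(p) for p in v.split("."))


def expand_fixed(spec):
    """Expand advisory notation such as '141.0.7390.65/66' or '140.0.7339.185/.186'
    into the concrete versions it denotes."""
    base, *alts = spec.split("/")
    prefix = base.rsplit(".", 1)[0]
    return [base] + [f"{prefix}.{alt.lstrip('.')}" for alt in alts]


def minimum_fixed(spec):
    """Lowest build that carries the fix; any build at or above it is patched."""
    return min(parse_version(v) for v in expand_fixed(spec))


def is_patched(installed, fixed_spec):
    return parse_version(installed) >= minimum_fixed(fixed_spec)


# Fixed versions from the two advisories above (zero-day, then the Sync/Storage update).
FIXED = {
    "CVE-2025-10585": "140.0.7339.185/.186",
    "CVE-2025-11458": "141.0.7390.65/66",
}


def check_fleet(inventory, fixed=FIXED):
    """inventory: {hostname: installed version}. Returns {hostname: [missing fixes]}."""
    return {host: [cve for cve, spec in fixed.items() if not is_patched(ver, spec)]
            for host, ver in inventory.items()}


# Constructed inventory: one host behind by one release, one behind by two.
SAMPLE_INVENTORY = {"ws-01": "140.0.7339.207", "ws-02": "139.0.7258.154"}

if __name__ == "__main__":
    for host, missing in check_fleet(SAMPLE_INVENTORY).items():
        print(host, "missing:", ", ".join(missing) or "nothing")
```

On managed endpoints the installed version is what `chrome --version` (or the browser's About page) reports; feed that string in unchanged, since the parser refuses anything that is not four numeric parts rather than guessing.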

Recommended actions:

  • Manual Update Check: Navigate to “Settings → Help → About Google Chrome” to trigger the update. 
  • Patch Management: Ensure enterprise update policies enforce Chrome auto-updates. 
  • Threat Monitoring: keep monitoring logs for any signs of exploitation.

Conclusion: 
The update addresses several high-severity vulnerabilities in Google Chrome, including an actively exploited zero-day flaw in the V8 JavaScript engine that poses a significant risk of remote code execution and sandbox escape.

Given the severity and confirmed exploitation in the wild, it is imperative that all users and administrators promptly update to the latest Chrome versions to mitigate potential attacks. Immediate action is essential to safeguard systems, data, and user privacy in light of these emerging threats. 

References

  • https://cybersecuritynews.com/google-chrome-0-day-vulnerability-exploited/  

Shai-Hulud NPM Supply Chain Attack Expands to 470+ Packages 

Summary: A large-scale malicious campaign, nicknamed the Shai-Hulud attack, has impacted the npm ecosystem with over 500 trojanized packages, including those packages maintained by CrowdStrike. The attack originated from a sophisticated phishing campaign that exploited the fundamental trust relationships within the npm ecosystem. 

The JavaScript ecosystem is under a massive threat following this major supply chain attack; millions of crypto users and developers are now at risk. With more than a billion downloads of the affected packages, thousands of blockchain wallets and applications could suffer a variety of exploits.

  • Malicious npm updates spread malware that steals and replaces crypto addresses.
  • Developers are encouraged to cease on-chain operations and inspect HD wallets thoroughly.

The attackers injected malicious scripts that:

  • Run secret-scanning tools on developer systems, 
  • Steal GitHub, npm and cloud credentials, 
  • Insert persistent GitHub Actions workflows for long-term access, and 
  • Exfiltrate sensitive data to attacker-controlled endpoints. 

This attack is ongoing and all users of npm packages should take immediate steps to secure tokens, audit their environments and verify package integrity. 

Issue Details 

Initial discovery was on September 14, 2025, when suspicious versions of @ctrl/tinycolor and ~40 other packages were flagged. By September 16, the attack had spread to include CrowdStrike-namespaced packages and dozens from @ctrl, @nativescript-community, rxnt, @operato, and others.

Malware behavior 

  • Downloads and runs TruffleHog, a legitimate secret scanner. 
  • Harvests secrets from local machines and CI/CD agents (npm tokens, GitHub PATs, AWS/GCP cloud keys). 
  • Writes malicious workflows into .github/workflows (shai-hulud-workflow.yml). 
  • Continuously exfiltrates findings to a fixed webhook endpoint or pushes them into new GitHub repos under the victim’s account. 

Attack Flow 

Popular packages with affected versions:

  • @ctrl/ngx-codemirror: 7.0.1, 7.0.2
  • @ctrl/tinycolor: 4.1.1, 4.1.2
  • @crowdstrike/foundry-js: 0.19.1, 0.19.2
  • @crowdstrike/logscale-dashboard: 1.205.1, 1.205.2
  • @nativescript-community/sqlite: 3.5.2 – 3.5.5
  • @nativescript-community/text: 1.6.9 – 1.6.13
  • @nstudio/nativescript-checkbox: 2.0.6 – 2.0.9
  • @nstudio/angular: 20.0.4 – 20.0.6
  • eslint-config-crowdstrike: 11.0.2, 11.0.3
  • remark-preset-lint-crowdstrike: 4.0.1, 4.0.2

Attack Indicators 

Malicious Workflow Filenames 

  • .github/workflows/shai-hulud-workflow.yml 
  • .github/workflows/shai-hulud.yaml 

Exfiltration Endpoint 

  • hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 

Hashes of Malicious Payloads 

SHA-256 hash - Notes
  • 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09 - Large batch, Sept 15–16
  • b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777 - CrowdStrike-related packages burst (Sept 16)
  • de0e25a3e6c1e1e5998b306b7141b3dc4c0088da9d7bb47c1c00c91e6e4f85d6 - First observed compromise (Sept 14)
  • 81d2a004a1bca6ef87a1caf7d0e0b355ad1764238e40ff6d1b1cb77ad4f595c3 - Sept 14 small burst
  • 83a650ce44b2a9854802a7fb4c202877815274c129af49e6c2d1d5d5d55c501e - ~25 packages, Sept 14
  • 4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db - Burst of ~17 packages, Sept 14–15
  • dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c - Multiple reuse across Sept 15–16

Recommendations

Organizations and developers using npm should take immediate actions: 

  1. Uninstall or downgrade 
     Pin dependencies to known-safe versions until patched releases are confirmed. 
  2. Rotate credentials 
     Immediately revoke and reissue: 
     • npm access tokens 
     • GitHub personal access tokens / org tokens 
     • Cloud credentials (AWS, GCP, Azure) 
  3. Audit systems 
     • Inspect developer machines and CI/CD build agents for signs of the malicious bundle.js. 
     • Check .github/workflows for unauthorized files named “shai-hulud-*”. 
     • Review repositories for suspicious commits or new repos labeled “Shai-Hulud Migration”. 
  4. Monitor and log 
     • Search event logs for unusual npm publish activity. 
     • Investigate GitHub Actions runs designed to exfiltrate secrets. 
  5. Harden pipelines 
     • Pin package versions and use integrity checks (e.g. lockfiles, checksums). 
     • Limit exposure of sensitive tokens in build environments. 
     • Rotate all build-related secrets regularly. 
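The audit steps above (affected versions, rogue workflow files, payload hashes, the exfiltration endpoint) can be automated against a project checkout. The scanner below is an added example written for this page, not tooling from the advisory or from npm or GitHub; it takes the indicators exactly as listed above, expands the version ranges on the assumption that only the patch number varies (true for every range in the table), refangs the webhook address so it can be matched in file contents, and builds a small constructed demo project so it runs offline. Only lockfileVersion 2/3 files (the "packages" map) are parsed.

```python
# Added example (not the advisory's own tooling): scan a Node.js checkout for the
# Shai-Hulud indicators listed above. IoCs are copied from the advisory; the demo
# project built by build_sample_repo() is constructed for illustration.
import hashlib
import json
import tempfile
from pathlib import Path

# Advisory version ranges such as "3.5.2 – 3.5.5" are expanded assuming only the
# patch number varies, which holds for every range in the table.
AFFECTED = {
    "@ctrl/ngx-codemirror": {"7.0.1", "7.0.2"},
    "@ctrl/tinycolor": {"4.1.1", "4.1.2"},
    "@crowdstrike/foundry-js": {"0.19.1", "0.19.2"},
    "@crowdstrike/logscale-dashboard": {"1.205.1", "1.205.2"},
    "@nativescript-community/sqlite": {"3.5.2", "3.5.3", "3.5.4", "3.5.5"},
    "@nativescript-community/text": {"1.6.9", "1.6.10", "1.6.11", "1.6.12", "1.6.13"},
    "@nstudio/nativescript-checkbox": {"2.0.6", "2.0.7", "2.0.8", "2.0.9"},
    "@nstudio/angular": {"20.0.4", "20.0.5", "20.0.6"},
    "eslint-config-crowdstrike": {"11.0.2", "11.0.3"},
    "remark-preset-lint-crowdstrike": {"4.0.1", "4.0.2"},
}
MALICIOUS_WORKFLOWS = {"shai-hulud-workflow.yml", "shai-hulud.yaml"}
EXFIL_ENDPOINT = "webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7"  # refanged from the advisory
PAYLOAD_HASHES = {
    "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09",
    "b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777",
    "de0e25a3e6c1e1e5998b306b7141b3dc4c0088da9d7bb47c1c00c91e6e4f85d6",
    "81d2a004a1bca6ef87a1caf7d0e0b355ad1764238e40ff6d1b1cb77ad4f595c3",
    "83a650ce44b2a9854802a7fb4c202877815274c129af49e6c2d1d5d5d55c501e",
    "4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db",
    "dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c",
}

def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def find_affected_packages(lock_path):
    """Sorted (name, version) pairs in a lockfileVersion 2/3 file that match AFFECTED."""
    data = json.loads(lock_path.read_text())
    hits = set()
    for key, meta in data.get("packages", {}).items():
        # "" is the root project; "node_modules/a/node_modules/@s/b" -> "@s/b"
        name = key.rsplit("node_modules/", 1)[-1]
        if key and meta.get("version") in AFFECTED.get(name, ()):
            hits.add((name, meta["version"]))
    return sorted(hits)

def find_malicious_workflows(root):
    """Workflow files with a known malicious name or the shai-hulud-* prefix."""
    wf_dir = root / ".github" / "workflows"
    if not wf_dir.is_dir():
        return []
    return sorted(p.name for p in wf_dir.iterdir()
                  if p.name in MALICIOUS_WORKFLOWS or p.name.startswith("shai-hulud"))

def find_file_iocs(root, hashes=PAYLOAD_HASHES):
    """Files whose SHA-256 is a known payload, and files that mention the endpoint."""
    hash_hits, endpoint_hits = [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = str(path.relative_to(root))
        if sha256_file(path) in hashes:
            hash_hits.append(rel)
        if EXFIL_ENDPOINT in path.read_text(errors="ignore"):
            endpoint_hits.append(rel)
    return hash_hits, endpoint_hits

def scan_repo(root, hashes=PAYLOAD_HASHES):
    lock = root / "package-lock.json"
    hash_hits, endpoint_hits = find_file_iocs(root, hashes)
    return {
        "affected_packages": find_affected_packages(lock) if lock.exists() else [],
        "malicious_workflows": find_malicious_workflows(root),
        "payload_hash_matches": hash_hits,
        "endpoint_references": endpoint_hits,
    }

def build_sample_repo(root):
    """Constructed demo: one affected dependency, one clean one, a malicious workflow
    filename, and a placeholder bundle.js that references the exfil endpoint."""
    lock = {"lockfileVersion": 3, "packages": {
        "": {"name": "demo-app"},
        "node_modules/@ctrl/tinycolor": {"version": "4.1.2"},
        "node_modules/left-pad": {"version": "1.3.0"}}}
    (root / "package-lock.json").write_text(json.dumps(lock))
    wf_dir = root / ".github" / "workflows"
    wf_dir.mkdir(parents=True)
    (wf_dir / "ci.yml").write_text("name: ci\n")
    (wf_dir / "shai-hulud-workflow.yml").write_text("# constructed placeholder\n")
    (root / "bundle.js").write_text(f"// constructed placeholder; posts to {EXFIL_ENDPOINT}\n")

def demo():
    """Scan the constructed repo with the real hashes (the placeholder bundle.js does
    not match) and again with the placeholder's own digest added to show a hash hit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_repo(root)
        with_own_hash = PAYLOAD_HASHES | {sha256_file(root / "bundle.js")}
        return scan_repo(root), scan_repo(root, with_own_hash)

if __name__ == "__main__":
    for result in demo():
        print(json.dumps(result, indent=2))
```

Point scan_repo() at a real checkout to run it for your own repositories; the two results from demo() show the same scan once with the published hashes alone and once with the placeholder's digest added, which is the difference between a clean bundle.js and one that matches a known payload.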

 
Conclusion 
This incident is one of the most significant compromises in the npm ecosystem, impacting hundreds of widely used packages across various namespaces.

The attackers’ tactics, such as credential theft, manipulation of GitHub workflows and widespread package propagation, highlight the growing sophistication of modern supply chain attacks.

Developers and organizations are strongly advised to take immediate action by removing affected package versions, rotating any exposed secrets, auditing their build environments and strengthening CI/CD security. Continuous monitoring and rapid response are essential to reducing risk and maintaining trust in open-source software. 

The attack’s browser API-level operation revealed critical blind spots in enterprise security monitoring, particularly for organizations handling cryptocurrency transactions.

Kaspersky reveals SharePoint ToolShell vulnerabilities stem from incomplete 2020 fix.

Kaspersky’s Global Research and Analysis Team (GReAT) discovered that the recently exploited ToolShell vulnerabilities in Microsoft SharePoint originate from an incomplete fix for CVE-2020-1147, first reported in 2020.

IntruceptLabs have published the security advisory https://intruceptlabs.com/2025/07/toolshell-zero-day-exploits-in-microsoft-sharepoint-enable-full-remote-takeover/ on 21st July 2025.

The SharePoint vulnerabilities have emerged as a major cybersecurity threat this year amid active exploitation. Kaspersky Security Network showed exploitation attempts worldwide, including in Egypt, Jordan, Russia, Vietnam and Zambia.

The attacks target organizations across government, finance, manufacturing, forestry and agriculture sectors. 

Two newly discovered zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) in Microsoft SharePoint Server are being actively exploited in the wild.

There is currently no patch available to plug this security hole, but Microsoft says that customers running on-premises SharePoint Servers can stop attackers from exploiting the vulnerability by configuring Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers.

SharePoint vulnerabilities: a major cyber threat

Kaspersky solutions proactively detected and blocked ToolShell attacks before the vulnerabilities were publicly disclosed.

Kaspersky GReAT researchers analyzed the published ToolShell exploit and found it alarmingly similar to the 2020 CVE-2020-1147 exploit.

This suggests that the CVE-2025-53770 patch is, in fact, an effective fix for the vulnerability that CVE-2020-1147 attempted to address five years ago.

The connection to CVE-2020-1147 became evident following the discovery of CVE-2025-49704 and CVE-2025-49706, patched on July 8. However, these fixes could be bypassed by adding a single forward slash to the exploit payload.

Once Microsoft learned of active exploitation of these vulnerabilities, they responded with comprehensive patches that addressed potential bypass methods, designating the vulnerabilities as CVE-2025-53770 and CVE-2025-53771.

The surge in attacks against SharePoint servers worldwide occurred during the window between initial exploitation and full patch deployment. Despite patches now being available for the ToolShell vulnerabilities, Kaspersky expects attackers will continue exploiting this chain for years to come.

“Many high-profile vulnerabilities remain actively exploited years after discovery — ProxyLogon, PrintNightmare and EternalBlue still compromise unpatched systems today. We expect ToolShell to follow the same pattern: its ease of exploitation means the public exploit will soon appear in popular penetration testing tools, ensuring prolonged use by attackers,” said Boris Larin, principal security researcher at Kaspersky GReAT.

Do connect with us for any queries https://intruceptlabs.com/contact/

(Source: Read the full report on Securelist.com)

Iran & Israel war shaping cyber warfare; Hacktivism a tool used widely for Proxy Warfare

The latest development in geopolitics, Israeli air strikes on Iran, has triggered hacktivists to attack, and they chose a social media platform, Telegram, to announce their activities. Cyber warfare is now taking a different path: it has no borders and the enemy is not visible. A single attack is enough to bring down and cripple an entire system, from banking systems to power grids.

Hacktivist groups often use Telegram as their first channel to publicise their cyber-attacks and victim lists. The hacktivist group DieNet announced on Telegram that it would attack Israeli radio stations.

Israeli cyber officials expect more spear-phishing, malware and similar attack attempts in the days ahead. Iran is currently engaged in a cyber-conflict with Israel and relies on two major hacktivist groups, linked to Iran’s Ministry of Intelligence and Security (MOIS), to conduct destructive cyber-attacks.

According to NSFOCUS Fuying Lab, hacker groups targeting Israel and Iran have been active since 2025. Up to now, about 170 hacker groups have attacked Israel, carrying out about 1,345 cyber attacks, including about 447 launched against Israel after the conflict broke out. (The Hacktivist Cyber Attacks in the Iran-Israel Conflict – Security Boulevard)

In the past, Russia has used “hacktivism” as a tool for proxy warfare, covering various forms of cyber activity intended to create fear and uncertainty in its opponents.

Iranian cyber units are mostly linked to MOIS and the IRGC; the hacker groups involved use fake identities or front groups to hide their state connections.

Surge in Disruptive Cyber Operations

According to Radware, a global cybersecurity provider, Israel has faced an average of 30 DDoS attacks per day since the conflict’s onset. These attacks primarily target government and public institutions (27%), manufacturing (20%), telecommunications (12%), and media platforms (9%).

DDoS operations overload online services, rendering them inaccessible, and are often accompanied by website defacements and data leaks to maximise disruption during crises.

The pro-Iranian hacker group’s attacks on Israel peaked on June 16, the day after the Israeli military’s “massive strike” against multiple Iranian weapons production sites, including surface-to-surface missile production sites, detection radar bases and surface-to-air missile launchers in Tehran.

The targets were mainly concentrated in the Israeli government and public sector, national defense, aerospace, education and other industries.

The war in disguise: fought with malicious code

Alongside tanks and war machinery, another kind of war is being waged simultaneously: cyber warfare. This is unconventional warfare with no borders and no clear enemy. Everything is done in disguise to create more sensation and instil fear. It is conducted either by state-sponsored espionage units or by individual groups, both of which pose a challenge to national security.

Sometimes this kind of cyber-attack is fatal, as malicious code in any application can damage the system. Imagine doctors unable to open the files they need to check a patient’s history on time because a swarm of malicious code has been pushed into their system; the resulting delay in starting treatment is life-threatening for the patient.

Malicious code threats are hidden in software and mask their presence to evade detection by traditional security technologies.

Once threat actors push encrypted malicious code into an organization’s network, they can move into the network and email systems, flood them with email messages, steal data such as passwords and even reformat hard drives.

Hacktivists are now more empowered, and cyber warfare is now fought in disguise to exert influence and destabilize adversaries. Many methods used by Iran in destructive cyber attacks mirror those used by large ransomware groups, such as abusing vulnerabilities in VPN applications to gain entry. 

Emergence of New Axis in Cyber warfare

Countries that lack a resilient cyber security infrastructure, and organizations that are particularly fragile, are soft targets and become unintended battlegrounds in the global cyber war.

They make easy victims, whether through hacking, data theft, cyber extortion or, sometimes, a major cyber-attack that can sabotage their government systems.

If your capability to provide an effective defense suffers, remaining vulnerable becomes the default, and credibility is slowly lost.

Whether for an organization or a country, this growing disparity in cyber defense capacity has emerged as a new axis of global inequality and a thriving ground for threat actors.

The wave of cyber activity in the present Iran-Israel war highlights how modern conflicts extend beyond physical battlegrounds. Attacks on infrastructure underline the strategic importance of digital resilience.

Iranian state-sponsored hackers, particularly the APT35 group (also known as Charming Kitten), reportedly used AI to enhance their cyberattacks.

According to Check Point, these operations targeted Israeli cybersecurity experts, computer scientists, and tech executives with sophisticated phishing attempts. The attackers used fake messages and emails designed to trick people into sharing sensitive information, along with realistic decoys and fake login pages mimicking Google’s. 

Here are recommendations to secure your networks against cyber-attacks carried out in disguise, and to improve organizational resilience.

  • First, have clear visibility across your network and its traffic flows; without visibility it is not possible to stop an attack. You cannot defend against an enemy you cannot see. Once you have visibility, you can see across the threat landscape in your network and gather intelligence.
  • With the insights gathered, it is time to turn them into action and understand the tactics employed by threat actors. These insights are the key to setting up a proactive defense.
  • Bring Intrucept in as part of your security team. We are here to assist you when you need a deeper understanding of evolving threats and ways to mitigate them. Our next-gen SIEM is a comprehensive Security Information solution: it gathers information, interprets it and centralizes all security data for the organization.

For visibility, Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack.

  • Simplify your workflows with Intru360, which automatically handles alerts and allows faster detection of both known and unknown threats.
  • When it comes to the cyber security threats most organizations face, one needs to have confidence in the threat intelligence one uses.
  • Once you are able to identify the latest threats, you no longer have to purchase, implement and oversee several solutions or manage a team of security analysts; it becomes easier. You save time and reduce complexity while researching threats.

In the end, it is not only the government’s responsibility to respond to, or remain alert to, cyber attacks and hackers’ foul play.

The present decade will witness more cyber wars fought in parallel whenever two nations go to war with each other, each deploying different AI-driven tools in their attacks. It is high time to stay alert and practise safe cyber security measures at the individual and enterprise level.

Sources: Reflections of the Israel-Iran Conflict on the Cyber World – SOCRadar® Cyber Intelligence Inc.

https://8am.media/eng/the-role-of-cyber-warfare-in-shaping-global-power-dynamics/#