Plus: An investigation reveals how US tech companies reportedly helped build China’s sweeping surveillance state, and two more alleged members of the Scattered Spider hacking group were arrested.

New findings this week showed that a misconfigured platform used by the Department of Homeland Security left sensitive national security information—including data related to the surveillance of Americans—exposed and accessible to thousands of people. Meanwhile, 15 New York officials were arrested by Immigration and Customs Enforcement and the New York Police Department this week in or around 26 Federal Plaza—where ICE detains people in what courts have ruled are unsanitary conditions.

Russia conducted conspicuous military exercises testing hypersonic missiles near NATO borders, stoking tensions in the region after the Kremlin had already recently flown drones into Polish and Romanian airspace. Scammers have a new tool for sending spam texts, known as “SMS blasters,” that can send up to 100,000 texts per hour while evading telecom company anti-spam measures. Scammers deploy rogue cell towers that trick people's phones into connecting to the malicious devices so they can send the texts directly and bypass filters. And a pair of flaws in Microsoft's Entra ID identity and access management system, which have been patched, could have been exploited to access virtually all Azure customer accounts—a potentially catastrophic disaster.

WIRED published a detailed guide this week to acquiring and using a burner phone, as well as alternatives that are more private than a regular phone but not as labor-intensive as a true burner. And we updated our guide to the best VPNs

But wait, there’s more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

****The “Shai-Hulud” Worm Is Eating Its Way Through Hundreds of Software Packages****

The cybersecurity world has seen, to its growing dismay, plenty of software supply-chain attacks, in which hackers hide their code in a legitimate piece of software so that it’s silently seeded out to every system that uses that code around the world. In recent years, hackers have even tried linking one software supply-chain attack to another, finding a second software developer target among their victims to compromise yet another piece of software and launch a new round of infections. This week saw a new and troubling evolution of those tactics: a full-blown self-replicating supply-chain attack worm.

The malware, which has been dubbed Shai-Hulud after the Fremen name for the monstrous Sandworms in the sci-fi novel _Dune_ (and the name of the Github page where the malware published stolen credentials of its victims), has compromised hundreds of open source software packages on the code repository Node Packet Management, or NPM, used by developers of Javascript. The Shai-Hulud worm is designed to infect a system that uses one of those software packages, then hunt for more NPM credentials on that system so that it can corrupt another software package and continue its spread.

By one count, the worm has spread to more than 180 software packages, including 25 used by the cybersecurity firm CrowdStrike, though CrowdStrike has since had them removed from the NPM repository. Another count from cybersecurity firm ReversingLabs put the count far higher, at more than 700 affected code packages. That makes Shai-Hulud one of the biggest supply-chain attacks in history, though the intent of its mass credential-stealing remains far from clear.

****How US Tech Firms Helped Build China’s Panopticon****

Western privacy advocates have long pointed to China’s surveillance systems as the potential dystopia awaiting countries like the United States if tech industry and government data collection goes unchecked. But a sprawling Associated Press investigation highlights how China’s surveillance systems have reportedly been largely built on US technologies. The AP’s reporters found evidence that China’s surveillance network—from the “Golden Shield” policing system that Beijing officials have used to censor the internet and crack down on alleged terrorists to the tools used to target, track, and often detain Uyghurs and the country’s Xinjiang region—appear to have been built with the help of American companies, including IBM, Dell, Cisco, Intel, Nvidia, Oracle, Microsoft, Thermo Fisher, Motorola, Amazon Web Services, Western Digital, and HP. In many cases, the AP found Chinese-language marketing materials in which the Western companies specifically offer surveillance applications and tools to Chinese police and domestic intelligence services.

**Two Alleged Members of Scattered Spider Hacking Crew Arrested**

Scattered Spider, a rare hacking and extortion cybercriminal gang based largely in Western countries, has for years unleashed a trail of chaos across the internet, hitting targets from MGM Resorts and Caesar’s Palace to the Marks & Spencer grocery chain in the United Kingdom. Now two alleged members of that notorious group have been arrested in the UK: 19-year-old Thalha Jubair and 18-year-old Owen Flowers, both charged with hacking the Transport for London transit system—reportedly inflicting more than $50 million in damage—among many other targets. Jubair alone is accused of intrusions targeting 47 organizations. The arrests are just the latest in a string of busts targeting Scattered Spider, which has nonetheless continued a nearly uninterrupted string of breaches. Noah Urban, who was convicted on charges related to Scattered Spider activity, spoke from jail to Bloomberg Businessweek for a long profile of his cybercriminal career. Urban, 21, has been sentenced to a decade in prison.

A Dangerous Worm Is Eating Its Way Through Software Packages

This edition pulls the curtain aside to show the realities of the VPN Filter campaign. Joe reflects on the struggle to prevent burnout in a world constantly on fire.

Thursday, September 18, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

This is gonna be a tough read. I’m sorry. Believe it or not, it’s even tougher for me to write. I want to talk about what it costs to be in the cybersecurity profession. Not money or time, but potentially your health, both mentally and physically. I want to move the curtain aside and show you an inside look at what happens to people when the pressure is high and the desire to succeed is not only essential, but sometimes even life and death. 

So, story time. 

Seven years ago, Cisco Talos disclosed a novel and new threat campaign: VPN Filter. VPN Filter was a small office/home office (SOHO) device botnet that had many new things we’d never seen before in SOHO devices: infection persistence past device reboot, modularity, victimology, and perhaps most importantly, the (later) attribution to the Russian threat actor APT28 (aka Sandworm). The platform also featured a kill switch, a module designed to cover the tracks and or destroy a device infected with VPN Filter. This could be executed en masse, if they desired. This was a methodical, clever and well-structured campaign to attack unpatched and/or vulnerable devices all over the world for state cyber operations. As I look back at that time, it was (and still is) a marvel of tradecraft and offensive cyber operations. 

Put yourself in our position at Talos. We’ve just discovered a massive campaign by a notorious threat actor. We all know what this is, who this is, and what the consequences could be — and the threat actor had a massive head start on us. We absolutely couldn’t screw this up. If we tipped our hand via our research, the threat actor might get spooked and just burn the whole thing down with the kill switch. The stakes were very high. 

We spent months reversing and analyzing the malware, the victimology, infrastructure, and understanding the scale and scope of what VPN Filter did and potentially could do. The more we peeled things back, the more ominous the implications and the harder we worked. 

As the weeks turned into months, the hours we worked grew longer and longer, and the stress began to take its toll on all of us. The raw enormity of the tasks of analyzing and responding to VPN Filter and the stress of being stealthy begin to extract a price from us personally. Attitudes grew sour, relationships frayed, and some were rent asunder completely. For me, personally, it was a very dark time and would cost me dearly – I would exit people management into an individual contributor role that I still inhabit to this day. 

In the end, the threat actor forced us to into action. We had always theorized a “break glass” moment when the threat actor might hit the gas pedal and we would have to alert the world. One day we saw a massive spike in infections in Ukraine, and we disclosed to the world VPN Filter. We still had so many unanswered questions but had no choice when we saw the spike. In a way, it was a mercy. We had long since hit our limit and were just all collectively cooked and demoralized. I know I was, and it deeply affected my relationships and career, the reverberations of which I still feel to this day.  

I’m often asked by new or potential security practitioners, “Joe, what’s a cool hacker story?!” I have plenty of those, and VPN Filter is certainly one of them. But rarely does anyone want to hear the worst days of our lives. The tales of burnout and stress. Of the long hours and constant work. There is _always_ a breach happening somewhere, your company is _always_ under attack, there is _always_ a story of a someone getting hacked and sometimes people are even hurt or killed. This cadence takes a toll – from events like VPN Filter, to being in a SOC – it’s all the same. No matter where you work, we are here to keep our customers, constituents, and communities safe from some real assholes out there. It is about fighting the good fight, and the fight never stops.  

So, what can we do about it? How can you avoid being me in the middle of VPN Filter? 

1.  **Learn and enforce boundaries.** You must make space and time for you and firmly enforce that space and time. If that means disabling after hours comms, then do so, and do so guilt free. You must look after yourself. 
2.  **Peer support.** Whether it's a therapist, a colleague, or a Slack/Discord/Bsides where you can share and vent with others in the same boat as you, you must reduce the sense of isolation this career space can give you. Others are looking for the same thing and happy to listen and share. Celebrate your wins with people who are eager to reciprocate.  
3.  **Unplugged self-care.** This is tough, and I’m not great at it. Exercise, paint, work in your garden and do something unrelated to your job. Put down the hell rectangle that is your phone and unplug from the news and social media. 
4.  **Mandatory decompression/vacation.** After an incident, be it VPN Filter or a breach, leaders: _look after your people._ Recognize burnout and push your directs into some enforced downtime so they can recover. At a minimum, rotate them into a less stressful role so they can take a break. It’s your responsibility to care for those who work hard for you. 

Responding after the event is just as important as responding to the event itself. Every breach, VPN Filter-like event, or emergency is an opportunity to reflect on the cost to your health and evaluate what you can do to help yourself and others. This is a tough gig sometimes, but it’s a calling we love. Just take care of yourself and each other, ya hear?

**The one big thing **

In Talos' latest blog post, we break down why having a Cisco Talos Incident Response (IR) Retainer is a game-changer for any organization facing today’s nonstop cyber threats. With a Talos IR Retainer, you get direct access to our expert team, 24/7 emergency support, and tailored plans that keep everyone — from IT to leadership — on the same page. You’ll also benefit from continuous threat intelligence and real-world guidance to help your organization bounce back stronger after any incident. 

**Why do I care? **

Our team helps you hunt threats before they escalate, assess your readiness and improve your security posture over time. If a cyber incident hits, having a trusted partner already in place means you’re prepared to act decisively, with clear roles, tested procedures and experts ready to back you up every step of the way. 

**So now what? **

Think about securing a Talos IR Retainer to make sure you’ve got experts on speed dial and your defenses are always up to date. Reach out to us to schedule a tabletop exercise or to talk through how prepared your organization really is.

**Top security headlines of the week **

**New VoidProxy phishing service bypasses MFA on Microsoft and Google accounts**   
An attack typically begins with a deceptive email sent from a compromised account of legitimate email service providers, like Constant Contact, Active Campaign or NotifyVisitors. (Hack Read) 

**Shai-Hulud supply chain attack: Worm used to steal secrets, 180+ npm packages hit**   
The self-spreading potential of the malicious code will likely keep the campaign alive for a few more days. To avoid being infected, users should be wary of any packages that have new versions on npm but not on GitHub, and pin dependencies. (SecurityWeek) 

**Google nukes 224 Android malware apps behind massive ad fraud campaign**   
The apps were downloaded over 38 million times and employed obfuscation and steganography to conceal the malicious behavior from Google and security tools. (Bleeping Computer) 

**Former FinWise employee may have accessed nearly 700K customer records**   
Nearly 700,000 FinWise Bank customers are being notified after a former employee may have accessed or taken personal data post-employment. The incident went undetected for over a year. (The Register)

**Can’t get enough Talos? **

*   **Alex Ryan: From zero chill to quiet confidence**   
    Discover how a Cisco Talos Incident Response expert transitioned from philosophy to the high-stakes, emotionally intense world of incident command, and the advice that she has for aspiring cybersecurity professionals. 
*   **Beers with Talos: How to ruin an APT's day**   
    The B-Team is joined by Sara McBroom from Talos’ nation-state threat intelligence and interdiction team. Sara shares her journey from a liberal arts major to tracking some of the world’s most advanced adversaries. 
*   **Tampered Chef: When malvertising serves up infostealers**   
    Imagine downloading a PDF Editor tool from the internet that works great... until nearly two months later, when it quietly steals your credentials. Nick Biasini explains how cybercriminals are investing in "malvertising" and challenges in defense.

**Upcoming events where you can find Talos **

*   LABScon (Sept. 17 – 20) Scottsdale, AZ 
*   VB2025 (Sept. 24 – 26) Berlin, Germany 
*   Wild West Hackin' Fest (Oct. 8 – 10) Deadwood, SD

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: executable.exe   
Claimed Product: N/A     
Example Filename:0a0dc0e95070a2b05b04c2f0a049dad8\_1\_Exe.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**    
MD5: 85bbddc502f7b10871621fd460243fbc    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610    
Typical Filename: nwx3hgsl.exe   
Claimed Product: Self-extracting archive   
Detection Name: W32.41F14D86BC-100.SBX.TG 

**SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe**    
MD5: bf9672ec85283fdf002d83662f0b08b7    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe    
Typical Filename: werrx01USAHTML   
Claimed Product: N/A   
Detection Name: W32.C0AD494457-95.SBX.TG 

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**    
MD5: aac3165ece2959f39ff98334618d10d9    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974    
Typical Filename: ~3B6A.tmp   
Claimed Product: N/A   
Detection Name: W32.Injector:Gen.21ie.1201 

**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**   
MD5: 7bdbd180c081fa63ca94f9c22c457376    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Typical Filename: img001.exe   
Claimed Product:   
Detection Name: Win.Dropper.Miner::95.sbx.tg

Put together an IR playbook — for your personal mental health and wellbeing

Palo Alto, California, 18th September 2025, CyberNewsWire

**Palo Alto, California, September 18th, 2025, CyberNewsWire**

SquareX first discovered and disclosed Last Mile Reassembly attacks at DEF CON 32 last year, warning the security community of 20+ attacks that allow attackers to bypass all major SASE/SSE solutions and smuggle malware through the browser. Despite responsible disclosures to all major SASE/SSE providers, no vendor has made an official statement to warn its customers about the vulnerability in the past 13 months – until two weeks ago. 

As more attackers are leveraging Last Mile Reassembly techniques to exploit enterprises, SASE/SSE vendors are beginning to recognize that proxy solutions are no longer sufficient to protect against browser based attacks, with Palo Alto Networks being the first to publicly acknowledge that Secure Web Gateways are architecturally unable to defend against Last Mile Reassembly attacks. In the press release, Palo Alto Networks recognized the attack as “encrypted, evasive attacks that assemble inside the browser and bypass traditional secure web gateways.” The release also recognized that “the browser is becoming the new operating system for the enterprise, the primary interface for AI and cloud applications. Securing it is not optional.”

This marks a watershed moment in cybersecurity where a major incumbent SASE/SSE vendor publicly admits the fundamental limitations of Secure Web Gateways (SWGs) and acknowledges the critical importance of browser-native security solutions – exactly what SquareX has been advocating since pioneering this research.

**What are Last Mile Reassembly Attacks?**

Last Mile Reassembly attacks are a class of techniques that exploit architectural limitations of SWGs to smuggle malicious files through the proxy layer, only to be reassembled as functional malware in the victim’s browser. In one technique, attackers break the malware into different chunks. Individually, none of these chunks trigger a detection by SWGs. Once they bypass proxy inspection, the malware is then reassembled in the browser. 

In another example, attackers smuggle these malicious files via binary channels like WebRTC, gRPC and WebSockets. These are common communication channels used by web apps like video conferencing and streaming tools, but are completely unmonitored by SWGs. In fact, many SWGs publicly admit this on their website and recommend their customers disable these channels.

In total, there are over 20 such techniques that completely bypass SWGs. While Palo Alto Networks is the first to publicly admit this limitation, SquareX has demonstrated that all major SASE/SSE vendors are vulnerable and have been in touch with multiple solutions as part of responsible disclosures and to discuss alternative protection mechanisms. 

**Data Splicing Attacks: Exfiltrating Data with Last Mile Reassembly Techniques**

Since the discovery of Last Mile Reassembly Attacks, SquareX’s research team conducted further research to see how attackers can leverage these techniques to steal sensitive data. At BSides San Francisco this year, SquareX’s talk on Data Splicing Attacks demonstrated how similar techniques can be used by insider threats and attackers to share confidential files and copy-paste sensitive data in the browser, completely bypassing both endpoint DLP and cloud SASE/SSE DLP solutions. In fact, there has been an emergence of P2P file sharing sites that allow users to send any file with no DLP inspection.

**The Year of Browser Bugs: Pioneering Critical Browser Security Research**

As the browser becomes one of the most common initial access points for attackers, browser security research plays a critical role in understanding and defending against bleeding edge browser-based attacks. Inspired by the impact of Last Mile Reassembly, SquareX launched a research project called The Year of Browser Bugs, disclosing a major architectural vulnerability every month since January. Some seminal research include Polymorphic Extensions, a malicious extension that can silently impersonate password managers and crypto wallets to steal credentials/crypto and Passkeys Pwned, a major passkey implementation flaw disclosed at DEF CON 33 this year. 

> “Research has always been a core part of SquareX’s DNA. We believe that the only way to defend against bleeding edge attacks is to be one step ahead of attackers. In the past year alone, we’ve discovered over 10 zero day vulnerabilities in the browser, many of which we disclosed at major conferences like DEF CON and Black Hat due to the major threat it poses to organizations,” says Vivek Ramachandran, the Founder of SquareX, “Palo Alto Networks’ recognition of Last Mile Reassembly attacks represents a major shift in incumbent perspectives on browser security. At SquareX, research has continued to inform how we build browser-native defenses, allowing us to protect our customers against Last Mile Reassembly attacks and other novel browser-native attacks even before we disclosed the attack last year.”

As part of their mission to further browser security education, SquareX collaborated with CISOs from major enterprises like Campbell’s and Arista Networks to write The Browser Security Field Manual. Launched at Black Hat this year, the book serves as a technical guide for the cybersecurity practitioners to learn about bleeding edge attacks and mitigation techniques. 

**Fair Use Disclaimer**

This site may contain copyrighted materials (including but not limited to the recent press release by Palo Alto Networks dated September 4, 2025), the use of which has not always been specifically authorised by the copyright owner. Such materials are made available to advance understanding of issues related to Last Mile Reassembly attacks which shall constitute a “fair use” of any such copyrighted material as provided for under the applicable laws. If you wish to use copyrighted material from this site for purposes of your own that go beyond fair use, you must obtain permission from the respective copyright owner.

**About SquareX**

SquareX‘s browser extension turns any browser on any device into an enterprise-grade secure browser. SquareX’s industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively defend against browser-native threats including Last Mile Reassembly Attacks, rogue AI agents, malicious extensions and identity attacks. Unlike dedicated enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, delivering security without compromising user experience. Users can find out more about SquareX’s research-led innovation at www.sqrx.com.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

Palo Alto Networks Acknowledges SquareX Research on Limitations of SWGs Against Last Mile Reassembly Attacks

Discover how a Cisco Talos Incident Response expert transitioned from philosophy to the high-stakes world of incident command, offering candid insights into managing burnout and finding a supportive team.

Thursday, September 18, 2025 06:00

Welcome to another episode of Humans of Talos, our ongoing video interview series that celebrates the people powering Cisco’s threat intelligence efforts. In each episode, we dive deep into the personal journeys, motivations and lessons learned from the team members who help keep the internet safe.

This time, we sit down with Alex Ryan, a seasoned Incident Commander from Cisco Talos Incident Response. Read (or watch) on to hear her candid reflections on the emotional intensity of incident response, the critical role of a supportive team in preventing burnout, and invaluable advice for aspiring cybersecurity professionals.

**Amy Ciminnisi: Alex, you were recently on the Beers with Talos podcast, and during that, we learned that you have two liberal arts degrees, but you found yourself really loving how machines and systems worked, and then you work your way through the cybersecurity ranks. I'd love to know: What brought you to Talos?**

Alex Ryan: During my career inside companies doing incident response, vulnerability management, and risk management, Talos Intelligence was often one of my sources. I often looked at intelligence from vendors who were using their own datasets to generate the finished intelligence, rather than those who just took whatever intelligence was already out there, re-mashed it, and enriched it a bit. I have a lot of respect for Talos from using them as a source for guiding how I would do incident response and prioritize my defenses and things like that. When the opportunity came up to join Cisco Talos Incident Response as an Incident Commander, it was that reputation (and having used their material for so long which showed that there was really good quality people and research being done) that put this job at the top of my list of choices.

**AC: You have a very difficult job as an Incident Commander, acting as the point person in situations where people are possibly going through the worst days of their careers. What's something about your day-to-day role that people might be surprised by or interested in?**

AR: Incident response is a very high pressure situation to be in. You need to exude quiet confidence and build a trust relationships quickly with your customer. But on the back end, things can be chaotic: trying to get access to machines, trying to find the _right_ machines. "Do we have the right IOCs?" "What is this thing? Let me reverse engineer it." Trying to distill all of that activity into larger topics and give progress to the customer on it is critical.

It's also high risk for the business being impacted. I think that there was a statistic at one point that about 70% of small to medium businesses that paid the ransom after being compromised went out of business within a year, because the ransom was such a financial hit that they just couldn't absorb that kind of impact. So while the customer is trying to not freak out, I'm trying to exude quiet confidence while managing the forensics analysis activity. Trying to balance all of that is quite difficult, so incident response has a very high burnout rate.

After I came back from raising my children, it took me about two years to detox completely from incident response. I was _really_ high strung, and I had no chill. _Zero_ chill. I had to learn how to say no and how to prioritize my family over this hero complex that I was having at work. I would say I'm a much more well-rounded person now, and perhaps I'm better at my job because of that.

_Want to see more?_ _Watch the full interview__, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos!_

Alex Ryan: From zero chill to quiet confidence

With a Cisco Talos IR retainer, your organization can stay resilient and ahead of tomorrow's threats. Here's how.

**Why a Cisco Talos Incident Response Retainer is a game-changer**

Wednesday, September 17, 2025 06:00

In today’s hyper-connected world, cyber attacks are not a matter of if but when. Ransomware, phishing and data breaches dominate headlines. For any organization, the stakes are high and the impact can be wide. A cybersecurity breach can impact your organization’s ability to conduct normal business, damaging its reputation, reducing revenue, and disrupting operations. 

A Cisco Talos Incident Response (Talos IR) Retainer is a strategic investment that empowers your entire organization to stay resilient and ahead of tomorrow’s threats. Here’s how a Talos IR Retainer can strengthen your organization’s security and ensure peace of mind.

**What is a Cisco Talos IR Retainer? **

A Talos IR Retainer offers a direct line to Cisco’s top cybersecurity specialists, ensuring both proactive protection and swift response to cyber threats. Backed by Cisco Talos global threat intelligence and hundreds of threat intelligence researchers, it equips organizations to prevent, respond to, and recover from cyber incidents efficiently. From tailored incident response plans to 24/7 emergency support, the retainer is a lifeline in a threat landscape that never sleeps.

We have just released a series of short videos that explain the full range of Talos IR services. Check out the playlist here, or start by watching the Emergency Response video below:

**Benefits to the entire organization **

A Cisco Talos IR Retainer is not only designed to benefit your IT teams, but it’s a catalyst for building organization-wide resilience. Here is how Talos IR delivers value to clients’ stakeholders:  

1.  **Risk mitigation and cost savings**   
    Talos IR enables customers to respond swiftly to cyber threats and supports them through recovery efforts, minimizing downtime, costs, and regulatory risks 
2.  **Reputation protection**   
    A retainer equips leadership with strategic response plans and expert guidance, ensuring preparedness, demonstrating due diligence, and preserving stakeholder confidence during critical incidents. 
3.  **Organization-wide alignment**   
    A cybersecurity retainer ensures that your legal, human resources, information technology, and leadership teams are aligned before a threat strikes. Defined responsibilities and structured playbooks, plans, and tabletop exercises eliminate ambiguity and drive faster, more efficient incident response and recovery. Talos IR is there to create and review existing policies and make sure you are prepared at various levels.

**Bolstering organizational security **

A Talos IR Retainer transforms your organization’s security posture from reactive to proactive. Our job is to take you though the lifecycle of an incident and build up long-term resilience to cybersecurity attacks. We do this by delivering various engagements, such as: 

*   **Proactive Threat Hunting**   
    Using the PEAK Framework (Prepare, Execute, Act with Knowledge), Talos IR specialists proactively hunt for threats before they escalate, leveraging real-time intelligence to stay ahead of adversaries. 
*   **Customized preparedness**   
    Tailored IR plans, playbooks, and readiness assessments address your organization’s unique risks and evaluates the current state of its cybersecurity preparations.  
*   **Continuous improvement**   
    Post-incident reports and ongoing collaboration identify gaps and recommend long-term strategies, ensuring that security evolves with the threat landscape. 
*   **Vendor-agnostic integration**   
    Talos IR works with existing security tools, maximizing investments and enhancing detection and response capabilities in place. If needed, we can always deploy additional Cisco technology to help with an investigation. 
*   **Intelligence-driven defense**   
    Access to Talos’ global threat intelligence, updated in real time, ensures your organization is armed with the latest insights on adversary tactics, techniques, and procedures (TTPs). 

**What it means to have IR specialists on speed dial **

Having Talos IR specialists on call is like having an elite SWAT team for cybersecurity. Here is what Talos IR provides for your organization: 

*   **Rapid response, 24/7**   
    With a retainer, Cisco Talos IR specialists mobilize within hours of an incident, isolating threats and minimizing damage. This speed is critical, as every minute counts when containing ransomware or a data breach. 
*   **Expert guidance**   
    The Talos IR team brings unmatched expertise, analyzing adversary TTPs and providing actionable recommendations across many verticals and industries. 
*   **Tailored support**   
    Specialists collaborate with your teams, aligning response efforts with your business priorities. Whether coordinating with legal or PR, they ensure a cohesive strategy. 
*   **Peace of mind**   
    Knowing experts are a call away reduces stress for your executives and IT teams. Priority access means your organization is never left waiting during a crisis. 
*   **Post-Incident Review**   
    Talos IR delivers comprehensive reports that detail root causes, remediation steps, and preventive measures, turning incidents into opportunities for increased cybersecurity and prevention of future incidents.

**Real-world impact **

Our customers trust us to bring the expertise and knowledge they need to navigate their most challenging days with confidence.  Read about our work with Veradigm and how we made a difference during a Qakbot attack here. 

**Take the next step **

A Cisco Talos IR Retainer is a shield against cyber chaos. It strengthens your cybersecurity and ensures rapid recovery with specialists just a call away. Here’s how to get started: 

*   **Secure a Retainer**: Lock in priority access to proactive and emergency services. 
*   **Schedule a Tabletop Exercise**: Test your preparedness with tailored scenarios to fit your environment. 
*   **Explore** **our website****:** Access quarterly trends and learn more about Talos and what we do to secure our clients.

Why a Cisco Talos Incident Response Retainer is a game-changer

In a world where threats are persistent, the modern CISO’s real job isn't just to secure technology—it's to preserve institutional trust and ensure business continuity.
This week, we saw a clear pattern: adversaries are targeting the complex relationships that hold businesses together, from supply chains to strategic partnerships. With new regulations and the rise of AI-driven attacks, the

⚡ Weekly Recap: Bootkit Malware, AI-Powered Attacks, Supply Chain Breaches, Zero-Days & More

Thor examines why supply chain and identity attacks took center stage in this week’s headlines, rather than AI and ransomware.

Thursday, September 11, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

I took a two-week vacation (thanks to Bill for covering my author shift last week) and made the deliberate choice to leave my laptop behind. No emails, IMs, no IT at all. Thank you, European work culture! It was a complete break. 

Well, almost. 

The weather didn’t always cooperate, so instead of freezing on a beach, I found myself catching up on TV — mostly news and a few series. But wherever I clicked, I just couldn’t escape the daily dose of AI. What can we do about invasive mosquitos? Ask AI. Government doesn’t move the needle? Ask AI. Want the weather forecast? AI, obviously. There are countless ads with people asking AI whether or not to wear a jacket “because it might rain.” Even with your favorite TV shows, gone are the days when the hoodied hacker sits in front of a black terminal with green text running a dangerous (haha) ping or nmap. Now, they're writing lines like, “Did you try breaking the firewall with our latest AI algorithm, bro?” 

Coming back to work and catching up on our industry news, I almost expected AI to be dominating the headlines. But it wasn't, and neither was ransomware. Instead, they were all about breaches. Many — but not all — reports referenced compromised OAuth tokens linked to Salesloft’s Drift integration, with a notable number of high-profile victims. Sure, this isn’t a scientific or qualitative analysis (ransomware isn’t disappearing anytime soon), but the reporting and the headlines have definitely shifted from one to the other. 

Looking past the buzzwords and catchphrases, the headlines really boiled down to two main themes: supply chain and identity attacks. In a SaaS world, I think it’s time to rethink their definitions and priority levels. 

Why? First, supply chain attacks aren’t limited to hardware or software anymore. We need to consider the datapath (or where data possibly is processed) as a key part of the supply chain. 

Second, identity attacks don’t just target users; interconnected applications are increasingly at risk, too. I’m not saying we can ignore the users, especially with current reporting that it started with access through a GitHub account or software vulnerabilities in our “classic” applications, but we absolutely need to broaden our focus. Last week’s headlines made that clear. 

**The one big thing **

Cisco Talos’ latest blog post details the Cyber Threat Intelligence Capability Maturity Model (CTI-CMM), a framework that helps organizations assess and enhance their cyber threat intelligence programs across 11 key domains. By outlining clear maturity levels and improvement cycles, CTI-CMM can help your team benchmark your current capabilities and develop a strategy for continuous (and practical) growth. 

**Why do I care? **

Understanding and improving your CTI program’s maturity can help your organization better anticipate, detect, and respond to cyber threats, no matter your budget or staffing level. It also makes the security investments you do have more effective, and ensure your team’s efforts are aligned with business priorities.  

**So now what? **

Check out the CTI-CMM framework to assess where your organization stands, identify gaps and opportunities, and create a roadmap to practical improvements for your organization.

**Top security headlines of the week **

**Huge NPM supply chain attack goes out with whimper**   
A supply chain attack involving multiple NPM packages had the potential to be one of the most impactful security incidents in recent memory, but such fears seemingly have proved unrealized. (Dark Reading) 

**Swiss Re warns of rate deterioration in cyber insurance**   
Increased competition among insurers has led to a third consecutive year of reduced rates, according to the report, as the available supply of cyber coverage has exceeded current demand. (Cybersecurity Dive) 

**Critical SAP vulnerability actively exploited by hackers**   
A critical security flaw has been found in several SAP products, and could allow a malicious actor to gain administrator-level control. (HackRead)

**No gains, just pains: 1.6M fitness phone call recordings exposed**   
Sensitive info from hundreds of thousands of gym customers and staff was left sitting in an unencrypted, non-password protected database. Audio recordings spanned from 2020 to 2025. (The Register)

**US offers $10M reward for Ukrainian ransomware operator**   
Volodymyr Tymoshchuk allegedly hit hundreds of organizations with the LockerGoga, MegaCortex, and Nefilim ransomware families. According to an indictment, the intrusions caused hundreds of millions of dollars in losses. (Security Week)

**China accuses Dior's Shanghai branch of illegal data transfer**   
China's public security authority alleges that Dior's Shanghai branch has transferred customers' personal data to its headquarters in France illegally, leading to a data leak in May. (Reuters)

**Can’t get enough Talos? **

*   **Beers with Talos: How to ruin an APT's day**  
    The B-Team is joined by Sara McBroom from Talos’ nation-state threat intelligence and interdiction team. Sara shares her journey from a liberal arts major to tracking some of the world’s most advanced adversaries.
*   **Who would sign up to secure a network full of hackers?**   
    Our latest video takes you behind-the-scenes at the Black Hat Network Operations Center (NOC) to see how Cisco and SnortML contain the chaos. 
*   **Patch Tuesday for Sept 2025**   
    In this month’s release, Microsoft observed none of the included vulnerabilities being exploited in the wild. However, there are eight vulnerabilities where exploitation may be likely. 
*   **Cisco: 10 years protecting Black Hat**   
    Cisco works with other official providers to bring the hardware, software and engineers to build and secure the Black Hat USA network: Arista, Corelight, Lumen, and Palo Alto Networks.

**Upcoming events where you can find Talos **

*   LABScon (Sept. 17 – 20) Scottsdale, AZ 
*   VB2025 (Sept. 24 – 26) Berlin, Germany 
*   Wild West Hackin' Fest (Oct. 8 – 10) Deadwood, SD

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**     
MD5: 85bbddc502f7b10871621fd460243fbc      
VirusTotal: https://www.virustotal.com/gui/file/41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610/details  
Typical Filename: N/A     
Claimed Product: Self-extracting archive     
Detection Name: Win.Worm.Bitmin-9847045-0 

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507     
Typical Filename: VID001.exe    
Claimed Product: N/A    
Detection Name: Win.Worm.Coinminer::1201 

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**    
MD5: 8c69830a50fb85d8a794fa46643493b2     
VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0    
Typical Filename: AAct.exe     
Claimed Product: N/A     
Detection Name: PUA.Win.Dropper.Generic::1201

Beaches and breaches

Microsoft on Tuesday addressed a set of 80 security flaws in its software, including one vulnerability that has been disclosed as publicly known at the time of release.
Of the 80 vulnerabilities, eight are rated Critical and 72 are rated Important in severity. None of the shortcomings has been exploited in the wild as a zero-day. Like last month, 38 of the disclosed flaws are related to

Microsoft on Tuesday addressed a set of 80 security flaws in its software, including one vulnerability that has been disclosed as publicly known at the time of release.

Of the 80 vulnerabilities, eight are rated Critical and 72 are rated Important in severity. None of the shortcomings has been exploited in the wild as a zero-day. Like last month, 38 of the disclosed flaws are related to privilege escalation, followed by remote code execution (22), information disclosure (14), and denial-of-service (3).

"For the third time this year, Microsoft patched more elevation of privilege vulnerabilities than remote code execution flaws," Satnam Narang, senior staff research engineer at Tenable, said. "Nearly 50% (47.5%) of all bugs this month are privilege escalation vulnerabilities."

The patches are in addition to 12 vulnerabilities addressed in Microsoft's Chromium-based Edge browser since the release of August 2025's Patch Tuesday update, including a security bypass bug (CVE-2025-53791, CVSS score: 4.7) that has been patched in version 140.0.3485.54 of the browser.

The vulnerability that has been flagged as publicly known is CVE-2025-55234 (CVSS score: 8.8), a case of privilege escalation in Windows SMB.

"SMB Server might be susceptible to relay attacks depending on the configuration," Microsoft said. "An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks."

The Windows maker said the update enables support for auditing SMB client compatibility for SMB Server signing as well as SMB Server EPA, allowing customers to assess their environment and detect any potential device or software incompatibility issues before deploying appropriate hardening measures.

"The key takeaway from the CVE-2025-55234 advisory, other than the explanation of the well-known attack surface around SMB authentication, is that this is one of those times where simply patching isn't enough; in fact, the patches provide administrators with more auditing options to determine whether their SMB Server is interacting with clients that won't support the recommended hardening options," Adam Barnett, lead software engineer at Rapid7, said.

Mike Walters, president and co-founder of Action, said the vulnerability stems from the fact that SMB sessions can be established without properly validating the authentication context when key hardening measures, such as SMB signing and Extended Protection for Authentication, are not in place.

"This gap opens the door to man-in-the-middle relay attacks, where attackers can capture and forward authentication material to gain unauthorized access," Walters added. "It can easily become part of a larger campaign, moving from phishing to SMB relay, credential theft, lateral movement, and eventually data exfiltration."

The CVE with the highest CVSS score for this month is CVE-2025-54914 (CVSS score: 10.0), a critical flaw impacting Azure Networking that could result in privilege escalation. It requires no customer action, given that it's a cloud-related vulnerability.

Two other shortcomings that merit attention include a remote code execution flaw in Microsoft High Performance Compute (HPC) Pack (CVE-2025-55232, CVSS score: 9.8) and an elevation of privilege issue affecting Windows NTLM (CVE-2025-54918, CVSS score: 8.8) that could allow an attacker to gain SYSTEM privileges.

"From Microsoft's limited description, it appears that if an attacker is able to send specially crafted packets over the network to the target device, they would have the ability to gain SYSTEM-level privileges on the target machine," Kev Breen, senior director of threat research at Immersive, said.

"The patch notes for this vulnerability state that 'Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network,' suggesting an attacker may already need to have access to the NTLM hash or the user's credentials."

Lastly, the update also remediates a security flaw (CVE-2024-21907, CVSS score: 7.5) in Newtonsoft.Json, a third-party component used in SQL Server, that could be exploited to trigger a denial-of-service condition, as well as two privilege escalation vulnerabilities in Windows BitLocker (CVE-2025-54911, CVSS score: 7.3, and CVE-2025-54912, CVSS score: 7.8).

Microsoft's Hussein Alrubaye has been credited with discovering and reporting both the BitLocker flaws. The two flaws add to four other vulnerabilities (collectively called BitUnlocker) in the full-disk encryption feature that were patched by Microsoft in July 2025 -

*   CVE-2025-48003 (CVSS score: 6.8) - BitLocker Security Feature Bypass Vulnerability via WinRE Apps Scheduled Operation
*   CVE-2025-48800 (CVSS score: 6.8) - BitLocker Security Feature Bypass Vulnerability by Targeting ReAgent.xml Parsing
*   CVE-2025-48804 (CVSS score: 6.8) - BitLocker Security Feature Bypass Vulnerability by Targeting Boot.sdi Parsing
*   CVE-2025-48818 (CVSS score: 6.8) - BitLocker Security Feature Bypass Vulnerability by Targeting Boot Configuration Data (BCD) Parsing

Successful exploitation of any of the above four flaws could allow an attacker with physical access to the target to bypass BitLocker protections and gain access to encrypted data.

"To further enhance the security of BitLocker, we recommend enabling TPM+PIN for pre-boot authentication," Security Testing and Offensive Research at Microsoft (STORM) researchers Netanel Ben Simon and Alon Leviev said in a report last month. "This significantly reduces the BitLocker attack surfaces by limiting exposure to only the TPM."

"To mitigate BitLocker downgrade attacks, we advise enabling the REVISE mitigation. This mechanism enforces secure versioning across critical boot components, preventing downgrades that could reintroduce known vulnerabilities in BitLocker and Secure Boot."

The disclosure comes as Purple Team detailed a new lateral movement technique dubbed BitLockMove that involves the remote manipulation of BitLocker registry keys via Windows Management Instrumentation (WMI) to hijack specific COM objects of BitLocker.

BitLockMove, developed by security researcher Fabian Mosch, works by initiating a remote connection to the target host through WMI and copying a malicious DLL to the target over SMB. In the next phase, the attacker writes a new registry key that specifies the DLL path, ultimately causing BitLocker to load the copied DLL by hijacking its COM objects.

"The purpose of the BitLocker COM Hijacking is to execute code under the context of the interactive user on a target host," Purple Team said. "In the event that the interactive user has excessive privileges (i.e., domain administrator), this could also lead to domain escalation."

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including —

*   Adobe
*   Arm
*   Broadcom (including VMware)
*   Cisco
*   Commvault
*   Dell
*   Drupal
*   F5
*   Fortra
*   FUJIFILM
*   Gigabyte
*   GitLab
*   Google Android and Pixel
*   Google Chrome
*   Google Cloud
*   Google Wear OS
*   Hikvision
*   Hitachi Energy
*   HP
*   HP Enterprise (including Aruba Networking)
*   IBM
*   Ivanti
*   Jenkins
*   Juniper Networks
*   Lenovo
*   Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   Moxa
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NVIDIA
*   QNAP
*   Qualcomm
*   Rockwell Automation
*   Salesforce
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   Sitecore
*   Sophos
*   Spring Framework
*   Supermicro
*   Synology
*   TP-Link, and
*   Zoom

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Microsoft Fixes 80 Flaws — Including SMB PrivEsc and Azure CVSS 10.0 Bugs

After 25 years at the Electronic Frontier Foundation, Cindy Cohn is stepping down as executive director. In a WIRED interview, she reflects on encryption, AI, and why she’s not ready to quit the battle.

Cindy Cohn Is Leaving the EFF, but Not the Fight for Digital Rights

Microsoft has released its monthly security update for September 2025, which includes 86 vulnerabilities affecting a range of products.

Tuesday, September 9, 2025 15:12

Microsoft has released its monthly security update for September 2025, which includes 86 vulnerabilities affecting a range of products.

In this month’s release, Microsoft observed none of the included vulnerabilities being exploited in the wild. However, there are eight vulnerabilities where exploitation may be likely. Five consist of elevation of privileges, two may result in information disclosure and only one, CVE-2025-54916, is a remote code execution (RCE) vulnerability.

CVE-2025-54916 is an RCE vulnerability caused by a stack-buffer overflow in Windows NTFS that allows an authorized attacker to execute code over the network. Microsoft has noted that this vulnerability affects different versions of Windows 10, 11, Server 2008, 2012, 2016, 2019, 2022 and 2025.

CVE-2025-54910 is an RCE vulnerability caused by a heap-based buffer overflow in Microsoft Office that allows an unauthorized attacker to execute code locally. This type of vulnerability is also known as Arbitrary Code Execution (ACE). Microsoft clarifies that the attack itself is carried out locally, and that the location of the attacker can be remote, but the vulnerability must be exploited locally. This vulnerability affects Microsoft 365 Apps, Office 2016, 2019 and LTSC 2021 and 2024. 

CVE-2025-54918 is an elevation of privilege (EoP) vulnerability caused by improper authentication in Windows NTLM that allows an authorized attacker to elevate privileges over a network to gain SYSTEM privileges. This vulnerability affects various versions of Windows including Windows 10, 11, Server 2008, 2012, 2016, 2019, 2022 and 2025.

CVE-2025-54101 is an RCE vulnerability caused by a use-after-free in Windows SMB v3 Client/Server that allows an authorized attacker to execute code over a network. Successful exploitation requires the attacker to win a race condition. This vulnerability affects various versions of Windows including Windows 10, 11, Server 2008, 2012, 2016, 2019 and 2022.

Two RCE vulnerabilities in DirectX Graphics kernel may result in remote code execution: CVE-2025-55226 and CVE-2025-55236. CVE-2025-55226 is caused by concurrent execution using a shared resource and improper synchronization in the Graphics Kernel allowing an authorized attacker to execute code locally. Microsoft also notes that this vulnerability requires an attacker to prepare the target environment to improve exploit reliability. This vulnerability affects various versions of Windows including Windows 10, 11, Server 2008, 2012, 2016, 2019, 2022 and 2025.

CVE-2025-55236 is a time-of-check time-of-use (toctou) race condition in the Graphics Kernel allowing an authorized attacker to execute locally. This vulnerability affects various versions of Windows including Windows 10, 11, Server 2019, 2022 and 2025.

Talos would also like to highlight the following important vulnerabilities as Microsoft has assessed that their exploitation is more likely:

CVE-2025-53803: Windows Kernel Memory Information Disclosure Vulnerability.

CVE-2025-53804: Windows Kernel-Mode Driver Information Disclosure Vulnerability.

CVE-2025-54093: Windows TCP/IP Driver Elevation of Privilege Vulnerability.

CVE-2025-54098: Windows Hyper-V Elevation of Privilege Vulnerability.

CVE-2025-54110: Windows Kernel Elevation of Privilege Vulnerability.

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.   

Snort2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 65327 – 65334.

The following Snort3 rules are also available: 301310 – 301313.

Tag

#cisco