This week we see a continuous rise in EDR-weaponised types of attacks. Another thing that has caught my eye for the last couple of weeks – groups associated with Russia have been more active. Maybe not all of the news has made it to the list, but there has definitely been more to choose from. Like this week, a Russian group claimed responsibility for remotely opening the valves of a Norwegian dam.
P.S. You can get this summary straight into your inbox if you scroll down and subscribe to the newsletter.
1. UK Telecom Provider Colt Reports Cyber Incident Causing Service Outages
Colt Technology Services confirmed a cyber incident on internal systems this week that has left Colt Online and its Voice API platform offline, forcing the company to switch to manual monitoring. Customer infrastructure was not impacted.
Key Details
- Outage affects Colt Online portal and Voice API platform.
- Network monitoring and incident management moved to manual processes.
- Colt reports no compromise of customer infrastructure.
- Status updates available on Colt’s public status page.
Read more at
2. New Crypto24 Ransomware Campaign Can Bypass 30+ EDRs with Custom ‘RealBlindingEDR’ Tool
Trend Micro reports a new Crypto24 ransomware wave that uses a custom RealBlindingEDR variant together with legitimate admin utilities to disable EDR, enabling stealthy lateral movement and data theft. The campaign focuses on large enterprises in finance, manufacturing, entertainment, and tech across Asia, Europe, and the US; RealBlindingEDR can neutralize security callbacks for nearly 30 vendors!
Key Details
- The RealBlindingEDR variant neutralizes security callbacks for nearly 30 vendors.
- Attackers leverage PsExec, AnyDesk, GPScript.exe, and Google Drive for post-compromise activity.
- Campaign targets high-value enterprises in financial services, manufacturing, entertainment, and tech.
Next Steps
- Enable endpoint agent self-protection and anti-tampering features.
- Audit and restrict use of admin tools and scripts (e.g., gpscript.exe).
- Enforce least-privilege access and monitor scheduled tasks for anomalies.
Read more at
3. Cisco Patches CVSS 10.0 RCE in Secure Firewall Management Center RADIUS Authentication
Cisco released patches for a critical CVSS 10.0 vulnerability (CVE-2025-20265) in its Secure Firewall Management Center RADIUS subsystem, which allows unauthenticated remote attackers to inject and execute arbitrary shell commands at high privilege. The flaw affects FMC Software 7.0.7 and 7.7.0 when RADIUS authentication is enabled for web or SSH management, and there is no workaround except applying the update.
Key Details
- CVE-2025-20265 (CVSS 10.0) lets attackers send crafted RADIUS input to run shell commands.
- Affects Secure FMC Software versions 7.0.7 and 7.7.0 with RADIUS on web/SSH interfaces.
- Discovered by Cisco’s Brandon Sakai during internal testing; no known in-the-wild exploits.
- Updates also address multiple high-severity DoS, HTML injection, and buffer overflow flaws.
Next Steps
- Upgrade FMC to patched releases (7.0.8 or 7.7.1) immediately.
- Audit RADIUS authentication settings on management interfaces.
- Embed appliance updates into regular change-management workflows.
Read more at
4. Norwegian Police Link Pro-Russian Hackers to April Dam Sabotage
Norway’s Police Security Service (PST) says pro-Russian hackers breached a small fishery dam control system in April, opening valves for four hours and releasing 500 L/s of water into the Riselva River.
Key Details
- Attackers opened valves remotely for roughly four hours before operators regained control.
- Dam serves fishery purposes; no power-generation impact but high symbolic value in hydropower-reliant Norway.
- Pro-Russian “Z-Alliance” claimed responsibility; PST had warned in February of continued Russia-linked subversion.
- Similar Russia-linked intrusions hit water facilities in Indiana and Texas in 2024–2025.
Read more at
5. Curly COMrades APT Abuses .NET Ngen COM Hijacking in Georgia, Moldova Espionage
A newly identified threat actor, Curly COMrades, has deployed a custom .NET backdoor called MucorAgent to hijack the Native Image Generator (Ngen) COM scheduler and maintain stealthy persistence in judicial and energy networks across Georgia and Moldova.
They targeted NTDS and LSASS credentials, using curl-based C2, Resocks/Stunnel/SOCKS5 proxies, and compromised websites to blend malicious traffic with legitimate activity—all aligned with Russia’s long-term espionage goals.
Key Details
- Active since at least November 2023, tracked by Bitdefender since mid-2024.
- MucorAgent hijacks the Ngen scheduled task via COM CLSID to execute under SYSTEM privileges.
- Operators dumped NTDS database and LSASS memory for credential harvesting.
- Infrastructure uses curl, CurlCat, Resocks, Stunnel, SOCKS5 and compromised sites for low-noise C2.
- Additional tools include RuRat for persistence and Mimikatz for in-memory credential extraction.
Next Steps
- Audit and restrict custom COM CLSID registrations for Ngen tasks.
- Monitor unexpected activation of the .NET Native Image Generator task.
- Block unauthorized curl-based outbound traffic and proxy protocols.
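As an added example (not code from the original post, from Bitdefender, or from the Trend Micro report under item 2), the following PowerShell audit enumerates every scheduled task whose action is a COM handler, which is how the .NET Native Image Generator tasks run, and resolves each handler's CLSID to the DLL that would actually load. It covers the "audit COM CLSID registrations" and "monitor unexpected activation of the Ngen task" steps here and the "monitor scheduled tasks for anomalies" step under item 2. It assumes an elevated session on the host being audited and that the NGEN tasks live under \Microsoft\Windows\.NET Framework\; the per-user hive and the SYSTEM hive are checked first because COM consults them before the machine-wide registration.

```powershell
# Added example, not taken from the original post or from Bitdefender's report.
# Lists scheduled tasks that run through a COM handler and resolves the handler CLSID
# to the DLL that would load, so a hijacked or relocated registration stands out.
# Assumptions: elevated PowerShell on the audited host; NGEN task path as below.

function Resolve-ComHandlerServer {
    param([Parameter(Mandatory)] [string] $ClassId)
    # Order matters: a per-user or SYSTEM-hive registration overrides the HKLM one.
    $candidates = @(
        @{ Hive = 'HKCU';         Path = "HKCU:\Software\Classes\CLSID\$ClassId\InprocServer32" },
        @{ Hive = 'HKU\S-1-5-18'; Path = "Registry::HKEY_USERS\S-1-5-18\Software\Classes\CLSID\$ClassId\InprocServer32" },
        @{ Hive = 'HKLM';         Path = "HKLM:\Software\Classes\CLSID\$ClassId\InprocServer32" }
    )
    foreach ($c in $candidates) {
        if (Test-Path -LiteralPath $c.Path) {
            $dll = (Get-ItemProperty -LiteralPath $c.Path).'(default)'
            $dll = [Environment]::ExpandEnvironmentVariables(([string]$dll).Trim('"'))
            return [pscustomobject]@{ Hive = $c.Hive; Server = $dll }
        }
    }
    return $null
}

function Get-ComHandlerTaskAudit {
    # Assumed location of the .NET Framework NGEN tasks (labelled as an assumption).
    param([string] $NgenTaskPath = '\Microsoft\Windows\.NET Framework\')
    $systemRoot = $env:SystemRoot
    foreach ($task in Get-ScheduledTask) {
        $raw = Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue
        if (-not $raw) { continue }
        [xml]$xml = $raw
        foreach ($handler in @($xml.Task.Actions.ComHandler)) {
            if (-not $handler) { continue }          # task uses Exec actions, not a COM handler
            $clsid    = ([string]$handler.ClassId).Trim()
            $resolved = Resolve-ComHandlerServer -ClassId $clsid
            $flags = @()
            if (-not $resolved) {
                $flags += 'CLSID has no InprocServer32 (dangling registration)'
            } else {
                if ($resolved.Hive -ne 'HKLM')                         { $flags += "resolved from $($resolved.Hive), not HKLM" }
                if (-not (Test-Path -LiteralPath $resolved.Server))    { $flags += 'server DLL missing on disk' }
                if ($resolved.Server -notlike "$systemRoot\*")         { $flags += 'server DLL outside %SystemRoot%' }
            }
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                IsNgen  = ($task.TaskPath -eq $NgenTaskPath)
                State   = $task.State
                ClassId = $clsid
                Hive    = if ($resolved) { $resolved.Hive }   else { '-' }
                Server  = if ($resolved) { $resolved.Server } else { '-' }
                Flags   = ($flags -join '; ')
            }
        }
    }
}

# Usage: NGEN tasks first, then every other COM-handler task on the host.
Get-ComHandlerTaskAudit | Sort-Object IsNgen -Descending | Format-Table -AutoSize
```

Any row whose Flags column is non-empty deserves a look: a handler that resolves from a user hive, points outside the Windows directory, or points at a DLL that no longer exists is the shape a COM hijack of a SYSTEM-level task takes. Run it on a known-clean build first and keep the output as a baseline, so that a later change in the Server column for an NGEN task is itself the alert.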
Read more at
6. Phishing Kits Exploit Downgrade Attack to Circumvent FIDO Authentication
Researchers at Proofpoint demonstrated a proof-of-concept that uses the Evilginx adversary-in-the-middle framework to spoof user-agent strings and force Microsoft Entra ID to downgrade FIDO authentication to weaker MFA methods.
This tactic lets attackers relay valid credentials and one-time codes to obtain session tokens without ever breaking FIDO cryptography. Although not yet seen in the wild, the attack highlights risks for organizations allowing non-FIDO fallback logins.
Key Details
- Evilginx “phishlets” relay real Entra ID pages, avoiding spoof detection.
- Attack spoofs the victim’s browser-OS combo as FIDO-unsupported.
- Entra ID then redirects to password+OTP or SMS, which attackers capture.
- Proofpoint has not observed active exploits of this downgrade in the wild.
Next Steps
- Enforce FIDO-only authentication policies in Microsoft Entra ID.
- Disable SMS and OTP fallbacks for FIDO-enrolled accounts.
- Monitor login user-agent strings for anomalies or proxy relays.
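To make the "monitor login user-agent strings" step concrete, here is an added PowerShell example (not code from the original post or from Proofpoint) that runs the detection over constructed sign-in records. The logic is the one the downgrade implies: a user who has a FIDO2 key registered should not be completing sign-ins with password+OTP or SMS, and a fallback sign-in from a user agent never seen on that user's FIDO2 sign-ins is the strongest signal. The record fields, the method names and the enrolment list are assumptions; in production they would come from the Entra ID sign-in logs and the registered-authentication-method inventory.

```powershell
# Added example (not from the original post or from Proofpoint). Flags sign-ins by
# FIDO-enrolled users that completed with a weaker method, the trace a user-agent
# downgrade would leave. All input below is constructed for the example.

# Constructed inventory: users known to have a FIDO2 security key registered.
$FidoEnrolled = @('alice@example.com', 'bob@example.com')

# Constructed sign-in records (field names are assumptions, not the Entra ID schema).
$SignIns = @(
    [pscustomobject]@{ User='alice@example.com'; AuthMethod='FIDO2';        UserAgent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126'; Ip='203.0.113.10' },
    [pscustomobject]@{ User='alice@example.com'; AuthMethod='Password+OTP'; UserAgent='Mozilla/5.0 (Linux; Android 4.4) Safari/534';           Ip='198.51.100.7'  },
    [pscustomobject]@{ User='bob@example.com';   AuthMethod='FIDO2';        UserAgent='Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) Safari/605'; Ip='203.0.113.22' },
    [pscustomobject]@{ User='bob@example.com';   AuthMethod='SMS';          UserAgent='Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) Safari/605'; Ip='203.0.113.22' },
    [pscustomobject]@{ User='carol@example.com'; AuthMethod='SMS';          UserAgent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/126';     Ip='203.0.113.30' }
)

function Find-FidoDowngrade {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [Parameter(Mandatory)] [string[]] $FidoEnrolled
    )
    # Baseline: user agents each user has used to complete a FIDO2 sign-in.
    $baseline = @{}
    foreach ($s in ($SignIns | Where-Object { $_.AuthMethod -eq 'FIDO2' })) {
        if (-not $baseline.ContainsKey($s.User)) { $baseline[$s.User] = @() }
        $baseline[$s.User] += $s.UserAgent
    }
    foreach ($s in $SignIns) {
        if ($FidoEnrolled -notcontains $s.User) { continue }   # not enrolled: nothing to downgrade
        if ($s.AuthMethod -eq 'FIDO2')          { continue }   # strong path was used
        $newAgent = -not ($baseline[$s.User] -contains $s.UserAgent)
        [pscustomobject]@{
            User       = $s.User
            AuthMethod = $s.AuthMethod
            SourceIp   = $s.Ip
            UserAgent  = $s.UserAgent
            Severity   = if ($newAgent) { 'High' } else { 'Medium' }
            Reason     = if ($newAgent) { 'fallback method from a user agent never seen on a FIDO2 sign-in' }
                         else            { 'fallback method despite FIDO2 enrolment' }
        }
    }
}

# Usage: alice's Android fallback scores High, bob's same-browser SMS fallback Medium, carol is skipped.
Find-FidoDowngrade -SignIns $SignIns -FidoEnrolled $FidoEnrolled | Format-Table -AutoSize
```

The Medium case still matters: once the FIDO-only policy and the fallback disablement from the two preceding steps are in place, any non-FIDO completion for an enrolled user is a policy gap, whatever the user agent looks like.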
Read more at
7. Full ERMAC 3.0 Banking Trojan Infrastructure Exposed in Source Code Leak
Cybersecurity researchers obtained the complete MaaS source code for ERMAC 3.0, revealing its full C2 backend, builder, and Android backdoor. The leak exposes hardcoded secrets, default credentials, and open registrations, offering defenders actionable insights to detect and disrupt active ERMAC campaigns.
Key Details
- Targets over 700 banking, shopping, and crypto apps via form injection.
- Leaked components include PHP/Laravel C2 server, React panel, Go exfil server, Kotlin Android backdoor, and builder tool.
- Malware excludes devices in CIS countries and uses AES-CBC encrypted communications.
- Critical flaws: hardcoded JWT secret, static admin bearer token, default root credentials, open admin registrations.
Next Steps
- Block or monitor traffic to the identified exfiltration endpoint IP.
Read more at
8. Interview Notes About Chrome Enterprise with Director of Product Management at Google
Google is positioning Chrome Enterprise as a secure workspace platform, adding granular Data Loss Protection controls to block or allow downloads, uploads, and printing—safeguarding intellectual property across managed, BYOD, and contractor environments. The solution gives CISOs and IT leaders policy-driven visibility and governance—essential in regulated industries—while preserving user productivity. Later this year, Google will embed its Gemini AI directly in Chrome to enable secure, in-browser automation and insights.
Key Details
- Data Loss Protection (DLP) policies control file downloads, uploads, and printing.
- Supports third-party contractors and BYOD with consistent security rules.
- Customizable Chrome policies help meet regulatory and data-governance requirements.
- Gemini AI integration planned for enterprises later this year to boost productivity.
Read more at
9. FortiSIEM RCE Vulnerability Disclosed as SSL VPN and FortiManager Attacks Spike
Fortinet patched CVE-2025-25256, an unauthenticated OS command injection flaw in FortiSIEM, after proof-of-concept code appeared in the wild. Researchers also reported a multi-wave surge of brute-force and FGFM protocol attacks against SSL VPN and FortiManager, a pattern that historically predicts new vulnerability disclosures within weeks.
Key Details
- CVE-2025-25256 impacts FortiSIEM 5.4–7.3.1 and allows remote code execution via phMonitor port 7900.
- Patches released; flaw generates no distinct indicators of compromise.
- GreyNoise saw ~780 unique IPs brute-forcing SSL VPNs, then pivoting to FortiManager via FGFM.
- 80% of past Fortinet attack spikes preceded a vulnerability disclosure within six weeks.
Next Steps
- Upgrade FortiSIEM to the latest fixed release immediately.
- Restrict phMonitor (port 7900) to known, trusted IP ranges.
- Monitor VPN and FortiManager logs for anomalous FGFM connections.
Read more at
10. Chinese Criminal Groups Use “Ghost-Tapping” for Retail Fraud Money Laundering
Criminal syndicates in Southeast Asia are uploading stolen payment-card data onto burner phones and using hired mules to buy luxury goods in person, then reselling items via Telegram channels.
This "ghost-tapping" technique exploits intercepted one-time passwords and mobile-wallet integrations, creating a new layer of retail-fraud money laundering that evades typical card-not-present controls.
Key Details
- Criminals steal card data via phishing, malware and OTP interception, then load details onto burner phones.
- Devices are sold on Telegram channels (Huione, Xinbi, Tudou Guarantee) to syndicates hiring mules for in-store luxury purchases.
- Singapore reported 656 mobile-wallet credential phishing cases and $1.2 M in losses in Q4 2024, with several arrests tied to retail fraud syndicates.
- UNODC warns of rapid professionalization and regional expansion of scamming and laundering networks.
Next Steps
- Review spend limits on payment cards.
- Enable location-aware security controls on payment cards.
Read more at
11. Critical Privilege Escalation Vulnerability Discovered in Zoom Windows Clients
A critical vulnerability (CVE-2025-49457) in multiple Zoom Windows clients allows unauthenticated attackers to escalate privileges by exploiting an untrusted search path. This flaw requires only minimal user interaction and poses high risks of system takeover, data theft, and service disruption. Organizations using affected Zoom versions must urgently apply supplied patches to prevent exploitation.
Key Details
- The vulnerability has a CVSS score of 9.6, indicating critical severity.
- Affected products include Zoom Workplace, Zoom Workplace VDI, Zoom Rooms, Zoom Rooms Controller, and Zoom Meeting SDK for Windows versions older than 6.3.10.
- Exploitation requires only low-complexity user interaction, such as clicking a malicious link or opening a compromised file, and no prior privileges.
- The root cause involves insecure loading of files via untrusted search paths, enabling attackers to inject malicious DLLs or executables.
Next Steps
- Immediately update all Zoom Windows clients to version 6.3.10 or later.
- Enable automatic Zoom updates to reduce lag in patch deployment.
- Educate users about risks of interacting with unverified links or files.
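For the "update all Zoom Windows clients" step, here is an added PowerShell inventory check (not code from the original post or from Zoom) that lists the Zoom products registered on a host and marks those below the fixed version the advisory names. It assumes Zoom registers under the standard Windows Uninstall keys and that per-user installs sit in each user's own HKCU hive, so for full coverage it is run in each user's context or extended to HKU.

```powershell
# Added example (not from the original post or from Zoom). Reports Zoom installs
# below the fixed version from the advisory. Registry locations are assumptions.

$FixedVersion = [version]'6.3.10'   # advisory: Windows clients older than 6.3.10 are affected

function Get-ZoomInstallStatus {
    param([version] $Fixed = $FixedVersion)
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'   # per-user installs
    )
    foreach ($entry in (Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue)) {
        if ($entry.DisplayName -notlike 'Zoom*') { continue }
        # DisplayVersion may carry a build suffix; keep only the dotted numeric prefix.
        if ($entry.DisplayVersion -notmatch '^\s*(\d+(?:\.\d+){1,3})') { continue }
        $installed = [version]$Matches[1]
        [pscustomobject]@{
            Product    = $entry.DisplayName
            Installed  = $installed
            Hive       = (($entry.PSPath -split '::')[-1]) -replace '\\SOFTWARE.*$', ''
            Vulnerable = ($installed -lt $Fixed)
        }
    }
}

# Usage: one row per Zoom product found; Vulnerable = True means it predates the fix.
Get-ZoomInstallStatus | Format-Table -AutoSize
```

Because the flaw is an untrusted search path, the version column is the whole story: there is no configuration that mitigates it on an unpatched client, so any row marked Vulnerable is a remediation item rather than a risk-acceptance candidate.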
Read more at