For the third or fourth week in a row, there’s a lot of action coming from the groups linked to Russia. Did they get the new quarterly goals? But there was also some good news, like the fact that over 1,000 people were arrested in a joint operation in Africa.

There’s a bad zero-day on Apple devices and another malicious Chrome extension, from a previously featured app no less! And yes, it seems like if there’s a built-in LLM chat somewhere, it can be exploited quickly and badly.

P.S. You can also get this summary in your e-mail every week. Scroll down to subscribe ⬇️

P.P.S. Sorry for the late publishing today. I have a piece of code that downloads all the news for me for my review and I decided to “make it better” before publishing this week’s post. Of course I first completely broke it down and spent a day reassembling instead 🙂

1. New HTTP/1.1 Smuggling Technique Injects Unauthorized Backend Requests

Researchers have uncovered a novel HTTP request smuggling technique that exploits malformed chunked transfer encoding extensions—specifically bare semicolons—to induce parsing discrepancies between front-end proxies and back-end servers, enabling attackers to bypass WAFs and inject hidden secondary requests. This HTTP/1.1 weakness threatens any web application relying on text-based parsing.

Key Details

  • Attackers send a chunk-size line ending with “;” but no extension name
  • Front-end treats the data as one request; back-end sees a chunk boundary
  • Smuggled requests bypass CDNs, load balancers and WAFs to reach backend
  • Patches released for affected HTTP/1.1 parsers; HTTP/2 framing removes ambiguity

Next Steps

  • Confirm all HTTP/1.1 parsers are up to date with vendor patches
  • Plan and prioritize migration of critical services to HTTP/2
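
While HTTP/1.1 stays in the path, a parser can refuse the ambiguous framing outright. The following is an added example (not code from the researchers or any vendor patch): a strict chunked-body decoder that follows the RFC 9112 chunk-extension grammar and rejects a chunk-size line ending in a bare “;”. The names `decode_chunked`, `verdict` and `SAMPLES`, the sample bodies and the 8-digit size limit are assumptions of this example.

```python
import re

# RFC 9112 section 7.1.1 grammar:
#   chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
# A name is mandatory after every ";", so a bare semicolon is not valid.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = rb'"(?:[\t !#-\[\]-~]|\\[\t -~])*"'
EXT = rb"[ \t]*;[ \t]*" + TOKEN + rb"(?:[ \t]*=[ \t]*(?:" + TOKEN + rb"|" + QUOTED + rb"))?"
# The 8-hex-digit size limit is this example's own choice, not part of the RFC.
CHUNK_LINE = re.compile(rb"([0-9A-Fa-f]{1,8})(?:" + EXT + rb")*")

class MalformedChunk(ValueError):
    """Framing that two parsers could read differently; reject, never repair."""

def decode_chunked(body: bytes) -> bytes:
    """Strictly decode a chunked message body (trailer fields are not handled)."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise MalformedChunk("chunk-size line not terminated by CRLF")
        line = body[pos:eol]
        match = CHUNK_LINE.fullmatch(line)
        if match is None:
            raise MalformedChunk(f"invalid chunk-size line {line!r}")
        size = int(match.group(1), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        end = pos + size
        if body[end:end + 2] != b"\r\n":
            raise MalformedChunk("chunk data not followed by CRLF")
        out += body[pos:end]
        pos = end + 2

def verdict(body: bytes) -> str:
    """Return 'accept' or 'reject: <reason>' for one message body."""
    try:
        decode_chunked(body)
        return "accept"
    except MalformedChunk as exc:
        return f"reject: {exc}"

# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "plain": b"5\r\nhello\r\n0\r\n\r\n",
    "named extension": b"5;note=ok\r\nhello\r\n0\r\n\r\n",
    "bare semicolon": b"5;\r\nhello\r\n0\r\n\r\n",
}
```

Rejecting the whole message, rather than guessing where the chunk ends, is what keeps a front-end and a back-end from disagreeing about request boundaries.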

Read more at Cybersecurity News, Imperva


2. Microsoft restricts Chinese firms’ access to vulnerability warnings after hacking concerns

Microsoft has revoked proof-of-concept code access in its Microsoft Active Protections Program for certain Chinese security vendors, following suspicions that leaked early-warning data fueled a wave of SharePoint zero-day exploits impacting over 400 organizations, including the U.S. National Nuclear Security Administration.  While the move aims to curb threat actors’ ability to accelerate attacks, it risks creating intelligence blind spots and adds complexity for multinational enterprises balancing global operations and compliance.

Key Details

  • MAPP historically provided proof-of-concept code to participants so they could build defenses pre-disclosure.
  • Microsoft’s move stops only PoC code delivery, not broader vulnerability notifications.

Read more at CSO Online, Reuters


3. CISA Mandates Federal Patch for Apple Zero-Day Exploited in Targeted Attacks

CISA has added CVE-2025-43300 to its Known Exploited Vulnerabilities catalog, giving civilian agencies until September 11 to patch a zero-click ImageIO flaw (CVSS 8.8) actively used in “extremely sophisticated” targeted attacks.

Key Details

  • Flaw in Apple’s ImageIO framework allows out-of-bounds writes and memory corruption.
  • Zero-click exploit requires no user interaction—malicious images trigger code execution.
  • CVSS 3.1 score of 8.8; added to CISA’s KEV catalog on August 21, 2025.
  • Affected platforms: iOS 18.6-18.6.2, iPadOS 17.7-17.7.10, macOS Ventura, Sonoma, Sequoia.

Next Steps

  • Update Apple devices to at least iOS 18.6.2, iPadOS 17.7.10 and macOS 13.7.8/14.7.8/15.6.1.

Read more at The Record, CISA


4. FSB-linked group “Static Tundra” exploits old CVE-2018-0171 to breach unpatched Cisco devices

Russian state–backed hackers have spent years exploiting a 2018 Smart Install vulnerability (CVE-2018-0171) in end-of-life Cisco devices to harvest configuration files and deploy persistent implants across telecom, manufacturing and education networks. This campaign enables long-term espionage, industrial control system reconnaissance and the potential for disruptive operations against critical infrastructure.

Key Details

  • Although the vulnerability is years old, thousands of Cisco routers and switches were still compromised in the past year to collect startup configs.
  • Attackers modified device configurations to enable local TFTP, capture SNMP credentials and install SYNful Knock.
  • Smart Install was enabled by default and many vulnerable devices remain unpatched or past end-of-life.

Next Steps

  • Scan networks for CVE-2018-0171 exposures and disable Smart Install on all devices.

Read more at CSO Online, FBI Advisory, Cisco Talos Advisory


5. Critical XSS Flaw in Lenovo’s GPT-4 Chatbot Permits Session Cookie Theft

Researchers discovered a cross-site scripting vulnerability in Lenovo’s AI chatbot “Lena” that allows attackers to steal support-agent session cookies with a single malicious 400-character prompt. This flaw can grant unauthorized access to customer support systems, enable backdoor installation, lateral movement, and data exfiltration if AI input/output isn’t properly sanitized.

Key Details

  • Attack payload instructs GPT-4 to output HTML containing <img onerror> tags that exfiltrate cookies.
  • Improper input and output sanitization in Lenovo’s “Lena” chatbot enables the XSS attack.
  • Stolen cookies allow logging into the customer support portal as an agent.
  • Beyond cookie theft, attackers could deploy keyloggers, phishing redirects, or execute system commands.

Next Steps

  • Treat AI chatbots as full applications in security reviews.
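
On the output side, that means handling the model’s reply as untrusted markup before it reaches the agent console. The following is an added example (not Lenovo’s code or the researchers’): it rebuilds the reply from a small tag allowlist, drops every attribute and entity-encodes all text. `ALLOWED_TAGS`, `render_reply` and the sample string are assumptions of this example.

```python
from html import escape
from html.parser import HTMLParser

# Assumption: the chat widget needs only these formatting tags and no attributes.
ALLOWED_TAGS = {"b", "i", "em", "strong", "code", "pre", "p", "ul", "ol", "li"}


class _ReplyRenderer(HTMLParser):
    """Rebuilds model output from an allowlist instead of filtering out bad markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # safe fragments, in order
        self.dropped = []   # what was removed, for logging and alerting

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            return
        # Attributes are never copied, so event handlers and URLs cannot survive.
        self.dropped.extend(f"{tag}@{name}" for name, _ in attrs)
        self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always entity-encoded


def render_reply(model_output: str):
    """Return (html_safe_for_the_agent_console, list_of_dropped_markup)."""
    renderer = _ReplyRenderer()
    renderer.feed(model_output)
    renderer.close()
    return "".join(renderer.out), renderer.dropped


# Constructed model output; alert(1) stands in for any injected script.
SAMPLE = 'Reset link: <img src=x onerror="alert(1)"><b onclick="x()">done</b>'
```

A non-empty dropped list is worth logging: a support chatbot that suddenly emits `<img>` tags or event-handler attributes is a signal in its own right.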

Read more at CSO Online


6. Interpol Operation Serengeti 2.0 Yields 1,209 Arrests, $97.4 Million Recovered

Interpol’s Operation Serengeti 2.0 brought together law enforcement from 18 African countries and the UK to arrest 1,209 suspects behind ransomware, online scams and business email compromise, recovering $97.4 million stolen from 88,000 victims worldwide.  Key targets included 25 illicit cryptocurrency-mining centers in Angola (with $37 million in equipment seized) and a $300 million fake-investment scheme in Zambia that defrauded 65,000 people.  

Key Details

  • Operation ran June–August 2025 under the African Joint Operation against Cybercrime.
  • Angolan raids shut down illicit mining farms and power stations draining the national grid.
  • Zambia arrests (15 suspects) yielded domains, bank accounts and mobile numbers tied to the scam.
  • Côte d’Ivoire unit dismantled a transnational inheritance scam causing $1.6 million in losses.

Read more at Interpol, The Record


7. Disgruntled Developer Sentenced to Four Years for Logic-Bomb Sabotage

A former senior developer at Eaton Corporation received a four-year prison term after planting logic bombs and a kill-switch in his employer’s network following a 2018 demotion.  His malicious code crashed production servers and, when his Active Directory account was disabled, automatically deleted user profiles, locking out employees and causing substantial financial losses.

Key Details

  • Infinite-loop logic bomb spawned Java threads until servers crashed (Aug 4, 2019).
  • “IsDLEnabledinAD” kill-switch deleted AD profiles when his access was revoked.
  • Sabotage estimated to cost “hundreds of thousands” in remediation and downtime.
  • Logs and named routines revealed Lu’s identity; internet searches showed privilege-escalation research.

Next Steps

  • Review and tighten developer privileges post-reorg.

Read more at CSO Online


8. Silk Typhoon Exploits Cloud Supply Chain to Spy on North American Organizations

Since 2023, Silk Typhoon (aka Murky Panda/Hafnium) has shifted from direct Exchange exploits to targeting third-party cloud and SaaS providers, abusing built-in trust relationships to access government, technology, academic, legal, and professional services tenants in North America.  
The group weaponizes appliance zero-days and SaaS misconfigurations, then deploys its CloudedHope Linux RAT to maintain stealthy persistence and siphon emails.

Key Details

  • Observed abusing trusted-relationship compromises at cloud-based software and service providers to reach downstream customers.
  • In two incidents, attackers exfiltrated SaaS app registration secrets to authenticate as the application in victim tenants.
  • Compromised a Microsoft cloud solution provider’s “admin agent” account to gain Global Administrator rights over multiple Entra ID tenants.
  • Deployed CloudedHope, a custom Golang Linux RAT with anti-analysis and decoy capabilities, focused on targeted email exfiltration.

Next Steps

  • Audit and restrict service principal and cross-tenant permissions in cloud environments.
  • Follow a consistent and structured vendor onboarding / monitoring process to minimize third-party risk.

Read more at Dark Reading


9. Critical “ReVault” Firmware Flaw Exposes Millions of Dell Laptops to Persistent Attacks

Researchers uncovered multiple vulnerabilities in the Control Vault firmware—used in Dell Latitude and Precision business laptops—that let any local user access undocumented APIs to trigger memory corruption, extract device-unique keys, and install persistent malicious code below the OS. Broadcom and Dell have issued Windows-delivered patches. 

Key Details

  • Five CVEs affect the embedded Control Vault (aka Unified Secure Hub) handling fingerprint and smart-card readers.
  • Flaws include firmware memory corruption and stack overflow enabling code execution on the security chip.
  • Attackers can extract secret keys, bypass authentication (e.g., fingerprint spoofing), and permanently alter firmware.
  • Patches released by Broadcom and distributed by Dell automatically via Windows Update.

Next Steps

  • Confirm Control Vault firmware updates applied across laptop fleet.
  • Review endpoint management logs for recent driver and firmware changes.
  • Limit local administrative rights to prevent unauthorized API interactions.

Read more at Dark Reading

10. FreeVPN.One Chrome Extension Secretly Captures and Exfiltrates User Screenshots

FreeVPN.One, a “Featured” and verified Chrome VPN extension with over 100,000 installs, has been discovered taking screenshots of every webpage users visit and transmitting them to a remote server without consent. 

Key Details

  • Two-stage capture: content script delays 1.1 seconds then signals the background worker, which invokes chrome.tabs.captureVisibleTab().
  • Exfiltrated data (screenshots, URLs) is sent to aitd.one/analyze.php despite UI claiming only local scans.
  • Maintained “Featured” badge on Chrome Web Store; privacy policy buried permission to upload screenshots.
  • Over 100K installs amplify risk for BYOD and remote-work environments lacking extension governance.

Next Steps

  • Consider allowing only pre-approved extensions on employees’ Chrome installations.

Read more at CSO Online


11. Malicious Go Module Disguised as SSH Brute-Forcer Exfiltrates Credentials via Telegram Bot

Security researchers at Socket.dev have uncovered a Go module on pkg.go.dev—“golang-random-ip-ssh-bruteforce”—that poses as an SSH brute‐force tool but secretly sends any valid credentials it finds to a hard-coded Telegram bot. The module scans random IPv4 addresses on port 22 using a minimal username/password list, disables host key verification for speed, and exfiltrates IPs, usernames, and passwords over HTTPS to api.telegram.org.

Key Details

  • Published June 24, 2022; GitHub repo “IllDieAnyway” removed but module still live on pkg.go.dev.
  • Uses ssh.InsecureIgnoreHostKey() to bypass SSH host key checks and speed brute-forcing.
  • Wordlist pairs “root” and “admin” with common weak passwords (12345678, qwerty, admin, etc.).
  • Exfiltrates first successful credentials via Telegram Bot API (@sshZXC_bot → @io_ping).

Next Steps

  • If something looks too good to be true, it probably is and it might be dangerous instead 🙂

Read more at Socket.dev, The Hacker News


12. NIST Publishes SP 800-53 Control Overlays for AI System Security

NIST has released a concept paper introducing specialized overlays for SP 800-53 controls to address cybersecurity risks in AI systems, and launched a collaborative project to refine them. This framework targets generative, predictive, single-agent, and multi-agent AI, emphasizing governance, data integrity, and model validation. Security and risk teams should engage via the COSAIS Slack channel to shape practical controls before final publication.

Analysts warn NIST’s AI security overlays lack concrete mitigation tactics and depend heavily on community feedback, risking watered-down controls if AI agents flood comments. Experts highlight visibility gaps—unknown model usage, data lineage, and legal provenance—that undermine the ability to secure AI pipelines.

Key Details

  • Released August 14, 2025 as a concept paper for “NIST SP 800-53 Control Overlays for Securing AI Systems”
  • Covers four AI use cases: generative, predictive, single-agent, and multi-agent architectures
  • Proposes controls for model validation, training-data integrity, algorithmic transparency, and continuous monitoring
  • NIST concept paper outlines risks but solicits industry-provided mitigation approaches
  • Launches the COSAIS project and #NIST-Overlays-Securing-AI Slack channel for stakeholder feedback

Next Steps

  • Join the COSAIS Slack channel and review the concept paper
  • Map existing SP 800-53 controls to your AI project workflows
  • Document AI governance and monitoring processes before overlay finalization

Read more at Cybersecurity News, NIST CSRC, CSO Online, NIST Concept Paper

