{"id":20723,"date":"2025-10-20T13:49:37","date_gmt":"2025-10-20T11:49:37","guid":{"rendered":"https:\/\/kordon.app\/?p=20723"},"modified":"2025-10-20T13:53:05","modified_gmt":"2025-10-20T11:53:05","slug":"cybersecurity-news-worth-your-attention-this-week-2025-10-20","status":"publish","type":"post","link":"https:\/\/kordon.app\/et\/cybersecurity-news-worth-your-attention-this-week-2025-10-20\/","title":{"rendered":"Cybersecurity News Worth Your Attention This Week- 2025-10-20"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Same stuff different week. There were some wins on the law enforcement side but the adversaries aren&#8217;t doing too &#8220;bad&#8221; either.<br>Supply chain attacks in VS Code have gotten to a place where we need to include a review for VS Code extensions, in addition to all code changes.<\/p>\n\n\n\n<p><br>Also, included two longer food-for-thought style long form articles at the very end. I found both very interesting and they stayed with me for a while after reading them.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">1. Nation-State Hackers Breach F5 BIG-IP Development Environment, Steal Source Code and Vulnerability Data<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">F5 Networks confirmed that a \"highly sophisticated <strong>nation-state threat actor<\/strong>\" <strong>maintained long-term access to its BIG-IP product development and engineering knowledge platforms, exfiltrating portions of source code, undisclosed vulnerability details,<\/strong> and limited customer configuration data. <br><strong><br>F5\u2019s BIG-IP platform underpins application delivery and security<\/strong> for many large enterprises and government systems. 
It\u2019s <strong>widely used as a load balancer and reverse proxy, managing traffic and protecting critical web applications.<\/strong><br><br>The breach elevates risk for targeted attacks against unpatched F5 devices and has prompted CISA to mandate immediate inventory and patching for federal agencies.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Intrusion discovered in August 2025; <\/strong>public disclosure occurred Oct. 15 under DOJ guidance.<\/li>\n\n\n\n<li>Stolen files include segments of BIG-IP <strong>source code and vulnerability information still under mitigation.<\/strong><\/li>\n\n\n\n<li>CISA issued Emergency Directive ED 26-01, requiring federal civilian agencies to inventory and update BIG-IP devices by Oct. 22.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Apply the latest patches<\/strong> for BIG-IP, F5OS, BIG-IP Next, BIG-IQ, and APM clients immediately.<\/li>\n\n\n\n<li><strong>Consider replacing BIG-IP services <\/strong>as bad actors now have previously undisclosed vulnerabilities and the source code, which gives them an easier path to creating new exploits.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at:<\/strong> <a href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/f5-big-ip-environment-breached-nation-state-actor\">Dark Reading<\/a>, <a href=\"https:\/\/thehackernews.com\/2025\/10\/f5-breach-exposes-big-ip-source-code.html\">The Hacker News<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/4073195\/source-code-and-vulnerability-info-stolen-from-f5-networks.html\">CSO Online<\/a>, <a href=\"https:\/\/cybersecuritynews.com\/f5-breached\/\">Cybersecurity News<\/a>, <a href=\"https:\/\/cyberscoop.com\/f5-breach-nation-state-actor-sec-8k-justice-department\/\">CyberScoop<\/a>, <a href=\"https:\/\/cybersecuritynews.com\/f5-security-updates\/\">Cybersecurity News<\/a>, <a href=\"https:\/\/cybersecuritynews.com\/over-269000-f5-devices-exposed\/\">Cybersecurity News<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2. Microsoft Revokes 200+ Abused Azure Code-Signing Certificates in Rhysida Ransomware Campaign<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Microsoft disrupted a Rhysida ransomware operation<\/strong> by revoking over 200 Azure Trusted <strong>Signing certificates that Vanilla Tempest used to sign fake Microsoft Teams installers with the Oyster backdoor<\/strong>. By abusing legitimate certificates and SEO-poisoned domains, attackers bypassed signature-based defenses and drove victims to malicious downloads.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Vanilla Tempest (aka Vice Society) <strong>hosted malicious MSTeamsSetup.exe on SEO-poisoned domains.<\/strong><\/li>\n\n\n\n<li><strong>Fake installers dropped a loader that installed Oyster backdoor <\/strong>before deploying Rhysida ransomware.<\/li>\n\n\n\n<li>Attackers also acquired <strong>code-signing certificates from SSL.com, DigiCert and GlobalSign.<\/strong><\/li>\n\n\n\n<li><strong>Azure Trusted Signing requires a Microsoft Entra tenant and a three-year organizational history, raising vetting concerns.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/microsoft-disrupts-ransomware-abusing-azure-certificates\">Dark Reading<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">3. Critical ASP.NET Core HTTP Request Smuggling Flaw Earns Record-high 9.9 CVSS<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Microsoft has released patches for CVE-2025-55315, a critical HTTP request smuggling bug in the Kestrel server component of ASP.NET Core that earned a 9.9 severity rating\u2014the highest ever for the framework. 
<strong>Authenticated attackers could embed malicious requests to bypass authentication, skip CSRF checks, or perform injection attacks, though actual impact depends on application logic and deployment.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>All supported ASP.NET Core versions (8, 9, 10) <\/strong>and legacy 2.3 are affected.<\/li>\n\n\n\n<li><strong>Attackers need only authenticated access<\/strong> to smuggle a second HTTP request past security checks.<\/li>\n\n\n\n<li>Microsoft\u2019s 9.9 score reflects worst-case security feature bypass \u201cchanging scope,\u201d not typical deployments.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Upgrade<\/strong> to .NET 8.0.21\/.NET 9.0.10\/.NET 10.0.0-rc.2 runtimes or Kestrel.Core 2.3.6.<\/li>\n\n\n\n<li>Review custom request-handling code for unchecked header parsing.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4074590\/critical-asp-net-core-vulnerability-earns-microsofts-highest-ever-severity-score.html\">CSO Online<\/a>, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-fixes-highest-severity-aspnet-core-flaw-ever\/\">Bleeping Computer<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Attackers Exploit Cisco SNMP Flaw to Deploy Fileless Linux Rootkits on Legacy Switches<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>A new \"Operation Zero Disco\" campaign <\/strong>leverages CVE-2025-20352, an SNMP stack-overflow in Cisco IOS and IOS XE, to achieve <strong>remote code execution and install fileless Linux rootkits on unpatched 9400, 9300 and 3750G series switches.<\/strong> <br><br>The rootkits hook into the IOS daemon, set a universal \u201cdisco\u201d password, toggle or delete logs, reset timestamps and open a UDP-based backdoor, <strong>enabling persistent, stealthy access and potential lateral movement. <\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Targets Cisco 9400, 9300 and legacy 3750G switches <\/strong>running older Linux stacks without EDR.<\/li>\n\n\n\n<li>Rootkit hooks into IOSd memory, creates universal password containing \u201cdisco,\u201d hides configuration changes.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Apply Cisco\u2019s October 2025 patches<\/strong> for CVE-2025-20352.<\/li>\n\n\n\n<li>Restrict SNMP management-plane reachability and enforce ACLs.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2025\/10\/hackers-deploy-linux-rootkits-via-cisco.html\">The Hacker News<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/4074585\/zero-disco-campaign-hits-legacy-cisco-switches-with-fileless-rootkit-payloads.html\">CSO Online<\/a>, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-exploit-cisco-snmp-flaw-to-deploy-rootkit-on-switches\/\">BleepingComputer<\/a>, <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/j\/operation-zero-disco-cisco-snmp-vulnerability-exploit.html\">Trend Micro<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5. 
North Korean Hackers Adopt EtherHiding to Deliver Malware via Smart Contracts<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">A DPRK-linked group (UNC5342) has begun <strong>embedding malicious JavaScript loaders inside Ethereum and BNB Smart Chain contracts using the EtherHiding technique, marking the first state-sponsored use of blockchain as a resilient C2 and malware hosting platform.<\/strong> <br><br>The multi-stage attack chain\u2014deployed through fake recruiting lures\u2014fetches and updates payloads on-chain to steal developer data and siphon cryptocurrency without relying on takedown-prone servers.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>UNC5342<strong> targets developers via LinkedIn recruitment scams<\/strong>, moving chats to Telegram\/Discord.<\/li>\n\n\n\n<li><strong>Attack stages: <\/strong>initial npm downloader \u2192 BeaverTail stealer \u2192 JADESNOW loader \u2192 InvisibleFerret backdoor.<\/li>\n\n\n\n<li>Smart contracts on Ethereum and BSC store encrypted payloads (Base64\/XOR).<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2025\/10\/north-korean-hackers-use-etherhiding-to.html\">The Hacker News<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Europol-led Bust Disrupts SIM-Card Rental Network Behind \u20ac5 Million in Telecom Fraud<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>International law enforcement dismantled a network selling phone numbers from over 80 countries to scammers, seizing 40,000 SIM cards, 1,200 SIM boxes and five servers.  
<\/strong><br><br>Investigators linked the service to more than 3,000 fraud cases and over \u20ac5 million in losses, while criminals <strong>used the infrastructure to create 49 million fake online accounts for phishing, extortion and other crimes.<\/strong>  <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Five suspects arrested in Latvia, <\/strong>including the alleged organizer.<\/li>\n\n\n\n<li>Two seized websites (gogetsms.com, apisim.com) powered a global SIM-provisioning platform.<\/li>\n\n\n\n<li>Fraud concentrated in Austria and Latvia, with <strong>combined losses exceeding \u20ac5 million.<\/strong><\/li>\n\n\n\n<li><strong>Service enabled creation of over 49 million fake accounts used in phishing, <\/strong>investment scams and CSAM distribution.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/therecord.media\/europe-sim-farms-raided-latvia-austria-estonia\">The Record<\/a>, <a href=\"https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/cybercrime-service-takedown-7-arrested\">Europol<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">7. New Pixnapping Attack Steals 2FA Codes and Screen Data on Android<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Researchers have demonstrated \u201cpixnapping,\u201d a side-channel exploit that lets a malicious Android app steal on-screen secrets from Google Authenticator 2FA codes to Signal messages, by capturing and reconstructing pixels in under 30 seconds. <\/strong><br>The vulnerability (CVE-2025-48561) <strong>affects modern devices running Android 13\u201316, <\/strong>including Google Pixel and Samsung Galaxy models, and Google\u2019s September patch was bypassed; a fuller fix is due in December\u2019s security bulletin. 
<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Pixnapping abuses Android intents and semi-transparent activities to force victim app pixels into the rendering pipeline and infer their color via GPU timing.<\/strong><\/li>\n\n\n\n<li><strong>Demonstrated recovery:<\/strong> 2FA codes from Google Authenticator in under 30 seconds; messages from Signal, Gmail, Venmo  and Maps timelines also exfiltrated.<\/li>\n\n\n\n<li><strong>Affected devices tested: <\/strong>Pixel 6-9 and Galaxy S25 on Android 13-16; underlying API and hardware side-channel exist on most modern Android phones.<\/li>\n\n\n\n<li>Google\u2019s September patch (partial mitigation) was circumvented; <strong>full mitigation slated for December Android security bulletin.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enroll devices in beta December patch and validate overlay fixes.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/pixnapping-attack-attackers-2fa-android\">Dark Reading<\/a>,\n  <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-android-pixnapping-attack-steals-mfa-codes-pixel-by-pixel\/\">BleepingComputer<\/a>\n<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Microsoft Reports 32% Rise in Identity Attacks Fueled by Stolen Passwords<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Microsoft\u2019s H1 2025 Digital Defense Report shows identity-based attacks surged 32%, with over 97% relying on password guessing, leaks and social-engineering scams. 
Compromised credentials now drive account takeovers, data theft and ransomware, highlighting gaps in password hygiene and help-desk controls.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>97% of identity attacks are password-based,<\/strong> up 32% in six months.<\/li>\n\n\n\n<li>Infostealer malware and help-desk scams (vishing, Quick Assist) are on the rise.<\/li>\n\n\n\n<li><strong>Most targeted: <\/strong>IT companies and national\/local government agencies.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Enforce MFA and conditional access on all user accounts.<\/strong><\/li>\n\n\n\n<li><strong>Harden help-desk workflows: <\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/therecord.media\/microsoft-warns-of-surge-identity-hacks-passwords\">The Record<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">9. TikTok-Based Campaign Uses Self-Compiling PowerShell Malware for AuroStealer Deployment<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Cybercriminals are tricking TikTok users into running a one-line PowerShell command under the guise of free software activation<\/strong>, which delivers a multi-stage malware chain culminating in AuroStealer data theft. The campaign employs scheduled-task persistence and on-the-fly C# compilation to inject shellcode in memory and evade detection. <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Victims are instructed to run a malicious PowerShell command<\/strong> to fetch a first-stage PowerShell script (SHA256: 6D897B\u2026C6B23,17\/63 VT hits).<\/li>\n\n\n\n<li>The initial payload downloads updater.exe from file-epq [.] pages [.] 
dev, identified as AuroStealer targeting credentials and system data.<\/li>\n\n\n\n<li><strong>Persistence via scheduled tasks named like \u201cMicrosoftEdgeUpdateTaskMachineCore\u201d<\/strong> ensures execution at user logon.<br>  <\/li>\n\n\n\n<li>Third stage (source.exe, SHA256: db57e4\u202667011) compiles and runs C# code at runtime via csc.exe to perform in-memory shellcode injection.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Block or monitor PowerShell one-liners invoking irm\/iex from unknown domains<\/li>\n\n\n\n<li><strong>Audit new scheduled tasks matching \u201c*UpdateTaskMachine*\u201d for unauthorized entries<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/cybersecuritynews.com\/hackers-using-tiktok-videos-to-deploy-self-compiling-malware\/\">CybersecurityNews<\/a>\n<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">10. TigerJack Campaign Uses Malicious VS Code Extensions to Steal Code, Mine Crypto, and Persist Undetected<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Threat actor <strong>\"TigerJack\" has published at least 11 malicious Visual Studio Code and OpenVSX extensions that quietly exfiltrate source code, deploy cryptominers, and fetch remote JavaScript for backdoor control<\/strong>. 
<br><br><strong>Over 17,000 downloads<\/strong> of popular <strong>packages like<\/strong> <strong>\"C++ Playground\"<\/strong> and <strong>\"HTTP Format\"<\/strong>.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>11 extensions across three publisher accounts<\/strong> (ab-498, 498, 498-00).<\/li>\n\n\n\n<li>\u201cC++ Playground\u201d and \u201cHTTP Format\u201d amassed 17,000+ downloads before VS Code removal.<\/li>\n\n\n\n<li><strong>Extensions poll hardcoded endpoints every 20 minutes to execute new payloads.<\/strong><\/li>\n\n\n\n<li>OpenVSX marketplace hosts active variants due to minimal malware scanning.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Inventory and remove unverified VS Code\/OpenVSX extensions<\/strong><\/li>\n\n\n\n<li><strong>Require peer review and sandbox testing for new developer tools.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4072829\/tigerjacks-malicious-vscode-extensions-mine-steal-and-stay-hidden.html\">CSO Online<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading has-text-align-center\">Food for Thought Long Form Recommendations<\/h1>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">11. Enterprises\u2019 Phishing Training Proves Ineffective, Calls for New Behavioral Approaches<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Despite widespread annual and embedded phishing exercises, recent research shows no measurable drop in employees\u2019 click-through rates or susceptibility. Low engagement\u2014up to half of simulated phishing trainings go uncompleted\u2014and poor information retention mean organizations remain exposed. 
Phishing training must shift from checkbox compliance to behavior-driven, context-aware interventions and back them with metrics and technical controls.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Phishing causes 15% of data breaches, per IBM.<\/li>\n\n\n\n<li>Study of ~20,000 UCSD Health staff found no difference in failure rates post-training.<\/li>\n\n\n\n<li>37\u201351% of embedded phishing trainings see zero engagement.<\/li>\n\n\n\n<li>PC users click risky links more often than mobile users, suggesting device impacts behavior.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Track real\u2010world phishing click-rates by cohort and device.<\/li>\n\n\n\n<li>Introduce gamified, scenario-based exercises with small rewards.<\/li>\n\n\n\n<li>Augment training with two-factor authentication and automated phish detection.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4071289\/what-to-consider-to-make-your-enterprise-phishing-training-effective.html\">CSO Online<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">12. The Truth About Consistent Chinese Espionage in the UK<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">UK officials uncovered a Chinese-sponsored breach that accessed \u201cofficial-sensitive\u201d and \u201csecret\u201d government data via a critical data exchange hub for at least ten years after its sale to a China-aligned entity. Ministers even considered razing the facility to eliminate hidden backdoors before choosing a targeted incident response and patching approach.  
The episode highlights the imperative for CISOs to enforce stringent supply-chain oversight, continuous threat hunting, and robust controls over edge devices and VPN access.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Breaches spanned low- and mid-classification networks; no \u201ctop secret\u201d data was exfiltrated.<\/li>\n\n\n\n<li>Then-PM Boris Johnson commissioned a classified review of Chinese digital surveillance and cyber threats.<\/li>\n\n\n\n<li>Experts suggest the initial compromise likely exploited a VPN vulnerability, followed by privilege escalation.<\/li>\n\n\n\n<li>State-linked APTs may employ Operational Relay Boxes to mask long-term presence and evade detection.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.spectator.co.uk\/article\/here-be-dragons-the-truth-about-chinese-espionage\/\">The Spectator<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Subscribe<\/h2>\n\n\n\n<p>Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.<\/p>\n\n\n                <div class=\"ml-embedded\" data-form=\"pKq7EM\"><\/div>\n            \n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary of latest cybersecurity news from October 
2025.<\/p>","protected":false},"author":1,"featured_media":20813,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-20723","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20723","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/comments?post=20723"}],"version-history":[{"count":94,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20723\/revisions"}],"predecessor-version":[{"id":20819,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20723\/revisions\/20819"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media\/20813"}],"wp:attachment":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media?parent=20723"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/categories?post=20723"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/tags?post=20723"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}