• Likelihood: High
• Impact: High
• Overall Priority: P1 (Rationale: In-the-wild zero-day exploitation of a widely used mobile device to install potent spyware.)

Facts:

• A now-patched zero-day vulnerability, CVE-2025-21042 (CVSS 8.8), in a Samsung Android image processing library (libimagecodec.quram.so) was exploited in targeted attacks (Unit 42, 2025-11-07 11:00:23 UTC; Security Affairs, 2025-11-07 21:54:22 UTC).
• The exploit was delivered via zero-click messages, such as WhatsApp, containing a malicious image, to deploy a previously unknown commercial-grade Android spyware named LANDFALL (BleepingComputer, 2025-11-07 13:23:25 -0500; The Hacker News, 2025-11-07 23:30:00 +0530).
• The campaign, which ran for approximately nine months, targeted entities in the Middle East (The Record, 2025-11-07 17:12:43 GMT).
• LANDFALL spyware possesses capabilities to collect sensitive user data, including contacts, call logs, messages, location data, and files (Unit 42, 2025-11-07 11:00:23 UTC).
• Samsung has released a patch for the vulnerability. The specific patch date was not detailed in the sources (Security Affairs, 2025-11-07 21:54:22 UTC).

Assessment:

• We assess with high confidence that this campaign was conducted by a sophisticated actor, likely a commercial spyware vendor, given the use of a zero-day exploit and the advanced capabilities of the LANDFALL spyware. The zero-click nature of the exploit makes it particularly dangerous as it requires no user interaction to succeed.
• The targeting of individuals in the Middle East is consistent with the operational patterns of several known commercial surveillanceware providers.
• While a patch is available, the long duration of the campaign suggests that many devices may have been compromised. The risk of compromise for unpatched devices remains high.

Relevance:

• This threat is relevant to our organization due to the widespread use of Samsung Android devices among employees for both corporate and personal use. A compromise could lead to the loss of sensitive corporate data, credentials, and PII.
• Affected in estate? Unknown. Asset management must identify all corporate-managed Samsung devices and verify patch status with device owners.

ATT&CK:

• T1400: Exploit via Charging/Tethering Port
• T1404: Exploitation for Client Execution
• T1417: Input Capture
• T1426: System Information Discovery
• T1432: Access Contact List
• T1433: Access Calendar
• T1637: Steal Application Data
• Malware: LANDFALL Spyware

Detection Ideas:

• Monitor mobile device management (MDM) logs for unpatched Samsung devices.
• Deploy Mobile Threat Defense (MTD) solutions capable of detecting spyware behavior and anomalous application activity.

Mitigations:

• Ensure all Samsung devices are updated with the latest security patches immediately.
• Educate users about the risk of zero-click exploits and the importance of timely updates.
• Restrict the installation of applications from untrusted sources on all mobile devices.

• Likelihood: High
• Impact: High
• Overall Priority: P1 (Rationale: Active exploitation of critical edge network devices with a new attack variant that causes service disruption.)

Facts:

• Cisco has warned that two previously disclosed zero-day vulnerabilities, CVE-2025-20333 and CVE-2025-20362, are now being targeted by a new attack variant (BleepingComputer, 2025-11-07 10:44:31 -0500; Security Affairs, 2025-11-06 18:26:17 +0000).
• The new attack can cause unpatched Cisco Secure Firewall Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) devices to unexpectedly reload, resulting in a denial-of-service (DoS) condition (The Hacker News, 2025-11-06 20:28:00 +0530).
• These vulnerabilities were initially exploited in the wild before patches were available, and are now being leveraged for this new purpose (BleepingComputer, 2025-11-07 10:44:31 -0500).

Assessment:

• We assess with high confidence that threat actors are expanding their use of these vulnerabilities beyond initial access and espionage to include disruptive attacks. This indicates that the flaws are well-understood and widely exploited.
• Organizations that have not yet patched are at immediate risk of network outages from these DoS attacks. The impact on business operations could be significant, especially for public-facing services.

Relevance:

• This threat is directly relevant as Cisco ASA/FTD firewalls are deployed at our network edge. A successful DoS attack would disrupt internet connectivity and access to critical services.
• Affected in estate? Unknown. Network operations must confirm the patch status of all Cisco firewall appliances.

ATT&CK:

• T1499: Endpoint Denial of Service
• T1499.003: OS Exhaustion Flood

Detection Ideas:

• Monitor firewall logs for unexpected reboots or crashes.
• Implement network monitoring to detect anomalous traffic patterns targeting firewall management interfaces.
• Review logs for any indicators of compromise related to the initial exploitation of these CVEs.

Mitigations:

• Apply the security updates provided by Cisco for CVE-2025-20333 and CVE-2025-20362 immediately.
• Restrict access to firewall management interfaces to a limited set of trusted IP addresses.

• Likelihood: Medium
• Impact: High
• Overall Priority: P2 (Rationale: A novel supply chain attack with a delayed, high-impact payload presents a hidden risk to software development and operational technology.)

Facts:

• Several malicious packages have been discovered on the NuGet package manager containing sabotage payloads scheduled to activate in August 2027 and 2028 (BleepingComputer, 2025-11-07 15:53:48 -0500).
• The nine packages were published in 2023 and 2024 by a user named "shanhai666" (The Hacker News, 2025-11-07 17:25:00 +0530).
• The delayed "time bomb" payloads are designed to disrupt database implementations and corrupt Siemens S7 industrial control devices (BleepingComputer, 2025-11-07 15:53:48 -0500).

Assessment:

• We assess with high confidence that this is a deliberate and patient attempt to compromise software supply chains for future sabotage. The long delay between installation and payload activation is designed to evade detection and maximize impact.
• The targeting of both general database implementations and specific ICS hardware suggests the actor may have broad objectives, ranging from widespread disruption to targeted attacks on industrial environments. The risk is significant for any organization that has unknowingly incorporated these packages into their software.

Relevance:

• This threat is highly relevant to our software development lifecycle. Our developers use NuGet for managing dependencies, and an inadvertent inclusion of these packages could embed a latent threat in our proprietary applications.
• Affected in estate? Unknown. A full scan of our software repositories and build environments is required to determine if these packages are present.

ATT&CK:

• T1195: Supply Chain Compromise
• T1195.001: Compromise Software Dependencies and Development Tools
• T1499: Endpoint Denial of Service
• T1485: Data Destruction

Detection Ideas:

• Utilize Software Composition Analysis (SCA) tools to scan all code repositories for the identified malicious packages published by "shanhai666".
• Monitor build server logs for any connections to suspicious domains or execution of unexpected commands during package installation.

Mitigations:

• Immediately remove any identified malicious packages from development environments, build servers, and deployed applications.
• Implement stricter policies for vetting third-party libraries, including checking author reputation and package download statistics.
• Educate developers on the risks of typosquatting and malicious packages in open-source repositories.