2025-11-24

Threat Landscape Update

Weekly Threat Landscape Briefing

Report Date (UTC)
2024-05-21T16:00:00Z

Executive Summary

Immediate Priority Actions

  1. Patch Immediately: Prioritize patching Oracle Identity Manager for CVE-2025-61757, as it is under active exploitation.
  2. Patch & Hunt: Apply the patch for the WSUS vulnerability (CVE-2025-59287) and hunt for signs of post-exploitation activity, such as unusual processes spawned by WSUS services.
  3. Audit Developer Environments: Instruct development teams to audit all npm packages for signs of the "Shai-Hulud" campaign and remove the malicious "prettier-vscode-plus" VSCode extension.
  4. Update Grafana: Immediately update Grafana instances to remediate the critical CVE-2025-41115 vulnerability, especially where SCIM is used for user provisioning.
  5. Monitor Supply Chain: Review access logs for third-party applications connected to Salesforce following the Gainsight breach and notify customers of the Iberia Airlines supplier breach if relevant.
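An added example (not from the briefing or any vendor) supporting action 2 and the WSUS retro-hunt tasking below: it scans Sysmon-style process-creation events for shells and LOLBins spawned by WSUS. It assumes WSUS runs as WsusService.exe with its web services in an IIS worker (w3wp.exe) under the WsusPool application pool; the sample events are constructed.

```python
import json
from pathlib import PureWindowsPath

# Assumptions (not stated in the briefing): WSUS runs as WsusService.exe and
# its web services in an IIS worker (w3wp.exe) under the "WsusPool" app pool.
WSUS_SERVICE = "wsusservice.exe"
IIS_WORKER = "w3wp.exe"
WSUS_APP_POOL = "wsuspool"
# Interpreters and LOLBins a patch-management service has no reason to spawn.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "rundll32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "bitsadmin.exe", "regsvr32.exe",
}

# Constructed Sysmon-style process-creation events (one JSON object per line);
# hosts, paths and command lines are made up for this example.
SAMPLE_EVENTS = r"""
{"host":"wsus01","parent":"C:\\Windows\\System32\\services.exe","parent_cmd":"services.exe","image":"C:\\Program Files\\Update Services\\Service\\WsusService.exe","cmd":"WsusService.exe"}
{"host":"wsus01","parent":"C:\\Program Files\\Update Services\\Service\\WsusService.exe","parent_cmd":"WsusService.exe","image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c whoami"}
{"host":"wsus01","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","parent_cmd":"w3wp.exe -ap \"WsusPool\"","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -nop -w hidden"}
{"host":"web01","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","parent_cmd":"w3wp.exe -ap \"DefaultAppPool\"","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -File C:\\scripts\\rotate.ps1"}
{"host":"wsus01","parent":"C:\\Windows\\explorer.exe","parent_cmd":"explorer.exe","image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe"}
"""

def _basename(path):
    return PureWindowsPath(path).name.lower()

def is_wsus_parent(event):
    """True when the parent process is WSUS itself or its IIS worker."""
    parent = _basename(event["parent"])
    if parent == WSUS_SERVICE:
        return True
    # Other IIS app pools on the same host are out of scope for this hunt.
    return parent == IIS_WORKER and WSUS_APP_POOL in event.get("parent_cmd", "").lower()

def hunt(jsonl):
    """Return events where a WSUS process spawned an interpreter or LOLBin."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if is_wsus_parent(ev) and _basename(ev["image"]) in SUSPICIOUS_CHILDREN:
            findings.append({"host": ev["host"], "parent": _basename(ev["parent"]),
                             "child": _basename(ev["image"]), "cmd": ev["cmd"]})
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Feed it the exported Event ID 1 records from every WSUS server for the 30-day window; the DefaultAppPool line shows why the app-pool check matters on hosts that share IIS.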

Additional Intelligence Sections

Vulnerability & Exploitation Watch

| CVE | Product/Version | CVSS v3.1 | EPSS (%) | KEV? | Exploit Availability | Affected in estate? | Patch/Config Fix | Priority | Rationale | Sources (URL, UTC) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-61757 | Oracle Identity Manager | 9.8 | | Yes | In the Wild | Unknown | Patch available | P1 | Critical RCE in an identity product, confirmed exploited. Mandated by CISA KEV. | CISA (2025-11-21T12:00:00Z) |
| CVE-2025-59287 | Microsoft Windows Server Update Services (WSUS) | | | No | In the Wild | Unknown | Patch available | P1 | Actively exploited RCE in a core infrastructure management tool, leading to ShadowPad deployment. | Security Affairs (2025-11-24T12:35:42Z) |
| CVE-2025-41115 | Grafana (SCIM Component) | 10.0 | | No | Theoretical | Unknown | Patch available | P2 | Maximum severity vulnerability allowing privilege escalation in a widely used analytics platform. | SOC Prime (2025-11-24T11:24:23Z), THN (2025-11-21T21:10:00+0530) |
| CVE-2025-11001 | 7-Zip | | | No | PoC Available | Unknown | Manual update to v25.01 | P2 | Critical vulnerability with a public exploit in a ubiquitous file archive utility. | HackRead (2025-11-23T12:48:05Z) |
| CVE-2025-58034 | Fortinet FortiWeb | 6.7 | | No | In the Wild | Unknown | Patch available | P2 | Authenticated OS command injection vulnerability confirmed exploited in the wild. | THN (2025-11-19T09:50:00+0530) |
| CVE-2025-40601 | SonicWall SonicOS (SSLVPN) | 7.5 | | No | Theoretical | Unknown | Patch available | P2 | High-severity buffer overflow can cause firewall crashes (Denial of Service). | Security Affairs (2025-11-23T10:34:28Z) |
| CVE-2025-41733 | METZ CONNECT EWIO2 | 9.8 | | No | Theoretical | Unknown | Update to firmware v2.2.0 | P3 | Critical authentication bypass in an ICS product allows root credential setting. | CISA (2025-11-18T12:00:00Z) |
| CVE-2024-3871 | Emerson Appleton UPSMON-PRO | 9.8 | | No | Theoretical | Unknown | End-of-Life product. Block UDP port 2601. | P3 | Critical stack-based buffer overflow in an End-of-Life ICS product. | CISA (2025-11-20T12:00:00Z) |

Indicators of Compromise (IOCs)

No new, high-confidence indicators of compromise were identified in the provided sources this week. Most reporting focused on vulnerabilities and TTPs rather than specific infrastructure.

Threat Actors & Campaigns

  • Name: China-linked APTs
  • Sponsor/Motive: State-sponsored / Espionage, Information Theft
  • Targeting: Broad, including Russian IT sector (APT31), aerospace, and various entities in Taiwan.
  • Typical TTPs: T1190 (Exploit Public-Facing Application), T1588.002 (Tool: Code Repositories), T1059.001 (PowerShell), T1574.002 (DLL Side-Loading).
  • Recent Activity:
      • Observed exploiting CVE-2025-59287 (WSUS) to deliver ShadowPad malware (The Hacker News, 2025-11-24T12:48:00+0530).
      • APT24 (aka BadAudio group) conducted a nearly three-year campaign using supply chain attacks to deploy the BADAUDIO malware (The Hacker News, 2025-11-21T16:12:00+0530).
      • APT31 targeted the Russian IT sector between 2024-2025 using cloud services to maintain persistence (The Hacker News, 2025-11-22T20:49:00+0530).
  • Confidence: High

Sector & Geo Risk Signals

  • Technology Sector: Russian IT companies, particularly those serving as government contractors, were targeted by China-linked APT31 in long-term espionage campaigns (The Hacker News, 2025-11-22T20:49:00+0530).
  • Travel/Aviation Sector: Iberia Airlines notified customers of a data breach stemming from a compromise at a third-party supplier (BleepingComputer, 2025-11-23T08:46:25-0500).
  • Legal & Regulatory: The U.S. SEC has voluntarily dismissed its lawsuit against SolarWinds and its CISO, a significant development in the legal landscape regarding CISO liability for security incidents (The Hacker News, 2025-11-21T13:35:00+0530).

Third-Party & Supply Chain Notes

  • UPDATE: Iberia Airlines has disclosed a data breach originating from a third-party supplier, days after a threat actor claimed to have stolen 77GB of data (Security Affairs, 2025-11-23T17:25:24+0000). The scope of exposed customer data is not yet fully detailed.
  • NEW: Salesforce / Gainsight: Salesforce issued a security advisory regarding unusual activity involving Gainsight-published applications, which may have enabled unauthorized access to some customers' Salesforce data (The Hacker News, 2025-11-21T11:02:00+0530).
  • NEW: npm Registry: The "Shai-Hulud" campaign represents a significant supply chain threat, compromising hundreds of developer packages to steal credentials via preinstall scripts (The Hacker News, 2025-11-24T18:33:00+0530).
  • NEW: VSCode Marketplace: A malicious extension named 'prettier-vscode-plus' was identified and removed from the official marketplace. It was designed to deploy the Anivia Stealer malware on developer machines (HackRead, 2025-11-24T12:43:57+0000).
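An added example, not part of the briefing, supporting the npm audit in action 3 and the DevSecOps tasking below: it lists every install-time lifecycle hook under node_modules (the preinstall vector the Shai-Hulud note describes) and flags the ones that warrant a manual look. The risk heuristic and the sample dependency tree are assumptions constructed for this example, not a published campaign signature.

```python
import itertools
import json
import re
import tempfile
from pathlib import Path

# npm runs these lifecycle hooks automatically during "npm install".
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Heuristic for hooks that deserve a manual look (assumption for this example,
# not a published campaign signature): network tools or ad-hoc script execution.
RISKY = re.compile(r"\b(curl|wget|node\s+\S+\.js|bash\s+-c|powershell|eval\()", re.I)

def audit_node_modules(root):
    """Return every install-time hook under root, riskiest first."""
    findings = []
    patterns = ("node_modules/*/package.json", "node_modules/@*/*/package.json")
    for pkg_json in itertools.chain.from_iterable(Path(root).rglob(p) for p in patterns):
        try:
            meta = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue
        for hook in INSTALL_HOOKS:
            cmd = (meta.get("scripts") or {}).get(hook)
            if cmd:
                findings.append({"package": meta.get("name", pkg_json.parent.name),
                                 "hook": hook, "command": cmd,
                                 "risky": bool(RISKY.search(cmd))})
    return sorted(findings, key=lambda f: (not f["risky"], f["package"]))

# Constructed dependency tree for the example: one clean package, one legitimate
# native build step, one scoped package running a bundled script at preinstall.
SAMPLE_TREE = {
    "node_modules/left-pad/package.json": {"name": "left-pad", "version": "1.3.0"},
    "node_modules/native-addon/package.json": {"name": "native-addon", "scripts": {"install": "node-gyp rebuild"}},
    "node_modules/@acme/utils/package.json": {"name": "@acme/utils", "scripts": {"preinstall": "node install-helper.js"}},
}

def build_sample_tree():
    """Write SAMPLE_TREE into a fresh temp dir and return its path."""
    root = Path(tempfile.mkdtemp())
    for rel, meta in SAMPLE_TREE.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(meta), encoding="utf-8")
    return root

if __name__ == "__main__":
    for f in audit_node_modules(build_sample_tree()):
        print(f)
```

Point audit_node_modules at a project checkout after a fresh install; a legitimate native build step (node-gyp) is listed but not flagged, while a bundled script run at preinstall is.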

Detections & Response Playbook Updates

  • New/Updated Sigma Rules:
      • 9d58e38bbcd2: Updated rule for "Potential CVE-2024-3400 Exploitation" to improve selection criteria (SigmaHQ GitHub, 2025-11-24T08:54:29.000Z).
      • bbbfb67ab0a2: Added new rules for "Atomic MacOS Stealer" persistence and file grabber activity (SigmaHQ GitHub, 2025-11-24T02:52:52.000Z).
      • 37024247ae01: Added a new rule for "Suspicious Kerberos Ticket Request via CLI" (SigmaHQ GitHub, 2025-11-23T15:27:40.000Z).
      • 0d7658fb3a66: Added new rules for "Windows Default Domain GPO Modification" (SigmaHQ GitHub, 2025-11-23T14:51:08.000Z).
      • 5121401b0184: Added a new rule for "HackTool - WSASS Execution" and updated detection for PPL Tampering via WerFaultSecure (SigmaHQ GitHub, 2025-11-23T14:15:17.000Z).

Assumptions, Gaps, and Tasking

  • Assumptions:
      • We assume the organization operates a standard enterprise environment that includes Microsoft Windows Servers (and potentially WSUS), identity management solutions, and software development teams using common tools like npm and VSCode. (Confidence: High)
  • Intelligence Gaps:
      • The specific compromised npm packages in the "Shai-Hulud" campaign are not listed in the provided sources.
      • Specific Indicators of Compromise (IPs, domains, hashes) for the active exploitation of CVE-2025-61757 (Oracle) and CVE-2025-59287 (WSUS) are not available in these reports.
      • The full scope and impact of the Iberia and Gainsight/Salesforce supply chain incidents are still unknown.
  • Tasking:
      • Asset Management: Identify all instances of Oracle Identity Manager, WSUS servers, and Grafana installations within the environment. Confirm their patch status and exposure.
      • SOC/Threat Hunting:
          • Initiate a 30-day retro-hunt for anomalous process chains on all WSUS servers.
          • Hunt for evidence of the 'prettier-vscode-plus' extension or its associated malware, Anivia Stealer, on developer endpoints.
      • Development/DevSecOps:
          • Communicate the threat of the "Shai-Hulud" campaign to all development teams.
          • Mandate scans of all active projects for dependencies potentially affected by this or similar campaigns.
