NIST Publishes Report on Digital Product Cybersecurity Education and Awareness for Design-A-Thon Event

NIST has published Internal Report (IR) 8558, Report on the Design-A-Thon: Designing Effective and Accessible Approaches for Digital Product Cybersecurity Education and Awareness. The Design-A-Thon event was organized by NIST and hosted by the Symposium on Usable Privacy and Security (SOUPS) on August 11th, 2024. For the project, three teams developed cybersecurity education and awareness strategies based on mock Internet of Things (IoT) products described in the Design-A-Thon materials.

This report describes the project’s background, planning, execution, participants, and lessons learned.


Protecting Controlled Unclassified Information: A NIST Small Business Cybersecurity Webinar

Date: November 4, 2025

Time: 2:00PM – 3:00PM EST

Location: Virtual

Description: 

Recently, NIST published a Small Business Primer for NIST Special Publication (SP) 800-171, Revision 3, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems, to help small and medium-sized businesses understand and implement security requirements for protecting CUI. During this webinar, NIST will provide attendees with an overview of the new primer, including:

  • A foundational overview of SP 800-171.
  • Key differences between SP 800-171 Revision 2 and Revision 3.
  • An overview of the relationship between SP 800-171 and SP 800-171A.
  • Considerations to be mindful of as small organizations begin implementing the requirements in SP 800-171.
  • Answers to frequently asked questions.

Time will be reserved to answer audience questions. Please bring your ideas. The speakers will want to hear from attendees to inform follow-on resource development in the form of other guides, webinar topics, etc., to support the small business community’s efforts to protect CUI.

Event Speakers:

  • Victoria Pillitteri, Co-Author of NIST SP 800-171, NIST
  • Daniel Eliot, Lead for Small Business Engagement, NIST

Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution – PATCH: NOW

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution. Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights. 

THREAT INTELLIGENCE:
Google reports targeted exploitation of CVE-2025-38352 and CVE-2025-48543 in the wild.

SYSTEMS AFFECTED:

  • Android OS patch levels prior to 2025-09-05

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution in the context of the affected component. Following the MITRE ATT&CK framework, exploitation of these vulnerabilities can be classified as follows:

Tactic: Execution (TA0002)

Technique: Exploitation for Client Execution (T1203):

  • A vulnerability in System that could allow for remote code execution. (CVE-2025-48539)

Details of lower-severity vulnerabilities are as follows:

  • A vulnerability in Android Runtime that could allow for elevation of privilege. (CVE-2025-48543)
  • Multiple vulnerabilities in Framework that could allow for elevation of privilege. (CVE-2025-0089, CVE-2025-32324, CVE-2025-32325, CVE-2025-32331, CVE-2025-32349, CVE-2025-32350, CVE-2025-48522, CVE-2025-48528, CVE-2025-48540, CVE-2025-48546, CVE-2025-48548, CVE-2025-48549, CVE-2025-48552, CVE-2025-48553, CVE-2025-48556, CVE-2025-48558, CVE-2025-48563)
  • Multiple vulnerabilities in Framework that could allow for information disclosure. (CVE-2025-0076, CVE-2025-32330, CVE-2025-48529, CVE-2025-48537, CVE-2025-48545, CVE-2025-48561, CVE-2025-48562)
  • Multiple vulnerabilities in Framework that could allow for denial of service. (CVE-2025-48538, CVE-2025-48542, CVE-2025-48550, CVE-2025-48554, CVE-2025-48559)
  • Multiple vulnerabilities in System that could allow for elevation of privilege. (CVE-2021-39810, CVE-2023-24023, CVE-2024-49714, CVE-2025-26454, CVE-2025-26464, CVE-2025-32321, CVE-2025-32323, CVE-2025-32326, CVE-2025-32327, CVE-2025-32333, CVE-2025-32345, CVE-2025-32346, CVE-2025-32347, CVE-2025-48523, CVE-2025-48526, CVE-2025-48531, CVE-2025-48532, CVE-2025-48535, CVE-2025-48541, CVE-2025-48544, CVE-2025-48547, CVE-2025-48581)
  • Multiple vulnerabilities in System that could allow for information disclosure. (CVE-2025-48527, CVE-2025-48551, CVE-2025-48560)
  • Multiple vulnerabilities in System that could allow for denial of service. (CVE-2025-48524, CVE-2025-48534)
  • Multiple vulnerabilities in Kernel that could allow for elevation of privilege. (CVE-2025-21755, CVE-2025-38352)
  • A vulnerability in Widevine DRM. (CVE-2025-32332)
  • Multiple vulnerabilities in Arm components. (CVE-2024-7881, CVE-2025-1246, CVE-2025-3212)
  • Multiple vulnerabilities in Imagination Technologies. (CVE-2024-47898, CVE-2024-47899, CVE-2025-0467, CVE-2025-1706, CVE-2025-8109, CVE-2025-25179, CVE-2025-25180, CVE-2025-46707, CVE-2025-46708, CVE-2025-46710)
  • Multiple vulnerabilities in MediaTek components. (CVE-2025-20696, CVE-2025-20704, CVE-2025-20708, CVE-2025-20703)
  • Multiple vulnerabilities in Qualcomm components. (CVE-2025-27042, CVE-2025-27043, CVE-2025-27056, CVE-2025-27057, CVE-2025-27061)
  • Multiple vulnerabilities in Qualcomm closed-source components. (CVE-2025-21450, CVE-2025-21483, CVE-2025-27034, CVE-2025-21427, CVE-2025-21432, CVE-2025-21433, CVE-2025-21446, CVE-2025-21449, CVE-2025-21454, CVE-2025-21464, CVE-2025-21465, CVE-2025-21477, CVE-2025-21481, CVE-2025-21482, CVE-2025-21484, CVE-2025-21487, CVE-2025-21488, CVE-2025-27032, CVE-2025-27052, CVE-2025-27065, CVE-2025-27066, CVE-2025-27073, CVE-2025-47317, CVE-2025-47318, CVE-2025-47326, CVE-2025-47328, CVE-2025-47329)

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution. Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Google to vulnerable systems, immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. Inform and educate users regarding threats posed by hypertext links contained in emails or attachments, especially from un-trusted sources. (M1017: User Training)
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Apple® System Integrity Protection (SIP) and Gatekeeper™.
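
To act on the patching recommendation, a fleet inventory can be checked against the affected patch level stated above. The following is an added example, not part of the original advisory: it assumes a hypothetical MDM export with `device_id`, `model` and `security_patch` columns, where `security_patch` holds the value each device reports in `ro.build.version.security_patch`. The inventory rows are constructed.

```python
import csv
import io
from datetime import date

# Threshold from the advisory: patch levels prior to 2025-09-05 are affected.
REQUIRED_PATCH_LEVEL = date(2025, 9, 5)

# Constructed sample inventory (hypothetical MDM export; column names are assumptions).
SAMPLE_INVENTORY = """device_id,model,security_patch
tab-001,Tablet A,2025-09-05
ph-002,Phone B,2025-09-01
ph-003,Phone C,2025-08-05
ph-004,Phone D,
wt-005,Watch E,unknown
"""


def parse_patch_level(value):
    """Return a date for a YYYY-MM-DD patch level string, or None if unusable."""
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError):
        return None


def audit(inventory_csv, required=REQUIRED_PATCH_LEVEL):
    """Classify each device as 'patched', 'affected' or 'unknown'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        level = parse_patch_level(row.get("security_patch") or "")
        if level is None:
            # A device that does not report a patch level cannot be shown to be safe.
            status = "unknown"
        elif level < required:
            # Includes 2025-09-01: that level is still prior to 2025-09-05.
            status = "affected"
        else:
            status = "patched"
        results[row["device_id"]] = status
    return results


def needs_action(results):
    """Device IDs that are affected or whose patch level could not be determined."""
    return sorted(dev for dev, status in results.items() if status != "patched")


if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```

Devices reporting 2025-09-01 are flagged along with older ones, and devices with a missing or unparseable value are listed for follow-up rather than assumed patched.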

REFERENCES:

Google:
https://source.android.com/docs/security/bulletin/2025-09-01#Google-Play-system-updates
 
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39810
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24023
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7881
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47898
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47899
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49714
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0076
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0089
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0467
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1246
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1706
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3212
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-8109
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20696
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20703
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20704
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20708
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21427
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21432
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21433
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21446
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21454
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21464
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21465
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21481
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21482
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21483
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21484
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21487
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21488
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25179
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26454
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26464
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27034
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27042
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27043
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27052
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27056
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27057
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27061
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27065
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27066
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32321
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32323
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32324
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32325
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32326
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32327
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32330
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32331
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32332
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32333
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32345
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32346
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32347
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32349
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32350
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21755
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-38352
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46707
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46708
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46710
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47317
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47318
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47326
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47328
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47329
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48522
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48523
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48524
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48526
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48527
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48528
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48529
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48531
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48532
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48534
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48535
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48537
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48538
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48539
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48540
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48541
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48542
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48543
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48545
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48546
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48548
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48549
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48550
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48551
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48552
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48553
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48554
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48556
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48558
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48559
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48560
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48561
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48562
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48563
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48581

APT29 Threat Analysis Report

APT29, also known as Cozy Bear, Midnight Blizzard, The Dukes, Dark Halo, and NobleBaron, is a Russian state-sponsored cyber group linked to the Foreign Intelligence Service (SVR). APT29 has recently advanced its tradecraft by leveraging legitimate cloud services and Software-as-a-Service (SaaS) platforms to conduct covert, highly targeted cyber espionage campaigns. Their operations have primarily focused on Western governments, diplomatic entities, and critical infrastructure. This shift toward cloud-native techniques allows their activity to blend into normal network traffic, significantly reducing the effectiveness of traditional security tools.
This evolution is part of a broader trend among nation-state actors using “living off the land” techniques to evade detection and maintain long-term access to compromised environments.
As geopolitical tensions continue to rise, organizations in targeted sectors must reassess their cloud security posture and detection strategies to defend against increasingly stealthy and persistent threats like APT29.

Local Municipality Impersonation to Steal Data and Funds

The NJCCIC received reports of threat actors impersonating multiple New Jersey local municipalities to steal sensitive data and funds and exploit public trust. Threat actors take advantage of residents who interact with their local municipalities regularly and are more likely to trust communications appearing to be official. They pose as local officials and contact residents through unsolicited communications to demand information or money using threats and deceptive tactics such as stolen branding and logos, unofficial or spoofed email addresses and phone numbers, and fake documents.
In one example, threat actors impersonate a local municipality in an unsolicited email to create urgency and legitimacy by demanding additional payment to avoid delays in the bulk variance application approval process. The sender’s display name is “Planning Commission [local municipality name].” In the sender’s email address, the username is “planning-commission.[local municipality name]nj” with a “usa” domain name and .com top-level domain (TLD), unlike the official local municipality. The subject line displays “Settlement of Application Review and Approval Fee Invoice” and includes an attached Adobe PDF file.
The attached Adobe PDF file appears to be an official and legitimate invoice, but it contains stolen branding and logos in the watermark in the background and on the letterhead. The fraudulent invoice itemizes various fees due upon receipt. Unlike typical payment methods of checks or official portals, the remittance instructions in the invoice indicate payment is only through wire transfer, and the threat actors will provide those instructions upon request. If requested, the bank account information provided is not affiliated with the local municipality and may be linked to an out-of-state bank account. The threat actors further instruct their target to email them a signed copy of the invoice and the wire transfer payment receipt for confirmation. The invoice also states that this fee supports the administrative processing, legal evaluation, zoning compliance verification, and public notification procedures directly tied to the recipient’s application. If this fraudulent scheme is successful, the threat actors steal the funds and use the victim’s sensitive information and signature to commit identity theft, financial fraud, and other malicious activity.  
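
The sender mismatch and payment demand described above can be checked mechanically at a mail gateway or during triage. The following is an added example, not part of the original report: "Exampletown", the allowlist of official domains, and both messages are constructed stand-ins for the elided municipality name.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allowlist: municipality keyword -> domains it really sends from.
OFFICIAL_DOMAINS = {"exampletown": {"exampletown.example"}}

# Constructed messages; "Exampletown" stands in for the elided municipality name.
PHISH = """\
From: "Planning Commission Exampletown" <planning-commission.exampletownnj@usa.com>
Subject: Settlement of Application Review and Approval Fee Invoice

Payment is accepted by wire transfer only. Instructions provided upon request.
"""

LEGIT = """\
From: "Exampletown Planning Board" <planning@exampletown.example>
Subject: Hearing date for your application

Your hearing is scheduled. Fees are payable by check or through the town portal.
"""


def body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = []
    for part in msg.walk():
        payload = part.get_payload()
        if part.get_content_type() == "text/plain" and isinstance(payload, str):
            parts.append(payload)
    return " ".join(parts)


def check_message(raw, official=OFFICIAL_DOMAINS):
    """Return a list of impersonation findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    findings = []
    for name, domains in official.items():
        if domain in domains:
            continue  # genuinely sent from the municipality's own domain
        if name in display.lower():
            findings.append(f"display name claims {name!r} but sender domain is {domain!r}")
        if name in local:
            findings.append(f"{name!r} embedded in username at unofficial domain {domain!r}")
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    if "wire transfer" in text:
        findings.append("payment requested by wire transfer")
    return findings


if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, check_message(raw))
```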

Threat Actors Want Your Remote…Access

The NJCCIC has observed threat actors continuing to exploit remote monitoring and management (RMM) tools such as PDQ Connect, ScreenConnect, ITarian, and Atera to remotely access target environments. The use of RMM software enables threat actors to gain initial access, often without triggering security alerts due to the legitimate nature of these programs. Once installed, RMM tools can be used similarly to remote access trojans (RATs), enabling threat actors to exfiltrate data, maintain persistent access, move laterally, and even download malware.
In these types of campaigns, threat actors use social engineering to persuade their targets to download and install their software. They often employ urgency or scare tactics to prompt quick action before the victim realizes they are being targeted. In one such campaign, users receive a phishing email that appears to be from the Social Security Administration.
Upon clicking the URL in the phishing email, users are directed to a website with instructions that claim certain software must be installed before they can access their secure files. After installing the software and running it as an administrator, threat actors can gain full remote control of the victim’s system. The NJCCIC has also recently reported on campaigns distributing PDQ Connect, Microsoft Quick Assist, and ScreenConnect.

Random Number Generation Using DRBGs | Pre-Draft Call for Comments on SP 800-90A

NIST Special Publication (SP) 800-90Ar1 (Revision 1), Recommendation for Random Number Generation Using Deterministic Random Bit Generators (DRBGs), provides guidelines for generating cryptographically secure random numbers using deterministic methods. This recommendation specifies approved DRBG mechanisms based on hash functions and block ciphers.

NIST is planning a second revision of SP 800-90A to reflect advancements in cryptographic research and maintain consistency across related standards. A public comment period on all aspects of the current SP 800-90A will be open until November 4, 2025. See the full announcement for more details.
