Author: blogmirnet

YOUTUBE | ARCHIVE | PERMALINK

Date: October 30,2025

Venue: BMCC, NYC
Webcast: ISOC.LIVE

Section 1 – Opening & Keynote

01 – Opening Remarks

Speaker: Steven Nuñez (BMCC)

• Welcomed attendees; first time the conference is hosted at BMCC.
• Highlighted BMCC’s non-degree cyber/IT training + apprenticeship tracks.
• Programs include cybersecurity, networking, cloud, data, software, AI (new 2026).
• Partnerships: CompTIA, ISC², AWS, Cisco, Palo Alto.
• Emphasized workforce development + student participation.
• Message: “Start here, work anywhere.”

02 – Keynote: Overcoming Fear and Failure

Speaker: Richard Greenberg

• Focused on mindset, resilience, leadership — not tech.
• Fear of failure = main blocker to innovation in cybersecurity.
• Shared shift from architecture to cybersecurity; risk leads to growth.
• Leadership = ethics, speaking truth, mentoring others, embracing mistakes.
• Quote: “Those who fail most, succeed most.”

Section 2 – Threats, Defense & Hybrid Security

03 – Threat Informed Defense (TID)

Speaker: Doug José Santos (Fortinet)

• Traditional defense = reactive; TID = proactive, adversary-focused.
• Use MITRE ATT&CK to map attacker techniques to real defenses.
• Build MITRE heat maps from internal telemetry — not generic threat feeds.
• Prioritize detection + purple team based on actual adversary behaviors.
• Demo: AI-driven SOAR investigating crypto-mining incident.

04 – Breaching Both Worlds (Cyber + Physical)

Speaker: Herbert “Trey” Decker III

• Cyber + physical teams don’t communicate — attackers exploit both.
• Example: terminated employee leaves Raspberry Pi + active badge access.
• Issues: ghost accounts, HR not informing IT, unlocked server rooms.
• Fixes: badge automation, HR/SOC alerts, joint tabletop drills.
• Quote: “What you do at home is convenience. At work, it’s security.”

Section 3 – Leadership, Culture & Human Risk

05 – Fighting the Dark Triad (Toxic Leadership)

Speaker: Matthew Webster (Cyvergence)

• Described toxic traits in leadership: narcissism, Machiavellianism, psychopathy.
• CISO reality: burnout, blame, fear of speaking truth.
• Shared personal story of being undermined by CIO.
• Survival tactics: document everything, set boundaries, build allies, plan exit.
• Quote: “You can’t protect the company if your leadership is destroying the team.”

Section 4 – AI in Cybersecurity: Risk, Abuse & Defense

06 – RAGe Against the Machine

Speaker: Brennan Lodge (FBI Cyber)

• Focus on RAG (Retrieval-Augmented Generation) + AI use in cyber operations.
• AI threats: phishing, malware generation, voice deepfakes, influence ops.
• RAG risks: prompt injection, data poisoning, leaking internal docs.
• FBI only uses AI in Isolated, non-classified environments.
• Key point: AI must be governed like any privileged insider.

07 – When Your AI Tool Becomes the Breach

Speaker: Thomas Ryan (Asymmetric Response)

• Main issue: AI isn’t the breach — humans make it the breach.
• Employees feed company data into ChatGPT, Gemini, etc.
• AI plugins with full access leak payroll, legal docs, internal repos.
• Shadow AI = biggest risk; unapproved tools with no logging.
• Fix: AI governance, access control, prompt logging, safe enterprise AI.

09 – Securing AI Innovation (Proactive Defense)

Speaker: Brice Daniels (Mandiant / Google Cloud)

• Defined AI systems: LLMs → Agents → Autonomous pipelines.
• Attack surfaces: prompt injection, memory scraping, tool misuse, RAG hacks.
• AI can bypass traditional controls (API auth, firewalls) by design.
• Recommendations:
  • Build AI threat models
  • Control tool execution; isolate agent environments
  • Add AI to red teaming + SOC simulations

Section 5 – Community & Workforce

08 – The Cyber Breakfast Club

Speaker: Mike Charobee (with Marc Drapcho, Safetica)

• Community initiative for mentorship, early-career professionals, networking.
• Encouraged students to show up, build projects, meet people, use AI wisely.
• Drapcho introduced Safetica – insider threat + data loss prevention.
• Message: community + soft skills = as critical as certifications.

10 – Closing Remarks

Speaker: Steven Nuñez (BMCC)

• Thanked speakers, organizers, sponsors, BMCC staff and students.
• Reinforced need to sustain industry–education partnerships.
• Encouraged LinkedIn connections + ongoing collaboration.
• “This should not be a one-day event — this is the start of a pipeline.”

Multiple vulnerabilities have been discovered in Cisco products, the most severe of which could allow for remote code execution. Cisco is a leading technology company best known for its networking hardware and software, such as routers and switches, that form the backbone of the internet and enterprise networks. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution as root, which may lead to the complete compromise of the affected device.

THREAT INTELLIGENCE:

The Cisco Product Security Incident Response Team (PSIRT) is aware of attempted exploitation of CVE-2025-20354 and CVE-2025-20358. A detection guide can be found in the references section further down this advisory.

SYSTEMS AFFECTED:

• Cisco Unified Contact Center Express versions 12.5 SU3 and earlier

RISK:
Government:

• Large and medium government entities: High
• Small government entities: Medium

Businesses:

• Large and medium business entities: High
• Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Cisco products, the most severe of which could allow for remote code execution. Details of the vulnerability are as follows:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

• CVE-2025-20354: Cisco Unified CCX Remote Code Execution Vulnerability. The vulnerability exists in the Java Remote Method Invocation (RMI) process of Cisco Unified CCX, which originates from an improper authentication mechanism associated with specific Cisco Unified CCX features. An attacker could exploit this vulnerability by uploading a crafted file to an affected system through the Java RMI process. Successful exploitation of the vulnerability may allow an unauthenticated, remote attacker to upload arbitrary files and execute arbitrary commands with root permissions on an affected system.

• CVE-2025-20358: Cisco Unified CCX Editor Authentication Bypass Vulnerability. The vulnerability exists in the Contact Center Express (CCX) Editor application of Cisco Unified CCX, which originates from an improper authentication mechanism in the communication between the CCX Editor and an affected Unified CCX server. An attacker could exploit this vulnerability by redirecting the authentication flow to a malicious server and tricking the CCX Editor into believing the authentication was successful. Upon successful exploitation, an attacker may create and execute arbitrary scripts on the underlying operating system of an affected Unified CCX server as an internal, non-root user account.

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution as root, which may lead to the complete compromise of the affected device.

RECOMMENDATIONS:

We recommend the following actions be taken:

• Apply appropriate updates provided by Cisco or other vendors which use this software to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.5 : Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
  • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
  • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
  • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
  • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

• Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

• Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
  • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.

• Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
  • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.

• Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  • Safeguard 10.5:  Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

Cisco:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-unauth-rce-QeN8h7mQ

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwq36528

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwq36573

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20358

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20354

APT44, also known as Sandworm, FROZENBARENTS, Seashell Blizzard, and Voodoo Bear, is a Russian state-sponsored cyber group attributed to GRU Unit 74455. APT44 has significantly evolved its operations in recent years, expanding from traditional cyber espionage into a full-spectrum capability encompassing sabotage, psychological operations, and battlefield support. Its campaigns have targeted Ukraine and NATO countries, with a growing focus on critical infrastructure such as energy, water, and telecommunications.

APT44’s operations increasingly leverage a combination of custom wiper malware, “living-off-the-land” (LOTL) techniques, and publicly available tools to conduct destructive attacks while minimizing attribution and detection. The group has also employed hacktivist personas and false-flag operations to obscure its involvement and sow confusion in the information space.

This shift reflects a broader strategic trend in Russian cyber doctrine, where cyber operations are fully integrated into military campaigns and geopolitical influence efforts. As hybrid conflict becomes the norm, organizations supporting critical functions must prepare not just for espionage, but pre-positioning and sabotage by highly capable actors like APT44.

Key Points

• APT44 is a Russian state-sponsored cyber sabotage and espionage group linked to GRU Unit 74455, known for targeting Ukraine, NATO member states, and global critical infrastructure.
• The group has expanded its mission set from military intelligence collection to including destructive operations, information warfare, and support for military campaigns.
• APT44 employs a hybrid toolkit combining custom wiper malware, commodity RATs, and LOTL techniques, often delivered through supply-chain compromises, phishing, and edge device exploitation.
• APT44’s tactics enable it to operate covertly within civilian networks, undermining traditional perimeter defenses and increasing operational risk for infrastructure operators, especially in energy, water, and telecom sectors.

Risk Assessment

The NJCCIC has assessed that APT44 poses a significant and escalating threat to organizations that operate critical infrastructure, higher education networks, and government systems. By deploying destructive malware, targeting industrial control systems, and integrating LOTL techniques with newer cloud and AI-enabled capabilities, the group can achieve both immediate disruption and sustained covert access.

This evolution is particularly concerning for organizations with operational technology dependencies and hybrid cloud environments, where visibility into lateral movement, identity abuse, and process manipulation are often limited. APT44 has previously conducted highly disruptive attacks such as NotPetya and Industroyer2 against similar targets, and its malware families have been observed exploiting vulnerabilities common across enterprise and industrial systems.

These tactics align with persistent weaknesses in cloud security, OT/IT integration, and incident response readiness, increasing the likelihood of severe service disruption, data loss, or reputational harm. The group’s destructive mandate, combined with its ability to blend disruption with stealthy persistence, underscores the urgent need for enhanced detection, network segmentation, and resilience planning against APT44 campaigns.

Threat Actor Summary

APT44, associated with the GRU’s Unit 74455 (Sandworm), primarily targets government, energy, critical infrastructure, technology, and education sectors in countries such as Ukraine, the United States, NATO members, and other Western allies. Since 2009, the group has been actively tracked by the cybersecurity community and is regarded as one of Russia’s most destructive and disruptive cyber units, supporting Moscow’s military and geopolitical objectives.

Technical Analysis

Tactics, Techniques, & Procedures

APT44 is known for its destructive and disruptive cyber operations in support of Russian military objectives. The group often gains access through spearphishing campaigns, exploitation of edge vulnerabilities, and supply chain compromises. They also employ LOTL techniques to blend into normal network activity and establish persistence.

Once inside, APT44 deploys custom malware families such as NotPetya, BlackEnergy, Industroyer, and Industroyer2, designed to wipe data, disrupt systems, or directly manipulate industrial control systems (ICS). Unlike espionage-focused groups, APT44 frequently times operations with kinetic military actions and leverages wipers, ICS-targeting tools, and destructive payloads to maximize impact.

Infrastructure

APT44 maintains a diverse and adaptable infrastructure to support its operations. This includes the use of compromised servers, hijacked domains, and VPNs for command-and-control (C2). They have also leveraged hardcoded infrastructure within destructive malware, creating global spillover effects, as seen in the NotPetya campaign. In recent activity, APT44 has increasingly relied on compromised network devices and legitimate administrative tools to maintain access and facilitate attacks.

Victims

APT44’s targeting closely aligns with Russia’s military and geopolitical priorities, focusing on disruption rather than espionage. Victims have included critical infrastructure operators, energy providers, higher education institutions, and government agencies, particularly those supporting Ukraine or NATO allies. Their operations are designed to undermine stability, cause economic damage, and erode confidence in Western institutions.

Target Sectors

• Government and Defense Institutions
• Energy and Critical Infrastructure (including ICS/SCADA systems)
• Higher Education and Research
• Technology and Telecommunications
• Media and Olympics

Geographic Focus

• Ukraine
• United States
• NATO Member States
• European Union Countries
• Western Allies supporting Ukraine

Attribution

APT44 has been widely attributed to the Russian GRU’s Main Center for Special Technologies (Unit 74455), commonly referred to as Sandworm. This attribution is supported by forensic evidence, including the reuse of destructive malware families, infrastructure overlaps, operational timing aligned with Russian military campaigns, and strategic targeting consistent with Russian state objectives. The group’s working patterns, Russian language artifacts, and repeated coordination with broader GRU operations reinforce its role as a core offensive cyber unit of the Russian state.

Have you received a text message regarding an unpaid toll or package misdelivery lately? You are not the only one. Researchers discovered a SMiShing (SMS text phishing) campaign attributed to the “Smishing Triad” that has been circulating since April 2024. A China-based threat actor has been impersonating a variety of international services within critical infrastructure, including banking, cryptocurrency, e-commerce, healthcare, law enforcement, and social media. The campaign places a significant focus on targeting US residents by impersonating organizations, such as commercial and state-owned mail and package delivery services, state vehicles and licensing agencies, and state and federal tax services or agencies. The “Smishing Triad” employs standard tactics by sending text messages that create urgency to trick victims into acting immediately. Once victims click on an included link, they are directed to a phishing page that captures sensitive information, including Social Security numbers, addresses, payment information, and login credentials.

This threat actor has been challenging to detect due to their operation and hosting infrastructure. Researchers have identified 194,000 malicious domains linked to the operation. The attack infrastructure is primarily hosted on popular US cloud services, despite the malicious domains being registered through a Hong Kong-based registrar and utilizing Chinese nameservers. A majority of the “Smishing Triad” root domains were created with a hyphenated series of strings followed by a top-level domain (TLD) (e.g., [string1]-[string2].[TLD]). For example, one of the domains linked to this threat actor is “ezpassnj[.]gov-mhmt[.]xin,” which could be mistaken for the legitimate ezpassnj.gov. Notably, this campaign is evolving to impersonate many types of services, as there has been a significant increase in the registration of “.gov” TLDs in the past three months.

Document Review Detours to Legitimate Jotform Platform

Jotform is used to create online forms and apps to collect data, process payments, and automate workflows without coding. It is a versatile tool for businesses and individuals in legitimate use cases. However, Jotform can also create opportunities for threat actors to exploit it for malicious purposes, such as phishing, information gathering, and malware distribution.

Threat actors compromised the user’s account and utilized the user’s signature and organization branding to send multiple phishing emails. The emails purport to be powered by Docusign and claim to be a document for review. Depending on the campaign, the subject line indicates a file transfer notification (which differs from the message content as shown in the above image) or a named document for review.

If the “Review Documents” button is clicked, the target is directed to the Jotform platform, which displays a fake form to convince users to “install” an app. Threat actors use the sender’s organization name from the compromised account to label the form title in the web browser’s tab and app, making it appear legitimate. Installing an app to view a document is typically a red flag, especially for popular Microsoft or Adobe products and services, as many businesses currently utilize them for work assets. If the “app” is installed, it is added to the home screen and claims to open and run safely in a focused window, offer quick access options such as pinning to the taskbar or start menu, and sync across multiple devices. Additionally, the user is prompted with a Cloudflare check to verify that they are human and “activate” safe browsing features.

A Microsoft phishing page is displayed, featuring stolen branding, to trick users into entering their account credentials to review the supposed document. Another red flag is the URL because it does not contain “Microsoft” in the domain name. Instead, it includes “document365s” and uses “.com” appended with a sneaky “.de” top-level domain (TLD) to appear legitimate.

This Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.

A vulnerability has been discovered in Microsoft Windows Server Update Services (WSUS) which could allow for remote code execution. WSUS is a tool that helps organizations manage and distribute Microsoft updates across multiple computers. Instead of every PC downloading updates from Microsoft’s servers, WSUS downloads the updates and stores them, then distributes them to all computers on the network that connect to it. Successful exploitation of the vulnerability could allow a threat actor to gain full control of the WSUS server and distribute malicious updates to client devices.

Threat Intelligence

Proof-of-concept exploit code was released according to open source reporting. Additionally, CISA added CVE-2025-59287 to the Known Exploited Vulnerabilities (KEV) catalog.

Systems Affected

Windows Server 2012 R2 versions prior to build 6.3.9600.22826 Windows Server 2012 versions prior to build 6.2.9200.25728 Windows Server 2016 versions prior to build 10.0.14393.8524 Windows Server 2025 versions prior to build 10.0.26100.6905 Windows Server 2022, 23H2 Edition (Server Core installation) versions prior to build 10.0.25398.1916 Windows Server 2022 versions prior to build 10.0.20348.4297 Windows Server 2019 versions prior to build 10.0.17763.7922

Risk

Government: – Large and medium government entities: High – Small government entities: Medium

Businesses: – Large and medium business entities: High – Small business entities: Medium

Home Users: Low

Recommendations

Apply appropriate updates provided by Microsoft or other vendors which use this software to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them. Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

References

Microsoft: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287 HelpNetSecurity: https://www.helpnetsecurity.com/2025/10/24/wsus-vulnerability-cve-2025-59287-exploited/

Multiple vulnerabilities have been discovered in Oracle products, the most severe of which could allow for remote code execution.

Threat Intelligence

Watchtowr reports CVE-2025-61882 and CVE-2025-61884 were exploited in the recent wave of Cl0p data theft attacks and subsequent extortion campaign.

Systems Affected

Risk

Government: – Large and medium government entities: High – Small government entities: High

Businesses: – Large and medium business entities: High – Small business entities: High

Home Users: Low

Recommendations

Apply appropriate patches or appropriate mitigations provided by Oracle to vulnerable systems immediately after appropriate testing. Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them. Apply the Principle of Least Privilege to all systems and services and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems, which could include suspicious process, file, API call, etc. behavior. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

References

Oracle: https://www.oracle.com/security-alerts/cpuoct2025.html https://www.oracle.com/security-alerts/alert-cve-2025-61882.html https://www.oracle.com/security-alerts/alert-cve-2025-61884.html

This Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.

A vulnerability has been discovered in Oracle E-Business Suite, which could allow for remote code execution. Oracle E-Business Suite (EBS) is a comprehensive suite of integrated business applications that runs core enterprise functions. Successful exploitation of this vulnerability could allow a threat actor to execute code in the context of the affected component. A threat actor could then install programs; view, change, or delete data; or create new accounts with full user rights.

Threat Intelligence

Oracle is aware that CVE-2025-61882 has been exploited in the wild.

Systems Affected

Oracle E-Business Suite, versions 12.2.3-12.2.14

Risk

Government: – Large and medium government entities: High – Small government entities: Medium

Businesses: – Large and medium business entities: High – Small business entities: Medium

Home Users: Low

Recommendations

Apply appropriate updates provided by Oracle or other vendors which use this software to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them. Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

Reference

Oracle: https://www.oracle.com/security-alerts/alert-cve-2025-61882.html

Ransomware remains a persistent and ever-evolving threat to businesses of all sizes and sectors.  While the tactics, techniques, and procedures (TTPs) may vary, the end goal is often the same – a substantial payday.

After months of silence, LockBit recently reemerged with an announcement of its “LockBit 5.0 Affiliate Program,” which grants its affiliates the ability to target critical infrastructure usually off-limits under standard ransomware-as-a-service (RaaS) rules. Shortly after LockBit reentered the ransomware scene, three well-known groups—Qilin, LockBit, and DragonForce—announced they were forming an alliance. Their goal is to collaborate and share techniques, infrastructure, and resources.

Another cybercrime group known for deploying ransomware, Storm-1175, has been exploiting a vulnerability in GoAnywhere MFT. During their multi-stage attack, they exploited CVE-2025-10035, which enabled remote code execution. After gaining access, they installed remote device management tools, such as SimpleHelp and MeshAgent, to allow them to drop web shells and move laterally across networks using Windows utilities. In one attack, they were able to drop RClone and Medusa ransomware.

Ransomware attacks are typically opportunistic, and a wide range of businesses have become victims. Asahi Group Holdings, a Japanese brewery and food giant, recently experienced an attack on its manufacturing operations, with Qilin RaaS claiming responsibility for the incident. While Asahi immediately shut down operations and isolated affected systems, it is still working to fully restore its systems and get everything back online.

Salt Typhoon continues to target US critical infrastructure through sustained and coordinated cyber operations. The group, an advanced persistent threat (APT) linked to the People’s Republic of China (PRC), focuses much of its activity in communications, government, and defense. These intrusions enable the theft of sensitive national security information while advancing China’s efforts to expand its disruptive cyber capabilities. This access could be leveraged to impede the US military’s ability to respond effectively during a crisis or conflict.

The NJCCIC has assessed that Salt Typhoon poses a high-risk threat to public and private infrastructure in the United States, including organizations in New Jersey. Our latest threat analysis report provides an in-depth Threat Actor Profile (TAP) that includes:

An overview of ongoing threat activity, targeting patterns, objectives, and key incidents. A risk assessment evaluating the likelihood and potential impact of attacks. An outline of the tactics, techniques, and procedures (TTPs) employed. Examples of real-world cyber intrusions and campaigns. Defensive guidance and resources for network administrators and critical infrastructure operators.