19 Sep 2025

Week in review

Greetings,

This week, we have released an exciting new episode of the Share Today, Save Tomorrow podcast, Episode 45: Phishing, Passion & Progress: A Conversation with Shane Lim.

Our host Bek Cheb sits down with Shane, one of our valued analysts at AUSCERT, for a deep dive into his journey from IT generalist to cyber security specialist. This episode also features an insider look at one of AUSCERT’s most vital member services, Phishing Takedowns. Shane breaks down how the process works, why phishing remains a persistent threat, and the technical and human challenges involved in taking malicious sites offline.

This is an episode you won’t want to miss, and it’s available on Spotify, Apple Podcasts, and Soundcloud now.

SonicWall has warned customers to reset credentials following a breach that exposed firewall configuration backup files linked to MySonicWall accounts. Attackers exploited the company’s cloud backup API service using brute-force methods, affecting fewer than 5% of its firewall install base. While the files contained encrypted passwords, SonicWall cautioned that they also held details that could make it easier for attackers to exploit impacted devices.

The company has since blocked attacker access, launched an investigation with law enforcement and cyber security partners, and published guidance for administrators. Recommendations include restricting WAN access, resetting all credentials, and updating keys and tokens across related services. SonicWall emphasised this was not a ransomware event but a series of targeted brute-force attacks, adding there is no evidence that the files have been leaked online.


Apple backports zero-day patches to older iPhones and iPads
Date: 2025-09-16
Author: Bleeping Computer

[See AUSCERT bulletin https://portal.auscert.org.au/bulletins/ESB-2025.6540]
Apple has released security updates to backport patches released last month to older iPhones and iPads, addressing a zero-day bug that was exploited in "extremely sophisticated" attacks.
This security flaw is the same one Apple has patched for devices running iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, and macOS (Sequoia 15.6.1, Sonoma 14.7.8, and Ventura 13.7.8) on August 20.
Tracked as CVE-2025-43300, this vulnerability was discovered by Apple security researchers and is caused by an out-of-bounds write weakness in the Image I/O framework, which enables apps to read and write image file formats.

From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques
Date: 2025-09-17
Author: Bleeping Computer

During the past fifteen business days, Huntress analysts have observed increased threat activity involving several notable techniques. One case involved a malicious AnyDesk installer, which initially mimicked a standard ClickFix attack through a fake Cloudflare verification page but then utilized Windows File Explorer and an MSI package masked as a PDF to deploy MetaStealer malware.

FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data
Date: 2025-09-14
Author: Bleeping Computer

The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations’ Salesforce environments to steal data and extort victims.
"The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups UNC6040 and UNC6395, responsible for a rising number of data theft and extortion intrusions," reads the FBI's FLASH advisory.

Threat Actors Leverage Several RMM Tools in Phishing Attack to Maintain Remote Access
Date: 2025-09-15
Author: Cyber Security News

Cybercriminals are increasingly exploiting legitimate remote monitoring and management (RMM) tools to establish persistent access to compromised systems through sophisticated phishing campaigns.
Joint research conducted by Red Canary Intelligence and Zscaler threat hunters has identified multiple malicious campaigns utilizing ITarian (also known as Comodo), PDQ, SimpleHelp, and Atera RMM solutions as attack vectors.

HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks
Date: 2025-09-15
Author: The Hacker News

Chinese-speaking users are the target of a search engine optimization (SEO) poisoning campaign that uses fake software sites to distribute malware.
"The attackers manipulated search rankings with SEO plugins and registered lookalike domains that closely mimicked legitimate software sites," Fortinet FortiGuard Labs researcher Pei Han Liao said. "By using convincing language and small character substitutions, they tricked victims into visiting spoofed pages and downloading malware."


ESB-2025.6633 – Linux kernel: CVSS (Max): 9.1*

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

ESB-2025.6569 – pcp: CVSS (Max): 8.8

This update for pcp fixes the following issue: exposure of the Redis server backend allows remote command execution via pmproxy.

ESB-2025.6567 – Mozilla Firefox: CVSS (Max): 8.8*

Memory safety bugs are present. Some of these bugs showed evidence of memory corruption and it's presumed that with enough effort some of these could have been exploited to run arbitrary code.

ESB-2025.6636 – Google Chrome: CVSS (Max): None

Google released security updates for the Chrome web browser to address four vulnerabilities, including one that it said has been exploited in the wild. The vulnerability has been described as a type confusion issue in the V8 JavaScript and WebAssembly engine.

ESB-2025.6555 – Delta Electronics DIALink: CVSS (Max): 10.0

Delta Electronics DIALink has an Improper Limitation of a Pathname to a Restricted Directory vulnerability, which could allow an attacker to bypass authentication.


Stay safe, stay patched and have a good weekend!

The AUSCERT team