1 Aug 2025
Week in review
Greetings,
This week, our team participated in the annual APCERT Cyber Drill 2025 alongside 24 Computer Incident Response Teams (CIRTs) from 18 economies. This year’s theme, “When Ransomware Meets Generative AI”, tested the response capabilities of leading Asia-Pacific teams, emphasising the growing risks from the malicious use of this rapidly evolving technology.
The simulated scenario, involving AI-generated malicious code and exploited open-source vulnerabilities, challenged participants to review and strengthen their incident response procedures. The drill highlighted the need for proactive preparedness as Generative AI reshapes the cyber threat landscape.
AUSCERT is proud to support APCERT’s vision of fostering a safe and reliable cyberspace across the Asia–Pacific through global collaboration and shared expertise.
The ACSC, alongside the FBI, CISA and NCSC UK, has released a new advisory on Scattered Spider — one of 2025’s most active and dangerous cybercrime groups. Linked to major breaches, the group targets large enterprises using identity-based attacks and sophisticated social engineering, including phishing, vishing, MFA fatigue, and SIM swaps.
Once in, they hide behind legitimate remote access tools (AnyDesk, TeamViewer, Teleport), steal credentials, and deploy DragonForce ransomware with the intention of executing large-scale data theft.
The advisory urges organisations to act now: adopt phishing-resistant MFA (like hardware keys), drop SMS or push-only authentication, tighten helpdesk verification, and monitor or restrict remote access tools. Offline, tested backups, detailed logging, and updated detection using IOCs and MITRE ATT&CK are also critical.
Scattered Spider’s tactics are evolving fast. Strengthening MFA, access controls, helpdesk security and maintaining public awareness and education is essential to staying ahead.
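The advisory's recommendation to monitor or restrict remote access tools is easy to turn into a first-pass detection. The following Python is an added example written for this newsletter, not code from the advisory or from AUSCERT: it scans process-execution records for the three tools the advisory names (AnyDesk, TeamViewer, Teleport) and reports every execution that is not on an approved host/user allowlist. The log line format, the executable filenames, the allowlist and the sample records are all constructed assumptions for the example; in practice the same logic would run over EDR or Sysmon process-creation events.

```python
"""Added example (not part of the AUSCERT newsletter or the joint advisory):
flag executions of remote access tools named in the Scattered Spider advisory
that fall outside an approved allowlist.

Assumed log format (constructed for this example):
    <timestamp> <host> <user> <full path of executed image>
"""
import re
from dataclasses import dataclass

# Tool names (AnyDesk, TeamViewer, Teleport) come from the advisory summary;
# the executable filenames are assumptions for this example.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "teamviewer_service.exe": "TeamViewer",
    "tsh.exe": "Teleport",
    "teleport.exe": "Teleport",
}

# Hypothetical allowlist of (host, user, tool) triples approved to run a tool.
APPROVED = {
    ("HELPDESK-01", "svc_support", "TeamViewer"),
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<image>.+)$")


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    tool: str
    image: str


def parse_line(line):
    """Split one record into its fields; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def basename(path):
    """Lower-cased filename of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_unapproved_remote_tools(lines, approved=APPROVED):
    """Return a Finding for each remote-tool execution not covered by the allowlist."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip records we cannot parse rather than crash the scan
        tool = REMOTE_ACCESS_TOOLS.get(basename(rec["image"]))
        if tool is None:
            continue  # not one of the tools we are watching
        if (rec["host"], rec["user"], tool) in approved:
            continue  # sanctioned use, e.g. the helpdesk's own TeamViewer
        findings.append(Finding(rec["ts"], rec["host"], rec["user"], tool, rec["image"]))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r"2025-07-30T09:12:01Z HELPDESK-01 svc_support C:\Program Files\TeamViewer\TeamViewer.exe",
    r"2025-07-30T09:15:44Z FIN-WS-17 jsmith C:\Users\jsmith\AppData\Local\AnyDesk\AnyDesk.exe",
    r"2025-07-30T09:16:02Z FIN-WS-17 jsmith C:\Windows\System32\notepad.exe",
    r"2025-07-30T10:02:13Z DC-02 administrator C:\Temp\tsh.exe",
    "corrupt-record",
]

if __name__ == "__main__":
    for f in find_unapproved_remote_tools(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} {f.user} ran {f.tool}: {f.image}")
```

Running the block prints the two unapproved executions (AnyDesk on a finance workstation and a Teleport client dropped in a temp directory on a domain controller) and stays silent about the helpdesk's sanctioned TeamViewer use. Matching on filename alone is deliberately simple; a renamed binary would slip past it, so a production rule should also key on signer, file hash or the tool's network destinations.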
High-Severity SQL Injection (CVE-2025-52914) in Mitel MiCollab Allows Data Access, Command Execution
Date: 2025-07-25
Author: Securityonline.info
[AUSCERT has notified potentially affected members via email (where possible)]
Mitel has released a security advisory addressing a high-severity SQL injection vulnerability in its MiCollab platform—an issue that could allow authenticated attackers to execute arbitrary database commands and compromise user provisioning data. Tracked as CVE-2025-52914, the vulnerability carries a CVSS score of 8.8.
The vulnerability resides in the Suite Applications Services component of MiCollab, a key unified communications platform used by businesses worldwide.
Fire Ant Exploits VMware Flaws to Compromise ESXi Hosts and vCenter Environments
Date: 2025-08-24
Author: The Hacker News
Virtualization and networking infrastructure have been targeted by a threat actor codenamed Fire Ant as part of a prolonged cyber espionage campaign.
The activity, observed this year, is primarily designed to infiltrate organizations' VMware ESXi and vCenter environments as well as network appliances, Sygnia said in a new report published today.
CISA Warns of Exploited Vulnerabilities in Cisco Products
Date: 2025-08-29
Author: Infosecurity Magazine
[See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ESB-2025.4160.4]
The US Cybersecurity and Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on July 28.
These include two highly critical vulnerabilities in Cisco Identity Services Engine (ISE) Software, a network security policy management platform that provides secure access control, authentication, authorization and accounting (AAA) services for users and devices connecting to enterprise networks.
Both vulnerabilities, tracked as CVE-2025-20281 and CVE-2025-20337, were discovered by security researchers working with the Trend Micro Zero Day Initiative and disclosed by Cisco on June 25.
What if your passkey device is stolen? How to manage risk in our passwordless future
Date: 2025-08-28
Author: ZDNET
Part of the "passkeys are more secure than passwords" story is derived from the fact that passkeys are non-human-readable secrets — stored somewhere on your device — that even you have very limited access to.
OK, so what happens to those passkeys if your device is stolen?
ShinyHunters behind Salesforce data theft attacks at Qantas, Allianz Life, and LVMH
Date: 2025-08-30
Author: Bleeping Computer
A wave of data breaches impacting companies like Qantas, Allianz Life, LVMH, and Adidas has been linked to the ShinyHunters extortion group, which has been using voice phishing attacks to steal data from Salesforce CRM instances.
In June, Google's Threat Intelligence Group (GTIG) warned that threat actors tracked as UNC6040 were targeting Salesforce customers in social engineering attacks.
In these attacks, the threat actors impersonated IT support staff in phone calls to targeted employees, attempting to persuade them into visiting Salesforce's connected app setup page. On this page, they were told to enter a "connection code", which linked a malicious version of Salesforce's Data Loader OAuth app to the target's Salesforce environment.
ESB-2025.5186 – Tenable Patch Management
An unauthenticated, remote attacker can exploit this to inject or manipulate SQL queries in the back-end database, resulting in the disclosure or manipulation of arbitrary data.
An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2025-6965)
ESB-2025.4160.4 – Cisco Products
A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and then execute those files on the underlying operating system as root.
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.
Stay safe, stay patched and have a good weekend!
The AUSCERT team