27 Jun 2025
Week in review
Greetings,
Cyber criminals are increasingly adopting and selling "uncensored" Large Language Models (LLMs) on dark web forums like BreachForums. Rather than building malicious AI tools from scratch, they are "jailbreaking" legitimate, powerful models from mainstream companies like xAI (the creator of Grok) and the French firm Mistral AI (creator of Mixtral). Many of these tools are being sold as WormGPT or variants with similar names and functionality, including FraudGPT and EvilGPT. On a potentially related note, research claims a 90% success rate in jailbreaking LLMs.
AUSCERT is urging its members and the wider community to prepare for a surge in cyber incidents as the End of Financial Year (EOFY) approaches. Cybercriminals are once again exploiting this high-activity period – this time with more sophisticated tactics than ever before.
AUSCERT has observed a sharp and consistent rise in phishing scams, particularly those impersonating trusted government and taxation agencies. The increased volume of payments, invoicing, and accounting activity during EOFY creates ideal conditions for threat actors to target already time-poor and pressured organisations.
To help you stay prepared, AUSCERT has compiled key insights and practical guidance in our latest article. Read it here to learn how to better protect your organisation during this critical time.
Citrix Releases Emergency Patches for Actively Exploited CVE-2025-6543 in NetScaler ADC
Date: 2025-06-25
Author: The Hacker News
[AUSCERT has published security bulletins for these updates: https://portal.auscert.org.au/bulletins/ESB-2025.4172]
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Citrix has released security updates to address a critical flaw affecting NetScaler ADC that it said has been exploited in the wild.
The vulnerability, tracked as CVE-2025-6543, carries a CVSS score of 9.2 out of a maximum of 10.0.
It has been described as a case of memory overflow that could result in unintended control flow and denial-of-service. However, successful exploitation requires the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
Flaw in Notepad++ installer could grant attackers SYSTEM access (CVE-2025-49144)
Date: 2025-06-25
Author: Help Net Security
A high-severity vulnerability (CVE-2025-49144) in the Notepad++ installer could be exploited by unprivileged users to gain SYSTEM-level privileges through insecure executable search paths.
There is currently no indication that the vulnerability is being leveraged by attackers, though technical details and a proof-of-concept (PoC) have been published – and redacted shortly after for security reasons.
No, the 16 billion credentials leak is not a new data breach
Date: 2025-06-19
Author: Bleeping Computer
News broke today about "one of the largest data breaches in history," sparking wide media coverage filled with warnings and fear-mongering. However, it appears to just be a compilation of previously leaked credentials stolen by infostealers, exposed in data breaches, and via credential stuffing attacks.
To be clear, this is not a new data breach, or a breach at all, and the websites involved were not recently compromised to steal these credentials.
Instead, these stolen credentials were likely circulating for some time, if not for years. They were then collected by a cybersecurity firm, researchers, or threat actors and repackaged into a database that was exposed on the Internet.
Reported Impersonation Scams Surge 148% as AI Takes Hold
Date: 2025-06-24
Author: Infosecurity Magazine
The volume of impersonation scams has soared 148% year-on-year (YoY) thanks in part to AI tools making life easier for cybercriminals, according to the Identity Theft Resource Center (ITRC).
The US non-profit's new 2025 Trends in Identity Report is based on analysis of identity crimes (compromise, theft and misuse) reported to it by victims from April 1 2024 to March 31 2025.
Identity Is the New Perimeter: Why Proofing and Verification Are Business Imperatives
Date: 2025-06-24
Author: Security Week
Digital transformation has unlocked new opportunities – not just for innovation and growth, but also for cybercriminals seeking to exploit personal and sensitive information. According to the Future of Global Identity Verification report, more than two-thirds (69%) of organizations have experienced an increase in fraud attempts. Among companies with over 5,000 employees, the average annual direct cost of identity fraud is $13 million. That figure rises sharply with organizational size; for enterprises with more than 10,000 employees, 20% report annual direct and indirect identity fraud costs exceeding $50 million.
ESB-2025.4180 – NetScaler ADC and NetScaler Gateway
Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).
ESB-2025.4160 – Cisco Products
Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user.
Apache Log4j could be made to run programs as your login if it opened a specially crafted file. An attacker could possibly use these issues to enable the execution of arbitrary code. (CVE-2022-23302, CVE-2022-23305, CVE-2022-23307)
ESB-2025.4080 – IBM Security QRadar SIEM
IBM QRadar SIEM includes vulnerable components (e.g., framework libraries) that could be identified and exploited with automated tools. These have been addressed in the update.
Stay safe, stay patched and have a good weekend!
The AUSCERT team