Cyber Threat Intelligence Digest: Week 41

Executive Summary -
Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Threat Actors Actively Exploit Wordfence Service Finder Bookings Flaw, CVE-2025-5947 - On October 7, 2025, Wordfence Intelligence reported active exploitation of CVE-2025-5947 affecting Service Finder Bookings plugin (versions ≤ 6.0), allowing threat actors to bypass authentication and impersonate any user, including administrators. No publicly confirmed number of organisations has been disclosed; however, Wordfence has blocked over 13,800 exploit attempts.

CVE-2025-5947 allows unauthenticated account takeover and privilege escalation due to improper validation of the original_user_id cookie in the service_finder_switch_back() function. This flaw enables threat actors to trigger the wp_set_auth_cookie() function through a crafted HTTP GET request, leading to complete site compromise. Aonetheme patched CVE-2025-5947 in version 6.1 on July 17, 2025. However, many sites may remain unpatched. 

Technical Blog and Alleged PoC for Control Character Injection Vulnerability in OpenSSH ProxyCommand (CVE-2025-61984) - OpenSSH control-character injection allows command execution. Researcher David Leadbeater published a technical write-up (Oct 7, 2025) describing CVE-2025-61984: a control-character injection flaw in OpenSSH’s ProxyCommand handling that lets attackers embed control characters (eg. newline \n) in usernames to break shell parsing and execute subsequent commands. OpenSSH 10.1 (released Oct 6, 2025) fixes the bug by rejecting control characters in valid_ruser (using iscntrl()).

The issue arises when ProxyCommand expands the %r token into a shell command and the username contains control characters: shells like Bash, Fish and csh can continue execution after a syntax error, allowing an injected newline to run attacker-controlled commands.

CVE-2025-20362, an Actively Exploited Missing Authorisation Vulnerability in Cisco ASA and FTD - Cisco ASA/FTD WebVPN auth bypass and overflow exploited in the wild, Rapid7 (Oct 6, 2025) disclosed CVE-2025-20362, a path-traversal that allows unauthenticated access to the WebVPN file upload handler; CISA added CVE-2025-20362 (and linked CVE-2025-20333) to its KEV on Sept 25, 2025 and Insikt Group reported threat actors chaining the two (Sept 26) to deploy RayInitiator and LINE VIPER.

The issue arises when a //.. traversal reaches file_action.html and, when paired with the Lua upload handler bug, an oversized multipart boundary can overflow an 8,192-byte buffer (crash/reboot and potential further exploitation).

Potential Threats

Cl0p Exploited CVE-2025-61882, an Oracle E-Business Suite Zero-Day Vulnerability, for Data Theft - An Oracle EBS zero-day has been exploited by CL0P. Insikt/GTIG/Mandiant reporting and Oracle’s emergency advisory confirm CVE-2025-61882 is a critical, unauthenticated RCE in Oracle E-Business Suite that has been actively exploited since mid-2025 in extortion/data-theft operations attributed to CL0P-linked actors. Evidence shows multiple exploit chains were used to create malicious XSL/DB templates that execute Java payloads in memory, and that attackers later performed post-compromise reconnaissance and data exfiltration. 

Campaign activity included targeted executive extortion emails and use of compromised third-party mailboxes to increase credibility; public reporting and telemetry point to scanning/probing and C2 infrastructure tied to the campaign.

Loader Dropped by Trojanized Termius App to Deliver ZuRu macOS Backdoor - On 11 July 2025, Insikt Group published a TTP instance on a campaign reported by SentinelOne in which threat actors deployed a new ZuRu variant via a trojanised Termius application bundle. ZuRu is a persistent macOS backdoor first observed in 2021 and previously distributed through poisoned Baidu search results. It resurfaced in May 2025 embedded within a trojanised copy of Termius, a legitimate secure-shell (SSH) management application.

The trojanised Termius app embeds two unauthorised binaries into the Termius Helper application: “.Termius Helper1”, a modified helper binary, and “.localized”, a Mach-O loader. This loader marks a tradecraft shift for ZuRu by replacing the prior dylib-based loading technique with an embedded helper binary strategy. The loader stages, executes and updates a secondary payload: a modified Khepri command-and-control beacon.

Threat Actor TA585 Delivers Stealer Malware via ClickFix and GitHub-Themed Phishing Campaigns  - Between April and August 2025, threat actor TA585 ran phishing campaigns using ClickFix and GitHub-themed lures to deliver stealer malware such as LummaC2, Rhadamanthys, and MonsterV2, according to Proofpoint’s 13 October report. The group managed its operations through an infrastructure cluster dubbed “CoreSecThree,” which handled filtering, delivery, and malware deployment without relying on external brokers.

TA585’s ClickFix campaign redirected victims via injected JavaScript on legitimate sites, displaying fake CAPTCHA overlays that prompted users to run a PowerShell command downloading SonicCrypt-packed MonsterV2 and Rhadamanthys. The GitHub-themed operation exploited legitimate notification emails from fake issues in actor-controlled repositories, leading to similar PowerShell execution and payload delivery. Across both campaigns, infections enabled credential theft, data exfiltration, and remote access on compromised systems.

General News

UK hit by record surge in major cyberattacks - The National Cyber Security Centre (NCSC) will announce a record number of “nationally significant” cyber incidents in its 2024 Annual Review, revealing that staff responded to 429 attacks between September 2024 and August 2025. Of these, 204 were classed as nationally significant, more than double the 89 recorded the previous year. 18 attacks were deemed “highly significant,” the second-most severe category, affecting central government, critical services, or major economic sectors.

The spike follows a wave of disruptive attacks on UK industries, including the month-long outage at Jaguar Land Rover (JLR), which experts described as “an economic security incident” rather than a mere corporate disruption. In response, the government is writing to FTSE 350 CEOs and chairs urging “concrete action” to bolster defences amid what officials call a surge in “intense, frequent, and sophisticated” cyber threats targeting British enterprises.

Ukraine moves closer to forming dedicated military Cyber Force - Ukraine’s parliament has advanced plans to establish a new Cyber Force within the Armed Forces, approving a bill in its first reading that would unite the country’s offensive and defensive cyber capabilities under a single command. If passed in a second vote and signed by President Volodymyr Zelensky, the Cyber Force would conduct military cyber operations, gather intelligence, defend critical systems, and align Ukraine’s capabilities more closely with NATO standards as it seeks full membership.

The new branch would initially receive a 14 million hryvnia ($336,000) budget in 2025 to build its infrastructure. A key feature of the proposal is the creation of a cyber reserve, a pool of civilian tech experts who can be mobilized to support military operations without enlisting full-time. Cybersecurity leaders have welcomed the initiative, saying it would strengthen collaboration between Ukraine’s military and its world-renowned tech sector, which has played an active role in digital defence since Russia’s invasion.

4chan fined by UK regulator under Online Safety Act - Ofcom has fined imageboard 4chan £20,000 ($26,000) for failing to comply with the UK’s Online Safety Act, marking the first financial penalty issued to a major online platform under the new law. The fine will rise by £100 ($133) per day from Tuesday until compliance is achieved. While modest in value, the move signals an escalating regulatory stance that could ultimately see British internet service providers ordered to block access to 4chan entirely.

The Online Safety Act requires platforms hosting user-generated content to safeguard users from harmful or illegal material. Ofcom has already warned adult content sites that failure to verify users’ ages by July could result in fines of up to £18 million or 10% of global turnover, alongside potential domain blocks.

Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.