Cyber Threat Intelligence Digest: Week 38

Executive Summary -
Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

SolarWinds Patches Remote Code Execution (RCE) Vulnerability CVE-2025-26399 Affecting Web Help Desk - SolarWinds has released a patch for a critical remote code execution vulnerability, CVE-2025-26399, found in Web Help Desk versions 12.8.7 and earlier. The flaw could allow unauthenticated attackers to run malicious commands on affected systems.

Although no active exploitation has been reported, security experts strongly advise organisations to apply the update without delay. Insikt Group recommends upgrading to Web Help Desk version 12.8.7 hotfix 1 to ensure protection against potential attacks.

Google Patches Four Chrome Vulnerabilities Including Actively Exploited CVE-2025-10585 V8 Type Confusion Vulnerability in Google Chrome - Google has patched four Chrome vulnerabilities, one of which, CVE-2025-10585, was already being actively exploited. This flaw, a type confusion issue in the V8 JavaScript engine, could enable attackers to execute arbitrary code. The other vulnerabilities include two use-after-free flaws in Dawn and WebRTC, and a heap buffer overflow in ANGLE, all of which could lead to remote code execution if exploited.

While exploitation of the remaining flaws has not been observed, security teams are urged to update Chrome promptly. The patched versions are 140.0.7339.185/.186 for Windows and Mac, and 140.0.7339.185 for Linux. Organisations should also enable automatic updates and closely monitor deployments to ensure patches are applied swiftly across all systems.

Threat Actors Exploit GeoServer Vulnerability (CVE-2024-36401) to Access US Federal Agency Network - On 23 September 2025, CISA confirmed that unknown threat actors exploited CVE-2024-36401, a remote code execution flaw in GeoServer, to breach a Federal Civilian Executive Branch agency. The vulnerability, disclosed in June 2024 and added to CISA’s Known Exploited Vulnerabilities list the following month, enabled attackers to compromise two GeoServers and persist inside the network for about three weeks before detection.

The attackers used Burp Suite to identify the flaw, then executed scripts, cron jobs and web shells to maintain access. They created accounts, scanned the network with fscan, and brute-forced credentials to move laterally to web and SQL servers, where they deployed tools such as China Chopper. Attempts were made to escalate privileges via the Dirty COW vulnerability (CVE-2016-5195). They also used .php shells, abused BITS jobs, and staged files to avoid detection, while relying on the Stowaway proxy tool for command-and-control traffic.

Potential Threats

Lockbit 5.0 Linux and ESXi RaaS Samples Analysed on MalwareBazaar - On 17 September 2025, Insikt Group published an analysis of the Lockbit 5.0 Windows version, a ransomware-as-a-service (RaaS) that emerged in September 2019. On 20 September 2025, a MalwareBazaar user submitted Lockbit 5.0 Linux and ESXi samples. Sandbox analysis flagged the samples as malicious, with the Linux version also demonstrating defence evasion and ransomware capabilities. Execution actions include retrieving system and kernel information, monitoring its own process, rotating Syslog files, and reloading rsyslog’s configuration, likely for detection avoidance or persistence. The ESXi sample retrieves the installed VMware version.

The Lockbit 5.0 Linux sample additionally renames itself, retrieves CPU attributes, encrypts files appending a random sixteen-character extension, and drops a ransom note, “ReadMeForDecrypt.txt,” in multiple directories. The note instructs victims to contact the actors via a Tor chat service and references Lockbit’s leak site. This analysis includes Indicators of Compromise (IoCs) from the examined samples.

US-Based Cybersecurity Company SonicWall Confirms Cloud Backup Breach After Targeted Brute-Force Attack Exposes Firewall Configurations - On 18 September 2025, SonicWall disclosed a security incident in which threat actors accessed firewall configuration backup files stored in MySonicWall cloud accounts. Attackers used brute-force techniques against the cloud backup API and obtained preference files for fewer than 5% of deployed firewalls.

Although the files were encrypted, they contained sensitive information such as authentication tokens, shared secrets, and device settings that could allow further exploitation. SonicWall notified affected customers through account banners and stated there is no evidence the files were leaked online. The company also confirmed the incident was unrelated to ransomware.

Iranian State-Sponsored Threat Group Nimbus Manticore Targets European Defense, Telecom, and Aerospace Sectors Using MiniJunk and MiniBrowse Malware - On September 22, 2025, Checkpoint reported that an Iranian state-sponsored threat group, Nimbus Manticore, has been targeting Western European defense, telecommunications, and aviation industries in a long-running campaign. Nimbus Manticore used recruiter-themed spearphishing to deliver the MiniJunk backdoor and MiniBrowse stealer. 

The infection chain begins with a recruiter-themed spearphishing link that directs victims to a fake career portal. After authenticating with pre-shared credentials, victims download a malicious archive and run a legitimate Setup.exe, which sideloads userenv.dll. Setup.exe then launches SenseSampleUploader.exe.

General News

Major European airports work to restore services after cyberattack on check-in systems - Europe’s busiest airports are still facing disruptions after a suspected ransomware attack on Collins Aerospace, a U.S. aviation technology provider, which affected its vMUSE self-service check-in software. The outage, starting Friday night, impacted airports in London, Brussels, Berlin and Dublin, causing long queues, flight delays, and cancellations. ENISA confirmed the incident was a “third-party ransomware” attack, though the ransomware type and threat actor remain undisclosed.

Brussels Airport cancelled nearly half of Monday’s departures, while Dublin and Heathrow continued partial operations with manual check-in and baggage processing. Berlin saw some improvement, but delays persisted. Collins Aerospace and parent company RTX said the impact was limited to electronic check-in and baggage drop, with manual systems providing a workaround. The aviation sector has faced multiple cyber incidents recently, including attacks on Russian airports and a July breach of Qantas, with U.S. authorities warning of threats from groups such as Scattered Spider.

Jaguar Land Rover extends shutdown again following cyberattack - Jaguar Land Rover (JLR) has extended the shutdown of its global operations until at least next month following a cyberattack, halting all vehicle and parts production since early September. The company is working with cybersecurity experts, the NCSC and law enforcement to safely restart operations. The shutdown directly affects over 30,000 employees, with thousands of agency and temporary workers sent home or on reduced pay, while unions have called for a furlough scheme to support staff.

The cyberattack is causing major supply-chain disruptions, impacting around 150,000 associated jobs and causing significant financial losses, estimated at £50-70 million per day. Government officials, including the business secretary and minister for industry, have engaged with JLR and its suppliers to assess support measures, though no direct taxpayer funding is planned. Analysts warn the incident represents a broader economic security concern, with supplier shares, such as Autins, already plummeting due to the disruption.

GitHub tightens npm security with mandatory 2FA, access tokens - GitHub is introducing new security measures to defend against supply-chain attacks that recently compromised thousands of accounts and private repositories, causing significant data loss and remediation costs. Recent incidents include the “s1ngularity” attack in August, the “GhostAction” campaign in early September, and the worm-like “Shai-Hulud” attack. To reduce risks, GitHub will gradually enforce two-factor authentication (2FA) for local publishing, adopt short-lived granular tokens, expand trusted publishing, deprecate classic tokens and TOTP 2FA, and restrict publishing access by default. Developers, particularly NPM maintainers, are urged to switch to trusted publishing, enable 2FA, and use WebAuth instead of TOTP.

Ruby Central has also announced tighter governance over the RubyGems package manager following similar attacks, including campaigns distributing 60 malicious gems and typosquatting popular projects. Until new policies are finalised, only Ruby Central staff will hold admin access, with a future shift planned towards a transparent, community-led model. Both platforms emphasise that supply-chain security is a collective responsibility, and developers are expected to adopt the enhanced protections to safeguard their ecosystems.

Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.