Cyber Weekly Digest #26
👋 Welcome to the 26th edition of the Cyber Weekly Digest of 2025
This week we celebrated not 1 but 2 work anniversaries at Cyber Vigilance HQ
First up is the OG, The Icon, The Legend, Podcast Extraordinaire - Katie Maxted. Magic by name, magic by nature... 5 years in the game and we couldn't do it without you!
Secondly, every Queen needs a King and we have our very own King of the Cotswolds, karaoke superstar and all around tech guru... Chris Faulkner. 1 year in and we're not sure how we ever managed without him!
⭐️ Vendor of the Week ⭐️
Criminal organisations are already using highly automated attack tools to execute ransomware attacks and other campaigns successfully. In Gartner’s latest Security Hype Cycle, Autonomous Pentesting is a rising category, recognising the potential for applying machine learning & AI to conduct offensive cyber operations.
🔮 Enter the Future of Security...
Horizon3.ai
Not only do they gift their staff custom-made Air Max 90s... The NodeZero™ platform empowers organisations to continuously find, fix, and verify their exploitable attack surface.
Reduce security risks by autonomously finding weaknesses in your network, knowing how to prioritise and fix them, and immediately verifying that your fixes work.
NodeZero delivers production-safe autonomous pentests and other key assessment operations that scale across your largest internal, external, cloud, and hybrid cloud environments.
No required agents, no code to write, and no consultants to hire
🧐 Want to learn more about Horizon3.ai? Click here
New and noteworthy from our Tech Community this week:
🔥 Is your organisation ready for threats like Scattered Spider?
Scattered Spider, a hacking group known for sophisticated social engineering tactics, has caused hundreds of millions in damages - targeting industries like telecom, retail, finance, and now US airlines. Their success underscores a critical truth: technical defences alone aren’t enough.
Kevin Breen, Immersive Senior Director of Cyber Threat Research, highlights this urgent reality in a recent interview with The Independent:
“Scattered Spider attacks show that no matter how much is spent on cyber defences, people remain a critical line of defence. Even experienced IT staff can fall for social engineering, especially when tired, so targeted cyber skills development for all employees is essential.”
Protect your organisation by investing in your people, not just your technology.
Empower every employee with the knowledge and skills to identify these threats and be ready to defend against them.
🔥 Microsoft Fends Off ~600 Million Identity Attacks Every Single Day...
But the ones that make the headlines almost always start the same way:
‼️ A dormant admin role nobody turned off
‼️ An account still running without MFA
Microsoft’s latest stats show 99.9% of breached accounts had no MFA in place. In 2025, that’s like leaving your front door wide open.
Here's a 10-minute self-check:
🚩 Pull your Entra roles and flag any account unused ≥30 days
🙅 Disable Basic/legacy auth tenant-wide
👤 Enforce MFA for every admin
🔗 If you need help finding all the admins in your tenant, try this free tool from CoreView
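As an added illustration of the self-check above (not a tool from Microsoft or CoreView), the script below applies the two admin rules to a constructed export: dormant for 30 days or more, and no MFA registered. The field names are assumed to mirror Graph's userRegistrationDetails report (isAdmin, isMfaRegistered) and the user signInActivity.lastSignInDateTime property; check the mapping against your own export.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not from a real tenant). Field names are an
# assumption modelled on Graph's userRegistrationDetails report and the
# signInActivity.lastSignInDateTime user property.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "isAdmin": True,
     "isMfaRegistered": True, "lastSignInDateTime": "2025-06-30T08:15:00Z"},
    {"userPrincipalName": "old-admin@example.com", "isAdmin": True,
     "isMfaRegistered": False, "lastSignInDateTime": "2025-03-01T10:00:00Z"},
    {"userPrincipalName": "svc-backup@example.com", "isAdmin": True,
     "isMfaRegistered": False, "lastSignInDateTime": None},
    {"userPrincipalName": "bob@example.com", "isAdmin": False,
     "isMfaRegistered": False, "lastSignInDateTime": "2025-07-01T12:00:00Z"},
]


def parse_ts(value):
    """Graph returns ISO-8601 with a trailing Z; None means never signed in."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def self_check(users, now, dormant_days=30):
    """Return the two admin findings from the self-check: admins unused for
    >= dormant_days (never signed in counts as dormant) and admins without
    MFA registered. Non-admin accounts are out of scope here."""
    cutoff = now - timedelta(days=dormant_days)
    dormant_admins, admins_without_mfa = [], []
    for u in users:
        if not u["isAdmin"]:
            continue
        last = parse_ts(u["lastSignInDateTime"])
        if last is None or last <= cutoff:
            dormant_admins.append(u["userPrincipalName"])
        if not u["isMfaRegistered"]:
            admins_without_mfa.append(u["userPrincipalName"])
    return {"dormant_admins": dormant_admins,
            "admins_without_mfa": admins_without_mfa}


def run_sample():
    """Evaluate the constructed records as of a fixed date (4 July 2025)."""
    return self_check(SAMPLE_USERS, datetime(2025, 7, 4, tzinfo=timezone.utc))


if __name__ == "__main__":
    for finding, upns in run_sample().items():
        print(f"{finding}: {', '.join(upns) or 'none'}")
```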
🔥 CVE-2025-5777, aka #CitrixBleed 2...
It allows memory to leak into the response, which can expose session tokens and other sensitive information.
Indicators of Compromise:
🔹 Depending on logging configurations, log entries in ns.log with non-printable characters are a pretty good indicator that something is amiss.
🔹 The Citrix advisory recommends terminating existing ICA and PCoIP sessions, which leads us to believe that endpoints related to those features are being targeted. Entries for those logs may similarly contain contents of leaked memory, which may or may not include session tokens.
🔹 Auditing active sessions is also recommended. As an example, a single session being used from multiple client IP addresses could be an indicator that the session may have been compromised.
Active sessions for NetScaler Gateway can be found in the WebUI via “NetScaler Gateway -> Active User Sessions -> Select applicable context -> Continue”. Session information can also be viewed on the command line by running commands such as “show sessions” or “show <service> session”.
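The two indicators above, as an added example that is not part of the original post or of Citrix's guidance: one check flags ns.log lines containing non-printable characters, the other flags a session id seen from more than one client IP. The log lines and session records are constructed, and the (session id, client IP) layout is an assumption; adapt the parsing to your own "show sessions" output.

```python
import re
from collections import defaultdict

# Constructed ns.log-style lines (not captured from a real appliance). The
# third line carries bytes outside the printable range, standing in for the
# leaked-memory entries the advisory describes.
SAMPLE_NS_LOG = [
    "Jul  1 10:02:11 <local0.info> ns AAA Message 0 : SSLVPN LOGIN user1 ...",
    "Jul  1 10:02:12 <local0.info> ns AAA Message 1 : SSLVPN LOGIN user2 ...",
    "Jul  1 10:02:13 <local0.info> ns AAA Message 2 : login \x00\x7f\x01\x02 sess",
]

# Constructed (session id, client IP) records; the layout is an assumption
# for this example, not the appliance's real output format.
SAMPLE_SESSIONS = [
    ("sess-1001", "203.0.113.10"),
    ("sess-1001", "203.0.113.10"),
    ("sess-1002", "198.51.100.7"),
    ("sess-1002", "192.0.2.44"),
]

# Anything outside printable ASCII or a tab. ns.log is normally plain ASCII,
# so legitimate non-ASCII text would also be flagged; review hits by hand.
NON_PRINTABLE = re.compile(r"[^\x20-\x7e\t]")


def lines_with_non_printable(lines):
    """Return (line number, count of non-printable characters) for each
    suspect line; trailing newlines are ignored so they do not count."""
    hits = []
    for i, line in enumerate(lines, start=1):
        found = NON_PRINTABLE.findall(line.rstrip("\r\n"))
        if found:
            hits.append((i, len(found)))
    return hits


def sessions_with_multiple_ips(sessions):
    """Return session ids used from more than one client IP, with the IPs."""
    ips = defaultdict(set)
    for sid, ip in sessions:
        ips[sid].add(ip)
    return {sid: sorted(s) for sid, s in ips.items() if len(s) > 1}


if __name__ == "__main__":
    print("suspect ns.log lines:", lines_with_non_printable(SAMPLE_NS_LOG))
    print("multi-IP sessions:", sessions_with_multiple_ips(SAMPLE_SESSIONS))
```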
If you’re using NetScaler ADC or Gateway, don’t wait. Run a #NodeZero Rapid Response test to validate exposure in your environment - safely, in production, and without delay.
💡 Did you know that Cyber Vigilance offer Horizon3 Breach Assessments? Helping organisations find exploits in their environments and ultimately helping to fix these gaps with our fabulous portfolio of cutting edge Cyber Security Solutions!
Not only that, but we can continuously validate the fixes and find new exposures moving forward with our Continuous Managed Exposure Service powered by NodeZero.
🧐 Horizon3.AI sound interesting? Contact us here
🔥 Like much of the security community, we’re cautious of big breach headlines
The latest report: 16 billion credentials exposed across 30 datasets - reportedly a mix of infostealer logs, credential stuffing sets, and repackaged leaks.
Could the story be exaggerated? Possibly. Does that make it irrelevant? Not at all. Because even if only a small percentage are valid, the underlying risk is very real - and we’re seeing it play out in real customer environments every day:
🔸 Reused credentials across SaaS apps and identity providers
🔸 MFA gaps traditional tools overlook
🔸 Shadow SaaS and AI tools spreading unnoticed
🔸 Sensitive data shared across Slack, Teams, and ChatGPT
You don’t need a mega-leak to be compromised. You just need a reused password your tooling didn’t catch. Regardless of what the latest breach report is, behaviours that lead to account compromise are happening daily, and often undetected by organisations.
CultureAI have launched a free 7-day trial of their platform, focused on helping security teams to uncover real user-driven risks, like reused or weak passwords, in under 24 hours of connecting to their stack.
👀 If you're curious where your blind spots might be, start here
🧐 Want to learn more about CultureAI? Contact us here
🔥 The pace of innovation in the AI space isn't just fast – it's relentless!
Keeping tabs on every breakthrough can be daunting, and navigating the expanding ecosystem of tools and vendors built to secure this AI-driven transformation is a challenge in itself.
That's why we're excited about the recent 2025 AI Security Report from James Berthoty and the team at Latio. It's a great resource for security executives looking to cut through the noise, gain clarity, and identify the right solutions for their specific needs.
We're also proud to see SplxAI highlighted as a leading provider in the AI Application Protection category! The team are working around the clock to enhance the SplxAI Platform with powerful new features, enabling enterprises to confidently deploy secure and compliant AI apps and workflows at scale - so stay tuned for more updates soon!
🔗 Check out a preview and get access to the full report here
🧐 Want to learn more about SplxAI? Contact us here
🔥 The Next Target Scattered Spider Has Entangled in its Webs is the Airline Industry
The threat group often targets entire industries at once, as evidenced by the attacks on retail, financial, and telecom sectors, amongst others.
A sound defensive strategy against Scattered Spider should include a full lifecycle protection layer to reduce and monitor the identity attack surface, as well as detect, block, and respond to the use of compromised identities for malicious access.
In this webinar, the research team at Silverfort dissects a real-life scenario in which they were called to build and execute a response plan while attackers were moving inside an organisation’s hybrid environment.
Watch now to gain insight into:
🕷️ The history of Scattered Spider
🕷️ Alignment of Scattered Spider’s actions with the MITRE ATT&CK Framework
🕷️ Steps taken in real-time to stop all lateral movement
🧐 Want to learn more about Silverfort? Click here
🔥 Think CVEs and KEVs are enough to prioritise vulnerability risk? They’re not... and in 2025, that approach is falling apart
40,000+ CVEs were published in 2024 alone.
CISA KEVs help, but even 1,300+ “known exploits” don’t tell you which ones matter to you.
⚠️ Risk isn’t in the list - it’s in the context:
- Where the vulnerability lives
- How your controls are configured
- What your tools don’t cover
Exposure isn’t a score. It’s a system failure. And Nagomi was built to reveal it.
🔗 Check out this new blog
🧐 Want to know more about Nagomi? Book a call here
Last but not least...
🔥 Multiple US Government Agencies Have Warned Organisations to Stay Vigilant for Potential Iran-Affiliated Cyber Activity.
👀 Censys studied exposure of 4 vendors previously known to be of interest to IR-affiliated groups and you can read the findings in this blog
Censys maintains the authoritative map of global Internet infrastructure, used by organisations worldwide to uncover risks faster, respond more effectively and prevent breaches before they happen. Trusted by Government, Global 2000 and cyber companies worldwide, Censys is The Authority for Internet Intelligence and Insights.
Now, let's take a look at our top Cyber Security News picks of the week
The French cybersecurity agency on Tuesday revealed that a number of entities spanning governmental, telecommunications, media, finance, and transport sectors in the country were impacted by a malicious campaign undertaken by a Chinese hacking group by weaponizing several zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices.
The campaign, detected at the beginning of September 2024, has been attributed to a distinct intrusion set codenamed Houken, which is assessed to share some level of overlap with a threat cluster tracked by Google Mandiant under the moniker UNC5174 (aka Uteus or Uetus).
"While its operators use zero-day vulnerabilities and a sophisticated rootkit, they also leverage a wide number of open-source tools mostly crafted by Chinese-speaking developers," the French National Agency for the Security of Information Systems (ANSSI) said. "Houken's attack infrastructure is made up of diverse elements -- including commercial VPNs and dedicated servers."
Cisco has removed a backdoor account from its Unified Communications Manager (Unified CM), which would have allowed remote attackers to log in to unpatched devices with root privileges.
Cisco Unified Communications Manager (CUCM), formerly known as Cisco CallManager, serves as the central control system for Cisco's IP telephony systems, handling call routing, device management, and telephony features.
The vulnerability (tracked as CVE-2025-20309) was rated as maximum severity, and it is caused by static user credentials for the root account, which were intended for use during development and testing.
North Korean state-backed hackers have been using a new family of macOS malware called NimDoor in a campaign that targets web3 and cryptocurrency organizations.
Researchers analyzing the payloads discovered that the attacker relied on unusual techniques and a previously unseen signal-based persistence mechanism.
The attack chain, which involves contacting victims via Telegram and luring them into running a fake Zoom SDK update, delivered via Calendly and email, resembles the one Huntress managed security platform recently linked to BlueNoroff.
More than 40 fake extensions in Firefox’s official add-ons store are impersonating popular cryptocurrency wallets from trusted providers to steal wallet credentials and sensitive data.
Some of the extensions pretend to be wallets from Coinbase, MetaMask, Trust Wallet, Phantom, Exodus, OKX, Keplr, and MyMonero, and include malicious code that sends stolen information to attacker-controlled servers.
The Canadian government has ordered Hikvision’s subsidiary in the country to cease all operations following a review that determined it to pose a national security risk.
The order was forwarded to Hikvision last Friday, and the matter was made public over the weekend by Mélanie Joly, Canada's Minister of Innovation, Science and Industry.
“Following a National Security Review under the Investment Canada Act, the Government of Canada has ordered Hikvision Canada Inc. to cease all operations in Canada and close its Canadian business,” reads the announcement.
That's it for this week's tasty morsels...
Much 🧡 Stay Safe
The CV Team
Security for an intelligent future...
Chief Revenue Officer (CRO) - Cyber Vigilance Ltd
2mo · Belter and cracking anniversaries! Congrats to Katie Maxted and Chris Faulkner! Proper team players making the difference always!
Channel Account Manager – Defending organisations at the Human Layer
2mo · It’s not really Friday until I have a lil read of the weekly digest! Another great addition!