TT-CSIRT – 453.24.09.25 – Shai-Hulud Self-Replicating Worm Supply Chain Compromise

Please be advised, CISA has issued a critical alert regarding a widespread supply chain attack involving npmjs.com, the largest JavaScript package registry. A self-replicating worm named “Shai-Hulud” has compromised over 500 npm packages. After initial access, the attacker-deployed malware scans for sensitive credentials such as GitHub Personal Access Tokens (PATs) and cloud service API […]

TT-CSIRT – 452.23.09.25 – Security Alert: New Inboxfuscation Tool That Bypasses Microsoft Exchange Inbox Rules and Evades Detection

Please be aware of a newly discovered, sophisticated attack framework called Inboxfuscation, developed by Permiso Security to demonstrate critical vulnerabilities in Microsoft Exchange inbox rule detection systems. This Unicode-based obfuscation technique enables the creation of malicious inbox rules that can completely evade traditional security monitoring and detection mechanisms, representing a significant advancement in email-based […]

TT-CSIRT – 451.13.09.25 – Malware Alert: Azure Function Abuse

Please be advised of the discovery of a highly evasive attack using a malicious ISO image named Servicenow-BNM-Verify.iso, containing four files: two openly visible and two hidden. The visible files include a Windows shortcut, servicenow-bnm-verify.lnk, which launches PanGpHip.exe, a legitimate Palo Alto Networks binary. Hidden are libeay32.dll, a genuine OpenSSL library, and […]

TT-CSIRT – 450.29.08.25 – FreePBX Vulnerability

Please be advised, a critical vulnerability has been discovered in the FreePBX Endpoint module, affecting versions 15, 16, and 17. The vulnerability arises from improper sanitization of user-supplied data, which can be exploited by unauthenticated attackers to gain unauthorized access to the FreePBX Administrator Control Panel. Successful exploitation can result in arbitrary database manipulation and remote […]

TT-CSIRT – 449.22.08.25 – Microsoft 365 ADFS Exploit

Please be advised, a sophisticated phishing campaign has been uncovered that exploits Microsoft’s Active Directory Federation Services (ADFS) to create legitimate-looking login URLs that redirect users to malicious credential-harvesting sites, effectively turning Microsoft’s own infrastructure into an unwitting accomplice in credential theft operations. Exploit: Malicious Google ads clicked on by users who are then redirected […]

TT-CSIRT – 448.16.08.25 – Windows Out-of-Box-Experience (OOBE) Exploit

Be advised, a new security vulnerability has been identified that exploits the Windows Out-of-Box-Experience (OOBE) to bypass existing protections, granting administrative command line access to Windows machines. The vulnerability allows low-privileged domain users to effectively gain local administrative access. This technique works even when Microsoft’s recommended security measure, the DisableCMDRequest.tag file, is implemented to block the well-known […]

TT-CSIRT – 447.14.08.25 – Microsoft Office Vulnerabilities

Be advised, Microsoft has released critical security updates addressing three serious vulnerabilities in Microsoft Office that could allow attackers to execute remote code on affected systems. The vulnerabilities, tracked as CVE-2025-53731, CVE-2025-53740, and CVE-2025-53730, affect Microsoft Office versions 2016 – 2024, including Microsoft Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft 365 […]

TT-CSIRT – 446.07.08.25 – Privilege Escalation Vulnerability in Microsoft Exchange Hybrid Deployments

Please be advised of a high-severity vulnerability, CVE-2025-53786, affecting Microsoft Exchange hybrid deployments. This vulnerability allows a threat actor with administrative access to an on-premises Exchange server to escalate privileges by exploiting vulnerable hybrid-joined configurations. No active exploitation has been observed, but CISA urges organizations to implement Microsoft’s Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability guidance […]

TT-CSIRT – 445.06.08.25 – Critical RCE Vulnerabilities in Trend Micro Apex One (On-Premise) Management Console

Please be advised that Trend Micro has identified and issued mitigations for two critical command injection vulnerabilities, CVE-2025-54948 and CVE-2025-54987, affecting the Apex One (On-Premise) Management Console. Both vulnerabilities may allow unauthenticated remote attackers to execute arbitrary commands on affected systems. Importantly, Trend Micro has observed active exploitation attempts in the wild (ITW) for at least […]

TT-CSIRT – 444.05.08.25 – Increased Threat Activity Targeting SSLVPN on Gen 7 SonicWall Firewalls

Please be advised that SonicWall has detected a substantial rise in cyber incidents within the past 4 days concerning Gen 7 SonicWall Firewalls that have SSL VPN activated. An ongoing investigation is being conducted to ascertain whether the threat activity is associated with a previously disclosed vulnerability or a newly identified one. Impact: Remote attackers […]