
November Cyber Threat Download™
Each month, the Pondurance team of experts in threat intelligence, incident response, security operations, vulnerability management, and compliance share insights with our clients and partners to help them stay on top of recent trends in cybersecurity and take action to prevent harm to their organizations. Please feel free to share this information with colleagues and other interested parties on social media.
Ransomware as a service
Ransomware and business email compromise (BEC) attacks make up 70% of all incidents that require emergency response and forensic investigation by the digital forensics and incident response team. The primary attack vectors are exposed remote desktop protocol (RDP) endpoints and weak credentials, virtual private networks (VPNs), and supply chain and managed service provider compromises. Ransomware as a service is on the rise in particular in the healthcare, manufacturing, and financial services sectors, and extortion has evolved into a triple-extortion model in which threat actors combine file encryption, data theft with leak threats, and distributed denial-of-service attacks to maximize pressure on victims.
The team discussed the threat actor group Akira and the SonicWall vulnerability that was first exploited in 2024. In a SonicWall attack, threat actors exploit improper access control flaws, taking advantage of weak or misconfigured security settings to gain access to sensitive systems. From there, they use the configuration stored on the VPN appliance to connect to known internal systems. Patches were made available, but even patched devices remained vulnerable because new services were off by default and user credentials were not properly reset. In 2025, operating under a ransomware-as-a-service model, Akira hired other threat actors to exploit the vulnerabilities; because these affiliates are more aggressive and careless, they are often stopped by endpoint detection and response solutions.
A new ransomware pattern has also emerged. Groups like Akira are testing their tactics, techniques, and procedures (TTPs) in South America and the Caribbean, where reporting requirements are less stringent, to refine their processes before pivoting to victims in the United States. In addition, new threat actor groups often post a few victims to their leak sites and then go dark. The team expects continued use of these patterns throughout the holiday period and into the new year.
Notable vulnerabilities
More than 4,300 vulnerabilities were newly disclosed in September, a return to normal after a slight drop in August, and 16 of them were actively exploited. Six of those 16 involved Cisco and TP-Link products. Eight proof-of-concept exploits were publicly released, making the information available for threat actors to use. Critical vulnerabilities exploited in the wild included command injections, authentication bypasses, and buffer overflows.
During Microsoft Patch Tuesday in September, 84 reported vulnerabilities were addressed, a dip from previous months. Of those 84, eight were critical vulnerabilities, and two were zero-day exploits. Multiple patches were released for the affected products. The team briefly discussed two of the critical vulnerabilities:
Sitecore. This deserialization vulnerability affected Sitecore’s Experience Manager, Experience Platform, and Experience Commerce. It is exploitable only where the product was deployed using a machine key provided in deployment guides from 2017 and earlier. During initial access, the machine key is used to interact with the sitecore/blocked.aspx page, which accepts ViewState (the ASP.NET mechanism for persisting form state across requests) and relies on the machine key to sign and encrypt the ViewState instance; a known machine key therefore allows an attacker to supply a forged but validly signed ViewState, which is what makes the deserialization flaw exploitable. Post-exploitation, the threat actor creates local administrative accounts, moves laterally over RDP, and uses 7-Zip archives to package data for exfiltration through the command-and-control server.
Cisco Adaptive Security Appliances (ASA). For this exploit, a buffer overflow vulnerability and a missing authorization vulnerability were chained together to impact Cisco ASA 5500-X Series devices. Using the two chained vulnerabilities, the threat actor can gain complete control over the VPN and the WebVPN services and, ultimately, exfiltrate a large amount of data from the compromised network.
During Microsoft Patch Tuesday in October, 172 reported vulnerabilities were addressed, an increase from September. Of those 172, eight were critical vulnerabilities, and three were zero-day exploits. Two of the zero days were elevation of privilege vulnerabilities, and the third was a Secure Boot bypass. Microsoft released patches for the zero days and the critical vulnerabilities, affecting products including Windows Server Update Services, Microsoft Office, Microsoft Azure, and LibTIFF.
The team reminded clients that, effective Oct. 14, Microsoft no longer supports Windows 10. Microsoft does offer extended security updates for critical vulnerabilities discovered after that date, but clients must first upgrade to Windows 10 version 22H2 to receive those patches.
SOC trends
The security operations center (SOC) team is always looking for new trends in threat activity so it can respond to changes and keep clients safe. Currently, the SOC team is seeing the following trending activity:
Simple Mail Transfer Protocol (SMTP) forwarding attempts. Unauthorized email forwarding rules are a major vector for data exfiltration. The team encourages clients to establish stronger preventive controls within the organization and to designate explicitly which external domains are allowed or restricted as forwarding destinations. As much as 90% of successful BECs include the creation of malicious inbox rules.
Holiday-focused phishing emails and domains. The team reminded clients that new employees and users are more likely to fall victim to phishing and social engineering scams. Common lures include holiday events, annual budgets, audits, and other end-of-year activities. Policies requiring documentation and approval of, and the ability to audit, unusual travel arrangements can protect networks and prevent unauthorized access.
Executables with benign names but malicious hashes. Recently, there has been an increase in files with “safe”-looking names whose hashes, on quick analysis, return a malicious threat intelligence reputation. The team encourages clients to set policies that restrict execution of .exe files in line with the principle of least privilege.
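For the SMTP forwarding item above, the allow/restrict designation can be enforced as a review rule over mailbox-rule creation events. The Python below is an added example written for this page, not Pondurance's tooling: the event field names, the allow list and the sample events are constructed for the illustration and do not follow any product's audit-log schema. Beyond the external-domain check the text calls for, it also flags two common BEC indicators the text does not spell out: rules that delete or mark as read the mail they forward, and rules named with a single character.

```python
from typing import List

# Constructed allow list: domains to which mail may legitimately be forwarded.
# Every other destination domain is treated as external and unapproved.
ALLOWED_FORWARD_DOMAINS = {"example.com", "partner.example.org"}

# Rule actions that send a copy of mail out of the mailbox.
FORWARDING_ACTIONS = ("forward_to", "forward_as_attachment_to", "redirect_to")

# Constructed mailbox-rule creation events. The field names are assumptions
# for this example, not any vendor's audit-log schema; map your source onto them.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "rule_name": "Archive newsletters",
     "actions": {"move_to_folder": "Newsletters"}},
    {"user": "bob@example.com", "rule_name": ".",
     "actions": {"forward_to": ["b0b.finance@mail-relay.example.net"],
                 "delete_message": True, "mark_as_read": True}},
    {"user": "carol@example.com", "rule_name": "Send to partner desk",
     "actions": {"forward_to": ["desk@partner.example.org"]}},
    {"user": "dave@example.com", "rule_name": "Invoices",
     "actions": {"redirect_to": ["dave.backup@webmail.example"],
                 "mark_as_read": True}},
]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def evaluate_rule(event: dict, allowed_domains) -> List[str]:
    """Return the reasons a rule event deserves analyst review (empty if none)."""
    actions = event.get("actions", {})
    external = sorted({
        domain_of(addr)
        for key in FORWARDING_ACTIONS
        for addr in actions.get(key, [])
        if domain_of(addr) not in allowed_domains
    })
    findings = []
    if external:
        findings.append("forwards mail to unapproved domain(s): " + ", ".join(external))
        # Deleting or marking forwarded mail as read hides the exfiltration from
        # the mailbox owner; combined with external forwarding it is the classic
        # BEC inbox-rule pattern.
        if actions.get("delete_message") or actions.get("mark_as_read"):
            findings.append("hides forwarded mail from the mailbox owner")
    # Rules named with a single punctuation character are easy to overlook in
    # the rule list, which is why attackers favour them.
    if len(event.get("rule_name", "").strip()) <= 1:
        findings.append("rule name is empty or a single character")
    return findings


def triage(events, allowed_domains):
    """Return (user, rule_name, findings) for each event that needs review."""
    flagged = []
    for event in events:
        findings = evaluate_rule(event, allowed_domains)
        if findings:
            flagged.append((event["user"], event["rule_name"], findings))
    return flagged


if __name__ == "__main__":
    for user, name, findings in triage(SAMPLE_EVENTS, ALLOWED_FORWARD_DOMAINS):
        print(f"{user} rule {name!r}:")
        for reason in findings:
            print("  -", reason)
```

Run against the constructed events, Alice's folder rule and Carol's forward to an approved partner domain pass, while Bob's and Dave's rules are returned for review. A deny list for known free-mail domains can be layered on the same check, but the allow-list form matches the text's advice that destinations be designated as allowed or restricted rather than judged case by case.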
ClickFix phishing attacks
The engineering team has seen a recent uptick in the popularity of ClickFix phishing attacks. This social engineering technique deceives users into running commands on their own devices while they believe they are solving a technical issue. The commands usually appear benign or inconsequential; typical pretexts are fixing something that is out of date or can’t be viewed, or proving that the user is human.
To execute the attack, the threat actor injects a legitimate-looking command into the user’s clipboard. The user is then directed to press Win+R or open a terminal, paste the command, and hit Enter. The command downloads and executes a payload, such as an infostealer, remote access trojan, loader, or rootkit, that may run in memory or use living-off-the-land binaries. Because the user runs the command themselves and no obviously malicious file is downloaded up front, the attack often evades detection. The team also sees commands that avoid triggering the Mark of the Web, making the attacks even stealthier.
To identify ClickFix phishing attacks, the team looks for excessive spaces in the command itself and for encoded and obfuscated commands, often containing Base64-encoded segments.
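The two indicators above, excessive whitespace and Base64-encoded segments, can be checked mechanically over command lines gathered from process-creation or Run-dialog telemetry. The following Python is an added example written for this page, not Pondurance's detection logic: the thresholds (20 consecutive spaces, 32-character Base64 runs), the regular expressions and the sample command lines are assumptions constructed for the illustration, and the encoded payload in the sample is a harmless Write-Output so the block is safe to run.

```python
import base64
import binascii
import re
from typing import Optional

# ClickFix lures hide the real command behind a long run of whitespace so that
# only an innocuous prefix is visible in the Run dialog. The 20-space threshold
# is an assumption for this example; tune it against your own telemetry.
EXCESSIVE_WHITESPACE = re.compile(r" {20,}|\t{4,}")

# Candidate Base64 blobs: an unbroken run of Base64 alphabet characters with
# optional padding. 32 characters is the assumed minimum worth decoding.
BASE64_BLOB = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{32,}={0,2}(?![A-Za-z0-9+/=])")

# PowerShell accepts abbreviated parameter names, so -e, -ec and -enc all
# mean -EncodedCommand.
ENCODED_COMMAND_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\b")


def decode_blob(token: str) -> Optional[str]:
    """Decode a Base64 candidate to text, or return None if it is not text.

    -EncodedCommand payloads are UTF-16LE, so ASCII content appears as byte
    pairs with a zero high byte; anything else is tried as UTF-8.
    """
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def analyze_command(cmd: str) -> dict:
    """Check one command line for the ClickFix indicators described above."""
    blobs = [
        {"token": m.group(0), "decoded": decode_blob(m.group(0))}
        for m in BASE64_BLOB.finditer(cmd)
    ]
    result = {
        "excessive_whitespace": bool(EXCESSIVE_WHITESPACE.search(cmd)),
        "encoded_command_flag": bool(ENCODED_COMMAND_FLAG.search(cmd)),
        "base64_blobs": blobs,
    }
    result["suspicious"] = (
        result["excessive_whitespace"]
        or result["encoded_command_flag"]
        or bool(blobs)
    )
    return result


def scan(commands):
    """Return (command, findings) for every command that trips a heuristic."""
    flagged = []
    for cmd in commands:
        findings = analyze_command(cmd)
        if findings["suspicious"]:
            flagged.append((cmd, findings))
    return flagged


# Constructed test data. The encoded "payload" is a harmless Write-Output so
# the sample is safe to run; a real lure carries a downloader at this point.
_SAMPLE_ENCODED = base64.b64encode(
    "Write-Output 'constructed sample'".encode("utf-16-le")
).decode("ascii")

SAMPLE_COMMANDS = [
    "ipconfig /flushdns",  # benign: the kind of fix a support article suggests
    "sfc /scannow",        # benign
    # visible prefix, 60 spaces, then a hidden encoded PowerShell command
    "echo Verification code 7731" + " " * 60 + "& powershell -w hidden -enc " + _SAMPLE_ENCODED,
    # whitespace padding only, no encoding
    "cmd /c echo Done" + " " * 40 + "& start https://fix.example.invalid/",
]

if __name__ == "__main__":
    for cmd, findings in scan(SAMPLE_COMMANDS):
        print(f"SUSPICIOUS: {cmd[:40]!r}...")
        for key, value in findings.items():
            print(f"  {key}: {value}")
```

Decoding the Base64 segment rather than merely flagging it lets an analyst see the hidden command in the alert; because PowerShell expects UTF-16LE for -EncodedCommand, the decoder checks for the zero high bytes that encoding produces before falling back to UTF-8. Both benign samples pass, and the two padded commands are returned with the indicators that tripped.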
About the Pondurance threat intelligence team
The Pondurance threat intelligence team consists of cybersecurity experts across our organization dedicated to providing exceptional threat intelligence research and insights to optimize the efficacy of proactive threat prevention efforts, as well as threat detection and response. By monitoring emerging cybersecurity trends and collaborating with our SOC, we provide real-time insights and actionable intelligence. Through knowledge sharing and advisory posts, we empower organizations to strengthen their cybersecurity posture and foster a more secure digital landscape.

