Daily BlueTeamSec Briefing

September 28, 2025

INTRODUCTION:
This briefing covers security developments from Saturday, September 27, 2025. We reviewed fifteen security articles across threat intelligence, malware analysis, vulnerabilities, and new security tools.

MAIN CONTENT:

Threat Intelligence.

Gist reported a sophisticated phishing campaign targeting users through fake Google Careers recruitment emails. The attackers use legitimate Salesforce infrastructure for initial delivery, then redirect victims to Cloudflare-protected sites that harvest Google account credentials and can prompt for additional authentication factors such as SMS verification codes. Defenders should monitor for suspicious recruitment communications and add the provided indicators of compromise to their detection and blocking controls.

ArXiv published research demonstrating an automated pipeline for collecting cyber threat intelligence from Telegram channels. Researchers gathered over 145,000 messages and extracted 86,509 malicious indicators using a BERT-based classifier with 96.64% accuracy. This highlights Telegram's value as a timely source for threat intelligence that can help defenders anticipate emerging threats.

Talos Intelligence identified ArcaneDoor, a state-sponsored espionage campaign targeting perimeter network devices across multiple vendors. Recent activity specifically exploits Cisco ASA 5500-X Series devices through three new CVEs. The campaign focuses on telecommunications and energy sectors, where compromised perimeter devices enable network pivoting and traffic monitoring. Organizations should prioritize patching affected devices and enhance perimeter monitoring.

Malware.

The AFF Working Group analyzed Ascension Healthcare's Black Basta ransomware incident from May 2024, which resulted in $1.3 billion in losses and forced hospitals to revert to paper processes for over a month. The breach originated from an employee accidentally downloading a malicious file. Senator Wyden highlighted underlying Microsoft Active Directory vulnerabilities that enabled lateral movement throughout the network.

Vulnerabilities.

Red Crow Lab demonstrated bypassing BIOS Secure Boot protections on Dell G15 laptops through physical firmware extraction and modification. While the attack requires physical access and specialized hardware tools like chip programmers, it shows how firmware-based protections can be circumvented through direct chip manipulation.

Google Project Zero discovered a novel technique for remotely leaking memory addresses to bypass ASLR through pointer-keyed data structures in serialization processes. The vulnerability was demonstrated on macOS using NSKeyedArchiver and has been patched by Apple as of March 31, 2025. This represents a new class of information disclosure vulnerabilities affecting systems handling untrusted serialized data.

Security Tools.

GitHub announced several new security research tools. AIDR-Bastion provides comprehensive GenAI protection against prompt injection attacks using over 1,200 Sigma rules. SetupHijack exploits race conditions in Windows installer processes for privilege escalation research. Wyrm offers a new red team framework written in Rust with encrypted communications and memory obfuscation. WerDump enables LSASS memory dumping by exploiting Windows Error Reporting processes. DocuSeal provides an open-source DocuSign alternative, and pipe-intercept enables Named Pipes communication analysis through HTTP proxies.

Training Effectiveness.

UC San Diego published research involving over 19,500 healthcare employees. Across ten phishing campaign tests, current cybersecurity training programs, including annual mandatory training and embedded phishing exercises, showed no significant effect on employee susceptibility to phishing attacks.
