Daily BlueTeamSec Briefing

September 30, 2025

SECURITY BRIEFING SCRIPT

INTRODUCTION:
Yesterday's security developments from Monday, September 29th, 2025 cover three notable threat intelligence updates. All attribution is by the article authors. All article analysis is automated.

CRITICAL VULNERABILITY ALERT:
Before we continue with today's briefing, we have a critical security alert. CVE-2025-20352 has just been added to the CISA Known Exploited Vulnerabilities catalog. This is a critical SNMP stack overflow vulnerability in Cisco IOS and IOS XE that a high-privileged attacker can use for remote code execution and a low-privileged attacker can use for denial of service. Organizations should immediately check their exposure and apply available security updates.

MAIN CONTENT:
The AhnLab Security Intelligence Center reported on attacks against poorly managed MS-SQL servers using XiebroC2, an open-source command and control framework similar to Cobalt Strike. The attackers exploited weak credentials to gain initial access, then deployed JuicyPotato for privilege escalation before installing XiebroC2 for persistent control of compromised systems. The framework provides remote control, information gathering, and evasion capabilities that make it particularly effective for maintaining long-term access.
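The initial access in that campaign was credential guessing against exposed MS-SQL servers, which leaves a recognizable trail in the SQL Server error log. The following is an added detection example for this briefing, not code from the ASEC report; it assumes the standard SQL Server error-log line format for logon events ("Login failed for user ... [CLIENT: ip]") and runs over a constructed sample log. It flags any client address whose failed logins within a time window reach a threshold and notes whether a successful login followed the burst, the combination that indicates a guessed password rather than a misconfigured application.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server error-log style (not taken from the article).
SAMPLE_LOG = """\
2025-09-29 10:01:02.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-09-29 10:01:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-09-29 10:01:03.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-09-29 10:01:03.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-09-29 10:01:04.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-09-29 10:01:04.66 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-09-29 10:01:05.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2025-09-29 10:03:15.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

# Matches the logon-event lines; other error-log lines (startup, backups, ...) are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]$"
)


def parse_logon_events(text):
    """Extract logon events as dicts {ts, ok, user, client}, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "ok": m["outcome"] == "succeeded",
            "user": m["user"],
            "client": m["client"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return {client: summary} for clients whose failures inside `window`
    reach `threshold`. The summary records the failure count, the accounts
    tried, and whether a successful login followed the burst."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    findings = {}
    for client, evs in by_client.items():
        fails = [e for e in evs if not e["ok"]]
        # Slide a window over the failure timestamps and stop at the first burst.
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                burst_end = fails[j]["ts"]
                findings[client] = {
                    "failures": count,
                    "users": sorted({e["user"] for e in fails[i:j + 1]}),
                    "success_after_burst": any(e["ok"] and e["ts"] >= burst_end for e in evs),
                }
                break
    return findings


if __name__ == "__main__":
    for client, summary in find_password_guessing(parse_logon_events(SAMPLE_LOG)).items():
        print(client, summary)
```

On the sample, only 203.0.113.5 is reported (six failures against 'sa' in under three seconds, then a success), while the single failure from 10.0.0.7 stays below the threshold. The "success after burst" flag is the one worth paging on, since it means the account should be treated as compromised and the session from that client investigated for follow-on activity such as the privilege-escalation tooling described above.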

Resecurity published research on an alliance between three major English-speaking cybercrime groups: LAPSUS$, ShinyHunters, and Scattered Spider. These groups have formed an increasingly connected partnership since 2023, primarily targeting Fortune 100 corporations and government agencies through social engineering attacks. Their approach involves impersonating employees to deceive IT help desks, representing a shift toward exploiting human weaknesses rather than relying on advanced technical exploits.

The DFIR Report documented a nearly two-month intrusion conducted by the Lunar Spider threat group that began with a malicious JavaScript file disguised as a tax form. The attackers deployed multiple malware families including Latrodectus, Brute Ratel C4, and Cobalt Strike throughout the extended campaign. During their prolonged access, they harvested credentials from various sources, performed lateral movement across the network, and successfully exfiltrated data using Rclone and FTP tools.
