پارتیان ابتکار پایدار

F5 Data Breach Attack

What is the Attack?	A sophisticated nation-state actor gained long-term access to F5’s corporate networks and exfiltrated files from BIG-IP product development and engineering knowledge-management systems, including portions of BIG-IP source code and information about previously undisclosed vulnerabilities. F5 has released security updates and advisories covering affected products. The stolen data could accelerate exploit development and raise the risk of targeted attacks due to the following factors: • High exposure: BIG-IP devices are widely deployed and often internet-facing. • Increased risk: Stolen source code shortens the time needed to develop exploits. • Critical role: Compromise of BIG-IP can lead to credential theft, lateral movement, and data exfiltration. In response to F5's disclosure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive ED 26-01: Mitigate Vulnerabilities in F5 Devices \| CISA.
What is the recommended Mitigation?	Patch immediately - Apply the latest F5 updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients as soon as possible, as mentioned on the advisory. Quarterly Security Notification (October 2025) Restrict access: Limit BIG-IP management interfaces to trusted networks only. Monitor for anomalies: Watch for unusual admin logins, large data transfers, or new repositories. Hunt proactively: Check for suspicious activity involving F5 appliances or related infrastructure.
What FortiGuard Coverage is available?	Active tracking: FortiGuard Labs is monitoring this campaign and will release IPS, WAF, and threat intelligence updates as exploit activity evolves. IoT Device Detection: FortiGuard’s IoT Device Detection Service helps identify F5 devices across your network. IoT Device Detection \| FortiGuard Labs Incident Response: Organizations suspecting compromise can contact the FortiGuard Incident Response team for rapid containment and remediation support.

RediShell RCE Vulnerability

What is the Vulnerability?	A Use-After-Free (UAF) bug in Redis’s Lua scripting subsystem (tracked as CVE-2025-49844, “RediShell”) allows an authenticated attacker who can run Lua scripts to escape the Lua sandbox and achieve arbitrary native code execution on the Redis host. This is a critical (CVSS 10.0), high-impact vulnerability because Lua scripting is enabled by default and many deployments lack proper authentication or are internet-exposed, leading to theft of credentials, deployment of malware/miners, lateral movement, exfiltration, and loss of availability.
What is the recommended Mitigation?	Patches were released on October 3, 2025. Redis Cloud was automatically patched, but self-managed instances must be upgraded immediately. Upgrade all self-managed Redis instances to one of the fixed versions listed in the Redis advisory. Redis Cloud customers were auto-patched. If you cannot patch immediately, apply temporary mitigations: Disable Lua scripting where it’s not required for application functionality. If Lua is required, restrict which identities can run scripts and monitor their usage.
What FortiGuard Coverage is available?	Lacework FortiCNAPP automatically detects this vulnerability via the Vulnerability Management module when Redis is installed via a package manager on a host or container. How does Lacework FortiCNAPP Protect from... - Fortinet Community FortiCNAPP also detects usage of the official Redis Docker image via alerts and will escalate the alert severity to 'Critical' when this exploit is detected to be actively in use. Cloud Vulnerability and Threat Detection \| FortiGuard Labs Intrusion Prevention System (IPS): FortiGuard IPS Service is available to detect and block exploit attempts targeting CVE-2025-49844. Intrusion Prevention \| FortiGuard Labs FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching applications on an endpoint, eliminating manual processes while reducing the attack surface. Endpoint Vulnerability \| FortiGuard Labs The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

npm Supply Chain Attack

What is the Attack?	On September 8, 2025, attackers phished the npm maintainer “qix” and stole their two-factor authentication (2FA) credentials. With that access, they published malicious versions of some very popular npm packages (including debug, chalk, and ansi-styles). The impact is considered high risk for applications that serve frontend JavaScript, especially those handling payments, cryptocurrency, or wallet flows. Reports indicate that these compromised versions were live for about two hours before removal. According to the CISA Alert on this incident, the campaign also involved a self-replicating worm publicly known as “Shai-Hulud,” which compromised over 500 packages. After gaining initial access, the malicious actor deployed malware that scanned environments for sensitive credentials. The attacker specifically targeted GitHub Personal Access Tokens (PATs) and API keys for major cloud platforms, including Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.
What is the recommended Mitigation?	Dependency Controls - Pin dependencies to known-safe versions. - Blocklist malicious versions in private registries/proxies. - Rebuild from a clean state and invalidate CDN caches. Credential Hygiene - Rotate npm, GitHub, and cloud tokens. - Enforce phishing-resistant MFA (e.g., hardware keys). CI/CD Hardening - Audit secrets, webhooks, and GitHub Actions. - Enable secret scanning and branch protections. - Add guardrails to detect tampered dependencies before production build. Network & Runtime Defense - Block outbound traffic to known exfiltration domains. - Continuously monitor for new IoCs related to npm compromise.
What FortiGuard Coverage is available?	FortiCNAPP Cloud-Native Application Protection Platform can help protect and detect related threats using the following services and features: How does Lacework FortiCNAPP Protect from... - Fortinet Community Vulnerability Management & SCA: Detects the presence of compromised NPM Packages. SAST: Detects malicious scripts present if compromised NPM packages are downloaded. Runtime Threat Detection: If a compromise occurs, runtime threat detection will detect associated actions with this attack through Composite Alerts. Web Filtering: Blocks access to domains controlled by attackers. Indicators of Compromise (IOCs) Service: FortiGuard Labs has blocked all known linked Indicators of Compromise (IOCs), and the team is continuously monitoring for emerging threats and new IOCs. FortiGuard Antivirus & Behavior Detection: Detects malicious JS/HTML payloads (Shai-Hulud) from poisoned npm packages and advanced behavioral analysis to detect and block unknown threats. FortiEDR / FortiClient: Detects suspicious script execution and unauthorized Git/token harvesting on endpoints. Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.

Salesloft Drift Supply Chain Attack

What is the Attack?	Threat actors tracked as UNC6395 exploited the Salesloft Drift integration, a SaaS AI chatbot tool linked to Salesforce and other platforms, to steal OAuth and refresh tokens. These tokens allowed them to bypass normal authentication controls and gain access to target environments without directly breaching Salesforce accounts. The attackers then systematically exported sensitive credentials from dozens, and potentially hundreds, of Salesforce customer instances. Exfiltrated data included AWS access keys, Snowflake authentication tokens, VPN credentials, passwords, and API keys. With these tokens, UNC6395 was able to infiltrate not only Salesforce but also Google Workspace, Cloudflare, Zscaler, Palo Alto Networks, and other connected systems. This expanded the impact well beyond CRM data, exposing a wide range of enterprise environments. While initial reports suggested the breach was limited to Salesforce integrations, subsequent investigations confirmed that all Salesloft Drift integrations should be considered compromised.
What is the recommended Mitigation?	• Review Salesloft Advisory and any other partner advisory affected by the breach. Salesloft Trust Portal \| Widespread Data Theft Targets Salesforce Instances via Salesloft Drift \| Google Cloud Blog • Revoke and Reissue Tokens Immediately disconnect and regenerate all tokens associated with Salesloft Drift and any connected integrations. • Audit and Monitor Activity Review logs in Salesforce, Google Workspace, and other integrated platforms for signs of unusual data exports, hidden jobs, or suspicious API calls. • Tighten Integration Permissions Enforce least privilege, restrict API scopes, and apply IP-based access controls to reduce exposure. • Rotate All Exposed Secrets Replace compromised or potentially exposed credentials, including AWS keys, Snowflake tokens, VPN accounts, and API tokens. • Defend Against Phishing and Impersonation Monitor for social engineering attempts targeting employees or customers using leaked contact data.
What FortiGuard Coverage is available?	• FortiGuard Labs recommends users to follow best practices and enforce Zero-Trust Security to ensure minimal impact and sensitive data remains tightly restricted. • FortiGuard Labs blocks access to malicious domains, C2 servers, or phishing sites associated with the campaign. • FortiGuard Labs has blocked all the known linked Indicators of Compromise (IOCs) and the team is continuously monitoring for new IOCs. • Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.

Oracle E-Business Suite RCE Vulnerability

What is the Vulnerability?	CVE-2025-61882 is a critical (CVSS 9.8) unauthenticated remote code execution vulnerability in the BI Publisher integration of Oracle E-Business Suite’s Concurrent Processing component. The flaw is remotely exploitable over HTTP without authentication, allowing attackers to execute arbitrary code and fully compromise affected systems. This vulnerability has been actively exploited as a zero-day in data theft and extortion campaigns, with activity linked to the Cl0p ransomware group. Successful exploitation enables complete takeover of Oracle Concurrent Processing, opening the door to lateral movement, sensitive data exfiltration, and potential ransomware deployment. Oracle has released an out-of-band security patch and IoCs to address the issue. Immediate patching or compensating controls are strongly recommended for all vulnerable EBS deployments.
What is the recommended Mitigation?	Apply Oracle’s emergency patch immediately for CVE-2025-61882. Oracle Security Alerts CVE-2025-61882 Block known malicious IPs / connections identified in Oracle’s IoC list and vendor threat feeds. Hunt for compromise by scanning EBS servers for signs of web shells, unexpected cron jobs, suspicious processes, or new users.
What FortiGuard Coverage is available?	Intrusion Prevention System (IPS): FortiGuard IPS Service is available to detect and block exploit attempts targeting CVE-2025-61882. Intrusion Prevention \| FortiGuard Labs Indicators of Compromise (IOC) and Web Filtering Service: Implemented protections against malicious traffic and C2 infrastructure, and known Indicators of Compromise (IoCs) related to this campaign, and is currently investigating for further protections. FortiGuard Sandbox Service: Delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats. FortiGuard Incident Response: Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.

BRICKSTORM Espionage Campaign

What is the Attack?

BRICKSTORM is a stealthy, Go-based backdoor deployed by the China-nexus actor UNC5221, enabling long-term persistence and espionage via compromised network appliances in US organizations.

Since March 2025, GTIG (Google Threat Intelligence Group) and Mandiant have tracked BRICKSTORM activity impacting legal services, SaaS, BPO, and technology firms. The campaign suggests objectives beyond espionage - including theft of intellectual property, support for zero-day development, and establishing supply-chain pivot points.

BRICKSTORM capabilities include:

Stealthy persistence by embedding in startup scripts.
Proxying internal/external traffic.
Credential theft.
Exfiltration of sensitive data and mailbox access.
Anti-forensics to evade detection.

What is the recommended Mitigation?

Patch & Harden Appliances: Apply vendor updates and restrict outbound connectivity from management interfaces.
Network Monitoring: Watch for unusual DNS-over-HTTPS (DoH) activity or outbound traffic from appliances.
Threat Hunting: Use YARA rules and forensic scans on appliances/backups to detect BRICKSTORM.
Access Controls: Enforce MFA for vCenter and monitor VM cloning activity.
Incident Response: Treat compromised appliances as untrusted and rebuild with verified images.

What FortiGuard Coverage is available?

Antimalware Service: Released AV detections for known BRICKSTORM binaries, webshells, and YARA rules.
Indicators of Compromise (IOC) and Web Filtering Service: Implemented protections against malicious traffic and C2 infrastructure observed in this campaign.
FortiGuard Sandbox Service: Delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats.
Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.

AndroxGh0st Malware Actively Used in the Wild

FortiGuard Labs is aware that AndroxGh0st malware is actively used in the field to primarily target .env files that contain confidential information such as credentials for various high profile applications such as - AWS, O365, SendGrid, and Twilio from the Laravel web application framework.

Why is this Significant?

This is significant as AndroxGh0st malware is actively used in the field to target Laravel .env files that contain sensitive information such as credentials for AWS, O365, SendGrid, and Twilio. FortiGuard Labs observes in the wild attempts by the AndroxGh0st malware more than 40,000 Fortinet devices a day.

What is AndroxGh0st Malware?

AndroxGh0st is a Python malware designed to search for and extract .env files from the Laravel Laravel application.

AndroxGh0st supports numerous functions to abuse SMTP such as scanning and exploiting exposed credentials and APIs, and web shell deployment.

What is the Status of Protection?

FortiGuard Labs has the following AV signatures in place for known AndroxGh0st malware samples:

Python/AndroxGhost.A!tr
Python/AndroxGhost.HACK!tr
PHP/AndroxGhost.AZZA!tr
W32/AndroxGhost.HACK!tr
W32/AndroxGhost.BEAE!tr
MSIL/AndroxGhost.HACK!tr

FortiGuard Labs has the following IPS signature in place for AndroxGh0st:

AndroxGh0st.Malware

Genesis Market Malware Attack

What is the attack?	The FortiGuard Lab's EDR team recently identified malware infection exhibiting strong similarities to the previously reported Genesis Market malicious campaign that was dismantled by law enforcement in early 2023. The investigation traced some initial compromises to tools used for circumventing software licensing and counterfeit GPG MSI installers embedded with PowerShell scripts. Following the initial infection, the malware deploys a victim-specific DLL into the machine's memory. This malware targets Edge, Chrome, Brave, and Opera browsers by installing a "Save to Google Drive" extension, which it uses to steal login credentials and sensitive personal data.
What is Genesis Market?	Genesis Market is a black market that deals in stolen login credentials, browser cookies, and online fingerprints. Its operation involves infecting victims, extracting data from their browsers, and maintaining persistence on the victim's machine to steal new data. Although law enforcement agencies dismantled it in the first half of 2023, recent traces of infections suggest a possible attempt to revive its operations.
What is the recommended Mitigation?	Maintain general awareness and training about the risk of phishing and social engineering attacks. Ensure that all systems and software are kept up-to-date with the latest patches. Organizations can raise the security awareness of their employees that are being targeted by phishing, drive-by download and other forms of cyberattacks using Security Awareness Training.
What FortiGuard Coverage is available?	FortiEDR in full prevention mode prevents these attacks from propagating onto the machine pre-infection and can prevent exfiltration of data. FortiGuard AV service detects and blocks all the known malware and Web Filtering service has blocked all the known IoCs related to the campaign.

ArcaneDoor Attack (Cisco ASA Zero-Day)