Monday, Oct 20, 2025 // (IG): BB // GITHUB // SN R&D
PoC Released for Linux-PAM Vulnerability (CVE-2025-8941): Local Exploit Grants Root Privileges
Bottom Line Up Front (BLUF): A high-severity local privilege escalation vulnerability (CVE-2025-8941) in the pam_namespace module of Linux-PAM has been weaponized, with proof-of-concept (PoC) code now publicly available. A low-privileged local user can abuse a race condition and unsafe symlink handling in the module's directory setup to escalate to root. Major Linux distributions including Ubuntu, Fedora, and RHEL ship the affected module. Patch deployment is now critical, especially on shared multi-user systems.
Analyst Comments: It's not flashy, but it's reliable, and now there is working PoC code. If your systems allow untrusted local users (university labs, shared development servers, CI runners, misconfigured cloud VMs), you're in the danger zone. The bug is not remotely exploitable on its own, but that is exactly what makes it valuable post-compromise: any foothold that yields a shell, whether a web application bug or a stolen SSH key, becomes root. Admins should not wait for automated patch cycles. Pull the patch; if you do not rely on polyinstantiated directories, drop pam_namespace.so from the PAM stack entirely (check the service files under /etc/pam.d and the policy in /etc/security/namespace.conf); and put file-integrity monitoring on the directories it manages.
READ THE STORY: freebuf // GBhackers
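Added example (not from the advisory, the PoC, or Linux-PAM itself): a small parser for the /etc/pam.d line format that reports every service whose stack loads pam_namespace.so, so you can see whether the module is actually reachable before deciding whether to remove it. It handles the optional leading "-", bracketed [..] control fields, "#" comments, backslash line continuations, "@include" directives and the include/substack controls. The three demo service files it writes are constructed for illustration, not copied from any distribution.

```python
"""Find every pam_namespace.so entry reachable from the services in a PAM
config directory (added example; not from the advisory or Linux-PAM)."""
import os
import re
import tempfile

PAM_TYPES = {"auth", "account", "password", "session"}
# type  control  module-path  [args]; control may be a word or a [..] list.
_ENTRY = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_file(path):
    """Yield ('include', name) or ('entry', type, control, module, args) per active line."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read().replace("\\\n", " ")      # join continuation lines
    except OSError:
        return
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()           # drop comments and blanks
        if not line:
            continue
        if line.startswith("@include"):
            yield ("include", line.split(None, 1)[1].strip())
            continue
        m = _ENTRY.match(line)
        if not m or m.group(1) not in PAM_TYPES:
            continue
        ptype, control, module, args = m.groups()
        if control in ("include", "substack"):         # Linux-PAM file inclusion controls
            yield ("include", module)
        else:
            yield ("entry", ptype, control, os.path.basename(module), args.split())


def find_pam_namespace(pam_dir):
    """Return [(service, type, control, args)] for each pam_namespace.so entry a
    service in pam_dir loads, following includes inside pam_dir only."""
    hits = []
    for service in sorted(os.listdir(pam_dir)):
        seen, stack = set(), [os.path.join(pam_dir, service)]
        while stack:
            path = stack.pop()
            if path in seen or not os.path.isfile(path):
                continue
            seen.add(path)
            for item in parse_pam_file(path):
                if item[0] == "include":
                    stack.append(os.path.join(pam_dir, item[1]))
                elif item[3] == "pam_namespace.so":
                    hits.append((service, item[1], item[2], item[4]))
    return hits


# Constructed sample: three service files as they might appear under /etc/pam.d.
DEMO_FILES = {
    "common-session": "session optional pam_systemd.so\n"
                      "# session required pam_namespace.so   (commented out: must be ignored)\n",
    "login": "@include common-session\n"
             "session    required   pam_namespace.so unmnt_remnt\n",
    "sshd": "session [success=1 default=ignore] pam_succeed_if.so service in sshd\n"
            "session required pam_namespace.so \\\n"
            "    no_unmount_on_close\n",
}


def demo():
    """Write DEMO_FILES to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in DEMO_FILES.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_pam_namespace(d)


if __name__ == "__main__":
    live = os.path.isdir("/etc/pam.d")
    for hit in (find_pam_namespace("/etc/pam.d") if live else demo()):
        print("%-16s %-9s %-12s %s" % (hit[0], hit[1], hit[2], " ".join(hit[3])))
```

Run it as root on the host to list the real stack; an empty result means no login path loads the module and removing it costs nothing. A non-empty result tells you which services to re-test after patching.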
North Korean APT Uses Blockchain Smart Contracts to Distribute Malware in EtherHiding Campaign
Bottom Line Up Front (BLUF): Google's Threat Intelligence Group (GTIG) reports that North Korean APT group UNC5342 is using blockchain smart contracts as malware distribution infrastructure, a technique dubbed EtherHiding. This is the first observed case of a nation-state actor using it: the next-stage loader is stored in a smart contract, so it cannot be taken down, and the operator can swap payloads with a cheap on-chain transaction rather than standing up new hosting.
Analyst Comments: UNC5342's use of smart contracts as payload-hosting infrastructure signals a shift toward effectively bulletproof hosting: decentralized, persistent, and immune to takedown requests. It's no longer just cybercriminals using Web3; APT actors are now staging malware on-chain. That should worry defenders who rely on URL or domain blocklists, because a contract address is not a domain and the payload never sits on a server anyone can seize. Detection has to pivot to behavior: scripts on compromised sites that make JSON-RPC calls to public blockchain nodes, and endpoints that follow them. That is also the one chokepoint left. The victim still has to reach a public RPC endpoint to read the contract, so egress logging and filtering for unexpected blockchain RPC traffic is one of the few network-level controls that still applies here; plain DNS filtering of known-bad domains does not.
READ THE STORY: freebuf
Five Actively Exploited Vulnerabilities Added to CISA’s KEV Catalog, Including Oracle EBS and Microsoft SMB Flaws
Bottom Line Up Front (BLUF): CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on October 20, 2025: an unauthenticated SSRF in Oracle E-Business Suite (EBS), CVE-2025-61884; a Microsoft Windows SMB Client flaw; two authentication bypasses in Kentico Xperience CMS; and a bug in Apple's JavaScriptCore engine. The Oracle entry is the companion to CVE-2025-61882, the EBS remote code execution bug added to the catalog earlier this month and tied to suspected Cl0p extortion operations; the remaining entries carry remote code execution or privilege escalation impact.
Analyst Comments: Oracle EBS has become an increasingly attractive target: it holds exactly the finance, procurement, and HR data that extortion crews want, and Cl0p's interest confirms it. The unauthenticated SSRF (CVE-2025-61884) and its companion RCE (CVE-2025-61882) are especially dangerous for enterprises with EBS reachable from the internet; an exposed instance that sat unpatched during October should be checked for evidence of compromise, not just for patch status. The Kentico auth bypasses are notable because CMS platforms remain soft targets for initial access and watering-hole staging. The Microsoft and Apple flaws round out a broad target surface. KEV entries come with a federal remediation deadline under BOD 22-01, and that deadline is a reasonable benchmark for everyone else.
READ THE STORY: THN
Argentina Central Bank, US Treasury Sign $20 Billion Swap Deal
Bottom Line Up Front (BLUF): Argentina’s central bank has signed a $20 billion bilateral currency swap agreement with the U.S. Treasury, aiming to bolster its foreign reserves, stabilize the peso, and support economic growth. The announcement lands just days before President Javier Milei faces a pivotal midterm election that could determine the viability of his libertarian economic reforms.
Analyst Comments: The swap line gives the central bank breathing room—at least cosmetically—to defend the peso ahead of the election. But structurally, it does little to address Argentina’s underlying fiscal and monetary dysfunction. If Milei loses congressional backing, expect capital flight and renewed pressure on the peso, regardless of this short-term liquidity injection. For global risk desks, the U.S. backing signals political alignment, but it’s not a vote of confidence in Argentina’s solvency.
READ THE STORY: Bloomberg
New Tool “DefenderWrite” Enables Arbitrary Writes into AV Directories
Bottom Line Up Front (BLUF): A new post-exploitation tool dubbed DefenderWrite allows an attacker who already controls a host to write arbitrary files, including malicious DLLs, into the self-protected directories of antivirus products such as Microsoft Defender, Bitdefender, and Avast. Developed by the research group Two Seven One Three, the tool abuses Windows executables that the AV's own self-protection trusts to write into those directories, opening a path to DLL sideloading, persistence, and evasion.
Analyst Comments: By identifying benign Windows executables that an AV's tamper protection allows to write into its otherwise locked folders, attackers get a stealthy path to persistence and DLL hijacking without touching the kernel. It's not a zero-day; it's a textbook case of a security boundary being turned against itself. With the tool public, assume red teams and adversaries are already testing it. The detection angle is narrow and clear: an AV's directories should only ever be written by the AV's own service and update processes, so a file-create event there from any other image, and above all a DLL or EXE, deserves an alert. Expect this technique in real campaigns, especially against environments that rely on AV as their first and last line of defense.
READ THE STORY: freebuf
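Added example (not from the story and not part of the DefenderWrite tool): the detection rule above, run over Sysmon Event ID 11 (FileCreate) records reduced to dicts. The directory list for the three products, the executable names, and the four sample events are assumptions and constructed data; adjust the list to the products and paths actually deployed.

```python
"""Alert on files created inside antivirus program directories by processes
that are not the product's own (added example; directories are assumptions)."""
import ntpath

# Assumed self-protected directories for the products named in the story.
AV_DIRS = {
    "Microsoft Defender": [
        "C:\\ProgramData\\Microsoft\\Windows Defender",
        "C:\\Program Files\\Windows Defender",
    ],
    "Bitdefender": ["C:\\Program Files\\Bitdefender"],
    "Avast": ["C:\\Program Files\\Avast Software"],
}
PE_EXTENSIONS = {".dll", ".exe", ".sys", ".ocx", ".cpl"}


def _norm(path):
    """Case-fold and normalise a Windows path (ntpath works on any host OS)."""
    return ntpath.normcase(ntpath.normpath(path))


def product_for(path):
    """Name of the AV product whose directory contains path, else None."""
    n = _norm(path)
    for product, dirs in AV_DIRS.items():
        if any(n.startswith(_norm(d) + "\\") for d in dirs):
            return product
    return None


def evaluate(event):
    """Return (severity, reason) for a suspicious FileCreate, or None."""
    target, image = event["TargetFilename"], event["Image"]
    product = product_for(target)
    if product is None:
        return None                       # not an AV directory: out of scope
    if product_for(image) == product:
        return None                       # the product writing to itself: expected
    ext = ntpath.splitext(target)[1].lower()
    severity = "high" if ext in PE_EXTENSIONS else "medium"
    reason = "%s (outside %s) wrote %s into the %s directory" % (
        ntpath.basename(image), product, ext or "a file", product)
    return severity, reason


def scan(events):
    """Return [(UtcTime, severity, reason)] for every event evaluate() flags."""
    out = []
    for e in events:
        hit = evaluate(e)
        if hit:
            out.append((e["UtcTime"], hit[0], hit[1]))
    return out


# Constructed Sysmon-style FileCreate records (Event ID 11); binary names other
# than MsMpEng.exe/mpengine.dll are hypothetical.
SAMPLE_EVENTS = [
    {   # Defender's own engine dropping a file in its platform folder: benign
        "UtcTime": "2025-10-20 08:01:02",
        "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.25090.2\\MsMpEng.exe",
        "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.25090.2\\mpengine.dll",
    },
    {   # A Windows binary the AV trusts, used as a write proxy: high
        "UtcTime": "2025-10-20 08:05:40",
        "Image": "C:\\Windows\\System32\\trusted-writer.exe",
        "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.25090.2\\payload.dll",
    },
    {   # Bitdefender updater writing config inside its own tree: benign
        "UtcTime": "2025-10-20 08:07:11",
        "Image": "C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdupdate.exe",
        "TargetFilename": "C:\\Program Files\\Bitdefender\\Bitdefender Security\\update.xml",
    },
    {   # Executable from a user profile writing a non-PE file into Avast's tree: medium
        "UtcTime": "2025-10-20 08:09:59",
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe",
        "TargetFilename": "C:\\Program Files\\Avast Software\\Avast\\notes.txt",
    },
]

if __name__ == "__main__":
    for when, sev, why in scan(SAMPLE_EVENTS):
        print(when, sev.upper(), why)
```

The "product writing to itself" exemption is deliberately coarse; tighten it to the product's known service binaries once you have a baseline, since a writer inside the AV tree is exactly what a sideloaded DLL would become.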
Morgan Stanley Recommends Shorting the Dollar in ‘Goldilocks’ Market Scenarios
Bottom Line Up Front (BLUF): Morgan Stanley analysts advise shorting the U.S. dollar during so-called “Goldilocks” market conditions—periods where equities rally strongly while Treasury yields and the dollar show minimal downside movement. Historical data suggests that in these environments, particularly over the last 25 years, the dollar tends to underperform, especially against currencies like the British pound and Australian dollar.
Analyst Comments: What’s notable is Morgan Stanley’s quantitative backing—pointing to statistically significant setups where equities outperform while USD and Treasury yield moves remain constrained. It’s another example of how FX is increasingly a derivative of macro sentiment and market structure, not just rate differentials. Watch for further dollar weakness in markets where volatility remains suppressed and U.S. growth surprises on the upside. However, this strategy leans on historical correlation, so geopolitical or inflation-driven shocks could still break the pattern.
READ THE STORY: Bloomberg
Fake Ivanti VPN Sites Top Bing Search Results, Distribute Digitally Signed Malware
Bottom Line Up Front (BLUF): Zscaler researchers have uncovered an active SEO poisoning campaign delivering trojanized Ivanti Pulse Secure VPN installers through fake websites ranked high in Bing search results. The installers carry a valid digital signature, which is enough to slip past most antivirus detection, and bundle credential-stealing DLLs that target enterprise VPN configurations. The campaign likely serves as an initial access vector for ransomware operators, including Akira.
Analyst Comments: SEO poisoning is old, but signing the malware and releasing the full payload only when the visitor arrives from a Bing search shows real operational maturity. That only 2 of 58 AV engines detected the sample during Zscaler's analysis underlines the weakness of signature-based defenses, and also that a valid signature is not a trust decision: the question is who signed it and whether that signer is the vendor you expect. Expect this technique to be reused across verticals, since VPN clients are high-trust software that users install with elevated rights. If you source installers from search results instead of the vendor portal, and do not check the signer name and published hashes before deployment, you are inviting compromise.
READ THE STORY: GBhackers
GlassWorm Supply Chain Worm Uses Invisible Unicode and Solana Blockchain for Stealth C2
Bottom Line Up Front (BLUF): GlassWorm is a self-propagating supply chain worm targeting VS Code extensions. It hides its payload in invisible Unicode characters inside otherwise innocuous extension code and relies on Solana blockchain transactions and Google Calendar events for resilient command-and-control (C2). At least 35,800 installations have been compromised, and multiple malicious extensions were still live in both the OpenVSX and Microsoft VS Code marketplaces at the time of reporting.
Analyst Comments: The payload is encoded in Unicode variation selectors, characters that render as nothing in an editor, so a reviewer reading the code sees a harmless line while the interpreter sees a long run of hidden characters; a scanner that only looks at printable text misses it the same way. Solana-based C2 ensures takedown resistance, Google Calendar serves as a fallback channel, and the whole infrastructure is cheap, anonymous, and hard to disrupt. Organizations relying on developer platforms should treat this as a live-fire event, not a historical case study: GlassWorm is actively spreading right now. The practical check is to scan extension and dependency source for zero-width and variation-selector characters and treat any long run of them as a payload until proven otherwise; a single selector after an emoji is normal, a few hundred in a row are not.
READ THE STORY: freebuf
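Added example (not from the GlassWorm report or any marketplace tooling): a scanner that lists every invisible code point in a source file with its line and column, plus a decoder that recovers bytes from runs of variation selectors. The byte mapping it assumes (U+FE00..U+FE0F for 0..15, U+E0100..U+E01EF for 16..255) is the common variation-selector smuggling scheme, not something the story confirms about this sample; the scanner itself does not depend on it. The sample extension source is constructed.

```python
"""Find invisible Unicode in source text and recover bytes hidden in runs of
variation selectors (added example; byte mapping is an assumption)."""
import unicodedata

BIDI_CONTROLS = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A))
ZERO_WIDTH = {0x00AD, 0x034F, 0x115F, 0x1160, 0x180E, 0x200B, 0x200C, 0x200D,
              0x2060, 0x2061, 0x2062, 0x2063, 0x2064, 0x3164, 0xFEFF, 0xFFA0}


def vs_to_byte(cp):
    """Map a variation selector code point to the byte it encodes, else None."""
    if 0xFE00 <= cp <= 0xFE0F:
        return cp - 0xFE00
    if 0xE0100 <= cp <= 0xE01EF:
        return cp - 0xE0100 + 16
    return None


def byte_to_vs(b):
    """Inverse of vs_to_byte; used only to build the constructed sample."""
    return chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16)


def classify(cp):
    """Category of an invisible code point, or None if it renders visibly."""
    if vs_to_byte(cp) is not None:
        return "variation-selector"
    if 0xE0000 <= cp <= 0xE007F:
        return "tag"
    if cp in BIDI_CONTROLS:
        return "bidi-control"
    if cp in ZERO_WIDTH:
        return "zero-width"
    return None


def scan_source(text):
    """List every invisible character with line, column, code point and name.
    A UTF-8 BOM at offset 0 is legitimate and ignored."""
    findings, line, col = [], 1, 1
    for i, ch in enumerate(text):
        cp = ord(ch)
        kind = classify(cp)
        if kind and not (i == 0 and cp == 0xFEFF):
            findings.append({"line": line, "col": col, "cp": "U+%04X" % cp,
                             "kind": kind, "name": unicodedata.name(ch, "?")})
        if ch == "\n":
            line, col = line + 1, 1
        else:
            col += 1
    return findings


def extract_hidden(text):
    """Decode each maximal run of variation selectors into bytes. An emoji
    followed by U+FE0F yields a one-byte run; a long run is the payload."""
    runs, buf = [], bytearray()
    for ch in text:
        b = vs_to_byte(ord(ch))
        if b is None:
            if buf:
                runs.append(bytes(buf))
                buf = bytearray()
        else:
            buf.append(b)
    if buf:
        runs.append(bytes(buf))
    return runs


# Constructed sample: a harmless-looking module whose second string literal
# carries a hidden payload. In an editor line 2 looks like `const sep = "-";`.
HIDDEN = b"console.log('hidden')"
SAMPLE = ('const title = "status";\n'
          'const sep = "-' + "".join(byte_to_vs(b) for b in HIDDEN) + '";\n'
          "module.exports = { title, sep };\n")

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print("line %(line)d col %(col)d %(cp)s %(kind)s (%(name)s)" % f)
    for run in extract_hidden(SAMPLE):
        print("hidden run (%d bytes): %r" % (len(run), run))
```

Point it at every .js file in an extension's VSIX (and at its bundled node_modules) and sort findings by run length; the tag block (U+E0000..U+E007F) and the bidi controls are listed because they are the other two families used for the same trick.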
131 Malicious Chrome Extensions Hijack WhatsApp Web for Spam Campaigns
Bottom Line Up Front (BLUF): Researchers from the Socket Threat Team have identified 131 Chrome extensions that abuse WhatsApp Web to run bulk messaging spam campaigns. Originating from the Brazilian firm DBX Tecnologia and its affiliates, the extensions are clones of a single automation tool under different branding and bypass both Chrome Web Store and WhatsApp policies. Over 20,000 users are actively affected, and the campaign has operated largely unchecked for months.
Analyst Comments: The franchise-style model, one codebase and dozens of rebrands, is reminiscent of affiliate malware networks, only here it masquerades as legitimate SaaS. Chrome's vetting clearly failed to catch policy violations at scale, and WhatsApp Web's trust model offers minimal client-side resistance. Enterprises should treat browser extensions like any other third-party software: inventory them, allowlist installs through managed browser policy (Chrome's ExtensionInstallAllowlist and ExtensionInstallBlocklist policies exist for exactly this), and monitor for extensions that automate messaging or scrape page content. If your workforce uses WhatsApp Web, consider this a real threat vector, not a hypothetical one.
READ THE STORY: GBhackers
ClickFix Attacks: Copy-Paste Lures Bypass Traditional Defenses and Hit Endpoints Hard
Bottom Line Up Front (BLUF): ClickFix-style attacks exploit user trust and ordinary browser behaviour to get malicious commands onto the endpoint through the clipboard, bypassing email-based defenses entirely. These are not browser exploits: the page, often a fake CAPTCHA or a "fix this error" prompt, copies a command to the clipboard and talks the user into pasting it into the Run dialog or a terminal. Ransomware gangs and APTs are using the technique, delivered via SEO poisoning and malvertising, and detection is minimal until the command runs, leaving EDR as the last (and often insufficient) line of defense.
Analyst Comments: By skipping email and embedding lures directly in compromised or malicious web pages, attackers sidestep phishing filters entirely. The social engineering is subtle: the user is asked to copy a command to "fix" something they believe is broken, and the user, not the browser, does the executing. It's a modern twist on clipboard hijacking, now paired with ad-platform targeting. EDR can see it, but only if you hunt for its shape: explorer.exe or a browser spawning powershell.exe, mshta.exe or cmd.exe with a hidden window, an encoded or download-and-execute command line, and often a trailing comment quoting the CAPTCHA lure. On Windows the Run dialog also records what was typed under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth pulling in triage. BYOD endpoints are especially exposed. Detection also needs to shift left into the browser, because once the command runs it is often too late.
READ THE STORY: THN
Items of interest
Massive AWS Outage Disrupts Global Services: DNS Failure in US-East-1 Hits Snapchat, Prime Video, Canva, and More
Bottom Line Up Front (BLUF): A major outage in Amazon Web Services' US-East-1 region (Northern Virginia) caused widespread disruption across the internet early on October 20, 2025. A DNS resolution failure affecting the DynamoDB endpoint cascaded into EC2, S3, and other core services that depend on it. Impacted platforms included Snapchat, Amazon Prime Video, Canva, Roblox, Reddit, and multiple financial and healthcare systems. Though resolved within hours, the incident exposed how much of the internet rests on a single region of a single provider.
Analyst Comments: A DNS failure in one AWS region broke huge chunks of the internet, from consumer apps to healthcare and finance; the blast radius was massive. It reinforces a truth that architects often set aside under budget or time pressure: US-East-1 is a single point of global failure, not least because several "global" AWS services, IAM among them, have their control planes anchored there, so a deployment that is multi-region on paper can still stall when that region degrades. Redundancy on paper doesn't matter if everything routes through the same chokepoint. Cloud monocultures are brittle. Multi-region designs that are actually exercised under failure, and multi-cloud or hybrid for the services that genuinely cannot go down, aren't just "nice to have" anymore; they're operationally necessary.
READ THE STORY: GBhackers
Amazon cloud computing outage disrupts Snapchat, Robinhood, and many other online services (Video)
FROM THE MEDIA: Amazon said its cloud computing service was recovering from a major outage that disrupted online activity around the world on Monday.
Amazon’s AWS recovering after major outage disrupts services worldwide (Video)
FROM THE MEDIA: Amazon’s cloud services unit AWS was recovering from a widespread outage that knocked out thousands of websites, along with some of the world’s most popular apps, and disrupted businesses globally.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.


