"In the digital age, the supreme art of war is to secure one's own data while making the enemy doubt theirs." - The Art of Cyber War

In this week's Seclog, the cybersecurity landscape reveals a dynamic interplay of sophisticated state-sponsored attacks, critical zero-day exploits, and evolving defensive strategies. A significant breach of a Chinese cybersecurity firm highlights the vast arsenal of state-backed hacking tools targeting multiple operating systems, while separately, researchers observed potential AI-orchestrated espionage campaigns, prompting a re-evaluation of AI's role in offensive operations. Multiple critical vulnerabilities are under scrutiny, including a Salesforce SOQL injection 0-day, Fortinet FortiWeb exploitation, and Cisco ISE/Citrix zero-days actively leveraged by APTs, underscoring the persistent threat from well-resourced adversaries. Amidst these disclosures, discussions on improving operational security and refining security vendor research practices emerge, alongside efforts to enhance privacy in AI computation and secure CI/CD pipelines. This week's content emphasizes the need for continuous vigilance, proactive vulnerability management, and a critical perspective on emerging threats and security narratives.

📚 SecMisc #

Open Ransomware Group Intelligence

Ransomlook.io provides an open and searchable intelligence platform for ransomware groups, offering live statistics, posts, and an API.

This resource is invaluable for threat intelligence analysts and incident responders to track ransomware trends, understand specific group activities, and enhance proactive defense strategies.

📰 SecLinks #

Cisco ISE and Citrix Zero-Day Exploitation

APTs are successfully chaining CVE-2025-20337 (Cisco ISE) and CVE-2025-5777 (Citrix) to bypass perimeter defenses, necessitating immediate validation of patch levels and a review of authentication logs for anomalous sessions.

The deployment of custom malware post-exploitation indicates a highly targeted espionage campaign, suggesting that standard endpoint detection might miss the initial foothold established through these trusted appliances.

China's State-Backed Hacking Tools Exposed

A major data breach at Chinese cybersecurity firm Knownsec has exposed over 12,000 classified documents, providing direct evidence of China's state-sponsored cyber espionage infrastructure.

The leaked materials detail a sophisticated arsenal of Remote Access Trojans (RATs) capable of compromising all major operating systems, including Linux, Windows, macOS, iOS, and Android, indicating a broad and multi-platform offensive capability.

The incident offers unprecedented insight into the technical capabilities and operational methods supporting China's intelligence-gathering efforts, demanding immediate attention from national security and corporate defense teams.

Google Private AI Compute Privacy Review

Google engaged NCC Group to conduct an in-depth security review of its Private AI Compute system, which aims to extend mobile AI capabilities to the cloud while maintaining user data privacy.

The review involved a comprehensive architecture assessment, followed by detailed cryptographic security analyses of components like the Oak Session Library, T-Log system, and IP-blinding relay.

This initiative highlights the critical need for rigorous third-party security assessments for cloud-based AI systems processing sensitive user data, particularly concerning cryptographic implementations and privacy-preserving designs.

November Patch Tuesday Review

The November 2025 security update review covers the latest patches released by Adobe and Microsoft, crucial for maintaining system integrity post-Pwn2Own Ireland.

Security professionals should prioritize applying these updates to mitigate newly disclosed vulnerabilities across widely used software.

Staying current with these monthly releases is a foundational practice for defending against known exploitation vectors and reducing the overall attack surface.

Cybersecurity Pros Turned Ransomware Criminals

Two former employees from reputable cybersecurity firms, Sygnia Consulting and DigitalMint, have been charged with orchestrating ransomware attacks and extorting millions from businesses.

This case highlights the severe insider threat potential where individuals with deep cybersecurity knowledge exploit their skills for criminal gain, bypassing traditional defenses.

The alleged activities involved hacking at least five businesses and receiving a nearly $1.3 million cryptocurrency ransom, emphasizing the financial incentives driving such sophisticated criminal enterprises.

Ubuntu rust-sudo-rs Vulnerabilities Patched

Ubuntu is preparing to release a patch for two moderate vulnerabilities (GHSA-q428-6v73-fc4q) affecting the rust-sudo-rs package.

System administrators running Ubuntu should monitor for the release of this update and apply it promptly to address potential security weaknesses in privilege escalation utilities.

This development underscores the importance of actively tracking and applying security updates for core system utilities, even those with moderate severity.

Related : https://github.com/advisories/GHSA-c978-wq47-pvvw

Salesforce SOQL Injection 0-Day

A zero-day SOQL injection vulnerability was discovered in Salesforce's aura://CsvDataImportResourceFamilyController/ACTION$getCsvAutoMap method, affecting thousands of deployments.

This flaw allows attackers to bypass SOQL limitations, enabling the extraction of sensitive user information and details of uploaded documents.

Organizations using Salesforce should assess their exposure and monitor for official patches or mitigation guidance, as this type of injection can lead to significant data breaches.

APT Exploits Cisco ISE & Citrix Zero-Days

An advanced persistent threat (APT) group is actively exploiting zero-day vulnerabilities in Cisco Identity Services Engine (ISE) (CVE-2025-20337) and Citrix systems (CitrixBleed2, CVE-2025-5777).

Attackers are leveraging these critical flaws to deploy custom malware, highlighting the sophisticated capabilities of nation-state or well-resourced criminal actors.

Organizations using Cisco ISE or Citrix systems must prioritize immediate review of their environments for indicators of compromise and apply patches as soon as they become available for these actively exploited zero-days.

Debating AI's Role in Cyber Espionage

Anthropic researchers claimed to observe the "first reported AI-orchestrated cyber espionage campaign," with a Chinese state-sponsored group using Claude Code to automate up to 90% of attack work.

However, outside researchers are questioning the "90% autonomous" claim, suggesting a more measured view of AI's current role in directly orchestrating full-scale cyberattacks.

This discussion is crucial for understanding the true capabilities and limitations of AI in offensive cybersecurity, guiding realistic threat modeling and defensive strategies.

Critical Fortinet FortiWeb 0-Day Exploited

A critical vulnerability (CVE-2025-64446) in Fortinet FortiWeb, a Web Application Firewall, is being actively exploited in the wild.

The exploit allows unauthenticated attackers to gain administrator-level access to the FortiWeb Manager panel and websocket command-line interface.

Organizations utilizing FortiWeb products must immediately apply patches and investigate for signs of compromise, as this vulnerability grants full control over the WAF.

Critiquing Security Vendor Research

This analysis critiques common "sins" in security vendor research, such as fear-mongering, sensationalism, and presenting statistics without crucial context.

It highlights the importance of media literacy for security professionals to critically evaluate vendor-produced research and distinguish actionable intelligence from marketing.

The piece advocates for vendors to avoid these pitfalls, arguing that transparent and well-contextualized research ultimately builds trust and better informs the cybersecurity community.

LLM Vulnerabilities in Gemini Explored

Research into hacking Gemini revealed a multi-layered approach to exploiting vulnerabilities in Large Language Model (LLM) chat applications, specifically focusing on data exfiltration.

It notes that Markdown image injection vulnerabilities, previously used to leak Workspace data, have been fixed in Gemini due to multiple reports.

This indicates the ongoing cat-and-mouse game in securing LLM interfaces and the importance of understanding complex rendering processes to identify new attack vectors beyond initial fixes.

Understanding GitHub Actions Security Risks

The widespread adoption of GitHub Actions, coupled with insufficient security awareness, creates significant appeal for attackers looking for new exploitation avenues.

This resource aims to educate security professionals on the main concepts and terminology of GitHub Actions to better understand associated security risks.

Understanding how attackers leverage CI/CD pipelines through GitHub Actions is crucial for developing robust defense strategies and implementing secure development practices.

🐦 SecX #

OSINT & Minecraft RCE Revelations

Discussions highlight the power of granular OSINT (Open Source Intelligence), demonstrating how small environmental details like light switches or wood patterns can expose significant information.

OtterSec announced achieving client-side Remote Code Execution (RCE) on Minecraft Bedrock Edition via a heap overflow, indicating a bypass of ASLR and CFG, with a detailed writeup forthcoming.

These insights showcase both advanced intelligence gathering techniques and the continuous discovery of critical vulnerabilities in widely used software, emphasizing the need for deep technical analysis.

Deconstructing Visual Obfuscation via OSINT

This analysis demonstrates how granular physical details—such as wood grain patterns and light switch alignment—can fingerprint "identical" secure locations, effectively defeating location obfuscation attempts by high-value targets.

For security teams managing VIPs or secure facilities, this highlights the critical need to "sterilize" video backdrops against high-resolution visual analysis to prevent side-channel information leakage.

🎥 SecVideo #

Cybersecurity Insights & Discussions

Featured videos include an interview between Dan Boneh and OpenAI CEO Sam Altman, offering expert perspectives on advanced cybersecurity challenges and AI's role.

Content also includes discussions on homeland security with Nicholas Eftimiades, providing insights into broader national security implications of cyber threats.

These resources offer valuable high-level discussions and expert opinions for security professionals looking to understand the strategic and policy aspects of cybersecurity and AI.

Strategic Overview of Chinese Espionage Tactics

This discussion provides a strategic breakdown of varying espionage tactics, offering intelligence analysts a framework for distinguishing between opportunistic IP theft and coordinated state-sponsored operations.

Understanding the human recruitment lifecycle detailed here aids insider threat programs in identifying early behavioral warning signs of compromise within sensitive organizations.

💻 SecGit #

Privacy-Centric Local PDF Manipulation Toolkit

This toolkit processes sensitive documents entirely locally, mitigating data leakage risks associated with employees using cloud-based PDF conversion utilities for internal documents.

It provides a verifiable method for sanitizing or modifying documents before sharing, which is crucial for maintaining strict data handling compliance in regulated environments.

Stateful Subdomain Enumeration for Reconnaissance

By combining passive data sources with active resolution and maintaining state, this tool reduces redundant queries and improves coverage stability during large-scale attack surface mapping.

The inclusion of user-specific databases allows red teams to tailor enumeration against specific naming conventions, potentially revealing shadow IT assets that standard wordlists miss.

Learning Security Through Operational Failures

This repository catalogs real-world examples of operational security failures, serving as an effective training resource for red teams to identify exploit chains based on human error rather than software bugs.

Analyzing these case studies helps defenders anticipate non-technical leaks, such as metadata exposure or background visual cues, which are often overlooked in automated security scans.

← Back to Seclog