This week saw high-impact technical threats: WSUS servers actively exploited, LockBit ransomware’s upgraded return, dozens of new zero-days unveiled at Pwn2Own Ireland, advanced social engineering campaigns (ClickFix), and major underground coordination—each demanding proactive CISO action.
New Hacking Techniques
ClickFix Fullscreen Update Scam (Oct 27)
Attackers display a convincing fullscreen fake Windows Update screen, combined with CAPTCHA prompts and clipboard hijacking. Victims unknowingly paste a PowerShell loader for the Rhadamanthys infostealer into the Run dialog. The payload uses an AMSI bypass, RC4 encryption, and scheduled tasks for persistence, and the browser-to-shell process lineage (chrome.exe → powershell.exe) is abused for evasion.
CISO Takeaway
Restrict PowerShell to signed scripts, disable the Windows Run dialog for standard users, and alert on PowerShell processes spawned by browsers.
Critical Attack Techniques & CVEs
- CVE-2025-59287: WSUS RCE (out-of-band patch Oct 23, 2025, CVSS 9.8)
Unauthenticated remote code execution via unsafe deserialization in the WSUS SOAP ReportingWebService endpoints. The exploit targets BinaryFormatter deserialization of data encrypted with AES-128-CBC and a zero IV, yields SYSTEM-level access, and public PoC code was weaponized immediately.
CISO Takeaway
Patch now, remove WSUS interfaces from the internet, hunt for powershell.exe/cmd.exe child processes of wsusservice.exe, and segment WSUS VLANs.
- LockBit 5.0 Ransomware (Oct 22–23)
LockBit returns with ESXi, Linux and Windows support, randomized file extensions, anti-analysis features, and stronger encryption (ChaCha20 + RSA). Affiliates use defrag.exe for process hollowing, improved self-spreading, and aggressive double-extortion tactics.
CISO Takeaway
Harden hypervisors/ESXi, validate backup restores (including cloud backups), add EDR detections for defrag.exe abuse and Rclone activity, and enforce MFA.
- Pwn2Own Ireland 2025 (Oct 21–23)
Researchers demonstrated 73 zero-days (delivered via USB, NFC and network) against the iPhone 16, Galaxy S25, QNAP/Synology NAS devices, smart home/IoT products, and WhatsApp (a zero-click RCE disclosed privately).
CISO Takeaway
Expedite patching for Pwn2Own targets, isolate at-risk devices, disable USB/NFC where possible, and track ZDI advisories.
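The process-lineage hunts in the ClickFix and WSUS takeaways above (browser spawning PowerShell, wsusservice.exe spawning a shell), as an added example that is not part of the original post: a small Python detector run over constructed Sysmon-style process-creation events. The browser list, the extra child shells and the command-line fragments that raise severity are assumptions; the encoded blob in the sample is a placeholder.

```python
import json

# Lineage rules: (name, parent basenames, child basenames). WsusService.exe is
# from the page; the browser list and child-shell list are assumptions.
LINEAGE_RULES = [
    ("clickfix_browser_spawns_shell",
     {"chrome.exe", "msedge.exe", "firefox.exe"},
     {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}),
    ("wsus_service_spawns_shell",
     {"wsusservice.exe"},
     {"powershell.exe", "pwsh.exe", "cmd.exe"}),
]

# Command-line fragments that raise a lineage hit to critical (assumed list).
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "bypass")

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate_event(event):
    """Return [(rule, severity)] hits for one process-creation event dict."""
    parent, child = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    hits = []
    for rule, parents, children in LINEAGE_RULES:
        if parent in parents and child in children:
            severity = "critical" if any(a in cmd for a in SUSPICIOUS_ARGS) else "high"
            hits.append((rule, severity))
    return hits

def scan_events(lines):
    """Scan newline-delimited JSON events; malformed lines are skipped, not fatal."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        for rule, severity in evaluate_event(event):
            alerts.append({"rule": rule, "severity": severity,
                           "host": event.get("Computer"), "cmd": event.get("CommandLine")})
    return alerts

# Constructed sample events (Sysmon EID 1 style); the -enc blob is a placeholder.
SAMPLE_EVENTS = r"""
{"Computer": "WS01", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -w hidden -enc QQBBAEEA"}
{"Computer": "WSUS01", "ParentImage": "C:\\Program Files\\Update Services\\Service\\WsusService.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"Computer": "WS02", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File backup.ps1"}
not-json garbage line
""".strip().splitlines()
```

Running `scan_events(SAMPLE_EVENTS)` yields two alerts: the browser-spawned hidden encoded PowerShell (critical) and the WSUS service spawning cmd.exe (high); the explorer.exe launch and the garbage line produce nothing.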
Darkweb Threats and Underground Chatter
Ransomware Forums Consolidation & “Trinity of Chaos”
XSS, RAMP, Dread, and the emerging DarkForums host LockBit affiliate recruitment, credential dumps, and data-leak auctions. An alliance of ShinyHunters, LAPSUS$ and Scattered Spider has merged to run a shared "megaleak" site and combine SQLi, vishing, MFA fatigue, and insider tactics.
Telegram-first data marketplaces are spiking, and AI-driven phishing and malware kits are spreading.
CISO Takeaway
Deploy darkweb monitoring, verify vendor exposures, enforce credential hygiene and MFA, and watch for mentions of your suppliers and supply chain.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass
FireCompass is a single platform for AI-powered Continuous Automated Red Teaming (CART), penetration testing, and next-generation attack surface management.