Deep Trust, Deeper Threats: From Cache Smuggling to Firmware Rootkits
- SISA Weekly Threat Watch -

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide this week. These recurring, actionable threat advisories also provide information and recommendations to help security teams defend against the latest critical threats.
1. Human-Triggered, Stealth-Delivered Intrusions
Cybercriminals evolve social engineering into silent compromise paths, hiding payloads in caches, on-chain contracts, and “test” apps to sidestep controls.
FileFix Attack – Cache Smuggling in Fortinet VPN Lure
A Fortinet “Compliance Checker” lookalike tricks users into pasting a path that secretly includes a PowerShell command padded with spaces. It harvests a ZIP already smuggled into Chrome’s cache (no visible download) and runs a fake checker to drop infostealers (e.g., DeerStealer/Odyssey).
UNC5342 “EtherHiding” – Blockchain-Hosted Malware via Recruiter Lures
Developer “assessments” delivered over LinkedIn → Telegram/Discord pull JavaScript stages from Ethereum/BNB smart contracts (resilient, takedown-resistant dead-drops). Delivered payloads (BeaverTail, InvisibleFerret) steal creds and wallets across Windows/macOS/Linux.
BeaverTail + OtterCookie v5 – Converged Espionage Toolkit
Fake coding tests and booby-trapped npm packages install a unified stealer/RAT with keylogging, screenshots, clipboard theft, browser/wallet harvesting, and remote shell — a step up from prior split tooling.
2. SaaS & Supply-Chain Access Hijacking
Threat actors expand reach by abusing trusted integrations, OAuth tokens, and vendor environments.
Salesloft/Drift OAuth Abuse (UNC6395)
Stolen OAuth tokens let the actor query Salesforce and (in limited cases) Google Workspace to siphon contacts, cases, and embedded secrets — no platform exploit required.
F5 Development Breach – Source Code & Zero-Day Intelligence
A year-long intrusion into F5’s build environment leaked BIG-IP source and undisclosed vulnerability data, raising downstream exploit risk and prompting emergency patch directives.
3. Below-the-OS Persistence: Firmware & Network Control Plane
Adversaries target layers traditional EDR barely sees — UEFI and switch OS processes — to persist and evade.
Operation Zero Disco – Cisco SNMP RCE to In-Memory Rootkits
Exploitation of a Cisco SNMP flaw leads to fileless hooks inside IOSd, a stealth “universal” password containing “disco,” hidden config changes, and log tampering across Catalyst gear; legacy Telnet bugs were probed alongside.
Framework Secure Boot Bypass – Signed UEFI Shell Exposure
Signed UEFI shells shipped with an mm memory edit command that can disable Secure Boot, enabling durable bootkits (e.g., BlackLotus) and reinstall-proof persistence.
4. Industrial-Scale IoT Exploitation & DDoS Platforms
Botnet crews automate multi-vendor device takeovers to swell DDoS muscle and gain footholds at the edge.
RondoDox Botnet – Loader-as-a-Service Across 30+ Vendors
Automated exploitation of 50+ flaws (many old, some unassigned) in routers, DVRs, NVRs, and other IoT devices folds them into a service that drops Mirai/Morte for HTTP/UDP/TCP DDoS and further spread.
Proactive Steps for the Week
Patch Immediately: Apply updates for Cisco (CVE-2025-20352), Framework firmware, and F5 products.
Restrict Execution: Block PowerShell from File Explorer and disable untrusted browser caching.
Segment and Harden: Isolate IoT, admin, and development networks; restrict access to management interfaces.
Secure the Supply Chain: Validate npm dependencies, review OAuth token scopes, and monitor build pipelines.
Enhance Human Defense: Conduct phishing and recruiter-lure simulations, emphasize command-copying risks, and require secondary verification for any code or credential actions.
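As an added example (not SISA's content nor any vendor's detection rule), the following Python scores process-creation events for the FileFix chain described in section 1 and for the "Restrict Execution" step above: PowerShell spawned by File Explorer, a long whitespace run hiding the real command behind a decoy path, and a reference to Chrome's cache. The field names (Sysmon Event ID 1 style) and the sample events are constructed assumptions.

```python
import re

# Constructed heuristics for the FileFix chain (illustrative, not SISA content).
POWERSHELL_RE = re.compile(r"(^|\\)(powershell|pwsh)(\.exe)?$", re.IGNORECASE)
PADDING_RE = re.compile(r"\S\s{20,}\S")  # command hidden behind a long run of spaces
CHROME_CACHE_RE = re.compile(r"google\\chrome\\user data\\[^\\]+\\cache", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"Expand-Archive|\.zip\b", re.IGNORECASE)

def filefix_indicators(event):
    """Return the indicator names that fire for one process-creation event
    (dict with Sysmon Event ID 1 style fields: parent_image, image, command_line)."""
    hits = []
    if not POWERSHELL_RE.search(event["image"]):
        return hits                                     # only PowerShell launches matter here
    if event["parent_image"].lower().endswith("\\explorer.exe"):
        hits.append("powershell_spawned_by_explorer")   # address-bar paste lands here
    cmd = event["command_line"]
    if PADDING_RE.search(cmd):
        hits.append("whitespace_padded_command")        # decoy path pushed out of view
    if CHROME_CACHE_RE.search(cmd):
        hits.append("reads_chrome_cache")               # stage pulled from the browser cache
    if ARCHIVE_RE.search(cmd):
        hits.append("archive_extraction")
    return hits

def triage(events, threshold=2):
    """Return (index, indicators) for events with at least `threshold` indicators.
    A lone explorer->powershell launch is common for users with PS shortcuts, so the
    threshold avoids alerting on that alone."""
    flagged = []
    for i, event in enumerate(events):
        hits = filefix_indicators(event)
        if len(hits) >= threshold:
            flagged.append((i, hits))
    return flagged

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # FileFix-style: Explorer launched PowerShell; the decoy path trails 200 spaces
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": (r'powershell.exe -w hidden -c "<stage elided: reads '
                         r'%LOCALAPPDATA%\Google\Chrome\User Data\Default\Cache, Expand-Archive>"'
                         + " " * 200 + r"C:\Users\j.doe\Downloads\Compliance_Checker.pdf")},
    {   # benign admin use: PowerShell from cmd.exe running a plain script
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]
```

Feed real process-creation telemetry into `triage` and tune the whitespace length and threshold to your environment's baseline of explorer-launched PowerShell.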