Supply Chain, Firmware, and Fileless Attacks Erode Digital Trust

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Systemic Supply Chain Attacks Poison Critical Infrastructure

The software supply chain remains under intense assault, with attackers moving beyond compromising single packages to hijacking the accounts of maintainers responsible for foundational libraries used by millions.

• npm Ecosystem Compromise: In a massive operation, attackers used a phishing campaign to hijack the account of a prominent maintainer (qix), poisoning 18 critical npm packages with billions of weekly downloads (including chalk, debug, ansi-styles). The malicious code specifically targeted web applications, hijacking browser APIs to silently redirect cryptocurrency transactions to attacker-controlled wallets, demonstrating a highly sophisticated and financially motivated payload.
• SVG Phishing Campaigns: Attackers are increasingly abusing the SVG file format to hide malicious JavaScript that renders fake login portals. A campaign impersonating Colombia’s judicial system used this technique to deliver password-protected archives containing malware, evading traditional detection until uncovered by AI-powered analysis.

2. Firmware and Bootkit Threats Target System Integrity

Attackers are moving higher up the stack, and deeper into the system, by targeting the firmware and boot processes that are the bedrock of device security, rendering traditional OS-level defenses ineffective.

• HybridPetya UEFI Bootkit Ransomware: This new strain combines the destructive MFT encryption of historical Petya ransomware with a UEFI bootkit that exploits a patched vulnerability (CVE-2024-7344) to bypass Secure Boot. It installs a malicious EFI application that displays a fake CHKDSK screen while encrypting the disk, demonstrating a dangerous evolution towards low-level, persistent ransomware.
• Docker API Exploitation for Botnet Building: A campaign targeting exposed Docker APIs (port 2375) has evolved from simple cryptomining to building a sophisticated botnet. The malware now establishes persistence, blocks competing access, and autonomously scans for and infects other vulnerable Docker hosts, laying the groundwork for large-scale, resilient botnet infrastructure.

3. Critical Vulnerability Patching and Protocol Hardening

The continuous discovery of critical vulnerabilities necessitates urgent patching and fundamental changes to protocol configurations to mitigate widespread exploitation risks.

• Microsoft Patch Tuesday: The September release addressed 81 vulnerabilities, including two publicly disclosed zero-days: CVE-2025-55234 in Windows SMB Server (allowing relay attacks) and CVE-2024-21907 in Newtonsoft.Json via SQL Server (causing Denial of Service). These flaws highlight risks in core Windows services and third-party components bundled with enterprise software.

Proactive Steps for the Week

Emergency Supply Chain Review:

• npm Audits: Immediately audit all projects for the listed malicious npm package versions. Use npm ls and inspect lockfiles. Rebuild and redeploy any application that pulled dependencies during the exposure window (Sep 8, 2025, 09:00–11:30 ET / 13:00–15:30 UTC / 18:30–21:00 IST).
• Dependency Hardening: Enforce strict lockfiles (package-lock.json), use npm ci in CI/CD pipelines, and consider hosting a private, vetted npm proxy to delay and scan new package versions.

Secure Boot and Firmware Integrity:

• Validate Secure Boot: Ensure UEFI Secure Boot is enabled on all endpoints. Apply firmware updates that mitigate CVE-2024-7344.
• Harden Docker APIs: Immediately ensure Docker API ports (2375, 2376) are not exposed to the internet. Enforce authentication and implement network segmentation for container management networks.

Hunt for Fileless and Cross-Platform Threats:

• Monitor for DLL Sideloading: Use EDR tools to detect legitimate executables (e.g., for macOS, Windows) loading DLLs from unusual paths.
• Detect gRPC C2: Monitor outbound network traffic for gRPC connections to unknown external endpoints, which could indicate EggStreme or similar C2 activity.
• Expand OS Coverage: Ensure security monitoring and endpoint detection capabilities are equally robust across Windows, Linux, and macOS environments.

Prioritize Critical Patching and Protocol Hardening:

• Apply Microsoft Patches: Urgently deploy the September 2025 Patch Tuesday updates, prioritizing systems affected by the SMB and SQL Server zero-days (CVE-2025-55234, CVE-2024-21907).
• Harden SMB: Enable SMB signing and Extended Protection for Authentication (EPA) on servers, using Microsoft’s new auditing features to test compatibility before full enforcement.

Enhance Email and File Security:

• Block Malicious SVGs: Implement content filtering at email and web gateways to quarantine SVG files from untrusted sources. Educate users on this novel phishing vector.

Strengthen Identity and Access Management:

• Hardware 2FA for Developers: Enforce FIDO2/WebAuthn hardware security keys for all developer accounts on platforms like npm, GitHub, and PyPI to prevent account takeover via phishing.