Trust Erodes as Attackers Weaponize the Very Systems Designed for Security

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. The Assault on Trusted Access & Management Platforms

This trend involves the direct targeting of the critical infrastructure used to manage and access enterprise networks, exploiting the privileged position these systems hold.

• Critical Vulnerabilities in Management Consoles: The critical RCE flaw in Cisco’s Firepower Management Center (CVE-2025-20265) is a prime example, allowing unauthenticated attackers to seize control of the device that manages an entire security ecosystem.
• Enterprise Application Exploits for Lateral Movement: Attacks exploiting SharePoint vulnerabilities (CVE-2025-49704/49706) demonstrate how trusted internal collaboration platforms can be used as a springboard to deploy ransomware like LockBit and establish persistent backdoors.
• Cloud CRM Manipulation: The vishing campaigns against Salesforce users highlight how trusted Customer Relationship Management platforms, when compromised, become a goldmine for credential theft and massive data exfiltration using the platform’s own tools like Data Loader.

2. The Weaponization of Trusted Tools and Services

Attackers are increasingly bypassing advanced security controls by hiding malicious activity within legitimate, whitelisted services that are essential for business operations.

• Abuse of IT Support Tools: Ransomware groups like Chaos RaaS abuse Microsoft Quick Assist and other Remote Monitoring and Management (RMM) tools to gain initial access, mirroring legitimate IT support activities to avoid detection.
• Subversion of Email Security: The exploitation of link-wrapping services from Proofpoint and Intermedia shows how even email security gateways can be manipulated to give malicious links a veneer of legitimacy, bypassing user caution.
• Supply Chain Typosquatting: Attacks against developers via typosquatted PyPI domains (pypj[.]org) harvest credentials while seamlessly proxying users to the real site, making the theft virtually undetectable to the victim.

3. The Rise of Stealthy Linux & Cloud-Centric Attacks

A significant shift towards targeting Linux-based cloud and AI infrastructure is underway, using highly evasive techniques that traditional defenses are poorly equipped to handle.

• Container Escape & Host Takeover: The exploitation of the NVIDIA Container Toolkit flaw (CVE-2025-23266) allows attackers to break out of isolated container environments and compromise the entire host, directly threatening AI and GPU-accelerated workloads.
• Fileless Linux Backdoors: The DripDropper malware campaign uniquely patches the very Apache ActiveMQ vulnerability it exploited to prevent rival hackers, ensuring persistent, covert access via Dropbox C2 channels.
• Persistence Through Core Systems: The Plague PAM backdoor embeds within the Linux authentication modules themselves, ensuring it survives system updates and provides attackers with persistent SSH access.

4. Advanced Social Engineering & Human Manipulation

When technical controls are robust, attackers pivot to exploiting human psychology, designing lures that leverage urgency, curiosity, and familiarity.

• The “ClickFix” Technique: The CORNFLAKE.V3 campaign deceives users into pasting malicious PowerShell commands themselves under the guise of solving a CAPTCHA, completely bypassing automated security by making the user the unwitting executor.
• Vishing for Credentials: Multiple campaigns, including those by ShinyHunters and Crypto24, use phone-based vishing to trick employees into divulging credentials and MFA codes, exploiting trust in verbal communication.
• Linux Desktop File Masquerade: APT36’s attacks using .desktop files disguised as PDFs exploit user familiarity with document icons and file extensions, tricking them into executing code that deploys a powerful Go-based backdoor.

Proactive steps for the week 

1. Patch Immediately: Update Cisco FMC, Apple devices, NVIDIA tools, and any outdated software.
2. Isolate Critical Systems: Segment key networks like AI workloads and management consoles.
3. Enforce Strong MFA: Require phishing-resistant multi-factor authentication on all critical accounts.
4. Block High-Risk Files: Disable SVG scripts in emails and block unauthorized RMM tools.
5. Train Your Team: Alert users to new “ClickFix” and vishing scams.
6. Monitor Key Activity: Watch for abuse of legitimate tools and unusual cloud service connections.