Cybersecurity

Joint Cybersecurity Advisory – Protecting Against Malicious Use of Remote Monitoring and Management Software

Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) published a joint Cybersecurity Advisory (CSA) to warn network defenders about threat actors exploiting legitimate remote monitoring and management (RMM) software to conduct malicious activity.

Cyber Resilience – European Union Agency for Cybersecurity Releases Tool for Cybersecurity Awareness Campaigns

The European Union Agency for Cybersecurity (ENISA) has released a new resource called AR-in-a-Box (Awareness Raising in a Box). AR-in-a-Box is described as “a comprehensive solution for cybersecurity awareness activities designed to meet the needs of public bodies, operators of essential services, and both large and small private companies.” The collection includes multiple guidelines and instructions covering the different aspects an organization needs to be aware of when organizing a cybersecurity awareness campaign, as well as an awareness quiz and game for use by employees.

Threat Awareness – New USB Malware Variant Utilizes Novel Method of Obfuscation

Palo Alto Networks published a blog discussing research by its Unit 42 into a newly discovered variant of PlugX malware. This variant has a few unique capabilities, including the ability to hide itself within a USB device using a novel technique that’s effective on the current Windows OS and that can only be detected using specialized forensic tools. It then copies all Adobe PDF and Microsoft Word files from the attached machine and spreads to any other removable drives (e.g., floppy, thumb, or flash) connected to the system.

CISA ICS Vulnerability Advisories and Alerts, Updates, and Bulletins - January 24, 2023

The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS vulnerability advisories, as well as alerts, updates, and bulletins:

ICS Vulnerability Advisories:

Alerts, Updates, and Bulletins:

Threat Awareness – Actors Using DocuSign Theme with a Malicious Blank Image File

Avanan posted a blog covering its research into what it is calling the “Blank Image Attack,” a newly observed technique where attackers place an empty image file within an HTML file. In the wild, Avanan researchers observed the following steps to the attack. First, the victim is prompted to download an HTML file attached to a spoofed DocuSign lure. This file consists only of a blank SVG image that contains code which automatically redirects the victim to a malicious website, giving the victim the impression that nothing happened.

Threat Awareness – Microsoft’s Default Blocking of Macros Creates Threat Actor Shift to LNK Files

Cisco Talos posted a blog covering its research into threat actor activity in the aftermath of Microsoft’s July 2022 action of blocking all VBA macros by default in documents downloaded from the internet. This action mitigated a common technique frequently used by attackers to gain access to networks and devices.

Cyber Preparedness – CISA Updates Best Practices for Mapping to MITRE ATT&CK®

On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) updated its Best Practices Guide for MITRE ATT&CK® Mapping. CISA uses ATT&CK as a lens through which to identify and analyze adversary behavior. ATT&CK provides details on 100-plus threat actor groups, including the techniques and software they are known to use.
