CCTR.42.OCT.25

Monday morning cyber coffee read CCTR.42.OCT.25
Velociraptor is a legitimate endpoint monitoring tool used by security and DFIR teams. Cisco Talos has confirmed that Storm-2603, a suspected China-based threat actor, is leveraging Velociraptor as part of active ransomware operations. Sophos also reported threat actors using Velociraptor as a command-and-control (C2) channel in August, likely by the same group. Attackers installed an outdated version of Velociraptor (v0.73.4.0) and exploited CVE-2025-6264 to gain elevated privileges, then used it as a C2 channel. This is an example of “dual-use tool abuse,” where legitimate security tools are weaponised by attackers.
Cisco https://blog.talosintelligence.com/velociraptor-leveraged-in-ransomware-attacks/
A fire at the National Information Resources Service (NIRS) data centre in South Korea destroyed the government’s central cloud storage system, wiping out years of civil-service work and exposing critical flaws in its backup design. The platform lacked any external backup capability due to its large-capacity, low-performance storage architecture, resulting in a total loss of user-stored data. This incident is a good reminder that data redundancy is not optional: every system must be designed to withstand both logical failures and physical disasters.

When was the last time you tested a data centre fire scenario or total cloud data loss during your tabletop exercise?
Wiz has disclosed a critical Remote Code Execution (RCE) vulnerability, CVE-2025-49844 (CVSS 10.0), dubbed “RediShell”, in Redis, a widely used in-memory data store that powers caching, session management and messaging across cloud environments. Successful exploitation permits full system compromise, allowing attackers to steal, encrypt or wipe data, hijack resources and move laterally within cloud environments.
Because Redis is often deployed in trusted internal networks or containerised environments, lateral movement following exploitation could compromise entire clusters or connected systems.

If Redis powers your workloads, patch immediately, lock down exposure and test your incident response plan for critical component compromises.
https://www.wiz.io/blog/wiz-research-redis-rce-cve-2025-49844