CCTR.45.NOV.25

Monday morning cyber coffee read CCTR.45.NOV.25

According to Cisco Talos IR’s Q3 2025 trends, threat actors increasingly exploited public-facing applications for initial access, making up over 60 percent of incidents, up from 10 percent last quarter, largely due to ToolShell attacks on on-prem Microsoft SharePoint.

Post-exploitation phishing using compromised valid accounts also rose, enabling lateral spread across organisations and partners.

Ransomware cases declined to 20 percent of incidents, though new variants Warlock, Babuk, and Kraken appeared alongside recurring families Qilin and LockBit.

  • Strengthen MFA policies and implement detections for MFA abuse (i.e. impossible travel or concurrent logins).

  • Centralise and monitor logs across identity, endpoint and network layers to identify abnormal access patterns.

  • Apply timely patches to all public-facing systems to mitigate exploitation of known vulnerabilities. Purple team these TTPs to test and validate detection, response and hardening controls.

https://blog.talosintelligence.com/ir-trends-q3-2025/
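As an added example (not code from the Talos report or this newsletter), the two MFA-abuse detections the first bullet names, run over constructed authentication log lines; the GeoIP coordinates, the 900 km/h speed limit and the 15-minute concurrency window are assumed values.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed geolocation table (stands in for a GeoIP lookup; not real data).
GEO = {
    "203.0.113.10": (-33.87, 151.21),   # Sydney
    "198.51.100.7": (51.51, -0.13),     # London
    "192.0.2.44":   (-33.86, 151.20),   # Sydney (nearby office)
}
# Constructed sample log lines: timestamp, user, source IP, MFA result.
SAMPLE_LOG = """\
2025-11-03T08:00:00Z alice 203.0.113.10 mfa=success
2025-11-03T08:45:00Z alice 198.51.100.7 mfa=success
2025-11-03T09:00:00Z bob 192.0.2.44 mfa=success
2025-11-03T09:10:00Z bob 203.0.113.10 mfa=success
"""
MAX_SPEED_KMH = 900.0          # faster than an airliner is treated as impossible (assumed)
CONCURRENT_WINDOW_S = 15 * 60  # two IPs within 15 minutes counts as concurrent (assumed)

def haversine_km(a, b):
    # Great-circle distance in km between two (lat, lon) points.
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def parse(log):
    # Group successful MFA logins per user as (timestamp, ip).
    events = defaultdict(list)
    for line in log.splitlines():
        ts, user, ip, mfa = line.split()
        if mfa == "mfa=success":
            events[user].append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip))
    return events

def detect(log):
    # Returns alerts as (user, kind, earlier_ip, later_ip, detail).
    alerts = []
    for user, evs in parse(log).items():
        evs.sort()
        for (t1, ip1), (t2, ip2) in zip(evs, evs[1:]):
            if ip1 == ip2:
                continue                      # same source, nothing to compare
            secs = (t2 - t1).total_seconds()
            km = haversine_km(GEO[ip1], GEO[ip2])
            speed = km / (secs / 3600) if secs > 0 else float("inf")
            if speed > MAX_SPEED_KMH:         # implied travel speed is not physically possible
                alerts.append((user, "impossible_travel", ip1, ip2, round(speed)))
            elif secs <= CONCURRENT_WINDOW_S:  # plausible distance, but two IPs active at once
                alerts.append((user, "concurrent_login", ip1, ip2, int(secs)))
    return alerts
```

Running `detect(SAMPLE_LOG)` flags alice for impossible travel (Sydney to London in 45 minutes) and bob for concurrent logins from two nearby addresses.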

Under Home Affairs’ new directive, all non-corporate Commonwealth agencies must remove or justify any software deemed an “unacceptable security risk” under the Commonwealth Technology Standard deny list. This is a move to establish a unified, centralised risk-sharing framework across government. From February 2026, agencies will also be required to share their software risk assessments with Home Affairs to strengthen assurance and streamline approvals.

https://www.themandarin.com.au/301874-home-affairs-checks-agency-cyber-homework/

Some groundbreaking research by Dreadnode demonstrates that autonomous, C2-less malware is now technically feasible. By leveraging local NPUs (Copilot+ PCs) or bundled AI models, attackers can enable malware to “live off the land” whilst executing and adapting without a central command server. This approach introduces the possibility of mesh-style, peer-to-peer agents capable of independent coordination.

Keep doing what you’re doing. Patch, Harden, Hunt and Monitor.

https://dreadnode.io/blog/lolmil-living-off-the-land-models-and-inference-libraries
