Monday morning cyber coffee read CCTR.52.DEC.25
Cisco Talos is tracking active exploitation of Cisco AsyncOS by a China-nexus threat actor, affecting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances since at least late November. The activity allows attackers to execute system-level commands and deploy a persistent Python-based backdoor known as AquaShell, creating an ongoing risk of unauthorised access and long-term compromise.
Compromise of these platforms provides attackers with high-privilege access to email and web security systems.
Limit administrative access to trusted networks only, enforce strong authentication and review privileged account usage.
Assume logs may have been tampered with. Correlate appliance logs with network, identity and EDR telemetry where available.
https://blog.talosintelligence.com/uat-9686/
Amazon Threat Intelligence has identified a long-running Russian state-sponsored campaign active from 2021 to 2025 targeting global critical infrastructure. Over time, the threat actors shifted away from heavy reliance on zero-day and N-day exploitation towards abusing misconfigured network edge devices as their primary initial access vector.
Campaign evolution (2021–2025)
2021–2022: WatchGuard exploitation (CVE-2022-26318) and early targeting of misconfigured edge devices
2022–2023: Confluence exploitation (CVE-2021-26084, CVE-2023-22518) alongside continued misconfiguration abuse
2024: Veeam exploitation (CVE-2023-27532) with ongoing edge device targeting
2025: Sustained focus on misconfigured network edge devices and reduced vulnerability exploitation
Harden network edge devices and monitor edge telemetry
Assume persistence risk and Purple Team!
Microsoft 365 phishing and MFA bypass are not new, but Proofpoint has identified an evolving campaign where threat actors abuse OAuth device codes to gain access. Users are socially engineered via emails, links, or QR codes to enter a device code on Microsoft’s legitimate verification page, unknowingly authorising a malicious application. This results in account takeover, data access, and persistent access via OAuth tokens, while bypassing traditional phishing and MFA defences.
Regularly audit enterprise applications and remove unknown, unused, or overly permissive OAuth app registrations.
Train users that Microsoft will not send unsolicited device codes or ask them to enter codes from emails or messages.
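As an added example (not code from Proofpoint or from this newsletter), the Python below flags successful device code sign-ins in Microsoft Entra sign-in logs that fall outside an assumed organisational baseline. The sign-in records, the expected-country set and the app allowlist are constructed for illustration; field names are assumed to match the Entra sign-in log schema.

```python
import json

# Constructed Entra sign-in records for this example; every value is invented.
SAMPLE_SIGNINS_JSON = """
[
 {"createdDateTime": "2025-12-01T08:02:11Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode",
  "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}},
 {"createdDateTime": "2025-12-01T09:15:40Z", "userPrincipalName": "bob@example.com",
  "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
  "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
 {"createdDateTime": "2025-12-01T09:16:02Z", "userPrincipalName": "bob@example.com",
  "appDisplayName": "Microsoft Office", "authenticationProtocol": "authorizationCodeFlow",
  "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}},
 {"createdDateTime": "2025-12-01T10:40:19Z", "userPrincipalName": "carol@example.com",
  "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode",
  "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 50126}}
]
"""

# Assumed baseline: countries staff normally sign in from, and the only apps for
# which device code sign-ins are expected (e.g. admin CLIs on headless hosts).
EXPECTED_COUNTRIES = {"GB"}
DEVICE_CODE_ALLOWED_APPS = {"Microsoft Azure CLI"}


def load_signins(text=SAMPLE_SIGNINS_JSON):
    return json.loads(text)


def find_suspicious_device_code_signins(records, expected_countries=EXPECTED_COUNTRIES,
                                        allowed_apps=DEVICE_CODE_ALLOWED_APPS):
    """Return successful device code sign-ins that break the baseline, with reasons.

    Only completed sign-ins (errorCode 0) are reported: a failed device code
    attempt never issued tokens, so it is noise for account-takeover triage.
    """
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue
        reasons = []
        if r.get("appDisplayName") not in allowed_apps:
            reasons.append("device code flow to app not on allowlist")
        if r.get("location", {}).get("countryOrRegion") not in expected_countries:
            reasons.append("sign-in from unexpected country")
        if reasons:
            hits.append({"time": r["createdDateTime"], "user": r["userPrincipalName"],
                         "app": r.get("appDisplayName"), "ip": r.get("ipAddress"),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in find_suspicious_device_code_signins(load_signins()):
        print(h["time"], h["user"], h["app"], h["ip"], "; ".join(h["reasons"]))
```

Each hit carries the reasons it fired so an analyst can tell a travelling admin using an allowed CLI from a user who entered a code from an email into a consumer app.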