Sunday Edition — 2025‑10‑19

Security roundup detailing F5 compromise, Patch Tuesday Windows EoPs, GoAnywhere MFT exploit, KEV updates, and practical mitigations

F5 breached, Patch Tuesday fallout, KEV escalations, exploited MFT, AI‑browser OAuth worries — and a CTI memo reminding you to fix the basics.

Intro
KryptoKat: Long week. A nation‑state stole BIG‑IP source code and vuln intel, CISA issued an Emergency Directive, and the usual Patch Tuesday pile‑on produced two Windows EoPs already exploited in the wild. This edition pulls those threads together, gives you prioritized actions, and lays out hunt ideas you can hand to your SOC.
UncleSp1d3r: Also: GoAnywhere MFT is actively being used to land ransomware, Talos shipped IDS rules for Patch Tuesday, and vendor/OTX community pulses are noisy. Read this, make a plan, sleep if you can.

Top stories — what you need to know (and do)

1) F5: nation‑state compromise — CISA ED 26‑01 makes it an operational emergency

What happened

  • F5 confirmed long‑term, unauthorized access and exfiltration of BIG‑IP source code and undisclosed vuln intel. CISA issued Emergency Directive ED 26‑01 (2025‑10‑16 ET) ordering rapid inventory, management‑plane lockdowns, accelerated patching and decommissioning or isolation of EOS devices. See CISA ED 26‑01 (link under Useful reading) and Sophos’ write‑up.

Impact and plain English takeaway

  • Stolen source code + vuln notes = attackers get an express lane to reliable exploits. Management APIs, certificates, SSH keys, and any internet‑exposed admin endpoints are high‑risk now. If you run any BIG‑IP family product, treat management plane compromise as a live threat.

Immediate actions (prioritized)

  1. Inventory all F5 assets (TMOS/F5OS, VE, BIG‑IQ, BIG‑IP Next, BNK/CNF, iSeries/rSeries) and assign owners. No fuzzy lists.
  2. Take every F5 management interface off the internet — place them behind dedicated admin networks, VPN/jump hosts, and IP allowlists (per CISA/BOD guidance).
  3. Follow CISA timelines: apply vendor updates as released; CISA’s directive demands prompt application and verification of patches and images (validate checksums/signatures for CNF/BNK images).
  4. Rotate credentials, API tokens, SSH keys, and device certificates where feasible.
  5. Hunt: review iControl REST/API logs, new/unknown admin accounts, unexpected config pushes, and unusual egress from F5 devices.

Hunt starters (concrete)

  • Alert on iControl REST calls from unexpected source IPs or non‑standard UAs.
  • Correlate change‑management logs with device config diffs and AAA events; flag changes outside maintenance windows.
  • Look for bulk cert/token operations and unexpected TLS sessions from management IPs.

Why you can’t wait

  • Public IOCs are sparse; attackers with source code knowledge can weaponize vulnerabilities before vendors or defenders have signatures. Isolation and secrets rotation are your best early defenses.

2) Patch Tuesday Oct 2025 & CISA KEV: two Windows EoPs are already live in the wild

What happened

  • Microsoft’s Oct 2025 cycle fixed a large set of issues. Two Windows elevation‑of‑privilege bugs — CVE‑2025‑24990 (Agere modem driver) and CVE‑2025‑59230 (RasMan) — are confirmed exploited in the wild. High‑impact RCEs include WSUS unauth deserialization (CVE‑2025‑59287) and Office Preview Pane RCEs (CVE‑2025‑59227/59234/59236). See the MSRC October release notes and the ZDI review (links under Useful reading).

CISA KEV changes

  • CISA added five actively exploited CVEs to the Known‑Exploited Vulnerabilities (KEV) catalog, including the two Windows EoPs and issues affecting Rapid7 Velociraptor, IGEL OS, and SKYSEA Client View. See the CISA KEV alert.

Immediate priorities

  • Patch CVE‑2025‑24990 and CVE‑2025‑59230 on all Windows rings, beginning with Tier‑0 and internet‑facing hosts.
  • WSUS: patch CVE‑2025‑59287 on WSUS servers; restrict WSUS access to trusted admin networks and enforce TLS/code‑signing hygiene.
  • Office endpoints: block Preview Pane for untrusted mail sources, enforce macro restrictions, and enable ASR rules to block Office→script interpreter chains.

Detection & mitigation notes

  • Use Talos Snort rules (see next section) while patches roll out. Hunt for LSASS access attempts, unexpected services/tasks, and suspicious Office child processes.

Why this matters

  • These are the sorts of bugs attackers chain: initial access or phishing → EoP → lateral movement. Prioritize the KEV entries immediately.

3) Fortra GoAnywhere MFT — CVE‑2025‑10035 actively exploited (ransomware linkage)

What happened

  • Fortra confirmed a pre‑auth deserialization RCE in GoAnywhere MFT (CVE‑2025‑10035). Exploitation observed since at least 2025‑09‑11; Microsoft TI attributes activity to Storm‑1175 and Medusa ransomware families. Fortra published hotfixes and fixed builds (e.g., 7.6.3, 7.8.4). CISA added it to KEV. Sources: Fortra PSIRT advisory FI‑2025‑012 (link under Useful reading), Rapid7, Microsoft TI, and watchTowr analysis.

Impact & immediate steps

  • Internet‑exposed Admin Console instances are being actively targeted — patch immediately to fixed builds or apply vendor hotfixes.
  • Remove Admin Console from public exposure; restrict to VPN/jump hosts and strict IP allowlists; place behind WAF.
  • Hunt for webshells, unusual transfers, new files in webroot, suspicious child processes, and rotated credentials. Rotate keys and secrets used in MFT workflows.

Plain takeaway

  • If you run GoAnywhere and your Admin Console is reachable from the internet: assume compromise until proven otherwise. Patch and isolate now.

4) Detection tooling — Talos shipped Snort rules for Patch Tuesday

What changed

  • Cisco Talos published Snort detection SIDs tied to the Oct 2025 Patch Tuesday set and called out three CVEs already exploited in the wild (CVE‑2025‑24990, CVE‑2025‑59230, CVE‑2025‑47827) and WSUS/Office RCEs. Talos SIDs include Snort 2: 65391–65410, 64420–65422 and Snort 3: 301325–301334. See Talos blog for rule guidance.

Action for network defenders

  • Deploy Talos Snort/Suricata/IDS rules immediately if you run signature‑based detection; keep rule updates current while patching proceeds.
  • Correlate alerts from IDS with endpoint events (LSASS access, unexpected drivers) and management‑plane telemetry (F5 iControl REST anomalies).

Why this matters

  • Signatures won’t stop zero‑day chains, but they detect noise and early exploitation attempts while you patch.

5) Oracle EBS & Sitecore — community IOCs, patch and validate before enforcement

Status

  • Oracle EBS BI Publisher integration (CVE‑2025‑61882) and Sitecore (CVE‑2025‑53690) are confirmed exploitable; vendors published advisories and fixes. Community OTX pulses reportedly list IPs/hashes for these CVEs, but specific pulses were not verifiable in every telemetry pull. If you run these apps, treat the vulnerabilities as urgent.

Actionables

  • Patch Oracle EBS/Sitecore immediately.
  • Harden management/BI endpoints behind WAF/reverse proxy and allowlists.
  • When ingesting OTX indicators: pull the exact pulse IDs, validate them against your logs before blocking, and avoid wholesale, unverified blacklists.

6) OTX/AdaptixC2 and indicator hygiene — use as leads, validate locally

What we saw

  • Community pulses (OTX) claim AdaptixC2 indicators and other exploit indicators for October CVEs. Retrieval is often gated and community quality varies. We could not fully validate specific pulses in this run.

How to treat community IOCs

  • Treat OTX pulses as investigative leads. Pull the pulse, validate against your telemetry, and only promote high‑confidence matches to enforcement lists. False positives from community feeds burn time and trust.
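The “leads, not enforcement” workflow above, as an added example (not code from the newsletter or from OTX): structurally useless indicators are rejected first, the rest are searched in local telemetry, and only indicators with local matches are promoted. The pulse id, the indicators, the benign‑domain list and the telemetry lines are all constructed; the pulse structure only loosely resembles an OTX pulse and is not the real API schema.

```python
"""Indicator hygiene: validate a community pulse before enforcing anything.

Step 1 rejects indicators that are structurally useless for blocking
(non-routable IPs, domains on a local benign list, malformed hashes).
Step 2 searches the surviving indicators in local telemetry: matched
indicators are promoted (and become incidents to investigate); unmatched
ones stay hunt leads. Everything below is constructed sample data.
"""
import ipaddress
import re

# RFC 1918, loopback, link-local, "this network" and multicast: never block these.
# RFC 5737 documentation ranges (203.0.113.0/24 etc.) are deliberately NOT listed,
# because they stand in for external addresses in the constructed samples.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4",
)]
BENIGN_DOMAINS = {"example.com"}  # assumption: locally maintained never-block list
HASH_RE = {"FileHash-SHA256": re.compile(r"^[0-9a-f]{64}$")}

PULSE = {
    "id": "PULSE-ID-PLACEHOLDER",  # placeholder, not a real OTX pulse id
    "indicators": [
        {"type": "IPv4", "value": "203.0.113.9"},
        {"type": "IPv4", "value": "10.0.0.5"},            # private range: useless for blocking
        {"type": "domain", "value": "update.example.net"},
        {"type": "domain", "value": "cdn.example.com"},    # on the local benign list
        {"type": "domain", "value": "stage.example.org"},  # plausible, but unseen locally
        {"type": "FileHash-SHA256", "value": "deadbeef"},  # malformed hash
        {"type": "FileHash-SHA256", "value": "a" * 64},
    ],
}

# Constructed firewall / proxy / EDR lines standing in for local telemetry.
TELEMETRY = [
    "2025-10-17T11:02:05Z fw deny src=203.0.113.9 dst=192.0.2.10 dport=443",
    "2025-10-17T11:02:40Z proxy allow user=alice url=https://update.example.net/agent.bin",
    "2025-10-17T11:03:01Z edr file_create path=/tmp/agent.bin sha256=" + "a" * 64,
    "2025-10-18T08:15:22Z fw deny src=203.0.113.9 dst=192.0.2.10 dport=443",
]


def validate(ind):
    """Return 'ok' or a rejection reason for one indicator."""
    kind, value = ind["type"], ind["value"].strip().lower()
    if kind == "IPv4":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return "malformed"
        return "non-routable" if any(addr in net for net in NON_ROUTABLE) else "ok"
    if kind == "domain":
        if value in BENIGN_DOMAINS or any(value.endswith("." + d) for d in BENIGN_DOMAINS):
            return "benign-domain"
        return "ok"
    if kind in HASH_RE:
        return "ok" if HASH_RE[kind].match(value) else "malformed"
    return "unsupported-type"


def triage(pulse, telemetry, min_hits=1):
    """Split a pulse into rejected / promote / leads based on local evidence."""
    out = {"rejected": [], "promote": [], "leads": []}
    for ind in pulse["indicators"]:
        status = validate(ind)
        if status != "ok":
            out["rejected"].append((ind["value"], status))
            continue
        needle = ind["value"].strip().lower()
        # Substring match keeps the example short; a real pipeline matches parsed fields.
        hits = sum(1 for line in telemetry if needle in line.lower())
        if hits >= min_hits:
            out["promote"].append((ind["value"], hits))
        else:
            out["leads"].append(ind["value"])
    return out


if __name__ == "__main__":
    result = triage(PULSE, TELEMETRY)
    for bucket, items in result.items():
        print(bucket, items)
```

A promoted indicator is evidence that something in your environment already touched it, so it is an investigation, not just a blocklist entry; the leads bucket is what you hand to the hunt team, and the rejected bucket is what would have burned time and trust had it been auto‑enforced.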

7) AI‑browser OAuth worries — SquareX claims, limited primary evidence

What was claimed

  • Vendor‑linked SquareX reporting (press/coverages) claims some AI‑enabled browsers/assistant extensions can be manipulated to start OAuth consent flows and exfiltrate tokens. Primary PoC material was limited in our pulls.

Practical steps you can implement now

  • Require admin consent for risky OAuth scopes and verified publishers in IdPs (Entra/Google/Okta).
  • Monitor grants and token usage (new IP/UA/geo). Revoke suspicious app grants and rotate secrets.
  • Enforce enterprise extension allowlists, block unapproved agentic assistants, and tighten download controls.
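The grant and token‑usage monitoring described in the steps above, as an added example (not code from the newsletter, SquareX, or any IdP vendor): it flags risky scopes granted without admin consent, grants to unverified publishers, and token use from a source IP, User‑Agent or country not previously seen for that user/app pair. The event shape, the risky‑scope list and all events are constructed assumptions; map your IdP’s audit fields (Entra, Google Workspace, Okta) onto them before reuse.

```python
"""OAuth grant and token-use monitoring over constructed IdP audit events.

Checks implemented: risky scopes granted without admin consent, grants to
unverified publishers, and token use from a (user, app) context
(source IP, User-Agent, geo) not seen before. The event schema and the
risky-scope list are assumptions for this example, not any IdP's real format.
"""
from collections import defaultdict

# Assumption: scopes your tenant treats as requiring admin consent.
RISKY_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All", "offline_access"}

# Constructed audit events in a simplified, IdP-neutral shape.
EVENTS = [
    {"type": "consent", "user": "alice", "app": "notes-helper",
     "scopes": ["Mail.Read"], "admin_consent": False, "publisher_verified": True},
    {"type": "consent", "user": "bob", "app": "ai-browser-assistant",
     "scopes": ["Mail.ReadWrite", "offline_access"], "admin_consent": False, "publisher_verified": False},
    {"type": "token_use", "user": "alice", "app": "notes-helper",
     "ip": "10.1.2.3", "ua": "notes-helper/1.0", "geo": "DE"},
    {"type": "token_use", "user": "alice", "app": "notes-helper",
     "ip": "10.1.2.3", "ua": "notes-helper/1.0", "geo": "DE"},
    # Same user and app, but the token is now used from a new address, client and country.
    {"type": "token_use", "user": "alice", "app": "notes-helper",
     "ip": "203.0.113.50", "ua": "python-requests/2.31", "geo": "NL"},
]


def review_events(events, baseline=None):
    """Return findings as (kind, user, app, detail) tuples.

    `baseline` optionally seeds known (ip, ua, geo) contexts per (user, app);
    otherwise the first observed context for each pair becomes the baseline.
    """
    seen = defaultdict(set, {k: set(v) for k, v in (baseline or {}).items()})
    findings = []
    for ev in events:
        key = (ev["user"], ev["app"])
        if ev["type"] == "consent":
            risky = RISKY_SCOPES & set(ev["scopes"])
            if risky and not ev["admin_consent"]:
                findings.append(("consent_without_admin", ev["user"], ev["app"], sorted(risky)))
            if not ev["publisher_verified"]:
                findings.append(("unverified_publisher", ev["user"], ev["app"], None))
        elif ev["type"] == "token_use":
            ctx = (ev["ip"], ev["ua"], ev["geo"])
            if seen[key] and ctx not in seen[key]:
                findings.append(("new_token_context", ev["user"], ev["app"], ctx))
            seen[key].add(ctx)
    return findings


def prioritize(findings):
    """Rank apps by how many distinct finding kinds they triggered; review the top first."""
    kinds = defaultdict(set)
    for kind, _user, app, _detail in findings:
        kinds[app].add(kind)
    return sorted(((app, len(k)) for app, k in kinds.items()), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    found = review_events(EVENTS)
    for f in found:
        print(f)
    print("review order:", prioritize(found))
```

In production the baseline comes from a trailing window of historical token usage rather than the first event in the batch, and a `new_token_context` hit on an app that also has a risky or unverified grant is the case to revoke and rotate first.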

Why we care

  • If true, this increases the risk of post‑auth compromise without credential theft. It’s an identity governance and extension‑control problem more than a pure browser bug.

8) Sophos CTU: ransomware volatility, MFA gaps, and legacy edge vulns — a programmatic reminder

Highlights

  • Sophos CTU’s executive report (Vol. 2025 No. 5) notes persistent ransomware ecosystem churn, widespread abuse of stolen VPN credentials where MFA is absent, and continued exploitation of legacy edge device vulnerabilities. Emphasis: phishing‑resistant MFA and edge patching/replacement. See Sophos CTU report.

Operational actions

  • Enforce phishing‑resistant MFA (FIDO2/WebAuthn) on internet‑facing services.
  • Patch or replace end‑of‑life edge devices; segment and deny‑by‑default admin access.
  • Harden remote access, posture‑check devices, and maintain immutable offline backups for ransomware response.

Weekly trend map — what’s changing at scale

  • Attack surface maturity gap: high‑value management planes (F5, GoAnywhere, WSUS) continue to be targeted. These are attractive because they control traffic, updates, or transfer sensitive data.
  • Identity & MFA remain the primary controls defenders fail to get right at scale — stolen credentials + weak MFA = easy RCE/initial access. Sophos CTU and NCSC both emphasize phishing‑resistant MFA.
  • Community intelligence (OTX/Reddit) is plentiful but noisy — use for hunt hypotheses, not automated enforcement. Validate indicators locally.

Practical 72‑hour playbook (prioritized, executable)

  1. F5 owners: inventory, remove public management exposure, apply CISA ED 26‑01 timelines, validate image checksums, rotate admin tokens/keys/certs, and start hunts for iControl/API anomalies.
  2. Windows/WSUS: patch KEV/Oct items on Tier‑0 systems — CVE‑2025‑24990, CVE‑2025‑59230, CVE‑2025‑59287. Harden WSUS (TLS, code‑signing, network restriction).
  3. GoAnywhere MFT: patch to fixed builds (7.6.3/7.8.4+) or apply hotfix; remove Admin Console from internet; rotate secrets; hunt for webshells/persistence.
  4. App owners (Oracle/Sitecore): patch, WAF/IPS the management paths, validate OTX indicators before blocking.
  5. Identity: enforce phishing‑resistant MFA on VPN/SSO/admin portals; revoke stale grants; monitor unusual OAuth behavior.
  6. SOC: deploy Talos/IDS rules, add hunts for RasMan/Agere/LSASS anomalies, WSUS tampering, iControl REST oddities, and webshell detection patterns.
  7. Execs: greenlight emergency windows and cross‑team response; this requires change control exceptions and communications templates.

Detection queries & rule ideas (quick starters)

  • iControl REST anomaly (pseudo‑SPL):
    index=f5_logs sourcetype=icontrol | stats count by src_ip, uri | where count>10 AND src_ip NOT IN [admin_allowlist]
  • WSUS tampering heuristic:
    Detect sudden approval events or content hash changes for .cab/.msu payloads in WSUS logs; correlate to management IPs.
  • RasMan driver/Agere EoP trace:
    Alert on service start for RasMan outside maintenance window and any subsequent LSASS access or dump attempts.
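The iControl REST anomaly query above, and the “unexpected source IPs or non‑standard UAs” hunt starter from the F5 section, as one added example in plain Python (not code from the newsletter or from F5): it counts requests by source and URI, ignores the admin allowlist, flags bursts over the same threshold the pseudo‑SPL uses, and separately flags non‑allowlisted sources with an unexpected User‑Agent. The log line format, the allowlist and the sanctioned‑UA prefixes are assumptions, and the log lines are constructed.

```python
"""Hunt starter: iControl REST anomaly detection over constructed log lines.

Same logic as the pseudo-SPL (stats count by src_ip, uri; where count > 10
and src_ip not allowlisted) plus the non-standard User-Agent check. The line
format, the allowlist and the expected UA prefixes are assumptions for this
example, not F5 defaults.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: one syslog-style line per iControl REST request.
LOG_LINES = (
    # Routine automation from the admin network (allowlisted, never flagged)
    ['2025-10-19T02:14:%02dZ bigip1 icontrol src=10.0.5.10 method=GET '
     'uri=/mgmt/tm/sys/version ua="f5-sdk/3.0"' % s for s in range(3)]
    # Burst of user-enumeration calls from an unexpected external address
    + ['2025-10-19T02:20:%02dZ bigip1 icontrol src=203.0.113.7 method=GET '
       'uri=/mgmt/tm/auth/user ua="Mozilla/5.0 (X11; Linux x86_64)"' % s for s in range(12)]
    # Single login attempt from another unexpected address with an odd UA
    + ['2025-10-19T02:31:00Z bigip1 icontrol src=198.51.100.4 method=POST '
       'uri=/mgmt/shared/authn/login ua="Go-http-client/1.1"']
)

ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.5.0/24")]        # assumption: admin jump-host network
EXPECTED_UA_PREFIXES = ("f5-sdk/", "python-requests/", "curl/")  # assumption: sanctioned tooling
THRESHOLD = 10                                                 # same cut-off as the pseudo-SPL

LINE_RE = re.compile(r'src=(?P<src>\S+) method=(?P<method>\S+) uri=(?P<uri>\S+) ua="(?P<ua>[^"]*)"')


def parse_line(line):
    """Extract src, method, uri and ua from one log line; None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def is_allowlisted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source: treat as not allowlisted
    return any(addr in net for net in ADMIN_ALLOWLIST)


def find_anomalies(lines, threshold=THRESHOLD):
    """Return (bursts, odd_agents).

    bursts:     [(src, uri, count)] for non-allowlisted sources with count > threshold
    odd_agents: [(src, ua)] for non-allowlisted sources using an unexpected User-Agent
    """
    counts = Counter()
    odd_agents = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or is_allowlisted(ev["src"]):
            continue
        counts[(ev["src"], ev["uri"])] += 1
        if not ev["ua"].startswith(EXPECTED_UA_PREFIXES):
            odd_agents.add((ev["src"], ev["ua"]))
    bursts = sorted((src, uri, n) for (src, uri), n in counts.items() if n > threshold)
    return bursts, sorted(odd_agents)


if __name__ == "__main__":
    bursts, odd = find_anomalies(LOG_LINES)
    for src, uri, n in bursts:
        print(f"BURST  {src} -> {uri} ({n} calls)")
    for src, ua in odd:
        print(f"ODD-UA {src} ua={ua!r}")
```

The two signals are kept separate on purpose: a single request from an unknown address with a browser User‑Agent to an auth endpoint never crosses the count threshold, but it is exactly the kind of low‑volume management‑plane touch the F5 hunt starters ask you to look at.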

If you want, we’ll push a follow‑up with precise Sigma rules, Splunk/ELK queries, and a sample F5 hunt playbook.

Closing thoughts — programmatic, not panicked

KryptoKat: This week’s theme is “management plane first.” When attackers steal source code or target update mechanisms, they are buying speed. Your priorities are inventory, isolation, and integrity checks — then patching and aggressive hunting. Don’t let social chatter make you pull emergency magic numbers; validate, then act.
UncleSp1d3r: Do the boring, effective stuff: take admin interfaces off the internet, get KEV patches on Tier‑0, patch GoAnywhere if you haven’t, and enforce phishing‑resistant MFA. That will stop the loudest, nastiest outcomes. Also, hydrate.

— Kat & Sp1d3r

Useful reading (authoritative)

  • CISA Emergency Directive ED 26‑01 (F5): https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices
  • Fortra GoAnywhere MFT advisory / timeline: https://www.fortra.com/security/advisories/product-security/fi-2025-012
  • Microsoft Security Update Guide — October 2025: https://msrc.microsoft.com/update-guide/releaseNote/2025-Oct
  • ZDI October 2025 review: https://www.thezdi.com/blog/2025/10/14/the-october-2025-security-update-review
  • Cisco Talos Patch Tuesday Snort rules: https://blog.talosintelligence.com/microsoft-patch-tuesday-for-october-2025-snort-rules-and-prominent-vulnerabilities/
  • Sophos CTU Exec Report Vol. 2025 No. 5: https://news.sophos.com/en-us/2025/10/17/threat-intelligence-executive-report-volume-2025-number-5/

If you want the F5 hunt playbook (Sigma + SPL + ELK + EDR rules) or specific Talos Snort SIDs mapped to your SOC runbook, say the word and we’ll assemble it.
