Weekly Cyber Security Bulletin — 29 Sep to 5 Oct 2025

This week’s security landscape underscores a worrying trend: cloud and supply‑chain weaknesses combined with social engineering are enabling high‑impact intrusions. From a near‑critical OpenShift AI privilege escalation to weaponized document and installer campaigns, organisations must urgently reexamine permissions, supply‑chain trust, and user‑facing controls.

The big picture
Between 29 September and 5 October 2025, security researchers and vendors disclosed several high‑severity vulnerabilities and confirmed active data‑exfiltration campaigns that continue to target both enterprise infrastructure and everyday users. Notable issues affect hybrid cloud platforms (Red Hat OpenShift AI), virtualization tooling (VMware Aria and VMware Tools), and widely used desktop software (Notepad++). Simultaneously, threat actors exploited third‑party provider compromises (Renault UK, Discord) and conducted cleverly disguised phishing and malvertising operations to deliver backdoors, steal credentials, and enable long‑term persistence.

Critical vulnerabilities to prioritise

• Red Hat OpenShift AI (CVE‑2025‑10725) — A near‑critical privilege escalation vulnerability allows authenticated low‑privileged users to create Jobs in privileged namespaces, potentially enabling full cluster takeover. Given the high impact on confidentiality, integrity, and availability, administrators should apply vendor patches, revoke overly broad ClusterRoleBindings, and review role bindings that include system:authenticated. Read more: https://access.redhat.com/security/cve/cve-2025-10725
• VMware Aria & VMware Tools (CVE‑2025‑41244 / 41245 / 41246) — Multiple local privilege escalation and information disclosure flaws call for immediate patching to Aria Operations 8.18.5 and VMware Tools 13.0.5/12.5.4 (or vendor‑recommended updates). Limit VM user privileges and restrict admin interfaces to reduce attack surface. Read more: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149
• Notepad++ DLL Hijacking (CVE‑2025‑56383) — A straightforward DLL path issue enables local code execution by placing malicious DLLs in plugin folders. While not remotely exploitable by itself, this vulnerability is highly valuable to attackers who already have limited local access. Enforce file integrity monitoring and endpoint controls to mitigate risk. Read more: https://nvd.nist.gov/vuln/detail/CVE-2025-56383

Attack campaigns and supply‑chain incidents

• Third‑party breaches (Renault UK, Discord) — Both incidents show attackers targeting vendors and service providers as a gateway to personal data. Compromised records include names, contact details, partial billing data, and in some cases scanned government IDs. Organisations relying on third parties should accelerate supplier risk assessment, verify breach notifications, and communicate clear guidance to affected customers about phishing and fraud. Read more on Renault: https://www.express.co.uk/news/uk/2116479/renault-uk-customers-have-data
  Read more on Discord: https://discord.com/press-releases/update-on-security-incident-involving-third-party-customer-service

Security News

• Google publishes UNC6040 hardening guide On October 1, 2025, Google Cloud Security released detailed recommendations to defend against the UNC6040 threat actor group, an advanced persistent threat exploiting cloud misconfigurations, stolen keys, and abused SDK tools for lateral movement and data exfiltration. The guidance includes a proactive hardening playbook with YARA and Sigma detection rules, service‑account and metadata auditing, and continuous validation of IAM roles. Organisations are advised to implement these controls to prevent credential theft and persistence through forged service accounts. Read more: https://cloud.google.com/blog/topics/threat-intelligence/unc6040-proactive-hardening-recommendations/
• SVG phishing & PureMiner / Amatera chain — Attackers are embedding malicious HTML/iframes inside SVG attachments to bypass simple attachment filters. The chain leverages CHM/HTA and mshta.exe to disable AMSI and load fileless payloads for mining and credential theft. Block or thoroughly inspect SVGs, disallow CHM/HTA where feasible, and hunt for anomalous PowerShell and AMSI bypass indicators. Read more: https://www.fortinet.com/blog/threat-research/svg-phishing-hits-ukraine-with-amatera-stealer-pureminer
• Malicious Teams installers & Oyster backdoor — SEO poisoning and malvertising now target high‑traffic downloads (e.g., Microsoft Teams). Fake installers signed with dubious certificates drop long‑running backdoors and persistence mechanisms. Always download software from official vendor pages, maintain up‑to‑date EDR, and educate users to use bookmarks for critical apps. Read more:  https://www.broadcom.com/support/security-center/protection-bulletin/oyster-backdoor-spread-via-malicious-teams-setup

Practical recommendations (what to do this week)

1. Patch urgently. Prioritise Red Hat OpenShift AI and VMware updates; apply vendor advisories.
2. Harden IAM and RBAC. Remove permissive ClusterRoles, audit service accounts and metadata services in cloud projects, and tighten privileged roles.
3. Lock down endpoints. Monitor plugin directories, disable mshta.exe/CHM where possible, and apply file integrity checks.
4. Supply‑chain vigilance. Reassess third‑party provider controls, require breach‑notification SLAs, and verify compensation/mitigation plans.
5. User awareness & technical controls. Educate users about malicious download sites and attachments; deploy URL filtering, block known malicious domains, and tune detection rules for AMSI bypass and suspicious PowerShell activity.

Conclusion
This week’s disclosures and campaigns reaffirm that modern attacks blend technical vulnerabilities with human and supply‑chain weaknesses. A combined approach — rapid patching, strict role/permission hygiene, endpoint hardening, and supplier oversight — will reduce risk and limit attacker dwell time.

Start your security audit now. Contact: [email protected] | +971553438693 | SOC | 24/7 Cybersecurity Monitoring & Rapid Threat Response | Crowe UAE