SparTech Software CyberPulse – Your quick strike cyber update for September 28, 2025 10:41 AM

CISA Emergency Directive for Cisco Zero-Day Vulnerabilities

A new emergency directive was issued by the Cybersecurity and Infrastructure Security Agency (CISA) on September 26, 2025, compelling all federal agencies to urgently identify and mitigate recently discovered zero-day vulnerabilities affecting Cisco Adaptive Security Appliances (ASA). The move reflects escalating risks posed by persistent, advanced threats capable of surviving standard security measures.

Nature of the Vulnerability and Threat Actor Tactics

The vulnerability affects Cisco ASA devices whose web services are exposed to the internet. Threat actors exploit as-yet unpatched weaknesses to establish privileged access that persists on the device even across reboots or upgrades. Technical investigation shows that the attack leverages flaws in ASA’s remote-access and web management interfaces, bypassing authentication controls to establish persistent footholds.

Mandate Details and Forensic Protocols

All agencies must:

  • Inventory all Cisco ASA units within operational scope.
  • Collect forensic data to confirm device integrity and hunt for compromise artifacts.
  • Disconnect any devices that lack vendor support, as they cannot receive critical updates.
  • Perform all mandated upgrades on remaining devices before the specified deadline.

Agencies must adopt CISA-authorized forensic acquisition and analysis tools for compromise assessment. CISA will continue to support technical assessments and validation of remediation actions.

Risk Implications for Industry and Guidance for Broader Community

While the directive directly applies to federal networks, organizations outside government using Cisco ASA are strongly urged to follow equivalent protocols. The attack’s persistence mechanism, exploitation simplicity, and capability to infiltrate sensitive networks pose substantial risk to critical infrastructure. CISA emphasizes cross-industry vigilance and adoption of mitigation best practices, including network segmentation, access control hardening, and ongoing log monitoring to detect anomalies rapidly.

Microsoft and Cloudflare Takedown of RaccoonO365 Phishing Infrastructure

In early September 2025, Microsoft and Cloudflare collaborated with law enforcement to dismantle over 300 domains deployed by the RaccoonO365 group—a criminal collective offering phishing-as-a-service aimed chiefly at Microsoft 365 users. The takedown neutralized a major cybercrime operation that relied on sophisticated evasion and social engineering techniques.

Technical Details of the RaccoonO365 PhaaS Model

RaccoonO365 marketed its service to other threat actors, packaging custom phishing sites indistinguishable from legitimate login portals. The service operated on a subscription model, charging clients about $11 per day for access over a fixed subscription period. Attackers typically used the infrastructure to intercept credentials and session tokens at scale, bypassing basic anti-phishing filters.

Operation Tactics and De-Anonymization

The coordinated takedown involved seizing backend infrastructure, disabling the Cloudflare scripts that helped obscure the malicious sites, and rapidly isolating the compromised domain accounts. Investigators identified the group’s ringleader through an exposed cryptocurrency wallet—a rare operational security lapse.

Impact and Continued Vigilance

The operation not only halted active credential-harvesting campaigns but also yielded actionable intelligence about the group’s sales methods, affiliate network, and technical infrastructure. Microsoft and Cloudflare continue to monitor for related “PhaaS” activity and urge organizations to improve their detection of credential phishing attempts, including through email security hardening and user awareness training.

FBI Warning: Salesforce, Salesloft Drift Integrations Under Active Attack

On September 12, 2025, the FBI issued an urgent warning to Salesforce customers about newly observed attack campaigns that abuse both the core CRM platform and integrations such as Salesloft Drift. The warning marks an intensification of targeted enterprise attacks first observed earlier this year, notably linked to the ShinyHunters group.

Attack Mechanisms and “Supergroup” Collaboration

Threat actors are abusing legitimate Salesforce and Salesloft Drift integrations for credential theft and unauthorized access. The campaigns involve coordinated groups that share resources, stolen data, and tactics to amplify attack effectiveness—forming “supergroups” able to breach large and diverse victim pools. Techniques observed include:

  • Exploitation of API keys and tokens within third-party integrations.
  • Abuse of OAuth flows for persistent access.
  • Phishing and business email compromise attacks across multi-organizational clouds.

Recommended Remediation Steps

To counter these threats, organizations are urged to:

  • Audit third-party application permissions and tokens regularly.
  • Segment cloud permissions and monitor logs for anomalous authentication attempts.
  • Apply strict least-privilege policies for all cloud application integrations.

The FBI and industry partners continue to investigate new affiliate networks forming as part of these campaigns.

US Treasury Sanctions Southeast Asian Cyber Scam Networks

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned 19 entities and individuals in Southeast Asia on September 8, 2025. These groups operated large-scale scam centers responsible for more than $10 billion in losses, often exploiting forced labor and physical coercion to extract funds via romance and investment scams targeting victims globally.

Technical Tactics and Organizational Links

The criminal networks facilitating these scams use:

  • Pseudonymous digital wallets for international money laundering.
  • Centralized infrastructure for romance and investment fraud via spam campaigns and false brand representation.
  • Forced labor facilities with operational ties to paramilitary and government-linked organizations in North Korea, Cambodia, and Burma.

International Impact

The sanctions disrupt cyber infrastructure and financial flows used by these organizations, providing law enforcement new leverage to counter ongoing scam campaigns and related nation-state money laundering operations.

Google Law Enforcement Request Platform Breach and FBI eCheck Exposure Risk

The LAPSUS$ hacker group publicly claimed in September 2025 to have breached Google’s Law Enforcement Request System (LERS) platform, exposing previously unreported vulnerabilities and access risks for sensitive law enforcement case data. Google confirmed the breach and took down the compromised accounts, but forensic evidence suggests the access footprint may be broader.

Technical Breach Analysis

Attackers infiltrated LERS by fraudulently creating an account, which they then used to reach internal surveillance tools and law enforcement portals. The platform serves multiple high-sensitivity operations, including the FBI’s eCheck system, which manages personal data associated with active and historical case files.

Potential Impact and Remediation

While Google stated that no data loss occurred, screenshots provided by the attackers indicate extensive access capabilities. The exposure threatens both law enforcement investigations and the privacy of individuals referenced in requests processed through the platform. Google and its partners are reviewing lateral-access risks and have issued new validation protocols for account creation and monitoring.

Scattered Spider: Arrests and Persistent Targeting of Multiple Sectors

Despite public claims of “going dark,” Scattered Spider—a cybercriminal group previously involved in major breaches—was found to be actively targeting the financial, retail, and other business sectors into late September 2025. Coordinated law enforcement actions resulted in charges against two group members for past cyber extortion operations.

Group Activity, Tactics, and Indictments

Research reveals that Scattered Spider has continued multi-stage attacks involving:

  • Credential phishing exploiting business cloud applications.
  • Ransomware deployment and subsequent extortion schemes.
  • Collaboration with other major threat actor collectives, including campaigns paralleling Salesforce and Google platform intrusions.

The group’s tactics appear to overlap with those observed in recent breaches, suggesting continued affiliate-based operations even under law enforcement pressure. Charges announced by US and UK authorities aim to further disrupt the group’s capacity.
