top of page

Cybersecurity Weekly Update: 17-24 November 2025

  • Writer: SOC Team
    SOC Team
  • 6 hours ago
  • 3 min read

1. Microsoft Revokes 200+ Fraudulent Certificates Used in Ransomware Campaigns

Microsoft has revoked more than 200 fraudulent code-signing certificates that were being abused by the threat actor Vanilla Tempest (also known as Vice Society) to deploy malware through spoofed Microsoft Teams installers. These malicious installers were hosted on SEO-poisoned domains such as teams-download[.]buzz and teams-install[.]run, where victims were tricked into downloading a fake MSTeamsSetup.exe file. Once executed, the installer deployed the Oyster backdoor, which was subsequently used to deliver Rhysida ransomware into victim environments. (thecyberpost.com)

Microsoft has updated Defender and related detection engines to flag binaries signed with these revoked certificates, significantly degrading the threat actor’s ability to operate. (thecyberpost.com)


Why it matters: Threat actors are increasingly abusing trusted mechanisms such as code-signing certificates to bypass security controls. This undermines the typical trust assumptions organisations make when verifying software integrity.


Action: Validate the source of all enterprise software installers. Ensure endpoint security tools are fully updated, enforce strict code-signing validation policies, and block untrusted or anomalous signed binaries.


2. Coordinated Botnet Targets RDP Services Across Hundreds of Thousands of IPs

Security researchers at GreyNoise observed a large-scale botnet campaign targeting Remote Desktop Protocol (RDP) services. Beginning early October, more than 100,000 IP addresses — later growing to roughly 300,000 — were seen conducting coordinated authentication timing attacks and login-enumeration attempts. These IPs originate from over 100 countries, demonstrating a globally distributed botnet under centralised control. The activity focuses heavily on Microsoft RD Web Access and the RDP Web Client. (greynoise.io)

The campaign appears to be systematic, sustained, and focused primarily on the United States for now, but the infrastructure is broad enough to expand geographically at any time. (greynoise.io)


Why it matters: RDP remains one of the most compromised attack vectors in ransomware cases. A globally distributed botnet conducting automated enumeration significantly increases the chance of password compromise, especially in organisations with legacy systems, exposed remote access, or incomplete MFA coverage.


Action: Review your RDP exposure immediately. Enforce MFA on all remote access, apply rate limits or geo-blocking where possible, disable public RDP unless required, and monitor authentication anomalies.


3. SonicWall SSL-VPN Vulnerability (CVE-2024-40766) Still Actively Exploited

The Akira ransomware group continues to exploit the SonicWall SSL-VPN vulnerability CVE-2024-40766, affecting Gen 5/6/7 firewalls with SSL-VPN enabled. Recent threat-intelligence reports confirm that attackers are leveraging weak or inherited credentials left behind during firewall migrations, allowing them to bypass MFA and gain VPN access. Once inside, lateral movement and credential harvesting take place, often culminating in full ransomware deployment. (quorumcyber.com)

This campaign highlights ongoing exploitation despite vendor patches being available, suggesting many organisations have not fully completed remediation steps such as password resets or firmware upgrades. (crn.com)


Why it matters: Compromised VPN access provides a direct path into internal networks, especially in sectors such as defence, healthcare, education, and finance where VPN adoption is high. Weak credential hygiene or legacy configurations greatly increase organisational risk.


Action: Upgrade to SonicOS 7.3 or later and immediately reset all local SSL-VPN user credentials. Enforce MFA, restrict VPN access by IP or geography, and conduct regular audits of VPN logs to detect suspicious activity.


4. Growing Industry Focus on Cyber-Resilience Over Prevention

Across industry briefings this week, there is an increasing shift toward resilience as a strategic priority. Security leaders and analysts emphasised preparing for total IT failure scenarios, given the scale and sophistication of current attack campaigns. This includes investments in recovery planning, visibility, cross-domain monitoring, and rapid containment capabilities.

The ongoing threats — including certificate abuse, large-scale botnet activity, and persistent exploitation of legacy infrastructure — are driving organisations in critical sectors to re-evaluate continuity processes and post-breach readiness.


Why it matters: As threat actors become more sophisticated, traditional perimeter-based defence is no longer enough. Resilience ensures that even if an attacker gains entry, the organisation can continue operating and recover rapidly.


Action: Review and test incident response plans, ensure backup strategies include offline or immutable copies, conduct tabletop exercises for ransomware and access compromise scenarios, and validate that monitoring covers VPN, RDP, authentication, and endpoint activity comprehensively.


Key Recommendations

  1. Harden Access Points: Lock down RDP and VPN with MFA, rate-limiting, and credential hygiene.

  2. Validate Software Integrity: Avoid downloading critical software from untrusted third-party sites; check certificate validity.

  3. Manage Legacy Infrastructure Risks: Identify and patch older security appliances (firewalls, VPNs), reset migrated credentials, and enforce good security hygiene.

  4. Build Cyber Resilience: Test recovery plans; maintain clean backups; run tabletop exercises for threat scenarios.

  5. Leverage Threat Intelligence: Use dynamic blocking services and proactively hunt for anomalies in your environment.


 
 
bottom of page