Datapath Risks: Supply Chains and Intelligence Maturity.
Author: Alexander Máni Einarsson
Datapath to Disaster: A September 2025 Cyber Threat Intelligence Brief
The digital landscape is shifting. While breathless headlines about AI-driven cyberattacks haven’t yet materialized as a widespread crisis, a more insidious trend is taking hold: the weaponization of the datapath – the very arteries through which our data flows 1. September 2025 has seen a surge in breach reports, eclipsing initial anxieties around ransomware (though it remains a persistent threat), and highlighting a critical vulnerability: our increasing reliance on complex, interconnected systems. This isn’t simply about compromised hardware or software anymore; it’s about the vulnerabilities inherent in how data is processed, moved, and secured.
Currently, three key themes dominate the threat landscape. First, supply chain attacks are evolving, extending beyond traditional targets to encompass the entire datapath, as evidenced by the recent, though limited-impact, NPM supply chain incident 1. Second, identity attacks are broadening in scope, moving beyond individual user accounts to target interconnected applications, demanding a more holistic security posture 1. Finally, organizations are grappling with a critical need to mature their threat intelligence capabilities, as highlighted by Cisco Talos’s new Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) 2, which provides a roadmap for moving beyond reactive security to proactive, strategic intelligence.
Notable actors and behaviors include continued activity from ransomware groups like those linked to Volodymyr Tymoshchuk (LockerGoga, MegaCortex, Nefilim) – for whom the US is offering a $10 million reward 1 – alongside reports of Chinese state-sponsored activity targeting Dior’s Shanghai branch 1. We’re also observing a concerning trend of leaked credentials, from the TransUnion breach impacting 4.4 million customers 3 to exposed Azure Active Directory credentials, and a WhatsApp zero-day exploit 3. Interestingly, multiple sources – Talos and independent researchers – point to vulnerabilities in seemingly mundane components like Dell laptop firmware and small office/home routers being actively exploited to mask malicious traffic 3. Confidence in these reports varies; the actor attribution remains uncertain in several cases, representing emerging intelligence. High-confidence findings include the active exploitation of the critical SAP vulnerability (CVE-2025-42957) 1 and the prevalence of malware families identified by their SHA256 hashes (41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610, 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507, c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0) 1.
What to watch next: as organizations strive for collective defense and automated intelligence sharing, the ability to rapidly risk-score and operationalize threat data will be the defining factor in mitigating the inevitable compromises of tomorrow.
- The threat landscape is currently dominated by breach reports, shifting focus away from AI and ransomware, though the latter remains a persistent threat.
- A key trend identified is the evolving nature of supply chain attacks, now encompassing the “datapath” – where data is processed – alongside traditional hardware and software components.
- Identity attacks are expanding beyond individual users to target interconnected applications, necessitating a broader security focus.
- Cisco Talos has released the Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) to aid organisations in assessing and improving their threat intelligence programs across 11 domains.
- A significant NPM supply chain attack, while potentially impactful, appears to have had limited realised consequences.
- Several security headlines highlight specific vulnerabilities and incidents:
  - A critical SAP vulnerability (CVE-2025-42957) is being actively exploited.
  - 1.6 million fitness phone call recordings were exposed due to an unencrypted database.
  - The US is offering a $10 million reward for a Ukrainian ransomware operator (Volodymyr Tymoshchuk) linked to LockerGoga, MegaCortex, and Nefilim.
  - China accuses Dior's Shanghai branch of illegal data transfer.
- Prevalent malware observed includes:
  - SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610 – identified as a self-extracting archive.
  - SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 – a coinminer.
  - SHA256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 – a dropper.
- Further details on recent threats, including a comprehensive list of IoCs (IP addresses, domains, hashes, etc.), can be found at https://blog.talosintelligence.com/beaches-and-breaches/. 1
From Silos to Swarms: Automating the Future of Threat Intelligence. 2025-09-05
- The article details a progression in cyber threat intelligence (CTI) maturity, advocating for a shift from isolated intelligence consumption to autonomous, cross-industry collaboration.
- The threat intelligence maturity curve is defined by four stages: Ingesting Feeds, Enriching and Using Intel Internally, Manually Sharing with Peers, and Automating Threat Intelligence Sharing and Coordinated Defense.
- Stage 4, automated collaboration, is presented as a strategic imperative due to the increasing speed and collaborative nature of modern attackers.
- Automated collaboration involves immediate validation and dissemination of Indicators of Compromise (IOCs), tools, Techniques and Procedures (TTPs) to trusted partners based on predefined policies and roles.
- Common barriers to adoption – concerns about control, maturity, and trust – are addressed, with the article asserting that modern platforms and governance frameworks mitigate these risks.
- Leaders are advised to assess their current maturity, evaluate their technology stack, engage in trusted networks, establish Key Performance Indicators (KPIs) for intelligence contribution, and invest in secure automation.
- The article highlights the potential impact of proactive threat intelligence sharing, contrasting learning about attacks after impact with preemptive mitigation based on shared intelligence.
- A specific example is provided of a school district detecting malware and automatically sharing the IOCs with other relevant organisations.
- The article references a video providing further information on proactive security: https://www.youtube.com/watch?v=tiyUk7OYquU
- The article encourages readers to explore Cyware’s Threat Intelligence Platform: https://www.cyware.com/products/threat-intelligence-platform-tip
- A large amount of threat intelligence data is discussed, such as IOCs, TTPs, and remediation steps. For further reading on collaborative threat intelligence, see: https://www.cyware.com/blog/from-intelligence-silos-to-autonomous-collaboration-the-next-leap-in-cyber 4
Assume Breach: Building Resilience in a World of Inevitable Compromise. 2025-08-29
Cybercrime & Societal Resilience: A Summary
- The article posits that contemporary cyberattacks represent not merely technical failures, but systemic vulnerabilities reflecting broader societal dependencies and assumptions regarding system reliability.
- A key observation is the real-time exploitation of vulnerabilities by adversaries during periods of technological transformation.
- The text highlights the interconnectedness of systems, illustrating how a single breach can have cascading effects, potentially impacting numerous entities (e.g., municipalities).
- Syndis advocates a proactive security posture centred around the assumption of compromise.
- Assume Breach Penetration Testing is recommended to identify and remediate existing access paths within a network.
- Red Teaming & Adversary Simulation are suggested to evaluate the efficacy of security responses under realistic attack conditions.
- SOC Services are presented as a means of continuous monitoring and early threat detection.
- Incident Response Readiness is deemed crucial for effective containment and eradication of threats.
- Business Continuity Planning is advocated to minimise downtime following a successful attack.
- Security Awareness Training & Phishing Simulations are proposed to strengthen the human element of security.
- Cloud & Application Security Reviews are recommended to address vulnerabilities introduced during rapid development and migration.
- The article stresses that a holistic approach, combining multiple security measures, is necessary to build resilience.
- Supply chain security is explicitly identified as a critical component of national resilience.
- The article does not contain specific IoCs (e.g., IP addresses, domain names, hashes) or CVE identifiers. Further information can be found at https://syndis.com/blog/cybercrime-can-happen-to-anyone-the-real-lesson-from-sweden.
- Targeted sectors are not explicitly defined, but the discussion of municipalities suggests potential targeting of public sector organisations.
- Potential impact includes widespread disruption of services and erosion of trust in critical infrastructure.
CTI-CMM: Charting a Course from Reactive to Strategic Intelligence. 2025-09-10
- The Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) is presented as a framework for organisations to evaluate and enhance their threat intelligence programs.
- CTI-CMM identifies 11 key domains where CTI can support decision-making, including Asset, Change and Configuration Management, Threat and Vulnerability Management, and Risk Management.
- Each domain has associated “missions” outlining specific CTI activities, such as rapidly detecting at-risk assets or reducing risk against emerging adversaries.
- The model defines four maturity levels: CTI0 (Pre-Foundational), CTI1 (Foundational – ad hoc, reactive), CTI2 (Advanced – planned, proactive), and CTI3 (Leading – strategic, prescriptive).
- Maturity progression follows a “prepare, assess, plan, deploy, measure” cycle, enabling continuous improvement of the CTI program.
- CTI-CMM builds upon previous capability models, including the Cybersecurity Capability Maturity Model (C2M2) and early work by Verisign in the early 2010s.
- The framework acknowledges that achieving the highest maturity level isn’t always necessary; focusing on meeting user needs with appropriately resourced intelligence is prioritised.
- The article stresses the importance of aligning CTI efforts with business objectives and delivering actionable intelligence to stakeholders.
- A table details the 11 domains, abridged descriptions, and example CTI missions.
- A table outlines the characteristics of each maturity level (CTI0-CTI3).
- The article includes a diagram illustrating the CTI program maturity levels.
- Further details on threat intelligence programs and maturing a cyber threat intelligence program can be found at https://blog.talosintelligence.com/maturing-the-cyber-threat-intelligence-program/. 2
From Threat Data to Defense: Automating Intelligence with STIX/TAXII. 2025-09-03
- The article addresses the challenge of effectively utilising threat intelligence within government organisations, noting a prevalence of data but a lack of actionable insights.
- A key issue identified is the difficulty in integrating threat intelligence platforms with existing security tools (EDR, SIEM, firewalls) via standards like STIX/TAXII. Cyware’s platform is presented as a solution, demonstrating rapid STIX/TAXII connectivity.
- Automation of phishing intelligence processing is highlighted as a specific pain point, with Cyware’s sandboxing capabilities resolving a case where another vendor failed to deliver after a year and significant expenditure.
- Recurring SecOps challenges include real-time threat intel integration, automation of incident response, cross-agency collaboration, and improving SIEM/SOAR effectiveness.
- The article criticises other threat intelligence platforms for requiring significant manual effort from SOC teams, such as converting data formats (PDF, CSV) to STIX and creating investigation reports.
- Cyware’s solution focuses on bidirectional threat intelligence sharing using STIX/TAXII, automated end-to-end processes, and scalability with existing teams.
- The platform supports all STIX versions (1, 2, 2.1) and simplifies intelligence sharing through a set-and-forget TAXII server configuration.
- Cyware offers 400 integrations with tools like ServiceNow (37 out-of-box actions), CrowdStrike (72 out-of-box actions), and Splunk (20 out-of-box actions).
- Client success managers provide training and support to ensure effective platform utilisation.
- The article promotes a webinar hosted by Carahsoft and Cyware for further information on operationalizing threat intelligence and achieving collective defense: https://www.carahsoft.com/learn/event/71169-how-to-operationalize-threat-intelligence-&-achieve-collective-defense?hss_channel=lcp-10407612
- Further resources on strengthening cyber defenses with Cyware are available at: https://www.cyware.com/government
- The article details a number of Indicators of Compromise (IOCs) and threat intelligence data, for further operationalisation please see https://www.cyware.com/blog/how-to-operationalize-cyber-threat-intelligence-and-achieve-collective
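The format conversion the article says SOC teams do by hand (turning a list of hashes into STIX so a TAXII consumer can ingest it) is small enough to show directly. This is an added example, not code from the article or from Cyware's platform: it builds a STIX 2.1 bundle of Indicator objects for the three SHA-256 values listed earlier in this brief using only the standard library, tags them with the specification's fixed TLP:GREEN marking identifier, and shows the consuming side reading the hashes back out of the patterns. The `OBSERVED_FILES` rows, names and descriptions are constructed.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed input rows: the three SHA-256 values the brief lists, with the
# labels it gives them. Nothing here talks to a real TAXII server.
OBSERVED_FILES = [
    ("41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610", "self-extracting archive"),
    ("9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507", "coinminer"),
    ("c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0", "dropper"),
]

# Fixed identifier the STIX 2.1 specification assigns to the TLP:GREEN marking.
TLP_GREEN = "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Shape of the pattern this producer emits; the consumer uses it to read hashes back.
PATTERN_RE = re.compile(r"^\[file:hashes\.'SHA-256' = '([0-9a-f]{64})'\]$")


def is_sha256(value: str) -> bool:
    return bool(SHA256_RE.match(value.lower()))


def stix_timestamp(ts: datetime) -> str:
    # STIX 2.1 timestamps: RFC 3339, UTC, millisecond precision, trailing Z.
    ts = ts.astimezone(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


def sha256_to_indicator(sha256: str, label: str, created: datetime) -> dict:
    """Wrap one file hash in a STIX 2.1 Indicator SDO carrying a STIX pattern."""
    sha256 = sha256.lower()
    if not is_sha256(sha256):
        raise ValueError(f"not a SHA-256 hex digest: {sha256!r}")
    ts = stix_timestamp(created)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": f"{label} ({sha256[:12]})",
        "description": f"SHA-256 of a prevalent {label} sample",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[file:hashes.'SHA-256' = '{sha256}']",
        "pattern_type": "stix",
        "valid_from": ts,
        "object_marking_refs": [TLP_GREEN],
    }


def build_bundle(objects: list) -> dict:
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def convert_observed_files(rows, created: datetime = None) -> dict:
    """Producer side: (sha256, label) rows -> one STIX 2.1 bundle ready for a TAXII collection."""
    created = created or datetime.now(timezone.utc)
    return build_bundle([sha256_to_indicator(h, label, created) for h, label in rows])


def hashes_from_bundle(bundle: dict) -> list:
    """Consumer side: recover SHA-256 values from indicator patterns, skipping
    any object that is not an indicator in the expected shape."""
    found = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        match = PATTERN_RE.match(obj.get("pattern", ""))
        if match:
            found.append(match.group(1))
    return found


if __name__ == "__main__":
    print(json.dumps(convert_observed_files(OBSERVED_FILES), indent=2))
```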
September 2025 Patch Tuesday: RCEs and EoPs on High Alert 2025-09-09
- Microsoft released its September 2025 Patch Tuesday update, addressing 86 vulnerabilities across a range of products.
- None of the vulnerabilities is known to be actively exploited in the wild at the time of release; however, eight are assessed as likely candidates for exploitation.
- Of those eight, five are classified as Elevation of Privilege (EoP), two as Information Disclosure, and one as Remote Code Execution (RCE).
- CVE-2025-54916 is an RCE vulnerability within Windows NTFS, exploitable over the network via a stack-buffer overflow, affecting multiple Windows versions (10, 11, Server 2008-2025).
- CVE-2025-54910 is an RCE vulnerability in Microsoft Office (Microsoft 365 Apps, Office 2016-2024) caused by a heap-based buffer overflow; although the attacker may be remote, exploitation requires local action on the target. This class of flaw is also known as Arbitrary Code Execution (ACE).
- CVE-2025-54918 is an EoP vulnerability in Windows NTLM, allowing an authorized attacker to gain SYSTEM privileges over the network, impacting Windows 10, 11, and Server 2008-2025.
- CVE-2025-54101 is an RCE vulnerability in Windows SMB v3 Client/Server, requiring an attacker to win a race condition, affecting Windows 10, 11, and Server 2008-2022.
- Two RCE vulnerabilities affect the DirectX Graphics kernel (CVE-2025-55226 and CVE-2025-55236), both requiring authorized access and, in the case of CVE-2025-55226, target environment preparation.
- Additional vulnerabilities assessed as likely for exploitation include: CVE-2025-53803 (Kernel Memory Information Disclosure), CVE-2025-53804 (Kernel-Mode Driver Information Disclosure), CVE-2025-54093 (TCP/IP Driver EoP), CVE-2025-54098 (Hyper-V EoP), and CVE-2025-54110 (Kernel EoP).
- Cisco Talos has released a new Snort ruleset to detect exploitation attempts, with rules ranging from 65327 – 65334 (Snort2) and 301310 – 301313 (Snort3).
- Cisco Secure Firewall customers should update their Security Rule Update (SRU). Open-source Snort Subscriber Ruleset customers can obtain the latest rule pack from Snort.org.
- A comprehensive list of all vulnerabilities addressed in the September 2025 Patch Tuesday is available at https://msrc.microsoft.com/update-guide/releaseNote/2025-Sep.
- Further details regarding Indicators of Compromise (IoCs) such as IP addresses, domains, and file hashes can be found at https://blog.talosintelligence.com/microsoft-patch-tuesday-september-2025/. 7
Collective Defense: Beyond Silos, Towards Real-Time Resilience. 2025-08-29
- Collective defense is presented as a critical cybersecurity strategy involving the sharing of threat intelligence and best practices between multiple entities.
- Isolated security approaches are deemed insufficient due to the speed and collaborative nature of modern threats, including those from nation-state actors.
- Regulatory frameworks such as NIS2, DORA, and the Cyber Solidarity Act are driving increased adoption of threat intelligence sharing.
- Collaboration occurs across public (e.g., ISACs, CERTs, CISA) and private sectors, including strategic partners and vendors within supply chains.
- Key technological requirements for effective collective defense include standardized data formats (STIX), automated orchestration, secure collaboration with access controls, integration with existing security tools (SIEM, EDR), and analytics for contextual enrichment.
- Cyware Collaborate is positioned as a CTI management platform offering capabilities such as alert creation, crisis management, digital risk protection, intelligence requirements gathering, threat defender libraries, RSS feed integration, analytics dashboards, and a knowledge centre.
- The article highlights the importance of bi-directional, real-time information sharing to enable coordinated responses to threats like ransomware and supply chain attacks.
- A significant amount of threat intelligence data is available through Cyware Collaborate, including alerts, indicators, and TTPs; further information can be found at https://www.cyware.com/blog/collective-defense-in-cybersecurity-how-threat-intelligence-sharing-drives-collaborative-response.
- The article emphasizes the need to close security gaps and strengthen resilience against cascading failures, particularly within critical infrastructure sectors.
- The author, Jawahar Sivasankaran, is the President of Cyware and has over 26 years of experience in the cybersecurity industry.
Beyond Indicators: Risk Scoring for Actionable Threat Intelligence. 2025-08-22
- Risk scoring is presented as a method to prioritise threat intelligence data, moving beyond simple indicator lists to contextualised analysis.
- Raw threat data (indicators, domains, hashes, malware families, campaigns) gains value when relationships between these elements are mapped, revealing potential attacker intent and pathways.
- Operationalisation of threat intelligence is achieved by transforming raw data into actionable insights, such as identifying pre-ransomware activity or at-risk regions/sectors.
- Customisation of risk scoring engines is crucial, allowing organisations to weigh indicator attributes (temporal relevance, persistence) and combine enrichments (YARA signatures, threat actor behaviour, CVE data) based on their specific needs.
- Geopolitical and sectoral context is vital; the platform can track threat actors targeting specific industries (e.g., financial institutions in Malaysia, hospitality, UK retailers like Marks and Spencer and The Co-op).
- The risk engine facilitates proactive threat anticipation through dynamic adjustment of weights and enrichments, reflecting the evolving threat landscape.
- Automation is enabled by risk scoring, triggering incident response, adapting endpoint controls, and executing playbooks.
- Risk scores are dynamic and evolve with the threat landscape, guiding detection, triage, and mitigation efforts, and framing risk in business terms.
- Transparency is key, with contextual tags, source credibility, and user-defined attributes contributing to actionable clarity.
- The article highlights the importance of combining risk scoring with human judgement, amplifying analytical capabilities rather than replacing them.
- Further information on risk scoring and threat intelligence programs can be found at https://www.cyware.com/blog/how-risk-scoring-drives-threat-intelligence-program-results. 9
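As an added illustration of the weighted, explainable scoring described above (not Cyware's engine or its actual formula), the following scores a small constructed feed: an exponential decay for temporal relevance, a capped sighting count for persistence, summed enrichments (YARA, actor attribution, CVE), source credibility, a sector-relevance discount, and action thresholds that drive the automation step. The weights, thresholds, reference time and sample indicators are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass
class Indicator:
    value: str
    last_seen: datetime
    sightings: int                 # recurrence across feeds/telemetry (persistence)
    source_credibility: float      # 0.0 unvetted .. 1.0 trusted partner
    enrichments: List[str] = field(default_factory=list)   # "yara", "actor", "cve"
    sectors: List[str] = field(default_factory=list)       # sectors the actor is seen targeting


# Constructed policy: weights sum to 1.0 so the raw score maps onto 0..100.
# Re-tuning these is the "dynamic adjustment of weights" the article describes.
DEFAULT_WEIGHTS: Dict[str, float] = {
    "temporal": 0.35, "persistence": 0.20, "enrichment": 0.30, "credibility": 0.15,
}
# Contribution of each enrichment; the total is capped at 1.0.
ENRICHMENT_VALUE = {"yara": 0.4, "actor": 0.4, "cve": 0.2}
# Constructed thresholds: the downstream action a score triggers.
ACTIONS: List[Tuple[float, str]] = [(75.0, "block"), (50.0, "investigate"), (25.0, "monitor"), (0.0, "archive")]

# Fixed reference time so the constructed sample scores are reproducible.
REFERENCE_NOW = datetime(2025, 9, 11, tzinfo=timezone.utc)

# Constructed sample feed (none of these values is a real indicator).
SAMPLE_FEED = [
    Indicator("update-check.example.invalid", REFERENCE_NOW, 12, 0.9, ["yara", "actor"], ["finance"]),
    Indicator("cdn-mirror.example.invalid", REFERENCE_NOW - timedelta(days=28), 1, 0.4, [], ["retail"]),
    Indicator("a" * 64, REFERENCE_NOW - timedelta(days=7), 4, 0.7, ["cve"], []),
]


def component_scores(ind: Indicator, now: datetime, half_life_days=14.0, sighting_cap=10) -> Dict[str, float]:
    """Per-attribute scores on 0..1, kept separate so the final number is explainable."""
    age_days = max((now - ind.last_seen).total_seconds() / 86400.0, 0.0)
    return {
        "temporal": 0.5 ** (age_days / half_life_days),          # halves every half_life_days
        "persistence": min(ind.sightings, sighting_cap) / sighting_cap,
        "enrichment": min(sum(ENRICHMENT_VALUE.get(e, 0.0) for e in ind.enrichments), 1.0),
        "credibility": max(0.0, min(ind.source_credibility, 1.0)),
    }


def sector_factor(ind: Indicator, org_sectors) -> float:
    # Full weight when the indicator is untagged or targets a sector we operate in,
    # discounted when it is only known to target someone else.
    if not org_sectors or not ind.sectors or set(org_sectors) & set(ind.sectors):
        return 1.0
    return 0.6


def score_indicator(ind: Indicator, now: datetime, weights=DEFAULT_WEIGHTS, org_sectors=()) -> float:
    parts = component_scores(ind, now)
    raw = sum(weights[k] * parts[k] for k in weights)
    return round(100.0 * raw * sector_factor(ind, org_sectors), 1)


def action_for(score: float) -> str:
    for threshold, action in ACTIONS:
        if score >= threshold:
            return action
    return "archive"


def triage(feed, now: datetime, weights=DEFAULT_WEIGHTS, org_sectors=()) -> List[Tuple[str, float, str]]:
    """Score a feed, attach the triggered action, and return it highest risk first."""
    rows = []
    for ind in feed:
        score = score_indicator(ind, now, weights, org_sectors)
        rows.append((ind.value, score, action_for(score)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for value, score, action in triage(SAMPLE_FEED, REFERENCE_NOW, org_sectors=("finance",)):
        print(f"{score:5.1f}  {action:<11} {value}")
```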
AI Psychopathy, Leaked Credentials & The Endless Grind: Talos Intelligence Roundup 2025-09-04
- The newsletter highlights a shift in focus from "Summer Camp" threat research to "Grind Season," emphasising the continuous nature of threat research and the importance of mental health for security professionals.
- A framework, “Psychopathia Machinalis”, is presented, drawing parallels between the behaviour of advanced AI systems and human psychopathology, suggesting implications for internal threat detection and AI security.
- Talos researchers identified and assisted in resolving three vulnerabilities: one in Dell laptop firmware, another in Microsoft Office for macOS permissions, and a third in small office/home routers.
- The Dell vulnerability demonstrated that a clean OS reinstall may not fully remove an attacker, while the Office for macOS issue showed adversaries exploiting trusted app permissions (microphone access). Compromised routers enabled attackers to mask malicious traffic as legitimate ISP activity.
- TransUnion experienced a data breach impacting 4.4 million customers, with PII including names, dates of birth, and Social Security numbers being compromised.
- A mass data theft incident involving the Salesloft Drift AI chat agent has been reported, potentially compromising Google Workspace account credentials.
- A high-severity vulnerability was discovered in Passwordstate credential manager, allowing potential administrative access to vaults.
- A publicly accessible configuration file leaked Azure Active Directory credentials, potentially enabling attackers to authenticate via Microsoft's OAuth 2.0 endpoints.
- A WhatsApp zero-day vulnerability (CVE-2025-55177) was exploited, allowing attackers to trigger content processing from arbitrary URLs.
- Several SHA256 hashes, MD5 hashes, VirusTotal links, typical filenames, claimed products, and detection names for prevalent malware files were provided. A wide range of malware is being observed, including worms, coinminers, droppers, and tools.
- The newsletter provides links to further research on the identified vulnerabilities and related topics, including Cisco’s work securing Black Hat and insights from the Black Hat NOC.
- Upcoming events where Talos researchers will be present include BlueTeamCon, LABScon, and VB2025.
For a comprehensive list of IoCs and further details, please refer to the original article: https://blog.talosintelligence.com/from-summer-camp-to-grind-season/ 3
Conclusion: Datapath to Disaster – Navigating a Shifting Threat Landscape
Recent intelligence confirms a dynamic threat landscape increasingly defined by supply chain vulnerabilities – extending beyond traditional hardware and software to encompass the “datapath” itself – and a surge in identity-focused attacks (Talos Intelligence, 2025-09-11; Cyware, 2025-08-29). While ransomware remains a persistent concern, current reporting indicates a shift in focus towards broader breaches and exploitation of vulnerabilities, exemplified by the actively exploited SAP flaw (CVE-2025-42957) and the Microsoft Patch Tuesday addressing 86 vulnerabilities (Talos Intelligence, 2025-09-09). This underscores a critical need to move beyond reactive security postures and embrace proactive resilience.
Key Takeaways:
- Supply Chain Expansion (High Confidence): Attacks are increasingly targeting the entire datapath, demanding broader security assessments.
- CTI Maturity Imperative (Medium Confidence): Organisations must progress beyond basic intelligence ingestion towards automated sharing and collaborative defense (Talos, 2025-09-05; Cyware, 2025-08-29).
- Assume Breach is Essential (High Confidence): Proactive penetration testing and incident response readiness are no longer optional, but foundational (Syndis, 2025-08-29).
- Patching Remains Critical (High Confidence): The September Patch Tuesday highlights the constant need for timely vulnerability remediation, particularly for RCE vulnerabilities (Talos Intelligence, 2025-09-09).
Recommended Next Steps:
- High: Prioritize patching of critical vulnerabilities identified in the September 2025 Patch Tuesday, focusing on CVE-2025-54916 and CVE-2025-54910.
- Medium: Conduct a comprehensive supply chain risk assessment, extending beyond Tier 1 vendors to map the entire datapath.
- Watch: Evaluate current CTI program maturity using the Cisco CTI-CMM framework (Talos, 2025-09-10) and identify areas for improvement.
- Watch: Investigate and implement STIX/TAXII integration to facilitate automated threat intelligence sharing (Cyware, 2025-09-03).
Intelligence gaps remain regarding the full scope of the NPM supply chain attack and the long-term implications of the “Psychopathia Machinalis” framework for AI security (Talos Intelligence, 2025-09-11). The evolving geopolitical landscape and the increasing sophistication of threat actors necessitate continuous monitoring and adaptation.
The era of perimeter defense is over. Vigilance, collaboration, and a relentless pursuit of proactive resilience are now paramount.
Footnotes
1. https://blog.talosintelligence.com/beaches-and-breaches/
2. https://blog.talosintelligence.com/maturing-the-cyber-threat-intelligence-program/
3. https://blog.talosintelligence.com/from-summer-camp-to-grind-season/
4. https://www.cyware.com/blog/from-intelligence-silos-to-autonomous-collaboration-the-next-leap-in-cyber
5. https://syndis.com/blog/cybercrime-can-happen-to-anyone-the-real-lesson-from-sweden
6. https://www.cyware.com/blog/how-to-operationalize-cyber-threat-intelligence-and-achieve-collective
7. https://msrc.microsoft.com/update-guide/releaseNote/2025-Sep
8. https://www.cyware.com/blog/collective-defense-in-cybersecurity-how-threat-intelligence-sharing-drives-collaborative-response
9. https://www.cyware.com/blog/how-risk-scoring-drives-threat-intelligence-program-results
