
Ankura CTIX FLASH Update - October 17, 2025

Malware Activity


Malicious Developer Extensions and Cisco Device Exploits

Cybersecurity experts have identified two (2) significant ongoing threats. First, a malicious actor known as TigerJack targets developers by publishing harmful extensions on platforms like Microsoft's VSCode marketplace and OpenVSX, an open-source alternative. These extensions (some downloaded thousands of times) contain dangerous capabilities such as stealing source code, secretly mining cryptocurrency, and executing malicious commands from remote servers. Despite some being removed from VSCode, TigerJack continues re-uploading similar malicious tools under different names, operating with multiple fake accounts to appear legitimate and to push new payloads without updating the extensions. Second, researchers uncovered Operation Zero Disco, a cyberattack campaign exploiting a recent security flaw in older Cisco devices. The flaw, CVE-2025-20352, allowed hackers to remotely execute malicious code on vulnerable systems, especially older models like the 9400, 9300, and 3750G series. Even though Cisco patched the vulnerability, attackers had already installed Linux rootkits that granted persistent access by setting universal passwords containing "disco" and hooking into core software, making detection difficult. They also attempted to exploit a Telnet vulnerability for deeper access. The attacks mainly targeted outdated Linux systems lacking modern security tools, but newer Cisco devices with protections like ASLR can still be targeted through repeated efforts, highlighting the need for cautious security practices. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
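One check a defender can run against the extension threat described above is an inventory of locally installed editor extensions compared with a publisher allowlist. The script below is an added example, not code from Ankura or from any of the reports summarised here. It parses the output of `code --list-extensions --show-versions` (one `publisher.name@version` line per extension) and flags any extension whose publisher is not on a locally maintained allowlist; the allowlist and the sample output are constructed for illustration and do not name real malicious extensions.

```python
"""Audit installed VS Code extensions against a publisher allowlist.

Added example (not from the page or from Microsoft/OpenVSX). Parses the
`code --list-extensions --show-versions` output format, `publisher.name@version`,
and reports extensions from publishers outside a local allowlist.
"""
import re
import subprocess
from dataclasses import dataclass

# One extension per line: <publisher>.<name>@<version>
EXT_LINE = re.compile(r"^(?P<publisher>[^.\s]+)\.(?P<name>[^@\s]+)@(?P<version>\S+)$")


@dataclass(frozen=True)
class Extension:
    publisher: str
    name: str
    version: str

    @property
    def ident(self) -> str:
        return f"{self.publisher}.{self.name}"


def parse_extension_list(text: str) -> list[Extension]:
    """Parse CLI output; malformed lines are skipped rather than raising."""
    found = []
    for raw in text.splitlines():
        m = EXT_LINE.match(raw.strip())
        if m:
            found.append(Extension(m["publisher"], m["name"], m["version"]))
    return found


def flag_unapproved(exts: list[Extension], allowed_publishers) -> list[Extension]:
    """Return extensions whose publisher is not allowlisted (case-insensitive)."""
    allowed = {p.lower() for p in allowed_publishers}
    return [e for e in exts if e.publisher.lower() not in allowed]


def installed_extensions() -> list[Extension]:
    """Query the local `code` CLI; returns [] when the CLI is unavailable."""
    try:
        out = subprocess.run(
            ["code", "--list-extensions", "--show-versions"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return []
    return parse_extension_list(out)


# Constructed sample output and allowlist; the third publisher is fictitious.
SAMPLE_OUTPUT = """ms-python.python@2024.22.0
redhat.java@1.36.0
unknownpub.code-helper-pro@0.0.3
"""
ALLOWED_PUBLISHERS = {"ms-python", "redhat", "esbenp"}


if __name__ == "__main__":
    exts = installed_extensions() or parse_extension_list(SAMPLE_OUTPUT)
    for e in flag_unapproved(exts, ALLOWED_PUBLISHERS):
        print(f"REVIEW: {e.ident} {e.version} (publisher not on allowlist)")
```

A publisher allowlist catches the re-upload-under-a-new-name pattern the paragraph describes better than a blocklist of known-bad extension IDs does, because the new name still has to come from a publisher the organisation has not approved.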


Threat Actor Activity


Australian Government Report Highlights the Interconnected Nature of State-backed and Criminal Hackers

The Annual Cyber Threat Report 2024-2025 from the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) underscores the blurred lines between state-sponsored hackers and financially motivated cybercriminals. A key focus is on a threat actor backed by China, known by various names including Kryptonite Panda and Leviathan, which targets Australian and regional networks for valuable information. These state-backed actors often employ tactics similar to those used by criminal entities, posing significant threats to government and critical infrastructure networks. Also highlighted was the convergence of tactics used by different cyber threat actors, emphasizing the need for enhanced defense strategies rooted in threat intelligence and incident response. The ACSC advises organizations to strengthen their defenses with multifactor authentication, unique passwords, regular backups, and timely patching, as these measures can prevent most incidents. Additionally, the report notes the increasing use of AI by less sophisticated cybercriminals to automate phishing campaigns, analyze stolen data, and orchestrate denial-of-service (DoS) attacks. Organizations are urged to invest in adaptive, intelligent security controls to combat AI-enabled threats. Ransomware remains a major threat to Australian companies and to the world, with Australian costs rising by 219% for large businesses.


Vulnerabilities


CISA Orders Federal Agencies to Secure Systems After F5 Issues Emergency Patches Following Breach That Exposed BIG-IP Vulnerabilities

F5 Networks has released urgent security updates after confirming a state-sponsored compromise on August 9, 2025, in which attackers stole source code and information on undisclosed BIG-IP vulnerabilities. Although the company found no evidence that the stolen flaws were exploited or that its software supply chain was compromised, it issued patches addressing forty-four (44) vulnerabilities across BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. F5 advised customers to update immediately and enhance monitoring through SIEM integrations and administrative login alerts. Following the disclosure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued emergency directive ED 26-01, mandating that all Federal Civilian Executive Branch (FCEB) agencies patch affected F5OS, BIG-IP TMOS, BIG-IQ, and BNK/CNF systems by no later than October 22. All other F5 products must be patched by no later than October 31. CTIX analysts also urge administrators to follow the guidance and remove unsupported, public-facing devices. The directive highlights the ongoing exploitation risk, as BIG-IP vulnerabilities remain prime targets for both nation-state and cybercriminal groups seeking lateral movement, credential theft, and persistence within networks.
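The "administrative login alerts" F5 recommends above can be expressed as a small SIEM-style detection over authentication log lines. The script below is an added example, not F5's tooling and not part of the directive. It assumes OpenSSH-style `Accepted <method> for <user> from <ip>` messages (the format sshd writes, which on BIG-IP lands in `/var/log/secure`) and a locally defined management network; the log lines, accounts and subnet are constructed for illustration.

```python
"""Alert on privileged SSH logins to an appliance from outside the management network.

Added example (not F5 code). Assumes OpenSSH sshd message format and a
locally defined set of management CIDRs; sample lines below are constructed.
"""
import ipaddress
import re

# OpenSSH success line, e.g. "sshd[1234]: Accepted password for admin from 10.0.0.5 port 50210 ssh2"
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"
)
# Accounts whose logins always warrant an alert when they come from an unexpected source.
PRIVILEGED = {"admin", "root"}


def parse_accepted(line: str):
    """Return {method, user, ip} for a successful-login line, else None."""
    m = ACCEPTED.search(line)
    if not m:
        return None
    return {"method": m["method"], "user": m["user"], "ip": m["ip"]}


def privileged_login_alerts(lines, mgmt_networks) -> list[str]:
    """Flag privileged logins whose source address is outside every management CIDR."""
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    alerts = []
    for line in lines:
        ev = parse_accepted(line)
        if ev is None or ev["user"] not in PRIVILEGED:
            continue
        try:
            addr = ipaddress.ip_address(ev["ip"])
        except ValueError:
            continue  # malformed address: skip rather than crash the pipeline
        if not any(addr in net for net in nets):
            alerts.append(
                f"{ev['user']} login via {ev['method']} from {addr} "
                f"(outside management network)"
            )
    return alerts


# Constructed sample log lines; 10.0.0.0/24 stands in for the management subnet.
SAMPLE_LOG = [
    "Oct 17 09:01:02 bigip1 sshd[4211]: Accepted publickey for admin from 10.0.0.5 port 50210 ssh2",
    "Oct 17 09:02:10 bigip1 sshd[4230]: Failed password for admin from 203.0.113.7 port 40110 ssh2",
    "Oct 17 09:02:14 bigip1 sshd[4230]: Accepted password for admin from 203.0.113.7 port 40110 ssh2",
    "Oct 17 09:05:00 bigip1 sshd[4250]: Accepted publickey for jdoe from 198.51.100.9 port 41000 ssh2",
]
MGMT_NETWORKS = ["10.0.0.0/24"]


if __name__ == "__main__":
    for a in privileged_login_alerts(SAMPLE_LOG, MGMT_NETWORKS):
        print("ALERT:", a)
```

The same rule generalises to the appliance's other administrative interfaces by adding a regex per log source; the decision logic (privileged account plus source outside the management network) stays the same.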



© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
