Weekly Cyber Briefing 20.10.2025
F5 breach exposes source code in suspected state-backed cyber attack; UK Government tells Boards that cyber accountability sits with them; Ransomware campaign abusing Azure certificates disrupted by Microsoft
The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris.
In August 2025, cybersecurity firm F5 disclosed that a nation-state threat actor had breached its internal systems, stealing parts of the BIG-IP source code, details of undisclosed vulnerabilities, and limited customer data. Although F5 found no evidence that its software supply chain or customer-facing systems were altered, the theft raises major concerns because F5 products are widely used to manage network traffic for governments and large organisations. The stolen information could enable hackers to discover or exploit new security flaws, prompting agencies such as CISA to issue urgent warnings and F5 to release critical updates. Users of F5 devices are strongly advised to apply patches, restrict external access, and monitor for suspicious activity, as the breach could lead to future targeted attacks despite no current evidence of exploitation.
Supply chain problems…yet again. It’s reported that a highly sophisticated nation-state threat actor broke into its systems and stole files containing source code and undisclosed vulnerability details. In essence, they’ve found a huge number of zero days in just one hack.
The advisory is to apply the latest updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients as soon as possible for optimal protection.
Notably, Google Threat Intelligence Group (GTIG) divulged that US companies have been targeted by the suspected Chinese hacking group (and other related clusters) to deliver the BRICKSTORM backdoor, which appears to be linked to this attack.
The 12-month dwell time is concerning, but we’re dealing with incredibly advanced attackers. Mapped to the likely BRICKSTORM TTPs, here are some steps to take to attempt to detect and respond:
T1190 – Exploit Public-Facing Application, configure GPO logging under Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit System Events and Audit Other System Events = Success, Failure. Enable Audit Network Policy Server Events as well. To limit access to appliance management interfaces, configure Windows Firewall with Advanced Security → Inbound Rules. Create a rule named “Mgmt-Interface-Allowed-Networks” with: Program = Any, Remote IP addresses = internal management subnet (e.g., 10.10.10.0/24), Action = Allow. Then add a second rule “Deny-All-Other-Mgmt-Access” with Remote IP = Any, Action = Block. This combination captures exploit attempts and restricts the attack surface.
T1059 – Command and Scripting Interpreter, enable script and command telemetry via GPO. Go to Computer Configuration → Policies → Administrative Templates → Windows Components → Windows PowerShell, set “Turn on Module Logging” and “Turn on Script Block Logging” to Enabled. Then configure Audit Process Creation under Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy and also under Advanced Audit Policy Configuration → Audit Process Creation = Success. Set registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine to DWORD 1. This logs all interpreter activity including command-line arguments, helping detect usage of implants like BRICKSTORM.
For T1547 – Boot or Logon Autostart Execution, use Intune to block persistence via scheduled tasks and startup entries. In Endpoint Security → Attack Surface Reduction → Rule: Block abuse of exploited vulnerable signed drivers, set to Enabled. Also in Device Configuration → Administrative Templates → System, push registry-based enforcement by clearing startup folder entries: configure HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as a blank or locked key. Additionally, restrict scheduled tasks via a PowerShell script deployed from Devices → Scripts that queries Get-ScheduledTask for non-Microsoft authors and removes them unless whitelisted.
T1071.001 – Application Layer Protocol: Web Protocols, control egress paths in GPO under Windows Firewall with Advanced Security → Outbound Rules. Create a rule “Block-Unapproved-C2-Web” with: Program = Any, Protocol = TCP, Remote Ports = 80, 443, Remote IP = Any, Action = Block. Then, create a rule “Allow-Only-Approved-Web-Egress” scoped to Remote IPs of approved proxy servers. To disable DoH, set HKLM\SOFTWARE\Policies\Microsoft\Windows\DnsPolicy\EnableAutoDoh = 0 (DWORD). This combination prevents HTTPS-based C2 and cloaked web protocols used by implants.
T1071.004 – DNS over HTTPS (DoH), in Intune, go to Device Configuration → Administrative Templates → Network → DNS Client, and set “DoH Allowed” to Disabled. Then, in Endpoint Security → Firewall → Outbound Rules, create a rule targeting executable paths such as %ProgramFiles%\Mozilla Firefox\firefox.exe and other DoH-capable browsers. For each: Protocol = TCP, Remote Port = 443, Action = Block. This ensures DNS queries do not escape visibility via encrypted channels.
T1003 – OS Credential Dumping, configure credential-related auditing in GPO. Go to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Credential Validation = Success, Failure and Audit Process Access = Success, Failure. Under Security Settings → Local Policies → Security Options, set “Audit Sensitive Privilege Use” to Success, Failure. These logins and process interactions are key for detecting LSASS access, NTDS.dit extraction, or clone-based attacks targeting credentials.
T1555 – Credentials from Password Stores, use Intune. Under Endpoint Security → Account Protection, enable “Credential Guard” for supported devices. Then, go to Administrative Templates → Microsoft Edge (or equivalent for Firefox/Chrome) and enable “Prevent saving passwords to the password manager.” Use AppLocker or Application Control in Intune to block unauthorized browser extensions, particularly those accessing credential stores. This hardens devices against password store compromise.
T1021.004 – Remote Services: SSH, restrict lateral SSH movement via GPO. In Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment, remove “Log on through Remote Desktop Services” from Domain Admins and Service Accounts, assigning access only to a jump-box user group. Then, under Windows Firewall with Advanced Security → Inbound Rules, create a rule named “Allow-SSH-From-JumpBox”: Program = sshd.exe, Port = 22, Remote IP = known jump-box IPs, Action = Allow. Follow with a “Deny-All-Other-SSH” rule for Port 22 and Remote IP = Any. This setup prevents untrusted sources (like appliances) from accessing privileged hosts over SSH.
For T1027 – Obfuscated Files or Information, implement protections in Intune. Under Device Configuration → Endpoint Protection, enable “Control Flow Guard (CFG)” and “Code Integrity”. Deploy a PowerShell script from Devices → Scripts that recursively scans folders like C:\Program Files\F5 for high-entropy executables. Example script:
Get-ChildItem “C:\Program Files\F5” -Recurse -Include *.exe | ForEach-Object {
$entropy=[System.Text.Encoding]::UTF8.GetBytes((Get-Content $_.FullName -Raw)) |
Measure-Object -Property Length -Average | Select -ExpandProperty Average
if ($entropy -gt 7.5) {
Write-EventLog -LogName Application -Source “ThreatHunting” -EventID 3001 -EntryType Warning -Message “High entropy file: $($_.FullName)”
}
}
This detects packed or obfuscated implants that avoid standard AV detection.
T1119 – Automated Collection, configure file system auditing via GPO. Under Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration, enable Audit File Share Access = Success, Failure and Audit Object Access on sensitive folders such as source code repositories or vaults. Then, under Windows Firewall with Advanced Security → Outbound Rules, create a rule called “Block-Unauthorized-File-Export” with: Program = Any, Remote IP Addresses = Any, Remote Port = greater than 1024 (or scoped to common file transfer ports), Action = Block. Apply exceptions only for approved tooling by path or hash. This configuration prevents unknown or unauthorized processes from staging or exfiltrating sensitive files via outbound connections.
Last week, the UK government posted an open letter to FTSE 350 chief executives urging them to make cybersecurity a Board responsibility. They advised executives to keep physical copies of key operational plans as a precaution against cyber attacks. A rise in significant cyber attacks has shown how quickly organisations can be thrown into chaos when computer systems fail.
The National Cyber Security Centre (NCSC) reports a surge in nationally significant incidents this year, following criminal attacks on Marks & Spencer, The Co-op, and Jaguar Land Rover, which caused catastrophic impact.
Richard Horne, NCSC chief executive, said organisations must plan for how they would operate and rapidly rebuild IT systems after an attack.
This feels like the first time the government has truly woken up to the potential severity and widespread impact of cyber attacks.
The letter serves as a reminder of what is already available, including the Cyber Governance Code of Practice, Cyber Resilience Bill, Early Warning Service, Cyber Essentials and the CAF. The letter asks executive and non-executive directors to prioritise cyber risk and pleads with firms to plan and exercise how they would continue operations and rebuild following a destructive cyber incident. Horne asks firms to have a plan for continued operation without their IT systems, which is exactly what we saw airlines practice when Collins’ vMUSE went down.
Realistic tabletop exercises that give executives time to rehearse scenarios can go a long way to raising the profile of cyber and getting a strong understanding of an organisation’s critical business functions. It also tests appetite for taking proactive shutdown measures (pulling the pink cable) or paying a ransom.
Microsoft has shut down a Rhysida ransomware campaign that used fake Microsoft Teams apps to trick victims. The attackers had managed to sign their malicious files with real digital certificates — including some issued through Microsoft’s own Azure Trusted Signing service — making the malware look like legitimate software.
In a post on X, Microsoft Threat Intelligence said it has now revoked over 200 certificates to stop the abuse. The hackers, known to Microsoft as Vanilla Tempest, used the fake Teams files to secretly install a backdoor called ‘Oyster’, which opened the door for Rhysida ransomware to spread across victim networks.
This is a proactive move by Microsoft. Delving a little deeper, VANILLA TEMPEST are a ransomware group that have been operating since 2021. They predominantly target the healthcare and education sectors, which are often considered the most vulnerable. We would recommend those in these sectors consider these practices to harden themselves from attack and improve their response measures:
1: Restrict execution of unsigned or suspiciously signed executables
Implementation Steps (GPO):
2: Block scheduled task persistence by unauthorized users
Implementation Steps (GPO):
3: Detect execution from non-standard paths
Implementation Steps (Intune):
4: Restrict certificate trust and alert on anomalies
Implementation Steps (GPO):
5: Monitor and block outbound RDP use
Implementation Steps (GPO):
6: Log and alert on PowerShell abuse (used by Oyster)
Implementation Steps (Intune):
Features 17.10.2025
It’s 2023 all over again as Fortra’s file transfer software is targeted.
Blogs & Opinions 14.10.2025
A new proof-of-concept attack spells trouble for SecOps teams.
Weekly Cyber Briefing 13.10.2025
Teenagers arrested after nursery cyber attack; Ransomware groups buddy up; Lapsus$ adopt new credential-purchasing tactics