Advisory ID: NCC-CSIRT-2025-030
Summary:
React Server Components (RSC) are a new paradigm in the React ecosystem that allows developers to render components exclusively on the server.
A critical remote-code-execution vulnerability known as React2Shell (CVE-2025-55182) in React Server Components and some frameworks like Next.js continues to be actively exploited by threat actors to deliver malware, including ZnDoor, a sophisticated remote access trojan targeting network-connected systems. The vulnerability enables attackers to execute arbitrary shell commands via specially crafted HTTP requests, leading to post-exploitation deployment of ZnDoor, which provides interactive shells, file operations, SOCKS5 proxy capability, system enumeration, and remote command execution. Attackers configure ZnDoor to maintain persistent connectivity to command-and-control infrastructure, making affected systems a potential foothold for further lateral movement or network compromise.
Damage/Probability: Critical/High
Indicators of Compromise (IoCs):
- Outbound HTTPS connections to known C2 hosts (e.g., api.qtss.cc:443).
- System processes bearing names that mimic legitimate daemons but running unexpected payloads.
- Persistent HTTP POST beaconing intervals (e.g., ~1 second).
- Unexpected shell sessions or files downloaded via /bin/sh commands from external servers (e.g., 45.76.155.14).
Product(s):
- React Server Components (RSC) and dependent frameworks such as React 19.x and Next.js 15.x/16.x used in server-side web applications
- Network-facing web servers and API endpoints running vulnerable server components
- Linux and Unix-based systems that serve applications affected by React2Shell
Version(s):
React Server Components versions affected by CVE-2025-55182 (older releases of RSC before patched builds) and certain implementations of Next.js that incorporate the same vulnerable deserialization logic.
Platform(s):
Cloud, enterprise, and web-application hosting platforms running vulnerable React/Next.js server components; any Linux-based infrastructure serving affected applications
Description:
The React2Shell vulnerability (CVE-2025-55182) is a critical weakness in React Server Components and some dependent frameworks (e.g., Next.js) that enables unauthenticated remote code execution through unsafe handling of user-controlled input in server deserialization logic. This flaw allows attackers to execute arbitrary commands on web servers hosting vulnerable applications.
Security researchers (e.g., NTT Security, Palo Alto Networks Unit 42) have observed active exploitation of React2Shell to deliver the ZnDoor malware. ZnDoor is deployed via a shell command executed on a compromised host that fetches the payload from a remote server and immediately connects back to a command-and-control (C2) server over HTTPS. Once active, ZnDoor beacons every second, transmitting system attributes such as hostname, username, network configuration, and process identifiers to the attacker. Its command processing supports interactive shell access, file upload/download, directory listing, file removal, and SOCKS5 proxy initiation.
To evade detection, ZnDoor quietly disguises its process name to mimic legitimate system services and alters file timestamps to older dates, thwarting simple forensic analysis. It also respawns child processes to maintain execution if an initial instance fails or is terminated.
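The IoCs above describe ZnDoor's network behaviour (HTTPS POST beacons roughly every second to a known C2 host). The following detection logic over proxy or web-server logs is an added example, not code from the advisory; it assumes a constructed log format of one request per line with an epoch timestamp, client IP, method and URL.

```python
# Beacon detection for the ZnDoor indicators above. Added example, not
# from the advisory; assumes a constructed log format, one request per line:
#     <epoch_seconds> <client_ip> <method> <url>
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Indicators quoted in the advisory: the C2 host and the payload-staging server.
KNOWN_C2_HOSTS = {"api.qtss.cc", "45.76.155.14"}

# Constructed sample traffic (not real telemetry): 10.0.0.5 POSTs to the C2
# host about once a second (ZnDoor-like), 10.0.0.7 browses normally and
# 10.0.0.9 posts telemetry once a minute.
SAMPLE_LOG = """\
1765000000.00 10.0.0.5 POST https://api.qtss.cc:443/
1765000001.02 10.0.0.5 POST https://api.qtss.cc:443/
1765000001.99 10.0.0.5 POST https://api.qtss.cc:443/
1765000003.01 10.0.0.5 POST https://api.qtss.cc:443/
1765000004.00 10.0.0.5 POST https://api.qtss.cc:443/
1765000000.50 10.0.0.7 GET https://www.example.com/index.html
1765000007.80 10.0.0.7 GET https://www.example.com/app.js
1765000009.10 10.0.0.7 POST https://www.example.com/api/login
1765000000.00 10.0.0.9 POST https://telemetry.example.net/v1/ping
1765000060.00 10.0.0.9 POST https://telemetry.example.net/v1/ping
1765000120.00 10.0.0.9 POST https://telemetry.example.net/v1/ping
1765000180.00 10.0.0.9 POST https://telemetry.example.net/v1/ping
1765000240.00 10.0.0.9 POST https://telemetry.example.net/v1/ping
"""

def parse_line(line):
    """Return (timestamp, client_ip, method, host) for one log line."""
    ts, client, method, url = line.split()
    return float(ts), client, method.upper(), urlsplit(url).hostname

def find_ioc_hits(lines):
    """(client, host) pairs that contacted a host on the advisory's IoC list."""
    hits = set()
    for line in lines:
        _, client, _, host = parse_line(line)
        if host in KNOWN_C2_HOSTS:
            hits.add((client, host))
    return hits

def find_beacons(lines, max_interval=1.5, max_jitter=0.25, min_requests=5):
    """Flag (client, host) pairs with a sustained, regular POST cadence:
    at least min_requests POSTs whose mean gap is <= max_interval seconds
    and whose population std dev is <= max_jitter. ZnDoor's ~1 s beacon
    fits; ordinary browsing and minute-scale telemetry do not.
    Returns {pair: mean_gap_seconds}."""
    posts = defaultdict(list)
    for line in lines:
        ts, client, method, host = parse_line(line)
        if method == "POST":
            posts[(client, host)].append(ts)
    flagged = {}
    for pair, stamps in posts.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) <= max_interval and pstdev(gaps) <= max_jitter:
            flagged[pair] = round(mean(gaps), 2)
    return flagged
```

Running `find_beacons(SAMPLE_LOG.splitlines())` flags only the 10.0.0.5 to api.qtss.cc pair; raising `max_interval` is how the same cadence check is tuned for slower implants.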
Threat Types:
- Exploitation of React2Shell (CVE-2025-55182), a critical unauthenticated (pre-auth) RCE.
- Remote access trojan deployment (ZnDoor) with broad command capabilities.
- Network tunnelling and proxy abuse (SOCKS5 activation).
- Process disguise and forensic evasion techniques (spoofed process names, timestamp manipulation).
Impacts:
- Attackers can gain shell access to run commands, steal data, and alter files on compromised systems.
- ZnDoor enables proxying and tunnelling through infected hosts, aiding lateral movement and evasion.
- Persistent C2 beaconing ensures continuous attacker access and control.
- Masquerading and timestamp tampering hinder detection and forensic analysis.
- React2Shell exposes many internet-facing React-based applications to exploitation if unpatched.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Patch React Server Components and Next.js to remediate the React2Shell vulnerability.
- Use WAFs and reverse proxies to block malformed or exploit-triggering HTTP requests.
- Enforce least privilege on web servers and restrict shell command execution.
- Isolate compromised hosts, conduct forensics, and rebuild from trusted images.
- Rotate exposed credentials and cryptographic keys after containment.
- Enable enhanced web and network logging to detect exploitation attempts.
- Ensure developers use only patched React and related dependencies.
- Prepare for rapid isolation and malware hunting using EDR tools.
- Patch vulnerable systems and block known React2Shell exploit signatures.
- Deploy WAF rules and monitor for unusual HTTPS POST beaconing.
- Integrate dependency scanning into CI/CD and production workflows.
References:
Advisory ID: NCC-CSIRT-2025-029
Summary:
Cisco has issued an urgent security advisory warning of active exploitation of a critical zero-day vulnerability (CVE-2025-20393) in its AsyncOS software, used on Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager (SEWM) appliances. The flaw has a CVSS score of 10.0, allowing unauthenticated remote code execution with root privileges when the Spam Quarantine feature is enabled and exposed to the internet, conditions present in some deployed environments.
Cisco Talos, the company’s threat intelligence team, has linked the ongoing attacks to a China-nexus advanced persistent threat actor tracked as UAT-9686, which has been active since at least November 2025. The actor uses the exploited systems to deploy persistent backdoors and tunneling tools, enabling deep, covert access.
Damage/Probability: Critical/High
Product(s):
- Cisco Secure Email Gateway (SEG) appliances
- Cisco Secure Email and Web Manager (SEWM) appliances
- Cisco AsyncOS software powering SEG/SEWM
Version(s):
- Cisco Secure Email Gateway (SEG) appliances
- Cisco Secure Email and Web Manager (SEWM) appliances
- Cisco AsyncOS software powering SEG/SEWM
Platform(s):
Enterprise and government email security infrastructure using Cisco SEG or SEWM appliances.
Description:
The vulnerability CVE-2025-20393 arises from improper input validation in the Spam Quarantine feature of Cisco AsyncOS. When the Spam Quarantine web interface is enabled and accessible from the internet, unauthenticated attackers can send crafted requests that bypass authentication and lead to arbitrary root code execution on the appliance.
Cisco became aware of active exploitation of this flaw on 10 December 2025 and has confirmed that victims include SEG and SEWM appliances with non-standard configurations (Spam Quarantine enabled and reachable externally).
The threat actor, tracked as UAT-9686, has deployed a toolkit comprising:
- AquaShell: a lightweight persistent backdoor used to maintain access.
- AquaTunnel (Reverse SSH): to facilitate secure reverse connections.
- Chisel: a TCP/UDP tunneling tool for flexible remote access.
- AquaPurge: a utility to clear logs and hinder forensic analysis.
Cisco Talos assesses that the attacker's toolset and infrastructure are consistent with other Chinese-linked threat groups and notes that similar implants have previously been attributed to UNC5174 and other state-aligned actors.
Threat Types:
- Unauthenticated Remote Code Execution (RCE) via AsyncOS zero-day
- Deployment of persistent backdoors (e.g., AquaShell)
- Reverse SSH tunnels (e.g., AquaTunnel, Chisel)
- Log purging/evasion tools (e.g., AquaPurge)
- High-profile APT exploitation (espionage, persistent foothold)
Impacts:
- Full appliance compromise: Exploitation can give attackers root-level control of Cisco email security devices.
- Email data exposure: Sensitive email traffic can be intercepted, modified, or exfiltrated.
- Persistent access: Backdoors and encrypted tunnels enable long-term remote access.
- Detection evasion: Log-wiping tools hinder detection and incident response.
- Espionage risk: APT exploitation raises the risk of targeted attacks on government, critical infrastructure, and enterprises.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Verify if Spam Quarantine is internet-exposed and restrict access via firewall, ACLs, or VPN.
- Temporarily disable Spam Quarantine where business operations allow.
- Restrict management interfaces (HTTP/HTTPS) to trusted networks only.
- Enforce strong passwords, MFA for admin access, and disable unused services.
- Review web logs and admin activity for signs of exploitation.
- Hunt for reverse SSH tunnels and tools such as AquaShell, AquaTunnel, or Chisel.
- Monitor Cisco advisories and apply patches immediately when released.
- Enforce network segmentation to limit access to AsyncOS management services.
- Block direct internet access to the Spam Quarantine interface where possible.
- Monitor for RPC/HTTP POST abuse and reverse SSH activity.
- Harden management plane access and prepare for rapid patch deployment.
References:
- https://thehackernews.com/2025/12/cisco-warns-of-active-attacks.html
- https://www.bleepingcomputer.com/news/security/cisco-warns-of-unpatched-asyncos-zero-day-exploited-in-attacks/
- https://www.threads.com/@thehackernews/post/DSZBprQj5M5
Advisory ID: NCC-CSIRT-2025-028
Summary:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical supply-chain vulnerability, CVE-2025-59374, affecting the ASUS Live Update client to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation in the wild. The flaw stems from malicious code inserted into official ASUS Live Update builds via a supply-chain compromise, enabling attackers to trigger unintended actions on targeted systems. This advisory highlights the risk to organizations that still deploy or rely on ASUS Live Update, and urges immediate mitigation to limit exposure.
Damage/Probability: Critical/High
Product(s):
ASUS Live Update Client (ASUS software utility for updating BIOS, drivers, and firmware on ASUS systems)
Version(s):
Affected ASUS Live Update binaries distributed with unauthorized modifications through a supply-chain compromise; versions installed prior to update/fix (malicious build conditions apply).
Platform(s):
ASUS laptops and PCs where the compromised ASUS Live Update client was installed; affected systems that meet specific targeting conditions, where malicious code can execute unintended actions.
Description:
The vulnerability CVE-2025-59374, now listed in CISA’s KEV Catalog, refers to an “embedded malicious code vulnerability” in certain ASUS Live Update client builds. These malicious builds were distributed via a supply chain compromise first publicly documented as part of the Operation ShadowHammer campaign (2018–2019), where threat actors infiltrated ASUS infrastructure and embedded unauthorized code in legitimate update packages. The compromised clients contained a hard-coded list of target identifiers (e.g., specific MAC addresses) so only selected systems would execute malicious logic.
Although the original campaign occurred years earlier, CISA’s classification reflects confirmation that systems with the tainted Live Update client still exist in operational environments, are reachable, and are being actively exploited by threat actors. The compromise allows execution of unintended actions under conditions defined by the malicious code, potentially permitting remote attackers or unauthorized processes to affect system state, exfiltrate data, or facilitate additional malicious payloads when target conditions are met. Because the affected Live Update client has reached end-of-support as of December 4, 2025, no future security patches will be produced for this component.
Threat Types:
- Supply-chain compromise
- Unauthorized modifications introduced into ASUS Live Update client distributions
- Remote code execution (RCE) through malicious update logic
- Targeted exploitation: malicious code triggers only on devices meeting specific criteria (e.g., specific MAC addresses)
- Persistence and lateral movement via tampered system update mechanisms
Impacts:
- Malicious code execution: Affected systems may run hidden malicious code, enabling remote compromise and persistence.
- Supply-chain compromise risk: Abuse of a trusted update mechanism allows attackers to bypass normal security controls.
- Targeted compromise: The malware was selectively triggered on specific systems, indicating possible pre-existing compromises.
- Lateral movement risk: Infected endpoints could be used as entry points for broader network attacks and data theft.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Uninstall ASUS Live Update from all systems and discontinue its use (end-of-support).
- Scan affected systems to ensure no residual malicious components remain.
- Replace with secure, supported update mechanisms for BIOS, drivers, and firmware.
- Monitor endpoints and network activity for suspicious behavior linked to ASUS Live Update.
- Enforce secure software update and supply-chain policies, including trusted sources and application allow-listing.
References:
- https://radar.offseq.com/threat/cisa-flags-critical-asus-live-update-flaw-after-ev-7604611d
- https://dec-solutions.com/cve-2025-59374-asus-live-update-compromise/
- https://blog.netmanageit.com/cisa-flags-critical-asus-live-update-flaw-after-evidence-of-active-exploitation/
- https://thehackernews.com/2025/12/cisa-flags-critical-asus-live-update.html
Advisory ID: NCC-CSIRT-2025-027
Summary:
Elastic Security Labs discovered a new, fully featured Windows backdoor named NANOREMOTE that uses the Google Drive API as a stealthy channel for command-and-control (C2), payload staging and data exfiltration. NANOREMOTE implements a task management system for reliable file transfers (queueing, pause/resume, refresh token handling) and also speaks to a hard-coded non-routable HTTP endpoint for operator requests. The implant shows clear code and infrastructure overlap with the previously documented FINALDRAFT family (REF7707 activity cluster), suggesting a shared authoring environment or common operator.
Damage/Probability: Critical/High
Product(s):
- Microsoft Windows (desktop and server endpoints)
- Applications that can run userland loaders (e.g., MSVC/C++ runtime hosts)
- Any enterprise environment where Google Drive API endpoints are reachable from workstations
Version(s):
Not version-specific; affects Windows systems where the NANOREMOTE implant or its loader (WMLOADER) can be executed.
Platform(s):
Enterprise and government Windows hosts, especially in targeted sectors (telecom, government, defence, education, aviation, etc.).
Description:
Elastic Security Labs identified a multi-stage attack in which WMLOADER, disguised as a Bitdefender component, deploys the NANOREMOTE backdoor. The malware supports remote control, reconnaissance, and data exfiltration via Google Drive and encrypted HTTP communications, with shared artifacts indicating links to FINALDRAFT and possible shared development.
C2 and exfiltration mechanics: NANOREMOTE can register with Google Drive to refresh tokens and queue tasks for uploading exfiltrated files or downloading staged payloads. Operator requests can be processed either via Google Drive file exchange or via the implant's HTTP POST channel. This dual-channel design enhances resilience and stealth.
Attribution signals: Code similarities and shared cryptographic artifacts tie NANOREMOTE to the REF7707 cluster (also linked to FINALDRAFT / Squidoor), a group previously observed by multiple vendors (Unit42, Palo Alto Networks) targeting government and telecom entities. Symantec/Broadcom also reported related intrusions in October 2025. These correlations raise the likelihood of state-aligned espionage tradecraft.
Threat Types:
- Covert C2 abuse of legitimate cloud API (Google Drive API)
- Data staging & exfiltration via cloud storage APIs
- Multi-stage loader + backdoor (WMLOADER -> NANOREMOTE)
- Espionage / targeted information theft (REF7707-linked activity)
Impacts:
- Sensitive data can be staged and exfiltrated via trusted cloud services (e.g., Google Drive), reducing network detectability.
- The loader and backdoor provide remote code execution and persistent access, with legitimate cloud APIs and tokens hindering detection and attribution.
- Telemetry links the toolset to REF7707-like activity targeting government and critical sectors.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Isolate suspected WMLOADER/NANOREMOTE hosts and collect key forensic artifacts for analysis.
- Revoke suspicious OAuth refresh tokens and audit Google Drive account activity; rotate affected credentials.
- Scan endpoints for known WMLOADER/NANOREMOTE indicators and quarantine infected systems.
- Block identified C2 endpoints and monitor for NANOREMOTE-related HTTP POST traffic.
- Enforce least-privilege cloud access by restricting OAuth scopes, applying conditional access, and monitoring token anomalies.
- Strengthen email and endpoint controls to prevent loader delivery and detect malicious shellcode.
- If compromise is confirmed, rebuild affected hosts, rotate all exposed credentials, and share IOCs with NCC-CSIRT and the national CERT.
References:
Advisory ID: ngCERT-2025-110010
SUMMARY
ngCERT alerts on escalating cyber-enabled financial scams by organised criminal networks targeting global financial systems. These scams are perpetrated by leveraging advanced technology and social engineering tactics, aimed at gaining illegal financial proceeds. In 2024 alone, global scam operations resulted in over $16.6 billion in losses to US victims, a 33% increase from the previous year, with Transnational Crime Organisations (TCOs) in Southeast Asia playing a central role. These networks employ forced labour in scam centres, AI-driven impersonation, and cryptocurrency laundering to target individuals and institutions. Recent international operations have led to thousands of arrests and asset seizures, but the threat persists, driven by high profits estimated at $3 trillion annually and evolving tactics. The severity, frequency and complexity of these scams underscore the need for individuals and financial institutions to implement proactive measures to safeguard their lives and systems.
Damage: Critical
Probability: High
Platform(s): Financial Systems
DESCRIPTION
These criminal networks operate like multinational corporations, establishing scam centres in regions with weak governance, such as Southeast Asia, where they coerce trafficked individuals into perpetrating fraud through debt bondage and violence. Key tactics include:
- Romance Baiting and Pig-Butchering Scams: Fraudsters build trust through dating apps or social media, posing as romantic interests or friends, then lure victims into fake cryptocurrency or investment platforms. Once invested, scammers drain funds, often using "USDT Token Approval Scams" where victims unknowingly grant wallet access through phishing links.
- Phishing and Impersonation: Mass phishing campaigns mimic banks or executives in Business Email Compromise (BEC) schemes, tricking users into transferring funds or credentials. Additionally, AI is utilised to enhance deep fakes for voice/video calls.
- Money Laundering through Mule Networks: Nearly 2 million money mule accounts were reported in 2024, where recruited individuals (often scam victims themselves) launder illicit proceeds through legitimate financial channels, including virtual asset service providers (VASPs).
- Investment and E-Commerce Fraud: Fake online shopping sites or high-yield investment promises exploit economic vulnerabilities, with proceeds funnelled through stablecoins like Tether (USDT).
CONSEQUENCES
The ramifications of these scams are highlighted as follows:
- Economic Losses.
- Human Exploitation.
- Systemic Risks.
- Psychological and Societal Harm.
SOLUTION/MITIGATION
ngCERT recommends that financial institutions should:
- Launch public campaigns to educate users on spotting romance scams, fake investments, and phishing while promoting 2FA and transaction cool-off periods.
- Deploy AI-powered behavioural biometrics and fraud detection systems to identify and block money mule accounts.
- Use advanced technology like deep fake detection tools and real-time wallet monitoring, combined with cross-sector intelligence sharing, to disrupt scams early.
- Tighten KYC/AML rules for high-risk transactions and conduct coordinated international operations against scam call centres.
- Encourage immediate reporting of all cyber-scam incidents to ngCERT and relevant agencies for rapid response.
- Establish easy-to-access victim hotlines, fund recovery pathways, and train bank staff to engage coerced money mules instead of prosecuting them.
HYPERLINK
- https://www.biocatch.com/press-release/nearly-two-million-money-laundering-accounts-reported-in-2024
- https://www.interpol.int/en/News-and-Events/News/2024/USD-257-million-seized-in-global-police-crackdown-against-online-scams
- https://www.moodys.com/web/en/us/kyc/resources/insights/how-organized-crime-networks-operate-financial-scams.html
- https://www.interpol.int/en/News-and-Events/News/2024/INTERPOL-Financial-Fraud-assessment-A-global-threat-boosted-by-technology