DigiCert’s Open-Source Intelligence (OSINT) Report – September 5 – September 11, 2025

Majority of Enterprise Internet-Exposed Assets Lack Web Application Firewall Protection

(TLP: CLEAR) A recent analysis conducted by CyCognito analysts has revealed alarming gaps in web application firewall (WAF) deployment across enterprise infrastructure, revealing that more than half of internet-exposed assets from Forbes Global 2000 companies operate without basic WAF protection. The investigation, conducted between January 1 and June 30, 2025, examined over 500,000 external enterprise assets and found that 52.3% of cloud-hosted assets and 66.4% of off-cloud assets lack WAF coverage. Intelligence reporting indicates concerning exposure patterns for assets handling personally identifiable information (PII). Nearly 40% (39.3%) of cloud-hosted PII-collecting assets and nearly two-thirds (63.4%) of off-cloud PII-collecting assets operated without WAF protection, including login portals, registration forms, and checkout pages. This leaves sensitive customer data vulnerable to credential stuffing, SQL injection attacks, and exploitation of web application vulnerabilities. These findings expose critical vulnerabilities in what should be considered baseline application security protections for modern enterprises.

(TLP: CLEAR) Comments: CyCognito attributes the aforementioned gaps of exposure primarily to organizational complexity rather than technology limitations, citing fragmented deployments where enterprises operate an average of 12 different WAF products (median of 11), with some deploying more than 30 different solutions managed by separate teams.
(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. “While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy. “WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.”
(TLP: CLEAR) DigiCert: Digicert’s Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. It’s always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats.
Source: https://www.scworld.com/news/more-than-half-of-internet-exposed-assets-have-no-web-application-firewall

GitHub Workflows Supply Chain Attack Compromises Hundreds of Repositories, Steals Thousands of Secrets

(TLP: CLEAR) Recent intelligence reporting highlights a sophisticated supply chain attack, dubbed “GhostAction”, that leveraged compromised GitHub Actions workflows resulting in the exfiltration of over 3,325 secrets from 327 GitHub users across 817 repositories. According to GitGuardian, who initially discovered GhostAction on September 5, 2025, the malicious campaign began with the compromise of a GitHub maintainer account associated with the FastUUID project, where attackers injected malicious workflow files designed to harvest and steal sensitive credentials. The stolen credentials spanned multiple critical service categories including PyPI tokens, npm tokens, DockerHub credentials, GitHub personal access tokens, and AWS access keys. Additionally, several companies had their entire SDK portfolios compromised simultaneously, with malicious workflows affecting Python, Rust, JavaScript, and Go repositories concurrently. Upon discovering the compromised FastUUID repository, GitGuardian immediately initiated multi-stakeholder notifications, alerting PyPI administrators who promptly secured the affected package in read-only mode within minutes of the alert. The compromised maintainer simultaneously reverted the malicious commit, effectively containing the immediate threat vector.

(TLP: CLEAR) Comments: Despite the swift containment efforts, GitGuardian’s forensic analysis revealed persistent exposure risks across package ecosystems. Additionally, the team identified 24 high-priority packages, 9 within the npm registry and 15 on PyPI, that remain at elevated risk of compromise due to the exfiltrated authentication tokens. These packages represent critical infrastructure dependencies that could enable secondary supply chain attacks if the stolen credentials are weaponized within the narrow window before complete credential rotation occurs.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.” 

(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices, inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.

Source: https://www.securityweek.com/github-workflows-attack-affects-hundreds-of-repos-thousands-of-secrets/

From MostereRAT to ClickFix: New Malware Campaigns Highlight Rising AI and Phishing Risks

(TLP: CLEAR) Analysts from Fortinet FortiGuard Labs have recently disclosed details of a sophisticated phishing campaign that delivers a stealthy banking malware-turned-remote access trojan, dubbed “MostereRAT”, employing advanced evasion techniques in order to gain complete system control and establish persistent access. The campaign utilizes business inquiry lures delivered via email to deceive recipients into downloading malicious Microsoft Word documents containing embedded ZIP archives that deploy the trojan. Reporting also reveals that along with the discovery of MostereRAT researchers have identified novel adaptations of “ClickFix” social engineering tactics that weaponize AI summarization tools through CSS-based obfuscation methods and “prompt overdose” techniques to deliver malicious instructions disguised as legitimate AI-generated content. Threat actors have been deploying fake Cloudflare Turnstile verification pages to distribute MetaStealer through abuse of the search-ms URI protocol handler, while others have demonstrated proof-of-concept attacks that manipulate AI summarization tools using CSS-based obfuscation and “prompt overdose” methods. These techniques enable adversaries to insert malicious instructions within content that appears to be legitimate AI-generated text, effectively weaponizing trust in automated systems to facilitate malware distribution and social engineering attacks.

(TLP: CLEAR) Comments: Together, these campaigns underscore the rapid convergence of established malware distribution methods with emerging AI exploitation strategies. The use of multi-language development frameworks, defense evasion techniques that mimic offensive security tools, and social engineering campaigns enhanced by AI obfuscation reflects a threat landscape that is becoming increasingly adaptive and complex. Threat actors are not only refining their technical capabilities but are also expanding the scope of their operations by embedding malicious instructions into trusted workflows and exploiting new vectors of user interaction.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following: 

• Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link. 

• Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts. 

• Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.

• Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.

(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware and phishing and other abuses: 

• The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars. 

• The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click. 

• The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature. 

• The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.

Source: https://thehackernews.com/2025/09/from-mostererat-to-clickfix-new-malware.html

Salesloft Drift Supply Chain Attack Traced to Months-Long GitHub Account Compromise

(TLP: CLEAR) A comprehensive forensic investigation has confirmed that the large-scale Salesloft Drift supply chain attack, which impacted hundreds of organizations throughout August 2025, originated from a prolonged and highly sophisticated compromise of Salesloft’s GitHub infrastructure. Evidence indicates that the intrusion began as early as March 2025, granting the adversaries months of persistent, undetected access to the company’s development environment. The campaign has been attributed to UNC6395, a threat group tracked by Google Threat Intelligence, which displayed a high degree of operational security and discipline throughout the operation. Over the course of more than three months, the attackers conducted extensive reconnaissance, mapped critical infrastructure, and implemented layered persistence mechanisms to ensure continued control within Salesloft’s systems. The threat actors also demonstrated sophisticated understanding of cloud infrastructure security by pivoting from the compromised GitHub environment to Drift’s Amazon Web Services infrastructure, where they successfully obtained OAuth authentication tokens that provided legitimate-appearing access to customer technology integrations without triggering standard security alerts or authentication challenges. Furthermore, the scope and impact of the credential theft campaign proved devastating across the cybersecurity industry, with confirmed victims including major security vendors Cloudflare, Palo Alto Networks, Zscaler, Tenable, and Qualys.

(TLP: CLEAR) Comments: The following attack represents a masterclass in advanced persistent threat methodology, where UNC6395 leveraged their initial GitHub foothold to systematically map Salesloft’s infrastructure, download sensitive content from multiple repositories, establish unauthorized guest user accounts, and deploy custom workflows designed to facilitate long-term access and data exfiltration capabilities.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following: 

• Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link. 

• Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts. 

• Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.

• Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.

(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.

Source: https://www.scworld.com/news/salesloft-drift-supply-chain-attack-originated-from-compromised-github-account?utm_source=sc-dailyscan&utm_medium=email&nbd=%7B%7Blead.HumId%7D%7D&nbd_source=mrkto&mkt_tok=MTg4LVVOWi02NjAAAAGc0gvgzyuxQfynTMRNW334MMlnExIG0aH1IgQ-T3H7sLba-k87BN5tonSaIeFUyyC7ZwQihu2-L7PBgtX51kpE1BS8TxsE71Bht9bXPm_Oy9blYA