Weekly Threat Analysis (Aug 19–26, 2025)

Weekly threat analysis: Orange Belgium breach, OAuth/Salesforce campaign, Cisco FMC CVE-2025-20265, Apple zero-day—plus a 48-hour CISO playbook and hunt tips.
Aug 26, 2025

Weekly Threat Analysis (Benelux, Aug 26, 2025)

Source: Trescudo Threat Intelligence • Author: Evangeline Smith, MarCom, Trescudo • Threat Level: High

TL;DR (what changed this week)

  • Telecom & government continue to be prime targets (Orange Belgium; Nevada state).

  • Third-party/SaaS social engineering is still driving breaches (Salesforce-linked campaign hitting Workday, Allianz).

  • Edge & identity remain the soft underbelly (critical Cisco FMC RCE; Kerberos zero-day patched).

  • Expect smishing/vishing waves following large PII leaks. Patch debt and OAuth abuse are the fastest paths to compromise.


1) Orange Belgium: 850k Customer Records Stolen (names, numbers, SIM/PUK, tariff)

What happened: A July intrusion disclosed last week exposed ~850,000 subscribers. No passwords reported, but data is perfect ammo for smishing/vishing and account recovery fraud. Action: monitor password-reset spikes, SIM-swap signals, and new OAuth grants; push customer comms. (BleepingComputer, TechRadar, Insurance Journal)

Hunt tips:

  • Surge in SMS phish domains impersonating Orange; user-agent anomalies in self-service portals.

  • Calls to carrier APIs for SIM activities from atypical IPs.


2) Nevada State Government: Statewide Outage, Offices Closed

What happened: A “network security incident” took down websites and phone lines; state offices suspended services while CISA assists. Ransomware is suspected; emergency services remain up. Action: review your crisis-comms & service continuity runbooks; rehearse 4-hour service-restoration objectives. (Reuters, The Record from Recorded Future, The Register)

Hunt tips:

  • Pre-ransom staging: new domain admin creation, GPO tampering, VSS deletions, lateral SMB with unusual service creation.


3) Salesforce-Linked Social Engineering Campaign (Workday, Allianz Life)

What happened: Ongoing vishing/OAuth-abuse campaign targeting CRM data. Workday and Allianz Life (1.1M individuals) disclosed impacts last week. Action: enforce admin consent + verified publisher for OAuth apps; revoke risky tokens; harden help-desk identity verification. (BleepingComputer, Cybersecurity Dive)

Hunt tips:

  • New high-scope OAuth consents; anomalous API pulls (Salesforce Data Loader-like patterns); support inbox rules forwarding to externals.
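A hunt for the two OAuth signals above, written as an added example (not Trescudo's or any vendor's code) over constructed consent-audit and API-usage events; the high-scope list and the 50k-records-per-hour bulk threshold are assumptions to tune per tenant.

```python
"""Hunt for risky OAuth consents and Data Loader-like bulk pulls over constructed audit events."""
from collections import defaultdict

# Assumed: scopes that hand an app broad CRM read/export access; tune to your tenant.
HIGH_SCOPES = {"full", "api", "refresh_token", "web"}
BULK_RECORDS_PER_HOUR = 50_000  # assumed threshold for what counts as a bulk export

# Constructed consent-audit events: who granted which scopes to which app, and whether the
# publisher is verified. 'DataSync Helper' is the unverified, high-scope grant to worry about.
CONSENTS = [
    {"user": "alice", "app": "Sales Insights",  "publisher_verified": True,  "scopes": ["api"]},
    {"user": "bob",   "app": "DataSync Helper", "publisher_verified": False, "scopes": ["full", "refresh_token"]},
    {"user": "carol", "app": "Calendar Lite",   "publisher_verified": False, "scopes": ["openid"]},
]

# Constructed API-usage rows: (app, hour bucket, records returned). The second app pulls
# 75k records at 02:00, the kind of volume a Data Loader-style export produces.
API_USAGE = [
    ("Sales Insights",  "2025-08-20T09", 1_200),
    ("DataSync Helper", "2025-08-20T02", 40_000),
    ("DataSync Helper", "2025-08-20T02", 35_000),
]

def risky_consents(consents):
    """Apps with high-scope grants from unverified publishers (what admin consent should have blocked)."""
    return sorted({c["app"] for c in consents
                   if not c["publisher_verified"] and HIGH_SCOPES.intersection(c["scopes"])})

def bulk_exporters(usage, threshold=BULK_RECORDS_PER_HOUR):
    """Apps whose records pulled within any single hour exceed the threshold."""
    per_hour = defaultdict(int)
    for app, hour, n in usage:
        per_hour[(app, hour)] += n
    return sorted({app for (app, _), n in per_hour.items() if n > threshold})

def hunt(consents=CONSENTS, usage=API_USAGE):
    """Combine both signals; apps on both lists are the first tokens to revoke."""
    risky, bulk = set(risky_consents(consents)), set(bulk_exporters(usage))
    return {"risky_consents": sorted(risky),
            "bulk_exporters": sorted(bulk),
            "revoke_first": sorted(risky & bulk)}

if __name__ == "__main__":
    print(hunt())
```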


4) Cisco Secure FMC Critical RCE (CVE-2025-20265, CVSS 10)

What happened: Critical unauthenticated RCE in Firewall Management Center—central command for ASA/FTD—fixed Aug 14; widely flagged last week. Action: patch FMC immediately; remove public exposure; rotate admin creds and tokens; review change logs on managed firewalls. (sec.cloudapps.cisco.com, CIS)

Hunt tips:

  • Unexpected processes on FMC, suspicious outbound connections, new/modified access-control policies pushed to FTD/ASA outside CAB windows.


5) Microsoft Patch Tuesday: 107 CVEs, Kerberos Zero-Day (CVE-2025-53779)

What happened: MS patched 107 issues, including a publicly disclosed Kerberos EoP. If unpatched, AD compromise becomes easier for attackers already inside. Action: fast-track domain controller updates; monitor for abnormal Kerberos ticket requests/AS-REP anomalies. (CrowdStrike, The Hacker News, ivanti.com)

Hunt tips:

  • Sudden spike in service ticket creation; modifications to msDS-* attributes; anomalous lateral auth patterns from non-tiered admins.
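Two of those hunts as an added example (not from the original report) over constructed Windows Security events: a per-account spike in service-ticket requests (Event ID 4769) against that account's own hourly median, and directory writes (Event ID 5136) that touch msDS-* attributes; the 5x factor and the absolute floor of 20 are assumed thresholds.

```python
"""Two checks over constructed Windows Security events: a per-account spike in Kerberos
service-ticket requests (Event ID 4769) and directory writes to msDS-* attributes (Event ID 5136)."""
from collections import Counter, defaultdict
from statistics import median

# Constructed events: (event_id, hour bucket, account, attribute or None). Hours 08-13 are a
# quiet baseline; in hour 14 'svc-backup' suddenly requests 60 service tickets and an
# msDS-* attribute is written under the same account.
EVENTS = (
    [(4769, f"2025-08-19T{h:02d}", "alice", None) for h in range(8, 14) for _ in range(3)]
    + [(4769, f"2025-08-19T{h:02d}", "svc-backup", None) for h in range(8, 14) for _ in range(2)]
    + [(4769, "2025-08-19T14", "svc-backup", None)] * 60
    + [(5136, "2025-08-19T14", "svc-backup", "msDS-AllowedToDelegateTo"),
       (5136, "2025-08-19T10", "admin", "description")]
)

def ticket_spikes(events, factor=5, floor=20):
    """Return (account, hour, count, baseline) where the hour's 4769 count exceeds both
    factor x the account's median hourly count and an absolute floor (assumed thresholds)."""
    counts = Counter((acct, hour) for eid, hour, acct, _ in events if eid == 4769)
    per_acct = defaultdict(dict)
    for (acct, hour), n in counts.items():
        per_acct[acct][hour] = n
    hits = []
    for acct, hours in per_acct.items():
        for hour, n in sorted(hours.items()):
            others = [v for h, v in hours.items() if h != hour]
            base = median(others) if others else 0
            if n > max(factor * base, floor):
                hits.append((acct, hour, n, base))
    return hits

def msds_writes(events):
    """Return (account, hour, attribute) for 5136 writes touching msDS-* attributes."""
    return [(acct, hour, attr) for eid, hour, acct, attr in events
            if eid == 5136 and attr and attr.lower().startswith("msds-")]

if __name__ == "__main__":
    print(ticket_spikes(EVENTS))
    print(msds_writes(EVENTS))
```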


6) Australia: TPG/iiNet Breach via Stolen Credentials

What happened: iiNet order-management system accessed with stolen employee creds; ~280k emails, 20k landlines, and other contact data affected. Action: credential hygiene; geo-fenced admin access; email/SMS fraud advisories to customers. (TechRadar, Reuters, help.iinet.net.au)

Hunt tips:

  • Impossible travel on admin accounts; legacy auth in use; scripted data exports outside business hours.
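The impossible-travel check as an added example (not code from the report or from iiNet) over a constructed sign-in log with geo-located sessions; the 900 km/h plausibility ceiling is an assumption.

```python
"""Flag impossible travel on admin accounts from constructed sign-in records."""
import math
from datetime import datetime

MAX_KMH = 900  # assumed plausibility ceiling (roughly airliner speed); tune to your tolerance

# Constructed sign-in log: (account, ISO timestamp, city, lat, lon). The order-management admin
# authenticates from Sydney and then from Brussels 57 minutes later.
SIGNINS = [
    ("oms-admin", "2025-08-18T01:05:00", "Sydney",   -33.87, 151.21),
    ("oms-admin", "2025-08-18T02:02:00", "Brussels",  50.85,   4.35),
    ("helpdesk1", "2025-08-18T08:00:00", "Brussels",  50.85,   4.35),
    ("helpdesk1", "2025-08-18T12:30:00", "Antwerp",   51.22,   4.40),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(signins, max_kmh=MAX_KMH):
    """Return (account, from_city, to_city, implied_kmh) for consecutive sign-ins that
    would require moving faster than max_kmh; same-second logins from two places give inf."""
    hits, last = [], {}
    for acct, ts, city, lat, lon in sorted(signins, key=lambda r: (r[0], r[1])):
        t = datetime.fromisoformat(ts)
        if acct in last:
            pt, pcity, plat, plon = last[acct]
            km = haversine_km(plat, plon, lat, lon)
            hours = (t - pt).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf
            if km > 1 and speed > max_kmh:  # ignore sub-km jitter from geo-IP lookups
                hits.append((acct, pcity, city, speed if math.isinf(speed) else round(speed)))
        last[acct] = (t, city, lat, lon)
    return hits

if __name__ == "__main__":
    for hit in impossible_travel(SIGNINS):
        print("impossible travel:", hit)
```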


SOC Playbook: 48-Hour Actions

  1. Identity first

    • Revoke risky OAuth tokens; enforce admin consent + verified publisher.

    • Step-up auth for help-desk password resets; require callback to a verified number.

  2. Edge & management plane

    • Patch Cisco FMC; remove internet exposure; rotate secrets.

    • Validate MS Kerberos updates on DCs; watch for ticket anomalies.

  3. Assume breach & detect behavior

    • Enable/author XDR detections for: web-shell artifacts, VSS deletions, suspicious GPO writes, new domain admins, archive-to-payload chains, LOLBins (wmic, certutil, rundll32).

    • Threat-hunt for new high-scope OAuth consents and bulk CRM exports.

  4. Continuity & comms

    • Run a 1-system offline restore (prove RTO).

    • Publish a customer & employee micro-advisory on vishing/smishing tied to recent breaches.
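The pre-ransom staging hunt from the Nevada section and the XDR detections in step 3 of this playbook share one correlator, given here as an added example (not Trescudo's or any XDR vendor's code) over constructed Windows event rows; the event IDs are the standard Security-log IDs, while the regex rules, host names and the two-technique escalation threshold are assumptions.

```python
"""Correlate pre-ransom staging signals per host over constructed Windows event rows."""
from collections import defaultdict
import re

# Constructed events: (host, event_id, detail). 4728 = member added to a global group,
# 5136 = directory object modified, 4688 = process created, 7045 = service installed.
EVENTS = [
    ("dc01", 4728, "group=Domain Admins member=svc-sync"),
    ("dc01", 5136, "objectClass=groupPolicyContainer attr=gPCFileSysPath"),
    ("fs02", 4688, "cmd=vssadmin.exe delete shadows /all /quiet"),
    ("fs02", 7045, "service=PSEXESVC path=C:\\Windows\\PSEXESVC.exe"),
    ("fs02", 4688, "cmd=wmic.exe shadowcopy delete"),
    ("ws17", 4688, "cmd=notepad.exe"),
    ("ws17", 7045, "service=Sense path=C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe"),
]

# Assumed rules: (technique label, event id, regex over the detail field); extend per environment.
RULES = [
    ("new_domain_admin", 4728, re.compile(r"group=Domain Admins")),
    ("gpo_tamper",       5136, re.compile(r"objectClass=groupPolicyContainer")),
    ("vss_delete",       4688, re.compile(r"vssadmin\.exe\s+delete\s+shadows|wmic\.exe\s+shadowcopy\s+delete", re.I)),
    ("lolbin",           4688, re.compile(r"cmd=(wmic|certutil|rundll32)\.exe", re.I)),
    ("remote_service",   7045, re.compile(r"service=PSEXESVC|path=\\\\", re.I)),
]

def techniques_by_host(events, rules=RULES):
    """Map host -> set of staging technique labels observed on it."""
    seen = defaultdict(set)
    for host, eid, detail in events:
        for label, rule_id, rx in rules:
            if eid == rule_id and rx.search(detail):
                seen[host].add(label)
    return dict(seen)

def staged_hosts(events, min_techniques=2):
    """Hosts showing at least min_techniques distinct staging behaviours, most suspicious first.
    A single signal is noise (backup jobs also touch VSS); several together warrant isolation."""
    scored = [(host, sorted(labels)) for host, labels in techniques_by_host(events).items()
              if len(labels) >= min_techniques]
    return sorted(scored, key=lambda item: (-len(item[1]), item[0]))

if __name__ == "__main__":
    for host, labels in staged_hosts(EVENTS):
        print(f"{host}: {', '.join(labels)}")
```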

Board KPIs (report next meeting):

  • Time-to-Isolate (median) ≤ 30 min

  • KEV patch SLA: internet-exposed ≤ 24h; internal ≤ 7 days

  • OAuth exposure: # of high-scope unverified apps (month-over-month ↓)

  • Restore confidence: quarterly offline restore evidence


Why this matters (strategy)

  • The attack paths this week are repeatable: stolen identities → OAuth abuse, edge RCE → lateral movement, PII leaks → social engineering at scale.

  • Controls that win: help-desk verification, OAuth governance, management-plane isolation, XDR with behavior analytics, and tested backups.



Disclaimer
This weekly threat analysis is based on publicly available reporting and vendor advisories as of 26 Aug 2025 and is provided for informational purposes only. It does not constitute legal, regulatory, or professional advice. Threat conditions change rapidly—validate indicators, detections, and patches in your own environment before acting. Trescudo makes no warranties and assumes no liability for actions taken based on this content. References to third-party companies or products are for identification only; all trademarks are the property of their respective owners. No client or confidential data was used in preparing this report.
