NormCyber Threat Bulletin: 23rd July 2025
Nessus for Windows: High-Severity Flaw Risks Full System Takeover (CVE-2025-36630)
Written by Desiree Westdorp, Threat Detection & Response Analyst
Severity: High (CVSS 8.4)
Impact: Privilege Escalation to SYSTEM Level
Affected Versions: Nessus versions prior to 10.8.5 on Windows platforms
Mitigation: Upgrade to Nessus 10.8.5 immediately
A high-severity flaw, CVE-2025-36630, has emerged in Tenable's Nessus for Windows, cutting straight to the core of trust in a tool meant to safeguard the very systems it now puts at risk. The vulnerability, an improper privilege management issue, allows a non-administrative local user to overwrite arbitrary system files with log content, with the write performed at SYSTEM level. In plain terms: it opens the door to local privilege escalation and total system compromise. With a CVSSv3 score of 8.4, this is not a minor oversight but a high-severity exposure affecting all Windows builds prior to 10.8.5. If Nessus forms any part of your defensive stack, this demands immediate action.
Technical aspect
The vulnerability stems from improper privilege management within Nessus’s logging subsystem on Windows platforms. The flaw permits a locally authenticated, non-administrative user to exploit the logging mechanism to overwrite arbitrary local system files with log content whilst operating at SYSTEM privilege level. This represents a classic privilege boundary violation where the application fails to properly validate file write operations based on actual user privilege levels.
Exploitation requires local access to the Windows system running Nessus, positioning it as a post-exploitation technique rather than an initial compromise vector. However, the impact is severe – successful exploitation grants attackers the ability to modify critical system files, potentially leading to complete system compromise or persistent access.
Attack Methodology
The exploitation process follows a straightforward path. An attacker with initial access to a Windows system manipulates Nessus’s logging functionality whilst operating with standard user privileges. Through carefully crafted log entries, the attacker can overwrite system files with malicious content, with the overwrite operation executing at SYSTEM privileges due to the privilege management flaw. This effectively transforms any user account compromise on a Nessus-enabled Windows system into potential SYSTEM-level access.
The potential business impact extends beyond immediate system compromise. Organisations face several critical risks including operational disruption that could render vulnerability scanning capabilities unreliable, creating blind spots in security monitoring. Compliance violations may occur as many regulatory frameworks require continuous vulnerability assessment, and compromised scanning infrastructure could lead to compliance failures. Additionally, SYSTEM-level access grants comprehensive visibility into organisational data, including sensitive vulnerability reports and network topology information.
Mitigation Strategy
Tenable addressed this vulnerability in Nessus version 10.8.5, released on 30 June 2025. The fix implements proper privilege validation within the logging subsystem, preventing non-administrative users from leveraging SYSTEM-level file operations.
Immediate actions required include upgrading all Windows-based Nessus installations to version 10.8.5 immediately, verifying successful installation and functionality post-upgrade, and reviewing system logs for suspicious file modification activities. Long-term enhancements should include deploying Nessus on dedicated, hardened systems with minimal user access and implementing comprehensive logging and monitoring for Nessus infrastructure.
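Two of the actions above, checking every Windows scanner's version against 10.8.5 and reviewing file-write telemetry for the pattern the advisory describes, can be scripted. The block below is an added example written for this bulletin, not Tenable code: it assumes the default install layout (nessusd.exe under C:\Program Files\Tenable\Nessus, data and logs under C:\ProgramData\Tenable\Nessus) and a constructed pipe-delimited export format for file-create events; both are assumptions to adjust to your environment.

```python
"""Two checks for a Windows Nessus estate, added for this bulletin (not Tenable code).

Assumptions, all adjustable:
  - the fixed build is 10.8.5 (from the advisory above);
  - nessusd.exe lives under C:\\Program Files\\Tenable\\Nessus and its legitimate
    writes stay under C:\\ProgramData\\Tenable\\Nessus (default install paths);
  - file-create telemetry arrives as pipe-delimited key=value lines, a
    constructed export format, not any vendor's native schema.
"""
import re
from dataclasses import dataclass
from typing import Iterable

PATCHED_VERSION = (10, 8, 5)
NESSUS_IMAGE_NAME = "nessusd.exe"           # assumed service binary name
ALLOWED_WRITE_PREFIXES = (                  # assumed legitimate write locations
    "c:/programdata/tenable/nessus/",
    "c:/program files/tenable/nessus/",
)


@dataclass(frozen=True)
class Finding:
    utc_time: str
    image: str
    target: str
    user: str


def version_tuple(text: str) -> tuple:
    """'10.8.4' or '10.8.5 (#32)' -> (10, 8, 4) / (10, 8, 5); build suffixes are ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable Nessus version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True for any Windows Nessus build older than the 10.8.5 fix."""
    return version_tuple(version) < PATCHED_VERSION


def _norm(path: str) -> str:
    """Case-fold and use forward slashes so prefix checks are not fooled by casing or separators."""
    return path.replace("\\", "/").lower()


def parse_record(line: str) -> dict:
    """Parse 'Key=Value|Key=Value' (constructed format) into a dict; values may contain spaces."""
    return dict(field.split("=", 1) for field in line.strip().split("|") if "=" in field)


def triage(lines: Iterable[str]) -> list:
    """Flag file creates/overwrites by nessusd.exe that land outside its own directories.

    A SYSTEM-level Nessus process writing log content into, say, C:\\Windows is
    the behaviour the advisory describes, so it deserves an analyst's eyes even
    on a patched host (there it would point at a non-default configuration).
    """
    findings = []
    for line in lines:
        rec = parse_record(line)
        if not _norm(rec.get("Image", "")).endswith("/" + NESSUS_IMAGE_NAME):
            continue
        if _norm(rec.get("TargetFilename", "")).startswith(ALLOWED_WRITE_PREFIXES):
            continue
        findings.append(Finding(rec.get("UtcTime", ""), rec.get("Image", ""),
                                rec.get("TargetFilename", ""), rec.get("User", "")))
    return findings


# Constructed sample telemetry: one normal log write, one write into System32
# by the Nessus service, one unrelated svchost write.
SAMPLE_EVENTS = [
    "UtcTime=2025-07-01 09:14:02.110|EventID=11|Image=C:\\Program Files\\Tenable\\Nessus\\nessusd.exe"
    "|TargetFilename=C:\\ProgramData\\Tenable\\Nessus\\nessus\\logs\\nessusd.messages|User=NT AUTHORITY\\SYSTEM",
    "UtcTime=2025-07-01 09:14:05.402|EventID=11|Image=C:\\Program Files\\Tenable\\Nessus\\nessusd.exe"
    "|TargetFilename=C:\\Windows\\System32\\drivers\\etc\\hosts|User=NT AUTHORITY\\SYSTEM",
    "UtcTime=2025-07-01 09:14:07.001|EventID=11|Image=C:\\Windows\\System32\\svchost.exe"
    "|TargetFilename=C:\\Windows\\Temp\\update.tmp|User=NT AUTHORITY\\SYSTEM",
]

if __name__ == "__main__":
    for host, ver in {"scan01": "10.8.4", "scan02": "10.8.5 (#32)"}.items():
        print(f"{host}: {ver} -> {'UPGRADE' if is_vulnerable(ver) else 'patched'}")
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.utc_time} {f.image} wrote {f.target} as {f.user}")
```

Feed `triage()` the lines of a real export to review a host's history; the version check is what actually closes the exposure, the telemetry check is for finding out whether anyone got there first.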
The disclosure follows established responsible disclosure practices, with Tenable providing coordinated response and timely patch release. No evidence of active exploitation has been reported, though the straightforward nature suggests proof-of-concept code will likely emerge rapidly.
This vulnerability serves as a stark reminder that security tools require the same rigorous security practices applied to other critical infrastructure components. Organisations should treat this vulnerability with highest priority, implementing patches immediately whilst conducting comprehensive reviews of their vulnerability management infrastructure security posture.
Summary
CVE-2025-36630 serves as a timely reminder that even trusted tools like Nessus can harbour vulnerabilities. Don’t let this one slip through the cracks – check your Nessus version and apply patches without delay. Norm’s Managed Detection and Response services can help spot potential threats, while our patch management solutions keep your systems secure. Need assistance securing your Nessus deployment? Our team is ready to lend a hand.
References:
Nessus Version 10.8.5 Fixes Multiple Vulnerabilities (tenable.com)
Tenable Nessus 2025 Release Notes (tenable.com)
Written by Desiree Westdorp, Threat Detection & Response Analyst
Threat Level: Critical
Impact: Complete data loss, business disruption
Platforms: Windows, Linux, NAS, ESXi
Here's something that should genuinely keep security teams awake at night: a ransomware group that has decided the traditional extortion model is too predictable. Anubis RaaS emerged in December 2024, and it has essentially torn up the ransomware playbook. Most threat actors follow a basic business model: encrypt your files, demand payment, provide decryption keys. It's criminal, but there is an implied transaction.
Anubis has decided that sometimes they’ll just destroy your data anyway. Their “/WIPEMODE” parameter doesn’t encrypt – it completely obliterates file contents. Pay the ransom or don’t; once they activate that functionality, your data is gone forever. It’s like dealing with cybercriminals who’ve decided that burning down the house is more satisfying than robbing it.
How They Operate
The attack typically begins with sophisticated spear-phishing campaigns, escalating to SYSTEM-level privileges before deploying Elliptic Curve Integrated Encryption Scheme (ECIES) for file encryption. Affected files receive the “.anubis” extension, and the malware attempts to replace desktop wallpapers with their branding.
The real differentiator is that wiper module, which the ransom note conveniently fails to mention. When activated, it erases file contents, leaving each file at 0 KB, whilst preserving filenames and directory structures. You will see your entire file system exactly as it should be, folders, filenames, hierarchies, except that every file you open is an empty shell.
Current Threat Landscape
Initially targeting healthcare, construction, and engineering companies across Australia, Canada, Peru, and the United States, Anubis recently claimed responsibility for a significant breach at Disneyland Paris in June 2025, allegedly involving a partner company and resulting in a 64GB leak of approximately 39,000 files.
These aren’t amateur operators. Anubis maintains a sophisticated affiliate programme advertised on cybercrime forums RAMP and XSS, using handles “supersonic” and “Anubis__media” with communications in Russian. It’s essentially a criminal enterprise with corporate structure.
Why This Changes Everything
Traditional threat actors maintain some level of “business ethics” – they need victims to pay to sustain operations. Anubis has calculated that reputation damage doesn’t outweigh the psychological impact of complete data destruction. This breaks the implicit game theory that has governed ransomware negotiations. When the assumption that payment leads to recovery is removed, the entire risk calculation changes.
Defensive Requirements
Standard ransomware defences are insufficient. The critical question shifts from “how do we prevent this?” to “what happens when prevention fails?”
Backup strategies require fundamental reconsideration. When facing adversaries who view data destruction as tactically advantageous, backup integrity becomes your only viable recovery path. Offline, immutable backups aren't just best practice; they are organisational survival requirements. Air-gapped systems, version control, and regular restoration testing become non-negotiable. Bear in mind what the wiper leaves behind: zero-byte files with their original names and paths, which is exactly what a continuous sync or mirroring job will faithfully copy over the last good version, so retention depth and versioning matter as much as the backup itself.
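The restoration testing that paragraph calls for has to look for the wiper's specific signature, not just "the job succeeded". The block below is an added example written for this bulletin, not Anubis code and not any backup product's API: it builds a size-and-hash manifest of a file tree, then classifies a later copy of that tree into wiped (same path, now empty), encrypted (path replaced by a ".anubis" sibling), missing or modified. The ".anubis" extension and the zero-byte behaviour come from the reporting above; the sample trees are constructed in memory, and snapshot_dir() produces the same structure from a real directory.

```python
"""Backup manifest verification tuned to the Anubis wiper's signature.

Added for this bulletin; not the ransomware's code and not any backup vendor's API.
Assumptions: encrypted files gain the '.anubis' extension and wiped files keep
their name and path but are left empty (both as described above). A 'snapshot'
is a mapping of relative path -> file bytes; snapshot_dir() builds one from a
real directory, the trees at the bottom are constructed in memory.
"""
import hashlib
import os
from typing import Dict, Mapping, Tuple

RANSOM_EXTENSION = ".anubis"


def snapshot_dir(root: str) -> Dict[str, bytes]:
    """Read every regular file under root, keyed by forward-slash relative path."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                snap[rel] = fh.read()
    return snap


def build_manifest(snapshot: Mapping[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """path -> (size, sha256). Keep this where the wiper cannot reach it
    (offline media, WORM/immutable storage); it is the reference for every restore test."""
    return {p: (len(b), hashlib.sha256(b).hexdigest()) for p, b in snapshot.items()}


def audit(snapshot: Mapping[str, bytes], manifest: Mapping[str, Tuple[int, str]]) -> Dict[str, list]:
    """Compare a restored or live tree against the manifest and classify each divergence.

    'wiped'     path exists but is now empty although the manifest says it had content
    'encrypted' path is gone and a sibling with the ransom extension appeared instead
    'missing'   path is gone with no ransom-extension sibling
    'modified'  content differs from the manifest hash (any other tampering)
    """
    report = {"wiped": [], "encrypted": [], "missing": [], "modified": []}
    for path, (size, digest) in manifest.items():
        if path not in snapshot:
            key = "encrypted" if path + RANSOM_EXTENSION in snapshot else "missing"
            report[key].append(path)
            continue
        data = snapshot[path]
        if len(data) == 0 and size > 0:
            report["wiped"].append(path)
        elif hashlib.sha256(data).hexdigest() != digest:
            report["modified"].append(path)
    return report


def restore_is_trustworthy(report: Mapping[str, list]) -> bool:
    """A restore point is usable only if nothing diverged from the manifest."""
    return not any(report.values())


# Constructed sample trees (not real victim data).
ORIGINAL_TREE = {
    "finance/q2.xlsx": b"PK\x03\x04 spreadsheet bytes",
    "hr/contracts.docx": b"PK\x03\x04 document bytes",
    "readme.txt": b"constructed sample tree\n",
}
# After /WIPEMODE: same names, same layout, empty files.
WIPED_TREE = {path: b"" for path in ORIGINAL_TREE}
# After the encryption path: originals replaced by .anubis files.
ENCRYPTED_TREE = {path + RANSOM_EXTENSION: b"\x9f\x1e opaque ciphertext" for path in ORIGINAL_TREE}

if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL_TREE)
    for label, tree in (("clean", ORIGINAL_TREE), ("wiped", WIPED_TREE), ("encrypted", ENCRYPTED_TREE)):
        result = audit(tree, manifest)
        print(label, "trustworthy" if restore_is_trustworthy(result) else result)
```

Generate the manifest when the backup is taken and store it with the offline copy; at restore-test time, snapshot the restored tree and audit it. A restore that passes the job's own success check but fails this audit is exactly the blind spot the wiper is designed to exploit.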
Bottom Line
Anubis changes the fundamental risk equation because it removes the implicit guarantee that characterises traditional ransomware operations. With no assurance that payment leads to recovery, the only viable strategy is prevention backed by a recovery path the attacker cannot touch: there is no acceptable risk tolerance when facing adversaries who view complete data destruction as an acceptable tactical outcome.
For organisations still operating under traditional ransomware assumptions, Anubis serves as a critical wake-up call. The threat landscape has evolved beyond simple extortion into deliberate business destruction. Your security strategy needs to evolve accordingly.
References:
Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper (trendmicro.com)
Anubis Ransomware Targets Global Victims with Wiper Functionality (picussecurity.com)
Gigabytes of Disneyland data “just end up” in ransomware gangs’ hands (cybernews.com)
Written by Matthew Johnson, Threat Intelligence Analyst
Cyber security researchers at Cisco Talos are calling attention to ongoing phishing campaigns that impersonate popular brands including Microsoft and DocuSign, tricking targets into calling phone numbers operated by threat actors.
In the article, Talos highlights a significant number of email threats that use PDF attachments to persuade victims to call adversary-controlled phone numbers, a newly popular social engineering tactic known as Telephone-Oriented Attack Delivery, or TOAD for short.
In the published research, an analysis of phishing emails with PDF attachments between May 5th and June 5th, 2025, highlighted Microsoft and DocuSign as the most impersonated brands, while brands including PayPal and NortonLifeLock were the most impersonated in TOAD emails with PDF attachments.
This activity is part of a wider set of phishing attacks that exploit the trust people place in legitimate brands to get victims to take the action the attacker wants. These messages typically carry PDF attachments dressed in a legitimate brand's logos and layout, and the PDFs include either a QR code that points to a fake Microsoft login page, or a link that redirects the victim to phishing pages posing as legitimate services such as Dropbox.
Phishing attacks with PDF payloads have also been seen to abuse PDF annotations to embed URLs in comments, form fields or sticky notes within the attachment. Combining this with links and QR codes that resolve to authentic web pages lets the threat actor's PDF appear trustworthy and legitimate to the reader.
In TOAD-based attacks, victims are coerced into calling a threat-actor-operated number under the false pretence that they need to resolve an issue, typically a bogus charge or subscription renewal. During the call, the attacker masquerades as a customer service representative and attempts to trick the victim into installing malicious software onto their device or disclosing sensitive information. This technique has been popular among threat actors for some time; one example is Luna Moth, highlighted by the FBI in May 2025 as a financially motivated group employing it to target small and medium-sized businesses in the legal industry.
It doesn't stop at masquerading as legitimate businesses. In recent months, phishing campaigns have also abused a legitimate Microsoft 365 feature known as Direct Send, which lets an attacker deliver mail that appears to come from internal users without compromising an account, making these campaigns harder to spot and more dangerous. Microsoft has since introduced a "Reject Direct Send" setting for Exchange Online; tenants that do not need Direct Send for printers, scanners or line-of-business applications should enable it, and every tenant should confirm that inbound mail claiming its own domain is still subject to SPF and DMARC checks rather than trusted simply because it looks internal.
In summary, the recent surge in PDF‑based phishing attacks represents a sophisticated social‑engineering evolution. By disguising threats within trusted document formats, exploiting voice interaction and leveraging brand familiarity, attackers evade traditional defences.
References:
PDFs: Portable documents, or perfect deliveries for phish? (talosintelligence.com)
Hackers Using PDFs to Impersonate Microsoft, DocuSign, and More in Callback Phishing Campaigns (thehackernews.com)
Microsoft 365 ‘Direct Send’ abused to send phishing as internal users (bleepingcomputer.com)
Norm tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.