Emerging Threats & Security Strategies
WEEK OF JAN 19, 2026 | ISSUE 15 | "Stay informed. Stay prepared. Stay secure with Dragon Sight"

This Week in Dragon Sight
This week’s reporting highlights a sharp escalation in attacks that exploit trust, identity, and widely adopted platforms. New research revealed a Kerberos relay technique abusing DNS CNAME records to bypass authentication safeguards, while multiple supply chain incidents, including compromised AWS Console components and workflow automation tooling, demonstrated how upstream trust failures can rapidly cascade into enterprise environments. Criminal groups continued to favor scale and stealth, leveraging malicious Chrome extensions to steal credentials from enterprise HR systems and using hundreds to thousands of compromised websites to distribute malware at volume. Infrastructure abuse also intensified, with attackers exploiting misconfigured proxies to access paid large language model services and organizations facing operational pressure from the industry shift toward shorter-lived TLS certificates. Together, these incidents reflect a sustained focus by both criminal and state-aligned actors on identity systems, cloud control planes, and software supply chains as high-impact targets.
NEW!
Check out our new YouTube channel!

CYBER NEWS ROUNDUP
Nexus-Dragon Cybersecurity Roundup: News Articles from Around the Web Relevant to the SMB
Kerberos Relay Attack Abuses DNS CNAME Records
Researchers uncovered a Kerberos relay attack technique that exploits DNS CNAME records to redirect authentication traffic and gain unauthorized access to internal services. The threat primarily impacts Active Directory environments and can enable lateral movement and privilege escalation without exploiting software vulnerabilities. Nexus-Dragon views this as critical for SMBs because many rely on default AD configurations without continuous identity monitoring, making them especially vulnerable to trust abuse attacks.
Read more: https://cybersecuritynews.com/kerberos-relay-attack-uses-dns-cname/
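Because the technique depends on CNAME records that redirect clients to a different host, one practical defensive control (alongside the signing and EPA hardening in the Cyber Hygiene list below) is to periodically audit the CNAME records in AD-integrated DNS zones against a list of approved aliases and flag anything that points at a sensitive host or outside the zone. The script below is an added example written for this issue, not code from the cited research; the zone name corp.example, the sensitive-host list, the approved-alias table and the zone export lines are all constructed.

```python
"""Audit CNAME records in an AD-integrated DNS zone against an approved alias list.

Added example; not code from the research the newsletter cites. The zone name,
alias list, sensitive-host list and zone export lines are all constructed.
Input lines follow standard zone-file syntax: "<owner> <ttl> IN <type> <rdata>".
"""
ZONE = "corp.example"                                    # assumed zone name
SENSITIVE_HOSTS = {"dc01.corp.example", "fs01.corp.example", "web01.corp.example"}
APPROVED_ALIASES = {                                      # alias -> the only target it may have
    "intranet.corp.example": "web01.corp.example",
    "files.corp.example": "fs01.corp.example",
}

# Constructed zone export: two approved aliases, one unapproved alias to a
# domain controller, one alias pointing outside the zone, and an A record.
SAMPLE_ZONE = """\
intranet.corp.example. 3600 IN CNAME web01.corp.example.
files.corp.example.    3600 IN CNAME fs01.corp.example.
payroll.corp.example.  3600 IN CNAME dc01.corp.example.
cdn.corp.example.      3600 IN CNAME edge.partner-cdn.test.
web01.corp.example.    3600 IN A     10.0.1.20
"""


def parse_cnames(zone_text):
    """Yield (owner, target) for each CNAME record, lowercased, trailing dot removed."""
    for raw in zone_text.splitlines():
        fields = raw.split()
        if len(fields) < 5 or fields[3].upper() != "CNAME":
            continue                                      # skip blanks and non-CNAME records
        yield fields[0].rstrip(".").lower(), fields[4].rstrip(".").lower()


def audit_cnames(zone_text, zone=ZONE, approved=APPROVED_ALIASES, sensitive=SENSITIVE_HOSTS):
    """Return a list of (owner, target, reason) for every CNAME that is not an approved alias."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        if approved.get(owner) == target:
            continue                                      # exactly what the alias list allows
        if not target.endswith("." + zone):
            findings.append((owner, target, "CNAME points outside the zone"))
        elif target in sensitive:
            findings.append((owner, target, "unapproved alias for a sensitive host"))
        else:
            findings.append((owner, target, "CNAME not on the approved alias list"))
    return findings


if __name__ == "__main__":
    for owner, target, reason in audit_cnames(SAMPLE_ZONE):
        print(f"{owner} -> {target}: {reason}")
```

Feed it the output of a zone export from your DNS server and review the findings; an alias to a domain controller or file server that nobody approved is worth an immediate look, and a CNAME to an external name from inside an internal zone rarely has a legitimate reason to exist.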
Let’s Encrypt Moves Toward 6-Day TLS Certificates
Let’s Encrypt announced plans to issue TLS certificates with lifespans as short as six days, significantly reducing the window for certificate abuse after compromise. While this improves overall internet security, it places operational pressure on organizations that lack automated certificate management. Nexus-Dragon flags this as important for SMBs because manual certificate processes will quickly become unmanageable and increase the risk of outages or expired encryption.
Read more: https://cybersecuritynews.com/lets-encrypt-6-day-tls-certificates/
AWS Console Supply Chain Attack Raises Cloud Security Concerns
A supply chain attack targeting components associated with the AWS Management Console demonstrated how trusted cloud tooling can be abused to gain persistence and access. The incident highlights that even cloud-native environments are susceptible to upstream compromise beyond customer control. Nexus-Dragon considers this especially relevant for SMBs that assume cloud platforms inherently reduce security responsibility and may underinvest in cloud access monitoring.
Read more: https://cybersecuritynews.com/aws-console-supply-chain-attack/
Malicious Chrome Extensions Steal Credentials from HR Platforms
Threat actors have deployed credential-stealing Chrome extensions specifically designed to target enterprise HR and payroll platforms. Once installed, the extensions harvest login data that can be reused for payroll fraud and broader account compromise. Nexus-Dragon notes this is a growing risk for SMBs, where employees often install browser extensions without oversight and HR systems lack advanced security controls.
Read more: https://www.bleepingcomputer.com/news/security/credential-stealing-chrome-extensions-target-enterprise-hr-platforms/
GootLoader Malware Scales Delivery Using Hundreds of Compromised Sites
The GootLoader malware campaign has expanded by leveraging hundreds to thousands of compromised websites to distribute malicious payloads at scale. This approach increases infection success by blending into legitimate web traffic and search results. Nexus-Dragon highlights this as a key concern for SMBs because infections often begin with routine web browsing and can quickly lead to ransomware or data theft.
Read more: https://thehackernews.com/2026/01/gootloader-malware-uses-5001000.html
Weekly Recap Highlights Fortinet Exploits and RedLine Malware Activity
This week’s threat recap emphasized active exploitation of Fortinet vulnerabilities alongside continued use of RedLine infostealer malware. Attackers are rapidly weaponizing exposed perimeter devices and pairing them with credential theft to expand access. Nexus-Dragon stresses that SMBs frequently delay patching edge devices, making them prime targets for automated exploitation.
Read more: https://thehackernews.com/2026/01/weekly-recap-fortinet-exploits-redline.html
Hackers Abuse Misconfigured Proxies to Access Paid LLM Services
Attackers are targeting misconfigured proxy servers to hijack access to paid large language model services, shifting abuse costs onto unsuspecting organizations. This reflects a broader trend of infrastructure misuse rather than direct data theft. Nexus-Dragon sees this as an early warning for SMBs adopting AI tools without securing supporting infrastructure, potentially leading to unexpected costs and policy violations.
Read more: https://www.bleepingcomputer.com/news/security/hackers-target-misconfigured-proxies-to-access-paid-llm-services/
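The Cyber Hygiene item for proxies (authenticate egress traffic and monitor for LLM API spikes) can be checked directly from proxy access logs: any request to an LLM API host with no proxy user attached is a sign the proxy is open, and a burst of requests from one client in a short window is the spike to alert on. The script below is an added example written for this issue, not code from the cited article; the log format is a constructed, simplified one, the LLM hostname watchlist is an assumption, and the spike threshold is a placeholder to tune against your own baseline.

```python
"""Review egress proxy logs for unauthenticated or spiking LLM API traffic.

Added example for this newsletter; not code from the reporting it cites.
Log format is constructed and simplified:
    <ISO-8601 UTC timestamp> <client ip> <proxy user or '-'> <destination host> <status>
LLM_API_HOSTS is an assumed watchlist; SPIKE_THRESHOLD is a placeholder baseline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LLM_API_HOSTS = {"api.openai.com", "api.anthropic.com"}
SPIKE_WINDOW = timedelta(seconds=60)
SPIKE_THRESHOLD = 5          # more than this many LLM requests per client per window

# Constructed sample: one authenticated internal user, one unauthenticated
# external client hammering the LLM endpoints, one unrelated request.
SAMPLE_LOG = """\
2026-01-20T09:00:01Z 10.0.5.12 alice api.openai.com 200
2026-01-20T09:00:03Z 10.0.5.12 alice api.openai.com 200
2026-01-20T09:00:05Z 203.0.113.7 - api.openai.com 200
2026-01-20T09:00:06Z 203.0.113.7 - api.anthropic.com 200
2026-01-20T09:00:07Z 203.0.113.7 - api.openai.com 200
2026-01-20T09:00:08Z 203.0.113.7 - api.openai.com 200
2026-01-20T09:00:09Z 203.0.113.7 - api.openai.com 200
2026-01-20T09:00:10Z 203.0.113.7 - api.openai.com 200
2026-01-20T09:00:11Z 10.0.5.40 bob www.example.com 200
2026-01-20T09:05:00Z 10.0.5.12 alice api.openai.com 200
"""


def parse_line(line):
    """Split one constructed log line into a dict; raises ValueError on malformed input."""
    ts, client, user, host, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "user": user,
        "host": host,
        "status": int(status),
    }


def audit(log_text, hosts=LLM_API_HOSTS, window=SPIKE_WINDOW, threshold=SPIKE_THRESHOLD):
    """Return {'unauthenticated': {client: count}, 'spikes': {client: peak_in_window}}."""
    unauthenticated = defaultdict(int)
    spikes = {}
    recent = defaultdict(deque)           # per client: timestamps of LLM requests in the window
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["host"] not in hosts:
            continue                      # only LLM API destinations are in scope
        if ev["user"] == "-":
            unauthenticated[ev["client"]] += 1
        q = recent[ev["client"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()                   # slide the window forward
        if len(q) > threshold:
            spikes[ev["client"]] = max(spikes.get(ev["client"], 0), len(q))
    return {"unauthenticated": dict(unauthenticated), "spikes": spikes}


if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_LOG).items():
        for client, n in hits.items():
            print(f"{kind}: {client} ({n})")
```

Run it over a day of exported proxy logs; an unauthenticated client that also trips the spike rule is the profile of exactly the cost-shifting abuse described above, and the fix is to require proxy authentication and restrict which source networks may reach the LLM hosts at all.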
Government Alerts & ICS Advisories
AVEVA Process Optimization Security Advisory
https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01
Schneider Electric EcoStruxure Power Build Rapsody Security Advisory
https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-10
Festo Firmware Security Advisory
https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-02
Siemens SIMATIC and SIPLUS Products Security Advisory
https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-04
Siemens Industrial Edge Devices Security Advisory
https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-08
Siemens Industrial Edge Device Kit Security Advisory
https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-09
Cyber Hygiene
· Active Directory: Enforce LDAP/SMB signing and EPA to prevent Kerberos relays.
· Browsers: Whitelist extensions and block sideloading to reduce risk.
· Proxies: Authenticate egress traffic and monitor for LLM API spikes.
· CI/CD: Minimize token scopes and audit webhooks for supply chain gaps.
· Automation: Ban unvetted community nodes and isolate workflow runtimes.
· Email/Web: Quarantine suspicious ZIPs and restrict Windows Script Host.
· Phishing: Enforce universal MFA and block risky attachment types.
· Certificates: Automate renewal processes for short-lived TLS certs.
· OT/ICS: Segment networks and strictly govern remote access.
· Patching: Prioritize internet-facing systems for immediate updates.
Why This Matters
Attackers are bypassing complex exploits to abuse "trusted" infrastructure—browsers, automation tools, and CI/CD pipelines. Breaches now stem from overlooked basics like risky extensions or exposed tokens, allowing rapid lateral movement. Because SMBs often lack deep oversight, the critical defense is strict hygiene: enforce allowlists, lock down secrets, and treat every "trusted" system as requiring continuous verification.
Vulnerability Deep Dive
Threat Intelligence Brief: SAP S/4HANA CVE-2025-42957 Exploitation
Overview
CVE-2025-42957 is a critical code injection flaw in SAP’s S/4HANA ERP software with a CVSS score of 9.9. It allows attackers with low-privileged access to inject ABAP code, leading to full compromise of both the SAP system and the underlying OS. Researchers at SecurityBridge and Pathlock confirmed exploitation is already occurring in the wild, affecting both cloud and on-premise systems.
Threat Actor Profile
No confirmed attribution at this time. Current evidence suggests opportunistic exploitation by financially motivated attackers scanning for unpatched SAP systems. Once an actor has a foothold on-premises, the flaw also presents an insider-threat risk.
Tools and Techniques
Exploitation of RFC-exposed function modules.
Injection of ABAP code for privilege escalation and persistence.
Abuse of low-privileged accounts to bypass authorization controls.
Mapped MITRE ATT&CK Techniques
T1059.007: Command and Scripting Interpreter (Custom Code – ABAP)
T1190: Exploit Public-Facing Application
T1068: Exploitation for Privilege Escalation
T1078: Valid Accounts
Technical Summary
Vulnerable versions: S4CORE 102–108.
Root cause: improper control of code generation (CWE-94).
Exploit chain: attacker authenticates with low privileges → injects ABAP → escalates → gains OS-level control.
SAP patch 3627998 addresses the issue but is reportedly easy to reverse-engineer.
Recent Exploitation Activity
SecurityBridge confirmed verified in-the-wild abuse.
Pathlock observed anomalous activity consistent with exploit attempts.
Exploitation has not yet reached mass scale but is confirmed active.
IOCs / Observed Hosts
No public indicators of compromise have been released by SAP, SecurityBridge, or Pathlock as of this writing.
Tags Associated with Activity: SAP ABAP Injection, CVE-2025-42957, ERP Exploitation
Strategic Implications
ERP platforms underpin core operations across industries. A compromise can disrupt supply chains, financials, and HR processes. For SMBs using SAP, exploitation could cause crippling downtime or regulatory exposure. The ease of exploitation raises concern that this will soon be weaponized at scale.
Defensive Recommendations
Apply SAP patch 3627998 immediately.
Restrict RFC exposure and monitor for unusual ABAP code execution.
Enforce least privilege on SAP accounts.
Audit SAP logs for unauthorized code injections or privilege escalations.
Segment ERP systems from internet-facing environments.
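The monitoring recommendations above (restrict RFC exposure, watch for unusual ABAP code execution, audit for unauthorized privilege escalation) map one-to-one onto the exploit chain in the Technical Summary: low-privileged authentication, ABAP injection, escalation. The script below is an added example written for this issue, not SAP code and not the SAP Security Audit Log format; it reviews constructed, pipe-delimited event records with three rules, one per step of the chain, and flags a user who trips more than one rule as matching the chain. The role names, the function-module names in the Z_ customer namespace, and the allowlists are assumptions.

```python
"""Flag SAP audit events consistent with the CVE-2025-42957 exploit chain
(low-privileged login -> ABAP code injection -> privilege escalation).

Added example; not SAP code and not the Security Audit Log format. Event lines
are constructed and pipe-delimited:
    <ts>|<system>|<user>|<role>|<event>|<detail>|<source>
Roles, function-module names (Z_ customer namespace) and allowlists are assumptions.
"""
DEVELOPER_ROLES = {"ABAP_DEVELOPER"}                      # roles allowed to generate ABAP
ADMIN_ROLES = {"SAP_BASIS_ADMIN"}                         # roles allowed to change privileges
RFC_EXPOSURE_ALLOWLIST = {"Z_ORDER_STATUS"}               # modules approved for external RFC callers
CODE_GEN_STATEMENTS = {"GENERATE SUBROUTINE POOL", "INSERT REPORT"}  # dynamic ABAP generation

# Constructed events: an external low-privileged user walks the whole chain,
# followed by legitimate developer and administrator activity for contrast.
SAMPLE_EVENTS = """\
2026-01-20T10:02:11Z|PRD|jdoe|END_USER|RFC_CALL|Z_ORDER_STATUS|ext:198.51.100.9
2026-01-20T10:02:15Z|PRD|jdoe|END_USER|RFC_CALL|Z_UNLISTED_MODULE|ext:198.51.100.9
2026-01-20T10:02:16Z|PRD|jdoe|END_USER|CODE_GEN|GENERATE SUBROUTINE POOL|ext:198.51.100.9
2026-01-20T10:02:20Z|PRD|jdoe|END_USER|PRIV_CHANGE|SAP_ALL->jdoe|ext:198.51.100.9
2026-01-20T10:30:00Z|DEV|abapdev|ABAP_DEVELOPER|CODE_GEN|INSERT REPORT|int:10.0.9.5
2026-01-20T10:31:00Z|PRD|basis1|SAP_BASIS_ADMIN|PRIV_CHANGE|SAP_ALL->svc_batch|int:10.0.9.5
"""


def parse_event(line):
    """Split one constructed event line into a dict; raises ValueError if a field is missing."""
    ts, system, user, role, event, detail, source = line.split("|")
    return {"ts": ts, "system": system, "user": user, "role": role,
            "event": event, "detail": detail, "source": source}


def review(events_text):
    """Return {'findings': [(ts, user, category, message)], 'chained_users': [user, ...]}."""
    findings = []
    for raw in events_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        external = ev["source"].startswith("ext:")
        # Step 1 of the chain: RFC access to modules that should not be exposed externally.
        if ev["event"] == "RFC_CALL" and external and ev["detail"] not in RFC_EXPOSURE_ALLOWLIST:
            findings.append((ev["ts"], ev["user"], "rfc_exposure",
                             f"external RFC call to non-allowlisted module {ev['detail']}"))
        # Step 2: dynamic ABAP generation by an account that is not a developer.
        elif (ev["event"] == "CODE_GEN" and ev["detail"] in CODE_GEN_STATEMENTS
              and ev["role"] not in DEVELOPER_ROLES):
            findings.append((ev["ts"], ev["user"], "code_injection",
                             f"dynamic ABAP generation by non-developer role {ev['role']}"))
        # Step 3: privilege change performed by an account without an admin role.
        elif ev["event"] == "PRIV_CHANGE" and ev["role"] not in ADMIN_ROLES:
            findings.append((ev["ts"], ev["user"], "priv_escalation",
                             f"privilege change {ev['detail']} by non-admin role {ev['role']}"))
    # A user matching more than one category looks like the chain, not a one-off misconfiguration.
    categories = {}
    for _, user, category, _ in findings:
        categories.setdefault(user, set()).add(category)
    chained = sorted(u for u, cats in categories.items() if len(cats) >= 2)
    return {"findings": findings, "chained_users": chained}


if __name__ == "__main__":
    result = review(SAMPLE_EVENTS)
    for ts, user, category, message in result["findings"]:
        print(f"{ts} {user} [{category}] {message}")
    print("chain pattern:", ", ".join(result["chained_users"]) or "none")
```

The rules are deliberately independent so that each one is useful on its own: the RFC rule enforces the exposure allowlist, the code-generation rule catches ABAP being produced by accounts that have no business doing so, and the privilege rule catches escalation. Adapting it to real SAP telemetry means replacing the constructed line parser with one for your Security Audit Log export while keeping the three checks.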
Threat Modeling Summary
Likely Targets: SMBs and enterprises running SAP S/4HANA (on-premise or private cloud).
Attacker Goals: System takeover, data theft, operational disruption.
Attack Vector: Exploitation of unpatched RFC modules using low-privileged access.
Why This Matters
SAP compromises affect the backbone of business operations. With confirmed in-the-wild exploitation and an easily reverse-engineered patch, time is limited. SMBs relying on SAP must treat this as an immediate priority or risk full operational compromise.
Disclaimer
Findings are based on open-source intelligence and vendor reporting. Organizations should validate their own exposure and act accordingly.
Discover the Nexus-Dragon Ecosystem
Explore Everything at Nexus-Dragon.com. Your Launchpad for Elite Cybersecurity Training and Business-Grade Protection
Comprehensive Learning Subscription (CLS)
The CLS program is more than just certification prep: it’s a full-spectrum, 4-year guided learning pathway for professionals committed to mastering information security and gaining long-term expertise in the field.

www.nexus-dragon.com
Included in CLS:
Full prep and resources for CISSP, CEH, CASP+, GBK, and Cyber Training certifications
Access to interactive cloud security labs, recorded workshops, and scheduled mentorship
Built-in progress tracking, skill assessments, and a structured roadmap to job-ready proficiency
Complimentary access to our Basic Cyber Operations (BCO) course for foundational knowledge in network security and incident response
Dragon Armor Cybersecurity Suite
Tailored for small and mid-sized businesses, Dragon Armor delivers serious protection without the complexity of big-ticket enterprise tools. It’s everything you need to secure your environment, designed to scale as you grow.

Included with Dragon Armor:
AI-driven threat detection, endpoint security, and real-time response
Built-in alignment with HIPAA, NIST Cybersecurity Framework (CSF), and ISO 27001
Guided onboarding and a full cybersecurity risk assessment to identify gaps
Multi-year price lock and flexible plans that grow with your organization’s needs
Stay Ahead of Cyber Threats
Nexus-Dragon’s Curated Threat Intelligence Service delivers real-time, tailored insights focused on your risks, your industry, and your assets. We cut through the noise to give you high-confidence IOCs, mapped MITRE ATT&CK techniques, and strategic recommendations so you can act fast and stay protected. Get intelligence built for action.
Dragon Armor Advisors (DAA) by Nexus-Dragon takes the hassle out of hiring by recruiting, vetting, and managing elite cybersecurity professionals for you. From analysts to compliance leads, our mission-ready experts, many from NSA, DoD, and CISA, integrate seamlessly into your team with zero long-term risk. Fill your security gaps fast. www.nexus-dragon.com
Sponsor Spotlights
Tenable Nessus® Expert is the gold standard for vulnerability assessment—built for security teams facing limited resources and a fast-changing threat landscape. It automates point-in-time assessments to help you quickly find, prioritize, and remediate vulnerabilities across operating systems, devices, and applications.
Discover how Nessus Expert can strengthen your defenses.
Optery helps businesses and individuals automatically remove their private information from hundreds of data broker websites—reducing exposure to phishing, identity theft, and targeted attacks. It’s a powerful privacy protection platform ideal for SMBs looking to safeguard executives, employees, or clients.
Streamline your cybersecurity projects and team workflows with Monday, the flexible work OS built to help small businesses and IT teams stay organized, aligned, and efficient. From managing incident response tasks to tracking compliance milestones, Monday makes it easy to visualize progress and stay ahead of threats.
This week’s sponsor, Bitdefender, delivers advanced endpoint protection built to stop ransomware, phishing, and zero-day threats before they disrupt your business. Trusted by small businesses and IT teams worldwide, Bitdefender combines AI-driven detection with lightweight performance and centralized management. Learn how you can strengthen your security posture with enterprise-grade protection designed for SMBs.
Ready to move forward?
For full details, customized walkthroughs, or to begin onboarding, contact our team at:
Or explore our solutions directly at:
A Comprehensive Training and Security Platform
Nexus-Dragon stands apart by delivering more than just tools—it builds defenders. We combine cybersecurity training, information security, and real-world operations into one platform. Our focus spans network security, cloud security, and endpoint security, with added strength in penetration testing, incident response, and risk management. Every service is tied to core standards like the NIST Cybersecurity Framework, ISO 27001, PCI-DSS, HIPAA, and GDPR, ensuring both compliance and resilience.
Advanced Operations and Intelligence
Our operations cover the full spectrum of modern defense. The Nexus-Dragon team runs advanced security operations, integrating endpoint detection and response (EDR), extended detection and response (XDR), SIEM, and SOAR to catch and contain threats quickly. Capabilities include threat hunting, cyber threat intelligence, and vulnerability management, while our security architecture applies zero trust, multi-factor authentication (MFA), single sign-on (SSO), and identity governance to protect critical digital identity systems.
TELL US HOW WE’RE DOING!
Your feedback is VERY valuable! Let us know how we can improve future issues.
Legal Disclaimer
The information provided is for general purposes only and is accurate to the best of our knowledge. We do not guarantee its accuracy or reliability and are not responsible for any outcomes resulting from its use. This post contains affiliate links, meaning we may earn a commission if you purchase through them, at no additional cost to you. Written with the help of our little A.I!
All trademarks belong to their respective owners.
CONTACT US
📞 850-684-0278