🧠 CyberPulse SMB: Daily Security Digest

CyberPulse SMB: Daily Digest

Date: September 10, 2025
Grouped Recommendations: High-Risk, Awareness, Policy, Emerging, Controls, Other

📋 Recommendations

High-Risk

Recent high-risk cybersecurity events highlight several key threats to SMBs: Ransomware attacks targeting various sectors (including municipalities), exploitation of vulnerabilities in widely used software (SAP, Salesforce integrations), malicious packages in popular repositories (npm), and phishing campaigns using sophisticated techniques. These incidents underscore the need for proactive security measures, focusing on patching, access control, and employee training to mitigate significant financial and operational damage.

• Prioritize patching: Immediately patch known vulnerabilities in all software, especially SAP, Salesforce integrations, and operating systems. Use automated patching tools where possible.
• Strengthen access control: Implement multi-factor authentication (MFA) for all accounts, especially those with administrative privileges. Regularly review and revoke unnecessary access rights.
• Improve employee security awareness: Conduct regular security awareness training for all employees, focusing on phishing recognition, safe browsing practices, and password management. Include simulation exercises.
• Secure your supply chain: Carefully vet third-party software and services before integrating them into your systems. Utilize reputable sources and regularly check for updates and security advisories.
• Implement robust data backups: Regularly back up critical data to an offline, secure location. Test your recovery procedures to ensure data can be restored quickly and effectively in case of a ransomware attack.
• Develop an incident response plan: Create a documented plan outlining procedures to follow in the event of a security incident, including communication protocols and escalation paths. Practice the plan regularly.
• Key risks for SMBs in 2025 include vulnerabilities from outdated software (OWASP A06), supply chain attacks (MITRE TA0042), and exploitation of insecure configurations (OWASP A09). The rise of AI agents introduces new attack vectors, while insufficient cybersecurity awareness and resource limitations hinder effective mitigation. The increasing sophistication of cyber threats demands proactive, layered security measures.
  • Prioritize patching: Implement a rigorous patching schedule for all software, focusing on critical vulnerabilities. Automate patching where possible.
  • Enforce strong passwords and MFA: Mandate strong, unique passwords for all accounts and enforce multi-factor authentication (MFA) wherever feasible.
  • Regularly back up data: Implement a robust backup and recovery strategy, testing backups regularly to ensure data recoverability.
  • Secure remote access: Use a VPN for all remote access and restrict access based on the principle of least privilege.
  • Employee security awareness training: Conduct regular security awareness training to educate employees about phishing, social engineering, and other common threats.
  • Inventory and manage software: Maintain an up-to-date inventory of all software and hardware, prioritizing the removal of obsolete or unsupported systems.
  • Assess and manage third-party risk: Evaluate the security posture of your third-party vendors and service providers.

Awareness

• Small and mid-sized businesses (SMBs) face significant risks from phishing attacks and a lack of employee cybersecurity awareness. Phishing remains a highly effective attack vector, exploiting human error to gain access to sensitive data and systems. Insufficient employee training leaves SMBs vulnerable to sophisticated attacks and data breaches, potentially leading to financial losses, reputational damage, and legal liabilities. Addressing these weaknesses through targeted training and simulated phishing exercises is crucial for mitigating these risks.
  • Prioritize phishing awareness training: Conduct regular, engaging training sessions focusing on identifying and reporting phishing attempts. Include realistic examples and scenarios relevant to your business.
  • Implement simulated phishing campaigns: Regularly test employee awareness with realistic phishing simulations. Analyze results to identify training gaps and adjust your approach accordingly.
  • Develop a clear incident reporting policy: Establish a simple, accessible process for employees to report suspected phishing emails or other suspicious activity. Ensure prompt investigation and response.
  • Focus training on common attack vectors: Tailor training to address specific threats relevant to your industry and business operations (e.g., supply chain attacks). Don't just focus on emails.
  • Make training accessible and engaging: Use short, interactive modules, videos, and gamification techniques to improve knowledge retention and engagement. Consider microlearning approaches.
    • Prioritize patching and software updates: Regularly update all software, including operating systems, applications, and firmware, to address known vulnerabilities. This is crucial for mitigating many of the identified threats.
    • Implement multi-factor authentication (MFA): Use MFA for all critical accounts, including email, cloud services, and remote access. This significantly reduces the risk of account compromise from phishing and other attacks.
    • Enhance email security: Employ robust email filtering and anti-spam measures, including SPF, DKIM, and DMARC. Train employees to identify phishing attempts and avoid clicking suspicious links.
    • Secure your network perimeter: Use a firewall and intrusion detection/prevention system (IDS/IPS) to monitor and block malicious traffic. Regularly review and update your firewall rules.
      • Prioritize patching: Implement a robust patching schedule for all software and operating systems, focusing on critical vulnerabilities first. Utilize automated patching solutions where possible.
      • Enforce Multi-Factor Authentication (MFA): Mandate MFA for all user accounts across all systems and services, especially those with access to sensitive data.
      • Secure cloud storage: Implement strong access controls, encryption both in transit and at rest, and regular security audits for all cloud storage services. Minimize data stored in the cloud to only what is absolutely necessary.
      • Improve network security: Deploy a VPN for remote access and implement DNS filtering to block malicious websites and prevent phishing attacks. Regularly review and update your firewall rules.
      • Secure device management: Enforce strong passwords and device encryption for all company devices. Implement Mobile Device Management (MDM) to control access and enforce security policies.
        • Patch all software regularly: Implement automated patching for operating systems (Windows 11 updates are crucial), applications, and firmware. Prioritize critical and high-severity vulnerabilities.
        • Enable multi-factor authentication (MFA): Require MFA for all accounts, especially email and cloud services. This significantly reduces the risk of successful account takeovers.
        • Train employees on security awareness: Conduct regular phishing simulations and training to educate employees on identifying and reporting suspicious emails and links.
        • Implement robust endpoint protection: Use a reputable antivirus and endpoint detection and response (EDR) solution. Ensure regular scans and updates.
        • Secure network infrastructure: Utilize strong passwords, firewalls, and intrusion detection/prevention systems (IDS/IPS). Regularly review network configurations.
        • Back up data regularly: Implement a 3-2-1 backup strategy (3 copies, 2 different media, 1 offsite) to

Policy

Regular security awareness training: Educate employees on phishing

Other

🔗 Additional Reading

High-Risk

• https://thehackernews.com/2025/09/chinese-apt-deploys-eggstreme-fileless.html
• https://thehackernews.com/2025/09/chillyhell-macos-backdoor-and-zynorrat.html
• https://thehackernews.com/2025/09/microsoft-fixes-80-flaws-including-smb.html
• https://thehackernews.com/2025/09/apple-iphone-air-and-iphone-17-feature.html
• https://www.darkreading.com/cybersecurity-operations/chinese-hackers-allegedly-pose-us-lawmaker
• https://www.darkreading.com/endpoint-security/dormant-macos-backdoor-chillyhell-resurfaces
• https://go.theregister.com/feed/www.theregister.com/2025/09/10/chillyhell_modular_macos_malware/
• https://isc.sans.edu/diary/rss/32274
• https://www.bleepingcomputer.com/news/security/hackers-left-empty-handed-after-massive-npm-supply-chain-attack/
• https://www.bleepingcomputer.com/news/security/cursor-ai-editor-lets-repos-autorun-malicious-code-on-devices/
• https://www.bleepingcomputer.com/news/security/jaguar-land-rover-jlr-confirms-data-theft-after-recent-cyberattack/
• https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/
• https://www.welivesecurity.com/en/business-security/preventing-business-disruption-building-cyber-resilience-mdr/
• https://thehackernews.com/2025/09/adobe-commerce-flaw-cve-2025-54236-lets.html
• https://thehackernews.com/2025/09/sap-patches-critical-netweaver-cvss-up.html
• https://unit42.paloaltonetworks.com/data-is-the-new-diamond-latest-moves-by-hackers-and-defenders/
• https://go.theregister.com/feed/www.theregister.com/2025/09/09/npm_supply_chain_attack/
• https://krebsonsecurity.com/2025/09/microsoft-patch-tuesday-september-2025-edition/
• https://www.darkreading.com/cyberattacks-data-breaches/qantas-reduces-executive-pay-cyberattack
• https://www.darkreading.com/application-security/huge-npm-supply-chain-attack-whimper
• https://isc.sans.edu/diary/rss/32270
• https://www.bleepingcomputer.com/news/security/hackers-hide-behind-tor-in-exposed-docker-api-breaches/
• https://www.bleepingcomputer.com/news/security/windows-10-kb5065429-update-includes-14-changes-and-fixes/
• https://go.theregister.com/feed/www.theregister.com/2025/09/09/us_dod_exposed_keys/
• https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2025-patch-tuesday-fixes-81-flaws-two-zero-days/
• https://thehackernews.com/2025/09/axios-abuse-and-salty-2fa-kits-fuel.html
• https://thehackernews.com/2025/09/raton-android-malware-detected-with-nfc.html
• https://thehackernews.com/2025/09/from-mostererat-to-clickfix-new-malware.html
• https://thehackernews.com/2025/09/how-leading-cisos-are-getting-budget.html
• https://go.theregister.com/feed/www.theregister.com/2025/09/09/plex_breach/
• https://www.bleepingcomputer.com/news/security/us-charges-admin-of-lockergoga-megacortex-nefilim-ransomware/
• https://www.bleepingcomputer.com/news/security/adobe-patches-critical-sessionreaper-flaw-in-magento-ecommerce-platform/
• https://www.bleepingcomputer.com/news/security/how-external-attack-surface-management-helps-enterprises-manage-cyber-risk/
• https://www.bleepingcomputer.com/news/security/sap-fixes-maximum-severity-netweaver-command-execution-flaw/
• https://grahamcluley.com/the-ai-fix-67/
• https://www.schneier.com/blog/archives/2025/09/new-cryptanalysis-of-the-fiat-shamir-protocol.html
• https://www.darkreading.com/cyberattacks-data-breaches/mostererat-blocks-security-tools
• https://www.darkreading.com/cyberattacks-data-breaches/salesloft-breached-github-account-compromise
• https://thehackernews.com/2025/09/45-previously-unreported-domains-expose.html
• https://thehackernews.com/2025/09/github-account-compromise-led-to.html
• https://thehackernews.com/2025/09/gpugate-malware-uses-google-ads-and.html
• https://thehackernews.com/2025/09/weekly-recap-drift-breach-chaos-zero.html
• https://thehackernews.com/2025/09/you-didnt-get-phished-you-onboarded.html
• https://krebsonsecurity.com/2025/09/18-popular-code-packages-hacked-rigged-to-steal-crypto/
• https://www.bleepingcomputer.com/news/security/plex-tells-users-to-reset-passwords-after-new-data-breach/
• https://www.bleepingcomputer.com/news/security/hackers-steal-3-325-secrets-in-ghostaction-github-supply-chain-attack/
• https://www.bleepingcomputer.com/news/security/lovesac-confirms-data-breach-after-ransomware-attack-claims/
• https://research.checkpoint.com/2025/8th-september-threat-intelligence-report/

Policy

• https://thehackernews.com/2025/09/the-time-saving-guide-for-service.html
• https://go.theregister.com/feed/www.theregister.com/2025/09/10/federal_agencies_regulate_ai/
• https://securelist.com/three-hacktivist-apt-clusters-tools-and-ttps/117324/
• https://go.theregister.com/feed/www.theregister.com/2025/09/10/oracle_q1_results/
• https://go.theregister.com/feed/www.theregister.com/2025/09/09/new_cybersecurity_compliance_rules_dod/
• https://www.bleepingcomputer.com/news/security/kosovo-hacker-pleads-guilty-to-running-blackdb-cybercrime-marketplace/
• https://go.theregister.com/feed/www.theregister.com/2025/09/09/selfharm_online_safety_act/
• https://www.cisa.gov/news-events/news/cisa-highlight-agencys-top-priorities-secure-america-16th-annual-billington-cybersecurity-summit
• https://www.schneier.com/blog/archives/2025/09/ai-in-government.html

Awareness

• https://www.darkreading.com/cyberattacks-data-breaches/salty2fa-phishing-kits-enterprise-level
• https://www.schneier.com/blog/archives/2025/09/signed-copies-of-rewiring-democracy.html

Emerging

• https://go.theregister.com/feed/www.theregister.com/2025/09/10/nasa_best_evidence_life_on_mars/
• https://go.theregister.com/feed/www.theregister.com/2025/09/10/jaguar_land_rover_breach/
• https://isc.sans.edu/diary/rss/32272
• https://www.bleepingcomputer.com/news/microsoft/microsoft-waives-fees-for-windows-devs-publishing-to-microsoft-store/
• https://www.bleepingcomputer.com/news/security/pixel-10-fights-ai-fakes-with-new-android-photo-verification-tech/
• https://go.theregister.com/feed/www.theregister.com/2025/09/09/google_cloud_ceo_sees_sunny/
• https://www.darkreading.com/application-security/eop-flaws-again-lead-microsoft-patch-day
• https://go.theregister.com/feed/www.theregister.com/2025/09/09/apples_awe_droppings_fall_close/
• https://www.bleepingcomputer.com/news/security/us-sanctions-cyber-scammers-who-stole-billions-from-americans/
• https://go.theregister.com/feed/www.theregister.com/2025/09/09/microsoft_return_to_work/
• https://www.darkreading.com/cybersecurity-operations/sentinelone-acquire-observo-ai
• https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5065426-and-kb5065431-cumulative-updates-released/
• https://thehackernews.com/2025/09/webinar-shadow-ai-agents-multiply-fast.html
• https://go.theregister.com/feed/www.theregister.com/2025/09/09/gym_audio_recordings_exposed/
• https://go.theregister.com/feed/www.theregister.com/2025/09/09/us_army_anduril_headset/
• https://go.theregister.com/feed/www.theregister.com/2025/09/09/chen_windows_95_hlt/
• https://go.theregister.com/feed/www.theregister.com/2025/09/09/gartner_ai_phone/
• https://www.bleepingcomputer.com/news/microsoft/microsoft-anti-spam-bug-blocks-links-in-exchange-online-teams/
• https://openssf.org/podcast/2025/09/09/whats-in-the-soss-podcast-39-s2e16-racing-against-quantum-the-urgent-migration-to-post-quantum-cryptography-with-keyfactors-crypto-experts/
• https://www.darkreading.com/vulnerabilities-threats/the-critical-failure-in-vulnerability-management
• https://www.darkreading.com/threat-intelligence/new-domains-salt-typhoon-unc4841
• https://go.theregister.com/feed/www.theregister.com/2025/09/09/gartner_ai_skill_loss_prediction/
• https://go.theregister.com/feed/www.theregister.com/2025/09/09/storage_message_signal/
• https://go.theregister.com/feed/www.theregister.com/2025/09/09/citrix_licensing_shift/
• https://go.theregister.com/feed/www.theregister.com/2025/09/08/intel_executive_changes/
• https://go.theregister.com/feed/www.theregister.com/2025/09/08/whatsapp_exsecurity_head_sues_company/
• https://isc.sans.edu/diary/rss/32268
• https://isc.sans.edu/diary/rss/32266
• https://isc.sans.edu/diary/rss/32264
• https://www.bleepingcomputer.com/news/security/surge-in-networks-scans-targeting-cisco-asa-devices-raise-concerns/
• https://www.bleepingcomputer.com/news/security/signal-adds-secure-cloud-backups-to-save-and-restore-chats/

Controls

• https://www.darkreading.com/endpoint-security/browser-becoming-new-endpoint

Other

• https://www.darkreading.com/vulnerabilities-threats/quiet-revolution-kubernetes-security
• https://go.theregister.com/feed/www.theregister.com/2025/09/10/vbscript_deprecation/
• https://www.darkreading.com/cyber-risk/southeast-asian-scam-centers-financial-sanctions

📥 Subscribe or Contribute

Join the CyberPulse email digest or email morgan@sprico.com to submit an article or recommendation.