Jason Lazerus


“Beware the quiet man. For while others speak, he watches. And while others act, he plans. And when they finally rest… he strikes.” - Anonymous


Weekly Security Recap — 2025-11-02

Overview

This week, the cybersecurity landscape was marked by vulnerabilities affecting both AI platforms and critical infrastructure. Notably, a flaw in Anthropic’s Claude AI allowed data exfiltration through its code interpreter, emphasizing the risks associated with AI integration. Additionally, critical vulnerabilities in industrial systems like Schneider Electric’s EcoStruxure and Hitachi Energy’s TropOS underscore the persistent threat to critical infrastructure. Meanwhile, old attack vectors like email and remote access continue to dominate cyber insurance claims, indicating that traditional threat vectors remain highly relevant. These developments highlight the need for robust security measures and continuous vigilance across both cutting-edge and established technologies.

Major incidents

Claude AI Vulnerability Exposes Enterprise Data

A vulnerability in Anthropic’s Claude AI assistant has been discovered, allowing attackers to exploit its code interpreter feature to exfiltrate enterprise data. This flaw enables the circumvention of default security settings, posing a significant risk to organizations using the platform. Security researcher Johann Rehberger demonstrated how the vulnerability could be leveraged through indirect prompt injections, which can manipulate the AI’s code execution capabilities. The impact of this vulnerability is particularly concerning for enterprises relying on Claude AI for sensitive data processing. The flaw highlights the importance of scrutinizing AI systems for potential security weaknesses, especially as they become more integrated into business operations. Enterprises using Claude AI should consider implementing additional security layers to mitigate the risk of data breaches through such vulnerabilities.

Sources:

  • https://www.csoonline.com/article/4082514/claude-ai-vulnerability-exposes-enterprise-data-through-code-interpreter-exploit.html

Hitachi Energy TropOS Vulnerabilities

Hitachi Energy’s TropOS system has been found to contain critical vulnerabilities, including OS command injection and improper privilege management. These vulnerabilities, identified with a CVSS score of 8.7, can be exploited remotely with low complexity, allowing attackers to execute arbitrary commands and escalate privileges. Such exploits could severely disrupt operations by compromising the integrity and availability of critical energy infrastructure. The affected products include various TropOS models used widely in energy management and distribution. Organizations using these systems should prioritize patching to prevent potential exploitation. The discovery of these vulnerabilities underscores the ongoing risks faced by industrial control systems and the need for continuous monitoring and timely updates to maintain security.

Sources:

  • https://www.cisa.gov/news-events/ics-advisories/icsa-25-303-02

Schneider Electric EcoStruxure Vulnerability

A critical vulnerability in Schneider Electric’s EcoStruxure platform has been identified, posing a significant risk to industrial operations. The flaw, rated with a CVSS score of 8.2, involves the allocation of resources without limits or throttling, potentially leading to the loss of real-time process data from Modicon Controllers. This vulnerability is exploitable remotely and requires low attack complexity, making it a concerning issue for industries relying on EcoStruxure for operational management. The potential impact includes operational disruptions and compromised data integrity, emphasizing the need for immediate remediation. Organizations using EcoStruxure should apply available patches and consider additional security measures to mitigate this risk.

Sources:

  • https://www.cisa.gov/news-events/ics-advisories/icsa-25-301-01

Chinese Hackers Exploit Windows Shortcut Flaw

Chinese threat actors have been exploiting a longstanding Windows shortcut vulnerability to target European diplomats. This vulnerability, which has been a favorite among cybercriminals since 2017, is being used in spear-phishing campaigns against officials in Hungary, Belgium, Serbia, and Italy. The attacks involve sending malicious shortcut files that, when executed, deploy malware like PlugX. The persistence of this vulnerability highlights the challenges in patching older systems and the need for increased vigilance against spear-phishing tactics. Organizations, especially those in the diplomatic sector, should enhance email filtering and train staff to recognize phishing attempts to mitigate this threat.

Sources:

  • https://www.csoonline.com/article/4082701/chinese-hackers-target-western-diplomats-using-hard-to-patch-windows-shortcut-flaw.html
  • https://www.securityweek.com/chinese-apt-exploits-unpatched-windows-flaw-in-recent-attacks/

Typo Hackers Deploy Credential Stealer via npm

A new supply-chain attack has been uncovered involving typosquatted npm packages designed to deploy a cross-platform credential stealer. The threat actor published ten malicious npm packages mimicking popular libraries, which collectively amassed nearly 10,000 downloads before being detected. This campaign highlights the risks associated with open-source software and the ease with which attackers can distribute malicious code through trusted repositories. Developers are urged to verify package authenticity and use automated tools to detect potential typosquatting attempts. This incident underscores the importance of supply-chain security and the need for vigilance in managing dependencies.

Sources:

  • https://www.csoonline.com/article/4081790/typo-hackers-sneak-cross-platform-credential-stealer-into-10-npm-packages.html

Old Threats, New Consequences

Despite advancements in cyber defense, traditional attack vectors like email and remote access continue to dominate cyber insurance claims. According to At-Bay’s 2025 InsurSec Rankings Report, these vectors accounted for 90% of claims in 2024. This indicates that while attackers may be developing new techniques, tried-and-true methods remain effective. Larger companies are particularly vulnerable, often due to the complexity of managing extensive IT environments. Organizations should reinforce basic security measures, such as multi-factor authentication and robust email filtering, to combat these persistent threats. The figures are a reminder of the importance of maintaining fundamental cybersecurity hygiene.

Sources:

  • https://www.csoonline.com/article/4081506/old-threats-new-consequences-90-of-cyber-claims-stem-from-email-and-remote-access.html

Defensive highlights

Best Practices for Securing Microsoft Exchange Server

Cybersecurity agencies from the US, Australia, and Canada have issued a comprehensive list of best practices for securing Microsoft Exchange Server. This guidance is timely, as threat actors continue to exploit vulnerabilities in this widely used email platform. The advisory emphasizes patch management, network segmentation, and the implementation of multi-factor authentication as critical defenses. Organizations are encouraged to apply these practices to mitigate risks associated with Exchange Server, which remains a prime target for cyberattacks. By following these guidelines, IT departments can reduce the attack surface and enhance the security posture of their email infrastructure.

Sources:

  • https://www.csoonline.com/article/4082746/cyber-agencies-produce-long-overdue-best-practices-for-securing-microsoft-exchange-server.html

Security Management for Boards: Metrics That Matter

A recent discussion highlights the importance of effective cybersecurity management at the board level, focusing on metrics that convey business impact rather than technical details. Traditional metrics like patch counts and firewall logs often fail to provide meaningful insights into an organization’s risk posture. Instead, boards should focus on metrics that reflect the potential business impact and recovery times following a cyber incident. This approach can help boards make informed decisions about resource allocation and risk management strategies. By prioritizing business-relevant metrics, organizations can bridge the gap between technical cybersecurity measures and strategic business objectives.

Sources:

  • https://www.csoonline.com/article/4081319/cybersecurity-management-for-boards-metrics-that-matter.html