Threat Actors Shift Focus to Exploiting Public-Facing Applications
TL;DR: Cisco Talos Incident Response notes a significant trend in cyberattacks, with public-facing applications being targeted in nearly 40% of engagements, alongside a worrying rise in phishing attacks aimed at Native American tribal organizations. While ransomware incidents decreased, attention must remain on timely patching and MFA implementation to mitigate risks.
In the latest quarterly report from Cisco Talos Incident Response, nearly 40% of engagements involved exploiting public-facing applications, marking a decrease from over 60% in the previous quarter. Notably, vulnerabilities in Oracle E-Business Suite (CVE-2025-61882) and React2Shell (CVE-2025-55182) were exploited soon after their public disclosure. During one incident, vulnerabilities allowed for the deployment of web shells in targeted servers, while another led to the installation of Monero cryptomining malware. This activity underscores the rapid exploitation that can occur with unpatched systems.
Phishing also emerged as a prominent initial access method, particularly in campaigns targeting Native American tribal organizations, which faced credential harvesting tactics. These incidents often involved compromised accounts to distribute additional phishing attempts, highlighting a significant risk for organizations lacking multi-factor authentication (MFA). In one instance, adversaries gained access through weak MFA protocols, leading to further credential abuse.
Ransomware incidents made up only about 13% of total engagements, with Qilin ransomware being the most prevalent variant. While the decrease in ransomware is noted, the continuity of certain threat actors raises concerns about varied attack strategies that include reconnaissance and information gathering.
Why this matters: Organizations are facing increasing threats from sophisticated adversaries leveraging both exploitation of public-facing applications and social engineering tactics. This shows the need for defenders to prioritize timely patching, robust MFA policies, and proactive monitoring to protect critical assets.
To reduce risk, implementing timely patch management for known vulnerabilities and enhancing MFA strategies can be pivotal. Organizations should also embrace centralized logging solutions, such as SIEMs, to support thorough investigations and rapid response to incidents.
Indicators of Compromise (IOCs): Relevant vulnerabilities identified include:
– CVE-2025-61882 (Oracle E-Business Suite)
– CVE-2025-55182 (React2Shell)
Click here for the full article
