Content

01. News Bites
  • WordPress plugin flaw exposes sensitive site data
  • Hacktivists breach Canadian critical infrastructure systems
  • Microsoft resolves global DNS outage following similar AWS disruption
  • Atroposia Malware-as-a-Service raises alarms
  • Herodotus and GhostGrab target Android users worldwide
02. Conclusion

Quick News Bites

WordPress plugin flaw exposes sensitive site data

A serious vulnerability has been discovered in the popular Anti-Malware Security and Brute-Force Firewall plugin for WordPress, installed on more than 100,000 sites. Tracked as CVE-2025-11705, the flaw allows authenticated users with subscriber-level access to read any file on the server, including sensitive ones like wp-config.php. This could expose database credentials, password hashes, and authentication keys.

The issue, reported by researchers to Wordfence, affects versions 4.23.81 and earlier and stems from missing capability checks in the plugin’s AJAX scan function. A patched version, 4.23.83, was released on 15 October, fixing the problem by adding proper user verification.

While Wordfence has not observed active exploitation, any site allowing user registration or subscriptions is potentially at risk. Administrators are strongly urged to update immediately, as public disclosure could attract threat actors seeking to exploit unpatched installations.
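The bug class described above, as an added illustration that is not the plugin's code: a WordPress AJAX handler that trusts any logged-in user beside one that enforces a capability check. The hook name, nonce action and scan-log path are hypothetical.

```php
<?php
// Added illustration of the flaw class described above (not the plugin's code).
// Hook name, nonce action and the scan-log location are hypothetical.

// admin-ajax.php dispatches wp_ajax_{action} for ANY logged-in user,
// subscribers included. Authorisation is therefore the handler's own job.

// Vulnerable pattern: being logged in is treated as sufficient, and the
// request names the file to read, so any readable file on the server
// (wp-config.php included) can be returned.
function example_scan_read_vulnerable() {
    $path = isset( $_POST['file'] ) ? $_POST['file'] : '';
    echo file_get_contents( $path );
    wp_die();
}

// Hardened pattern: check capability and nonce, and never take a path
// from the request; read only the one file the feature owns.
function example_scan_read_hardened() {
    // 1. Capability check: only administrators may view scan output.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 2. CSRF protection: the admin page issuing the request must carry a
    //    nonce created with wp_create_nonce( 'example_scan_read' ).
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_scan_read', 'nonce' );

    // 3. Fixed, plugin-owned location; the client cannot influence the path.
    $upload = wp_upload_dir();
    $log    = trailingslashit( $upload['basedir'] ) . 'example-scan/scan-results.log';

    if ( ! file_exists( $log ) ) {
        wp_send_json_error( array( 'message' => 'No scan results yet' ), 404 );
    }
    wp_send_json_success( array( 'log' => file_get_contents( $log ) ) );
}

// Register only the hardened handler. No wp_ajax_nopriv_ variant is added,
// so unauthenticated visitors cannot reach it at all.
add_action( 'wp_ajax_example_scan_read', 'example_scan_read_hardened' );
```

When auditing a plugin for this class of issue, look for every `wp_ajax_` and `wp_ajax_nopriv_` hook and confirm the handler itself calls `current_user_can()` and verifies a nonce before acting.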

Hacktivists breach Canadian critical infrastructure systems

The Canadian Centre for Cyber Security has issued a warning after hacktivists breached multiple critical infrastructure systems, manipulating industrial controls in incidents that could have caused dangerous conditions. The alert highlights three recent cases affecting a water treatment facility, an oil and gas company, and an agricultural operation, where attackers altered pressure, temperature, and monitoring values, triggering false alarms and operational disruptions.

Authorities believe these intrusions were opportunistic rather than sophisticated, intended to create fear, attract media attention, and undermine public confidence. The incidents echo similar global concerns, with the U.S. recently intercepting Russian-linked hackers targeting industrial control systems.

While no catastrophic damage occurred, the warning underscores the risk of internet-exposed ICS components such as PLCs, SCADA, and IoT devices. The Cyber Centre urges organisations to remove direct internet access, apply multi-factor authentication, conduct penetration testing, and maintain up-to-date firmware to mitigate future threats.

Microsoft resolves global DNS outage following similar AWS disruption

Microsoft has resolved a major DNS outage that temporarily affected Azure, Microsoft 365, and related services worldwide. Beginning around 16:00 UTC, the outage caused widespread login failures and connection issues, preventing users from accessing company networks, the Azure Portal, Intune, and the Exchange admin centre.

The disruption impacted tens of thousands of organisations, including healthcare providers and the Dutch railway system, which experienced outages in its online ticketing and travel systems. Microsoft confirmed issues with its Azure Front Door CDN and advised users to rely on programmatic methods such as PowerShell and CLI until normal service was restored.

The incident follows closely after a major AWS (Amazon Web Services) DNS failure last week that similarly disrupted millions of online platforms. Microsoft has since restored functionality by rerouting traffic and continues investigating the root cause to strengthen service resilience.

Atroposia Malware-as-a-Service raises alarms

Security researchers at Varonis have uncovered a new malware-as-a-service (MaaS) platform named Atroposia, offering cybercriminals a powerful remote access trojan (RAT) for just $200/month. This modular toolkit enables persistent, stealthy access to infected systems and includes advanced features like hidden remote desktop sessions, file system control, clipboard and credential theft, and DNS hijacking.

Atroposia’s encrypted communication and ability to bypass Windows User Account Control make it especially dangerous. Its built-in vulnerability scanner can identify exploitable weaknesses in corporate environments, such as outdated VPN clients or unpatched software.

Varonis warns that Atroposia joins a growing list of plug-and-play cybercrime tools like SpamGPT and MatrixPDF, lowering the barrier for low-skilled attackers.

Herodotus and GhostGrab target Android users worldwide

Two new Android threats, Herodotus and GhostGrab, are both part of the growing malware-as-a-service (MaaS) ecosystem.

Herodotus, discovered by ThreatFabric, is a banking trojan targeting Italy and Brazil. It mimics human behavior to bypass biometric fraud detection and abuses Android accessibility services to hijack devices, steal credentials, and intercept 2FA codes. Its standout feature is randomized input delays, making remote actions appear human-like to evade detection.

Meanwhile, GhostGrab, uncovered by CYFIRMA, is a hybrid threat targeting users in India. It combines banking credential theft with covert Monero mining, creating a dual-revenue stream for attackers. Distributed via fake financial apps, it requests high-risk permissions to steal sensitive data, including ATM PINs and government IDs.

Both threats highlight the evolving sophistication of Android malware.

Security tip: Avoid sideloading apps, scrutinize permissions, and stick to trusted sources like Google Play.

Closing Summary

If you are worried about any of the threats outlined in this bulletin, or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.