4N6 BEAT

CISA confirmed active exploitation of two more DELMIA Apriso vulnerabilities and added them to the Known Exploited Vulnerabilities (KEV) catalog on October 28, 2025: CVE-2025-6205 (critical missing authorization) and CVE-2025-6204 (high-severity code injection). Federal agencies have three weeks under BOD 22-01; the remediation due date cited is November 18, 2025. (BleepingComputer). (bleepingcomputer.com)

DELMIA Apriso is a manufacturing operations/MES platform commonly deployed on Windows with IIS and a backend database. Vendor advisories state both CVEs affect releases 2020 through 2025, with the missing authorization bug enabling privileged access and the code injection bug enabling arbitrary code execution under specific conditions. (Dassault Systèmes CVE-2025-6205, CVE-2025-6204; NVD 6205, NVD 6204). (3ds.com)

SANS ISC documented a phishing message whose Subject was split into multiple RFC 2047 “encoded-words,” with soft hyphen characters (U+00AD) inserted between letters to break keyword matches. Outlook renders these as normal-looking text, so users never see the obfuscation, but filters that don’t normalize Unicode or decode RFC 2047 first can miss it (SANS ISC). Soft hyphen is a format character that’s typically invisible except at line breaks (Unicode UAX #14; see “Use of Soft Hyphen”), and Microsoft has previously called out invisible Unicode (including U+00AD and U+2060) as a phish-evasion tactic in both bodies and subject lines (Microsoft Threat Intelligence, 2021).

Techno Security & Digital Forensics Conference West 2025 kicks off in San Diego on October 27-29 at the Town & Country Resort, with a strong emphasis on Generative/Agentic AI discovery and legal impacts (event announcement, program highlights). Legal-oriented sessions are explicitly tackling discovery for GenAI and agentic AI, including JAMS’ panel “Artificial Intelligence and Generative AI: Causes of Action and Defenses and Discovery” scheduled for Monday, October 27 at 3:15 p.m. (JAMS session page). Regional partners also underline the AI-heavy tracks (Cybersecurity, eDiscovery, Forensics, Investigations) running October 27-29 (CCOE event listing).

MSAB’s Q3 2025 release introduces BruteStorm Surge, a GPU-accelerated brute-force add-on for XRY Pro that targets long/complex passcodes, alongside major suite updates: XAMN 8.3 adds cross-app conversation threading and support for Cash App warrant returns; UNIFY 25.9 can ingest Cellebrite UFDR and GrayKey extractions; and XEC 7.15 brings role-based access control (RBAC). These capabilities are confirmed in MSAB’s official update and the initial news brief. See MSAB’s release post and feature breakdown (MSAB Q3 2025; Forensic Focus news).

Microsoft announced general availability of a unified Microsoft Defender for Identity sensor that correlates identity and endpoint telemetry across on-premises Active Directory, Microsoft Entra ID, and even third-party identity providers (e.g., Okta), improving incident correlation and enabling automatic attack disruption with richer identity context. The post also signals migration guidance for existing customers in the coming months. Microsoft Security Blog, 2025-10-23.

Why this matters to DFIR: identity evidence that used to be scattered (AD security events, Entra sign-ins, endpoint logons) is now designed to land in one incident and one hunting surface (Defender XDR), with contain/disable actions tied directly to identity context. That reduces dwell time and speeds attribution and scoping. Microsoft Security Blog.

Forensic Focus’ Oct 22, 2025 roundup spotlights Microsoft’s new Digital Defense Report (MDDR) and a wave of DFIR-relevant updates. Microsoft reports that more than half of attacks with known motives are driven by extortion or ransomware, with 80% of investigated incidents targeting data theft for financial gain. Microsoft also processes ~100 trillion security signals daily, blocks ~4.5M new malware attempts, and analyzes 38M identity risk detections. Critically, over 97% of identity attacks are password attacks-and phishing-resistant MFA can block >99% of them. (Forensic Focus roundup; Microsoft On the Issues article; MDDR 2025 overview). (forensicfocus.com)

ESET documented a late-March through mid-2025 surge of Operation DreamJob activity attributed to North Korea-aligned Lazarus, targeting multiple European defense companies - including firms that build UAV components and UAV software - to steal proprietary designs and manufacturing know-how. Initial access relied on classic “dream job” lures and trojanized readers/loaders; later stages delivered ScoringMathTea, a Lazarus RAT with ~40 commands. ESET links the focus on UAV know-how to North Korea’s push to scale its domestic drone program. (ESET WeLiveSecurity). (welivesecurity.com)

SANS Internet Storm Center’s Oct 24, 2025 Stormcast flags four items that should immediately shape triage and detection content across enterprise environments: an Android infostealer abusing Termux, active exploitation of Adobe Commerce/Magento “SessionReaper,” new cache-poisoning fixes for BIND and Unbound resolvers, and a released exploit for a critical WSUS deserialization RCE. Reference the minimal Stormcast entry and the full podcast summary for context (ISC diary 32418, podcast detail).

Below is a forensics-first breakdown: what to collect, where to hunt, and how to contain.

Cisco Talos IR’s Q3 2025 report highlights a sharp rise in compromises that began with exploitation of on-premises Microsoft SharePoint via the ToolShell chain. More than 60% of Talos engagements involved exploitation of public-facing apps, and almost 40% showed ToolShell activity; ransomware dropped to ~20% of cases while post-exploitation phishing from compromised accounts continued to climb (Talos IR Q3 2025). Microsoft confirms active, multi-actor abuse of new SharePoint bugs (CVE-2025-53770, CVE-2025-53771) related to earlier July CVEs (CVE-2025-49704, CVE-2025-49706), and stresses that only on-prem servers are affected-not SharePoint Online (Microsoft Security TI, MSRC customer guidance). CISA added CVE-2025-53770 to the KEV catalog, underscoring exploitation in the wild (CISA KEV entry).

Cisco Talos Incident Response reports that over 60% of their Q3 2025 engagements began with exploitation of public-facing applications, driven largely by the ToolShell attack chain against on-premises Microsoft SharePoint; roughly 40% of all engagements involved ToolShell activity. Talos also saw more post-compromise phishing launched from valid internal accounts and a marked emphasis on segmentation and rapid eviction to contain spread. Ransomware made up about 20% of cases, with actors observed deploying a SharePoint webshell (notably spinstall0.aspx) and, in at least one case, abusing Velociraptor for persistence. Talos IR Q3 2025.