Weekly Security Roundup: Active Exploits, Zero Trust, and Secure SDLC
Security topics this week center on threat investigation, updated implementation patterns, and developer tooling that keeps codebases secure. Reports detail emergency vulnerability exploitation and targeted cloud attacks; stepwise guides show how organizations can build secure environments, lower risk, and improve developer protection with static analysis, secrets scanning, and policy choices.
Threat Intelligence: Active Exploitation Reports and Attack Chain Analysis
Microsoft investigated Storm-1175’s exploitation of CVE-2025-10035 in GoAnywhere MFT (pre-v7.8.3)—using deserialization attacks, remote management, ransomware, and credential theft. The article shares attack breakdowns, detection indicators, hunting queries, and upgrade recommendations. Storm-2657’s “Payroll Pirate” targets US universities through Workday HR, using adversary-in-the-middle attacks to steal credentials and divert payroll. Guidance includes immediate credential resets, multi-factor authentication, device cleaning, and inbox review. Automated queries support rapid cloud response workflows, continuing last week’s focus on CI/CD and SaaS risk isolation.
- Investigating Active Exploitation of CVE-2025-10035 in GoAnywhere Managed File Transfer
- Investigating Storm-2657 ‘Payroll Pirate’ Attacks Targeting US Universities
Practical Security Architecture and Workflow Hardening
Microsoft’s Secure Future Initiative guidance lays out secure architecture patterns for organizations: network segmentation, Entra ID, Conditional Access, Zero Trust in CI/CD, and central detection and logging. A companion guide maps the Zero Trust Architecture (ZTA) pillars to services such as Entra ID, Defender, Intune, Purview, Sentinel, and Logic Apps, covering identity, application, data, and incident response, with stepwise advice, tips, and common challenges to support security modernization. The Teams guide includes attack chain analysis, defensive controls, and detection queries for Microsoft 365, embedding security into incident management. Together these guides continue progress on multi-layer defense and policy automation.
- Microsoft Secure Future Initiative: Practical Patterns and Practices for Enhanced Security
- Implementing Zero Trust Architecture in an Azure Environment
- Mitigating Threats Targeting Microsoft Teams: Attack Chain and Defense Strategies
Infrastructure and Application Security Tooling
The CodeQL 2.23.2 update adds Rust queries for URL security, improved JS/TS SDK dataflow, upgraded Python and Ruby analysis, expanded Go registry checks, and enhanced C# null detection. These changes reduce false positives and cover a broader range of languages. Most GitHub users receive the update automatically; enterprise customers are guided through manual upgrades. A new article addresses five common Infrastructure-as-Code (IaC) issues (drift, policy gaps, audits, excessive permissions, hardcoded secrets) and their remedies: drift detection, OPA/Terraform policies, secret management, and audit logging in CI/CD pipelines. These best practices follow recent advice on policy management and secured cloud automation.
- CodeQL 2.23.2 Adds Rust Security Detections and Enhanced Language Support
- Common IaC Security Issues and How to Fix Them
Other Security News
GitHub Enterprise Cloud now supports up to 20 Enterprise Managed User IDs in a proxy header, simplifying authentication and governance across business units and continuing improvements to centralized identity management. GitHub Secret Protection adds new default credential scan patterns and strengthens push protection, building on last week’s automated secrets scanning coverage. Microsoft Fabric’s OneLake Security preview brings central RBAC and row- and column-level SQL security, advancing workspace isolation and access control coverage. Microsoft Ignite 2025 previews security sessions focused on agentic AI, Zero Trust, enterprise DLP, and Copilot security features, continuing the discussion of agentic protection and layered defense.