
Threat Intel Update
This week, F5 reported a significant breach of its corporate systems carried out by an unidentified nation-state actor. The case is notable as one of the first publicly acknowledged instances where the U.S. Department of Justice requested that a publicly traded company delay disclosure under SEC reporting rules. The incident highlights the growing trend of nation-state actors targeting edge networking devices to gain access or launch cyberattacks.
As we continue through Cybersecurity Awareness Month, this is a timely reminder to use multi-factor authentication (MFA) on both work and personal accounts. Threat actors are always looking for stolen credentials, and MFA can prevent them from accessing your accounts, even if they manage to obtain your password.
Cybersecurity News
- F5 Reports Breach Linked to Nation-State Actor – F5 Networks has disclosed a cybersecurity breach involving a nation-state actor who gained access to corporate systems and exfiltrated device telemetry and customer metadata. The company reported the incident in an SEC 8-K filing and notified the U.S. Department of Justice. While F5 has not identified the specific threat actor, the intrusion is believed to be part of a larger campaign targeting technology companies. CyberScoop
- Fake LastPass and Bitwarden Alerts Used to Compromise PCs – Cybercriminals are sending fraudulent breach notifications impersonating LastPass and Bitwarden to trick users into downloading malware. These phishing emails direct victims to malicious websites that install remote access trojans (RATs) and steal credentials. By leveraging legitimate branding and urgent messaging, the campaign aims to increase click-through rates. Security researchers note that this tactic reflects a growing trend of exploiting user trust in password managers. BleepingComputer
- Satellite Scans Uncover Massive Data Leak – Researchers monitoring satellite communications have uncovered widespread leaks of sensitive corporate and military information caused by insecure protocols. Exposed data includes internal communications, credentials, and operational details across multiple sectors. The findings underscore the risks associated with outdated satellite technology and insufficient encryption. Experts urge organizations to audit their satellite links and implement secure transmission standards to protect critical information. CyberScoop
- Authorities Shut BreachForums Amid Extortion Claims – U.S. and French law enforcement seized the BreachForums leak site just hours before the Scattered Spider group threatened to release stolen Salesforce data. Rebranding as “Scattered Lapsus$ Hunters,” the group claims to have breached Salesforce-related systems and targeted 39 high-profile customers for extortion. Although the main site was taken down, the group says its Tor-based platform remains active and plans to publish the stolen data. Salesforce has refused to pay a ransom, linking the threat to a breach at third-party vendor Salesloft. This is the fourth FBI takedown of BreachForums, which previously had more than 340,000 members. The Record
- Microsoft Revokes 200+ Certificates to Combat Ransomware – Microsoft has revoked more than 200 code-signing certificates that threat actors were using to distribute ransomware and other malware. This action is part of a broader effort to disrupt malicious campaigns that exploit legitimate developer tools. The revoked certificates were linked to loaders like Gootloader and malware families such as Black Basta. Microsoft is collaborating with partners to prevent future abuse of its signing infrastructure. SecurityWeek