
DNV Cyber Threat Insights, September 2025

by admin

DNV Cyber has launched a new initiative to share complimentary cybersecurity insights from our dedicated threat intelligence team. To receive future threat insights emails from DNV Cyber, please subscribe here.

You can view these threat insights in full below and can download them as easily shareable PowerPoint slides.

Here is a selection of recent threat insights curated by our specialists. We hope you find this valuable:

  • Critical infrastructure organizations lack visibility of supply chain vulnerabilities
  • Cloud misconfigurations are exposing sensitive data
  • Phishing and malware campaign against shipping exploits ‘hidden’ information
  • A Zero-Day In SAP: SAP NetWeaver flaw being exploited
  • Privilege management vulnerabilities in Schneider Electric engineering apps
  • Malicious PDF editors bypass typical vigilance through Google advertising

Click to download the PowerPoint slides.

Trends

Critical infrastructure organizations lack visibility of supply chain vulnerabilities

Just half of professionals working in critical infrastructure are confident that their organization has full visibility of the cybersecurity vulnerabilities that may expose their supply chain, according to DNV’s Cyber Priority research. A third believe that cyber threat actors may have already infiltrated their supply chain, but that their suppliers have failed to report it.

Discuss:

  • Do you have oversight of the potential vulnerabilities in your supply chain?
  • Do you have cybersecurity obligations built into contracts with suppliers?

Recommendations:

  • Address cybersecurity requirements in procurement and supplier contracts
  • Understand your attack surface by employing tools and services that detect your unknown unknowns
  • Employ continuous detection and response capabilities to identify and reduce the impact of breaches that originate from a third party.

You can’t secure what you don’t know

Cloud misconfigurations are exposing sensitive data

Moving systems and data to the cloud can increase security, but only if implemented correctly. A recent analysis by Cyble shows the impact of mismanaged cloud services, with the threat intelligence firm uncovering over 200 billion files exposed across cloud storage buckets from seven major providers. The exposures stem from misconfigurations, leaving sensitive data like credentials, source code, and internal backups publicly accessible. Despite cloud storage being private by default, complexities in sharing and access controls often lead to unintended public exposure. The findings underscore the critical need for organizations to implement robust cloud security measures.

Discuss:

  • Is your cloud storage configured correctly? When did you last check?

Recommendations:

  • Regularly audit cloud storage configurations
  • Implement strong access controls, such as multi-factor authentication and least privilege
  • Monitor for exposed data, including leaked and stolen credentials.

It isn’t always the bad guy’s fault
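As a concrete form of the audit recommended above, the following added example (not part of the DNV briefing) evaluates exported bucket configurations offline and reports which ones are effectively public. It assumes Amazon S3-style policy, ACL and Block Public Access fields; the bucket names and configurations are constructed, and treating any `Condition` as "needs review" is a simplification.

```python
# Added example: offline audit of exported S3-style bucket configurations.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

def _wildcard(principal):
    """True when the policy principal is '*' or {'AWS': '*'}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def audit_bucket(cfg):
    """Return findings for one bucket; an empty list means no public grant."""
    pab = cfg.get("public_access_block") or {}
    findings = []
    for grant in cfg.get("acl_grants", []):
        # IgnorePublicAcls neutralises existing public ACLs; BlockPublicAcls
        # only rejects new ones, so it does not clear this finding.
        if grant.get("grantee_uri") == ALL_USERS and not pab.get("IgnorePublicAcls"):
            findings.append(f"PUBLIC acl grant: {grant['permission']}")
    for st in (cfg.get("policy") or {}).get("Statement", []):
        if st.get("Effect") != "Allow" or not _wildcard(st.get("Principal")):
            continue
        # RestrictPublicBuckets limits a public policy to in-account use;
        # BlockPublicPolicy only stops new public policies being attached.
        if pab.get("RestrictPublicBuckets"):
            continue
        actions = st.get("Action")
        actions = [actions] if isinstance(actions, str) else actions
        level = "REVIEW conditional" if st.get("Condition") else "PUBLIC"
        findings.append(f"{level} policy grant: {','.join(actions)}")
    return findings

# Constructed sample export: four buckets with different control combinations.
SAMPLE = {
    "example-backups": {"public_access_block": {"BlockPublicPolicy": True},
        "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                                  "Action": "s3:GetObject"}]}},
    "example-site-assets": {"public_access_block": {"IgnorePublicAcls": True},
        "acl_grants": [{"grantee_uri": ALL_USERS, "permission": "READ"}]},
    "example-partner-share": {"policy": {"Statement": [{"Effect": "Allow",
        "Principal": {"AWS": "*"}, "Action": ["s3:GetObject", "s3:ListBucket"],
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}},
    "example-legacy-logs": {"acl_grants": [{"grantee_uri": ALL_USERS,
                                            "permission": "READ"}]},
}

def audit_all(buckets):
    """Map bucket name -> findings, omitting buckets with none."""
    return {n: f for n, c in buckets.items() if (f := audit_bucket(c))}

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE).items():
        print(name, found)
```

The `example-backups` case shows why a periodic check matters: a setting that blocks new public policies does nothing about one that was attached earlier.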

Vulnerabilities

Phishing and malware campaign against shipping industry exploits ‘hidden’ information    

CyberOwl, a DNV company, has observed a phishing and malware campaign targeting organizations involved in the trading of Iranian oil and gas, but which has also spread to others in the trading ecosystem, including maritime operators. This attack included the use of steganography techniques, which conceal data inside digital media such as images, audio tracks, video clips, or text files, so that the hidden information is not detected.

Discuss:

  • Have you implemented best practices when it comes to phishing, including employee awareness and technical solutions?
  • Have you assessed geopolitical tensions and the risks that may have an impact on your organization?

Recommendations:

Hiding malicious code in plain sight

A Zero-Day In SAP: SAP NetWeaver flaw being exploited   

Cybercriminal groups BianLian and RansomExx have been observed exploiting a critical vulnerability in SAP NetWeaver (CVE-2025-31324). This flaw allows attackers to upload malicious files without authentication, leading to remote code execution. The flaw can also apparently be used in conjunction with known exploits to pack a more powerful punch. Evidence suggests that the Qilin ransomware group exploited this SAP vulnerability weeks before it was publicly disclosed. 

Arla Foods, a Danish-Swedish multinational cooperative, suffered a cyberattack that left a dairy facility in Germany offline for nearly two weeks, disrupting the production of skyr and yogurt. The attack is believed to have exploited the critical vulnerability in SAP NetWeaver software. 

Discuss:

  • Does your organization use SAP NetWeaver?

Recommendations:

  • Apply SAP security note patches 
  • Check the root of the identified OS directories for the presence of specific files associated with these attacks (link above)
  • If you suspect your assets may have been compromised, consider a DFIR investigation
  • Follow the vulnerability landscape of the software you use and apply patches when necessary

Privilege management vulnerabilities in Schneider Electric engineering apps

Schneider Electric’s Vijeo Designer and Easergy Studio software have been found to contain significant security vulnerabilities. Vijeo Designer, a crucial Human-Machine Interface (HMI) engineering software used in industrial settings, has a high-severity flaw in its privilege management system. This vulnerability allows non-admin users to tamper with system files and potentially gain unauthorized access to critical systems. Schneider Electric has released updates to fix these issues. The vulnerabilities were discovered by Charit Misra of DNV Cyber.   

Discuss:

  • Does your organization use Schneider Electric engineering applications?

Recommendations:

  • Apply the recommended patches from Schneider Electric
  • Read our security advisory about the vulnerability, including mitigations to keep your organization resilient
  • Follow best practices for securing operational technology (OT) environments. DNV Cyber’s Building a Robust OT Security Programme series of publications is a good place to start.

Malicious PDF editors bypass typical vigilance through Google advertising

Starting around late June 2025, attackers orchestrated a large-scale malvertising campaign dubbed ‘TamperedChef’ using Google Ads to steer victims to dozens of newly created domains masquerading as legitimate download pages for PDF editors like “AppSuite PDF Editor,” “PDF Editor,” and “PDF OneStart”. The software worked normally for almost two months before the malicious activity started, giving attackers both reach and stealth.

In August, a dormant backdoor in these executables activated to turn them into covert proxies exhibiting information stealing behaviors. By abusing trusted advertising platforms and everyday software categories, attackers effectively bypassed typical vigilance.

Discuss:

  • Is your organization aware and vigilant against SEO poisoning and malvertising attacks?
  • Are you sufficiently managing the procurement of software in your company to prevent such attacks?

Recommendations:

  • Train users to only download tools from verified, official sites
  • Deploy web filtering and ad-blocking solutions to block known malicious ad networks and domains
  • Monitor for rare and unusual scheduled tasks and registry changes.

No such thing as a free PDF editor
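One way to act on the "rare and unusual scheduled tasks" recommendation is least-frequency analysis across a fleet inventory. The sketch below is an added example, not part of the DNV briefing; the host names, task names, paths and the 5% threshold are all constructed assumptions, and it takes rows exported from whatever endpoint tooling is already in place.

```python
# Added example: flag scheduled tasks that exist on only a few hosts.
from collections import defaultdict

# Directories a standard user can usually write to (assumed list).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

def rare_tasks(rows, max_share=0.05):
    """rows: (host, task_name, action_path) tuples from a fleet inventory.

    Returns tasks present on at most max_share of hosts, with those that
    launch from user-writable locations listed first.
    """
    hosts = {h for h, _, _ in rows}
    seen = defaultdict(set)
    for host, name, action in rows:
        seen[(name.lower(), action.lower())].add(host)
    out = []
    for (name, action), on in seen.items():
        share = len(on) / len(hosts)
        if share <= max_share:
            out.append({
                "task": name,
                "action": action,
                "hosts": sorted(on),
                "share": round(share, 3),
                "user_writable": any(d in action for d in USER_WRITABLE),
            })
    return sorted(out, key=lambda r: (not r["user_writable"], r["share"]))

def sample_inventory():
    """Constructed inventory: 40 workstations, one common and two rare tasks."""
    rows = [(f"ws{i:02d}", "\\Vendor\\AgentUpdate",
             "C:\\Program Files\\Vendor\\agent.exe") for i in range(40)]
    rows += [(h, "\\ExampleEditor\\Sync",
              "C:\\Users\\demo\\AppData\\Local\\ExampleEditor\\sync.exe")
             for h in ("ws03", "ws17")]
    rows.append(("ws22", "\\LabTool\\Calibrate",
                 "C:\\Program Files\\LabTool\\cal.exe"))
    return rows

if __name__ == "__main__":
    for hit in rare_tasks(sample_inventory()):
        print(hit)
```

In a real inventory, per-user profile paths should be normalised before counting so that the same task installed under different user names is grouped together.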

We hope these threat insights inform your cyber priorities, encourage discussion, and make your organization more resilient.
Subscribe to receive threat insights from DNV Cyber
Best regards,
DNV Cyber Threat Intelligence

DNV Cyber gathers and analyses intelligence from both open sources and our own resources. View our threat insights and security advisories. Our threat intelligence service provides deeper insights and curates intelligence specifically for your business.
