Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-09-10 08:03:54 | thehackernews | CYBERCRIME | Salty2FA Phishing Kit Threatens US and EU Enterprises' Security | Researchers at ANY.RUN have identified Salty2FA, a new phishing kit targeting US and EU enterprises, capable of bypassing multiple two-factor authentication methods. Salty2FA poses a significant threat to industries such as finance, energy, and telecommunications by facilitating account takeovers through credential theft. The phishing kit employs a multi-stage execution chain, including convincing email lures and fake login pages, to intercept credentials and 2FA codes. Campaigns using Salty2FA have been active since late July 2025, with early traces potentially dating back to March, impacting numerous enterprises across regions. Security Operations Centers (SOCs) are advised to focus on behavioral patterns and response speed, as static indicators like domains or hashes change frequently. Interactive sandboxing tools, such as ANY.RUN, are recommended to enhance threat visibility and reduce investigation times, providing critical insights into evolving phishing tactics. Enterprises are encouraged to adopt these advanced defenses to transform Salty2FA from a hidden risk into a manageable threat, ensuring robust protection against phishing attacks. |
| 2025-09-10 03:34:00 | theregister | VULNERABILITIES | SAP and Microsoft Patch Critical Flaws in September Updates | SAP's latest update addresses four critical vulnerabilities in NetWeaver, including a deserialization flaw (CVE-2025-42944) with a perfect 10 CVSS score, requiring immediate attention from users. Microsoft's Patch Tuesday brought eight critical fixes, notably CVE-2025-55232, which poses a risk of remote code execution in High Performance Compute environments, urging admins to monitor TCP port 5999. Microsoft also released patches for Excel, Defender Firewall, and Hyper-V, addressing elevation of privilege and other critical security issues. Adobe issued 22 patches, with a priority fix for a file system overwriting bug in ColdFusion and critical updates for Adobe Commerce, Magento, and Acrobat. Android released its largest patch bundle of the year with 120 fixes, including two actively exploited vulnerabilities, highlighting the need for prompt updates by OEMs. Cisco addressed a high-severity denial-of-service vulnerability in its Secure Firewall ASA software, emphasizing the importance of rapid deployment of security patches. Organizations are advised to prioritize these updates to mitigate potential exploitation and maintain system integrity across diverse platforms. |
| 2025-09-10 01:11:43 | thehackernews | VULNERABILITIES | Critical Adobe Commerce Flaw CVE-2025-54236 Threatens Customer Accounts | Adobe has identified a critical security flaw, CVE-2025-54236, in its Commerce and Magento Open Source platforms, potentially allowing attackers to control customer accounts. The vulnerability, named SessionReaper, scores 9.1 on the CVSS scale and involves improper input validation via the Commerce REST API. Adobe has issued a hotfix and implemented web application firewall rules to protect against potential exploitation attempts targeting its cloud infrastructure. E-commerce security firm Sansec notes SessionReaper's severity, comparing it to past significant Magento vulnerabilities like Shoplift and TrojanOrder. The flaw involves a malicious session and a nested deserialization bug, with multiple exploitation paths, including a remote code execution vector requiring file-based session storage. Merchants using Redis or database sessions are advised to take immediate action, as various avenues exist to exploit this vulnerability. Adobe has also addressed a critical path traversal vulnerability in ColdFusion, CVE-2025-54261, which could lead to arbitrary file system writes, affecting multiple versions across platforms. |
| 2025-09-10 01:05:03 | thehackernews | VULNERABILITIES | SAP Releases Critical Patches for NetWeaver and S/4HANA Flaws | SAP issued security updates addressing critical vulnerabilities in NetWeaver, with a CVSS score up to 10.0, posing risks of code execution and arbitrary file uploads. An unauthenticated attacker could exploit CVE-2025-42944 to execute arbitrary OS commands, potentially compromising the entire application. As a temporary measure, SAP recommends adding P4 port filtering at the ICM level to block unauthorized access. A high-severity bug in SAP S/4HANA (CVE-2025-42916) could allow high-privilege users to delete database table contents without proper authorization. Recent disclosures revealed active exploitation of another critical S/4HANA flaw (CVE-2025-42957), emphasizing the need for timely patch application. Organizations are urged to apply the latest patches promptly to safeguard against potential exploitation and maintain system integrity. |
| 2025-09-09 21:46:59 | theregister | VULNERABILITIES | Recent npm Supply Chain Attack Exposes Ecosystem Fragility | A recent supply chain attack compromised npm packages, affecting approximately 10% of cloud environments, with malware-laden versions available for two hours. Attackers exploited a phishing email to reset two-factor authentication on a developer's account, injecting cryptocurrency-stealing malware into popular packages. Despite the potential for significant financial impact, attackers only managed to steal $925 in cryptocurrency, highlighting operational missteps. The attack primarily resulted in a denial-of-service effect, consuming significant time and resources as organizations worked to mitigate risks. The incident underscores the vulnerability of the JavaScript ecosystem, where many packages rely on utilities maintained by single developers. Security experts advise vigilance against phishing and credential theft, which remain prevalent methods for compromising trusted infrastructure. Organizations are urged to review their software supply chain security practices to prevent similar incidents in the future. |
| 2025-09-09 20:28:29 | bleepingcomputer | CYBERCRIME | U.S. Sanctions Southeast Asian Cyber Scam Networks Exploiting Americans | The U.S. Department of the Treasury sanctioned cyber scam networks in Southeast Asia, responsible for defrauding Americans of over $10 billion in 2024. These operations, based in Burma and Cambodia, employ forced labor and human trafficking, operating as modern slavery farms for online fraud. The scams include romance baiting and fake cryptocurrency investments, with a 66% increase in financial damage reported compared to 2023. Sanctions target nine entities linked to the Karen National Army in Burma and ten linked to organized crime networks in Cambodia. The sanctions, based on multiple Executive Orders, block these entities from the U.S. financial system and freeze any U.S.-held assets. While no arrests have been made, the sanctions aim to isolate these groups financially and legally, limiting their global operational capabilities. |
| 2025-09-09 20:12:46 | theregister | VULNERABILITIES | DoD Finalizes Cybersecurity Certification Rule for Contractors | The Defense Department has finalized a rule mandating contractor compliance with the Cybersecurity Maturity Model Certification (CMMC) program, effective November 9. This move aims to enhance cybersecurity across the defense industrial base. Contractors must meet one of three CMMC levels based on the sensitivity of unclassified data they handle. Compliance is required for contract eligibility with the DoD. CMMC Level 1 requires an annual self-assessment, Level 2 typically demands a third-party audit, and Level 3 necessitates a government-led assessment, ensuring rigorous cybersecurity standards. Requirements include controlling access to sensitive data, user authentication, physical security measures, regular software updates, and prompt incident reporting and remediation. The rule places responsibility on both contractors and DoD contracting officers, who must specify CMMC levels in solicitations and verify vendor compliance before awarding contracts. The finalized rule follows contractor feedback and revisions to the CMMC, addressing industry concerns while maintaining robust cybersecurity requirements. Acting DoD CIO Katherine Arrington emphasized the importance of prioritizing U.S. national security through compliance with these cyber standards. |
| 2025-09-09 19:19:44 | bleepingcomputer | MALWARE | Evolving Docker API Exploits Signal Rising Botnet Threats | Cybersecurity firms Trend Micro and Akamai report on new threats targeting exposed Docker APIs, evolving from cryptomining to more complex botnet capabilities. Attackers utilize Tor to conceal identities, deploying modified Alpine Linux images to execute malicious code on vulnerable Docker hosts. The infection process involves installing tools for scanning and propagation, enabling persistent SSH access, and blocking external access to Docker APIs. A Zstandard-compressed Go binary is used as a dropper, facilitating further malware deployment and autonomous node infection. Researchers note inactive logic for potential future exploits, including Telnet and Chrome's remote debugging interface, indicating possible expansion into credential theft and DDoS attacks. The findings suggest a shift from opportunistic Docker exploitation to a sophisticated multi-vector threat with capabilities for lateral movement and persistence. Organizations are advised to secure Docker API endpoints and monitor for unusual network activity to mitigate potential botnet formation risks. |
| 2025-09-09 17:58:47 | theregister | VULNERABILITIES | Pentagon Addresses Security Flaw in Social Media Stream Keys | The U.S. Department of Defense inadvertently exposed stream keys on its public DVIDS website, risking unauthorized control over its social media broadcasts. Stream keys, crucial for secure broadcasting, were accessible through simple web searches or browsing sequential URLs, posing a significant security risk. This vulnerability affected high-profile events, including the U.S. Cyber Command ceremony and West Point commencement, by exposing keys for platforms like YouTube and Facebook. The Defense Department has since rectified the issue by implementing new stream keys and discontinuing the practice of publicly posting them. The incident highlights ongoing security challenges within the Pentagon, following previous concerns about cloud service management and data handling. This oversight underscores the importance of stringent cybersecurity protocols, especially in safeguarding sensitive military communications. Organizations are reminded to regularly audit and secure digital access points to prevent unauthorized use and potential reputational damage. |
| 2025-09-09 17:58:46 | bleepingcomputer | VULNERABILITIES | Microsoft Releases Windows 10 KB5065429 Update with Key Security Fixes | Microsoft has issued the KB5065429 update for Windows 10 versions 22H2 and 21H2, addressing critical security and performance issues. The update is mandatory, incorporating September 2025 Patch Tuesday security updates, fixing two zero-day vulnerabilities and 81 other flaws. Key fixes include resolving unexpected User Account Control (UAC) prompts and performance issues with NDI streaming software. New features include auditing capabilities for SMB client compatibility and options for administrators to manage outbound network traffic. The update supports business continuity with the introduction of Windows Backup for Organizations, aiding seamless device transitions. Microsoft assures there are no known issues with this update, emphasizing its importance for maintaining system security and performance. Users can install the update via Windows Update or download it from the Microsoft Update Catalog, with automatic installation upon checking for updates. |
| 2025-09-09 17:46:36 | bleepingcomputer | VULNERABILITIES | Microsoft September 2025 Patch Tuesday Addresses 81 Security Flaws | Microsoft released security updates for 81 vulnerabilities, including two zero-day flaws, as part of its September 2025 Patch Tuesday initiative. The update addresses nine critical vulnerabilities, with five related to remote code execution, one to information disclosure, and two to privilege elevation. Two zero-day vulnerabilities were patched: one in Windows SMB Server and another in Microsoft SQL Server's Newtonsoft.Json component. The Windows SMB vulnerability could allow relay attacks leading to privilege escalation, prompting recommendations for enabling SMB Server Signing and Extended Protection for Authentication. The Newtonsoft.Json flaw in SQL Server could result in denial of service through a StackOverflow exception, affecting systems using the JsonConvert.DeserializeObject method. Administrators are advised to audit SMB servers for compatibility issues when implementing recommended security hardening measures. These updates are crucial for maintaining system security and preventing potential exploitation by attackers leveraging these vulnerabilities. |
| 2025-09-09 17:37:42 | bleepingcomputer | CYBERCRIME | Kosovo Hacker Admits to Operating BlackDB Cybercrime Marketplace | Liridon Masurica, a Kosovo national, pleaded guilty to running BlackDB.cc, a cybercrime marketplace active since 2018, focusing on selling compromised accounts and stolen personal data. U.S. authorities extradited Masurica in May 2025 after his arrest by Kosovar authorities in December 2024, highlighting international law enforcement cooperation. BlackDB.cc facilitated various illicit activities, including credit card fraud and identity theft, by selling sensitive information to cybercriminals worldwide. Masurica faces up to 55 years in federal prison if convicted on all charges, which include fraudulent use of unauthorized access devices. The FBI, in collaboration with Kosovo Police and other international agencies, played a crucial role in the investigation and extradition process. Recent law enforcement actions have targeted multiple cybercrime marketplaces, indicating ongoing efforts to dismantle criminal networks globally. The case underscores the persistent threat of cybercrime marketplaces and the importance of international cooperation in combating cyber threats. |
| 2025-09-09 17:07:33 | theregister | DATA BREACH | HelloGym Exposes 1.6 Million Fitness Call Recordings Online | Security researcher Jeremiah Fowler discovered an unprotected AWS database containing 1.6 million audio recordings from HelloGym, affecting major fitness brands like Anytime Fitness and UFC Gym. The recordings included sensitive information such as names, phone numbers, and payment discussions, posing significant privacy and security risks to customers and staff. The database was accessible without encryption or password protection, allowing potential exploitation by cybercriminals for social engineering attacks or identity theft. Fowler reported the breach to The Register, leading to the database's shutdown after being exposed for a week. The breach highlights vulnerabilities in data storage practices, emphasizing the need for encryption and regular security audits to prevent unauthorized access. There is a potential risk of voice cloning and deepfake scams using the exposed audio, as AI tools can replicate voices with minimal audio input. Organizations are advised to implement robust data protection measures, including encryption, penetration testing, and data segmentation, to mitigate future breaches. |
| 2025-09-09 16:15:27 | bleepingcomputer | CYBERCRIME | U.S. Charges Ukrainian National in Major Ransomware Operations | The U.S. Department of Justice has charged Volodymyr Tymoshchuk, a Ukrainian national, for his involvement in the LockerGoga, MegaCortex, and Nefilim ransomware operations. Tymoshchuk, known online by several aliases, allegedly breached over 250 companies' networks between 2019 and 2021, causing millions in damages. His role included serving as an administrator for Nefilim ransomware, facilitating access for affiliates in exchange for a percentage of ransom proceeds. Group-IB linked Tymoshchuk to other ransomware gangs, aiding in affiliate recruitment on Russian-speaking hacker forums since 2019. The attacks targeted major U.S. companies and international firms, with some incidents causing complete business disruptions until data recovery. Free decryptors for LockerGoga and MegaCortex were released in 2022 as part of a global effort to counter these cybercrime rings. The U.S. State Department offers up to $11 million for information leading to the capture or conviction of Tymoshchuk or his accomplices. |
| 2025-09-09 15:55:46 | bleepingcomputer | VULNERABILITIES | Adobe Issues Critical Patch for Magento SessionReaper Vulnerability | Adobe released a crucial patch addressing CVE-2025-54236, known as SessionReaper, affecting Commerce and Magento Open Source platforms. The flaw allows unauthorized account control via the Commerce REST API. The vulnerability is considered one of the most severe in Magento's history, with potential for large-scale automation exploitation if not addressed promptly. Adobe preemptively informed select customers of the upcoming patch, with a web application firewall rule deployed as an interim protection measure for Commerce on Cloud users. No active exploitation of SessionReaper has been reported, though a leaked hotfix could enable threat actors to develop exploits. Successful exploitation relies on session data stored on the file system, a common default setting for most Magento stores. Administrators are urged to apply the patch immediately, despite potential disruptions to custom or external code due to disabled internal Magento functionality. The vulnerability shares characteristics with past critical issues like CosmicSting and Shoplift, previously used for session forging and privilege escalation. |