Daily Brief

2025-09-04 10:07:28 | thehackernews | VULNERABILITIES | CISA Alerts on Exploited TP-Link Router Vulnerabilities
CISA has added two TP-Link router vulnerabilities, CVE-2023-50224 and CVE-2025-9377, to its Known Exploited Vulnerabilities catalog due to evidence of active exploitation. The TP-Link routers affected by these flaws have reached end-of-life status, meaning they no longer receive active support or security updates. Despite the end-of-life status, TP-Link released firmware updates in November 2024 to address these vulnerabilities in response to malicious exploitation activity. The vulnerabilities are linked to the Quad7 botnet, used by a China-linked threat actor, Storm-0940, to conduct evasive password spray attacks. Federal Civilian Executive Branch agencies are advised to implement the necessary mitigations by September 24, 2025, to protect their networks from potential threats. This alert follows a similar CISA action on another TP-Link vulnerability, CVE-2020-24363, affecting the TL-WA855RE Wi-Fi Range Extender. Organizations are encouraged to upgrade to newer hardware to ensure continued security and optimal performance against emerging threats.
2025-09-04 08:31:46 | theregister | MISCELLANEOUS | Sainsbury's Trials Facial Recognition to Combat Rising Shoplifting
Sainsbury's has initiated an eight-week trial of live facial recognition technology in two stores to address increasing shoplifting incidents and ensure staff and customer safety. The trial follows a survey indicating 63% customer support for using facial recognition to identify repeat offenders, amidst rising retail crime rates in the UK. The British Retail Consortium reports a 25% increase in theft incidents over the past year, costing the industry £2.2 billion, with significant daily violence against shopworkers. Privacy campaigners, including Big Brother Watch, express concerns over potential false accusations and privacy violations, urging a halt to the trial and government intervention. Sainsbury's CEO emphasizes the focus on identifying serious offenders, not monitoring customers, with non-recognized facial data deleted immediately to address privacy concerns. Other UK retailers, such as Asda and Iceland, are also exploring facial recognition technology to mitigate shoplifting and protect employees from rising threats and violence. The trial reflects a broader trend in the retail sector towards adopting advanced surveillance technologies to combat crime, despite ongoing privacy debates.
2025-09-04 06:05:40 | theregister | DATA BREACH | France Fines Google and SHEIN for Cookie Policy Violations
France's CNIL fined Google and SHEIN for failing to obtain user consent before deploying cookies, violating local privacy laws. Google faced a €200 million fine, with an additional €125 million penalty for Google Ireland, due to improper cookie consent practices. SHEIN was fined €150 million for similar infractions, affecting 12 million users in France who visited their website. Google's cookie consent process led to 74 million accounts being created under non-compliant conditions, impacting 53 million email users. SHEIN's opt-out process was ineffective, continuing to place cookies even when users selected "Reject All." The CNIL's actions highlight ongoing enforcement of privacy regulations, with implications for global tech companies operating in Europe. Google is reviewing the decision, while SHEIN plans to appeal, indicating potential legal challenges ahead. The fines come amid geopolitical tensions, as U.S. officials criticize foreign digital regulations impacting American tech firms.
2025-09-04 01:35:48 | theregister | NATION STATE ACTIVITY | US Offers $10M Bounty for Russian Hackers Targeting Infrastructure
The US State Department announced a $10 million reward for information on three Russian intelligence agents linked to hacking critical infrastructure through outdated Cisco systems. The agents, associated with Russia's FSB Center 16, exploited a Cisco vulnerability (CVE-2018-0171) that was patched in 2018 but still affects many unpatched systems. Over 500 energy companies in 135 countries were targeted, with attackers hijacking networking devices to install malware and harvest data. The FBI identified the Salt Typhoon campaign as responsible for widespread data theft, though that campaign's attribution to Chinese actors complicates the picture. The vulnerability lies within the Smart Install feature of Cisco IOS, affecting legacy systems that remain operational but unpatched. The campaign, active since 2012, targeted critical sectors such as oil, gas, and nuclear facilities, including the Wolf Creek nuclear plant in Kansas. The timing of the bounty raises questions, as the suspects are unlikely to enter jurisdictions with US extradition treaties. Cisco has not commented on the issue, and the bounty appears aimed at raising awareness of ongoing cybersecurity threats.
2025-09-04 00:07:52 | theregister | MISCELLANEOUS | US Lawmakers Urged to Renew Critical Cybersecurity Legislation
US security leaders are pressing Congress to renew two key cybersecurity laws before they expire, emphasizing their importance to national security. The Widespread Information Management for the Welfare of Infrastructure and Government (WIMWIG) Act aims to extend the Cybersecurity Information Sharing Act of 2015 for another decade. WIMWIG facilitates voluntary threat intelligence sharing between the private sector and government, providing legal protections to encourage collaboration. The Protecting Information by Local Leaders for Agency Resilience (PILLAR) Act seeks to continue funding state and local cybersecurity initiatives, earmarking $1 billion over four years. Both bills incorporate AI considerations, reflecting evolving cybersecurity challenges since the original legislation was enacted. The legislation emphasizes security best practices, including multi-factor authentication and secure-by-design principles, to enhance resilience. The House Homeland Security Committee has advanced both bills, but time is limited for them to be signed into law. Industry experts, including Google-owned Wiz, have endorsed the bills, citing their potential to bolster defenses across various sectors.
2025-09-03 22:06:50 | bleepingcomputer | CYBERCRIME | Threat Actors Exploit X's Grok AI to Spread Malicious Links
Cybercriminals are leveraging X's Grok AI to bypass link restrictions and disseminate harmful links, primarily through deceptive video ads containing adult content baits. Malicious links are concealed in the "From:" metadata field, which X's platform does not currently scan for harmful content, allowing these links to evade detection. Grok AI, when queried about these ads, inadvertently provides users with clickable malicious links, enhancing their credibility and reach across the platform. The malicious links often lead to scams, including fake CAPTCHA tests and information-stealing malware, posing significant security risks to users. Guardio Labs researcher Nati Tal has reported this exploit to X, but there has been no formal response or confirmation of corrective actions taken by the company. Suggested mitigations include comprehensive scanning of metadata fields and refining Grok's link response capabilities to prevent the dissemination of harmful content. This incident underscores the need for enhanced security measures in AI-driven platforms to prevent exploitation by threat actors.
2025-09-03 21:57:51 | theregister | VULNERABILITIES | Android Releases Largest Patch of 2023 Amid Active Exploitation
Google released a significant Android security update, addressing 120 vulnerabilities, marking the largest patch deployment of the year. Two high-severity vulnerabilities, CVE-2025-38352 and CVE-2025-48543, are reportedly under limited, targeted exploitation, potentially by surveillanceware entities. CVE-2025-38352 affects the Linux kernel, while CVE-2025-48543 impacts Android's runtime environment, both allowing privilege escalation without user interaction. The update also addresses critical vulnerabilities in Qualcomm components, including a CVSS 9.1-rated flaw in the GPS control system. Google’s Pixel devices will receive immediate updates, but the broader Android ecosystem, including Samsung and Motorola, may experience delays. Qualcomm has extended support for its components to eight years, aligning with Google's seven-year update policy for Pixel devices. The Hong Kong computer emergency response team has issued alerts, reinforcing the need for prompt patch application to mitigate risks.
2025-09-03 21:14:25 | theregister | VULNERABILITIES | HexStrike AI Tool Quickly Exploited in Citrix NetScaler Vulnerabilities
Cybercriminals have rapidly adopted HexStrike AI, an open-source red-teaming tool, to exploit Citrix NetScaler vulnerabilities shortly after their disclosure. The critical CVE-2025-7775 vulnerability, a pre-auth remote code execution bug, was targeted as a zero-day, allowing attackers to deploy webshells and backdoors. HexStrike AI, developed by Muhammad Osama, integrates with over 150 security tools and AI agents to automate exploit development and vulnerability scanning. Despite its intended use for defensive purposes, the tool's capabilities have been misused, reducing the time between vulnerability disclosure and exploitation. Check Point reports early indications of HexStrike AI being directed at NetScaler zero-days, though confirmed attacks are not yet verified. The tool's release has sparked debate over the balance between empowering defenders and potential misuse by adversaries. The situation underscores the need for rapid patch deployment and enhanced monitoring to mitigate emerging threats.
2025-09-03 20:05:06 | thehackernews | MALWARE | Malicious npm Packages Exploit Ethereum Contracts in Crypto Attack
Cybersecurity researchers identified two malicious npm packages that exploit Ethereum smart contracts to deploy downloader malware, targeting crypto developers. The packages were uploaded in July 2025 and have since been removed. The campaign spans npm and GitHub, deceiving developers into downloading harmful packages that appear legitimate by leveraging social engineering tactics. Once incorporated into projects, these packages fetch a next-stage payload from attacker-controlled servers, using Ethereum smart contracts to stage the URLs, a technique similar to EtherHiding. Investigation revealed the packages are linked to GitHub repositories posing as trading bots, part of a distribution-as-a-service network called the Stargazers Ghost Network. This network uses fake GitHub accounts to artificially boost repository popularity, targeting cryptocurrency developers through deceptive practices. The incident stresses the need for developers to thoroughly vet open-source libraries and their maintainers, beyond superficial metrics, to prevent such security breaches. The attack exemplifies evolving threat actor tactics to evade detection, underscoring the importance of vigilant software supply chain security.
2025-09-03 19:08:41 | bleepingcomputer | NATION STATE ACTIVITY | U.S. Offers $10 Million Bounty for Russian FSB Cyber Hackers
The U.S. Department of State announced a $10 million reward for information on three Russian FSB officers linked to cyberattacks on U.S. critical infrastructure. The officers, part of FSB's Center 16, have been connected to multiple aliases, including Berserk Bear and Dragonfly, and are accused of targeting U.S. government and energy sectors. Between 2012 and 2017, these individuals allegedly attacked over 500 foreign energy companies, including the Wolf Creek Nuclear Operating Corporation in Kansas. Recent activities involved exploiting a known vulnerability, CVE-2018-0171, in outdated Cisco devices, affecting critical infrastructure across North America, Europe, Asia, and Africa. Cisco Talos has urged organizations to patch vulnerable devices promptly to prevent further exploitation by this Russian state-sponsored group. The FBI and State Department are leveraging Tor-based channels for secure tip reporting, offering potential rewards and relocation for credible information. This initiative follows a similar reward offer for information on state hackers tied to the RedLine infostealer malware, indicating a broader strategy against Russian cyber threats.
2025-09-03 18:04:42 | bleepingcomputer | VULNERABILITIES | HexStrike-AI Tool Accelerates Exploitation of Citrix Vulnerabilities
Check Point Research reports the use of HexStrike-AI, an AI-powered tool, in exploiting newly disclosed Citrix vulnerabilities, including CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. HexStrike-AI, originally a legitimate red teaming tool, has been adapted by hackers to automate penetration testing and vulnerability exploitation, significantly reducing attack preparation time. Nearly 8,000 endpoints remain vulnerable to CVE-2025-7775, down from 28,000 the previous week, indicating ongoing risk to organizations. The tool's AI-driven capabilities allow threat actors to automate scanning, exploit crafting, and payload delivery, compressing the window from vulnerability disclosure to mass exploitation. Hackers have reportedly used HexStrike-AI for remote code execution and for deploying webshells on compromised Citrix NetScaler instances, some of which are being sold on dark web forums. This development challenges system administrators to patch vulnerabilities rapidly, as the time between disclosure and exploitation continues to shrink. Check Point advises enhancing defenses with AI-driven tools, early threat intelligence, and adaptive detection to counteract the increased speed and volume of attacks.
2025-09-03 17:55:51 | bleepingcomputer | DATA BREACH | US DOJ Sues Toy Maker for Children's Data Privacy Violations
The U.S. Department of Justice has filed a lawsuit against Apitor Technology for allegedly allowing unauthorized data collection of children's geolocation information by a Chinese third party. The Federal Trade Commission claims Apitor violated the Children's Online Privacy Protection Rule by not obtaining parental consent before collecting data through its robot toy app. Apitor's app, used to control toy robots, employed a third-party SDK, JPush, which collected precise location data for purposes like targeted advertising. Under a proposed settlement, Apitor must ensure third-party compliance with COPPA, notify parents before data collection, and pay a $500,000 penalty, which is currently on hold. The company is required to delete all collected personal information and retain data only as necessary, ensuring future compliance with privacy regulations. This case underscores the importance of transparency and compliance in handling children's data, highlighting the legal risks of failing to protect minors' privacy. The FTC's action against Apitor follows a similar case involving Disney, emphasizing increased regulatory scrutiny on companies handling children's online data.
2025-09-03 17:29:46 | theregister | CYBERCRIME | AI Tools Transforming Ransomware Landscape, Lowering Entry Barriers
ESET researchers identified PromptLock, the first known AI-powered ransomware, highlighting AI's role in evolving cybercrime tactics. Although not fully operational, it poses a future threat to organizations. PromptLock variants for Windows and Linux were found on VirusTotal, suggesting cybercriminals are testing AI-driven malware against antivirus systems. Anthropic reported a cybercrime group using its Claude Code AI in a data extortion scheme affecting 17 organizations, with ransom demands up to $500,000. AI tools are being leveraged for automated reconnaissance, target discovery, and malware creation, signaling a shift in cybercrime operations towards AI-driven models. Congressional testimony revealed a 456% rise in GenAI-enabled scams, including deepfake extortion videos and advanced phishing emails, indicating a rapid escalation in AI-fueled threats. Ransomware-as-a-service operations, like Global Group, are using AI chatbots to automate victim interactions, reducing human workload and scaling operations more efficiently. Experts warn that AI is enhancing ransomware capabilities, from crafting phishing content to automating negotiation, narrowing the gap between traditional and AI-augmented criminal activities.
2025-09-03 16:46:31 | bleepingcomputer | DATA BREACH | Workiva Data Breach Linked to Salesforce Attack by ShinyHunters
Workiva, a prominent SaaS provider, experienced a data breach through a compromised third-party CRM system, affecting some of its high-profile clients' business contact information. The breach involved exfiltration of names, email addresses, phone numbers, and support ticket content, though the core Workiva platform remained secure. The attack is part of a broader campaign by the ShinyHunters extortion group, targeting Salesforce customers using voice phishing and stolen OAuth tokens. Impacted organizations include major corporations such as Google, Cisco, and Allianz Life, with potential exposure to spear-phishing risks. Workiva has advised customers to stay vigilant against phishing attempts, emphasizing that official communications will not request sensitive information via text or phone. The incident reflects a growing trend of sophisticated attacks on CRM systems, highlighting the need for enhanced security measures and vigilance in third-party integrations.
2025-09-03 16:46:31 | bleepingcomputer | CYBERCRIME | Authorities Dismantle Streameast, Major Illegal Sports Streaming Network
Egyptian authorities and the Alliance for Creativity and Entertainment (ACE) have shut down Streameast, a major illegal sports streaming network, and arrested two individuals linked to the operation. Streameast offered free, ad-supported access to HD sports streams taken from licensed broadcasters, operating 80 domains with 136 million monthly visits. The platform streamed unauthorized content from major soccer leagues and U.S. sports, including the NFL, NBA, and MLB, as well as international competitions. Initial signs of disruption appeared six days ago, with users reporting access issues; ACE confirmed the shutdown, carried out with the assistance of Egyptian authorities. The operation was linked to a UAE shell company used to launder $6.2 million in advertising revenue and $200,000 in cryptocurrency. Confiscated items included laptops, smartphones, cash, and credit cards; the arrests took place in El-Sheikh Zaid, Egypt. While 80 domains now redirect to ACE's "Watch Legally" site, some domains remain active, suggesting that not all were seized or that new ones were quickly registered.