Daily Brief
Articles are listed below; the summaries are generated automatically, and each row's 'Details' link opens the full entry.
Total articles found: 11783
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-08-15 16:26:20 | thehackernews | NATION STATE ACTIVITY | Chinese APT UAT-7237 Targets Taiwanese Web Servers with Custom Tools | Cisco Talos has identified UAT-7237, a Chinese-speaking APT group, targeting Taiwanese web infrastructure for long-term access using customised open-source tools.
The group is assessed to be a sub-group of UAT-5918, which has attacked Taiwan's critical infrastructure since 2023; UAT-7237 itself has been active since at least 2022.
UAT-7237 uses a custom shellcode loader, SoundBill, to deploy secondary payloads such as Cobalt Strike, and installs SoftEther VPN for persistent access.
Initial access comes from exploiting known vulnerabilities in unpatched servers, followed by reconnaissance to decide whether the target is worth further exploitation.
JuicyPotato is used for privilege escalation and Mimikatz for credential extraction; recent SoundBill builds embed Mimikatz directly.
Language settings in the group's VPN client configuration indicate Chinese-speaking operators.
The report coincides with Intezer's identification of a new variant of the FireWood backdoor, attributed with low confidence to the China-aligned Gelsemium group.
Both findings show state-sponsored actors continuing to refine their tooling against critical infrastructure. | Details |
| 2025-08-15 15:25:39 | bleepingcomputer | CYBERCRIME | WarLock Ransomware Claims Attack on Colt Technology Services | Colt Technology Services is dealing with a cyberattack that has caused a multi-day outage of its hosting, number-porting and Voice API platforms. The attack began on August 12 and affects operations across 30 countries.
Initially described as a "technical issue", the incident was later confirmed as a cyberattack; Colt took specific systems offline, which disrupted customer communication and support services.
The WarLock ransomware group has claimed responsibility and is offering to sell one million documents allegedly stolen from Colt, including financial, employee and customer data, for $200,000.
Security researcher Kevin Beaumont suggests the breach likely involved CVE-2025-53770, a remote code execution vulnerability in on-premises Microsoft SharePoint Server that Microsoft patched in July.
Colt has notified authorities but has not provided details about the perpetrators or the attack type, and restoration timelines for affected systems remain uncertain.
The outage shows how one compromised system can disrupt a telecoms provider's services across many countries.
It is also a reminder that the suspected entry point was a publicly known flaw with a patch available weeks before the attack, which is why timely patch management and vulnerability assessment matter. | Details |
| 2025-08-15 14:03:33 | bleepingcomputer | VULNERABILITIES | Cisco Addresses Critical RCE Vulnerability in Firewall Management Center | Cisco has disclosed CVE-2025-20265, a critical remote code execution vulnerability in its Secure Firewall Management Center (FMC) software, affecting enterprise and government deployments that use RADIUS authentication for the web management interface or SSH.
The flaw is rated CVSS 10.0 and lets an unauthenticated remote attacker execute arbitrary shell commands with high privileges by submitting crafted input during the RADIUS authentication phase.
Affected versions are FMC 7.0.7 and 7.7.0; Cisco has released free software updates, available through the usual channels to customers with valid service contracts.
There is no workaround, but as a mitigation Cisco suggests disabling RADIUS authentication in favour of local user accounts, external LDAP authentication or SAML single sign-on, after assessing the impact on the environment.
The vulnerability was found during Cisco's internal security testing, and Cisco is not aware of any exploitation in the wild.
Alongside this critical fix, Cisco addressed 13 high-severity vulnerabilities across various products and urges customers to apply the latest updates. | Details |
| 2025-08-15 11:47:21 | theregister | VULNERABILITIES | Citrix Vulnerabilities Disrupt Dutch Speed Camera Operations Nationwide | An intrusion exploiting Citrix NetScaler vulnerabilities has disrupted the Dutch Public Prosecution Service (Openbaar Ministerie), keeping speed cameras across the Netherlands offline since July 17.
Fixed, average-speed and flex cameras, mainly on A and N roads, cannot be reactivated while the service's systems are down.
The Public Prosecution Service is restoring systems in phases to limit further disruption, starting with email.
Because its systems interconnect with the judiciary and law enforcement agencies, restoration has to be coordinated carefully with those partners.
The Dutch NCSC reported that the vulnerabilities, including CVE-2025-5777 ("CitrixBleed 2"), were exploited as early as May, affecting several critical organisations in the country.
The outage hampers traffic enforcement and shows how a single exposed remote-access gateway can take down a chain of interconnected systems.
The Public Prosecution Service is working with partners and stakeholders to limit the impact on victims, suspects and the justice system. | Details |
| 2025-08-15 11:47:20 | bleepingcomputer | VULNERABILITIES | Plex Urges Immediate Update to Address Media Server Vulnerability | Plex has urged users to update Plex Media Server urgently because of a security flaw affecting versions 1.41.7.x through 1.42.0.x; no CVE identifier has yet been assigned.
The vulnerability was reported through Plex's bug bounty program, and a patched build, 1.42.1.10060, is now available for download.
Plex has not disclosed details of the flaw and advises users to update promptly, before threat actors work out how to exploit it.
Direct notification of this kind is unusual for Plex, which suggests the issue is serious.
An earlier Plex Media Server flaw, CVE-2020-5741, was later exploited against an engineer's unpatched home server in the 2022 LastPass breach, a reminder that self-hosted software left unpatched can be the weakest link.
The urgency is heightened because attackers routinely diff patched and unpatched builds to reconstruct an undisclosed flaw and develop an exploit.
Unpatched vulnerabilities can lead to unauthorised access and data breaches, as previous Plex-related incidents have shown. | Details |
| 2025-08-15 11:31:33 | thehackernews | CYBERCRIME | U.S. Sanctions Target Russian Crypto Exchanges Garantex and Grinex | The U.S. Treasury's OFAC has re-designated Russian crypto exchange Garantex, which has processed over $100 million in illicit transactions linked to ransomware and other cybercrime since 2019.
The sanctions now extend to Grinex, Garantex's successor, three Garantex executives, and six associated companies in Russia and Kyrgyzstan.
Garantex was first sanctioned in April 2022 for facilitating transactions for the Hydra darknet market and ransomware groups such as Conti.
Despite a law enforcement takedown in March 2025, Garantex rebranded as Grinex and continued to process significant volumes, with 82% of that activity reportedly linked to sanctioned entities.
Garantex's infrastructure and customer deposits were moved to Grinex, which has facilitated billions of dollars in cryptocurrency transactions since its inception.
The U.S. Department of State has offered rewards for information leading to the arrest of Garantex's leaders, including up to $5 million for co-founder Aleksandr Mira Serda.
Separately, the U.S. DoJ has seized over $2.8 million in cryptocurrency linked to ransomware activity as part of broader efforts to disrupt cybercrime networks.
Grinex's use of the rouble-backed A7A5 token illustrates the ongoing difficulty of curbing illicit finance through cryptocurrency platforms. | Details |
| 2025-08-15 11:04:13 | thehackernews | MISCELLANEOUS | Rethinking Privacy: Navigating Trust in the Age of Agentic AI | Agentic AI, which makes and acts on decisions autonomously on a user's behalf without constant oversight, is reshaping privacy and raising new questions about trust.
These systems interpret and act on sensitive data, which can change how users interact and make decisions in both personal and professional settings.
Traditional privacy frameworks such as GDPR and CCPA may prove inadequate because they assume discrete, linear data transactions, whereas agentic AI acts contextually and continuously.
Privacy may erode not through data breaches but through shifts in power and purpose, as AI systems infer, share or suppress information on their own initiative.
Ethical boundaries and trust primitives such as authenticity and veracity become crucial as AI agents blur established privacy norms and legal boundaries.
The possibility that an AI agent could be subpoenaed, audited or reverse-engineered poses risks to user privacy and raises the question of whether anything like an AI-client privilege should exist.
Organisations should design AI systems that align with user values and can explain their actions, to preserve ethical coherence and trust in AI interactions. | Details |
| 2025-08-15 10:28:27 | theregister | CYBERCRIME | Colt Technology Services Faces Cyber Incident, Disrupts Key Systems | Colt Technology Services has suffered a cyber incident affecting its customer portal and Voice API platform, which it shut down temporarily as a protective measure.
Colt says the attack hit internal systems, separate from customer-supporting infrastructure, and that it has found no evidence of unauthorised access to customer or employee data.
In response, Colt took systems offline, notified authorities and engaged third-party cybersecurity experts to assist with restoration.
The disruption began on August 12; services such as Colt Online remain unavailable, and customers have been directed to alternative support channels.
Security researcher Kevin Beaumont's Shodan searches showed that Colt had a SharePoint server exposed to the internet, which he suggests may have been the entry point; it has since been placed behind a firewall.
The incident shows the exposure of multinational firms with extensive global operations and customer bases when a single internet-facing system is compromised.
As restoration continues, Colt is asking customers for patience, committing to resolve the issue swiftly and providing regular status updates. | Details |
| 2025-08-15 08:52:05 | bleepingcomputer | CYBERCRIME | U.S. Sanctions Grinex Crypto-Exchange for Links to Cybercrime | The U.S. Department of the Treasury has sanctioned Grinex, the successor to the Russian crypto exchange Garantex, for laundering money for ransomware groups.
Grinex was promoted on Telegram channels associated with Garantex after U.S. authorities seized Garantex's domains over its processing of $100 million in illicit transactions.
Two Garantex administrators were charged in the U.S., and one, Aleksej Besciokov, was arrested in India as part of the continuing crackdown on cybercriminal networks.
Garantex had ties to the Hydra darknet market, the Conti ransomware-as-a-service operation and other ransomware gangs such as LockBit and Ryuk.
Grinex was reportedly created in direct response to the sanctions and asset freezes hitting Garantex, continuing the same business under a new name.
The Treasury's Office of Foreign Assets Control also renewed sanctions against Garantex and its associates, including six partner companies in Russia and Kyrgyzstan.
The Department of State announced rewards totalling up to $6 million for information leading to the arrest or conviction of Garantex's executives, citing the threat to national security.
Grinex has processed billions of dollars in cryptocurrency transactions, raising concerns about how easily a sanctioned virtual asset service provider can re-emerge under a new name. | Details |
| 2025-08-15 08:36:37 | theregister | VULNERABILITIES | AI Chatbots Pose Privacy Risks Through System Prompt Engineering | Researchers from King's College London have shown that AI chatbots can be turned into personal-data harvesters simply by changing their system prompt.
The study involved 502 participants and popular open large language models, and found that chatbots given data-harvesting system prompts elicited significantly more personal information than benign ones.
Meta's Llama and Mistral AI's models were used off the shelf, without retraining, showing that prompt changes alone can get past the models' existing privacy guardrails.
The researchers warn that people with minimal technical skill can deploy such malicious chatbots, lowering the bar for large-scale privacy invasion.
OpenAI's GPT Store is identified as a potential platform for abuse, since custom GPTs can be pre-prompted to collect data under the guise of investigative or interview roles.
Participants were most willing to disclose basic personal details, and some shared sensitive information, indicating a gap in user awareness of the risk.
The study calls for stronger protective mechanisms and regulatory measures to mitigate the privacy threat posed by AI chatbots.
The findings were presented at the 34th USENIX Security Symposium and stress the importance of transparency and early audits by platform providers. | Details |
| 2025-08-15 06:55:57 | thehackernews | VULNERABILITIES | Cisco Patches Critical RADIUS Flaw Allowing Remote Code Execution | Cisco has fixed a critical vulnerability in its Secure Firewall Management Center (FMC) Software, tracked as CVE-2025-20265, with the maximum CVSS score of 10.0.
The flaw lets an unauthenticated remote attacker execute arbitrary shell commands because input supplied during the RADIUS authentication phase is not handled properly.
Affected releases are Cisco Secure FMC Software 7.0.7 and 7.7.0, but only when RADIUS authentication is enabled for the web-based management interface, SSH management, or both.
No workaround exists, so patching is the fix; until then, exploitation could give an attacker high-privilege command execution on the management appliance.
Discovered by Cisco's Brandon Sakai during internal security testing, the flaw has not been exploited in the wild as far as Cisco is aware, but prompt action is advised given how attractive network management appliances are to attackers.
Cisco's advisory stresses updating to the latest software version, which also resolves other high-severity vulnerabilities. | Details |
| 2025-08-15 06:50:17 | theregister | MISCELLANEOUS | UK Government Faces Debate Over £9 Billion Microsoft Spending | The UK government plans to spend £9 billion over five years on Microsoft products, prompting debate over fiscal responsibility and possible open-source alternatives.
The Strategic Partnership Arrangement 2024 is meant to deliver better value across Microsoft's product portfolio, but critics question its cost-effectiveness compared with free and open-source software (FOSS).
Microsoft's finances remain robust, with quarterly revenue up 18% to $76.4 billion and high net margins, which raises questions about how much negotiating leverage the government really has.
The commitment rivals major public spending lines such as school building programmes and the winter fuel allowance changes, underlining the scale of the investment.
FOSS advocates point to potential savings and flexibility, while others argue for keeping Microsoft's established infrastructure to ensure continuity and reliability in public services.
The debate reflects broader questions of technology procurement strategy, balancing innovation, cost and operational efficiency in government IT. | Details |
| 2025-08-14 22:42:42 | theregister | CYBERCRIME | Ransomware Gangs Employ Advanced Tactics to Bypass Endpoint Security | At least a dozen ransomware groups now deploy kernel-level "EDR killers" that disable major endpoint security products before the operators escalate privileges, encrypt data and issue ransom demands.
Crypto24, a new ransomware family, has hit nearly two dozen companies across the US, Europe and Asia since April, in sectors including financial services and technology.
Crypto24's attacks use a customised build of RealBlindingEDR that removes the kernel callbacks registered by the drivers of 28 security vendors, including Sophos and Kaspersky, so their sensors lose visibility of process, thread, registry and file activity.
Sophos researchers found multiple ransomware families, including BlackSuit and Medusa, using updated builds of the EDRKillShifter tool to disable endpoint defences before deploying ransomware.
RansomHub's EDR killer uses a "bring your own vulnerable driver" (BYOVD) approach: it loads a legitimately signed but exploitable driver, which passes driver signature enforcement, then abuses that driver's flaws to gain kernel-level access and disable security functions.
Once endpoint defences are down, attackers can move laterally across on-premises and cloud-connected networks along communication paths that are no longer monitored.
Legitimate software such as the HRSword utility is also being repurposed to disable endpoint protection, which complicates detection and response for defenders. | Details |
| 2025-08-14 20:18:56 | bleepingcomputer | CYBERCRIME | Global Efforts Freeze Over $300 Million in Cybercrime Cryptocurrency | Over $300 million in cryptocurrency linked to cybercrime has been frozen through collaboration between law enforcement and private-sector blockchain firms.
The T3 Financial Crime Unit, formed by TRON, Tether and TRM Labs, together with its T3+ Global Collaborator Program, which Binance has joined, has frozen over $250 million in criminal assets since September 2024.
The initiative has supported law enforcement worldwide in tackling money laundering, investment fraud and other financial crime by analysing billions of dollars in transactions.
A separate joint operation by U.S. and Canadian authorities, supported by Chainalysis, identified over $74.3 million in fraud losses and led to significant asset freezes.
Project Atlas and Operation Avalanche, led by Canadian authorities, uncovered over 2,000 crypto wallets linked to fraud across 14 countries.
Collaboration with Tether resulted in the blacklisting of over $50 million in USDT, preventing further movement of the stolen assets.
These initiatives show that partnerships with stablecoin issuers and analytics firms can disrupt cybercriminal cash-out at the blockchain level, since a centrally issued token such as USDT can be frozen by its issuer in a way that native cryptocurrency cannot. | Details |
| 2025-08-14 19:10:00 | theregister | CYBERCRIME | Criminals Exploit Government Email Accounts for Fraudulent Activities | Cybercriminals are selling access to active FBI and other law enforcement email accounts from around the world on dark web forums for as little as $40.
Abnormal AI researchers confirmed the accounts are live, which lets buyers impersonate government officials and interfere with investigations.
Compromised accounts are used to send fraudulent subpoenas and emergency data requests (EDRs), abusing the lawful-access channels, such as CALEA compliance processes, that providers are obliged to honour.
Criminals also use the accounts to sign in to the law enforcement request portals of platforms such as Meta, TikTok and Twitter and extract private user data.
The accounts are typically compromised through credential stuffing, weak passwords, phishing and info-stealing malware, which together drive the supply of stolen credentials.
The FBI has warned that government email addresses are being misused to submit fraudulent requests, putting personal data at risk.
The situation underlines the need for phishing-resistant multi-factor authentication on government mailboxes, and for providers to verify emergency requests out of band rather than trusting the sending domain alone. | Details |
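The "Ransomware Gangs Employ Advanced Tactics to Bypass Endpoint Security" entry above describes kernel-level EDR killers that load a signed but vulnerable driver (BYOVD) and then terminate security agents. As an added example, not code from any of the summarised articles or vendors, the Python script below applies the checks a detection engineer would run over Sysmon-style driver-load (Event ID 6) and process-termination (Event ID 5) records: a hash match against a vulnerable-driver list, a driver loaded from outside the Windows driver directories, an invalid signature, and a security-agent process dying shortly after a suspicious load. The sample events, the hash list, the trusted directories and the security-process names are all constructed for illustration; in practice the hash list would come from a maintained feed such as loldrivers.io.

```python
"""
Triage Sysmon-style driver-load and process-termination events for
BYOVD / EDR-killer activity.

Added example for this brief; the events, the vulnerable-driver hash list,
the trusted directories and the security-process names are all constructed
for illustration and are not real telemetry or a real blocklist.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed blocklist: SHA256 -> file name. A real deployment would load
# this from a maintained feed such as loldrivers.io rather than hard-code it.
VULNERABLE_DRIVER_SHA256 = {
    hashlib.sha256(b"constructed vulnerable driver blob").hexdigest(): "example_vuln_driver.sys",
}

# Directories from which legitimate driver loads are expected (assumption; tune per estate).
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Security-agent process names whose termination shortly after a suspicious
# driver load is the "EDR killer" pattern (constructed list).
SECURITY_PROCESSES = {"msmpeng.exe", "sophoshealth.exe", "avp.exe", "sentinelagent.exe"}


@dataclass
class Finding:
    time: datetime
    severity: str   # "medium", "high" or "critical"
    reason: str
    image: str      # driver path the finding relates to


def parse_hashes(field: str) -> dict:
    """Sysmon's Hashes field looks like 'SHA256=abc...,MD5=...'; return {algo: hexdigest}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def triage(events, window: timedelta = timedelta(seconds=60)) -> list:
    """Apply the checks over Sysmon-style records (EventID 6 = driver loaded,
    EventID 5 = process terminated) and return findings in time order:
      1. driver hash matches the vulnerable-driver list           -> high
      2. driver loaded from outside the Windows driver directories -> medium
      3. driver signature not 'Valid'                              -> medium
      4. a security process dies within `window` of 1, 2 or 3     -> critical
    Note that a 'Valid' signature does not clear a driver: a BYOVD driver is
    legitimately signed by design, which is why check 1 exists.
    """
    findings = []
    suspicious_loads = []  # (time, image) of loads that triggered a check
    for e in sorted(events, key=lambda ev: ev["UtcTime"]):
        t = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
        if e["EventID"] == 6:
            image = e["ImageLoaded"]
            sha = parse_hashes(e.get("Hashes", "")).get("SHA256")
            reasons = []
            if sha in VULNERABLE_DRIVER_SHA256:
                reasons.append(f"hash matches known-vulnerable driver {VULNERABLE_DRIVER_SHA256[sha]}")
            if not image.lower().startswith(TRUSTED_DRIVER_DIRS):
                reasons.append("loaded from outside the Windows driver directories")
            if e.get("SignatureStatus", "").lower() != "valid":
                reasons.append("driver signature is missing or not valid")
            if reasons:
                severity = "high" if sha in VULNERABLE_DRIVER_SHA256 else "medium"
                findings.append(Finding(t, severity, "; ".join(reasons), image))
                suspicious_loads.append((t, image))
        elif e["EventID"] == 5:
            proc = e["Image"].rsplit("\\", 1)[-1].lower()
            if proc not in SECURITY_PROCESSES:
                continue
            for load_time, image in suspicious_loads:
                gap = t - load_time
                if timedelta(0) <= gap <= window:
                    findings.append(Finding(
                        t, "critical",
                        f"security process {proc} terminated {int(gap.total_seconds())}s after suspicious driver load",
                        image))
                    break
    return findings


# Constructed sample telemetry: one benign driver load, one signed-but-vulnerable
# driver loaded from a user-writable path, then Defender's engine process dying.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2025-08-14 03:12:05",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Hashes": "SHA256=" + hashlib.sha256(b"constructed benign driver blob").hexdigest(),
     "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2025-08-14 03:14:10",
     "ImageLoaded": "C:\\Users\\Public\\hw.sys",
     "Hashes": "SHA256=" + hashlib.sha256(b"constructed vulnerable driver blob").hexdigest(),
     "SignatureStatus": "Valid"},   # validly signed, still vulnerable: the BYOVD case
    {"EventID": 5, "UtcTime": "2025-08-14 03:14:18",
     "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2025-08-14 03:14:20",
     "Image": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding.time:%H:%M:%S} {finding.severity:8} {finding.image}: {finding.reason}")
```

Run stand-alone, the script reports the hw.sys load as high (hash match plus non-standard path) and the MsMpEng.exe termination eight seconds later as critical, while the benign tcpip.sys load and the notepad.exe exit produce nothing. The time window and path list are the knobs to tune: a long window catches slow operators but raises false positives from ordinary agent restarts, which is why the hash match is kept as an independent, higher-confidence signal.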