Daily Brief

Generated summaries of the articles found follow each article title.
2025-08-14 10:13:56 theregister CYBERCRIME Stock in the Channel Suffers Ransomware Attack, Services Disrupted
Stock in the Channel (STIC), a UK-based tech stock platform, experienced a ransomware attack, causing significant service disruption and website outage. The attack was executed by a sophisticated criminal group exploiting a zero-day vulnerability in a third-party application. Despite extensive infrastructure damage, STIC reports no evidence of a data breach and has successfully recovered critical data. The company's website remains partially operational, with ongoing efforts to fully restore services; stock and price data may be outdated. STIC's email and phone lines continue to function, maintaining communication channels with its 60,000 users across 22 countries. The incident underscores the importance of securing third-party applications to prevent exploitation by cybercriminals. No customer data compromise is believed to have occurred, but the situation remains under close monitoring.
2025-08-14 09:35:21 thehackernews VULNERABILITIES Strategic Default Settings Key to Reducing Cybersecurity Risks
Implementing deny-by-default policies and multi-factor authentication (MFA) can significantly reduce attack surfaces and prevent unauthorized access to systems. Security-by-default strategies, including application allowlisting, stop ransomware and unauthorized tools before execution, enhancing overall system resilience. Adopting a proactive defense mindset is essential as cyber threats evolve from mere nuisances to profit-driven enterprises. Industry frameworks like NIST and ISO offer guidance, but clear, actionable steps are needed for effective security implementation. Default security configurations, such as disabling Office macros and blocking outbound server traffic, can eliminate significant vulnerabilities. Continuous monitoring and patching are crucial to maintaining security beyond initial configuration, ensuring defenses remain robust against new threats. Emphasizing security-by-default helps organizations prevent breaches, reduce complexity, and maintain operational integrity without alienating IT teams.
2025-08-14 09:17:56 bleepingcomputer VULNERABILITIES CISA Alerts on N-able N-central Flaws Exploited in Zero-Day Attacks
CISA issued a warning about active exploitation of two vulnerabilities in N-able's N-central platform, a tool widely used by MSPs and IT departments for network management. The vulnerabilities, CVE-2025-8875 and CVE-2025-8876, involve insecure deserialization and improper input sanitization, potentially allowing command execution by authenticated users. N-able has released patches in version 2025.3.1 and urges immediate updates to prevent potential risks, especially as details of the CVEs will be disclosed in three weeks. Over 2,100 N-central instances are exposed online, primarily in the U.S., Australia, and Germany, increasing the urgency for patch application to mitigate risks. CISA added these vulnerabilities to its Known Exploited Vulnerabilities Catalog, mandating federal agencies to patch by August 20 under BOD 22-01. Organizations, including private sector entities, are advised to follow vendor instructions for mitigation or discontinue use if solutions are unavailable. This alert follows a recent CISA directive on a Microsoft Exchange vulnerability, underscoring the ongoing threat landscape and need for proactive security measures.
2025-08-14 07:36:06 theregister MISCELLANEOUS UK Government's £9 Billion Microsoft Deal Faces Scrutiny Over Value
The UK government's five-year Strategic Partnership Agreement with Microsoft, valued at nearly £9 billion, is under debate for its true value to taxpayers. The agreement bundles Microsoft 365, Azure, Business Applications, and Microsoft Copilot, raising concerns about potential lock-in and limited competition. Microsoft's recent financial performance shows significant revenue growth, prompting questions about whether the UK is securing substantial discounts or merely boosting Microsoft's profits. The inclusion of AI tool Copilot could enhance efficiency, but lack of transparent pricing raises concerns about affordability and vendor dependency. The Crown Commercial Service's role in the agreement may prioritize vendor stability over aggressive cost-saving measures, potentially limiting negotiation leverage. Critics suggest exploring alternative platforms or hybrid strategies to foster competition and avoid over-reliance on a single supplier. Historical efforts to control IT costs, such as the 2004 Gershon Review, highlight the need for renewed focus on competition and innovation in procurement practices.
2025-08-14 06:47:56 thehackernews CYBERCRIME Google Enforces Crypto App Licensing Amid Rising Scam Concerns
Google now requires cryptocurrency app developers to hold government licenses in 15 regions, including the U.S., UK, and EU, to enhance user safety and compliance. The policy affects developers of cryptocurrency exchanges and custodial wallets (non-custodial wallets are excluded) and requires registration with the relevant authorities, such as the FCA and FinCEN. Developers must declare their apps as cryptocurrency exchanges or wallets and may need to provide additional compliance information for jurisdictions not on the list. Developers that cannot comply are advised to withdraw their apps from the affected regions, reflecting Google's commitment to adapting to evolving regulatory landscapes. Concurrently, the FBI warns of scams in which fraudsters pose as law firms to exploit cryptocurrency scam victims, resulting in $9.9 million in reported losses. The FBI advises vigilance against unsolicited law firm contacts and recommends verifying identities through video or documentation to prevent further victimization. These developments underscore the critical need for robust verification processes and regulatory adherence in the rapidly evolving cryptocurrency sector.
2025-08-14 04:06:27 thehackernews VULNERABILITIES CISA Alerts on Exploited Flaws in N-able N-central Platform
CISA has added two N-able N-central security flaws to its Known Exploited Vulnerabilities catalog, indicating active exploitation of these vulnerabilities. N-able N-central, a Remote Monitoring and Management platform, is widely used by Managed Service Providers to manage client endpoints across various operating systems. The vulnerabilities have been addressed in the latest software updates, N-central versions 2025.3.1 and 2024.6 HF2, released on August 13, 2025. N-able advises users to enable multi-factor authentication, especially for admin accounts, to mitigate potential security risks. The specific methods of exploitation and the scale of attacks remain unknown, prompting ongoing inquiries for further details. Federal Civilian Executive Branch agencies have been advised to apply the necessary patches by August 20, 2025, to safeguard their networks. This development follows recent CISA actions addressing older vulnerabilities in Microsoft Internet Explorer and Office, urging timely updates or discontinuation of outdated products.
2025-08-13 20:25:25 bleepingcomputer VULNERABILITIES Fortinet Urges Immediate Patch for Critical FortiSIEM RCE Vulnerability
Fortinet has issued a critical alert for a remote command injection flaw in FortiSIEM, urging immediate application of security updates to prevent exploitation. The vulnerability, CVE-2025-25256, affects FortiSIEM versions 5.4 to 7.3 and is rated with a CVSS score of 9.8, indicating severe risk. Exploit code for this flaw is already circulating, posing a significant threat to organizations using FortiSIEM in sectors like government, finance, and healthcare. Fortinet advises upgrading to supported versions to mitigate risk, as older versions will not receive patches for this vulnerability. The flaw allows unauthenticated attackers to execute arbitrary commands, but it does not produce clear indicators of compromise, complicating detection efforts. A temporary workaround involves restricting access to the phMonitor on port 7900, though this does not resolve the underlying issue. This disclosure follows a recent surge in brute-force attacks on Fortinet products, suggesting heightened threat activity around these systems.
2025-08-13 19:19:07 theregister VULNERABILITIES Fortinet Warns of Critical FortiSIEM Bug Amid Brute-Force Surge
Fortinet has disclosed a critical vulnerability in FortiSIEM, identified as CVE-2025-25256, which allows unauthenticated attackers to execute unauthorized commands, potentially leading to full system compromise. The vulnerability affects FortiSIEM versions 7.3.0-7.3.1, 7.2.0-7.2.5, 7.1.0-7.1.7, 7.0.0-7.0.3, and versions before 6.7.9, receiving a CVSS score of 9.8, indicating severe risk. Fortinet has advised customers to upgrade to patched versions and suggested limiting access to the phMonitor port (7900) as a temporary mitigation measure. Working exploit code for this vulnerability has been detected in the wild, raising concerns about potential exploitation if systems remain unpatched. GreyNoise reported a significant increase in brute-force attempts targeting Fortinet SSL VPNs, with over 780 unique IPs involved, possibly indicating an increased threat landscape. The surge in brute-force attempts coincided with the vulnerability disclosure, although a direct causal link has not been confirmed by GreyNoise. This situation underscores the importance of timely patch management and monitoring for unusual activity to mitigate potential threats effectively.
2025-08-13 19:19:06 bleepingcomputer VULNERABILITIES New Downgrade Attack Threatens FIDO Authentication in Microsoft Entra ID
Security researchers from Proofpoint have identified a downgrade attack that can bypass FIDO authentication in Microsoft Entra ID, exposing users to phishing and session hijacking risks. The attack leverages the Evilginx adversary-in-the-middle framework to spoof a browser user agent, tricking users into using weaker authentication methods. This method exploits a gap in functionality, bypassing FIDO authentication by simulating an unsupported browser, prompting users to authenticate via less secure alternatives. Although no active exploitation has been observed, the potential for targeted attacks remains significant, especially against high-value targets. Organizations are advised to disable fallback authentication methods and implement additional security checks to mitigate this emerging threat. The attack does not indicate a flaw in FIDO itself but reveals vulnerabilities in its implementation, necessitating improved security measures. This development underscores the need for vigilance and proactive measures in environments increasingly reliant on FIDO-based authentication systems.
2025-08-13 16:48:32 bleepingcomputer VULNERABILITIES Surge in Fortinet VPN Attacks Signals Potential Zero-Day Threats
A significant increase in brute-force attacks on Fortinet SSL VPNs was observed, suggesting that new zero-day vulnerabilities may soon be disclosed. GreyNoise detected two attack waves, on August 3 and August 5, with a notable shift from VPN to FortiManager targets, indicating a change in focus. Such attack patterns have historically preceded new vulnerability disclosures, with 80% correlation, signaling a need for heightened vigilance. JA4+ fingerprinting of the attack traffic linked it to earlier activity originating from a FortiGate device, hinting at possible reuse of tools or infrastructure. Security teams are advised to block the identified IP addresses, strengthen login protections, and restrict access to Fortinet devices to trusted networks. This activity is unlikely to be benign research scanning, as it involves credential brute-forcing, which is typically indicative of intrusion attempts. Organizations should prepare for potential zero-day disclosures by reviewing and strengthening their security measures around Fortinet products.
2025-08-13 16:31:35 bleepingcomputer CYBERCRIME Cyberattack Disrupts Pennsylvania Attorney General's Office Operations
The Pennsylvania Attorney General's Office experienced a cyberattack, disabling its email, website, and phone systems, significantly affecting its operational capabilities. Attorney General Dave Sunday announced that staff are collaborating with law enforcement to restore services and investigate the incident's origins. Although no group has claimed responsibility, the attack's characteristics suggest a possible ransomware incident, yet confirmation is pending. Cybersecurity expert Kevin Beaumont identified potential vulnerabilities in the office's network, specifically concerning Citrix NetScaler appliances, which may have been exploited. The Citrix vulnerability, CVE-2025-5777, has been actively targeted globally, prompting CISA to mandate immediate patching for federal agencies. The attack reflects broader cybersecurity challenges, as similar vulnerabilities have led to significant disruptions in other critical organizations worldwide. This incident underscores the importance of proactive vulnerability management and rapid response strategies to mitigate potential threats.
2025-08-13 15:52:51 theregister VULNERABILITIES Legacy Microsoft Office Vulnerability Still Exploited in Malware Campaigns
Cybercriminals continue exploiting CVE-2017-11882, a vulnerability in Microsoft Office's discontinued Equation Editor, despite its patch release eight years ago. The vulnerability allows remote code execution through malicious documents, impacting systems running outdated Microsoft Office or WordPad versions. Attackers leverage this flaw by distributing specially crafted files via email or compromised websites, targeting users who open these files. The vulnerability was patched in 2017, and Microsoft removed the Equation Editor in 2018, yet attackers persist in exploiting unpatched systems. Recent campaigns involve XLAM files masquerading as purchase orders, which deploy keyloggers when executed on vulnerable software. Organizations are advised to ensure all systems are updated to eliminate exposure to this and similar legacy vulnerabilities. This ongoing exploitation highlights the critical importance of maintaining up-to-date software to prevent attacks leveraging outdated vulnerabilities.
2025-08-13 15:52:50 thehackernews MALWARE New PS1Bot Malware Campaign Utilizes Malvertising for Stealthy In-Memory Attacks
Cisco Talos researchers uncovered a malvertising campaign deploying PS1Bot, a multi-stage malware framework designed for stealthy in-memory execution and persistent system access. PS1Bot features a modular design, enabling information theft, keylogging, and reconnaissance, while minimizing persistent artifacts on infected systems. Active since early 2025, the campaign uses malvertising and SEO poisoning to distribute a JavaScript payload that initiates the infection chain. The malware shares technical similarities with AHK Bot and overlaps with ransomware-related campaigns involving Skitnet, aiming to steal data and control compromised hosts. Initial infection begins with a compressed archive delivered via malvertising, containing a JavaScript downloader that executes a PowerShell script to contact a command-and-control server. Google's AI-powered systems are being leveraged to combat invalid traffic, improving ad placement reviews and reducing deceptive practices by 40%. The modular nature of PS1Bot allows rapid deployment of updates, enhancing its adaptability and threat potential against targeted systems.
2025-08-13 13:41:49 bleepingcomputer VULNERABILITIES Microsoft Phases Out PowerShell 2.0 to Enhance Windows Security
Microsoft will remove PowerShell 2.0 from Windows 11 and Windows Server starting August 2025, as part of efforts to eliminate legacy code and bolster security. The removal impacts users with legacy scripts or software relying on PowerShell 2.0, necessitating updates or workarounds to avoid operational disruptions. PowerShell 5.1 and 7.x remain available, offering backward compatibility for most commands, reducing the risk of script failures during the transition. Organizations using older Microsoft server products like Exchange, SharePoint, and SQL Server are advised to migrate to newer PowerShell versions. This initiative aims to simplify system complexity and improve security, aligning with Microsoft's broader strategy to modernize Windows infrastructure. Customers are encouraged to update their systems and replace outdated software to ensure compatibility with future Windows releases. Microsoft emphasizes the importance of using supported PowerShell versions to enhance script safety and system reliability.
2025-08-13 13:23:47 thehackernews VULNERABILITIES Zoom and Xerox Patch Critical Privilege Escalation and RCE Flaws
Zoom has released a patch for a critical vulnerability in Zoom Clients for Windows, identified as CVE-2025-49457, with a CVSS score of 9.6, addressing privilege escalation risks. The flaw, stemming from an untrusted search path, could allow unauthenticated users to escalate privileges via network access, posing significant security threats to organizations. Xerox has also patched vulnerabilities in FreeFlow Core, with the most severe allowing potential remote code execution, addressed in the latest version 8.0.4 update. Exploiting these vulnerabilities could enable attackers to execute arbitrary commands, steal sensitive data, or facilitate lateral movement within corporate networks. Both companies have issued security bulletins urging users to apply the updates promptly to mitigate potential exploitation risks. The swift response by Zoom and Xerox highlights the importance of proactive vulnerability management to protect critical systems and data from cyber threats. Organizations are advised to review their patch management processes to ensure timely deployment of security updates across their IT environments.