Daily Brief

2025-08-13 11:42:45 thehackernews VULNERABILITIES Fortinet Alerts on Critical FortiSIEM Vulnerability Exploited in the Wild
Fortinet has issued a warning about a critical vulnerability in FortiSIEM, identified as CVE-2025-25256, with an exploit currently active in the wild. The vulnerability, with a severe CVSS score of 9.8, allows unauthenticated attackers to execute unauthorized code via crafted CLI requests. Affected versions of FortiSIEM are vulnerable to OS command injection, which could lead to significant security breaches if not addressed promptly. Fortinet has not disclosed specific details about the exploit's nature or its geographical origin but confirmed the presence of practical exploit code. Organizations are advised to limit access to the phMonitor port (7900) as a temporary workaround to mitigate potential exploitation risks. The advisory follows GreyNoise's report of increased brute-force traffic targeting Fortinet SSL VPN devices, indicating heightened threat activity. Businesses relying on FortiSIEM should prioritize patching and implement recommended security measures to prevent unauthorized access and potential data breaches.
2025-08-13 11:32:12 theregister MISCELLANEOUS UK Expands Police Facial Recognition with New Mobile Units
The UK government is deploying ten new mobile units equipped with Live Facial Recognition (LFR) technology across seven additional regions, enhancing police capabilities in Greater Manchester, West Yorkshire, and more. The Home Office asserts that LFR is a targeted, intelligence-led tool, aiding in the arrest of 580 offenders, including serious criminals, over the past year in London and South Wales. Privacy advocates, including Big Brother Watch, express concerns over potential misidentifications and the expansion's implications for privacy and democratic rights, citing previous wrongful stops. The College of Policing mandates public notification for LFR use, except in critical situations, and ensures compliance with guidelines to maintain lawful and proportionate deployment. The National Physical Laboratory has independently tested the LFR algorithm, confirming its accuracy and lack of bias related to age, gender, or ethnicity. A government consultation is underway to establish a new legal framework for LFR, with findings from deployments contributing to this process. Privacy groups criticize the use of passport and immigration databases for facial recognition, claiming a significant increase in police scans, raising privacy concerns. The Home Office clarifies that these databases are accessed only for Retrospective Facial Recognition (RFR) in specific criminal investigations, requiring prior approval for use.
2025-08-13 11:32:12 thehackernews MISCELLANEOUS AI-Powered SOCs Transform Security Operations with Enhanced Efficiency
AI-driven SOC capabilities are addressing inefficiencies in security operations, enabling faster threat detection and response while reducing false positives and manual workload for analysts. The recent Gartner Hype Cycle for Security Operations 2025 identifies AI SOC Agents as a key innovation, signaling a shift towards automation in security processes. AI systems prioritize alerts swiftly, allowing true threats to be identified quickly and reducing time wasted on false positives, enhancing overall SOC efficiency. By integrating data from various platforms, AI SOC tools significantly reduce mean time to investigate and respond, limiting threat spread and improving security posture. AI capabilities in SOCs provide insights into detection engineering, identifying coverage gaps and recommending rule adjustments for improved threat detection. The hybrid model of AI and human expertise allows analysts to focus on advanced threat hunting and strategic tasks, improving security outcomes and analyst retention. Prophet Security's AI SOC platform automates triage and investigations, enhancing analyst efficiency and delivering consistent security results across organizations.
2025-08-13 10:48:31 theregister MISCELLANEOUS Marc Andreessen Criticizes UK's Online Safety Act Implementation
Marc Andreessen, co-founder of Netscape, criticized the UK's Online Safety Act, claiming his input was misrepresented by the UK government. The Online Safety Act mandates platforms like Google and Reddit to block certain content unless users verify their age through photo ID or credit card checks. The introduction of the Act has led to increased use of Virtual Private Networks (VPNs) to bypass content restrictions, raising concerns about its effectiveness. Free speech and privacy advocates, including Andreessen, argue the Act could lead to censorship and overreach by the government. The UK government faces pressure to balance the prevention of unsavoury content access with maintaining free speech rights. Platforms not complying with the Act risk fines up to £18 million or 10 percent of their global turnover, highlighting the significant regulatory impact. Andreessen's public comments reflect ongoing debate and dissatisfaction with the legislation's approach and potential consequences.
2025-08-13 10:02:41 theregister MISCELLANEOUS UK Public Sector Faces Challenges in Software Procurement Strategies
The UK government spends approximately £1.9 billion annually on Microsoft software licenses, raising questions about the cost-effectiveness of this investment. Despite the high expenditure, the UK public sector struggles to find viable open-source alternatives due to hidden costs and compatibility issues. Historical challenges with systems like NHSmail highlight difficulties in managing upgrades and ensuring compatibility without major tech brands. The Crown Commercial Service's recent five-year agreement with Microsoft includes access to AI technologies, aiming to boost digital progress and economic growth. Effective procurement requires consistent negotiation strategies across government bodies to maximize value and streamline software acquisition. While open-source solutions offer potential savings, they often lead to unforeseen risks, such as system lock-in and integration challenges. The debate continues on balancing proprietary software benefits versus open-source flexibility, with a focus on accountability and transparent contract management.
2025-08-13 09:36:37 thehackernews MISCELLANEOUS AI Cyberattacks Demand New Focus on Identity Verification
The rise of AI technologies is reshaping both business operations and cyberattack strategies, introducing sophisticated threats like deepfake scams and synthetic identities. Traditional security models are proving inadequate against AI-driven threats, which exploit faster, unpredictable attack patterns. Identity verification has emerged as a critical defense mechanism, acting as the final barrier against unauthorized access in AI-enhanced environments. Okta's upcoming webinar, led by Karl Henrik Smith, will provide insights into adapting security strategies to counter AI-powered cyber threats. The session aims to equip developers, security architects, and tech leaders with actionable plans to integrate identity at the core of security frameworks. As AI continues to evolve, organizations must prioritize adaptive security measures to safeguard against increasingly rapid and sophisticated cyberattacks.
2025-08-13 09:23:20 theregister VULNERABILITIES Matrix Protocol Faces High-Severity Flaws Requiring Urgent Fixes
The Matrix.org Foundation has disclosed two high-severity vulnerabilities in the Matrix protocol, necessitating significant updates to both servers and clients. These vulnerabilities affect the federated secure chat protocol, which supports an estimated 60 million users, including 500,000 government users. The protocol update to version 1.16 introduces Room Version 12, which is essential for mitigating these security issues. Servers engaging in open, unrestricted federation are most at risk, while single-instance users face minimal immediate threat. The vulnerabilities, one of which is identified as CVE-2025-49090, require server and client upgrades to ensure protection against potential exploitation. Protocol implementers such as Conduit, ejabberd, and Synapse are preparing to release necessary fixes, with the matrix.org homeserver expected to update by September. The exact nature of the vulnerabilities remains undisclosed, but proactive updates are advised to mitigate potential risks.
2025-08-13 08:54:40 thehackernews VULNERABILITIES Microsoft Patches 111 Security Flaws Including Kerberos Zero-Day
Microsoft released updates addressing 111 vulnerabilities, with 16 classified as Critical, impacting various software, including Windows and Microsoft Exchange Server. A significant zero-day flaw, CVE-2025-53779, affects Windows Kerberos, potentially allowing privilege escalation within Active Directory domains. The Kerberos vulnerability, known as BadSuccessor, requires attackers to have control over specific attributes, posing risks to domain security. Exploitation of BadSuccessor could lead to full domain control, enabling attackers to disable security measures and manipulate audit logs. Microsoft has also addressed critical vulnerabilities in Azure services, including Azure OpenAI and Microsoft 365 Copilot BizChat, with no customer action required. A Rust-based Windows kernel vulnerability could cause system crashes, posing a risk of widespread disruption in large or remote workforces. Continuous vigilance and proactive patching remain essential to maintaining system integrity, even with advanced security technologies in place.
2025-08-13 06:19:03 theregister CYBERCRIME Interlock Ransomware Attack Disrupts Saint Paul's Municipal Services
Interlock ransomware group claimed responsibility for a cyberattack on Saint Paul, Minnesota, leaking 43GB of files after ransom demands were refused. The attack, which occurred in late July, led to a state of emergency declaration and involved the theft of over 66,000 files, including sensitive internal documents. Mayor Melvin Carter confirmed that the compromised data mainly originated from a Parks and Recreation Department network drive, not impacting resident personal information. Despite Interlock's claims of extensive damage, city officials maintain control over their systems and have initiated a comprehensive reset of servers and passwords. The attack disrupted several city services, including payment portals and municipal Wi-Fi, with recovery timelines still uncertain weeks after the incident. Interlock, known for its double-extortion tactics, combines data theft with encryption to pressure victims, mirroring methods used by groups like BlackCat and LockBit. The FBI and CISA had recently warned of Interlock's escalating attacks on critical infrastructure, highlighting the ongoing threat to municipal entities.
2025-08-13 05:56:52 thehackernews CYBERCRIME Charon Ransomware Targets Middle Eastern Public and Aviation Sectors
A new ransomware family, Charon, has been identified targeting the Middle East's public sector and aviation industry, employing advanced evasion tactics typically associated with APT groups. Techniques used include DLL side-loading and process injection, with similarities to methods used by the China-linked Earth Baxia group, though direct attribution remains unconfirmed. The attack chain involved sideloading a malicious DLL using a legitimate browser file, deploying Charon ransomware, which disrupts security services and deletes backups. Charon ransomware employs multithreading and partial encryption to enhance efficiency, with an underdeveloped feature for disabling EDR solutions through a vulnerable driver. A customized ransom note indicates targeted attacks rather than opportunistic ones, as victim organizations are specifically named in the demands. The convergence of APT-level tactics with ransomware operations increases risks by combining sophisticated evasion techniques with the immediate impact of data encryption. The broader trend shows ransomware operators adopting complex, multi-stage processes, emphasizing the need for vigilant monitoring of suspicious activities and tactics.
2025-08-13 02:37:35 theregister CYBERCRIME Terraform Labs Founder Do Kwon Admits to Multi-Billion Dollar Fraud
Do Kwon, founder of Terraform Labs, pled guilty to fraud charges related to the failed Terra USD stablecoin, which resulted in a $41 billion loss for investors. Kwon admitted to making false statements about Terra USD's stability, which was meant to maintain a 1:1 value with the US dollar, but ultimately collapsed. Terraform Labs, based in Singapore, was poorly managed, leading to the failure of its complex scheme to stabilize Terra USD's value. Kwon was extradited from Montenegro to the United States, where he faces up to 25 years in prison and has agreed to forfeit over $19 million. The case highlights the risks associated with improperly managed cryptocurrency operations and the importance of regulatory oversight in the financial technology sector. Kwon's sentencing is scheduled for December, and his case is a cautionary tale for the cryptocurrency industry, emphasizing the need for transparency and governance. This incident serves as a reminder of the potential volatility and legal risks in the rapidly evolving cryptocurrency market.
2025-08-12 23:39:08 theregister VULNERABILITIES Microsoft and Adobe Address Critical Vulnerabilities in August Updates
Microsoft’s August Patch Tuesday resolved 111 vulnerabilities, with 12 marked as critical, including remote code execution (RCE) flaws in Windows Graphics Device Interface and SharePoint. CVE-2025-53766, a heap-based buffer overflow in GDI+, poses risks of code execution via malicious webpages or crafted documents, despite being deemed "exploitation less likely." CVE-2025-50165, another RCE flaw, could be triggered by viewing a specially crafted JPEG, highlighting the importance of vigilance even for low-likelihood exploits. Adobe released patches for 68 CVEs, focusing on critical RCE vulnerabilities across products like InCopy, InDesign, and Substance 3D applications. SAP, Intel, and Google also issued critical updates, addressing high-severity vulnerabilities in enterprise software, hardware, and Android devices. Organizations are advised to promptly apply these patches to mitigate risks of potential exploitation and ensure systems remain secure against emerging threats.
2025-08-12 22:06:52 bleepingcomputer DATA BREACH Allianz Life Data Breach Exposes 2.8 Million Records in Salesforce Attack
Allianz Life has confirmed a data breach affecting 2.8 million records, involving sensitive information from both customers and business partners. The breach is linked to a series of Salesforce-targeted attacks by the ShinyHunters extortion group, known for exploiting cloud-based CRM systems. Attackers used social engineering to deploy malicious OAuth apps, enabling unauthorized access to Salesforce databases and subsequent data theft. Leaked data includes personal and professional details such as names, addresses, Tax IDs, and firm affiliations, posing significant privacy and security risks. Allianz Life is currently investigating the breach, with no public comments available on the ongoing situation. The incident is part of a broader pattern of attacks also claimed by groups like Scattered Spider and Lapsus$, known for high-profile breaches. This breach underscores the critical need for robust security measures around third-party cloud applications and employee training against social engineering tactics.
2025-08-12 19:56:34 theregister CYBERCRIME Manpower Franchise Suffers Data Theft in RansomHub Cyberattack
Manpower's Lansing, Michigan franchise experienced a ransomware attack, compromising personal data of 144,189 individuals, while corporate systems remained unaffected. The breach, executed by the cybercriminal group RansomHub, involved unauthorized access between December 29, 2024, and January 12, 2025. Stolen data includes sensitive personal information such as social security cards, driver's licenses, passports, and corporate financial documents. ManpowerGroup is assisting the franchise with response efforts, while the FBI has been notified to aid in holding the perpetrators accountable. Affected individuals are being offered free credit monitoring and identity theft protection services through Equifax. The incident highlights the ongoing threat of ransomware attacks, emphasizing the need for robust cybersecurity measures and incident response protocols. RansomHub, responsible for previous high-profile attacks, remains a significant threat to organizations, particularly those within critical infrastructure sectors.
2025-08-12 18:45:10 bleepingcomputer VULNERABILITIES Docker Hub Hosts Linux Images with Persistent XZ Backdoor Risk
Binarly researchers identified at least 35 Docker Hub Linux images containing the XZ-Utils backdoor, posing potential risks to users and organizations relying on these images. The XZ-Utils backdoor, tracked as CVE-2024-3094, allows attackers to bypass authentication and execute root commands via a compromised liblzma.so library. Despite the discovery, Debian, a key maintainer, chose not to remove affected images, citing low exploitation risk and the importance of archiving. The backdoor was initially injected by a contributor named "Jia Tan" and affected major Linux distributions like Debian, Fedora, and Red Hat. Binarly and Kaspersky have released scanners to detect the backdoor, emphasizing the need for users to verify image integrity before deployment. The decision to retain compromised images on Docker Hub raises concerns about accidental usage in automated builds, necessitating caution among developers. Users are advised to ensure the XZ-Utils library is updated to version 5.6.2 or later to mitigate potential security threats.