Daily Brief
Articles are listed below; see 'Details' for the generated summaries
Total articles found: 11796
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-08-05 14:03:38 | thehackernews | MALWARE | Google Releases Updates for Exploited Android Vulnerabilities | Google has released security updates to patch multiple vulnerabilities in Android, including two exploited flaws in Qualcomm components.
The addressed vulnerabilities are CVE-2025-21479 and CVE-2025-27038, both actively exploited and concerning the Graphics component.
CVE-2025-21479 involves an incorrect authorization issue leading to memory corruption, and CVE-2025-27038 is a use-after-free vulnerability affecting Chrome’s rendering process.
These security flaws have been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities catalog, necessitating urgent federal agency compliance by June 24, 2025.
Past exploitations of similar Qualcomm chipset flaws have been linked to the use by commercial spyware vendors, suggesting a potential misuse context for the newly patched vulnerabilities.
Alongside the Qualcomm fixes, Google patched additional high-severity privilege escalation flaws and a critical remote code execution risk in the Android Framework and System components.
Android users are strongly advised to update their devices with the latest patches to protect against these vulnerabilities and potential exploitation. | Details |
| 2025-08-05 13:53:26 | thehackernews | MALWARE | High-Severity RCE Vulnerability Found in AI-Powered Coding Tool | Researchers at Check Point have discovered a critical security flaw in Cursor, an AI-based code editor, which permits remote code execution through manipulation of MCP files.
The vulnerability, tagged as CVE-2025-54136 with a CVSS score of 7.2, is named MCPoison due to its method of attack involving Model Context Protocol (MCP) configuration modifications.
Attackers can exploit the flaw by altering a previously approved MCP configuration file in a GitHub repository or locally on a user's device, enabling the execution of malicious commands without detection.
The MCP, developed by Anthropic, facilitates standardized interaction between large language models and external resources, but this vulnerability exposes dangerous trust assumptions in its implementation.
The exploit could lead to significant risks such as data theft and intellectual property breaches, impacting the entire supply chain.
Cursor addressed the issue in their latest release, version 1.3, by mandating user approval for every change to the MCP configuration.
This incident underlines growing concerns about AI security as AI tools and large language models increasingly integrate into business and development processes. | Details |
| 2025-08-05 12:42:30 | theregister | CYBERCRIME | SonicWall Investigates Ransomware Exploiting Potential Zero-Day | SonicWall is actively researching a surge in ransomware targeting its Gen 7 firewall devices, potentially exploiting a zero-day vulnerability.
Multiple third-party threat research teams, including Arctic Wolf, Google Mandiant, and Huntress, have reported this suspicious activity, which involves bypassing multi-factor authentication to deploy ransomware.
Recent advisories suggest that attackers have been successful even in environments with enhanced security measures, pivoting quickly from compromised VPN devices to domain controllers.
The exploited vulnerability potentially allows bad actors to disable security tools, steal credentials, and deploy ransomware, with Akira ransomware specifically identified in recent incidents.
SonicWall has yet to confirm the new vulnerability but has advised customers to disable SSL VPN services on affected devices and promised to release updated firmware and guidance promptly once more is known.
Arctic Wolf has observed an increase in ransomware intrusions since July 15, and Google reported exploitation of fully patched, end-of-life SonicWall VPNs for deploying backdoors and rootkits.
The ongoing investigations aim to determine the full scope and impact of the campaign, with more details expected as the situation develops. | Details |
| 2025-08-05 12:42:30 | theregister | MALWARE | Stealthy 'Plague' Malware Evades Antivirus on Linux Systems | Researchers at Nextron Threat have discovered malware named "Plague" that installs a resilient backdoor on Linux systems.
The malware evades antivirus tools by manipulating the system's authentication process through a malicious PAM (Pluggable Authentication Module).
'Plague' can bypass user authentication, giving attackers sustained and silent SSH access, and persists across system updates.
It uses advanced tactics such as custom string obfuscation, log hiding, and a disguised file name to stay hidden from debugging tools.
Crucially, the backdoor leaves minimal forensic footprints by sanitizing the runtime environment, erasing session traces and redirecting command logs.
Despite the severity of the threat, there have been no confirmed instances of 'Plague' detected in active use in the wild.
The malware was uploaded to the VirusTotal scanning service in 2024, yet it failed to trigger any malware detection alarms.
The discovery raises substantial concerns regarding the effectiveness of current antivirus solutions against sophisticated threats on Linux platforms. | Details |
| 2025-08-05 12:42:30 | theregister | MISCELLANEOUS | Key Highlights from Major Security Conferences in Las Vegas | Las Vegas hosts three major security conferences: BSides, Black Hat, and DEF CON, attracting a large global audience of security professionals.
BSides offers a variety of talk tracks and a key focus on password security solutions, featuring discussions on high-efficiency password cracking systems.
Black Hat's program includes training sessions, high-profile keynotes, and discussions on recent vulnerabilities in hardware and software, emphasizing AI and government cybersecurity strategies.
DEF CON, known for its more relaxed and inclusive atmosphere, focuses on hands-on hacking, with villages dedicated to specific security topics and the infamous Wall of Sheep displaying poor security practices.
Security measures at the conferences are tight, with network operations centers actively monitoring for suspicious activity and ensuring attendee security.
The conferences are a hub for networking, with opportunities to engage with peers, government officials, and potential employers through various talks, workshops, and social events.
DEF CON, despite its more casual environment, remains a crucial learning and networking venue, distinguishing itself with a strong focus on practical hacking techniques and security demonstrations. | Details |
| 2025-08-05 12:42:30 | thehackernews | MALWARE | Massive TikTok Shop Scam Spreads Malware, Steals Crypto | Cybersecurity firm CTM360 uncovered a large-scale scam targeting TikTok Shop users, dubbed ClickTok, using AI-generated content and phishing strategies to distribute malware and steal credentials.
Threat actors created over 15,000 fake TikTok Shop domains, misleadingly similar to official TikTok URLs, to host phishing pages.
These fake pages either harvest user credentials or push fraudulent apps laced with SparkKitty malware, affecting both Android and iOS platforms.
The malware is multifaceted, capable of device fingerprinting and using OCR techniques to steal cryptocurrency wallet seed phrases from users' screenshots.
Additionally, the scheme lures users into making crypto deposits on fake storefronts advertising nonexistent products at heavy discounts.
Apart from deploying fake promotions on Facebook and TikTok, the campaign also abuses Meta ads and employs AI-generated videos mimicking legitimate influencers.
The targeted phishing campaign is sophisticated, selectively engaging with victims in real-time to capture two-factor authentication data during financial transactions.
This disclosure is part of broader warnings about increasing phishing threats, including a separate campaign targeting Meta Business Suite users, flagged by CTM360 amidst advisories from the U.S. Financial Crimes Enforcement Network on convertible virtual currency fraud. | Details |
| 2025-08-05 12:42:30 | thehackernews | MISCELLANEOUS | How CISOs Enhance SOC Efficiency with Cutting-edge Tools | Top CISOs are focusing on increasing analysts' speed and visibility rather than simply adding more tools to enhance Security Operations Center (SOC) efficiency.
Live, interactive threat analysis tools, like ANY.RUN, help analysts observe and interact with malicious elements in real-time within a safe, isolated environment, drastically cutting down response times.
Automation in SOC processes, particularly in triage, is vital for removing repetitive tasks, speeding up responses, and reducing the overall workload.
ANY.RUN’s sandbox capabilities allow for interactive engagement with malicious URLs and files, enabling analysts to uncover threats hidden behind CAPTCHAs and QR codes efficiently.
High-performing SOCs achieve better results through improved collaboration and integration with existing security tools like SIEM and SOAR, which facilitates a smoother, quicker investigative process.
To ensure security and compliance, modern SOC tools offer private, isolated analysis environments with role-based access control and Single Sign-On (SSO) support.
Implementing these advanced strategies, SOCs report measurable improvements in operational efficiency, including faster response times and sharper visibility into threats.
The combination of interactive analysis, automated triage, and strategic collaboration equips SOCs to handle emerging threats more proactively and effectively. | Details |
| 2025-08-05 12:42:30 | thehackernews | MISCELLANEOUS | The Critical Importance of SaaS Configuration and Security Posture | Misconfigurations and vulnerabilities are distinct classes of risk, and the difference matters for an organization's SaaS security exposure.
Misconfigurations are user-driven setups, such as access levels and third-party integrations, while vulnerabilities are inherent platform code flaws only fixable by the vendor.
The shared responsibility model in SaaS implies vendors secure infrastructure, whereas customers manage the application's security settings.
Data shows that more than half of organizations place excessive trust in vendors for SaaS security and overlook their own responsibilities, increasing the risk of breaches through misconfiguration.
Traditional threat detection tools fail to capture risks originating from misconfiguration, as they primarily monitor user activities, not setup statuses.
Real-world incidents reveal critical misconfiguration risks in platforms like Salesforce’s OmniStudio, often undetectable by conventional security measures.
Building a "Secure-by-Design" SaaS framework involves proactive posture management and high-fidelity threat detection to mitigate known and unknown risks in tandem.
The 2025 State of SaaS Security Report emphasizes the need for awareness and improved configuration management to prevent security breaches effectively. | Details |
| 2025-08-05 12:42:30 | bleepingcomputer | DATA BREACH | Chanel Latest Victim in Series of Salesforce Data Breaches | Chanel experienced a data breach affecting U.S. customers' personal information including names, emails, and phone numbers.
The breach occurred via a Chanel database hosted by a third-party service provider and was detected on July 25th.
The breach is part of a broader trend involving Salesforce data thefts attributed to the ShinyHunters group.
Threat actors have been using social engineering, particularly vishing and malicious OAuth apps, to access Salesforce customer data.
Salesforce has stated that their platform remains secure and urged customers to apply best practices for cybersecurity.
The accessed data included only a subset of details from individuals who contacted Chanel’s U.S. client care center.
No financial information or other sensitive data beyond contact information was exposed in the breach.
Affected Chanel clients have been informed, and there is no indication that the stolen data has been publicly leaked yet. | Details |
| 2025-08-05 12:42:30 | bleepingcomputer | MISCELLANEOUS | Microsoft Boosts Zero Day Quest Bounty Program to $5 Million | Microsoft has increased the prize pool for its Zero Day Quest hacking contest to $5 million to encourage discovery of vulnerabilities in cloud computing and AI.
The contest will take submissions from August 4 to October 4, 2025, and is part of Microsoft's ongoing Secure Future Initiative aimed at overhauling security practices.
Participants can receive a 50% bonus for reporting Critical severity vulnerabilities, with the potential for additional multipliers.
A select group of top researchers will be invited to a live hacking event at Microsoft's campus in spring 2026 to collaborate on security enhancements.
Microsoft plans to support participants with training sessions focused on AI system testing, bug bounty programs, and security research methodologies.
The rewards for identifying vulnerabilities in Microsoft's various platforms, including .NET, AI Copilot, and ASP.NET Core, have also seen significant increases.
Microsoft commits to sharing critical vulnerability information through the CVE program as part of its transparency efforts under the Secure Future Initiative. | Details |
| 2025-08-05 12:42:30 | bleepingcomputer | NATION STATE ACTIVITY | Google Issues Patches for Android Exploited by Nation States | Google released security patches addressing six vulnerabilities in its August 2025 Android update.
Two critical flaws in Qualcomm components were actively exploited in targeted attacks.
CVE-2025-21479 and CVE-2025-27038 involved memory corruption in GPU rendering and command execution.
Qualcomm had previously warned of the exploitation of these vulnerabilities and issued recommendations for OEMs to update affected devices.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) mandated federal agencies to apply these security measures by late June 2025.
Google's latest patches also fix a critical system component vulnerability enabling remote code execution without user interaction.
Android updates vary in rollout times, with Google Pixel devices receiving immediate updates, while other vendors may delay for testing and adaptations.
Previous patches in March and November addressed other zero-day vulnerabilities used by Serbian authorities in targeted spyware attacks. | Details |
| 2025-08-05 12:42:30 | bleepingcomputer | CYBERCRIME | SonicWall Warns to Disable SSLVPN Amid Ransomware Threats | SonicWall has issued a warning to administrators to disable SSLVPN services on Gen 7 firewalls due to potential exploitation by ransomware gangs, leveraging a possible zero-day vulnerability.
Arctic Wolf Labs observed multiple Akira ransomware attacks since July 15, suggesting the use of a SonicWall zero-day vulnerability for initial network breach.
The mode of initial access, which could include brute force or credential stuffing, has not been conclusively determined in these incidents.
Cybersecurity firm Huntress affirmed Arctic Wolf's findings and issued a report with indicators of compromise, advising immediate disabling of the VPN service or severe access restrictions.
Threat actors exploiting this vulnerability are reportedly pivoting to domain controllers within hours of gaining initial access, compounding the risk of broader network compromise.
SonicWall is actively investigating these incidents to ascertain if they are linked to a previously known vulnerability or if a new one has surfaced, urging customers to apply recommended mitigations urgently.
In the face of these threats, SonicWall has also highlighted a critical vulnerability, CVE-2025-40599, in SMA 100 appliances, recommending urgent patching to prevent potential remote code execution attacks. | Details |
| 2025-08-05 12:42:30 | bleepingcomputer | DATA BREACH | Cisco Reports Data Breach Affecting User Profiles on Cisco.com | Cisco disclosed a data breach involving basic profile information of Cisco.com user accounts following a voice phishing attack.
An attacker accessed a third-party cloud-based Customer Relationship Management (CRM) system through social engineering, targeting a Cisco employee.
Stolen data included names, organization names, addresses, Cisco-assigned user IDs, email addresses, phone numbers, and account metadata.
The breach did not impact Cisco's products, services, or other CRM system instances, nor did it involve passwords or sensitive corporate information.
Cisco terminated the attacker's access to the CRM system upon discovery and initiated an investigation.
Measures are being implemented to enhance security and educate employees on recognizing and preventing vishing attacks.
Cisco has engaged with data protection authorities and has begun notifying affected individuals as required by law.
The exact number of affected users and whether attackers demanded a ransom remains undisclosed. | Details |
| 2025-08-04 11:32:34 | bleepingcomputer | MALWARE | Ransomware Gangs Exploit Vulnerabilities in Microsoft SharePoint | Ransomware groups are exploiting a Microsoft SharePoint vulnerability chain known as "ToolShell", compromising numerous global organizations.
Palo Alto Networks' Unit 42 identified the 4L4MD4R ransomware variant, associated with Chinese nation-state hacking groups Linen Typhoon, Violet Typhoon, and Storm-2603.
The attacks focus on internet-facing SharePoint servers, using malware loaders to disable security defenses and encrypt files on compromised systems.
Organizations targeted include the U.S. National Nuclear Security Administration, the Department of Education, and various European and Middle Eastern government networks.
Microsoft has patched the vulnerabilities (CVE-2025-53770 and CVE-2025-53771) used in these attacks as of their July 2025 Patch Tuesday.
The ransomware demanded payment in Bitcoin, dropping ransom notes directly on the victims' systems.
CISA has mandated federal agencies to secure their systems against the CVE-2025-53770 vulnerability within 24 hours. | Details |
| 2025-08-04 11:02:43 | thehackernews | CYBERCRIME | Comprehensive Guide to Preventing Man-in-the-Middle Attacks | Man-in-the-middle (MITM) attacks involve intercepting communications between two parties to steal sensitive data such as credit card numbers and login credentials.
MITM attacks exploit weaknesses in communication protocols, often using unsecured Wi-Fi environments in public spaces like coffee shops to initiate attacks.
Techniques used in MITM attacks include spoofing service set identifiers (SSIDs), ARP spoofing, and both mDNS and DNS spoofing to intercept or manipulate data.
Protecting against MITM involves encrypting all web traffic using HTTPS and TLS, implementing certificate pinning for apps, and using HTTP Strict Transport Security (HSTS).
Network security can be enhanced by avoiding public Wi-Fi or using trusted VPNs, segmenting networks, and using DNS security measures such as DNSSEC, DoH, and DoT.
Authentication measures such as mutual TLS and strong multi-factor authentication (MFA) are essential to prevent impersonation and interception.
Implementing advanced security monitoring tools, such as intrusion detection systems and endpoint detection and response (EDR) solutions, can detect and mitigate MITM tactics.
Education for users and developers about the importance of adhering to security practices and using tools like Specops Password Policy can further protect against data breaches. | Details |