Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-07-02 22:41:19 | theregister | MALWARE | Cisco Issues Urgent Patch for Critical Communication Flaw | Cisco's Unified Communications Manager and Session Management Edition have hardcoded credentials in the Engineering-Special (ES) builds. These critical vulnerabilities have received the highest rating (CVSS 10) and allow unauthenticated, remote attackers to gain full system control. Affected versions are specific ES releases of Cisco Unified CM and Unified CM SME, ranging from 15.0.1.13010-1 to 15.0.1.13017-1. Cisco has released a patch for the affected systems, only accessible through the Cisco Technical Assistance Center. Administrators should verify system integrity by checking log entries and SSH login records for indicators of unauthorized access. This major security lapse marks Cisco's second CVSS 10 flaw disclosed within a single week, highlighting significant security oversight. There is no available workaround for this issue; the only solution is to apply the provided patch and upgrade to the newest code. | Details |
| 2025-07-02 20:49:39 | theregister | CYBERCRIME | CISA Issues Urgent Patch Alert for Vulnerable Signal Clone | CISA warns of active exploitation of vulnerabilities in the Signal clone TeleMessage TM SGNL used by national security staff. Federal agencies are directed to patch the flaws or discontinue use by July 22, following the discovery of bugs allowing data theft. The vulnerabilities identified are CVE-2025-48927 and CVE-2025-48928, which allow unauthorized data access and sensitive information leaks. The flaws include a misconfigured endpoint that could allow memory dumps to be downloaded and another that exposes passwords over HTTP. TeleMessage gained attention after the Signalgate incident, in which a journalist was inadvertently added to a sensitive group chat meant for record-keeping. Chat logs of over 60 government personnel were recently leaked, emphasizing the urgency and severity of the security flaws. These vulnerabilities represent significant risks to the federal enterprise, necessitating immediate and mandatory remedial action by agencies. | Details |
| 2025-07-02 19:40:16 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Deploy Advanced NimDoor Malware on macOS | North Korean state-backed hackers have launched a sophisticated malware campaign targeting web3 and cryptocurrency entities using a new macOS malware dubbed NimDoor. The campaign involves contacting victims via Telegram and tricking them into downloading a fake Zoom SDK update delivered through platforms such as Calendly and email. The malware features unique elements such as an unusual signal-based persistence mechanism, which reinstalls the malware when attempts are made to terminate it. Core components of NimDoor, such as 'GoogIe LLC' and 'CoreKitAgent', are used to manage persistent access, collect system data, and deploy further payloads. CoreKitAgent uses AppleScript and WSS-based communications to exfiltrate data and facilitate remote command execution, enhancing its backdoor capabilities. SentinelOne researchers have identified this attack as part of a larger trend of increased sophistication in malware developed by North Korean threat actors. The report provides detailed technical insights into the payloads, obfuscation techniques, and operational structure of the NimDoor malware family. Indicators of compromise and other technical data related to the malware and its operations targeting sensitive cryptocurrency information have been documented. | Details |
| 2025-07-02 19:15:02 | bleepingcomputer | CYBERCRIME | DOJ Probes Ex-Negotiator for Alleged Ransomware Kickback Scheme | The Department of Justice (DOJ) is investigating a former ransomware negotiator suspected of collaborating with ransomware gangs to secure extortion payments and receive kickbacks. The individual under scrutiny previously worked for DigitalMint, a company specializing in ransomware negotiation and cryptocurrency payments for decryptors. DigitalMint, which has handled over 2,000 ransomware negotiations since 2017, terminated the employee upon discovering the alleged misconduct and is cooperating with law enforcement. The investigation is focused on whether the ex-employee manipulated negotiations to increase ransom payments, from which they allegedly received a cut. As a result of the ongoing investigation, some law and insurance firms have advised clients to refrain from using DigitalMint's services. DigitalMint asserts it is not the target of the DOJ investigation but has communicated details of the incident to affected stakeholders to maintain trust. A 2019 ProPublica report highlighted similar unethical practices in the U.S. data recovery industry, exposing firms that paid ransoms to cybercriminals while billing clients for data restoration. | Details |
| 2025-07-02 17:34:55 | theregister | DATA BREACH | Nonprofit TTAM to Prioritize Data Safety in 23andMe Acquisition | TTAM Research Institute is set to acquire genetic testing company 23andMe following its recent Chapter 11 bankruptcy, precipitated by a massive data breach in 2023. The data breach compromised approximately 14,000 accounts and indirectly affected around 7 million people due to a credential-stuffing attack by "Golem." 23andMe faced severe backlash for poor incident response and inadequate security measures, resulting in a $3.13 million fine by the UK's Information Commissioner's Office. TTAM, founded by 23andMe's former CEO Anne Wojcicki, pledges to uphold stringent data protection standards, intending to continue research and expand educational activities around human genetics. The nonprofit has pledged to maintain transparency and allow customers continued control over their genetic data, with options to erase their data permanently. Customers are reassured that no action is needed on their part and that TTAM will operate with the same privacy protocols and staff as before the acquisition. | Details |
| 2025-07-02 17:34:54 | bleepingcomputer | CYBERCRIME | Spain Arrests Hackers for High-Profile Data Theft Against State | Spanish police apprehended two cybercriminals in Las Palmas for stealing data from government officials and journalists. The arrested individuals were deemed a significant threat to national security and used the stolen data to gain notoriety and inflate the data's selling price online. The investigation was initiated after the detection of personal data leaks from top state institutions on various media platforms. One suspect specialized in data exfiltration, while the other managed sales and finances, including handling a cryptocurrency wallet. Numerous electronic devices were seized during home raids, potentially leading to further evidence or identifying additional accomplices. This arrest follows a series of successful operations against high-profile cybercriminals in Spain, including breaches of national and international security organizations. The police's continuous efforts highlight Spain's proactive measures to combat cybercrime and safeguard sensitive information. | Details |
| 2025-07-02 17:17:24 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Escalate Attacks on Web3 and South Korean Targets | North Korean hackers have intensified their cyber operations by targeting Web3 platforms and South Korean national security experts using sophisticated malware and social engineering techniques. Cybersecurity firms SentinelOne and Genians documented separate but related campaigns involving the use of the Nim and C++ programming languages to deploy malware and steal data. Attack vectors include misleading emails, deceptive links, and fake Zoom update requests that lead to the installation of persistent, information-stealing malware on macOS systems. The malware used in these campaigns demonstrates advanced capabilities such as credential harvesting from popular web browsers, extracting Telegram data, and evading user-initiated termination. Techniques such as the use of AppleScript for process control and the use of GitHub for malware staging and command-and-control communications highlight the evolving sophistication of the threat actors. The "ClickFix" tactic, previously documented in phishing scenarios, has evolved to trick users into manual interactions that facilitate malware deployment. These ongoing activities underline the persistent threat posed by North Korean hacker groups like Kimsuky, which continue to adjust and refine their cyberattack methods against regional and technological targets. | Details |
| 2025-07-02 17:17:23 | bleepingcomputer | CYBERCRIME | Cisco Removes Hardcoded Credentials from Unified CM | Cisco has issued a security advisory for a severe vulnerability in its Unified Communications Manager. The flaw, identified as CVE-2025-20309, involves hardcoded root SSH credentials that could enable remote attackers to access devices with root privileges. Affected versions include Unified CM and Unified CM SME Engineering Special releases from 15.0.1.13010-1 to 15.0.1.13017-1. There are no alternative workarounds; the vulnerability can only be mitigated by upgrading to newer software versions or applying a specific patch. Cisco has not detected any active exploitation of this vulnerability but has provided indicators of compromise to help administrators assess their systems. This incident adds to a list of issues with hardcoded credentials previously discovered in other Cisco products. The company stressed the importance of monitoring system logs for unauthorized access attempts, with detailed instructions on how to retrieve relevant log entries. | Details |
| 2025-07-02 16:23:29 | bleepingcomputer | DDOS | Citrix Faces Login Issues After Patching NetScaler Vulnerabilities | Citrix has issued warnings about potential login disruptions on NetScaler ADC and Gateway appliances following patches for severe security vulnerabilities. Patching the vulnerabilities, which could lead to authentication bypass and denial-of-service attacks, triggers issues due to the newly default-enabled Content Security Policy (CSP). The CSP is intended to mitigate risks like cross-site scripting and code injection but inadvertently blocks legitimate scripts required for authentication methods like Duo, SAML, or other IdP configurations. The disruptions manifest as broken login pages, particularly under configurations relying on custom scripts not compliant with the strict CSP rules. Two critical vulnerabilities, CVE-2025-5777 ("Citrix Bleed 2") and CVE-2025-6543, are addressed by the patches; the latter is actively exploited in DoS attacks. Citrix recommends that administrators disable the CSP temporarily and clear the cache to resolve the login issues while further solutions are developed. Citrix offers further assistance through its support team for issues that remain unresolved after the CSP adjustment. | Details |
| 2025-07-02 15:45:58 | bleepingcomputer | MALWARE | Critical Forminator Plugin Flaw Risks WordPress Site Takeovers | A severe vulnerability in the Forminator plugin for WordPress, identified as CVE-2025-6463 with a CVSS score of 8.8, risks entire site takeovers. The plugin is popular, installed on over 600,000 websites, and allows users to create forms with a drag-and-drop interface. The flaw originates from improper validation and sanitization of user input, enabling arbitrary file deletion when forms are submitted. Attackers can exploit the vulnerability by injecting malicious file paths into form fields, leading to the deletion of essential WordPress files like wp-config.php. The deletion of critical files forces WordPress sites into a setup state, where attackers can potentially gain control by linking the site to their own database. The issue was reported by a security researcher, resulting in a bug bounty of $8,100 and a rapid response from the developers, who issued a patch within ten days. Version 1.44.3 of Forminator, which fixes the vulnerability, has been released, but the total number of updated installations remains unclear. Although there are no current reports of active exploitation, the exposure of technical details makes it likely that attackers will soon attempt to exploit this vulnerability. | Details |
| 2025-07-02 13:16:52 | bleepingcomputer | CYBERCRIME | Over 40 Fake Crypto Wallet Extensions Found in Firefox Store | Over 40 fraudulent browser extensions mimicking popular cryptocurrency wallets were discovered in the Firefox add-ons store. The extensions target credentials by impersonating reputable wallets like Coinbase, MetaMask, and others, and contain malicious code to exfiltrate sensitive data. A Russian-speaking cybercriminal group is believed to be behind the scheme; the extensions include malicious code that captures wallet keys and seed phrases. The fraudulent code includes event listeners that monitor and steal data when users input sensitive information. Fake user reviews, predominantly five-star, were used to enhance the credibility of the extensions, despite the presence of one-star scam alerts from affected users. Despite reports to Mozilla and the presence of an early detection system for such scams, the malicious add-ons remained accessible at the time of the report. The campaign has been continually active, with new malicious extensions frequently added to the store. | Details |
| 2025-07-02 12:40:56 | theregister | CYBERCRIME | US Imposes Sanctions on Russian Bulletproof Hosting Provider | The US Treasury has sanctioned Russian bulletproof hosting provider Aeza Group and four associates for supporting ransomware and cybercriminal activities. Aeza Group has facilitated operations for notable ransomware entities like BianLian and data theft groups such as Meduza and Lumma. BianLian, known for targeting US critical infrastructure, has shifted from encryption ransomware to a data exfiltration extortion model. The sanctions mark the second punitive action against a bulletproof hosting provider in 2023, following the earlier sanctions against Zservers, which supported the LockBit ransomware group. Aeza Group's operations are linked to a UK-registered affiliate, Aeza International, managed with assistance from the UK's National Crime Agency. Sanctions mean US entities are prohibited from conducting business with Aeza, which could limit but not entirely stop its cybercriminal operations. The sanctions target the organization and its key operators, but the full impact on broader cybercriminal activities involving Russian entities may be limited. | Details |
| 2025-07-02 11:01:55 | thehackernews | CYBERCRIME | Evolving Cybersecurity: The Importance of Layered NDR Strategies | Nearly 80% of cyber threats now imitate legitimate user behaviors, complicating threat detection. Verizon's report shows a significant increase in breaches at edge devices and VPN gateways, from 3% to 22%. Traditional EDR solutions fail to detect advanced threats like zero-day exploits and malware-free attacks. Security operations centers (SOCs) are increasing resilience by adopting a multi-layered detection strategy using Network Detection and Response (NDR). NDR enhances visibility and detection without the need for agent deployment, effectively uncovering subtle malicious activities. Layered NDR strategies combine lightweight base layers for common threats with more sophisticated behavioral and machine learning layers for complex threats. Top SOCs use NDR to correlate detections and offer a comprehensive view of network threats, facilitating faster and more effective incident response. The movement towards NDR is driven by the need to adapt to sophisticated, rapidly evolving cyber-attacks and increasing attack surfaces. | Details |
| 2025-07-02 10:52:28 | thehackernews | CYBERCRIME | PDF Impersonation Phishing Targets Major Brands to Mislead Users | Cybersecurity experts have identified a phishing trend using PDF attachments to emulate trusted brands like Microsoft and DocuSign. Attackers trick victims into initiating phone calls under the guise of solving issues or confirming transactions through these PDFs. These phishing calls may lead victims to inadvertently disclose sensitive data or install malicious software, including banking Trojans. Many PDFs contain QR codes that, when scanned, redirect to fake brand login pages, enhancing the illusion of legitimacy. The campaigns exploit VoIP technology for anonymity, using untraceable numbers to execute complex, multi-stage social engineering. The FBI has noted a rise in such callback phishing activities, particularly from a group known as Luna Moth. Further misuse of Microsoft 365's Direct Send feature by attackers allows phishing emails that appear to be internal communications. Overall, brand impersonation and sophisticated social engineering tactics remain major threats in the digital landscape. | Details |
| 2025-07-02 09:40:31 | theregister | CYBERCRIME | Cl0p Cybercrime Group's Tool Vulnerable to Hacker Exploits | The Cl0p cybercrime gang's Python-based data extraction tool has a significant security flaw allowing Remote Command Execution (RCE) attacks. The vulnerability has a high severity score of 8.9, primarily due to improper input validation that fails to sanitize inputs, enabling attackers to execute OS commands. Italian researcher Lorenzo N identified the flaw, which was later publicized by the Computer Incident Response Center Luxembourg (CIRCL). CIRCL head Alexandre Dulaunoy expressed skepticism regarding any forthcoming fixes from the Cl0p developers for this vulnerability. Potential exploiters of this vulnerability could include rival cybercriminal groups aiming to disrupt Cl0p's operations or steal its data using the compromised tool. The MOVEit file transfer attacks led by Cl0p in 2023 impacted numerous major organizations, and the group continued exploiting MOVEit vulnerabilities well into 2024. Recent activity reported by GreyNoise detected a spike in scanning for systems vulnerable to previously known MOVEit bugs, indicating ongoing cyber threats related to MOVEit vulnerabilities. | Details |