Daily Brief

2025-11-20 01:34:39 theregister CYBERCRIME US, UK, Australia Impose Sanctions on Russian Ransomware Hosting Provider
The US, UK, and Australia have sanctioned Media Land, a Russian entity accused of hosting services for ransomware gangs like LockBit, BlackSuit, and Play. Media Land is alleged to have facilitated multiple DDoS attacks against US companies and critical infrastructure, according to the US Department of the Treasury. Australia's Federal Police have linked Media Land to malware infections and scams, while the UK's National Crime Agency cited its role in enabling phishing attacks. The sanctions aim to disrupt Media Land's operations by prohibiting citizens and banks in these countries from engaging with the company and its affiliates. This marks the third major action against Russian "bulletproof" hosting providers this year, following previous actions against Zservers and the Aeza Group. The US continues to target Aeza Group, which attempted to evade sanctions by rebranding and using UK-based Hypercore Ltd for its infrastructure. Sanctions also extend to individuals Aleksandr Volosovik and Yulia Pankova, alleged operatives of Media Land, impacting their legal and financial operations. This coordinated international effort seeks to dismantle Russian cybercrime networks, though challenges persist in fully eradicating these operations.
2025-11-19 23:10:29 theregister VULNERABILITIES Fortinet Addresses Critical Zero-Day Flaws in FortiWeb Firewall
Fortinet confirmed a zero-day vulnerability in its FortiWeb firewall, issuing a patch following recent similar disclosures affecting the same product. The newly identified flaw, CVE-2025-58034, is an OS command injection vulnerability allowing unauthorized code execution via crafted HTTP requests or CLI commands. Trend Micro reported approximately 2,000 detections of this vulnerability being exploited in the wild, emphasizing its active threat status. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the FortiWeb bug to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch within seven days. Fortinet's recent advisories suggest a potential exploit chain between CVE-2025-58034 and another critical flaw, CVE-2025-64446, which allows authentication bypass. Security researchers note the rapid disclosure and patching timeline, indicating a potential linkage between the vulnerabilities for unauthenticated remote code execution. Organizations using FortiWeb are urged to update to the latest software version to mitigate risks and prevent unauthorized network access.
2025-11-19 22:07:33 bleepingcomputer CYBERCRIME Sneaky2FA Phishing Kit Adopts Browser-in-the-Browser Deception
The Sneaky2FA phishing-as-a-service kit now includes browser-in-the-browser capabilities to steal Microsoft credentials and active sessions, enhancing its deceptive tactics. This kit, alongside Tycoon2FA and Mamba2FA, primarily targets Microsoft 365 accounts, using sophisticated techniques like SVG-based attacks and attacker-in-the-middle tactics. The browser-in-the-browser pop-up mimics legitimate Microsoft login windows, dynamically adjusting to the victim’s operating system and browser for increased realism. Attackers can bypass two-factor authentication by stealing credentials and session tokens, allowing unauthorized access to victim accounts. The phishing technique, initially devised by researcher mr.d0x, has been adopted for attacks on various services, including Facebook and Steam. Sneaky2FA employs conditional loading and obfuscation to evade detection, presenting benign pages to bots and researchers while targeting actual victims. Users are advised to verify pop-up authenticity by attempting to drag it outside the browser window, as legitimate pop-ups appear as separate instances in the taskbar.
2025-11-19 18:34:23 theregister NATION STATE ACTIVITY Cyber Operations Fueling Physical Military Strikes, Warns Amazon Security Chief
Amazon's security leadership reports a growing trend of cyber operations aiding physical military strikes, affecting industries like shipping, transportation, and electronics. These operations represent a new model blending cyber and kinetic warfare, necessitating revised security and risk management strategies for businesses. Iran's cyber groups, Imperial Kitten and MuddyWater, have been linked to digital reconnaissance preceding missile strikes, demonstrating the operational synergy between cyber and physical domains. Amazon's Threat Intelligence has identified and mitigated threats using honeypot systems and collaboration with affected organizations and government agencies. The integration of cyber and physical security is crucial, as isolated approaches may leave organizations vulnerable to exploitation as intelligence tools. Network defenders are urged to expand threat models and improve intelligence sharing to counter cyber-enabled kinetic attacks effectively. Businesses are advised to evaluate the interconnectedness of their physical and digital systems, including supply chain vulnerabilities, to enhance security posture.
2025-11-19 17:34:36 bleepingcomputer VULNERABILITIES Critical Command Injection Flaw Found in W3 Total Cache Plugin
A critical vulnerability, CVE-2025-9501, in the W3 Total Cache WordPress plugin allows PHP command injection, potentially compromising over one million websites. The flaw affects all versions prior to 2.8.13, enabling unauthenticated users to execute commands via malicious comments. The vulnerability resides in the _parse_dynamic_mfunc() function, which processes dynamic function calls in cached content. A patch was released on October 20, but only 430,000 downloads have occurred, leaving many sites still at risk. WPScan has developed a proof-of-concept exploit, set for release on November 24, which could accelerate malicious exploitation. Administrators are advised to upgrade to version 2.8.13 or disable the plugin to prevent potential attacks. Failure to address this vulnerability could result in attackers gaining full control over affected WordPress sites.
2025-11-19 16:51:10 bleepingcomputer CYBERCRIME Sanctions Imposed on Russian Hosting Providers for Ransomware Support
The U.S., U.K., and Australia have sanctioned Russian bulletproof hosting providers aiding ransomware gangs, including LockBit, BlackSuit, and Play, disrupting their operations. Media Land and its affiliates are accused of supporting cybercrime activities, such as phishing, malware delivery, and DDoS attacks against U.S. critical infrastructure. Sanctions target Media Land executives, including Aleksandr Volosovik, linked to cybercrime groups like Evil Corp and Black Basta, freezing their assets and exposing them to further legal actions. Aeza Group LLC and its front company, Hypercore Ltd, are also sanctioned, impacting their ability to operate internationally and collaborate with allied countries. Five Eyes cybersecurity agencies have issued guidance for ISPs to mitigate threats from bulletproof hosting, recommending threat intelligence-based filtering and enhanced customer verification. The sanctions aim to dismantle cybercriminal networks by freezing assets and imposing secondary sanctions on entities transacting with the designated individuals and companies. This coordinated international effort reflects a broader strategy to combat cybercrime by targeting infrastructure providers supporting illicit activities.
2025-11-19 16:33:56 thehackernews VULNERABILITIES Active Exploitation of 7-Zip Vulnerability CVE-2025-11001 Reported
A critical vulnerability in 7-Zip, identified as CVE-2025-11001, is actively being exploited, as reported by NHS England Digital. The flaw allows remote attackers to execute arbitrary code through symbolic link manipulation within ZIP files, potentially compromising systems. 7-Zip version 25.00, released in July 2025, addresses this vulnerability, alongside another similar flaw, CVE-2025-11002. The vulnerabilities were introduced in version 21.02 and can be exploited in Windows environments with elevated user permissions or developer mode enabled. Security researcher Dominik released a proof-of-concept exploit, emphasizing the need for users to update to the latest 7-Zip version promptly. The lack of detailed information on the exploitation methods and actors involved increases the urgency for organizations to secure their systems. Organizations should prioritize patch management and ensure that all systems using 7-Zip are updated to mitigate potential risks.
2025-11-19 15:43:34 thehackernews MALWARE WhatsApp Worm Campaign Distributes Eternidade Stealer in Brazil
A new campaign uses WhatsApp hijacking and social engineering to spread the Delphi-based banking trojan, Eternidade Stealer, targeting users in Brazil. Attackers leverage a Python script to hijack WhatsApp accounts, marking a shift from previous PowerShell-based methods, and distribute malicious attachments. The campaign exploits WhatsApp's popularity in Brazil, using it as a vector to propagate large-scale attacks on Brazilian institutions. The attack initiates with an obfuscated Visual Basic Script, which leads to the deployment of multiple payloads, including a Python script and an MSI installer. Eternidade Stealer targets banking portals and cryptocurrency services, activating only when relevant applications are accessed to avoid detection. The malware communicates with a command-and-control server using IMAP to dynamically update server addresses, enhancing persistence and evasion. The infrastructure includes management panels for monitoring and geofencing, with access restricted to Brazilian and Argentine systems, redirecting others to a benign error page. Despite its Brazilian focus, the campaign's global footprint is evident, with connections recorded from multiple countries, necessitating vigilance from cybersecurity defenders worldwide.
2025-11-19 14:37:25 bleepingcomputer VULNERABILITIES Operation WrtHug Exploits Vulnerabilities in ASUS Routers Globally
Operation WrtHug has compromised approximately 50,000 ASUS routers worldwide, primarily targeting outdated models with known vulnerabilities. The campaign predominantly affects routers in Taiwan, Southeast Asia, Russia, Central Europe, and the U.S., with no infections detected in China. Attackers exploit command injection flaws, notably CVE-2025-2492, using ASUS AiCloud services to deploy a global intrusion set. A unique self-signed TLS certificate with a 100-year validity is a key indicator of compromise, replacing ASUS's standard 10-year certificate. The compromised routers may serve as operational relay boxes for stealth operations, facilitating command-and-control activities. ASUS has released security updates to address these vulnerabilities, urging users to update firmware or replace unsupported devices. The campaign shares similarities with the AyySSHush campaign, suggesting potential connections between the two.
2025-11-19 14:22:13 bleepingcomputer VULNERABILITIES Addressing Security Risks in DevOps Platforms: Best Practices
DevOps platforms like GitHub, Bitbucket, and GitLab hold critical data, making them attractive targets for cyber threats, including ransomware and insider attacks. The Shared Responsibility Model places the onus on users to secure their data, emphasizing the need for stringent access controls and automated backups. Each platform offers unique security features: GitHub includes secret scanning and push protection, while GitLab focuses on role segregation and patching. Common vulnerabilities include weak access controls, improper repository permissions, and lack of multi-factor authentication, which can be exploited through various attack vectors. A notable supply-chain attack on GitHub involved a malicious update to a popular GitHub Action, potentially exposing thousands of repositories. Preventive measures include enforcing MFA, using ephemeral runners, and maintaining external immutable backups to mitigate risks. Organizations are encouraged to shift security practices left and ensure compliance with industry regulations to protect DevOps data effectively. Implementing a comprehensive backup and disaster recovery strategy, such as using third-party solutions like GitProtect, can safeguard against data loss and ensure business continuity.
2025-11-19 13:49:33 bleepingcomputer VULNERABILITIES CISA Mandates Rapid Patching of New Fortinet Vulnerabilities
CISA has directed U.S. government agencies to patch a new Fortinet FortiWeb vulnerability within a week, following its exploitation in zero-day attacks. The vulnerability, CVE-2025-58034, allows authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands. This flaw has been added to CISA's Known Exploited Vulnerabilities Catalog, emphasizing its potential risk to federal systems. Agencies must secure their systems by November 25th under Binding Operational Directive 22-01, with a reduced remediation timeframe due to active exploitation. Another Fortinet vulnerability, CVE-2025-64446, has also been added to the catalog, with a patch deadline of November 21st. Fortinet vulnerabilities are frequently targeted in cyber espionage and ransomware attacks, as seen in past incidents involving state-sponsored groups. The urgency in patching these vulnerabilities reflects the ongoing threat landscape and the necessity for robust cybersecurity measures.
2025-11-19 13:21:00 theregister DATA BREACH WhatsApp Enumeration Flaw Exposes Data of 3.5 Billion Users
Researchers from Austria identified a flaw in WhatsApp's user enumeration feature, potentially exposing personal data of over 3.5 billion users worldwide. The flaw allowed the extraction of phone numbers, names, and profile images at a rate of 100 million accounts per hour, using a tool based on Google's libphonenumber. The vulnerability was exploited without encountering rate limiting or IP blocking, raising concerns about WhatsApp's security measures. Personal data collected included sensitive information such as sexual orientation, political views, and links to other platforms, posing privacy risks. WhatsApp's parent company, Meta, has since implemented anti-scraping measures and confirmed the deletion of data collected by researchers. The incident underscores the importance of robust security protocols to prevent large-scale data scraping and potential misuse by cybercriminals. Meta's response to the vulnerability was delayed, taking nearly a year to address the issue, but effective countermeasures are now in place.
2025-11-19 13:02:18 thehackernews VULNERABILITIES Operation WrtHug Compromises Thousands of ASUS Routers Globally
SecurityScorecard's STRIKE team identified Operation WrtHug, exploiting six vulnerabilities in outdated ASUS routers, impacting tens of thousands of devices in Taiwan, the U.S., and Russia. The campaign leverages ASUS AiCloud's n-day vulnerabilities to gain high privileges on end-of-life routers, using a unique self-signed TLS certificate for network integration. Affected routers are predominantly linked to ASUS AiCloud services, with 99% of compromised devices presenting the same certificate, set to expire in 2122. Exploited vulnerabilities include CVE-2023-41345 to CVE-2025-2492, with potential ties to other China-linked botnets like AyySSHush, raising concerns of coordinated efforts. The operation suggests possible involvement of China-affiliated actors, given the targeting patterns and overlaps with tactics seen in previous Chinese ORB campaigns. The campaign underscores the risks associated with end-of-life devices, emphasizing the need for timely updates and decommissioning of outdated hardware. SecurityScorecard warns of the increasing trend of mass infections targeting network devices, urging organizations to bolster defenses against such widespread threats.
2025-11-19 13:02:17 bleepingcomputer CYBERCRIME ShinySp1d3r Ransomware-as-a-Service Emerges from ShinyHunters Group
ShinyHunters, in collaboration with Scattered Spider, has developed ShinySp1d3r, a new ransomware-as-a-service platform, marking a shift from using third-party encryptors to deploying their own. The emerging RaaS was first revealed on a Telegram channel, with the group attempting to extort Salesforce and Jaguar Land Rover through data theft. ShinySp1d3r uses the ChaCha20 encryption algorithm, with RSA-2048 protecting private keys, and features unique file extensions and metadata headers. Each encrypted device will display a ransom note and a customized Windows wallpaper, urging victims to negotiate within three days to avoid public exposure. ShinyHunters is developing versions for Linux and ESXi, alongside a "lightning version" optimized for speed, indicating ongoing enhancements to their ransomware toolkit. The group claims healthcare entities are off-limits, although past ransomware gangs have not adhered to such promises, raising skepticism about enforcement. Operations will exclude attacks on Russia and CIS countries, likely to avoid legal repercussions for affiliates in those regions.
2025-11-19 12:14:51 bleepingcomputer CYBERCRIME California Man Pleads Guilty in $230 Million Crypto Laundering Case
Kunal Mehta, a 45-year-old from Irvine, California, admitted to laundering $25 million in a $230 million cryptocurrency heist, becoming the eighth defendant to plead guilty in this case. The heist involved a group using social engineering tactics to access victims' cryptocurrency accounts, with operations spanning from October 2023 to March 2025. The crime ring consisted of young individuals from various U.S. states and abroad, who connected through online gaming before engaging in organized cyber theft and laundering activities. Mehta's role involved creating shell companies to legitimize the laundering process, charging a 10% fee for converting stolen cryptocurrency into cash and making wire transfers. The stolen funds financed extravagant lifestyles, including luxury cars, private jets, and high-end accessories, highlighting the significant financial impact of the criminal activities. Law enforcement's investigation revealed critical errors made by the group, linking laundered funds back to the original stolen amounts, aiding in their capture. The FBI emphasizes vigilance against online scams, urging individuals to avoid sharing personal information through unsolicited communications.