Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11629
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-11-12 14:04:36 | thehackernews | VULNERABILITIES | Amazon Identifies Zero-Day Exploits in Cisco and Citrix Systems | Amazon's threat intelligence team discovered advanced threat actors exploiting zero-day vulnerabilities in Cisco ISE and Citrix NetScaler ADC to deploy custom malware.
The vulnerabilities, tracked as CVE-2025-5777 (Citrix NetScaler ADC) and CVE-2025-20337 (Cisco ISE), were actively exploited; the Cisco ISE flaw was used to deliver a custom web shell disguised as a legitimate Cisco ISE component.
The malware operates entirely in memory, using Java reflection for stealth, and employs DES encryption with non-standard Base64 encoding to avoid detection.
The attacks were detected through Amazon's MadPot honeypot network, revealing the sophistication and resourcefulness of the threat actor involved.
These findings stress the need for organizations to implement defense-in-depth strategies and robust detection mechanisms to identify unusual behavior patterns.
The campaign targets critical identity and network access control infrastructure, emphasizing the vulnerability of even well-maintained systems to pre-authentication exploits.
Organizations are urged to limit access to management portals through firewalls or layered access to mitigate risks associated with such vulnerabilities. | Details |
| 2025-11-12 14:04:35 | bleepingcomputer | VULNERABILITIES | Zero-Day Exploits in Citrix and Cisco ISE Targeted by Advanced Hackers | An advanced threat actor exploited zero-day vulnerabilities in Citrix NetScaler ADC and Cisco Identity Service Engine (ISE) before public disclosure and patch availability.
Amazon's MadPot honeypot detected exploitation attempts for Citrix Bleed 2 (CVE-2025-5777), indicating pre-disclosure attacks.
The Cisco ISE vulnerability (CVE-2025-20337) allows unauthenticated remote attackers to execute arbitrary code as root, with active exploitation confirmed shortly after disclosure.
Hackers deployed a custom web shell, 'IdentityAuditAction,' on Cisco ISE, using advanced techniques to evade detection and maintain persistence.
Despite the sophistication of the attack, the targeting was indiscriminate, which is unusual for advanced persistent threat (APT) operations.
Amazon shared findings with Cisco, leading to heightened awareness and reissued warnings about active exploitation.
Organizations are urged to apply security updates for the identified vulnerabilities and enhance network device security through firewalls and layered defenses. | Details |
| 2025-11-12 12:32:33 | bleepingcomputer | DATA BREACH | Synnovis Data Breach Affects NHS, Linked to Qilin Ransomware Gang | Synnovis, a UK pathology provider, confirmed that its June 2024 ransomware attack resulted in a data breach affecting NHS hospitals and clinics across London.
The breach involved theft of patient data, including NHS numbers, names, birth dates, and some test results, necessitating a complex forensic investigation.
Synnovis is notifying affected healthcare organizations, with patient notifications managed by NHS entities, adhering to UK data protection laws.
The ransomware attack disrupted operations at major NHS hospitals, causing cancellations of non-emergency pathology services and blood transfusions.
The incident led to significant operational challenges, including blood shortages and the cancellation of over 1,500 medical appointments and operations.
The attack was attributed to the Qilin ransomware group, known for its Ransomware-as-a-Service model, impacting over 300 organizations globally.
Synnovis, in collaboration with NHS Trust partners, decided against paying the ransom, emphasizing their commitment to ethical standards and cybersecurity principles. | Details |
| 2025-11-12 11:58:39 | thehackernews | MISCELLANEOUS | Webinar Introduces Dynamic Attack Surface Reduction for Enhanced Security | The Hacker News and Bitdefender are hosting a webinar on Dynamic Attack Surface Reduction (DASR), a proactive cybersecurity approach aimed at preemptively closing security gaps.
DASR offers a shift from traditional methods by automatically identifying and mitigating risks before attackers exploit them, reducing the reactive burden on security teams.
Current security tools often overwhelm teams with alerts without providing efficient solutions, whereas DASR focuses on preventing vulnerabilities from being exploited.
The approach addresses the continuously evolving attack surface, including new applications, cloud systems, and remote devices, which traditional defenses struggle to manage effectively.
Bitdefender's experts will discuss real-world applications of DASR and their PHASR system, showcasing how these tools help prevent potential breaches.
This session aims to equip security teams with strategies to transition from reactive problem-solving to proactive threat prevention, enhancing overall organizational security posture. | Details |
| 2025-11-12 11:27:48 | theregister | CYBERCRIME | Metropolitan Police Concludes Seven-Year Pursuit of Bitcoin Fraudster | Zhimin Qian, a fraudster involved in a large-scale cryptocurrency scheme, was sentenced to nearly 12 years in prison after a seven-year investigation by the Metropolitan Police.
Qian's fraudulent activities affected over 128,000 individuals in China, involving a company that falsely claimed to develop technology and mine Bitcoin.
Authorities seized over 61,000 Bitcoin, valued at approximately £4.8 billion, marking the largest confirmed cryptocurrency seizure to date.
Qian attempted to launder funds through property purchases in London and overseas, using associates to obscure the asset origins.
The investigation involved collaboration between the Metropolitan Police, Crown Prosecution Service, National Crime Agency, and Chinese law enforcement.
The case underscores the increasing use of cryptocurrency by organized crime groups to conceal and invest illicit profits.
The National Crime Agency launched a campaign targeting males under 45 to raise awareness about the risks of cryptocurrency fraud, which is rapidly growing in the UK. | Details |
| 2025-11-12 11:15:00 | thehackernews | VULNERABILITIES | Strengthening Active Directory Security in Hybrid Cloud Environments | Active Directory (AD) is crucial for authentication in over 90% of Fortune 1000 companies, making it a prime target for cyberattacks.
The 2024 Change Healthcare breach exemplifies the impact of AD compromise, resulting in halted operations and exposed health records.
Attackers exploit AD to gain privileged access, modify permissions, and disable security controls, often bypassing standard detection tools.
Hybrid and cloud infrastructures increase AD's complexity, expanding attack surfaces and creating visibility gaps for security teams.
Common attack vectors include compromised credentials, OAuth token abuse, and exploitation of legacy authentication protocols, necessitating robust security measures.
Strengthening AD security involves layered defenses like strong password policies, privileged access management, zero-trust principles, and continuous monitoring.
Effective patch management is critical, as attackers actively seek unpatched systems to exploit vulnerabilities.
Continuous improvement in AD security practices is essential to adapt to evolving threats and infrastructure changes. | Details |
| 2025-11-12 10:59:28 | theregister | MISCELLANEOUS | UK Introduces Cybersecurity Bill to Strengthen Critical Infrastructure Protection | The UK Parliament received the Cyber Security and Resilience (CSR) Bill, aiming to enhance cybersecurity measures across critical sectors, including datacenters and managed service providers.
This legislative update builds on the NIS 2018 regulations, expanding to include datacenters after their designation as critical national infrastructure in 2024.
The bill grants the government new powers to issue security directives, similar to the US CISA's authority, to ensure rapid response to national security threats.
Organizations affected by severe cyberattacks must report incidents to regulators and the NCSC within 24 hours, with a comprehensive report required within 72 hours.
Penalties for non-compliance include fines up to £100,000 daily or 10% of daily turnover, emphasizing the importance of adherence to the new regulations.
The bill is part of a broader strategy to reduce the £14.7 billion annual economic impact of cyberattacks on the UK, aiming for a more resilient national infrastructure.
The legislation underscores the government's commitment to national security, ensuring fewer disruptions to essential services and enhancing overall cyber defense capabilities. | Details |
| 2025-11-12 10:25:09 | thehackernews | VULNERABILITIES | Microsoft Releases Patches for 63 Security Flaws, Including Zero-Day | Microsoft addressed 63 vulnerabilities, including a zero-day in Windows Kernel, through its latest security update, with four flaws rated as Critical and 59 as Important.
The zero-day, CVE-2025-62215, involves a privilege escalation flaw due to a race condition in Windows Kernel, allowing attackers to gain SYSTEM privileges if exploited successfully.
Exploitation requires local access: an attacker must already be able to run code on the target, typically obtained through phishing or by exploiting another vulnerability.
The update also includes a critical heap-based buffer overflow flaw in Microsoft's Graphics Component (CVE-2025-60724), which could lead to remote code execution.
Microsoft's Threat Intelligence Center and Security Response Center identified and reported the zero-day vulnerability currently under active exploitation.
Organizations are advised to apply these patches promptly to mitigate potential risks associated with these vulnerabilities, especially those being actively exploited.
The 63 fixes are in addition to 27 vulnerabilities Microsoft has patched in its Chromium-based Edge browser since the October 2025 Patch Tuesday. | Details |
| 2025-11-12 10:18:18 | theregister | MISCELLANEOUS | UK Aviation Watchdog Warns of Imminent Drone Disruptions at Airports | The UK's Civil Aviation Authority (CAA) predicts that organized drone attacks will soon disrupt UK airports, citing recent incidents at Belgian airports as a precursor.
CAA's Rob Bishton emphasized the evolving threat from drones and cyber attacks, noting that current defenses may be insufficient against more sophisticated operators.
The warning follows past disruptions, such as the 2018 Gatwick incident, which grounded flights and led to stricter drone regulations.
Recent drone incursions in Denmark and Belgium have prompted UK military assistance, highlighting the potential for international collaboration against hybrid threats.
Heathrow's CEO expressed concerns over drone threats but maintained confidence in the airport's advanced defense systems.
Air traffic control protocols dictate immediate airspace restrictions upon drone sightings, causing potential delays and diversions.
A recent cyberattack by the Everest ransomware group disrupted airline check-in systems across Europe, further complicating aviation security challenges.
The CAA urges readiness for future incidents, as drones and cyber threats continue to evolve rapidly, posing significant risks to aviation infrastructure. | Details |
| 2025-11-12 08:40:39 | thehackernews | MISCELLANEOUS | Google Introduces Private AI Compute for Enhanced Data Privacy | Google announced Private AI Compute, a technology designed to securely process AI queries in the cloud while ensuring user data privacy.
The system utilizes Trillium Tensor Processing Units and Titanium Intelligence Enclaves to maintain security akin to on-device processing.
Google's infrastructure employs a Trusted Execution Environment, encrypting and isolating memory to prevent unauthorized access and data exfiltration.
Each workload undergoes cryptographic validation to ensure mutual trust, preventing untrusted components from accessing user data.
An external assessment by NCC Group identified potential side-channel and denial-of-service vulnerabilities, which Google is actively addressing.
The system's ephemeral design ensures that data inputs and computations are discarded after user sessions, mitigating risks from privileged access.
This initiative aligns with similar privacy-focused efforts by Apple and Meta, enhancing secure AI processing across the industry. | Details |
| 2025-11-12 04:56:07 | theregister | NATION STATE ACTIVITY | China's CVERC Alleges U.S. Involvement in Bitcoin Theft from LuBian | China's National Computer Virus Emergency Response Center (CVERC) claims a nation-state, likely the USA, orchestrated a 2020 cyberattack on bitcoin mining pool LuBian, affecting operations in Iran and China.
The attack resulted in the theft of 127,272 bitcoin, allegedly owned by Chen Zhi, chairman of Cambodia's Prince Group, who unsuccessfully sought the return of the cryptocurrency.
CVERC suggests the dormant state of the stolen bitcoin wallet indicates a nation-state actor, as typical criminals would have liquidated the assets.
The U.S. Department of Justice recently indicted Chen Zhi for wire fraud and money laundering, seizing the bitcoin as proceeds from his fraudulent activities.
Both China and the U.S. agree on the bitcoin's theft and its current U.S. custody, though CVERC omits Zhi's connection to forced-labor scam operations.
CVERC's report advises China's blockchain community to enhance security, despite China's 2021 ban on cryptocurrency mining and trading.
The statement may reflect China's ongoing narrative against U.S. cyber operations, aligning with previous claims of fabricated American cyber threats. | Details |
| 2025-11-12 01:22:11 | theregister | NATION STATE ACTIVITY | ASIO Warns of Rising Cyber Sabotage Threats from Authoritarian Regimes | Australia's Security Intelligence Organisation (ASIO) warns of increasing cyber sabotage threats targeting critical infrastructure by authoritarian regimes, emphasizing the potential for significant disruption and damage.
Recent telecom outages in Australia, although not attributed to sabotage, illustrate the severe consequences such attacks could have, including loss of life.
ASIO Director-General Mike Burgess identified Chinese hacking groups, Salt Typhoon and Volt Typhoon, as threats probing Australian and American critical infrastructure.
Burgess stressed the evolving threat landscape, driven by technological advances and the availability of cyber tools for hire, which empower hostile regimes.
Businesses are urged to strengthen defenses, as effective cybersecurity shares commonalities with other corporate risk management practices, such as preventing fraud and equipment failures.
Boards are advised to actively engage with cybersecurity issues, moving beyond superficial presentations to a deeper understanding of their organization's vulnerabilities and risk management strategies.
The call to action includes a comprehensive approach to security, integrating protection across the enterprise rather than isolated efforts, to mitigate foreseeable risks effectively. | Details |
| 2025-11-12 00:18:15 | bleepingcomputer | MALWARE | Rhadamanthys Infostealer Operation Disrupted Amid Law Enforcement Action | The Rhadamanthys infostealer, a malware-as-a-service operation, has been disrupted, affecting numerous cybercriminals who lost server access.
Rhadamanthys targets credentials and authentication cookies from browsers and applications, distributed via software cracks, YouTube, and malicious ads.
Cybercriminals subscribe to the malware, paying monthly for access, support, and a web panel to collect stolen data.
Reports suggest German law enforcement accessed web panels, changing server login methods to certificate-based, impacting many users.
The disruption is potentially linked to Operation Endgame, a law enforcement initiative targeting various malware infrastructures.
Researchers noted the Tor sites for Rhadamanthys are offline, though no police seizure banners confirm official involvement.
The ongoing action by Operation Endgame has previously disrupted ransomware and other malware operations, with further announcements anticipated. | Details |
| 2025-11-11 22:38:04 | bleepingcomputer | VULNERABILITIES | Synology Patches Critical RCE Vulnerability in BeeStation Products | Synology addressed a critical remote code execution vulnerability in BeeStation products, identified during the Pwn2Own Ireland 2025 competition, affecting multiple versions of BeeStation OS.
The vulnerability, CVE-2025-12686, is a buffer copy without checking the size of input (CWE-120) that could allow arbitrary code execution on Synology's NAS devices marketed as personal clouds.
Researchers from Synacktiv successfully demonstrated the exploit, earning a $40,000 reward, highlighting the importance of proactive vulnerability research.
Users are advised to upgrade to the latest software versions, as no mitigations are available for the identified flaw.
Pwn2Own, organized by Trend Micro and the Zero Day Initiative, showcased 73 zero-day vulnerabilities across various products, with over $1 million awarded to researchers.
The Zero Day Initiative will release detailed technical information on these vulnerabilities after ensuring patches are applied, maintaining a responsible disclosure process.
This event underscores the ongoing need for vigilance and timely patch management in safeguarding consumer devices from emerging threats. | Details |
| 2025-11-11 20:06:04 | bleepingcomputer | VULNERABILITIES | Triofox Vulnerability Exploited for Remote Access by Cybercriminals | Cybercriminals exploited a critical flaw in Gladinet's Triofox platform, leveraging CVE-2025-12480 to gain unauthorized access with SYSTEM privileges.
Google Threat Intelligence Group identified the attack on August 24, targeting Triofox version 16.4.10317.56372, which was released in April.
The vulnerability stems from a gap in access-control logic: by sending requests with the HTTP Host header set to localhost, attackers could reach the application's initial setup pages without authenticating.
Through those pages, attackers created a rogue admin account, uploaded malicious scripts, and abused Triofox's built-in antivirus feature by pointing its scanner path at their script so it executed with SYSTEM privileges.
Malicious payloads included Zoho UEMS installer, Zoho Assist, and AnyDesk for remote access, with Plink and PuTTY used to establish SSH tunnels.
A patch addressing CVE-2025-12480 was released in July, before the August intrusion, so affected organizations were running an outdated build; further updates are recommended to prevent unauthorized script execution.
Security teams are advised to audit admin accounts and monitor for indicators of compromise, as detailed in GTIG's report and VirusTotal.
Previous vulnerabilities in Triofox and CentreStack products have been exploited, emphasizing the need for timely patch application and system audits. | Details |
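The Triofox entry above describes a common class of bug: an application decides whether a request is "local" from the attacker-controlled Host header. The following is an added, constructed example (not Gladinet's code; the setup path `/setup/admin` and the log format are stand-ins) showing the vulnerable check beside a hardened one, plus a small log scan that flags requests whose Host header claims loopback while the client IP is remote.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical path for a pre-configuration admin setup page.
# The real Triofox endpoint is not named on the page; this is a stand-in.
SETUP_PATHS = {"/setup/admin"}
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


@dataclass
class Request:
    path: str
    headers: dict   # header names lower-cased
    peer_ip: str    # taken from the TCP socket, not from any header

    def header(self, name: str) -> str:
        return self.headers.get(name.lower(), "")


def _host_name(host_header: str) -> str:
    """Strip an optional :port from a Host header value (IPv6 literal aware)."""
    h = host_header.strip().lower()
    if h.startswith("["):                          # e.g. [::1]:8080
        return h[1:h.index("]")] if "]" in h else h
    return h.rsplit(":", 1)[0] if h.count(":") == 1 else h


def setup_allowed_vulnerable(req: Request) -> bool:
    """Trusts the client-supplied Host header to decide 'is this local?'.
    Any remote client can send 'Host: localhost' and pass this check."""
    return req.path in SETUP_PATHS and _host_name(req.header("Host")) in LOOPBACK_NAMES


def setup_allowed_hardened(req: Request, setup_complete: bool) -> bool:
    """Uses the socket peer address instead of a header, and closes the
    setup pages permanently once initial configuration has finished."""
    if req.path not in SETUP_PATHS or setup_complete:
        return False
    try:
        return ipaddress.ip_address(req.peer_ip).is_loopback
    except ValueError:
        return False


# Detection over constructed access-log lines of the form:
#   <client_ip> "<METHOD> <path>" host=<Host header>
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+)" host=(?P<host>\S+)')


def find_spoofed_host(lines):
    """Return log lines whose Host header claims loopback but whose client IP is not."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            remote = not ipaddress.ip_address(m["ip"]).is_loopback
        except ValueError:
            continue
        if remote and _host_name(m["host"]) in LOOPBACK_NAMES:
            hits.append(line)
    return hits


SAMPLE_LOG = [  # constructed sample data, not real Triofox logs
    '127.0.0.1 "GET /setup/admin" host=localhost',
    '203.0.113.5 "GET /setup/admin" host=localhost',
    '203.0.113.5 "GET /login" host=files.example.com',
    '198.51.100.7 "POST /setup/admin" host=127.0.0.1:443',
]

if __name__ == "__main__":
    spoofed = Request("/setup/admin", {"host": "localhost"}, peer_ip="203.0.113.5")
    print("vulnerable check allows spoofed request:", setup_allowed_vulnerable(spoofed))  # True
    print("hardened check allows spoofed request:", setup_allowed_hardened(spoofed, False))  # False
    for hit in find_spoofed_host(SAMPLE_LOG):
        print("suspicious:", hit)
```

The hardened variant also refuses the setup pages once `setup_complete` is set, so a forgotten bootstrap endpoint cannot be reopened later; the log scan is the kind of retrospective check a team auditing for this pattern would run alongside the admin-account review the article recommends.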