Daily Brief

2025-11-06 13:38:15 bleepingcomputer VULNERABILITIES Cisco Patches Critical Vulnerabilities in Unified Contact Center Express
Cisco has issued security updates for two critical vulnerabilities in its Unified Contact Center Express (UCCX) software, potentially allowing attackers to execute commands with root privileges. The flaws, identified as CVE-2025-20354 and CVE-2025-20343, affect the Java RMI process and the CCX Editor application, enabling unauthorized remote command execution. Cisco's advisory explains these vulnerabilities stem from inadequate authentication mechanisms, which attackers could exploit by uploading crafted files or redirecting authentication flows. Although no public exploit code or active exploitation has been detected, Cisco urges immediate software upgrades to the fixed releases to mitigate risks. Additional high-severity vulnerabilities in Cisco Contact Center products and the Identity Services Engine (ISE) could lead to denial-of-service conditions or unauthorized access. The Cisco Product Security Incident Response Team (PSIRT) is actively monitoring the situation, with no indications of these vulnerabilities being exploited in the wild. This incident follows previous security challenges for Cisco, including a recent emergency directive from CISA to secure firewall devices against zero-day attacks.
2025-11-06 12:27:58 theregister NATION STATE ACTIVITY SonicWall Breach Attributed to State-Sponsored Cyber Espionage Group
SonicWall confirmed a state-backed group accessed firewall configuration backups in September, affecting all users of the MySonicWall cloud backup service. The breach involved unauthorized API calls to a cloud-based backup system, not impacting SonicWall's products, firmware, or customer networks directly. Google-owned Mandiant was engaged for incident response, and all recommended remediation actions have been implemented to secure the infrastructure. SonicWall emphasized the breach was confined to cloud services, distinguishing it from the Akira ransomware campaigns targeting similar devices. The company's "Secure by Design" initiative aims to enhance product architecture and security practices, informed by lessons from this incident. SonicWall remains committed to supporting SMB and distributed environments, recognizing the increasing focus of state actors on edge-security providers. The breach underscores the vulnerability of defensive infrastructure to geopolitical cyber operations, despite SonicWall's efforts to emerge more resilient.
2025-11-06 12:02:59 thehackernews MISCELLANEOUS Financial Sector Strengthens Cyber Resilience Through Advanced Simulation Tools
Financial institutions are increasingly required to adopt cyber-resilience practices due to regulatory mandates such as DORA in the EU and CPS230 in Australia. The complexity of compliance arises from the need for cross-functional collaboration between technical and non-technical teams during crisis management exercises. Advanced platforms like OpenAEV enable seamless integration of tabletop and red team simulations, enhancing both technical and human readiness against cyber threats. These platforms streamline logistics by synchronizing team communications and automating feedback processes, thus improving efficiency and reducing preparation time. Organizations are encouraged to gradually implement blended simulations, starting with separate red team and tabletop exercises to refine their processes. Continuous improvement and frequent simulations foster muscle memory and confidence, crucial for effective crisis management and regulatory compliance. Tools like OpenAEV, which offer community access and integration with existing security systems, play a vital role in bolstering cyber defenses and resilience.
2025-11-06 11:41:46 thehackernews VULNERABILITIES Microsoft Patches Critical GDI Vulnerabilities in Windows Graphics Interface
Microsoft addressed three critical vulnerabilities in the Windows Graphics Device Interface (GDI) that could allow remote code execution and information disclosure. The flaws, identified as CVE-2025-30388, CVE-2025-53766, and CVE-2025-47984, involve out-of-bounds memory access in gdiplus.dll and gdi32full.dll. These vulnerabilities were patched across updates released in May, July, and August 2025, affecting multiple versions of the GDI libraries. The flaws could be exploited through malformed enhanced metafile (EMF) and EMF+ records, causing memory corruption during image rendering. Check Point noted the challenges in ensuring comprehensive fixes, as some vulnerabilities can persist due to incomplete initial patches. Organizations are advised to apply the latest patches promptly to mitigate potential exploitation risks associated with these vulnerabilities.
2025-11-06 10:52:52 theregister DATA BREACH Nikkei Data Breach Exposes 17,000 Employees' Slack Information
Japanese media giant Nikkei experienced a data breach affecting over 17,000 employees and partners, following a malware infection on an employee's device. Attackers gained access to Nikkei's internal Slack workspace, potentially exposing names, email addresses, and chat histories. The breach did not compromise information related to sources or reporting activities, according to Nikkei's initial investigation. Nikkei promptly reported the incident to Japan's Personal Information Protection Commission, despite not being legally required to do so. The company has reset passwords and plans to enhance personal information management to prevent future breaches. This incident highlights the vulnerability of collaboration platforms like Slack, increasingly targeted by cybercriminals through phishing and malware. The breach serves as a cautionary tale for organizations relying on digital communication tools, emphasizing the need for robust security measures.
2025-11-06 10:43:59 thehackernews MISCELLANEOUS Bitdefender Recognized in Gartner's 2025 MDR Market Guide
Bitdefender has been acknowledged as a Representative Vendor in the 2025 Gartner Market Guide for Managed Detection and Response, marking its fourth consecutive year of inclusion. The Gartner Market Guide outlines the evolving landscape of MDR services, emphasizing proactive exposure management and the integration of human expertise with advanced technology. The MDR market is expanding due to increasing cyber threat sophistication and a shortage of skilled in-house security personnel, driving demand for outsourced security solutions. Bitdefender MDR offers 24x7 monitoring, threat investigation, and neutralization, combining advanced detection technologies and global threat intelligence for comprehensive protection. Organizations using MDR services report faster threat detection, reduced dwell time, and enhanced compliance readiness, improving overall security posture and operational resilience. Bitdefender's proactive threat hunting and AI-driven analytics ensure rapid threat containment, minimizing business disruption and delivering measurable security outcomes. The Gartner Market Guide serves as a valuable resource for organizations evaluating MDR providers, influencing purchasing decisions and shaping effective cybersecurity strategies.
2025-11-06 10:01:53 bleepingcomputer NATION STATE ACTIVITY Sandworm Targets Ukraine's Grain Sector with Data-Wiping Attacks
Russian state-backed group Sandworm launched data-wiping malware against Ukraine's grain sector, a key economic pillar, in June and September, according to ESET's latest report. These attacks are part of a broader campaign affecting Ukraine's education, government, and energy sectors, amplifying the impact on the nation's war economy. Data wipers corrupt or delete files irrecoverably, differing from ransomware by focusing solely on sabotage without data theft. The grain sector, a less frequent target, is now under increased threat, reflecting strategic attempts to undermine Ukraine's economic resilience. Initial access for these attacks was facilitated by threat actor UAC-0099, who transferred control to Sandworm for executing the wiper malware. ESET also noted concurrent Iran-aligned activities targeting Israel, utilizing Go-based tools, indicating broader geopolitical cyber threats. To mitigate such threats, organizations are advised to maintain offline data backups and implement robust endpoint detection and intrusion prevention systems.
2025-11-06 09:01:52 theregister DATA BREACH UK Businesses Face Heavy Fines for Poor Password Management Practices
The UK Information Commissioner's Office (ICO) is imposing significant fines on businesses for inadequate password security, citing breaches of UK GDPR Article 32 requirements. Recent fines include £14 million for Capita plc due to unsecured AWS buckets and £3.07 million for Advanced Computer Software following a ransomware attack exploiting MFA gaps. 23andMe faced a £2.31 million penalty after a credential stuffing attack compromised millions of user profiles, emphasizing the need for robust password policies. Smaller firms like DPP Law Ltd are not exempt, with a £60,000 fine for a brute-force attack on an unprotected admin account, highlighting the universal applicability of GDPR. The ICO stresses the necessity of multi-factor authentication (MFA) and centralized credential management to prevent unauthorized access and data breaches. The National Cyber Security Centre recommends using memorable, secure passwords and MFA to meet compliance standards and avoid substantial financial penalties. Effective credential management requires user-friendly enterprise password managers, as complex systems often lead to non-compliance and increased security risks. Organizations are urged to adopt comprehensive password management solutions to mitigate risks and align with regulatory expectations, protecting against potential financial and reputational damage.
2025-11-06 07:24:01 thehackernews MALWARE Curly COMrades Exploit Hyper-V to Evade Detection with Linux VM
The Curly COMrades threat group has been identified using Windows Hyper-V to deploy a concealed Linux virtual machine, bypassing traditional endpoint detection and response (EDR) systems. Bitdefender's report reveals that the group uses a lightweight Alpine Linux VM to host custom malware, including CurlyShell and CurlCat, for executing reverse shell operations and data transfers. This activity targets systems primarily in Georgia and Moldova, with indications of alignment with Russian interests, and has been ongoing since late 2023. Tools used by the group include RuRat for remote access, Mimikatz for credential theft, and MucorAgent, a modular .NET implant, indicating a sophisticated attack strategy. Collaboration with Georgia CERT unveiled further tools and methods, showing attempts to maintain long-term access by exploiting Hyper-V on Windows 10 hosts. The malware operates as a headless daemon, communicating with a command-and-control server via HTTP requests, allowing encrypted command execution. The use of diverse proxy and tunneling tools, such as Resocks and Ligolo-ng, highlights the group's adaptability and commitment to maintaining a robust reverse proxy capability.
2025-11-06 05:46:50 thehackernews NATION STATE ACTIVITY SonicWall Identifies State-Sponsored Actors in Cloud Backup Breach
SonicWall confirmed state-sponsored actors accessed firewall configuration backup files in a September breach, affecting less than 5% of its cloud backup service customers. The breach involved unauthorized API calls to a specific cloud environment, with no impact on SonicWall's products, firmware, or other systems. Google-owned Mandiant was engaged to investigate the breach, leading to the implementation of recommended security enhancements for SonicWall's network and cloud infrastructure. SonicWall has introduced an Online Analysis Tool and Credentials Reset Tool to assist customers in identifying affected services and securing their credentials. The company emphasizes its commitment to bolstering security for SMBs and distributed environments, as nation-state threats increasingly target edge security providers. Customers are advised to log in to MySonicWall.com to verify their devices and reset credentials for any impacted services.
2025-11-05 21:56:42 bleepingcomputer MALWARE Gootloader Malware Resurfaces with Advanced Evasion Techniques
The Gootloader malware operation has resumed after a 7-month hiatus, utilizing SEO poisoning to promote fake websites that distribute malicious documents. Gootloader employs JavaScript-based loaders to trick users into downloading harmful documents, often disguised as legal templates or agreements. Recent campaigns use innovative techniques to evade detection, including special web fonts that obscure real filenames and keywords from automated tools. Malformed ZIP archives are crafted to extract malicious JavaScript files when opened with specific tools, complicating detection efforts. The Supper SOCKS5 backdoor is deployed in these attacks, enabling remote access and facilitating rapid network compromise by ransomware affiliates like Vanilla Tempest. Security researchers have actively disrupted Gootloader operations by filing abuse reports, but the threat persists with new tactics. Organizations are advised to exercise caution when downloading legal documents online and to verify the credibility of websites offering such resources.
2025-11-05 21:21:53 bleepingcomputer DATA BREACH Hyundai AutoEver America Data Breach Exposes Sensitive Personal Information
Hyundai AutoEver America reported a data breach affecting its IT environment, exposing sensitive personal information such as Social Security Numbers and driver's licenses. The breach was discovered on March 1, 2025, but investigations revealed unauthorized access began on February 22, 2025. Hyundai AutoEver America provides IT solutions for Hyundai and Kia, impacting systems used in 2.7 million cars and involving 5,000 employees. External cybersecurity experts were engaged to investigate the breach's scope, confirm containment, and identify affected data, with law enforcement also involved. The breach's impact on employees versus customers remains unclear, with the total number of affected individuals yet to be disclosed. No ransomware group has claimed responsibility, and the identity of the attackers remains unknown. Hyundai has faced multiple cybersecurity incidents recently, raising concerns about ongoing vulnerabilities within its systems.
2025-11-05 18:26:48 bleepingcomputer VULNERABILITIES CISA Alerts on Critical CentOS Web Panel Exploitation Risk
CISA has issued a warning about a critical remote command execution vulnerability in CentOS Web Panel, now added to the Known Exploited Vulnerabilities catalog. The flaw, identified as CVE-2025-48703, allows remote attackers to execute arbitrary commands if they know a valid username on a CWP instance. This vulnerability affects all versions of CWP prior to 0.9.8.1204, impacting web hosting providers and system administrators using the panel. A detailed analysis by security researcher Maxime Rinaudo revealed the flaw stems from improper input handling in the file-manager ‘changePerm’ endpoint. Federal entities are required to apply security updates or cease using the product by November 25, in accordance with CISA's BOD 22-01 guidance. CISA's advisory serves as a reminder for organizations to monitor and prioritize addressing vulnerabilities listed in the KEV catalog. The vulnerability was patched in CWP version 0.9.8.1205, released on June 18, following the researcher's report in May.
2025-11-05 17:50:51 theregister MISCELLANEOUS Google Secures DOJ Approval for $32 Billion Wiz Acquisition
Google received clearance from the Department of Justice for its $32 billion acquisition of cloud security firm Wiz, marking its largest acquisition to date. The acquisition aims to integrate Wiz's unified cloud security platform into Google Cloud, enhancing security offerings with comprehensive multicloud visibility. Wiz's platform connects via API to customer environments, providing full-stack inventory and threat intelligence to assess risks across interconnected cloud services. The DOJ's antitrust investigation concluded without objections, but the deal still requires approval from other global regulators, including the UK, EU, and Japan. Google and Wiz emphasize that the acquisition will expand access to multicloud security solutions, offering businesses and governments more protection options. This acquisition follows a previous failed attempt by Google in 2024, where Wiz initially rejected a $23 billion offer, opting instead to pursue an IPO. The deal's progress reflects ongoing regulatory scrutiny of major tech acquisitions, highlighting the importance of compliance with international antitrust standards.
2025-11-05 17:16:32 bleepingcomputer NATION STATE ACTIVITY SonicWall Breach Attributed to State-Sponsored Hackers, Mandiant Confirms
SonicWall's September breach involved state-sponsored actors accessing firewall configuration backup files, confirmed by Mandiant's investigation. The breach did not compromise SonicWall products, firmware, systems, tools, source code, or customer networks. Attackers used an API call to access cloud backup files, potentially exposing sensitive information such as access credentials and tokens. SonicWall advised customers to reset credentials and passwords for various network components to mitigate potential risks. The breach was isolated to a specific cloud environment, affecting all customers using SonicWall's cloud backup service. The incident was unrelated to attacks by the Akira ransomware group targeting SonicWall VPN accounts in late September. Huntress reported increased malicious activity targeting SonicWall SSLVPN accounts, but found no link to the September breach.