Daily Brief

Total articles found: 11664
2025-11-06 18:53:30 theregister VULNERABILITIES Cisco Alerts on New Firewall Attacks and Critical Software Flaws
Cisco reports a new attack variant targeting its Secure ASA and FTD firewalls, exploiting vulnerabilities active since May 2025, causing denial-of-service conditions. The attacks have been linked to a government-backed threat group, previously identified in the ArcaneDoor campaign, targeting government and telecom sectors. Cisco has collaborated with US and UK cybersecurity agencies to address these threats, deploying a specialized team to support affected customers. Attackers have used advanced evasion techniques, including disabling logging and modifying Cisco's ROM Monitor to maintain persistence across reboots. Cisco has also disclosed two critical vulnerabilities in its Unified Contact Center Express software, urging immediate patching to prevent unauthorized command execution. These software vulnerabilities, CVE-2025-20354 and CVE-2025-20358, enable remote attackers to execute commands with elevated privileges or bypass authentication. Organizations are advised to update to the latest software releases to mitigate these risks and protect against potential exploitation.
2025-11-06 15:32:07 thehackernews NATION STATE ACTIVITY Russia-Aligned Groups Target Ukraine with ESET Phishing Campaigns
A new threat group, InedibleOchotense, is impersonating ESET to conduct phishing attacks on Ukrainian entities, aiming to distribute the Kalambur backdoor. These attacks exploit ESET's reputation, using fake domains to distribute trojanized installers that deliver both legitimate software and malicious payloads. The Kalambur backdoor leverages the Tor network for command-and-control and enables remote access via RDP, posing significant security risks. CERT-UA identified similar campaigns linked to Sandworm, a known Russian APT group, highlighting ongoing threats to Ukrainian infrastructure. Sandworm has also launched destructive wiper attacks against various sectors in Ukraine, reinforcing the persistent threat from Russia-aligned actors. Another group, RomCom, exploited a WinRAR vulnerability in attacks targeting European and Canadian industries, reflecting a broader geopolitical strategy. RomCom's activities have evolved from e-crime to nation-state operations, supporting Russian objectives through credential harvesting and data exfiltration.
2025-11-06 15:09:42 bleepingcomputer MISCELLANEOUS Enhancing Cyber Defense with Continuous Purple Teaming and BAS
The article discusses the integration of red and blue teams into a collaborative purple team, enhancing cybersecurity defenses through continuous validation and improvement. Breach and Attack Simulation (BAS) is highlighted as a critical tool for facilitating real-time, ongoing validation of security measures against evolving threats. Purple teaming shifts the focus from isolated offensive and defensive exercises to a unified approach, improving both detection and response capabilities. Automation in BAS eliminates manual delays, allowing for rapid simulation of adversary tactics and immediate assessment of control effectiveness. The methodology prioritizes addressing high-impact, hard-to-detect vulnerabilities, optimizing resource allocation and reducing the risk of breaches. Metrics such as time-to-detect and mean time to validate are used to measure the effectiveness of purple teaming, ensuring continuous progress. The article warns against over-reliance on AI for threat emulation, advocating for human oversight to ensure accuracy and relevance in simulations. Continuous validation through BAS leads to a proactive security posture, providing executives with tangible assurance of their organization's defensive capabilities.
2025-11-06 15:00:17 thehackernews VULNERABILITIES Cisco Urges Immediate Patching for Critical Firewall Vulnerabilities
Cisco disclosed new attack variants targeting Secure Firewall ASA and FTD software, exploiting CVE-2025-20333 and CVE-2025-20362, potentially causing denial-of-service conditions on unpatched devices. The vulnerabilities, previously exploited as zero-day flaws, allow arbitrary code execution and unauthorized URL access, necessitating urgent updates to prevent further exploitation. Cisco has released patches addressing these critical flaws, alongside updates for Unified Contact Center Express vulnerabilities that could permit unauthorized file uploads and privilege escalation. A high-severity DoS vulnerability in Identity Services Engine (CVE-2025-20343) was also patched, preventing potential device restarts from crafted RADIUS access requests. The U.K. National Cyber Security Centre confirmed malware delivery via these vulnerabilities, emphasizing the importance of rapid patch deployment. Cisco credited security researcher Jahmel Harris for identifying these critical security issues, reinforcing the value of collaborative cybersecurity efforts. While no active exploitation in the wild has been reported, organizations are advised to apply the latest patches immediately to safeguard their systems.
2025-11-06 14:38:52 bleepingcomputer MALWARE ClickFix Malware Evolves with Multi-OS Support and Video Tutorials
ClickFix attacks now incorporate video tutorials, enhancing social engineering tactics by guiding victims through self-infection processes, increasing the likelihood of successful malware execution. The malware automatically detects the victim's operating system, delivering tailored commands to execute, affecting Windows, macOS, and Linux users. A fake Cloudflare CAPTCHA challenge is used to trick users, complete with a countdown timer and a "users verified" counter to simulate legitimacy. Push Security researchers identified that these attacks are primarily distributed through malvertising campaigns on Google Search, exploiting outdated WordPress plugins or using SEO poisoning. The payloads vary by operating system and include MSHTA executables, PowerShell scripts, and other living-off-the-land binaries, posing significant risks to endpoint security. Future iterations of ClickFix could potentially execute entirely within the browser, circumventing traditional EDR protections and increasing the challenge for cybersecurity defenses. Users are advised to remain vigilant and avoid executing any terminal commands from online sources unless fully understood, as a precaution against these evolving threats.
2025-11-06 14:08:32 theregister DATA BREACH Study Reveals Continued Use of Weak Passwords in Data Breaches
Comparitech published a study analyzing over two billion leaked passwords, identifying the most common and easily guessed passwords still in use. Popular passwords include "123456", "password", and "admin", with many entries featuring sequential number patterns, highlighting a persistent security risk. The study found that 25% of the passwords consisted solely of numbers, while 38% included the string "123", making them vulnerable to brute-force attacks. Comparitech advises the adoption of biometric passkeys or long passphrases to enhance security, emphasizing length over complexity. The use of password managers is recommended, though users should remain cautious of potential vulnerabilities in these tools. Enterprises are urged to enforce strict password policies to prevent users from choosing weak passwords and to mitigate security risks. The report serves as a reminder of the importance of robust password practices in safeguarding against unauthorized access and data breaches.
2025-11-06 14:08:31 bleepingcomputer MALWARE ClickFix Malware Adopts Video Guides and OS Detection for Attacks
ClickFix malware campaigns have evolved to include video instructions, enhancing social engineering tactics by guiding victims through self-infection processes with malicious commands. The malware automatically detects the victim's operating system, ensuring the delivery of OS-specific commands to increase attack success rates. Push Security researchers observed the use of fake Cloudflare CAPTCHA challenges that incorporate a countdown timer, pressuring users to act quickly without verifying authenticity. Attackers employ JavaScript to automatically copy malicious commands to the clipboard, minimizing user error and increasing the likelihood of successful execution. ClickFix attacks are primarily propagated through malvertising on Google Search, exploiting outdated WordPress plugins or using SEO poisoning to enhance visibility. Payloads vary by operating system, with Windows attacks using MSHTA executables and PowerShell scripts, while other systems face different living-off-the-land binaries. Future iterations of ClickFix may run entirely in browsers, potentially bypassing Endpoint Detection and Response (EDR) protections. Users are advised to remain cautious of online verification processes that require code execution, as these are likely malicious attempts.
2025-11-06 13:38:15 bleepingcomputer VULNERABILITIES Cisco Patches Critical Vulnerabilities in Unified Contact Center Express
Cisco has issued security updates for two critical vulnerabilities in its Unified Contact Center Express (UCCX) software, potentially allowing attackers to execute commands with root privileges. The flaws, identified as CVE-2025-20354 and CVE-2025-20343, affect the Java RMI process and the CCX Editor application, enabling unauthorized remote command execution. Cisco's advisory explains these vulnerabilities stem from inadequate authentication mechanisms, which attackers could exploit by uploading crafted files or redirecting authentication flows. Although no public exploit code or active exploitation has been detected, Cisco urges immediate software upgrades to the fixed releases to mitigate risks. Additional high-severity vulnerabilities in Cisco Contact Center products and the Identity Services Engine (ISE) could lead to denial-of-service conditions or unauthorized access. The Cisco Product Security Incident Response Team (PSIRT) is actively monitoring the situation, with no indications of these vulnerabilities being exploited in the wild. This incident follows previous security challenges for Cisco, including a recent emergency directive from CISA to secure firewall devices against zero-day attacks.
2025-11-06 12:27:58 theregister NATION STATE ACTIVITY SonicWall Breach Attributed to State-Sponsored Cyber Espionage Group
SonicWall confirmed a state-backed group accessed firewall configuration backups in September, affecting all users of the MySonicWall cloud backup service. The breach involved unauthorized API calls to a cloud-based backup system, not impacting SonicWall's products, firmware, or customer networks directly. Google-owned Mandiant was engaged for incident response, and all recommended remediation actions have been implemented to secure the infrastructure. SonicWall emphasized the breach was confined to cloud services, distinguishing it from the Akira ransomware campaigns targeting similar devices. The company's "Secure by Design" initiative aims to enhance product architecture and security practices, informed by lessons from this incident. SonicWall remains committed to supporting SMB and distributed environments, recognizing the increasing focus of state actors on edge-security providers. The breach underscores the vulnerability of defensive infrastructure to geopolitical cyber operations, despite SonicWall's efforts to emerge more resilient.
2025-11-06 12:02:59 thehackernews MISCELLANEOUS Financial Sector Strengthens Cyber Resilience Through Advanced Simulation Tools
Financial institutions are increasingly required to adopt cyber-resilience practices due to regulatory mandates such as DORA in the EU and CPS230 in Australia. The complexity of compliance arises from the need for cross-functional collaboration between technical and non-technical teams during crisis management exercises. Advanced platforms like OpenAEV enable seamless integration of tabletop and red team simulations, enhancing both technical and human readiness against cyber threats. These platforms streamline logistics by synchronizing team communications and automating feedback processes, thus improving efficiency and reducing preparation time. Organizations are encouraged to gradually implement blended simulations, starting with separate red team and tabletop exercises to refine their processes. Continuous improvement and frequent simulations foster muscle memory and confidence, crucial for effective crisis management and regulatory compliance. Tools like OpenAEV, which offer community access and integration with existing security systems, play a vital role in bolstering cyber defenses and resilience.
2025-11-06 11:41:46 thehackernews VULNERABILITIES Microsoft Patches Critical GDI Vulnerabilities in Windows Graphics Interface
Microsoft addressed three critical vulnerabilities in the Windows Graphics Device Interface (GDI) that could allow remote code execution and information disclosure. The flaws, identified as CVE-2025-30388, CVE-2025-53766, and CVE-2025-47984, involve out-of-bounds memory access in gdiplus.dll and gdi32full.dll. These vulnerabilities were patched across updates released in May, July, and August 2025, affecting multiple versions of the GDI libraries. The flaws could be exploited through malformed enhanced metafile (EMF) and EMF+ records, causing memory corruption during image rendering. Check Point noted the challenges in ensuring comprehensive fixes, as some vulnerabilities can persist due to incomplete initial patches. Organizations are advised to apply the latest patches promptly to mitigate potential exploitation risks associated with these vulnerabilities.
2025-11-06 10:52:52 theregister DATA BREACH Nikkei Data Breach Exposes 17,000 Employees' Slack Information
Japanese media giant Nikkei experienced a data breach affecting over 17,000 employees and partners, following a malware infection on an employee's device. Attackers gained access to Nikkei's internal Slack workspace, potentially exposing names, email addresses, and chat histories. The breach did not compromise information related to sources or reporting activities, according to Nikkei's initial investigation. Nikkei promptly reported the incident to Japan's Personal Information Protection Commission, despite not being legally required to do so. The company has reset passwords and plans to enhance personal information management to prevent future breaches. This incident highlights the vulnerability of collaboration platforms like Slack, increasingly targeted by cybercriminals through phishing and malware. The breach serves as a cautionary tale for organizations relying on digital communication tools, emphasizing the need for robust security measures.
2025-11-06 10:43:59 thehackernews MISCELLANEOUS Bitdefender Recognized in Gartner's 2025 MDR Market Guide
Bitdefender has been acknowledged as a Representative Vendor in the 2025 Gartner Market Guide for Managed Detection and Response, marking its fourth consecutive year of inclusion. The Gartner Market Guide outlines the evolving landscape of MDR services, emphasizing proactive exposure management and the integration of human expertise with advanced technology. The MDR market is expanding due to increasing cyber threat sophistication and a shortage of skilled in-house security personnel, driving demand for outsourced security solutions. Bitdefender MDR offers 24x7 monitoring, threat investigation, and neutralization, combining advanced detection technologies and global threat intelligence for comprehensive protection. Organizations using MDR services report faster threat detection, reduced dwell time, and enhanced compliance readiness, improving overall security posture and operational resilience. Bitdefender's proactive threat hunting and AI-driven analytics ensure rapid threat containment, minimizing business disruption and delivering measurable security outcomes. The Gartner Market Guide serves as a valuable resource for organizations evaluating MDR providers, influencing purchasing decisions and shaping effective cybersecurity strategies.
2025-11-06 10:01:53 bleepingcomputer NATION STATE ACTIVITY Sandworm Targets Ukraine's Grain Sector with Data-Wiping Attacks
Russian state-backed group Sandworm launched data-wiping malware against Ukraine's grain sector, a key economic pillar, in June and September, according to ESET's latest report. These attacks are part of a broader campaign affecting Ukraine's education, government, and energy sectors, amplifying the impact on the nation's war economy. Data wipers corrupt or delete files irrecoverably, differing from ransomware by focusing solely on sabotage without data theft. The grain sector, a less frequent target, is now under increased threat, reflecting strategic attempts to undermine Ukraine's economic resilience. Initial access for these attacks was facilitated by threat actor UAC-0099, who transferred control to Sandworm for executing the wiper malware. ESET also noted concurrent Iran-aligned activities targeting Israel, utilizing Go-based tools, indicating broader geopolitical cyber threats. To mitigate such threats, organizations are advised to maintain offline data backups and implement robust endpoint detection and intrusion prevention systems.
2025-11-06 09:01:52 theregister DATA BREACH UK Businesses Face Heavy Fines for Poor Password Management Practices
The UK Information Commissioner's Office (ICO) is imposing significant fines on businesses for inadequate password security, citing breaches of UK GDPR Article 32 requirements. Recent fines include £14 million for Capita plc due to unsecured AWS buckets and £3.07 million for Advanced Computer Software following a ransomware attack exploiting MFA gaps. 23andMe faced a £2.31 million penalty after a credential stuffing attack compromised millions of user profiles, emphasizing the need for robust password policies. Smaller firms like DPP Law Ltd are not exempt, with a £60,000 fine for a brute-force attack on an unprotected admin account, highlighting the universal applicability of GDPR. The ICO stresses the necessity of multi-factor authentication (MFA) and centralized credential management to prevent unauthorized access and data breaches. The National Cyber Security Centre recommends using memorable, secure passwords and MFA to meet compliance standards and avoid substantial financial penalties. Effective credential management requires user-friendly enterprise password managers, as complex systems often lead to non-compliance and increased security risks. Organizations are urged to adopt comprehensive password management solutions to mitigate risks and align with regulatory expectations, protecting against potential financial and reputational damage.