Daily Brief

Find articles below; each entry is followed by its generated summary.

Total articles found: 12603

Checks for new stories every ~15 minutes

2026-01-09 13:35:55 theregister VULNERABILITIES Chinese Cybercriminals Exploited VMware ESXi Zero-Days Pre-Disclosure
Huntress researchers revealed Chinese-linked cybercriminals exploited VMware ESXi zero-day vulnerabilities over a year before public disclosure, using a sophisticated toolkit for hypervisor escape. The intrusion, observed in December 2025, began with a compromised SonicWall VPN appliance, leading to domain admin access and network pivoting to deploy the attack suite. The attack exploited multiple flaws, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, allowing attackers to escape virtual machines and execute code on the ESXi hypervisor. Development of the toolkit started as early as February 2024, with evidence pointing to Chinese origins, including development paths with simplified Chinese strings. The vulnerabilities were disclosed by VMware in March 2025, but Huntress findings indicate exploitation occurred long before, highlighting a significant gap in detection and response. The attackers' toolkit supported over 150 ESXi builds, posing a broad threat to various environments, and included stealth techniques such as disabling drivers and loading unsigned kernel modules. This incident reflects a pattern of China-linked actors quietly exploiting zero-days in enterprise software, as seen in previous campaigns like Volt Typhoon, emphasizing the need for proactive threat detection.
2026-01-09 11:12:45 thehackernews MISCELLANEOUS Bitdefender Webinar to Clarify 2026 Cybersecurity Threat Landscape
Bitdefender is hosting a webinar to provide a data-driven analysis of cybersecurity threats expected to impact organizations by 2026. The session aims to distinguish between speculative predictions and real, emerging risks reshaping the current attack landscape. Key trends include the evolution of ransomware into targeted disruptions, significantly impacting business operations. The rapid adoption of AI within organizations is identified as a significant internal security challenge, altering traditional security assumptions. The webinar will address skepticism around AI-orchestrated attacks, suggesting limited near-term capability. Attendees will gain insights into aligning security investments with evidence-based risks, enhancing defenses against emerging threats. The event emphasizes translating technical threat research into actionable, business-relevant security priorities.
2026-01-09 10:41:00 bleepingcomputer VULNERABILITIES Trend Micro Patches Critical RCE Vulnerability in Apex Central
Trend Micro has addressed a critical remote code execution flaw in its Apex Central management console, tracked as CVE-2025-69258, which could allow attackers to execute code with SYSTEM privileges. The vulnerability permits unauthenticated attackers to inject malicious DLLs by exploiting a LoadLibraryEx flaw, potentially giving them unauthorized control over affected systems. Technical analysis by Tenable revealed that attackers could exploit this flaw by sending crafted messages to the MsgReceiver.exe process on TCP port 20001. Trend Micro has released Critical Patch Build 7190 to rectify this issue, alongside fixes for two denial-of-service vulnerabilities, CVE-2025-69259 and CVE-2025-69260. The company advises immediate patch application and recommends reviewing remote access policies and perimeter security to mitigate potential risks. This vulnerability follows a similar remote code execution flaw patched in 2022, emphasizing the need for continuous vigilance and timely updates. Organizations using Apex Central are urged to update to the latest builds to protect against potential exploitation, particularly those with systems exposed to the internet.
2026-01-09 10:27:17 theregister MISCELLANEOUS UK Government Pressures X Over AI-Driven Image Misuse Concerns
Grok has restricted its AI image-generation feature to paying subscribers following UK government scrutiny over its misuse for creating non-consensual explicit images. The UK government is considering a ban on X if it fails to control the misuse of AI tools, particularly those generating degrading images of individuals. Safeguarding minister Jess Phillips condemned the use of Grok for creating intimate images without consent, emphasizing the severe impact on victims. The UK plans to outlaw nudification apps and criminalize the possession or distribution of AI tools for generating child sexual abuse material. Prime Minister Keir Starmer stated that all options are being considered regarding the government's continued use of X, urging the platform to address the issue. Regulatory bodies like Ofcom and the Information Commissioner's Office are investigating potential breaches of the Online Safety Act and data protection laws. X maintains that it takes action against illegal content, but the recent changes may not fully address regulatory concerns regarding the AI feature's initial availability.
2026-01-09 10:08:41 thehackernews VULNERABILITIES Critical RCE Vulnerability in Trend Micro Apex Central Patched
Trend Micro released patches for critical vulnerabilities in Apex Central for Windows, including a remote code execution flaw rated 9.8 CVSS. The primary flaw, CVE-2025-69258, allows unauthenticated attackers to execute arbitrary code by exploiting the LoadLibraryEx function. Attackers can exploit this by sending specific messages to the MsgReceiver.exe component, potentially gaining SYSTEM-level access. Additional vulnerabilities, CVE-2025-69259 and CVE-2025-69260, involve similar exploitation techniques via crafted messages to the same process. The vulnerabilities affect on-premise versions of Apex Central below Build 7190, necessitating urgent patch application. Successful exploitation requires prior physical or remote access to the targeted system, emphasizing the need for robust access controls. Trend Micro advises reviewing remote access policies and updating perimeter security to mitigate potential exploitation risks.
2026-01-09 09:13:01 thehackernews MISCELLANEOUS CISA Concludes 10 Emergency Cybersecurity Directives from 2019-2024
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the retirement of 10 emergency directives issued between 2019 and 2024, marking a strategic shift in federal cybersecurity policy. These directives aimed to protect Federal Civilian Executive Branch (FCEB) agencies from potential risks and were successfully remediated, enhancing digital infrastructure resilience. CISA collaborated closely with federal agencies to implement required actions, now enforced through Binding Operational Directive 22-01, addressing known exploited vulnerabilities. Acting Director Madhu Gottumukkala emphasized CISA's role in strengthening federal systems against threats, particularly those from hostile nation-state actors. The closure of these directives signifies CISA's dedication to operational collaboration and real-time threat mitigation across the federal enterprise. CISA is advancing Secure by Design principles, focusing on transparency, configurability, and interoperability to bolster organizational defenses. The agency's proactive approach aims to eliminate persistent access and counter emerging threats, reinforcing cybersecurity measures across diverse environments.
2026-01-09 07:29:24 theregister MISCELLANEOUS Ineffective Help Desk Leads to Self-Resolved Technical Issue
A reader, referred to as "Rodney," shared a story of inadequate help desk support, emphasizing reliance on scripted responses over technical expertise. Rodney and a colleague faced challenges establishing a VPN between two firewalls, encountering unhelpful advice from a vendor-recommended support service. The support technician advised a complete system reinstall, ignoring Rodney's troubleshooting efforts and company policy compliance needs. During prolonged hold times, Rodney identified a time-setting issue on routers, resolving the problem by adjusting for daylight saving time. Rodney successfully reloaded the original rule bases, negating the need for the support technician's recommendations. Following the incident, Rodney refused to pay the support bill, involving his company's legal team, and the issue was dropped without further dispute. This case illustrates the importance of technical acumen in support roles and the potential pitfalls of over-reliance on scripted solutions.
2026-01-09 05:49:23 thehackernews NATION STATE ACTIVITY FBI Alerts on North Korean Quishing Tactics Targeting U.S. Entities
The FBI issued a warning about North Korean state-sponsored actors using malicious QR codes in spear-phishing campaigns against U.S. and foreign government entities. Known as "quishing," this technique exploits QR codes to shift victims from secure systems to less protected mobile devices, bypassing traditional defenses. The threat group, Kimsuky, linked to North Korea's Reconnaissance General Bureau, has a history of subverting email authentication protocols in its phishing operations. Recent campaigns involved malicious QR codes in phishing emails that distributed Android malware called DocSwap while masquerading as a Seoul-based logistics firm. Quishing attacks often result in session token theft, allowing attackers to bypass multi-factor authentication and compromise cloud identities without alerting security systems. The FBI's alert follows ENKI's disclosure of similar campaigns, highlighting the ongoing threat posed by these sophisticated phishing tactics. Organizations are urged to enhance mobile device security and review QR code scanning practices to mitigate these evolving threats.
2026-01-09 03:52:13 bleepingcomputer VULNERABILITIES CISA Retires Ten Emergency Directives, Shifts Focus to BOD 22-01
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has retired ten Emergency Directives, marking the largest bulk closure in its history. These directives, issued between 2019 and 2024, were retired as their required actions have been completed or are now covered by Binding Operational Directive 22-01. Binding Operational Directive 22-01 leverages the Known Exploited Vulnerabilities (KEV) catalog to mandate patching timelines for federal civilian agencies. Agencies must patch vulnerabilities listed in the KEV catalog by specific deadlines, with older flaws requiring fixes within six months and newer ones within two weeks. CISA retains the authority to impose shorter patching timelines for high-risk vulnerabilities, such as the recent one-day patch requirement for certain Cisco device flaws. This strategic shift aims to streamline vulnerability management and ensure rapid response to emerging cyber threats across federal agencies. The transition to BOD 22-01 reflects CISA's commitment to proactive risk mitigation and maintaining robust cybersecurity defenses.
2026-01-08 23:43:56 bleepingcomputer NATION STATE ACTIVITY China-Linked UAT-7290 Expands Cyber Operations to Southeastern Europe
Cisco Talos has identified UAT-7290, a China-linked group, targeting telecommunications providers in Southeastern Europe with sophisticated Linux-based malware. The group, active since at least 2022, primarily focuses on cyber-espionage against South Asian telcos, expanding its reach and operational scope. UAT-7290 establishes an Operational Relay Box infrastructure, facilitating access for other China-aligned threat actors, indicating a coordinated effort. The attackers employ a combination of custom and open-source malware, leveraging known vulnerabilities in edge network devices for initial access. Techniques include one-day exploits and SSH brute force attacks to compromise and escalate privileges on public-facing edge devices. The malware suite includes Linux-based tools and occasionally Windows implants like RedLeaves and ShadowPad, shared among China-nexus actors. Cisco Talos provides detailed technical insights and indicators of compromise to aid organizations in defending against UAT-7290's activities.
2026-01-08 23:03:36 bleepingcomputer NATION STATE ACTIVITY FBI Warns of Kimsuky Phishing via Malicious QR Codes in U.S.
The FBI has issued a flash alert about Kimsuky, a North Korean state-sponsored group, using QR codes in spear-phishing campaigns targeting U.S. organizations. Targets include entities involved in North Korea-related policy, such as NGOs, think tanks, academic institutions, strategic advisory firms, and government bodies. Kimsuky employs "quishing," where QR codes redirect victims to malicious sites disguised as questionnaires or login pages to steal credentials. The technique bypasses traditional email defenses by exploiting mobile devices, enabling attackers to collect device fingerprints and user details. These campaigns often impersonate Microsoft 365, Okta, or Google login pages to capture access credentials or session tokens. The FBI advises implementing employee training, verifying QR code sources, and enforcing mobile device management and multi-factor authentication. Organizations are urged to report incidents to their local FBI Cyber Squad or through the IC3 portal for further investigation.
2026-01-08 22:11:17 theregister MISCELLANEOUS CrowdStrike Acquires SGNL to Enhance Identity Security Capabilities
CrowdStrike announced a $740 million acquisition of identity security startup SGNL, aiming to bolster its Falcon platform with advanced identity capabilities for human, machine, and AI agent identities. The acquisition addresses the growing threat of identity-based attacks, which have surged by 32% in early 2025, highlighting the need for robust authorization mechanisms. SGNL offers context-aware authorization, dynamically granting or revoking access based on identity risk evaluations, crucial for managing non-human identities in a zero-trust environment. Industry experts view the acquisition as a strategic move, positioning CrowdStrike to integrate identity security as a core component of its security offerings. The deal reflects a broader industry trend, with major security vendors increasingly focusing on identity security as a critical differentiator in their platforms. This acquisition marks CrowdStrike's second AI security-related purchase, following its acquisition of Pangea, as it continues to expand its capabilities in securing AI-driven environments. The integration of SGNL's technology is expected to enhance CrowdStrike's privileged identity management and AI security strategies, aligning with emerging security standards like the Shared Signals Framework.
2026-01-08 21:29:59 bleepingcomputer VULNERABILITIES VMware ESXi Zero-Day Exploits Preceded Public Disclosure by a Year
Chinese-speaking threat actors exploited VMware ESXi vulnerabilities over a year before their public disclosure, using a compromised SonicWall VPN for initial access. The attackers leveraged a sophisticated virtual machine escape technique, exploiting three VMware vulnerabilities identified as zero-days in March 2025. Evidence suggests the exploit toolkit was developed as early as February 2024, with a folder indicating the target was ESXi 8.0 Update 3. The attack involved pivoting from a Domain Admin account to domain controllers, staging data for exfiltration, and executing an exploit chain to access the ESXi hypervisor. Huntress researchers found PDB paths with simplified Chinese, hinting at a Chinese-speaking developer, and an English README, suggesting potential collaboration with other actors. The toolkit's modular design allows for post-exploitation tools to be separated from the exploits, facilitating adaptation to new vulnerabilities. Organizations are advised to apply the latest ESXi security updates and use YARA and Sigma rules for detection, as recommended by Huntress.
2026-01-08 20:46:14 bleepingcomputer VULNERABILITIES Cisco Switches Experience Reboot Loops Due to DNS Client Bug
Multiple Cisco switch models are experiencing continuous reboot loops due to a firmware bug in the internal DNS client service. The issue began at approximately 2 AM and affects switches attempting DNS lookups, causing them to treat failures as fatal errors. Administrators report significant disruptions to network operations, with reboot cycles occurring every few minutes, impacting business continuity. Affected models include CBS, SG, and Catalyst 1200/1300 switches, with the problem appearing globally and possibly linked to a time-based condition. Temporary solutions involve disabling DNS resolution, SNTP, or time synchronization, and blocking outbound internet access from switch management interfaces. Cisco support has acknowledged the issue, but the root cause remains undisclosed, prompting administrators to seek workarounds. Continuous monitoring and prompt implementation of temporary fixes are crucial to mitigate operational disruptions until a permanent solution is released.
2026-01-08 20:39:30 bleepingcomputer DATA BREACH Texas Court Temporarily Blocks Samsung's Data Collection, Then Reverses Decision
The Texas court initially issued a temporary restraining order (TRO) against Samsung, halting its collection of smart TV viewing data from Texas consumers due to privacy concerns. The order was based on claims that Samsung's Automated Content Recognition (ACR) technology collected data without user consent, violating the Texas Deceptive Trade Practices Act. Allegations included deceptive enrollment practices and potential access to data by the Chinese Communist Party, raising significant privacy and national security issues. The TRO mandated Samsung to cease data collection and sharing until January 19, impacting its targeted advertising operations in Texas. The court vacated the TRO the following day, allowing Samsung to resume its data collection activities, pending further legal proceedings. The case reflects ongoing legal challenges faced by tech companies over user data privacy and the need for transparent consent mechanisms. Texas has also filed lawsuits against other major TV manufacturers, including Sony and LG, over similar ACR technology concerns.