Daily Brief

Total articles found: 11700

Checks for new stories every ~15 minutes
2025-10-21 14:05:26 bleepingcomputer VULNERABILITIES Comprehensive Gateway Security Strategies Essential for Modern Enterprises
Businesses often underutilize gateways, leaving them in basic configurations and missing opportunities to improve security, productivity and workflow. Effective gateway security starts with network segmentation: isolated virtual networks protect sensitive data and restrict access by role and device type. Deploying multiple gateways removes a single point of failure and avoids bottlenecks, particularly in larger organizations. For remote and hybrid workforces, geographically distributed private gateways reduce latency and help meet data-residency and regulatory requirements. A cloud firewall adds a further layer, monitoring traffic, closing unneeded ports and restricting protocols to shrink the attack surface. NordLayer is presented as a solution combining segmentation, distributed architecture and firewall policies to protect data and maintain compliance. The article's thesis is that businesses must adopt these gateway strategies to keep pace with evolving threats while supporting operations across diverse work environments.
2025-10-21 13:50:58 thehackernews MALWARE PolarEdge Botnet Expands, Targeting Major Router Brands Globally
PolarEdge botnet, first identified by Sekoia in February 2025, targets routers from Cisco, ASUS, QNAP, and Synology, aiming to integrate them into a larger network. Attackers exploit a security flaw in Cisco routers (CVE-2023-20118) to deploy the PolarEdge backdoor, which sends host fingerprints to a command-and-control server. The malware operates as a TLS server using mbedTLS v2.8.0, featuring a custom binary protocol to execute commands received from the C2 server. PolarEdge employs anti-analysis techniques, including process masquerading and obfuscation, to evade detection and complicate forensic investigations. The botnet's command execution involves moving and deleting files on infected devices, though the exact purpose of these actions remains uncertain. Synthient's findings on GhostSocks reveal its integration with Lumma Stealer, enabling monetization of compromised devices through SOCKS5 residential proxies. The ongoing evolution of PolarEdge and associated tools like GhostSocks underscores the need for robust security measures to protect network infrastructure.
2025-10-21 11:23:10 theregister CYBERCRIME Ransomware Attack Disrupts Muji's Online Operations via Logistics Partner
Japanese retailer Muji's online operations are disrupted following a ransomware attack on logistics partner Askul, halting orders and impacting customer experience. Askul, a key logistics provider, has suspended all orders and shipments while investigating the ransomware breach's full extent, affecting multiple retail clients. The attack has led to a complete standstill of Askul's operations, including new user registrations, returns, and customer service functions, creating significant operational challenges. Muji and other affected retailers, such as Loft and Sogo & Seibu, have issued apologies to customers, emphasizing their commitment to restoring services promptly. No ransomware group has claimed responsibility, and details on any ransom demand remain undisclosed, leaving uncertainty about the attack's resolution timeline. The incident is part of a broader trend of ransomware attacks targeting major Japanese corporations, highlighting vulnerabilities in supply chain and logistics networks. Businesses relying on Askul's logistics network face potential financial and reputational impacts due to the disruption in service and order cancellations.
2025-10-21 11:05:42 thehackernews MISCELLANEOUS Securing AI Systems: Essential Practices for Cyber Defense Enhancement
The integration of AI into cybersecurity operations presents both opportunities and challenges, as it expands the attack surface if not properly secured. Effective AI security requires robust governance, identity controls, and transparency in AI decision-making processes to prevent potential risks. Organizations must treat AI systems as critical infrastructure, applying rigorous security measures akin to those used for networks and endpoints. The SANS Secure AI Blueprint offers a framework for AI security, aligning with NIST's AI Risk Management Framework and OWASP guidelines to mitigate common vulnerabilities. Balancing AI automation and human oversight is crucial; while some tasks can be fully automated, others require human judgment due to their complexity. Security teams should assess workflows based on error tolerance and automation failure costs, ensuring human involvement where necessary. The SANS Surge 2026 event will provide further insights into securing AI systems, offering a platform for learning and peer engagement.
2025-10-21 10:37:40 theregister VULNERABILITIES CISA Urges Immediate Patch for Actively Exploited Windows SMB Flaw
The Cybersecurity and Infrastructure Security Agency (CISA) warns of active exploitation of CVE-2025-33073, a Windows SMB client elevation-of-privilege flaw affecting Windows 10, Windows 11 and Windows Server. Rated 8.8 on the CVSS scale, it lets an attacker who can coerce a victim machine into connecting to a malicious SMB server (an NTLM reflection attack, where the captured authentication is relayed back to the victim itself) gain SYSTEM privileges on that machine. CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on the basis of observed in-the-wild exploitation. Federal agencies must patch affected systems, or discontinue their use, by November 10 under Binding Operational Directive 22-01. Organizations are advised to apply Microsoft's June 2025 update, enforce SMB signing, monitor for unusual SMB traffic and limit SMB exposure to untrusted networks. Because SMB is ubiquitous in enterprise environments, a foothold on one host can be turned into deeper network access. The same CISA update adds four other vulnerabilities, including one in Oracle's E-Business Suite, indicating ongoing threats across multiple platforms.
2025-10-21 09:07:45 theregister MALWARE Exploring Malware Vaccines as a Defense Against Ransomware Threats
The ONE Conference in The Hague spotlighted malware vaccines as a potential proactive defense against ransomware, with Recorded Future presenting research on infection-spoofing techniques for Windows systems. A malware vaccine plants the markers a ransomware family uses to avoid infecting the same host twice (decoy files, registry keys, or the named mutex a sample creates on launch) so that the malware concludes the machine is already infected and exits without executing its payload. The approach has clear limits: each vaccine covers only the families whose markers it mimics, the markers can interfere with legitimate software, and a threat actor can defeat it by changing a name in the next build. Recorded Future is considering an open-source community to develop broader-spectrum vaccines, akin to how Sigma rules are shared for threat detection. Speakers argued that the industry lacks standardization and collaboration, advocating shared knowledge bases and open-contribution projects to strengthen collective defense. Despite interest, malware vaccines remain underdeveloped commercially, partly because of the dominance of major players in the Endpoint Detection and Response market. Public funding for cybersecurity research is deemed essential, with calls for increased investment in training and innovation to address emerging threats.
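The mechanism described above, as an added example that is not Recorded Future's or any vendor's code: a minimal vaccine that plants the three kinds of "already infected" marker (registry value, decoy file, named mutex) and checks them the way a ransomware sample would. Every marker name here is a hypothetical placeholder; a real vaccine uses the exact names a specific family checks, taken from analysis of its samples.

```powershell
# Added example (not from the article). Plants and checks "already infected" markers.
# All names are hypothetical placeholders, not indicators from any real malware family.
$Markers = @{
    RegistryPath  = 'HKCU:\Software\VaccineDemo'            # hypothetical
    RegistryValue = 'InfectionId'                            # hypothetical
    DecoyFile     = Join-Path $env:TEMP 'vaccine_demo.lock'  # hypothetical
    MutexName     = 'Global\VaccineDemoMutex'                # hypothetical
}

function Install-Vaccine {
    # Registry and file markers persist on their own.
    if (-not (Test-Path $Markers.RegistryPath)) {
        New-Item -Path $Markers.RegistryPath -Force | Out-Null
    }
    New-ItemProperty -Path $Markers.RegistryPath -Name $Markers.RegistryValue `
        -Value ([guid]::NewGuid().ToString()) -PropertyType String -Force | Out-Null
    Set-Content -Path $Markers.DecoyFile -Value 'vaccine marker' -Force

    # A named mutex exists only while some process holds a handle to it: keep the
    # returned object alive (long-running script or service) or this marker vanishes.
    $createdNew = $false
    $mutex = New-Object System.Threading.Mutex($false, $Markers.MutexName, [ref]$createdNew)
    return $mutex
}

function Test-Vaccine {
    # Mirrors the check malware performs at startup: does this host look infected?
    $mutexPresent = $false
    $existing = $null
    if ([System.Threading.Mutex]::TryOpenExisting($Markers.MutexName, [ref]$existing)) {
        $mutexPresent = $true
        $existing.Dispose()
    }
    [pscustomobject]@{
        RegistryMarker = [bool](Get-ItemProperty -Path $Markers.RegistryPath `
                            -Name $Markers.RegistryValue -ErrorAction SilentlyContinue)
        FileMarker     = Test-Path $Markers.DecoyFile
        MutexMarker    = $mutexPresent
    }
}

function Remove-Vaccine {
    param([System.Threading.Mutex]$Mutex)
    if ($Mutex) { $Mutex.Dispose() }
    Remove-Item -Path $Markers.RegistryPath -Recurse -Force -ErrorAction SilentlyContinue
    Remove-Item -Path $Markers.DecoyFile -Force -ErrorAction SilentlyContinue
}

# Usage:
#   $m = Install-Vaccine; Test-Vaccine    # all three markers present while $m is alive
#   Remove-Vaccine -Mutex $m; Test-Vaccine
```

The three markers fail in different ways, which is the point of showing all of them: the registry and file markers survive reboots but are trivially renamed by the next malware build, and the mutex marker is the most faithful to how families actually self-check but disappears the moment the holding process exits, so a vaccine that relies on it has to run as a service.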
2025-10-21 08:04:59 theregister MISCELLANEOUS Expanding Zero Trust Model to Enhance European Cybersecurity Resilience
European organizations are increasingly adopting Zero Trust principles to secure users, devices, workloads, and applications, addressing modern cybersecurity challenges. Traditional Zero Trust models often leave gaps by focusing narrowly on immediate vulnerabilities, neglecting areas like remote locations, IoT devices, and supply chain connections. Threat actors exploit these overlooked areas, especially as operations become more decentralized and device-heavy, increasing the attack surface. Zero Trust Everywhere expands security measures across all IT infrastructure layers, reducing attack avenues and strengthening cybersecurity posture. This comprehensive approach aligns with regulatory requirements, aiding compliance with the Data Protection Act 2018 and UK NIS Regulations, while enhancing operational efficiencies. By adopting Zero Trust Everywhere, organizations can ensure data security, build customer trust, and maintain competitive advantages in international markets. The strategy supports UK sectors such as financial services and healthcare, safeguarding them against persistent threats from state-backed hackers and sophisticated cybercriminals.
2025-10-21 07:35:52 theregister DATA BREACH Cifas Email Mishap Exposes Dozens of Fraud Professionals' Addresses
Cifas, an anti-fraud nonprofit, inadvertently exposed email addresses of over 50 professionals in a calendar invite mishap. The incident involved a session invite for the JustMe app, sent in August for an October event. Email addresses were visible in the To and CC fields, affecting individuals from security vendors, consultancies, and government sectors. The Information Commissioner's Office (ICO) regards email addresses as personal data, requiring careful handling to prevent breaches. Although the ICO had not received a breach report, organizations must notify it within 72 hours if risks to rights and freedoms exist. The ICO advises using bulk email services or secure data transfer to prevent similar incidents, emphasizing the need for staff training. This incident serves as a reminder of the importance of proper email practices to protect personal data and organizational reputation.
2025-10-21 07:35:52 thehackernews NATION STATE ACTIVITY Google Uncovers New Russian Malware Families by COLDRIVER Hackers
Google's Threat Intelligence Group identified three new malware families—NOROBOT, YESROBOT, and MAYBEROBOT—linked to the Russian state-sponsored group COLDRIVER, indicating a shift in their operational tactics. These malware families are part of a sophisticated delivery chain, utilizing ClickFix-style lures to execute malicious PowerShell commands via fake CAPTCHA prompts. The malware, designed for intelligence gathering, targets high-profile individuals, including NGOs and policy advisors, with a focus on credential theft and information extraction. Initial deployment of YESROBOT served as a temporary solution following public disclosure of LOSTKEYS, later replaced by the more versatile MAYBEROBOT. The malware's evolution aims to evade detection, with NOROBOT and MAYBEROBOT reserved for significant targets who may have been previously compromised. Dutch authorities have apprehended three individuals suspected of aiding foreign government cyber activities, including mapping Wi-Fi networks for espionage purposes. This development underscores the ongoing threat posed by nation-state actors and the need for robust cybersecurity measures to protect high-value targets.
2025-10-21 07:27:01 thehackernews NATION STATE ACTIVITY Salt Typhoon Exploits Citrix Flaw in European Telecom Attack
A European telecommunications firm was breached in July 2025 by Salt Typhoon, a China-linked cyber espionage group, using a Citrix NetScaler Gateway vulnerability for initial access. Salt Typhoon, active since 2019, has targeted telecom, energy, and government sectors globally, exploiting edge device vulnerabilities to exfiltrate sensitive data. Attackers pivoted to Citrix Virtual Delivery Agent hosts within the client's Machine Creation Services subnet, utilizing SoftEther VPN to mask their origins. The Snappybee malware, a successor to ShadowPad, was deployed using DLL side-loading via legitimate antivirus software, highlighting sophisticated evasion techniques. The malware communicated with an external server using HTTP and an unidentified TCP protocol, aiming to maintain persistence and control. Darktrace detected and mitigated the intrusion before significant escalation, emphasizing the need for advanced detection capabilities against such persistent threats. Salt Typhoon's use of legitimate tools and evolving tactics poses ongoing challenges to conventional detection methods, necessitating enhanced cybersecurity measures.
2025-10-20 21:14:50 bleepingcomputer MISCELLANEOUS DNS0.EU Shuts Down Citing Sustainability Challenges in Europe
DNS0.EU, a non-profit DNS service based in France, announced its immediate closure, citing time and resource demands its operators could no longer sustain. The service was designed to provide resilient DNS resolution across all EU member states, with 62 servers operating in 27 cities. DNS0.EU offered a no-logs policy, encrypted transports such as DNS-over-HTTPS and DNS-over-TLS (encryption between client and resolver, not end-to-end, since the resolver itself still sees every query), and blocking of malicious domains, including phishing sites and malware command-and-control servers. Users are advised to transition to DNS4EU or NextDNS, both of which block fraudulent and malicious content. DNS4EU, co-funded by the EU, provides straightforward setup and optional filtering of inappropriate content, while NextDNS offers fine-grained filtering controls. The shutdown reflects the difficulty non-profit infrastructure projects face in sustaining operations without adequate resources, and removes one option for users seeking GDPR-compliant, privacy-focused DNS resolution.
2025-10-20 19:04:54 thehackernews VULNERABILITIES CISA Adds New Exploited Vulnerabilities From Oracle and Microsoft to Catalog
CISA has added five security flaws to its Known Exploited Vulnerabilities catalog, including critical vulnerabilities in Oracle and Microsoft products. CVE-2025-61884 affects Oracle E-Business Suite and enables unauthenticated access to sensitive data via server-side request forgery. A second E-Business Suite flaw, CVE-2025-61882, allows unauthenticated attackers to execute arbitrary code and has affected numerous organizations, according to Google Threat Intelligence Group and Mandiant. While specific threat actors remain unidentified, some of the exploitation activity is linked to Cl0p-branded extortion operations, suggesting organized cybercriminal involvement. Federal agencies are mandated to address these vulnerabilities by November 10, 2025. The remaining entries are CVE-2025-33073 (Windows SMB client elevation of privilege) and CVE-2025-2746 and CVE-2025-2747 (authentication bypasses in the Staging Sync Server of Kentico Xperience CMS), for which public exploitation details remain sparse. Organizations are urged to prioritize patching and remediation against these actively exploited threats.
2025-10-20 18:47:16 bleepingcomputer CYBERCRIME Muji Suspends Online Sales Due to Ransomware Attack on Supplier
Japanese retailer Muji halted online sales after a ransomware attack on its logistics partner, Askul, disrupted operations, affecting order placements and browsing capabilities on its website. The attack impacted Muji's retail services in Japan, where Askul handles logistics, while operations in other countries remain unaffected. Askul, owned by Yahoo! Japan Corporation, suspended orders and shipping, and is investigating potential data breaches, including customer information leaks. Muji is working to identify affected shipments and notify customers via email, though no timeline for system restoration has been provided. The incident follows a recent ransomware attack on Asahi, Japan's largest beer producer, highlighting a concerning trend of cyberattacks on major Japanese companies. No ransomware groups have claimed responsibility for the attack on Askul, and the extent of the data breach remains under investigation. This situation underscores the critical need for robust cybersecurity measures and contingency planning in supply chain operations to mitigate such disruptions.
2025-10-20 17:45:58 bleepingcomputer VULNERABILITIES Critical RCE Vulnerability Affects 75,000 WatchGuard Devices Globally
Nearly 76,000 WatchGuard Firebox appliances are exposed to CVE-2025-9242, a critical remote code execution flaw, with the majority located in Europe and North America. The vulnerability, rated 9.3 in severity, is an out-of-bounds write in the Fireware OS 'iked' process that handles IKEv2 VPN negotiations. An unauthenticated attacker can trigger it with crafted IKEv2 packets, corrupting memory and potentially executing code on the appliance. Affected appliances are those configured with IKEv2 mobile user VPN or a branch-office VPN (BOVPN) to a dynamic gateway peer; WatchGuard notes that an appliance remains exposed if such a configuration was deleted but a BOVPN to a static gateway peer still exists. WatchGuard has released fixed Fireware versions and recommends upgrading; version 11.x has reached end of support and will not receive a fix. For appliances that only use BOVPNs to static peers, the vendor's temporary workaround is to disable any dynamic-peer BOVPNs and add firewall policies that restrict inbound IPSec/IKE traffic to known peers, as detailed in its advisory. The Shadowserver Foundation's scans show 75,955 devices still at risk as of October 19, 2025. No active exploitation has been reported yet, but administrators are urged to patch promptly.
2025-10-20 17:22:59 bleepingcomputer VULNERABILITIES CISA Alerts on Active Exploitation of Windows SMB Vulnerability
CISA reports active exploitation of CVE-2025-33073, a high-severity privilege escalation flaw in the Windows SMB client affecting Windows Server and Windows 10 and 11 systems. The vulnerability, patched in June 2025, stems from improper access control and lets attackers gain SYSTEM privileges. Exploitation requires coercing a victim machine into connecting to an attacker-controlled SMB server, after which the attacker escalates privileges on that machine. Microsoft credited researchers from CrowdStrike, Synacktiv, SySS GmbH, Google Project Zero and RedTeam Pentesting GmbH for discovering the flaw. CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog, mandating that federal agencies patch by November 10 under BOD 22-01. While BOD 22-01 binds only federal agencies, CISA urges all organizations to patch promptly. The advisory notes that such vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to federal and private sector networks alike.
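The mitigations recommended in the two CVE-2025-33073 items above (apply the June 2025 update, enforce SMB signing, limit SMB to untrusted networks), as an added example that is not code from the articles, CISA or Microsoft. The first function audits a host; the second applies the settings. The patch check is a heuristic that is an assumption of this example (a cumulative security update installed on or after 2025-06-10), not a precise test; the firewall rule name and the use of the Windows Firewall 'Internet' address keyword are also choices of this example.

```powershell
# Added example (not from the articles, CISA or Microsoft). Run in an elevated shell.

function Test-SmbReflectionExposure {
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    # Heuristic (assumption): any 'Security Update' installed on or after the June 2025
    # Patch Tuesday. Later cumulative updates supersede the June one, so the date, not a
    # fixed KB number, is checked; confirm the exact KB for your build in the Security
    # Update Guide before trusting this result.
    $patched = [bool](Get-HotFix | Where-Object {
        $_.Description -match 'Security Update' -and
        $_.InstalledOn -ge [datetime]'2025-06-10' })
    [pscustomobject]@{
        ClientSigningRequired         = $client.RequireSecuritySignature
        ServerSigningRequired         = $server.RequireSecuritySignature
        CumulativeUpdateSinceJune2025 = $patched
        OutboundSmbToInternetBlocked  = [bool](Get-NetFirewallRule `
            -DisplayName 'Block outbound SMB to Internet' -ErrorAction SilentlyContinue)
    }
}

function Enable-SmbReflectionMitigations {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Require SMB signing on both sides: a session an attacker relays back to this host
    # cannot be signed by the relay, because it never learns the session key.
    if ($PSCmdlet.ShouldProcess('SMB client and server', 'Require security signatures')) {
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }
    # Keep the host from reaching attacker-controlled SMB servers outside the network.
    # 'Internet' is the Windows Firewall keyword for addresses outside the local subnets
    # (it relies on Network Location Awareness); replace it with explicit ranges where
    # the network layout is known.
    $ruleName = 'Block outbound SMB to Internet'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess('Windows Firewall', "Add rule '$ruleName'")) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
                -Protocol TCP -RemotePort 445 -RemoteAddress Internet `
                -Action Block -Profile Any | Out-Null
        }
    }
}

# Usage:
#   Test-SmbReflectionExposure
#   Enable-SmbReflectionMitigations -WhatIf   # dry run
#   Enable-SmbReflectionMitigations
#   Test-SmbReflectionExposure                # expect all four fields True
```

Requiring signatures on the server side is the setting Microsoft's guidance points to for this class of relay-back-to-self attack; requiring it on the client as well is a broader hardening step that will break connections to legacy NAS devices and printers that cannot sign, so test it before rolling it out by policy. The outbound rule addresses only coercion toward external servers; an attacker already on the LAN is stopped by signing and the patch, not by the firewall rule.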