Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11706
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-10-17 09:32:22 | thehackernews | VULNERABILITIES | Critical WatchGuard VPN Flaw Enables Remote Code Execution Risks | Researchers identified a critical vulnerability in WatchGuard Fireware OS, tracked as CVE-2025-9242, allowing unauthenticated attackers to execute arbitrary code on affected devices. The flaw affects Fireware OS versions 11.10.2 to 11.12.4_Update1, 12.0 to 12.11.3, and 2025.1, impacting both mobile user and branch office VPNs with IKEv2. Exploitation involves an out-of-bounds write in the iked process, potentially enabling attackers to gain control of the instruction pointer register and spawn a Python shell. WatchGuard has released patches to address the vulnerability, urging users to update to secure versions to prevent potential exploitation by ransomware groups. The vulnerability's characteristics, such as internet exposure and lack of authentication, make it attractive for malicious actors seeking remote code execution capabilities. This discovery follows recent disclosures of other critical vulnerabilities, including those in Progress Telerik UI and Dell UnityVSA, emphasizing the need for timely patch management. Organizations using affected WatchGuard devices should prioritize patching and review their VPN configurations to mitigate potential security risks. | Details |
| 2025-10-17 06:08:13 | thehackernews | CYBERCRIME | Microsoft Revokes 200 Fraudulent Certificates in Ransomware Crackdown | Microsoft has revoked over 200 certificates used by the Vanilla Tempest group to sign malicious binaries in a ransomware campaign involving Rhysida. These certificates were used in fake Microsoft Teams setup files to deliver the Oyster backdoor, ultimately deploying Rhysida ransomware. The campaign was detected in late September 2025, and Microsoft disrupted the activity earlier this month, updating security solutions to flag related threats. Vanilla Tempest, also known as Vice Society, has been active since July 2022, using various ransomware strains including BlackCat and Quantum Locker. The group used SEO poisoning to direct users to malicious domains mimicking Microsoft Teams download sites, exploiting user trust in search results. Trusted Signing and major code signing services like DigiCert and GlobalSign were used to sign the malicious installers and tools. Users are advised to download software only from verified sources to mitigate the risk of such attacks and avoid suspicious links in search engine ads. | Details |
| 2025-10-17 05:59:36 | bleepingcomputer | DATA BREACH | Sotheby’s Data Breach Exposes Sensitive Employee Financial Information | Sotheby’s, a prominent international auction house, experienced a data breach involving unauthorized access to sensitive employee information, including Social Security numbers and financial account details. The breach was detected on July 24, 2025, prompting a two-month investigation to determine the scope and specific data affected. The company handles billions in auction sales annually, emphasizing the potential impact on its operations and reputation. The breach notification indicated that two individuals in Maine and two in Rhode Island were affected, with the total number of impacted employees undisclosed. No ransomware groups have claimed responsibility for the breach, although similar entities have targeted auction houses previously. Sotheby’s is offering affected employees 12 months of free identity protection and credit monitoring services through TransUnion. The company has engaged data protection experts and law enforcement to manage the incident and mitigate future risks. | Details |
| 2025-10-16 19:52:20 | theregister | VULNERABILITIES | Experts Call for Overhaul of CVE and CVSS Systems | Aram Hovsepyan, CEO of Codific, critiques the CVE and CVSS systems, citing misaligned incentives and inconsistency in vulnerability assessments. Research presented at the USENIX Security Symposium indicates 34% of CVEs cited in academic papers are either unconfirmed or disputed by software maintainers. The CVE process involves multiple stakeholders, including CNAs, which may lack motivation or technical context, leading to questionable vulnerability reports. The CVSS system's scoring inconsistency is highlighted, with studies showing significant score variations upon re-evaluation, questioning its reliability. An example of a deprecated system receiving a high CVSS score before being downgraded illustrates potential flaws in the current vulnerability assessment process. Industry experts suggest CVEs and CVSS should not be the sole foundation of application security strategies, advocating for risk assessment grounded in threat modeling. Calls for procedural improvements in vulnerability reporting emphasize the need for a scientific approach to interpreting vulnerability data. | Details |
| 2025-10-16 19:30:32 | bleepingcomputer | DATA BREACH | Sotheby’s Data Breach Exposes Sensitive Customer Financial Information | Sotheby’s, a premier global auction house, reported a data breach affecting customer information, including financial details, detected on July 24, 2025. The breach involved unauthorized access to sensitive data such as full names, Social Security numbers, and financial account information. The investigation into the breach spanned two months to ascertain the scope and specifics of the data compromised. While the total number of affected individuals remains undisclosed, at least four individuals in Maine and Rhode Island were impacted. No ransomware group has claimed responsibility for the attack, although similar organizations have targeted auction houses previously. Sotheby’s has offered a 12-month free identity protection and credit monitoring service to affected customers through TransUnion. Past security incidents at Sotheby’s include a web skimmer attack in 2017-2018 and a supply-chain attack in 2021, highlighting ongoing security challenges. | Details |
| 2025-10-16 19:24:07 | bleepingcomputer | DATA BREACH | Prosper Data Breach Exposes Information of 17.6 Million Accounts | Financial services firm Prosper experienced a data breach affecting over 17.6 million accounts, with attackers accessing sensitive customer and applicant information. The breach was detected on September 2, but Prosper has not found evidence of unauthorized access to customer accounts or funds. Exposed data includes Social Security numbers, names, government-issued IDs, employment and credit status, income levels, and other personal details. Prosper has reported the incident to authorities and is collaborating with law enforcement to investigate the breach. The company is offering free credit monitoring to affected individuals once the full scope of compromised data is determined. Although Prosper has not confirmed the extent of the breach, the notification service Have I Been Pwned disclosed the impact on 17.6 million email addresses. Prosper's customer-facing operations remain unaffected, and the company prioritizes resolving the incident while keeping customers informed. | Details |
| 2025-10-16 18:17:59 | bleepingcomputer | VULNERABILITIES | Hackers Exploit Cisco SNMP Flaw, Deploy Rootkit on Switches | Threat actors exploited a remote code execution vulnerability (CVE-2025-20352) in Cisco devices, targeting older models like the 9400, 9300, and 3750G series lacking endpoint detection solutions. The vulnerability affects the Simple Network Management Protocol (SNMP) in Cisco IOS and IOS XE, allowing attackers with root privileges to deploy a Linux rootkit for persistent access. Trend Micro identified this campaign as 'Operation Zero Disco', noting the malware sets a universal access password and can manipulate logs and bypass access controls. The rootkit includes a UDP controller to listen on any port, disabling logs, and enabling lateral movement across VLANs through ARP spoofing and internal firewall rule bypassing. Despite newer switches having Address Space Layout Randomization (ASLR) protection, they remain susceptible to persistent targeting, emphasizing the need for robust security measures. Trend Micro recommends a low-level firmware and ROM region investigation if a compromise is suspected, as no reliable detection tool currently exists for these attacks. Indicators of compromise (IoCs) related to 'Operation Zero Disco' have been published to aid in identifying affected systems. | Details |
| 2025-10-16 17:06:25 | bleepingcomputer | CYBERCRIME | Microsoft Halts Rhysida Ransomware Attacks Exploiting Teams Installers | Microsoft disrupted a series of Rhysida ransomware attacks by revoking over 200 certificates used to sign malicious Microsoft Teams installers. The threat group, Vanilla Tempest, used deceptive domains mimicking Microsoft Teams to distribute fake installers, infecting systems with the Oyster backdoor. The campaign involved malvertising tactics, including search engine ads and SEO poisoning, to push fake Teams installers that compromised Windows devices. Upon execution, the malicious installers deployed Oyster malware, enabling remote access for data theft, command execution, and further payload deployment. Vanilla Tempest, also known as VICE SPIDER, has been active since June 2021, targeting sectors like education, healthcare, IT, and manufacturing. The group has a history of using various ransomware strains, including BlackCat and Zeppelin, and was previously warned against by the FBI and CISA. Microsoft's intervention reflects ongoing efforts to counteract sophisticated cybercrime tactics leveraging trusted software distribution channels. | Details |
| 2025-10-16 16:34:20 | theregister | NATION STATE ACTIVITY | Chinese APT Group Jewelbug Targets Russian IT Firm for Espionage | Symantec's Threat Hunter Team identified a Chinese APT group, Jewelbug, infiltrating a Russian IT service provider, signaling a rare instance of espionage between the two nations. The intrusion spanned from early 2025 to May, granting Jewelbug months of undetected access to critical infrastructure, including servers and code repositories. Jewelbug employed tactics such as renaming Microsoft's cdb.exe to "7zup.exe" and used Yandex Cloud for exfiltration, exploiting the trust Russian firms place in local services. The attack potentially aimed at a software supply chain assault, threatening a wide network of Russian companies with espionage or operational disruption. This incident challenges the notion of Russia being off-limits to Chinese cyber operations, suggesting a shift in Beijing's intelligence strategy. Previous reports indicate Chinese groups have targeted Russian military and corporate networks since mid-2022, seeking sensitive military and technological data. The evolving use of cloud-native C2 channels by Jewelbug highlights a trend toward more sophisticated and stealthy cyber operations. Russian IT providers and their clients should reassess their cybersecurity strategies in light of this emerging threat landscape. | Details |
| 2025-10-16 15:11:42 | bleepingcomputer | VULNERABILITIES | Gladinet Releases Patch for Actively Exploited CentreStack Zero-Day Vulnerability | Gladinet addressed a zero-day local file inclusion vulnerability in its CentreStack solution, exploited since late September, by releasing a security update in version 16.10.10408.56683. The vulnerability, CVE-2025-11371, allowed attackers to read critical configuration files and leverage them for remote code execution through a previously identified flaw, CVE-2025-30406. Huntress researchers identified the flaw as a bypass for earlier mitigations against a deserialization vulnerability, leading to unauthorized access and potential system compromise. The root cause was traced to a sanitization failure in the temp-download handler, which enabled directory traversal and unauthorized file access under NT AUTHORITY\SYSTEM. Administrators are urged to install the latest update or apply temporary mitigations by disabling the temp handler in the Web.config file to prevent exploitation. Huntress provided technical insights and a minimal proof-of-concept exploit, though the full exploit chain remains undisclosed to limit potential abuse. Organizations using CentreStack should prioritize patching to safeguard against potential threats and maintain operational security integrity. | Details |
| 2025-10-16 15:03:35 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Exploit Blockchain for Advanced Malware Distribution | North Korean threat actor UNC5342 has adopted the EtherHiding technique to distribute malware via blockchain smart contracts, marking a first for state-sponsored cyber operations. The campaign, known as Contagious Interview, targets developers through LinkedIn, using social engineering to deploy malicious code under the guise of job assessments. EtherHiding involves embedding harmful code within smart contracts on public blockchains like Ethereum, making malware distribution resilient to takedown efforts. This method leverages the pseudonymous nature of blockchain transactions, complicating efforts to trace the deployment of malicious smart contracts. Attackers can update the malicious payload within the smart contract at any time, enhancing the flexibility and persistence of the threat. The attack chain affects Windows, macOS, and Linux systems, utilizing three different malware families to achieve its objectives. This development signals a significant shift in the cyber threat landscape, as nation-state actors increasingly use innovative techniques to evade detection and enhance operational resilience. | Details |
| 2025-10-16 14:56:12 | thehackernews | MALWARE | UNC5142 Exploits Blockchain Smart Contracts for Malware Distribution | Threat actor UNC5142 is leveraging blockchain smart contracts to distribute information-stealing malware, targeting both Windows and macOS users via compromised WordPress sites. Google Threat Intelligence Group identified approximately 14,000 web pages with injected JavaScript linked to UNC5142, indicating widespread exploitation of vulnerable WordPress sites. The attack chain involves a multi-stage JavaScript downloader, CLEARSHORT, which uses smart contracts on the BNB Smart Chain to deliver malware payloads. The attack utilizes the ClickFix tactic, deceiving users into executing malicious commands, leading to system infections with stealer malware. UNC5142's infrastructure includes a sophisticated three-smart contract system, enhancing operational agility and resistance to detection and takedown efforts. The group's campaigns have evolved significantly, employing a proxy pattern architecture that allows for rapid updates without modifying compromised site scripts. The use of blockchain technology provides the threat actor with increased resiliency, blending malicious activities with legitimate Web3 operations. Despite a pause in activity since July 2025, the group's past success suggests a potential for future sophisticated campaigns. | Details |
| 2025-10-16 14:31:03 | thehackernews | MALWARE | New LinkPro Rootkit Exploits eBPF for Stealth Operations on Linux | Synacktiv discovered the LinkPro rootkit during an investigation of compromised AWS-hosted infrastructure, exploiting Linux systems with advanced concealment techniques. Attackers leveraged a Jenkins server vulnerable to CVE-2024-23897 to deploy the rootkit via a malicious Docker Hub image on Kubernetes clusters. LinkPro uses eBPF modules for stealth, activating through a "magic packet" with a specific TCP window size, allowing remote command execution within a one-hour window. The rootkit modifies the "/etc/ld.so.preload" file to conceal itself, affecting all programs using shared libraries, including glibc, by intercepting system calls. LinkPro supports multiple communication protocols, enabling versatile command and control operations, and complicates network activity correlation with firewall logs. The attack's financial motivation remains suspected, though the threat actors' identities are currently unknown. This incident emphasizes the need for robust patch management and monitoring of exposed services to prevent similar infiltrations. | Details |
| 2025-10-16 14:31:02 | bleepingcomputer | VULNERABILITIES | CISA Warns of Active Exploitation of Critical Adobe Flaw | CISA has issued an alert regarding active exploitation of a critical vulnerability in Adobe Experience Manager, identified as CVE-2025-54253, which allows remote code execution. This vulnerability affects Adobe Experience Manager Forms on JEE versions 6.5.23 and earlier, stemming from a misconfiguration issue that permits unauthenticated access. Researchers Adam Kues and Shubham Shah disclosed the flaw to Adobe in April, but it remained unpatched until August, despite proof-of-concept exploit code being publicly available. Adobe's delayed response left systems exposed for over 90 days, prompting CISA to add this flaw to its Known Exploited Vulnerabilities Catalog. Federal agencies are mandated to secure their systems by November 5th under Binding Operational Directive 22-01, with CISA urging all organizations to prioritize patching. Administrators are advised to restrict Internet access to AEM Forms if immediate patching is not possible, to mitigate potential exploitation risks. The vulnerability's exploitation poses significant risks to federal and private sector enterprises, emphasizing the need for timely security updates and proactive defense measures. | Details |
| 2025-10-16 14:15:43 | theregister | MISCELLANEOUS | Google Introduces Trusted Contacts for Enhanced Gmail Account Recovery | Google has launched a new Gmail feature allowing users to designate trusted contacts to assist in account recovery when traditional methods are unavailable. This initiative aims to address challenges associated with passkeys, particularly when users lose access to their devices, hindering account access. Users can select up to 10 trusted contacts, who will receive a code to verify recovery requests, enhancing security through number-matching authentication. Google implements additional security measures, such as device history and IP checks, to ensure the legitimacy of recovery attempts and prevent unauthorized access. While the feature enhances account recovery, it requires contacts to possess strong cybersecurity awareness to avoid potential social engineering attacks. This feature is currently available for personal Gmail accounts, but not for Google Workspace or accounts enrolled in the Advanced Protection Program. Google's ongoing efforts in account recovery solutions aim to maintain high privacy and security standards while providing users with reliable access options. | Details |