Daily Brief

Summaries below are generated automatically from the linked articles.

2025-10-13 11:19:59 theregister DATA BREACH Ofcom Fines 4chan for Non-Compliance with Online Safety Act
Ofcom fined 4chan £20,000 for failing to protect children from harmful content, marking the first penalty under the UK's Online Safety Act. Additional fines of up to £6,000 may accrue if 4chan does not submit required risk assessments and revenue information to Ofcom. The Online Safety Act mandates platforms to remove illegal content and protect users, with penalties reaching £18 million or 10% of global revenue. Ofcom has initiated 21 investigations since March 2025, targeting platforms failing to comply with content safety regulations. Some platforms, like Krakenfiles and Nippydrive, avoided penalties by geo-blocking UK users, reducing exposure to harmful content. Ofcom's enforcement includes promoting hash-matching technology to prevent the spread of illegal content, with some platforms already adopting these measures. The UK government maintains a stance against banning VPNs, despite their use in bypassing geo-blocks, focusing on platforms that promote such workarounds.
2025-10-13 11:19:59 bleepingcomputer DATA BREACH Harvard Data Breach Tied to Oracle Zero-Day Exploit by Clop Gang
Harvard University is investigating a data breach linked to a zero-day vulnerability in Oracle's E-Business Suite, exploited by the Clop ransomware group. The breach affects a limited number of parties within a small administrative unit, according to Harvard's IT department. Oracle's zero-day flaw, tracked as CVE-2025-61882, has been patched following its exploitation in these attacks. Clop has threatened to release Harvard's data publicly unless a ransom is paid, continuing its pattern of extortion tactics. Mandiant and Google have identified a broader extortion campaign targeting Oracle E-Business Suite customers. The incident highlights the ongoing risk of zero-day vulnerabilities and the importance of timely patch management. Organizations using Oracle's software are advised to apply the latest security updates and monitor for suspicious activity.
2025-10-13 11:04:42 theregister NATION STATE ACTIVITY Dutch Government Restricts Nexperia Over Security Concerns with China
The Dutch government imposed special administrative measures on Nexperia, a Chinese-owned semiconductor firm, citing governance failures that threaten European technological security. The Ministry of Economic Affairs invoked the Goods Availability Act to prevent potential transfer of sensitive chip technology to Nexperia's Chinese parent company, Wingtech Technology. Under these measures, Nexperia’s corporate decisions can be blocked or reversed if they harm Dutch operations or critical supply chains. Wingtech criticized the Dutch intervention as politically motivated and claimed it freezes Nexperia's global operations for a year. This action is part of broader Western efforts to limit Chinese access to strategic semiconductor assets amid rising technological competition. Nexperia previously faced scrutiny in the UK, resulting in the forced sale of Newport Wafer Fab following a national security review. The situation reflects ongoing geopolitical tensions affecting the global semiconductor industry, with significant implications for supply chain security.
2025-10-13 10:19:51 thehackernews MALWARE RondoDox Botnet Exploits Over 50 Vulnerabilities Across Global Vendors
The RondoDox botnet is actively exploiting more than 50 vulnerabilities across over 30 vendors, targeting internet-exposed devices such as routers, DVRs, and CCTV systems. Trend Micro detected a RondoDox intrusion attempt in June 2025 that exploited a known flaw in TP-Link Archer routers, underlining the ongoing risk from previously disclosed vulnerabilities. RondoDox has adopted a "loader-as-a-service" model, delivering Mirai and Morte payloads alongside its own, which complicates detection and raises the urgency of remediation. Its arsenal covers nearly five dozen flaws, 18 of them without CVE identifiers, in products from vendors including D-Link, NETGEAR, Cisco, and Apache. The campaign marks a shift from single-device attacks to a multi-vector loader operation, a notable step in automated network exploitation. Separately, the Mirai-derived AISURU botnet has been abusing compromised IoT devices in the U.S. for large-scale DDoS attacks involving roughly 300,000 hosts worldwide. Defenders should patch the affected devices, replace default and weak credentials, keep device management interfaces off the public internet, and monitor edge devices for exploitation attempts.
2025-10-13 09:54:48 thehackernews VULNERABILITIES Microsoft Tightens Edge IE Mode After Exploitation Reports Surface
Microsoft revamped the Internet Explorer mode in Edge following reports that threat actors exploited it to access user devices without authorization. Attackers used social engineering and zero-day exploits in IE's JavaScript engine, Chakra, to gain remote code execution on victim devices. The exploitation involved tricking users into reloading pages in IE mode, bypassing modern security measures in Chromium and Edge. Once inside, attackers could perform post-exploitation activities, including malware deployment and data exfiltration. Microsoft has removed easy access to IE mode by eliminating related toolbar and menu options, enhancing security. Users must now enable IE mode manually, adding a layer of protection against potential attacks. This incident underscores the ongoing challenge of balancing legacy support with modern security needs.
2025-10-13 06:52:20 thehackernews MALWARE Astaroth Trojan Exploits GitHub for Resilient Operations in Latin America
The Astaroth banking trojan uses GitHub to keep operating despite infrastructure takedowns, complicating efforts to neutralize it. The malware primarily targets Brazil, with additional focus on other Latin American countries including Mexico and Argentina. The infection chain starts with DocuSign-themed phishing emails that lead to the download of malicious files. Astaroth uses obfuscated JavaScript and AutoIt scripts to install and run its payload, which includes keylogging. The trojan monitors browser activity, captures credentials for banking and cryptocurrency sites, and exfiltrates the data via Ngrok. It includes anti-analysis features, shutting down if analysis tools are present, and persists through a shortcut placed in the Windows Startup folder. Its GitHub-hosted configuration is hidden with steganography so that it survives takedowns of the primary infrastructure; the researchers worked with Microsoft to remove the malicious repositories. The abuse of legitimate platforms such as GitHub remains a standing challenge for defenders.
2025-10-13 05:17:23 thehackernews MALWARE New Rust-Based ChaosBot Malware Exploits Discord for Command Control
eSentire researchers uncovered ChaosBot, a Rust-based backdoor that uses Discord channels for command and control and executes arbitrary commands on compromised systems, with financial services among the victims. In one intrusion the threat actors used compromised Cisco VPN and Active Directory credentials to deploy ChaosBot over WMI, giving them remote command execution across the network. ChaosBot is also delivered by phishing emails carrying malicious LNK files that run PowerShell to download the malware while displaying a decoy PDF purporting to come from the State Bank of Vietnam. The malware is loaded by sideloading a malicious DLL through Microsoft Edge's "identity_helper.exe", then performs system reconnaissance and deploys a fast reverse proxy (FRP) for persistent network access. Its evasion techniques include patching ntdll!EtwEventWrite so that Event Tracing for Windows emits nothing, and checking MAC addresses to avoid running inside virtual machines. Separately, Fortinet reports a new Chaos ransomware variant written in C++ that adds destructive file deletion and clipboard hijacking to redirect cryptocurrency transfers, marking a shift toward more aggressive financial-gain tactics. The Chaos-C++ ransomware masquerades as utilities such as "System Optimizer v2.1" and combines several encryption strategies to maximize impact.
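The ETW-blinding trick mentioned above works by overwriting the first bytes of ntdll!EtwEventWrite with an early return, so every call exits before an event is written. The following is an added example of how a defender can check for that kind of inline patch; it is not code from eSentire's report or from the malware. It compares the live prologue of the export with a known-good snapshot and classifies the overwrite. The "clean" prologue bytes and the list of stub encodings are constructed for this example, and the snapshot is assumed to come from a trusted process on the same OS build (a full on-disk comparison would require parsing the PE export table, which is omitted here).

```python
"""Spot an inline patch on ntdll!EtwEventWrite by comparing its prologue with a known-good copy."""
import ctypes
import sys

# Early-return stubs that attackers write over the first bytes of a function so that
# every call returns before any event is emitted (x64 encodings; constructed list).
EARLY_RETURN_STUBS = {
    b"\xc3": "ret",
    b"\x33\xc0\xc3": "xor eax,eax; ret",
    b"\x48\x33\xc0\xc3": "xor rax,rax; ret",
    b"\xb8\x00\x00\x00\x00\xc3": "mov eax,0; ret",
}


def classify_prologue(live: bytes, known_good: bytes) -> dict:
    """Return whether the live prologue differs from the known-good one and what the patch looks like."""
    n = min(len(live), len(known_good))
    if live[:n] == known_good[:n]:
        return {"patched": False, "kind": None}
    for stub, name in EARLY_RETURN_STUBS.items():
        if live.startswith(stub):
            return {"patched": True, "kind": name}
    if live[:1] == b"\xe9":  # jmp rel32: a detour into attacker code rather than a plain return
        return {"patched": True, "kind": "jmp rel32 detour"}
    return {"patched": True, "kind": "unknown modification"}


def read_live_prologue(export: bytes = b"EtwEventWrite", n: int = 16) -> bytes:
    """Read the first n bytes of an ntdll export in the current process (Windows only)."""
    if sys.platform != "win32":
        raise OSError("live memory read is only possible on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    base = k32.GetModuleHandleW("ntdll.dll")
    addr = k32.GetProcAddress(base, export)
    if not addr:
        raise OSError("export not found")
    return ctypes.string_at(addr, n)


# Constructed stand-in for a clean prologue snapshot (not bytes from any real ntdll build);
# in practice capture this from a trusted process on the same OS build before untrusted code runs.
KNOWN_GOOD = bytes.fromhex("48895c24084889742410574883ec20")


def simulate(patch_stub: bytes) -> dict:
    """Overlay a patch stub on the clean prologue, as an in-memory patch would, and classify it."""
    live = patch_stub + KNOWN_GOOD[len(patch_stub):]
    return classify_prologue(live, KNOWN_GOOD)


if __name__ == "__main__":
    print("clean   :", classify_prologue(KNOWN_GOOD, KNOWN_GOOD))
    print("xor/ret :", simulate(b"\x33\xc0\xc3"))
    print("detour  :", simulate(b"\xe9\x10\x20\x30\x40"))
    if sys.platform == "win32":
        print("this process:", read_live_prologue()[:8].hex())
```

On a Windows host, `read_live_prologue()` gives the bytes to feed into `classify_prologue()`; the same comparison applies to any other export an implant might neuter (AmsiScanBuffer is the usual companion).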
2025-10-12 17:27:31 thehackernews VULNERABILITIES Oracle E-Business Suite Flaw Risks Unauthorized Data Access
Oracle has issued a security alert for a vulnerability in its E-Business Suite, tracked as CVE-2025-61884, which could allow unauthorized access to sensitive data. The flaw, rated CVSS 7.5, affects versions 12.2.3 through 12.2.14 and can be exploited remotely over HTTP without authentication. Successful exploitation may expose critical data, posing significant risk to affected organizations. Oracle urges immediate application of the available update, though no active exploitation of this flaw has been reported. The alert follows the recent disclosure of a separate E-Business Suite zero-day (CVE-2025-61882) that was exploited against numerous organizations in an extortion campaign linked to the Cl0p ransomware group, which deployed malware tracked as GOLDVEIN.JAVA and SAGEGIFT; CVE-2025-61884 has not been reported as part of that campaign. Organizations running Oracle E-Business Suite should prioritize patching both issues to protect sensitive resources and prevent data breaches.
2025-10-12 14:25:12 bleepingcomputer CYBERCRIME New York Residents Targeted by Fake Inflation Refund Text Scam
A smishing campaign is impersonating New York's Department of Taxation and Finance, falsely offering "Inflation Refunds" to steal personal and financial data from residents. The legitimate Inflation Refund initiative automatically sends checks to eligible New Yorkers, requiring no application or personal information submission. Scammers send texts urging recipients to click a link, leading to a fake website that requests sensitive information, potentially resulting in identity theft and financial fraud. Governor Kathy Hochul's office has issued a warning, emphasizing that the Tax Department and IRS do not solicit personal information via text or email. The New York Department of Taxation and Finance advises residents to be cautious of unsolicited communications and report any suspicious messages to authorities. Residents are encouraged to avoid clicking on links from unexpected messages and to report scams to the Tax Department or IRS to mitigate risks. This incident serves as a reminder of the importance of public awareness and vigilance against phishing and smishing attacks.
2025-10-11 14:20:20 bleepingcomputer CYBERCRIME Spanish Authorities Dismantle GXC Team Cybercrime Syndicate
Spanish Guardia Civil dismantled the GXC Team, a cybercrime group, arresting its leader, a 25-year-old Brazilian known as "GoogleXcoder." The GXC Team operated a crime-as-a-service platform, offering AI-powered phishing kits, Android malware, and voice-scam tools via Telegram and hacker forums. Targeting banks, transport, and e-commerce sectors in Spain, Slovakia, the UK, the US, and Brazil, the group replicated websites of numerous institutions for phishing. The group developed nine Android malware strains to intercept SMS and one-time passwords, aiding in account hijacking and fraudulent transactions. Coordinated police raids across multiple Spanish cities led to the seizure of electronic devices, phishing kit source code, and stolen cryptocurrency. Authorities shut down Telegram channels used for scam promotion, including one provocatively named "Steal everything from grandmothers." Forensic analysis of seized devices and cryptocurrency transactions enabled the identification of six individuals linked to the criminal network. The investigation is ongoing, with potential for further arrests as Spanish authorities continue to dismantle the cybercrime ring.
2025-10-11 13:34:40 thehackernews DATA BREACH SonicWall VPN Compromise Exposes Over 100 Accounts to Cyber Threats
Huntress has identified widespread compromise of SonicWall SSL VPN devices affecting over 100 accounts across 16 customer environments, beginning on October 4, 2025. The attackers authenticated with valid credentials rather than brute force, suggesting the credentials had been obtained beforehand. In some environments the intruders scanned the network and tried to access local Windows accounts; in others they disconnected without further action. SonicWall has acknowledged a related incident in which firewall configuration backup files were exposed through MySonicWall accounts, and has since said it affects all customers who used the cloud backup service, potentially revealing sensitive network configuration. Organizations are advised to reset credentials on live firewall devices, restrict remote access, revoke external API keys, and enforce multi-factor authentication. Recent ransomware activity against SonicWall devices has exploited known vulnerabilities, underscoring the need for timely patching.
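The distinguishing feature of the activity described above is that the logins succeeded on the first try from sources the accounts had never used, which is what a stolen-credential walk-in looks like in logs as opposed to password guessing. The block below is an added example (not from Huntress or SonicWall) of detection logic for that pattern: it parses constructed SonicWall-style SSL VPN auth lines, flags first-attempt successes from a source outside the account's baseline, separately flags successes that followed failures, and flags one source authenticating to several accounts within a short window. The log format, field names, baseline data, and thresholds are assumptions for this example and should be adapted to the real syslog output and to an actual 30-day baseline.

```python
"""Flag SSL VPN logins that look like use of valid stolen credentials rather than password guessing."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a SonicWall-like key=value syslog shape (not real device output).
SAMPLE_LOG = """\
2025-10-03T09:12:01Z fw=203.0.113.10 usr=j.doe src=192.0.2.25 msg="SSL VPN zone remote user login allowed"
2025-10-04T02:11:07Z fw=203.0.113.10 usr=j.doe src=198.51.100.7 msg="SSL VPN zone remote user login allowed"
2025-10-04T02:11:40Z fw=203.0.113.10 usr=a.smith src=198.51.100.7 msg="SSL VPN zone remote user login allowed"
2025-10-04T02:12:15Z fw=203.0.113.10 usr=svc-backup src=198.51.100.7 msg="SSL VPN zone remote user login allowed"
2025-10-04T03:40:02Z fw=203.0.113.10 usr=m.lee src=203.0.113.77 msg="SSL VPN zone remote user login failed"
2025-10-04T03:40:09Z fw=203.0.113.10 usr=m.lee src=203.0.113.77 msg="SSL VPN zone remote user login failed"
2025-10-04T03:40:31Z fw=203.0.113.10 usr=m.lee src=203.0.113.77 msg="SSL VPN zone remote user login allowed"
2025-10-04T08:05:44Z fw=203.0.113.10 usr=j.doe src=192.0.2.25 msg="SSL VPN zone remote user login allowed"
"""

# Constructed per-user baseline of source IPs seen in the prior 30 days.
BASELINE = {
    "j.doe": {"192.0.2.25"},
    "a.smith": {"192.0.2.40"},
    "svc-backup": {"192.0.2.25"},
    "m.lee": set(),
}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) .*?usr=(?P<user>\S+) src=(?P<src>\S+) '
    r'msg="SSL VPN zone remote user login (?P<result>allowed|failed)"'
)


def parse(log: str) -> list:
    """Turn raw lines into time-ordered auth events; lines that do not match are ignored."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "user": m["user"], "src": m["src"], "ok": m["result"] == "allowed",
            })
    return sorted(events, key=lambda e: e["ts"])


def detect(events, baseline, window=timedelta(minutes=10), min_accounts=3):
    findings = []
    failures = defaultdict(int)    # (user, src) -> failed attempts seen so far
    successes = defaultdict(list)  # src -> [(ts, user)] for successful logins
    for e in events:
        key = (e["user"], e["src"])
        if not e["ok"]:
            failures[key] += 1
            continue
        new_source = e["src"] not in baseline.get(e["user"], set())
        if new_source and failures[key] == 0:
            # Walked straight in from somewhere new: the credential was already known to the attacker.
            findings.append(("valid_creds_new_source", e["user"], e["src"], e["ts"].isoformat()))
        elif new_source:
            # Guessing that eventually worked: a brute-force signal, handled differently.
            findings.append(("success_after_failures", e["user"], e["src"], e["ts"].isoformat()))
        successes[e["src"]].append((e["ts"], e["user"]))
    # One source logging into several distinct accounts within the window: a credential set being replayed.
    for src, hits in successes.items():
        for i, (t0, _) in enumerate(hits):
            users = {u for t, u in hits[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                findings.append(("one_source_many_accounts", src, tuple(sorted(users)), t0.isoformat()))
                break
    return findings


def run_sample():
    return detect(parse(SAMPLE_LOG), BASELINE)


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

The "valid_creds_new_source" hits are the ones to treat as a credential exposure rather than an attack on the VPN itself: the response is a credential reset and a review of where those credentials could have been obtained (including exported configuration backups), not a lockout policy.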
2025-10-11 13:09:11 thehackernews CYBERCRIME Storm-2603 Exploits Velociraptor in Multi-Ransomware Cyber Attacks
Threat actors tracked as Storm-2603 are abusing the Velociraptor DFIR tool in attacks that deploy LockBit, Warlock, and Babuk ransomware, according to Sophos and Cisco Talos. The attackers exploited the SharePoint vulnerabilities known as ToolShell for initial access, then deployed an outdated Velociraptor build vulnerable to privilege escalation (CVE-2025-6264). The campaign involved creating domain admin accounts, moving laterally, and disabling defenses ahead of data exfiltration and ransomware deployment. Storm-2603 also modified Active Directory Group Policy Objects and used Smbexec for remote execution. Rapid7, which maintains Velociraptor, acknowledged the misuse and noted the broader risk of legitimate security tools being repurposed by attackers. Halcyon suggests Storm-2603 may have ties to Chinese nation-state actors, citing its development practices and rapid operational evolution. The group's use of multiple ransomware families appears intended to muddy attribution and evade detection, a sign of an organized and well-resourced operation.
2025-10-10 19:15:12 bleepingcomputer VULNERABILITIES Zero-Day Exploit in Gladinet Software Threatens Global Businesses
A zero-day vulnerability (CVE-2025-11371) in Gladinet's CentreStack and Triofox software lets an unauthenticated attacker read files on the host, and affects all versions including the latest release. At least three companies have been targeted by attackers chaining the flaw to remote code execution. The bug is a Local File Inclusion (LFI): attackers use it to read the application's machine keys and then abuse an older ViewState deserialization vulnerability (CVE-2025-30406) to execute code remotely. Huntress discovered the issue and notified Gladinet, which is contacting customers and has provided a workaround until a patch is available. The mitigation has been shared with affected customers but may reduce some platform functionality. CentreStack is used by thousands of businesses across 49 countries, so the potential impact is significant if the flaw goes unaddressed. Organizations running these products should apply the recommended mitigation immediately and, since the machine keys may already have been read, treat them as compromised once the fix is in place.
2025-10-10 18:11:54 bleepingcomputer MISCELLANEOUS Free Cybersecurity Guide Offers Practical Defense Strategies for All
"Cybersecurity For Dummies, 3rd Edition" is currently available for free, offering critical insights into building effective digital defenses against modern cyber threats. Authored by cybersecurity expert Joseph Steinberg, the book simplifies complex cybersecurity concepts into actionable guidance suitable for individuals and organizations. The guide addresses a range of threats, including ransomware, data breaches, and social engineering, making it a valuable resource for comprehensive security planning. The offer is valid until October 22, 2025, through TradePub, requiring registration to download the eBook at no cost. This initiative is part of a partnership with BleepingComputer.com, which benefits from commissions on leads generated through TradePub. As cyber threats continue to evolve, resources like this are essential for staying informed and prepared against potential attacks.
2025-10-10 16:51:22 bleepingcomputer VULNERABILITIES Apple Expands Bug Bounty Program, Offers Up to $5 Million Rewards
Apple has revamped its bug bounty program, raising the top payout to $5 million to attract more security researchers to its most critical attack surfaces. The base award for a zero-click remote code execution chain, the class of exploit used in mercenary spyware attacks, is now $2 million, with bonuses (for example for chains that also bypass Lockdown Mode, or that are reported during beta) taking the total to $5 million. New categories with higher payouts include bypassing Gatekeeper without user interaction and unauthorized iCloud access, which Apple says have not yet been reported. The program now also covers Apple-designed chips, and the wireless proximity award rises from $250,000 to $1 million, reflecting a focus on hardware and radio attack surfaces. Apple plans to distribute 1,000 secured iPhone 17 devices in 2026 to high-risk civil society organizations to improve their protection against sophisticated spyware. Platform defenses such as Lockdown Mode and Memory Integrity Enforcement in iOS are meant to make spyware exploit chains more expensive and harder to build. Apple expects the higher payouts to draw complex attack chains into responsible disclosure instead of the spyware market, reducing their availability to attackers.