Daily Brief

2025-10-11 13:34:40 thehackernews DATA BREACH SonicWall VPN Compromise Exposes Over 100 Accounts to Cyber Threats
Huntress has identified a widespread compromise of SonicWall SSL VPN devices affecting over 100 accounts across 16 customer environments, initiated on October 4, 2025. Attackers appear to have gained access using valid credentials rather than brute-forcing them, indicating a significant breach of security. Some attackers conducted network scanning and attempted access to local Windows accounts, while others disconnected without further actions. SonicWall acknowledged a related security incident involving unauthorized exposure of firewall configuration backup files via MySonicWall accounts. The breach impacts all customers using SonicWall's cloud backup service, potentially exposing sensitive network information. Organizations are advised to reset credentials on live firewall devices, restrict remote access, revoke external API keys, and enforce multi-factor authentication. Recent ransomware activities targeting SonicWall devices highlight the exploitation of known vulnerabilities, emphasizing the necessity for timely patch management.
2025-10-11 13:09:11 thehackernews CYBERCRIME Storm-2603 Exploits Velociraptor in Multi-Ransomware Cyber Attacks
Threat actors, identified as Storm-2603, are leveraging the Velociraptor DFIR tool to execute LockBit, Warlock, and Babuk ransomware attacks, as reported by Sophos and Cisco Talos. Attackers exploited SharePoint vulnerabilities, known as ToolShell, to gain initial access, utilizing an outdated Velociraptor version prone to privilege escalation (CVE-2025-6264). The campaign involved creating domain admin accounts, lateral movement, and disabling system defenses to facilitate data exfiltration and ransomware deployment. Storm-2603's tactics included modifying Active Directory Group Policy Objects and using Smbexec for remote execution, demonstrating advanced operational capabilities. Rapid7, the maintainer of Velociraptor, acknowledged the misuse of the tool, emphasizing the risk of legitimate security tools being repurposed by malicious actors. Halcyon suggests Storm-2603 may have ties to Chinese nation-state actors, evidenced by their sophisticated development practices and rapid operational evolutions. The group's strategic use of multiple ransomware families aims to confuse attribution and evade detection, indicative of organized and resourceful cybercriminal operations.
2025-10-10 19:15:12 bleepingcomputer VULNERABILITIES Zero-Day Exploit in Gladinet Software Threatens Global Businesses
A zero-day vulnerability (CVE-2025-11371) in Gladinet's CentreStack and Triofox software allows unauthorized local access to system files, impacting all versions, including the latest release. At least three companies have been targeted by threat actors exploiting this flaw to gain unauthorized access and execute code remotely. The vulnerability is a Local File Inclusion (LFI) flaw, enabling attackers to extract machine keys and leverage an older deserialization vulnerability (CVE-2025-30406) for remote code execution. Huntress researchers discovered the issue and informed Gladinet, which is working on notifying customers and providing a workaround until a patch is available. Mitigations have been shared with affected customers, but they may reduce some platform functionalities to prevent exploitation. CentreStack is widely used by thousands of businesses across 49 countries, indicating a significant potential impact if the vulnerability is not addressed promptly. Organizations using these products should implement recommended mitigations immediately to protect against potential exploitation.
2025-10-10 18:11:54 bleepingcomputer MISCELLANEOUS Free Cybersecurity Guide Offers Practical Defense Strategies for All
"Cybersecurity For Dummies, 3rd Edition" is currently available for free, offering critical insights into building effective digital defenses against modern cyber threats. Authored by cybersecurity expert Joseph Steinberg, the book simplifies complex cybersecurity concepts into actionable guidance suitable for individuals and organizations. The guide addresses a range of threats, including ransomware, data breaches, and social engineering, making it a valuable resource for comprehensive security planning. The offer is valid until October 22, 2025, through TradePub, requiring registration to download the eBook at no cost. This initiative is part of a partnership with BleepingComputer.com, which benefits from commissions on leads generated through TradePub. As cyber threats continue to evolve, resources like this are essential for staying informed and prepared against potential attacks.
2025-10-10 16:51:22 bleepingcomputer VULNERABILITIES Apple Expands Bug Bounty Program, Offers Up to $5 Million Rewards
Apple has revamped its bug bounty program, significantly increasing rewards to a maximum of $5 million, aiming to attract more security researchers to identify critical vulnerabilities. The highest reward of $2 million is designated for zero-click remote code execution vulnerabilities, which require no user interaction and are similar to mercenary spyware attacks. New categories and increased payouts include challenges like bypassing Gatekeeper without user interaction and unauthorized iCloud access, which Apple notes have not yet been reported. The program now includes vulnerabilities in Apple-developed chips, with the wireless proximity award increasing from $250,000 to $1 million, reflecting a focus on hardware security. Apple plans to distribute 1,000 secured iPhone 17 devices in 2026 to high-risk civil society organizations, enhancing protection against sophisticated spyware threats. Advanced security measures such as Lockdown Mode and Memory Integrity Enforcement in iOS aim to make spyware attacks more costly and difficult to execute. The initiative is expected to deter the development of complex attack chains by offering substantial financial incentives for vulnerability reporting, potentially reducing the prevalence of spyware.
2025-10-10 14:25:27 theregister CYBERCRIME Researchers Foil Pro-Russia Hacktivist Group with Fake Water Plant
Forescout successfully tricked the pro-Russia hacktivist group TwoNet into attacking a decoy critical-infrastructure system, leading to the group's premature shutdown. TwoNet believed they compromised a water treatment plant, boasting about the attack on their Telegram channel, which was later revealed to be a honeypot. The group exploited default credentials and a known vulnerability (CVE-2021-26829) to tamper with the honeypot's systems, including disabling alarms and defacing screens. TwoNet's operations were characterized by DDoS attacks and a brief attempt to expand into broader cybercrime services, including ransomware affiliate schemes. Forescout's initiative underscores the importance of robust security measures for operational technology and industrial control systems to prevent real-world breaches. The incident highlights the need for skepticism and thorough monitoring of claims made by hacktivist groups, as they often blend real incidents with exaggeration. The case serves as a reminder of the evolving threat landscape, where groups may transition from DDoS attacks to more destructive activities, posing significant risks to critical infrastructure.
2025-10-10 14:25:27 thehackernews MALWARE Stealit Malware Exploits Node.js SEA Feature in Latest Campaign
Fortinet FortiGuard Labs identified Stealit malware leveraging Node.js' Single Executable Application feature to distribute payloads via fake game and VPN installers. The malware utilizes the open-source Electron framework, enabling execution on systems without a pre-installed Node.js runtime. Stealit is propagated through counterfeit installers on platforms like Mediafire and Discord, targeting both Windows and Android systems. The malware offers functionalities such as file extraction, webcam control, live screen monitoring, and ransomware deployment, available through subscription plans. A Base64-encoded authentication key is used to authenticate with the command-and-control server and manage victim control dashboards. Stealit configures Microsoft Defender Antivirus exclusions to avoid detection, employing anti-analysis checks against virtual or sandboxed environments. This campaign exploits the novelty of Node.js SEA, potentially bypassing security applications and surprising malware analysts.
2025-10-10 14:04:53 bleepingcomputer MISCELLANEOUS VMware Certification Enhances IT Careers with Strategic Leadership Skills
VMware certification is pivotal in transforming IT professionals into strategic leaders, equipping them with essential skills for managing complex, hybrid, multi-cloud environments. The certification provides a structured framework that empowers IT professionals to confidently tackle infrastructure challenges and drive strategic initiatives. Participation in the VMUG Advantage community offers access to hands-on labs, exam prep tools, and a global network for knowledge sharing and professional growth. Certification shifts the mindset from short-term problem-solving to long-term architectural planning, fostering proactive strategies over reactive operations. IT professionals report significant career advancements post-certification, transitioning from system administrators to architects and IT leaders. VMUG Advantage membership provides valuable resources, including exam discounts and access to personal-use VCP licenses, enhancing career development opportunities. The initiative supports continuous learning and professional development, crucial for maintaining relevance in the rapidly evolving IT landscape.
2025-10-10 13:32:30 theregister CYBERCRIME Cybercriminals Exploit University Payroll Systems in Phishing Attacks
Microsoft's Threat Intelligence team reports a cybercrime group, Storm-2657, targeting US university payroll systems since March 2025, redirecting salaries to attacker-controlled accounts. The attack involves phishing emails to harvest MFA codes using adversary-in-the-middle techniques, compromising HR and email accounts without exploiting Workday software flaws. Once access is gained, attackers alter payroll settings in systems like Workday, rerouting paychecks while hiding or deleting HR-related emails to avoid detection. The campaign has compromised 11 accounts across three universities, sending phishing emails to nearly 6,000 accounts at 25 universities, using fake HR updates and illness alerts. Microsoft highlights the vulnerability of legacy MFA systems, advising the adoption of phishing-resistant methods such as FIDO2 keys and Windows Hello to bolster security. Universities are urged to enhance cross-system visibility, correlating telemetry between Exchange Online and Workday to detect suspicious activities and prevent future breaches. Immediate response actions include resetting compromised credentials, removing unauthorized MFA devices, and reverting fraudulent payroll changes to mitigate financial losses.
2025-10-10 13:32:30 thehackernews CYBERCRIME Microsoft Alerts to Payroll Pirates Hijacking HR SaaS Accounts
Microsoft has identified Storm-2657, a threat actor targeting U.S. organizations, specifically higher education sectors, to hijack HR SaaS accounts and divert employee salaries. The attacks exploit social engineering and inadequate multi-factor authentication (MFA) protections, rather than security vulnerabilities in the HR software platforms. Initial access is gained through phishing emails designed to capture credentials and MFA codes via adversary-in-the-middle phishing links. Attackers modify salary payment configurations and enroll their phone numbers as MFA devices to maintain access and redirect payments. Compromised accounts are used to send additional phishing emails, reaching nearly 6,000 accounts across 25 universities, using lures related to illnesses or misconduct. Microsoft recommends adopting phishing-resistant MFA methods, such as FIDO2 security keys, and monitoring for suspicious account activity to mitigate risks. The campaign, dubbed Payroll Pirates, has been observed since March 2025, with 11 accounts compromised at three universities.
2025-10-10 11:51:35 thehackernews VULNERABILITIES Fortra Discloses Exploitation Timeline of Critical GoAnywhere Flaw
Fortra investigated CVE-2025-10035, a critical flaw in GoAnywhere MFT, exploited since September 11, 2025, following a customer report of suspicious activity. The vulnerability affects customers with an admin console exposed to the public internet, though other web-based components remain unaffected. Fortra swiftly released a hotfix for affected software versions and issued full patched releases by September 15, demonstrating rapid response to mitigate risks. Law enforcement was notified, and customers were advised to restrict internet access to admin consoles, enable monitoring, and maintain updated software. The vulnerability involves a deserialization flaw in the License Servlet, allowing command injection without authentication, exploited by Storm-1175 to deploy Medusa ransomware. Uncertainty remains over how attackers obtained private keys necessary for exploitation, raising concerns about potential cryptographic circumvention. The incident underscores the importance of securing admin interfaces and maintaining vigilance against unauthorized activities in enterprise environments.
2025-10-10 11:00:50 thehackernews MISCELLANEOUS AI-Driven Security Operations Centers Transform Cyber Defense Strategies
The Security Operations Center (SOC) landscape is evolving with AI-powered platforms, enhancing detection, response, and adaptation capabilities by integrating advanced technologies into traditional security frameworks. Current AI SOC adoption remains low, with Gartner estimating only 1–5% penetration, yet the transition to AI-enhanced operations is increasingly recognized as essential for modern cybersecurity. Advanced AI SOC platforms employ mesh agentic architectures, utilizing multiple AI agents to autonomously manage specialized SOC tasks, improving efficiency and reducing the need for constant human intervention. Leading AI SOC systems integrate seamlessly with existing tools and workflows, minimizing disruption and maximizing operational effectiveness without requiring extensive retraining of security personnel. Continuous learning loops in AI platforms enable adaptive responses, refining AI models based on past decisions and analyst feedback to enhance future incident management. The rise of agentic AI, exemplified by platforms like Conifers.ai's CognitiveSOC™, offers scalable solutions that augment entire SOC pipelines, providing tailored, context-aware security operations. While full autonomy remains aspirational, AI in SOCs is crucial for scaling human expertise, addressing analyst burnout, and mitigating talent shortages in the face of escalating cyber threats.
2025-10-10 10:51:23 thehackernews MALWARE Malicious npm Packages Exploited in Credential Phishing Campaign
Researchers identified 175 malicious npm packages used in a credential phishing campaign named Beamglea, targeting over 135 companies in industrial, technology, and energy sectors globally. The packages, collectively downloaded 26,000 times, serve as infrastructure for phishing attacks, redirecting victims to credential harvesting pages via npm's public registry and unpkg.com's CDN. The campaign employs a Python script to generate npm packages with randomized names, embedding victim-specific phishing URLs and email addresses into HTML files. Attackers exploit npm and UNPKG for hosting phishing infrastructure, using JavaScript to redirect victims to fake Microsoft login pages, pre-filling email fields to enhance credibility. The phishing infrastructure is cost-effective, leveraging npm's open registry and trusted CDN services, creating a model that could be replicated by other threat actors. The campaign's success illustrates the evolving tactics of threat actors, emphasizing the need for continuous adaptation by cybersecurity defenders to counter such innovative strategies. Security teams should scrutinize npm package installations and educate users on recognizing phishing attempts, particularly those involving pre-filled credential forms.
2025-10-10 10:27:37 theregister CYBERCRIME Authorities Dismantle BreachForums Amidst Scattered Lapsus$ Extortion Campaign
US and French authorities have seized BreachForums, a cybercriminal marketplace operated by Scattered Lapsus$ Hunters, targeting Salesforce and its clients in an extortion scheme. The seizure was executed by the US Department of Justice and the FBI, with support from French cyber police and the Paris prosecutor's office. The group, known as the "Trinity of Chaos," had used BreachForums to threaten the release of a billion-record haul of Salesforce customer data. Despite the takedown, Scattered Lapsus$ Hunters continue operations on the dark web, maintaining threats against high-profile companies like Disney, UPS, and Toyota. Salesforce has publicly refused to negotiate or pay any ransom demands, asserting no compromise of its platform or related vulnerabilities. The extortion campaign is linked to historical breaches, exploiting OAuth tokens from a Salesforce integration, rather than a new security incident. The swift action by law enforcement disrupts the group's operations, though the threat of data release remains if ransom demands are unmet. The incident underscores the ongoing challenge of cybercriminal groups leveraging past data breaches for extortion purposes.
2025-10-10 09:50:56 theregister DATA BREACH UK Union Prospect Reports Data Breach Affecting Up to 160,000 Members
UK trade union Prospect disclosed a data breach impacting up to 160,000 members, including sensitive personal details such as sexual orientation and disabilities. The breach occurred in June 2025, but members were only notified recently, raising concerns about the delay in communication. Affected members include professionals from prominent organizations like BT Group, BAE Systems, and the Ministry of Defence. Prospect engaged external cybersecurity experts to investigate and mitigate the breach, ensuring no significant operational impact occurred. The union is providing 12 months of credit and identity monitoring through Experian, urging members to act before the October 30 deadline. Members are advised to enhance personal security by using strong passwords, enabling multi-factor authentication, and monitoring financial statements for irregularities. The Information Commissioner's Office has been informed, and ongoing investigations aim to fully understand the breach's scope and implications.