Daily Brief

Articles found below, each with a generated summary

2025-12-05 16:39:58 bleepingcomputer CYBERCRIME FBI Alerts Public to Virtual Kidnapping Scams Using Social Media Photos
The FBI issued a warning about virtual kidnapping scams in which criminals use altered social media images as fake proof of life to extort ransoms. Scammers contact victims by text, claim to have kidnapped a family member, and demand immediate payment under threats of violence. No abduction has taken place; the criminals rely on manipulated images and publicly available information to build a convincing scenario. The FBI recommends verifying any such claim by checking the photo for inconsistencies and using a family code word for emergencies. Protective measures include not sharing personal details with strangers and taking care when posting about missing persons online. Victims are encouraged to screenshot suspicious messages for later analysis, because scammers often allow only a brief look at the fake proof-of-life photo. The FBI has not disclosed how many complaints it has received but acknowledges multiple instances of similar scams that spoof phone numbers.
2025-12-05 16:24:36 thehackernews VULNERABILITIES Critical XXE Vulnerability in Apache Tika Demands Immediate Attention
A severe XML external entity (XXE) injection vulnerability, CVE-2025-66516, has been identified in Apache Tika, affecting multiple modules and rated 10.0 on the CVSS scale. The flaw lies in how XML data is processed and can be triggered through crafted XFA files embedded in PDFs; exploitation could expose files on the server and, according to the report, lead to remote code execution. Affected modules are tika-core (1.13 through 3.2.1), tika-pdf-module (2.0.0 through 3.2.1) and tika-parsers (1.13 through 1.28.5), on all platforms. The vulnerability expands on an earlier issue, CVE-2025-54988, by affecting additional components, so a fix applied for the earlier CVE alone may not be sufficient. Users are urged to upgrade to tika-core 3.2.2 or later. Unpatched systems remain exposed to file disclosure and the operational disruption that follows a breach; organizations should prioritize this patch and inventory the applications that bundle Tika as a dependency, since it is often pulled in transitively by search and document-ingestion software.
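The Tika issue above is an XML external entity (XXE) bug. As an added example, not Apache Tika's code and not the XFA code path the advisory concerns, the Python standard-library pair below shows the mechanism: the same constructed payload is fed to a parser that resolves external general entities (the file leaks into the parsed text) and to a parser that refuses any document carrying a DTD. The secret file, its contents and the payload are all constructed for this demonstration.

```python
"""Added example: XML external entity (XXE) disclosure and a hardened parser.

Uses Python's standard library, not Apache Tika; it shows the mechanism
behind an XXE bug, not the Tika/XFA code path from the advisory."""
import io
import os
import tempfile
import xml.sax
from xml.parsers import expat
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """SAX handler that concatenates all character data it sees."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


def xxe_payload(path):
    """Classic file-disclosure XXE document (constructed sample). The DTD
    declares an external general entity backed by a local file and the body
    dereferences it; a parser that resolves external entities inlines the file."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE doc [\n"
        f'  <!ENTITY xxe SYSTEM "file://{path}">\n'
        "]>\n"
        "<doc><field>&xxe;</field></doc>\n"
    ).encode()


def parse_unsafe(xml_bytes):
    """Vulnerable configuration: external general entities are resolved, so
    &xxe; expands to the referenced file's contents and comes back as text."""
    collector = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, True)  # the dangerous switch
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def parse_safe(xml_bytes):
    """Hardened configuration: reject any document that carries a DOCTYPE.
    With no DTD there are no user-declared entities, which removes external
    entity disclosure and entity-expansion denial of service in one step."""
    parts = []

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise ValueError(f"DTD not allowed (DOCTYPE {doctype_name})")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.CharacterDataHandler = parts.append
    parser.Parse(xml_bytes, True)
    return "".join(parts).strip()


def run_demo(secret="hunter2"):
    """Write a throwaway secret file, feed the same XXE payload to both parsers
    and report what each yielded. Returns a dict so the result can be checked."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret)
    try:
        payload = xxe_payload(fh.name)
        leaked = parse_unsafe(payload)
        try:
            parse_safe(payload)
            safe_error = None
        except ValueError as exc:
            safe_error = str(exc)
    finally:
        os.unlink(fh.name)
    return {"unsafe": leaked, "safe_error": safe_error}


if __name__ == "__main__":
    print(run_demo())
```

The same two-step audit applies to any XML-consuming component, Tika included: find out whether the parser it uses resolves external entities or loads DTDs at all, and prefer a configuration that rejects DOCTYPE outright over one that merely disables external fetching, because the latter still leaves internal-entity expansion attacks available.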
2025-12-05 15:02:41 bleepingcomputer VULNERABILITIES Continuous Reconnaissance Essential for Modern Attack Surface Management
Traditional passive internet-scan data often fails to provide a complete picture of an organization's attack surface, leading to outdated and incomplete security insights. Modern infrastructures are dynamic, with cloud services and development deployments changing daily, necessitating continuous, automated reconnaissance for accurate visibility. Passive datasets frequently miss ephemeral assets such as temporary testing services and auto-scaled cloud nodes, which attackers can exploit. Continuous reconnaissance involves automated, environment-aware checks that adapt to infrastructure changes, ensuring up-to-date exposure verification. Sprocket Security advocates for daily automated checks to discover and validate exposures, enhancing decision-making and reducing alert fatigue. Implementing continuous visibility helps prioritize risks accurately, reducing time spent on irrelevant or outdated findings and improving overall security posture. Organizations are encouraged to adopt continuous reconnaissance as a foundational element of their attack surface management strategy to prevent avoidable incidents.
2025-12-05 14:56:57 theregister CYBERCRIME Asus Supplier Breach Exposes Camera Code Amid Ransomware Claims
Asus confirmed a third-party supplier was compromised by the Everest ransomware group, affecting some camera source code for Asus phones. The hardware giant stated there was no impact on its own systems, products, or customer privacy, focusing the breach on the supplier. Everest claims to have exfiltrated 1 TB of data from Asus, ArcSoft, and Qualcomm, including source code, AI models, and internal tools. Asus is enhancing its supply chain security to align with cybersecurity standards, though it did not disclose the vendor or specific stolen content. The breach coincides with recent reports of a separate attack on Asus routers, heightening scrutiny on the company's overall security measures. This incident raises concerns about the robustness of supply chain security and the potential exposure of proprietary or sensitive data. The situation underscores the need for robust vendor management and proactive security practices to mitigate third-party risks.
2025-12-05 14:41:29 bleepingcomputer DATA BREACH EU Fines X $140 Million for DSA Non-Compliance on Blue Checkmarks
The European Commission has fined X, formerly known as Twitter, €120 million ($140 million) for violating the transparency obligations of the Digital Services Act (DSA). This is the first non-compliance ruling under the DSA, which requires platforms to remove harmful content and protect users across the EU. A two-year investigation found X's 'blue checkmark' system misleading, because the badge could be bought without meaningful identity verification, increasing the risk of fraud and manipulation. X's advertising database also failed the transparency requirements, with accessibility problems and delays that hindered the detection of scams and false advertising. Researchers faced barriers to accessing public data, limiting their ability to study systemic risks affecting European users. X must address the blue checkmark violations within 60 days and submit plans to fix research access and advertising issues within 90 days. The Commission warned that failure to comply could result in additional periodic penalties.
2025-12-05 14:13:24 theregister NATION STATE ACTIVITY Chinese State-Linked Groups Exploit Critical React Vulnerability Rapidly
Amazon reports that Chinese state-backed hackers targeted the critical React "React2Shell" vulnerability within hours of its disclosure. AWS threat intelligence, using its MadPot honeypot network, observed active exploitation attempts by groups such as Earth Lamia and Jackpot Panda. The vulnerability, CVE-2025-55182, allows remote code execution through unsafe deserialization in React's server-side packages and reportedly affects 39% of cloud environments. AWS has implemented mitigations across its services but stresses that these are no substitute for patching; immediate updates are advised for affected systems. Some industry experts caution against overreaction, noting the risk of self-inflicted outages from emergency changes, as seen in a recent Cloudflare incident. The rapid exploitation by state actors underlines the need to patch promptly, and the widespread use of React makes swift action critical for affected infrastructure.
2025-12-05 14:13:24 thehackernews NATION STATE ACTIVITY Chinese Hackers Exploit React2Shell Vulnerability for Global Cyber Attacks
Two Chinese-linked hacking groups, Earth Lamia and Jackpot Panda, have been exploiting the React2Shell vulnerability (CVE-2025-55182) within hours of its disclosure, targeting various global sectors. The React2Shell vulnerability, with a CVSS score of 10.0, allows unauthenticated remote code execution and has been patched in React versions 19.0.1, 19.1.2, and 19.2.1. Amazon Web Services identified exploitation attempts through its MadPot honeypot infrastructure, tracing activity back to IP addresses linked to known Chinese state-sponsored actors. Earth Lamia has previously targeted critical sectors such as financial services and government organizations across Latin America, the Middle East, and Southeast Asia. Jackpot Panda, active since at least 2020, has focused on online gambling operations in East and Southeast Asia, using trusted third-party relationships to deploy malicious implants. Recent attacks by Jackpot Panda have targeted Chinese-speaking victims, suggesting possible domestic surveillance efforts, using a trojanized installer for the CloudChat application. AWS reported that the threat actors are also exploiting other vulnerabilities, indicating a systematic approach to scanning for unpatched systems and maximizing attack opportunities.
2025-12-05 13:56:55 bleepingcomputer VULNERABILITIES Cloudflare Outage Linked to Emergency React2Shell Vulnerability Patch
Cloudflare experienced a global outage due to an emergency patch for a critical remote code execution flaw in React Server Components, affecting numerous websites with "500 Internal Server Error" messages. The incident was not a cyberattack but a result of a change in Cloudflare's Web Application Firewall to address the newly disclosed React2Shell vulnerability, tracked as CVE-2025-55182. React2Shell impacts the React JavaScript library and dependent frameworks, allowing unauthenticated remote code execution via malicious HTTP requests. Vulnerable React versions include 19.0 to 19.2.0, with exploitation already reported by China-linked hacking groups such as Earth Lamia and Jackpot Panda. The NHS England National CSOC warns of the high likelihood of continued successful exploitation, with multiple proof-of-concept exploits available. This incident follows previous Cloudflare outages, highlighting ongoing challenges in maintaining stable network operations amidst urgent security updates. Organizations using React and its frameworks should promptly apply patches and monitor for unusual activity to mitigate potential exploitation risks.
2025-12-05 13:11:30 bleepingcomputer DATA BREACH Inotiv Faces Data Breach After August Ransomware Attack
Inotiv, a U.S.-based pharmaceutical firm, experienced a ransomware attack in August 2025, affecting its operations and compromising personal data. The breach impacted 9,542 individuals, including current and former employees, their families, and others connected to Inotiv. The attack disrupted business operations by taking down networks and systems, but Inotiv has since restored access and functionality. The Qilin ransomware group, known for its Ransomware-as-a-Service model, claimed responsibility, alleging the theft of over 162,000 files totaling 176 GB. Inotiv has not confirmed the types of data stolen nor attributed the attack to a specific group, despite Qilin's claims. The incident underscores the ongoing threat of ransomware to critical sectors, emphasizing the need for robust cybersecurity measures. Inotiv's disclosure to the SEC and notification to affected individuals demonstrate compliance with regulatory requirements and transparency.
2025-12-05 11:48:18 thehackernews NATION STATE ACTIVITY Intellexa's Predator Spyware Targets Civil Society with Zero-Day Exploits
Amnesty International reports Intellexa's Predator spyware targeting a Pakistani human rights lawyer via a WhatsApp link, marking its first known use against civil society in the country. The investigation, in collaboration with international media, reveals Predator's use of zero-day exploits to infiltrate Android and iOS devices, leveraging both 1-click and zero-click methods. Technical analysis shows Predator's ability to exploit browser vulnerabilities, including CVE-2023-41993, to gain device access and exfiltrate sensitive data. Google Threat Intelligence Group links Intellexa to multiple zero-day exploits, indicating potential third-party sourcing for these vulnerabilities. The spyware can activate microphones and cameras, posing significant privacy risks, and has been detected in over a dozen countries, suggesting widespread deployment. U.S. sanctions have targeted Intellexa and its executives for civil liberties violations, yet Predator-related activities continue across various regions. Intellexa's alleged remote access to customer surveillance logs raises concerns about human rights due diligence and potential legal liabilities for misuse. Intellexa employs malicious ads to deliver exploits, with Google collaborating to dismantle associated advertising networks and accounts.
2025-12-05 11:34:16 thehackernews MISCELLANEOUS Transforming MSP Sales: Building Trust Over Traditional Tactics
The "Getting to Yes" guide offers MSPs strategies to convert sales resistance into trust, emphasizing partnership over persuasion in cybersecurity service delivery. Traditional sales methods often fail as prospects are overwhelmed by technical jargon and fear-based messaging, leading to skepticism and stalled conversations. The guide suggests a trust-first framework with pillars of empathy, education, and evidence to align cybersecurity services with business outcomes like uptime and revenue. MSPs are encouraged to replace complex language with clear, value-driven communication, demonstrating how cybersecurity supports business continuity and compliance. Automation tools, such as Cynomi, are recommended to make trust-building scalable and consistent, enhancing client relationships and showcasing measurable progress. Successful MSPs act as trusted advisors, guiding clients to understand the intersection of risk and business impact, fostering long-term partnerships through clarity and confidence. By focusing on education and transparency, the guide aims to shift conversations from selling to collaborative problem-solving, promoting resilience and growth.
2025-12-05 11:27:40 bleepingcomputer VULNERABILITIES React2Shell Vulnerability Exploited by China-Linked Threat Actors
React2Shell, a critical deserialization vulnerability in React and Next.js, is being actively exploited by China-linked threat groups Earth Lamia and Jackpot Panda. The flaw, identified as CVE-2025-55182, allows unauthenticated remote code execution, affecting numerous projects using these popular frameworks. AWS reports immediate exploitation attempts following the vulnerability's disclosure, with attacks targeting sectors such as finance, logistics, and government across multiple regions. Proof-of-concept exploits have been published, raising the risk of widespread exploitation, despite security updates from React and Next.js. AWS honeypots detected activity from China-based infrastructure, complicating attribution due to shared anonymization techniques among threat actors. Observed attacks involve manual testing and iterative payload adjustments, indicating active debugging efforts by attackers to refine their techniques. Assetnote has released a scanner to help organizations identify vulnerable environments, emphasizing the need for prompt patching and monitoring.
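The React2Shell items above give a concrete version picture: 19.0.0 through 19.2.0 is the affected range, and the fixes shipped as 19.0.1, 19.1.2 and 19.2.1. As an added example (not the Assetnote scanner mentioned above and not React project code), the Python script below flags lockfile entries in that range, including installs nested under another package, which `npm ls` output and a quick grep of package.json both miss. Which npm packages to check is an assumption here, set to the React Server Components bundler packages; extend the list to whatever the vendor advisory for your stack names, including react and react-dom if it says so. The lockfile is constructed for the example.

```python
"""Added example: flag package-lock.json entries in the React2Shell-affected
range (19.0.0-19.2.0, fixed in 19.0.1 / 19.1.2 / 19.2.1, per the coverage).
The package list is an assumption and is a parameter for that reason."""
import json
import re

# Fixed patch level for each affected 19.x minor, from the reported fix versions.
FIX_PATCH = {0: 1, 1: 2, 2: 1}

# Assumed package list (React Server Components bundler packages). Adjust to
# the advisory for your stack.
RSC_PACKAGES = (
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
)

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$")


def is_affected(version):
    """True when `version` falls in the reported vulnerable range. A pre-release
    of a fixed version (e.g. 19.2.1-canary-...) sorts below the fix under semver
    and is therefore treated as affected."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3])
    prerelease = m[4]
    if major != 19 or minor not in FIX_PATCH:
        return False
    fix = FIX_PATCH[minor]
    return patch < fix or (patch == fix and prerelease is not None)


def scan_lockfile(lock, packages=RSC_PACKAGES):
    """Walk the `packages` map of a lockfileVersion 2/3 package-lock.json.
    Keys look like node_modules/<name> or node_modules/<parent>/node_modules/<name>,
    so the package name is whatever follows the last node_modules/ segment.
    Returns (path, version) for every affected install."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # the "" key is the root project itself
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "0.0.0")  # link entries carry no version
        if name in packages and is_affected(version):
            findings.append((path, version))
    return findings


# Constructed lockfile: one top-level affected install, one nested affected
# install under next, and one already-patched package.
SAMPLE_LOCK = json.loads("""
{
  "name": "app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "app", "version": "1.0.0"},
    "node_modules/react": {"version": "19.2.0"},
    "node_modules/react-dom": {"version": "19.2.0"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
    "node_modules/next/node_modules/react-server-dom-webpack": {"version": "19.1.1"},
    "node_modules/react-server-dom-turbopack": {"version": "19.2.1"}
  }
}
""")

if __name__ == "__main__":
    for path, version in scan_lockfile(SAMPLE_LOCK):
        print(f"AFFECTED {path} {version}")
```

A per-minor fix table is used instead of a single `< 19.2.1` comparison because 19.0.1 and 19.1.2 are backported fixes that sort below 19.2.0: a one-sided comparison either marks the backports as vulnerable or marks 19.2.0 as safe. Run the scan against every lockfile in the build, not only the repository root, since a framework can vendor its own copy of the affected package.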
2025-12-05 11:21:50 theregister MISCELLANEOUS UK Expands Facial Recognition Amidst Civil Liberties Concerns
The UK government is advancing plans to enhance police use of facial recognition, despite significant opposition from civil liberties groups. A new Home Office consultation proposes a legal framework to govern the use of facial recognition and other biometric technologies. The government argues that a unified legal regime is necessary to replace the current fragmented system of common law and data protection rules. The Home Office cites facial recognition's success in aiding 1,300 arrests, including serious offenders, as justification for its expansion. Critics, including Big Brother Watch, warn that increased use of facial recognition could lead to an authoritarian surveillance state. The Home Office has allocated £6.6 million this year for the development and evaluation of a national facial-matching service. Concerns persist regarding privacy implications, with calls for clear data storage rules and compliance with GDPR standards. The proposal aims to clarify legal ambiguities, but civil rights groups fear it may facilitate broader surveillance in public spaces.
2025-12-05 09:31:52 theregister MISCELLANEOUS Navigating Online Misinformation: Strategies for Identifying Truth on the Internet
The article addresses the pervasive issue of misinformation online, exacerbated by bots and AI-driven content, affecting platforms like X (formerly Twitter) and its AI system, Grok. A new feature on X, "About this account," revealed that many pro-Trump accounts were operated from non-US locations, indicating bot-driven propaganda. Grok, an AI system, initially identified misinformation as a major threat but was altered by Elon Musk to reflect his personal views, showcasing the influence of biases in AI responses. The article suggests skepticism, verification habits, and technical checks as essential tools for discerning truth, emphasizing the importance of recognizing bias in information consumption. It recommends using fact-checking sites and reverse image searches to verify claims and images, noting the increasing difficulty in detecting deepfakes and AI-generated content. The piece warns against the erosion of trust in traditional sources, including government websites, due to political influences, urging reliance on reputable and unbiased sources. The challenges of distinguishing real from fake content are highlighted, underscoring the need for continuous vigilance and critical evaluation of online information.
2025-12-05 08:18:49 thehackernews NATION STATE ACTIVITY Chinese BRICKSTORM Backdoor Targets U.S. Government and IT Sectors
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed the use of BRICKSTORM by PRC-backed hackers to maintain long-term access to U.S. systems, specifically targeting VMware and Windows environments. BRICKSTORM, written in Go, lets the operators execute commands, manipulate files and retain stealthy access, using HTTPS and DNS-over-HTTPS for its command-and-control traffic. The malware has been linked to the Chinese groups UNC5221 and Warp Panda and used against U.S. legal, technology and manufacturing organizations, with intrusions detected in VMware vCenter environments. Initial access typically comes through exploitation of internet-facing devices, after which the attackers move laterally to domain controllers over Remote Desktop Protocol (RDP) and exfiltrate cryptographic keys. CrowdStrike described Warp Panda's operations, including the deployment of two further Go implants, Junction and GuestConduit, for network traffic tunneling and command execution. The attackers have also reached data in cloud environments, abusing Microsoft Azure access to get at OneDrive, SharePoint and Exchange content, consistent with intelligence collection aligned with PRC interests. The Chinese embassy in Washington denied the accusations, asserting that the Chinese government does not support cyber attacks. The activity reflects a tactical evolution in Chinese cyber operations and underlines the need for defenses against state-sponsored threats.
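The BRICKSTORM item above says the implant talks to its operators over HTTPS and DNS-over-HTTPS, which hides the lookups from ordinary DNS monitoring. As an added example, not CISA's or CrowdStrike's detection content, the Python script below hunts for that pattern in web proxy logs: it isolates DoH requests to resolvers the enterprise has not sanctioned, scores each source/resolver pair for timer-like regularity, and, for RFC 8484 GET requests, decodes the `dns=` parameter to show what was looked up. The log format, the approved-resolver list and the sample lines are all constructed for this example; the DoH markers (the /dns-query path and the application/dns-message media type) come from RFC 8484.

```python
"""Added example: hunting DNS-over-HTTPS command-and-control in proxy logs.
Log format, approved resolvers and sample lines are constructed; the DoH
markers (/dns-query, application/dns-message) are from RFC 8484."""
import base64
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Resolvers the enterprise actually sanctions for DoH (assumed).
APPROVED_RESOLVERS = {"doh.corp.example"}

# Constructed proxy log: ts src_ip dst_host method path content_type
SAMPLE_LOG = """\
2025-12-05T09:00:00 10.1.4.22 doh.corp.example POST /dns-query application/dns-message
2025-12-05T09:00:01 10.1.4.22 www.example.org GET / text/html
2025-12-05T09:00:00 10.1.7.90 cdn-edge-415.example.net POST /dns-query application/dns-message
2025-12-05T09:01:00 10.1.7.90 cdn-edge-415.example.net POST /dns-query application/dns-message
2025-12-05T09:02:00 10.1.7.90 cdn-edge-415.example.net POST /dns-query application/dns-message
2025-12-05T09:03:01 10.1.7.90 cdn-edge-415.example.net POST /dns-query application/dns-message
2025-12-05T09:04:00 10.1.7.90 cdn-edge-415.example.net POST /dns-query application/dns-message
2025-12-05T09:00:30 10.1.5.14 dns.example.com GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB application/dns-message
2025-12-05T09:12:30 10.1.5.14 dns.example.com GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB application/dns-message
"""


def parse_log(text):
    """Split the constructed whitespace-separated format into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, method, path, ctype = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "host": host,
                     "method": method, "path": path, "ctype": ctype})
    return rows


def is_doh(row):
    """RFC 8484 traffic: the /dns-query path or the DNS wire-format media type."""
    return row["path"].split("?", 1)[0] == "/dns-query" or row["ctype"] == "application/dns-message"


def decode_dns_param(path):
    """For RFC 8484 GET requests, decode the base64url `dns=` wire message and
    return the first question name; None for POST or non-DoH paths."""
    if "?dns=" not in path:
        return None
    raw = path.split("?dns=", 1)[1].split("&", 1)[0]
    raw += "=" * (-len(raw) % 4)  # base64url omits padding
    msg = base64.urlsafe_b64decode(raw)
    labels, pos = [], 12  # the question section follows the 12-byte header
    while pos < len(msg) and msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels) or None


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between requests. Near 0 means a
    fixed timer, typical of implant check-ins and rare for people; None when
    there are too few requests to say."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else None


def find_doh_c2(log_text, approved=APPROVED_RESOLVERS, max_cv=0.2):
    """One finding per (source, resolver) pair using DoH to an unapproved
    resolver; pairs that also check in on a regular timer are marked 'beacon'."""
    groups = defaultdict(list)
    for row in parse_log(log_text):
        if is_doh(row) and row["host"] not in approved:
            groups[(row["src"], row["host"])].append(row)
    findings = []
    for (src, host), rows in groups.items():
        cv = beacon_score([r["ts"] for r in rows])
        names = sorted({n for n in (decode_dns_param(r["path"]) for r in rows) if n})
        findings.append({
            "src": src, "resolver": host, "requests": len(rows),
            "verdict": "beacon" if cv is not None and cv <= max_cv else "unapproved-doh",
            "gap_cv": None if cv is None else round(cv, 3),
            "queried_names": names,
        })
    return findings


if __name__ == "__main__":
    for f in find_doh_c2(SAMPLE_LOG):
        print(f)
```

Treat the output as a lead, not a verdict: browsers with built-in DoH produce the same unapproved-resolver pattern, so the next pivot is the originating process, the TLS fingerprint and the reputation of the resolver host, and a real hunt should key on the user agent or process name where the proxy records it. The beacon score is deliberately simple; jittered implants defeat a plain coefficient-of-variation threshold, and a longer window with a histogram of gaps is the usual next step.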