Daily Brief

Articles are listed below, each followed by its generated summary

Total articles found: 11755

Checks for new stories every ~15 minutes

2025-10-09 14:15:18 bleepingcomputer DATA BREACH SonicWall Cloud Backup Breach Exposes Firewall Configurations Globally
SonicWall confirmed that every customer using its cloud backup service was affected by a breach that exposed firewall configuration backup files to unauthorized access. The files are stored through MySonicWall, the portal used to manage product access and cloud backups. Credentials inside the exposed files are AES-256 encrypted, but the configuration data itself (network settings and policies) can make targeted exploitation of the firewalls easier. SonicWall engaged Mandiant to investigate and advises customers to reset account credentials and follow its remediation guidance. Roughly 5% of SonicWall firewall customers use the cloud backup service, and all of them are now confirmed affected. Customers can check whether their devices are impacted under 'Product Management → Issue List' in MySonicWall, and should keep monitoring MySonicWall alerts for updates on affected devices and further protective steps.
2025-10-09 13:52:41 thehackernews DATA BREACH SonicWall Data Breach Exposes Cloud Firewall Backup Files
SonicWall disclosed unauthorized access to firewall configuration backup files belonging to customers who use its cloud backup service, raising concern about follow-on targeted attacks. The files contain encrypted credentials alongside configuration data, and the configuration data alone raises the risk even though the credentials are encrypted. SonicWall is notifying affected partners and customers and has released tooling to assess and remediate devices; users are urged to log in, verify their devices, and work through the assigned priority levels. The affected population is under 5% of SonicWall's customer base, namely the cloud backup users, but the contents of the files could facilitate exploitation of the related firewalls. SonicWall advises immediate action for anyone who has used the cloud backup feature and offers further guidance where serial numbers are not fully displayed in the portal. This follows SonicWall's earlier advisory telling customers to reset credentials after the backup-file exposure was first disclosed.
2025-10-09 13:34:34 theregister DATA BREACH SonicWall Cloud Backup Breach Affects All Customers, Not Just 5%
SonicWall has revealed that every customer using its MySonicWall cloud backup service was affected by the breach, contradicting earlier statements that the impact was limited. The incident involved unauthorized access to firewall configuration backup files, which hold network settings and security policies and so pose a significant risk. Initial reports suggested that fewer than 5% of customers were affected; SonicWall has since confirmed that every user of the cloud backup service was. SonicWall advises customers to delete existing cloud backups, change credentials, and recreate backups locally. The company says it has hardened its infrastructure with stronger authentication controls and additional logging, and maintains that other MySonicWall services and customer devices were not compromised. It has not identified the threat actor, nor confirmed whether any data was exfiltrated or leaked, so the full scope remains uncertain. The incident raises broader questions about the security of sensitive data held in vendor clouds and the need for robust backup strategies.
2025-10-09 12:18:31 thehackernews NATION STATE ACTIVITY North Korean Hackers Steal $2 Billion in Cryptocurrency in 2025
North Korean cyber actors have stolen an estimated $2 billion in cryptocurrency so far in 2025, the largest annual total on record. The February Bybit hack accounts for about $1.46 billion of that, with other significant thefts hitting LND.fi, WOO X, and Seedify. Targeting has shifted toward high-net-worth individuals, whose security controls are typically weaker than those of businesses. Separately, North Korean operatives use identity theft to obtain remote tech jobs, with the fraudulent IT-worker scheme reportedly contributing up to $1 billion to the regime's nuclear program over the past five years. Okta's data on the scheme shows a diverse target set: one in two employers is not a tech firm and one in four is not based in the U.S. The theft and fraud operations underscore the regime's reliance on cyber-enabled crime to fund state objectives.
2025-10-09 11:30:24 thehackernews DATA BREACH Token Theft Emerges as Key Threat in SaaS Security Breaches
Token theft is behind a growing share of SaaS breaches: stolen OAuth access tokens and API keys act as bearer credentials, so an attacker presenting one is granted access without any further authentication check, sidestepping multi-factor authentication entirely. Recent incidents at Slack, CircleCI, Cloudflare, and Salesloft show the pattern. SaaS sprawl has widened the attack surface, and many organizations have no inventory of which tokens exist or which third-party integrations hold them. Legacy security tooling does not see app-to-app connections, so the article argues for dynamic SaaS security platforms that manage and monitor token use. Practical token hygiene means identifying every token and integration, controlling what each is allowed to do, monitoring how it is used, and putting third-party app integrations through regular oversight and approval to catch over-privileged or unvetted applications.
2025-10-09 11:14:18 bleepingcomputer CYBERCRIME Hacktivist Group TwoNet Targets Decoy Water Treatment Facility
Pro-Russian hacktivist group TwoNet has shifted from DDoS to attacks on critical infrastructure, most recently claiming an intrusion into what was in fact a decoy water treatment facility. The decoy, operated by Forescout researchers to observe adversary tradecraft, captured TwoNet's methods and timeline. The group gained initial access with default credentials and then exploited an XSS vulnerability, CVE-2021-26829, to announce its presence with an HMI pop-up alert. It went on to disruptive actions, removing PLCs from the HMI to stop real-time updates and altering setpoints, without attempting privilege escalation. TwoNet also targets SCADA interfaces more broadly and advertises cybercrime services, including RaaS and hacker-for-hire, on its Telegram channel. Forescout advises critical infrastructure operators to enforce strong authentication, segment networks, and deploy protocol-aware detection. The case illustrates hacktivist groups moving from DDoS toward more sophisticated operations against operational technology and industrial control systems.
2025-10-09 09:18:36 thehackernews NATION STATE ACTIVITY AI-Powered Cyber Attacks by Russian Hackers Intensify Against Ukraine
Ukraine's State Service for Special Communications and Information Protection (SSSCIP) reported a marked rise in AI-assisted cyber attacks by Russian actors in the first half of 2025. It recorded 3,018 incidents, up from 2,575 in the second half of 2024, with local authorities and military entities facing the heaviest targeting. Notable activity includes UAC-0219's WRECKSTEEL malware against state administration and critical infrastructure, suspected to have been developed with AI tooling, and APT28 (UAC-0001) exploiting cross-site scripting flaws in Roundcube and Zimbra webmail to mount zero-click attacks that stole credentials and email data. Russian cyber operations are synchronized with kinetic military action, with Sandworm (UAC-0002) hitting energy, defense, and research targets as part of a hybrid warfare strategy. Attackers increasingly abuse legitimate services such as Dropbox and Google Drive to host malware and phishing pages and to exfiltrate data. SSSCIP stresses the need for stronger defenses and international cooperation against AI-enhanced attacks.
2025-10-09 06:59:25 thehackernews VULNERABILITIES Critical WordPress Theme Flaw Allows Unauthorized Site Takeover
A critical vulnerability in the Service Finder WordPress theme, CVE-2025-5947, lets an attacker bypass authentication and log in as any account, including administrators. Rated CVSS 9.8, the flaw stems from inadequate validation of a user cookie value during the theme's account-switching flow. Successful exploitation hands over the site, allowing the attacker to inject malicious code or host malware. All theme versions up to 6.0 are affected; version 6.1, released July 17, 2025, fixes the issue. More than 13,800 exploitation attempts have been observed since August 1, 2025, though how many succeeded is unclear. The theme has over 6,100 purchasers, so the potential impact is broad. Administrators should update to the latest version and audit their sites for suspicious activity.
2025-10-09 00:24:05 bleepingcomputer DATA BREACH Discord Data Breach Affects Millions Through Compromised Support System
Hackers claim to have taken 1.6 TB of data from Discord's Zendesk support system, covering 5.5 million users and including government ID images and partial payment information. Discord disputes the figures, saying roughly 70,000 users' government ID photos were exposed, and stresses that the breach hit a third-party service rather than its own platform. Access reportedly came through a compromised account at a business process outsourcing provider that handles Discord support. The attackers also claim the access let them disable multi-factor authentication and pull email addresses, phone numbers, and other user data. They demanded $5 million, later lowered to $3.5 million, and threatened to leak the data; Discord has refused to pay or negotiate, citing its policy of not rewarding criminal activity. The case underscores the risk carried by outsourced support vendors and their integrations.
2025-10-08 19:57:30 bleepingcomputer MALWARE New FileFix Variant Uses Cache Smuggling to Evade Detection
A new FileFix variant uses cache smuggling to plant a malicious file on the victim's machine without a visible download, posing as a Fortinet VPN Compliance Checker. It was spotted by researcher P4nd3m1cb0y and analysed in detail by Expel's Marcus Hutchins. The lure asks the user to paste a 'file path' into File Explorer; the pasted string is padded so that the PowerShell command at its start is pushed out of view, and that command extracts a malicious ZIP that the page has already smuggled into Chrome's cache disguised as an image. Because the archive arrives as a cached 'image' rather than as a download or an outbound request for an executable, tools that watch for direct downloads or suspicious web requests miss it. Threat actors, including ransomware crews, have been quick to fold the technique into their campaigns. Separately, Palo Alto Networks Unit 42 documented an IUAM ClickFix Generator kit that automates the creation of similar lures, with OS-specific payloads that widen the attack's reach. User education remains the main mitigation: never run or paste commands copied from a website.
2025-10-08 18:44:39 bleepingcomputer CYBERCRIME Qilin Ransomware Group Targets Asahi Brewery, Leaks Sensitive Data
The Qilin ransomware group has claimed responsibility for the cyberattack on Asahi, Japan's largest brewer, and says it exfiltrated more than 27 GB of data. The attack halted operations at six Asahi facilities, with potential losses of up to $335 million. As proof, the gang published 29 images including internal financial documents, employee IDs, and confidential contracts. Asahi confirmed the attack on October 3 after disruption began on September 29, and has since resumed production using a temporary manual system. Qilin operates as a ransomware-as-a-service whose affiliates are known for exploiting vulnerabilities in network edge devices and deploying credential-theft tooling; North Korean actors have been reported among those deploying it, which is the basis for the North Korea link. Asahi's flagship Super Dry is back in production, with shipping expected to resume around October 15, though full capacity has not been restored. New product launches planned for October 2025 have been postponed.
2025-10-08 17:38:15 bleepingcomputer CYBERCRIME Crimson Collective Exploits AWS for Data Theft and Extortion
The Crimson Collective threat group has been breaking into AWS environments to steal data and extort the owners, most prominently Red Hat, where it claims to have exfiltrated 570 GB from thousands of private GitLab repositories and has teamed up with Scattered Lapsus$ Hunters to increase pressure. Initial access comes from exposed AWS credentials found with tools such as TruffleHog. The group then creates new IAM users and attaches the AdministratorAccess managed policy to them, giving full control of the account, enumerates resources, resets RDS master passwords, takes database snapshots, and exports them to S3 for exfiltration, relying on permissive security groups to move the data out. Extortion notes are sent both from AWS Simple Email Service inside the compromised environment and from outside it, and the operation uses several IP addresses. Rapid7, which analysed the activity, recommends scanning your own environment for exposed secrets with tools such as S3crets Scanner to catch leaked AWS keys before attackers do. The group's size and composition are unknown, but its tradecraft is a credible threat to any AWS estate with leaked credentials.
2025-10-08 17:29:40 theregister DATA BREACH Salesforce Stands Firm Against Ransom Demands Amid Data Breach Threat
Salesforce has refused to pay a ransom to a group threatening to leak nearly 1 billion customer records. The group, Scattered LAPSUS$ Hunters, says the data comes from earlier compromises rather than any new vulnerability, and Salesforce has told customers that its platform itself remains uncompromised. The attackers set an October 10 deadline, threatening to publish the data if unpaid. Google and Salesforce have notified organizations potentially affected, tying the data to the theft of OAuth tokens from Salesloft's Drift application; those tokens granted access to many connected Salesforce environments. Salesforce is working with outside experts and authorities on the investigation and response. The incident underscores how much damage a single over-privileged third-party integration can do.
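Both this story and the token-theft item earlier in the brief come down to the same property: a bearer token is accepted wherever it is presented, so the only place to catch misuse is in how the token is used. As an added example, not part of either article or any vendor's product, the Python below runs two simple checks over constructed SaaS API access logs: a token used from an IP address and user agent outside the baseline learned from its first few requests, and a burst of requests in a short window of the kind seen when an integration token is turned into a bulk export. The log format, token labels, IP addresses and thresholds are all constructed.

```python
"""Token-usage anomaly checks over constructed SaaS API access logs.
Example code added to this brief; the log format, tokens, addresses and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: one request per line, token already reduced to an opaque label.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) token=(?P<token>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" (?P<method>\S+) (?P<path>\S+)$'
)

SAMPLE_LOG = """\
2025-09-01T08:00:01Z token=tok_integration_a ip=198.51.100.20 ua="IntegrationBot/2.1" GET /api/v1/accounts?limit=50
2025-09-01T09:00:02Z token=tok_integration_a ip=198.51.100.21 ua="IntegrationBot/2.1" GET /api/v1/contacts?limit=50
2025-09-02T08:00:03Z token=tok_integration_a ip=198.51.100.20 ua="IntegrationBot/2.1" GET /api/v1/accounts?limit=50
2025-09-02T08:30:00Z token=tok_user_b ip=192.0.2.15 ua="Mozilla/5.0" GET /api/v1/me
2025-09-02T09:00:04Z token=tok_integration_a ip=198.51.100.21 ua="IntegrationBot/2.1" GET /api/v1/contacts?limit=50
2025-09-03T02:14:05Z token=tok_integration_a ip=203.0.113.77 ua="python-requests/2.32" GET /api/v1/accounts?limit=2000
2025-09-03T02:14:09Z token=tok_integration_a ip=203.0.113.77 ua="python-requests/2.32" GET /api/v1/contacts?limit=2000
2025-09-03T02:14:12Z token=tok_integration_a ip=203.0.113.77 ua="python-requests/2.32" GET /api/v1/opportunities?limit=2000
2025-09-03T02:14:15Z token=tok_integration_a ip=203.0.113.77 ua="python-requests/2.32" GET /api/v1/cases?limit=2000
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def detect(log_text, baseline_events=3, burst_count=4, burst_window=timedelta(minutes=5)):
    """Return a list of (ts, token, reason, detail) alerts.

    new_origin: after a token's first `baseline_events` requests, a request from an IP *and* a
                user agent never seen in that baseline. Requiring both cuts the noise from a
                vendor rotating egress IPs. Reported once per (token, ip, ua).
    burst:      at least `burst_count` requests from one token inside `burst_window`, the shape
                of an integration token being used to pull whole objects. Reported once per token.
    """
    baseline = defaultdict(lambda: {"ips": set(), "uas": set(), "n": 0})
    recent = defaultdict(list)
    reported_origin, reported_burst = set(), set()
    alerts = []
    for ev in parse(log_text):
        tok, ts = ev["token"], _ts(ev["ts"])
        b = baseline[tok]
        if b["n"] < baseline_events:
            b["ips"].add(ev["ip"])
            b["uas"].add(ev["ua"])
            b["n"] += 1
        elif ev["ip"] not in b["ips"] and ev["ua"] not in b["uas"]:
            key = (tok, ev["ip"], ev["ua"])
            if key not in reported_origin:
                reported_origin.add(key)
                alerts.append((ev["ts"], tok, "new_origin", f"{ev['ip']} {ev['ua']}"))
        recent[tok] = [t for t in recent[tok] if ts - t <= burst_window] + [ts]
        if len(recent[tok]) >= burst_count and tok not in reported_burst:
            reported_burst.add(tok)
            minutes = int(burst_window.total_seconds() // 60)
            alerts.append((ev["ts"], tok, "burst", f"{len(recent[tok])} requests within {minutes} min"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

On the constructed log the integration token trips both checks at 02:14 on 3 September while the user token stays quiet. The learned baseline is deliberately small here; a real deployment would learn it over days, key the origin on ASN rather than exact IP, and feed the alert into a revoke-and-reissue workflow for the token concerned.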
2025-10-08 16:49:20 thehackernews MALWARE WordPress Sites Exploited for Advanced ClickFix Phishing Attacks
Cybercriminals are injecting malicious JavaScript into WordPress sites, typically into theme files such as functions.php, to redirect visitors to attacker-controlled pages. The injected code references Google Ads to look legitimate, while the brazilc[.]com domain acts as a remote loader for dynamically served payloads. The chain passes through porsasystem[.]com and ends at ClickFix-style pages that deliver malware, including information stealers. The IUAM ClickFix Generator kit lets attackers build customizable phishing pages that mimic browser verification challenges, and such kits lower the bar for multi-platform campaigns by promising to evade antivirus and web protection. A new FileFix variant adds cache smuggling: the payload is stored in the browser cache disguised as a JPEG, so no explicit malicious file is ever downloaded. That campaign poses as a Fortinet VPN Compliance Checker and runs an obfuscated PowerShell payload that reads the archive back out of the cached 'image'.
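The cache smuggling technique in this item and in the earlier FileFix item relies on the browser caching a response that declares itself an image while the bytes carry a ZIP archive. The Python below is an example added here, not code from either article or from the Expel or Unit 42 writeups: it builds such a polyglot blob from a constructed JPEG header and a small ZIP, then shows a cache-side check that catches it by parsing the blob as an archive regardless of the declared type. It does not parse Chrome's on-disk cache format; the input is assumed to be a cached body and its declared Content-Type already extracted, and the file name and contents inside the ZIP are constructed.

```python
"""Detect an archive smuggled inside a cached 'image'. Example added to this brief."""
import io
import zipfile

# Constructed minimal JPEG: SOI, a bare APP0/JFIF segment, EOI. Enough to pass magic-byte checks.
JPEG_STUB = bytes.fromhex("ffd8ffe000104a46494600010100000100010000") + b"\xff\xd9"

MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


def make_smuggled_image(inner_name, inner_data):
    """Build the kind of blob a cache-smuggling page serves: image bytes first, ZIP appended.
    The ZIP end-of-central-directory record sits at the very end, so archive tools still open it
    even though the file starts with a JPEG header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(inner_name, inner_data)
    return JPEG_STUB + buf.getvalue()


def classify(declared_type, blob):
    """Inspect a cached response body against its declared Content-Type.

    Verdicts: clean; type_mismatch (leading bytes contradict a declared image type);
    archive (a parseable ZIP under a non-image type); smuggled_archive (a parseable ZIP
    under an image type, the cache-smuggling case)."""
    expected = MAGIC.get(declared_type)
    magic_ok = True if expected is None else any(blob.startswith(m) for m in expected)
    result = {"declared": declared_type, "magic_ok": magic_ok,
              "zip_offset": blob.find(b"PK\x03\x04"), "zip_members": [], "verdict": "clean"}
    # Do not stop at the leading magic: a ZIP with prepended data is still a valid ZIP,
    # which is exactly what the later extraction step on the victim relies on.
    if result["zip_offset"] != -1 and zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            result["zip_members"] = z.namelist()
        result["verdict"] = "smuggled_archive" if declared_type.startswith("image/") else "archive"
    elif not magic_ok:
        result["verdict"] = "type_mismatch"
    return result


if __name__ == "__main__":
    blob = make_smuggled_image("payload.txt", b"constructed sample, not a real payload")
    print(classify("image/jpeg", JPEG_STUB))
    print(classify("image/jpeg", blob))
```

The point the check makes is that a magic-byte test alone passes the smuggled blob, because it really does start with a JPEG header; the archive only shows up when the body is treated as a candidate ZIP in its own right. The same logic applies to other container formats an attacker might append, and to proxy or EDR inspection of image responses, not only to browser cache forensics.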
2025-10-08 16:03:51 bleepingcomputer VULNERABILITIES Critical Authentication Bypass Found in Service Finder WordPress Theme
CVE-2025-5947, a critical flaw in the Service Finder WordPress theme, lets attackers bypass authentication and obtain administrator access. It affects versions 6.0 and earlier and carries a CVSS score of 9.8; the root cause is improper validation of the original_user_id cookie. Wordfence has recorded over 13,800 exploitation attempts since August 1, with a recent surge to around 1,500 per day. Attackers send an HTTP GET request carrying a specific query parameter to impersonate users, with most attempts coming from five IP addresses. Vendor Aonetheme shipped the fix in version 6.1 on July 17, but exploitation began shortly after public disclosure. Site owners should apply the update immediately or stop using the theme, and should review logs for suspicious activity, bearing in mind that an attacker with administrator access can delete evidence of compromise. Given active exploitation, the issue needs urgent attention.
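Both Service Finder items in this brief describe the same bug class: an account-switching feature that reads the identity to switch back to from a cookie the client controls. The Python below is an illustrative reconstruction added to this brief, not the theme's PHP: the first function shows the vulnerable pattern, where whoever sets original_user_id becomes that user, and the second shows a hardened version in which the original user id never leaves the server, the cookie carries only an HMAC-signed, session-bound, single-use, expiring token, and a server-side switch record must exist for the request to succeed. The session store, secret, cookie names and the switch_back token format are assumptions for the example.

```python
"""Account-switch 'switch back' handling: client-trusted id (vulnerable) vs server-bound token.
Illustrative reconstruction added to this brief, written in Python; not the theme's PHP."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: a per-deployment secret, playing the role a WordPress salt would play.
SERVER_SECRET = secrets.token_bytes(32)
# Assumption: stands in for the application's server-side session store.
SESSIONS = {}


def vulnerable_switch_back(cookies):
    """Vulnerable pattern: the id to restore is read straight from a client cookie.
    Anyone who sends original_user_id=1 is logged in as user 1; no switch need ever have happened."""
    uid = cookies.get("original_user_id", "")
    return int(uid) if uid.isdigit() else None


def _sign(payload):
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def begin_switch(session_id, original_user_id, target_user_id, ttl=900):
    """Hardened: record the switch server-side and hand the browser an opaque capability.
    The cookie value contains no user id, only the session id and a nonce, signed."""
    nonce = secrets.token_hex(16)
    SESSIONS[session_id] = {"original": original_user_id, "target": target_user_id,
                            "nonce": nonce, "exp": time.time() + ttl}
    payload = json.dumps({"sid": session_id, "nonce": nonce}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def hardened_switch_back(session_id, cookies, now=None):
    """Return the original user id only if a live switch record exists for this session and the
    cookie is its untampered, unexpired, unused token. Every failure yields None, never a guess."""
    now = time.time() if now is None else now
    token = cookies.get("switch_back", "")
    rec = SESSIONS.get(session_id)
    if rec is None or "." not in token:
        return None
    b64, sig = token.rsplit(".", 1)
    try:
        payload = base64.urlsafe_b64decode(b64)
        data = json.loads(payload)
    except ValueError:          # covers binascii.Error and JSONDecodeError
        return None
    if not isinstance(data, dict):
        return None
    # Constant-time checks on the signature and the nonce; compare as bytes so odd input cannot raise.
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        return None
    if data.get("sid") != session_id or not hmac.compare_digest(
            str(data.get("nonce", "")).encode(), rec["nonce"].encode()):
        return None
    if now > rec["exp"]:
        SESSIONS.pop(session_id, None)
        return None
    SESSIONS.pop(session_id)    # single use: a replayed cookie fails next time
    return rec["original"]
```

The fix the theme shipped is not on this page, so the hardened function is one correct shape, not the vendor's; the property it enforces is the one that matters for the bug: a request can only ever be switched back to the user the server itself recorded when the switch began.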