Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11759

Checks for new stories every ~15 minutes

2025-09-19 14:39:36 theregister VULNERABILITIES Critical Vulnerability Found in Fortra's GoAnywhere MFT Software
Fortra has disclosed a critical vulnerability, CVE-2025-10035, in its GoAnywhere MFT product, rated 10/10 in severity, potentially leading to command injection attacks. The flaw lies in the deserialization process within the License Servlet, allowing attackers to execute arbitrary commands if they forge a valid license response signature. This vulnerability follows a similar issue, CVE-2023-0669, which was exploited by ransomware groups like LockBit and Black Basta, highlighting ongoing risks. Fortra advises customers to upgrade to patched versions 7.8.4 or 7.6.3, or ensure the admin console is not exposed to the internet to mitigate risks. While Fortra has not confirmed active exploitation, security researchers warn that exploitation in the wild is likely, urging immediate patching. Managed file transfer applications remain prime targets for cybercriminals due to their potential access to sensitive data, underscoring the importance of timely patch management. The incident serves as a reminder of the critical need for robust security practices and proactive vulnerability management in software solutions.
2025-09-19 14:29:12 thehackernews MALWARE SystemBC Malware Fuels Expansive REM Proxy Network Operations
SystemBC malware is driving the REM Proxy network, affecting approximately 1,500 virtual private servers daily across 80 command-and-control servers. The malware transforms infected systems into SOCKS5 proxies, facilitating communication with C2 servers and downloading additional payloads. SystemBC targets both Windows and Linux systems, with a focus on corporate networks, cloud servers, and IoT devices. Nearly 80% of the compromised systems are VPSs, exploited due to numerous unpatched security vulnerabilities, including critical CVEs. The botnet's infrastructure supports high-volume malicious traffic, aiding various criminal groups and proxy services, including those in Russia and Vietnam. The malware's expansion strategy involves brute-forcing WordPress credentials, aiming to sell harvested data on underground forums. SystemBC's sustained activity and adaptability highlight its role as a persistent threat, evolving from ransomware facilitation to bespoke botnet assembly and sale.
2025-09-19 14:29:12 bleepingcomputer VULNERABILITIES Critical Vulnerability in GoAnywhere MFT Requires Immediate Attention
Fortra has issued patches for a critical vulnerability in GoAnywhere MFT's License Servlet, tracked as CVE-2025-10035, which could enable command injection attacks. The flaw arises from a deserialization weakness, allowing remote exploitation with low complexity and no user interaction required. GoAnywhere MFT is a secure file transfer tool used by over 9,000 organizations, making it a significant target for threat actors. Fortra swiftly developed patches, releasing GoAnywhere MFT 7.8.4 and Sustain Release 7.6.3, and advised removing public internet access to the Admin Console. The vulnerability's exploitation risk is heightened if systems are exposed online; over 470 instances are currently monitored for exposure. Although active exploitation has not been confirmed, the Clop ransomware gang previously exploited a similar flaw, impacting over 130 organizations. IT administrators are urged to apply updates promptly and review system configurations to mitigate potential unauthorized access.
2025-09-19 14:20:14 thehackernews VULNERABILITIES Fortra Issues Critical Patch for Severe GoAnywhere MFT Vulnerability
Fortra has announced a critical vulnerability in its GoAnywhere Managed File Transfer software, identified as CVE-2025-10035, with a maximum CVSS score of 10.0. The flaw involves a deserialization issue in the License Servlet, allowing potential command injection through a forged license response signature. Exploitation requires the system to be publicly accessible over the internet, prompting urgent patching to version 7.8.4 or Sustain Release 7.6.3. Fortra advises restricting public access to the GoAnywhere Admin Console if immediate patching is not feasible to mitigate risks. Previous vulnerabilities in the same product were exploited by ransomware actors, raising concerns about potential weaponization of this new flaw. Security experts warn that with many GoAnywhere MFT instances exposed online, organizations should act swiftly to apply patches and limit external access. No current reports indicate active exploitation, but the history of similar vulnerabilities suggests a high likelihood of future attacks.
2025-09-19 14:10:23 thehackernews CYBERCRIME Surge in Phishing-as-a-Service Attacks Targets Global Brands
Over 17,500 phishing domains linked to Lighthouse and Lucid PhaaS have targeted 316 brands across 74 countries, impacting various industries including financial, governmental, and postal sectors. The PhaaS platforms offer customizable templates and real-time victim monitoring, with prices ranging from $88 weekly to $1,588 annually, facilitating large-scale phishing campaigns. The XinXin group, a Chinese-speaking threat actor, is associated with Lucid, while Lighthouse operates independently yet shares infrastructure and targeting patterns with Lucid. Recent trends show a shift from Telegram to email for credential harvesting, with a 25% increase in email-based phishing, leveraging services like EmailJS for data collection. Phishing tactics include homoglyph attacks using Japanese characters to mimic legitimate domains, deceiving users into installing malicious software targeting cryptocurrency wallets. Scams exploiting American brand identities have surfaced, requiring victims to deposit cryptocurrency under the guise of job opportunities, illustrating the financial motivation behind these attacks. The federated nature of email complicates takedown efforts, as each address must be individually reported, posing challenges for cybersecurity defenses.
2025-09-19 14:02:46 bleepingcomputer CYBERCRIME Ransomware Resilience Declines as Double Extortion Tactics Prevail
Picus Security's Blue Report 2025 reveals a decline in ransomware prevention effectiveness, dropping from 69% in 2024 to 62% in 2025, highlighting increased vulnerability. Double extortion tactics, involving both data encryption and theft, have become standard, with some groups now focusing solely on data theft to evade detection. Data exfiltration prevention rates plummeted to 3%, exposing organizations to heightened risk during the critical stages of ransomware attacks. Emerging ransomware strains such as FAUST, Valak, and Magniber are bypassing defenses as effectively as well-known families like BlackByte and BabLock. Breach and Attack Simulation (BAS) is emphasized as a critical tool for continuously validating organizational defenses against evolving ransomware threats. The report stresses the importance of moving beyond assumptions of security readiness to proven resilience through continuous testing and validation. Organizations are urged to adopt BAS to identify and rectify weaknesses in their cybersecurity posture, ensuring preparedness against both established and new ransomware threats.
2025-09-19 13:04:30 theregister CYBERCRIME Arrest of Scattered Spider Teens Marks Major Cybercrime Disruption
UK authorities arrested two teenagers linked to the Scattered Spider group, responsible for extorting over $115 million from more than 100 organizations. Thalha Jubair and Owen Flowers appeared in court for their alleged roles in a cyberattack on Transport for London and other high-profile intrusions. The group employed SIM-swapping and social engineering tactics to infiltrate networks, notably targeting helpdesks to reset passwords and gain unauthorized access. US authorities charged Jubair with computer fraud, wire fraud, and money laundering, citing his involvement in 120 network intrusions, including attacks on the US federal court system. Investigators traced ransom payments to cryptocurrency wallets controlled by Jubair, leading to the seizure of approximately $36 million in digital currency. The arrests highlight the effectiveness of international law enforcement collaboration and public-private partnerships in combating sophisticated cybercrime operations. This operation serves as a warning to cybercriminals that anonymity is not guaranteed, and law enforcement can penetrate even well-concealed activities.
2025-09-19 12:32:01 theregister VULNERABILITIES Critical Entra ID Flaw Allowed Cross-Tenant Access, Now Mitigated
A security researcher discovered a critical flaw in Entra ID, potentially granting access to nearly every tenant worldwide, which Microsoft has since mitigated. The vulnerability involved flawed token validation, allowing unauthorized cross-tenant access through undocumented "Actor tokens" used for service-to-service communication. The flaw was linked to the legacy Azure Active Directory Graph API, which failed to validate the originating tenant of the tokens. This issue could have compromised services using Entra ID for authentication, including SharePoint Online and Exchange Online, posing significant security risks. The vulnerability was rated "Critical", with a CVE issued on September 4 carrying a base score of 10, indicating severe potential impact. Microsoft swiftly addressed the issue, and no abuse was detected in its internal telemetry, so users need not take further action. The researcher provided KQL queries for administrators to check for potential past abuse, despite the lack of logs for the Actor tokens.
2025-09-19 11:01:15 thehackernews MISCELLANEOUS AI-Driven Automation Enhances Security Alert Management with Tines
Tines introduces an AI-powered workflow to automate alert triage, leveraging over 1,000 pre-built workflows available in its Community Edition. Developed by Michael Tolan and Peter Wrenn, the workflow integrates AI agents to identify and execute Standard Operating Procedures (SOPs) from Confluence. The automation process reduces manual intervention, minimizing human error and ensuring consistent handling of security alerts. Alerts trigger AI analysis, which identifies relevant SOPs and performs remediation, while keeping teams informed via Slack. The solution aims to improve response times and operational efficiency for security teams by streamlining alert management processes. Organizations can customize the workflow to suit their existing technology stack, enhancing flexibility and integration capabilities. The guide provides step-by-step instructions for configuring and testing the workflow, ensuring seamless implementation and operation.
2025-09-19 10:36:46 theregister VULNERABILITIES OpenAI Fixes ShadowLeak Bug in ChatGPT’s Deep Research Tool
Radware identified a critical flaw in OpenAI's Deep Research tool, known as "ShadowLeak," which allowed attackers to exfiltrate sensitive data from user inboxes without interaction. The vulnerability enabled attackers to embed hidden instructions within emails, prompting ChatGPT to unknowingly send sensitive data to an attacker-controlled server. The attack operated invisibly from OpenAI's infrastructure, bypassing traditional security measures and leaving minimal forensic evidence for incident responders. Potential data at risk included personally identifiable information, internal memos, legal documents, and login credentials, posing significant compliance and regulatory risks. OpenAI addressed the issue with a patch released on September 3, following Radware's disclosure of the vulnerability on June 18. Radware recommends treating AI agents as privileged users, implementing HTML sanitization, and enhancing logging to prevent similar vulnerabilities. Organizations are urged to review AI tool integrations to ensure robust input sanitization and control over data access to mitigate future risks.
2025-09-19 10:07:51 theregister MISCELLANEOUS Concerns Rise Over Ofcom's Enforcement of UK Online Safety Act
UK charities express concerns about Ofcom's enforcement of the Online Safety Act, questioning the effectiveness of current measures in deterring violations by online platforms. The Online Safety Act mandates platforms to implement age assurance systems, but stakeholders argue that Ofcom's enforcement lacks transparency and robustness. Maximum penalties for non-compliance include fines up to £18 million or 10% of annual global revenue, yet enforcement actions remain under scrutiny for their effectiveness. Critics argue that the safe harbor provision may discourage innovation, as platforms adhering strictly to Ofcom's guidelines are shielded from penalties, even if better solutions exist. Newer online threats, such as those posed by Com groups, challenge Ofcom's ability to keep pace with evolving risks, raising concerns about the protection of vulnerable users. Ofcom has initiated investigations into 69 websites and apps suspected of non-compliance, signaling a proactive approach to enforcing online safety regulations. Continuous stakeholder engagement, including upcoming sessions with Ofcom's chief executive, aims to refine and enhance the regulatory framework to better address emerging online harms.
2025-09-19 08:25:49 thehackernews NATION STATE ACTIVITY Russian Groups Gamaredon and Turla Collaborate in Ukraine Cyber Attacks
ESET researchers identified collaboration between Russian hacking groups Gamaredon and Turla, targeting Ukrainian entities with the Kazuar backdoor, particularly in the defense sector. Gamaredon tools, PteroGraphin and PteroOdd, were used to execute Turla's Kazuar backdoor on Ukrainian systems, indicating coordinated efforts to breach specific targets. The attacks, linked to the Russian Federal Security Service, intensified following Russia's 2022 invasion of Ukraine, underscoring the geopolitical motivations behind the cyber operations. Kazuar malware, updated to version 3, features enhanced capabilities, including new network transport methods and data exfiltration techniques, posing significant risks to compromised systems. Gamaredon's initial access methods remain unclear but historically involve spear-phishing and malicious LNK files, suggesting continued reliance on social engineering tactics. The collaboration reflects a strategic alliance, with Gamaredon providing access and Turla deploying sophisticated malware, demonstrating the evolving threat landscape in cyber warfare. ESET's findings emphasize the need for robust cybersecurity measures and international cooperation to counter state-sponsored cyber threats effectively.
2025-09-19 07:05:45 thehackernews CYBERCRIME U.K. Arrests Scattered Spider Hackers for TfL Cyber Attack
The U.K.'s National Crime Agency arrested two teenagers linked to the Scattered Spider group for the August 2024 cyber attack on Transport for London (TfL). Thalha Jubair, 19, and Owen Flowers, 18, are accused of causing significant disruption and financial losses to TfL, part of the U.K.'s critical infrastructure. Flowers is also charged with targeting U.S. healthcare companies, including SSM Health Care Corporation and Sutter Health, highlighting the group's international reach. Jubair faces charges under the Regulation of Investigatory Powers Act for not surrendering device passwords, complicating the investigation. The U.S. Department of Justice charged Jubair with computer fraud, wire fraud, and money laundering, linked to 120 network intrusions and extortion of 47 U.S. entities. The cyber attacks involved social engineering, unauthorized network access, data theft, and ransom demands, with victims paying at least $115 million. Law enforcement seized cryptocurrency wallets and digital assets worth $36 million, disrupting the group's financial operations. These arrests underscore the growing cybercrime threat from English-speaking countries, as highlighted by the NCA earlier this year.
2025-09-19 06:30:19 theregister NATION STATE ACTIVITY MI6 Launches 'Silent Courier' to Securely Recruit Global Informants
MI6 has introduced a dark web portal named "Silent Courier" to securely recruit informants worldwide, enhancing its digital tradecraft capabilities. The portal utilizes Tor for anonymity, allowing individuals to share sensitive information about global instability or hostile intelligence activities without exposure. Instructions for potential informants are available in eight languages on MI6's new YouTube channel, emphasizing secure communication practices. Users are advised to use a clean device, incognito browsing, and a commercial VPN trial to access the portal, avoiding identifiable information. The initiative aims to attract genuine informants while potentially exposing malicious actors' tradecraft through their interactions with the site. This move reflects MI6's adaptation to modern intelligence challenges, ensuring secure and anonymous channels for critical information exchange. The portal's launch signifies a strategic shift towards leveraging digital platforms for intelligence gathering in an increasingly interconnected world.
2025-09-19 04:16:05 thehackernews MALWARE CISA Alerts on Malware Exploiting Ivanti EPMM Zero-Day Vulnerabilities
CISA has identified two malware strains exploiting vulnerabilities CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (EPMM) within an unnamed organization's network. The vulnerabilities, an authentication bypass and remote code execution flaw, were used to execute arbitrary code, allowing attackers to access protected resources without authentication. Attackers leveraged these flaws around May 15, 2025, following the release of a proof-of-concept exploit, enabling system information collection and credential dumping. Malware persistence was achieved by injecting code via malicious Java class listeners, which intercepted HTTP requests to decode and decrypt payloads for execution. To mitigate risks, organizations should update EPMM to the latest version, monitor for suspicious activities, and enforce access restrictions on mobile device management systems. The incident underlines the critical need for timely patch management and vigilant monitoring of network activities to prevent exploitation of known vulnerabilities.