Daily Brief

Articles are listed below, each with a generated summary

Total articles found: 11760

Checks for new stories every ~15 minutes

2025-09-19 04:16:05 thehackernews MALWARE CISA Alerts on Malware Exploiting Ivanti EPMM Zero-Day Vulnerabilities
CISA has published analysis of two malware strains found on an unnamed organization's network after exploitation of CVE-2025-4427 (an authentication bypass) and CVE-2025-4428 (a remote code execution flaw) in Ivanti Endpoint Manager Mobile (EPMM). Chained, the two flaws let an unauthenticated attacker reach protected resources and then execute arbitrary code. Exploitation began around May 15, 2025, shortly after a proof-of-concept exploit was published, and was followed by system information collection and credential dumping. For persistence, the attackers injected malicious listeners into Java classes; the listeners intercepted HTTP requests, decoded and decrypted payloads embedded in them, and executed the result. Organizations should update EPMM to the latest version, monitor for suspicious activity, and restrict who can reach mobile device management systems. The incident underlines the need for timely patching and vigilant network monitoring, since the flaws were public and patched well before this exploitation was analyzed.
2025-09-18 18:23:57 theregister VULNERABILITIES Google Releases Emergency Patch for Actively Exploited Chrome Flaw
Google has issued an emergency patch for a high-severity Chrome vulnerability, CVE-2025-10585, that is already being exploited in the wild, and is urging users to update immediately. The flaw is a type confusion bug in the V8 JavaScript and WebAssembly engine; such bugs can be triggered from a crafted web page and typically lead to a crash or, with more work, arbitrary code execution inside the renderer sandbox. The fix ships in Chrome 140.0.7339.185/.186 for Windows and macOS and 140.0.7339.185 for Linux. This is the sixth Chrome zero-day patched this year; an earlier one was used against targets in Russia. The bug was reported by Google's Threat Analysis Group, which suggests use by nation-state actors or commercial spyware vendors against high-value individuals, although Google has said only that an exploit exists in the wild. Separately, WatchGuard patched CVE-2025-9242, a critical remote code execution flaw in Fireware OS on Firebox firewalls that affects appliances using IKEv2 VPN with a dynamic gateway peer. Organizations should confirm that automatic browser updates are enabled and verify installed versions, since Chrome only applies an update after a relaunch.
2025-09-18 16:19:01 theregister DATA BREACH SonicWall Cloud Backup Breach Exposes Firewall Configuration Data
SonicWall has confirmed a breach of the cloud backup service in MySonicWall, affecting fewer than 5% of its firewall installed base, in which attackers accessed firewall configuration (preference) files. The access came from brute-force attacks against the backup service. Credentials inside the preference files are encrypted, but the files also hold network and policy details that could help an attacker target the corresponding firewalls. SonicWall disabled the cloud backup feature, rotated internal keys, and changed infrastructure and processes to limit further risk, and has engaged a third-party incident response firm to validate its findings and help review affected environments. Affected customers should log in to MySonicWall, check which device serial numbers are flagged, regenerate keys and other secrets stored in the configuration, change administrator passwords, and re-import a cleaned configuration. SonicWall says it will keep publishing updates through its knowledge base as the investigation proceeds. The incident adds to a difficult period for firewall vendors, and administrators should apply the mitigation guidance promptly.
2025-09-18 15:11:54 theregister DATA BREACH Major Data Breaches Hit Three US Healthcare Providers in One Week
More than 855,000 people are affected by data breaches disclosed by three US healthcare providers in a single week. Goshen Medical Center reported a breach affecting 456,385 individuals that exposed personal data including Social Security and medical record numbers. Retina Group of Florida disclosed an attack affecting 153,429 individuals, with sensitive health information potentially exposed, according to law firms investigating the incident. Medical Associates of Brevard's breach affected 246,711 individuals and compromised names, birthdates, and health insurance details. All affected individuals have been offered credit monitoring and identity protection, the standard response to such incidents. None of the three breaches disrupted patient care, unlike earlier attacks on the sector that caused serious operational outages, but they illustrate the healthcare sector's continuing exposure to data theft and its consequences for patient trust. Similar attacks abroad have caused substantial disruption and financial loss.
2025-09-18 14:38:25 bleepingcomputer MALWARE SystemBC Malware Exploits VPS for Global Proxy Botnet Operations
The SystemBC proxy malware targets commercial VPS systems with known vulnerabilities and keeps roughly 1,500 bots active each day to route malicious traffic and hide command-and-control activity. The compromised servers are spread worldwide; each carries at least one critical vulnerability and many have several, which is why infections persist for so long. Researchers at Lumen Technologies' Black Lotus Labs report that SystemBC is run from more than 80 command-and-control servers and feeds other criminal proxy networks. Its users include ransomware gangs and a wider client base such as a Russian web-scraping service and Vietnamese proxy networks. The infrastructure carries a large volume of traffic: a single IP was observed generating over 16 gigabytes of proxy data in 24 hours, far beyond typical proxy-network activity. Despite law enforcement action including Operation Endgame, SystemBC has remained resilient, evading disruption and continuing to supply stable, high-volume traffic to its users. Black Lotus Labs has published technical analysis and indicators of compromise to help organizations identify and block SystemBC activity.
2025-09-18 14:38:25 bleepingcomputer CYBERCRIME UK Arrests Scattered Spider Teens for Transport for London Hack
Two teenagers linked to the Scattered Spider group have been arrested in the UK over the August 2024 cyberattack on Transport for London (TfL). Owen Flowers and Thalha Jubair are charged with computer misuse and fraud offences, and Jubair is also charged in the US over a wider series of network intrusions. The TfL attack disrupted internal systems and online services, including refund processing; TfL initially said customer data had not been affected but later confirmed that some had been accessed. The National Crime Agency (NCA) also found evidence connecting Flowers to attacks on US healthcare companies, leading to additional charges. The US Department of Justice charged Jubair with conspiracies to commit computer fraud and extortion, linked to 120 intrusions and $115 million in ransom payments. The NCA describes the case as part of a rising threat from cybercriminals based in the UK and other English-speaking countries. TfL serves more than 8.4 million Londoners, and earlier incidents, including data theft by the Clop ransomware group, show that its systems remain an attractive target.
2025-09-18 14:16:50 thehackernews DATA BREACH SonicWall Advises Password Resets After Cloud Backup Security Breach
SonicWall has detected unauthorized access to firewall configuration backup files stored in its cloud service, affecting fewer than 5% of MySonicWall customers. The attackers used brute-force activity against the cloud backup service and obtained preference files containing encrypted credentials and other configuration data; even encrypted, that data could help an attacker exploit the associated firewalls. No leak of the files has been reported so far. SonicWall is asking affected customers to reset credentials and import updated preference files. The incident is not linked to ransomware, but it coincides with Akira ransomware activity against SonicWall devices that exploits CVE-2024-40766 on unpatched appliances and abuses MFA recovery codes to bypass multi-factor authentication and disable security controls. Recovery codes should be handled with the same care as privileged account passwords.
2025-09-18 14:04:58 bleepingcomputer VULNERABILITIES Microsoft 365 Faces Elevated Risks Amidst Growing Cyber Threat Landscape
Microsoft 365, with more than 400 million users, is a prime target for criminals because of its ubiquity in business environments. The tight integration of Outlook, SharePoint, Teams and OneDrive widens the attack surface: a foothold in one service can be used to reach the others. Recent SharePoint zero-days such as CVE-2025-53770 were actively exploited, with more than 75 servers affected, showing how quickly a single flaw cascades across a Microsoft 365 estate. Backup and recovery for Microsoft 365 is often inadequate and can preserve malicious content; in one scan, 40% of email backups contained phishing links. Organizations should apply zero trust principles and enforce multi-factor authentication without sacrificing the productivity benefits, and should regularly review Microsoft 365 configuration and third-party integrations to close persistent gaps. Hardening defenses specifically against cloud collaboration threats protects sensitive assets and, the article argues, offers a competitive advantage.
2025-09-18 13:10:53 thehackernews MALWARE CountLoader Expands Russian Ransomware Capabilities with Advanced Malware Loader
Researchers have identified CountLoader, a malware loader used by Russian ransomware operations to deliver tools such as Cobalt Strike and the PureHVNC RAT. It is used by initial access brokers or affiliates associated with LockBit, Black Basta and Qilin, and has targeted Ukrainian individuals through phishing with PDF lures. CountLoader exists in .NET, PowerShell and JavaScript variants; the JavaScript version offers the most methods for downloading and executing files. The PowerShell variant was previously distributed with DeepSeek-themed decoys that tricked users into installing it and enabled manipulation of network traffic. For persistence, the loader creates a scheduled task that masquerades as a Google Chrome update, keeping it running for continued payload delivery and data collection. Its infrastructure spans more than 20 unique domains that act as a conduit for post-exploitation tools and remote access trojans. The overlaps between groups illustrate how interconnected the Russian ransomware ecosystem is, with operators valuing skilled people over any particular malware strain.
2025-09-18 13:10:53 bleepingcomputer VULNERABILITIES PyPI Invalidates Tokens After GhostAction Supply Chain Attack
The Python Software Foundation, which operates PyPI, has invalidated PyPI tokens stolen in the GhostAction supply chain attack so they cannot be used to publish malware. The attack used malicious GitHub Actions workflows, pushed into more than 570 repositories, that exfiltrated PyPI tokens and other secrets to a remote server. GitGuardian identified the campaign, although the initial response was delayed by communication problems. More than 3,300 secrets were stolen in total, including API tokens and access keys for npm, DockerHub, Cloudflare and other ecosystems. PyPI has advised maintainers to move to Trusted Publishers, which replaces long-lived API tokens with short-lived tokens issued per publish via OpenID Connect, and to review their security logs for suspicious activity. No PyPI projects were found to have been compromised, and affected project owners were contacted to secure their accounts. The incident shows the value of short-lived credentials and of fast communication between researchers and registries in containing supply chain compromises.
2025-09-18 13:02:55 theregister CYBERCRIME Two Teens Charged in Cyberattack on London Transport Network
Owen Flowers and Thalha Jubair, both teenagers, have been charged over the August 2024 cyberattack on Transport for London (TfL), which caused significant disruption and financial loss. The investigation, led by the National Crime Agency (NCA) and City of London Police, resulted in charges under the Computer Misuse Act for conspiracy to commit unauthorised acts. The attack disabled back-office functions and ticketing systems and exposed sensitive customer data, including refund and bank details of around 5,000 Oyster card holders. Flowers is also charged over attacks on the US healthcare organizations SSM Health Care Corporation and Sutter Health, indicating a broader pattern of activity. The NCA says it aims to disrupt Scattered Spider, the cybercrime collective to which the two are reportedly linked, and describes a growing threat from UK-based cybercriminals. TfL has committed to continued system monitoring and protective measures. The case shows both the importance of robust security for critical infrastructure and the difficulty law enforcement faces in attributing attacks to specific individuals and groups.
2025-09-18 12:48:06 theregister DDOS Cloudflare's React Hook Error Causes API Overload and Outage
Cloudflare suffered an outage on September 12 that took down its dashboard and several APIs for more than an hour, caused by a bug in a React useEffect hook in the dashboard code. The hook's dependency array contained an object that was recreated on every render; React compares dependency entries with Object.is, so a freshly created object never matches the previous one, and the effect re-ran, and re-issued its request, on every render of the dashboard, hammering the Tenant Service API. That service sits in the path of API request authorization, so once it was overloaded, API calls in general began to fail. Troubleshooting was slow because the symptom looked like an API availability problem, which masked the dashboard's role as the source of the load. The postmortem prompted debate over useEffect, with opinions varying on how necessary it is and how easily it is misused. Cloudflare has since increased the Tenant Service's capacity and improved monitoring to absorb similar load spikes, and has added information to API calls so that retries can be distinguished from new requests, which should speed up diagnosis next time.
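The dependency-array mechanism behind the Cloudflare outage above, as an added example that is not Cloudflare's code and does not use React: React re-runs an effect whenever any entry of its dependency array fails an Object.is comparison against the previous render's entry, and an object literal created inside the component body is a new reference on every render. The simulation reproduces that comparison in plain Node, counts how many times a hypothetical tenant-lookup call (a constructed stub, no network) fires over a fixed number of renders, and shows the two usual fixes. The org identifiers are constructed values.

```javascript
// Added example, not Cloudflare's code: why an object literal in a React
// useEffect dependency array re-runs the effect on every render, and how the
// usual fixes change the call count. Runs under plain Node, no React needed.

// Element-wise Object.is comparison, the same rule React applies to deps.
// `undefined` previous deps means the first render, which always runs.
function depsChanged(prevDeps, nextDeps) {
  if (prevDeps === undefined) return true;
  if (prevDeps.length !== nextDeps.length) return true;
  for (let i = 0; i < nextDeps.length; i++) {
    if (!Object.is(prevDeps[i], nextDeps[i])) return true;
  }
  return false;
}

// Stand-in for a component that renders `renderCount` times. `makeDeps`
// builds the dependency array on each render, exactly as the component body
// would; `effect` is the side effect (here, a stub for a tenant lookup API).
// Returns how many times the effect ran.
function simulateRenders(renderCount, makeDeps, effect) {
  let prevDeps;
  let runs = 0;
  for (let render = 0; render < renderCount; render++) {
    const deps = makeDeps();
    if (depsChanged(prevDeps, deps)) {
      effect();
      runs++;
    }
    prevDeps = deps;
  }
  return runs;
}

// Hypothetical API client: only counts calls, makes no network request.
function fetchTenantStub(counter) {
  return () => { counter.calls++; };
}

// Buggy pattern: the dependency array holds a fresh object literal on each
// render, so it never matches the previous render's array.
function buggyApiCalls(renders) {
  const counter = { calls: 0 };
  const orgId = 'org-123';                       // constructed value
  simulateRenders(renders, () => [{ orgId, scope: 'read' }], fetchTenantStub(counter));
  return counter.calls;
}

// Fix 1: depend on the primitive values the effect actually reads; strings
// and numbers compare by value, so the array matches until they change.
function fixedApiCalls(renders) {
  const counter = { calls: 0 };
  const orgId = 'org-123';
  const scope = 'read';
  simulateRenders(renders, () => [orgId, scope], fetchTenantStub(counter));
  return counter.calls;
}

// Fix 2: when an object is genuinely needed, create it once and reuse the
// same reference (what useMemo gives you inside a React component).
function memoizedApiCalls(renders) {
  const counter = { calls: 0 };
  const params = { orgId: 'org-123', scope: 'read' };  // stable identity
  simulateRenders(renders, () => [params], fetchTenantStub(counter));
  return counter.calls;
}

// Sanity check on Fix 1: a real change in the value the effect depends on
// must still re-run it. Switches orgId after `changeAt` renders.
function primitiveDepsWithChange(renders, changeAt) {
  const counter = { calls: 0 };
  let n = 0;
  simulateRenders(renders, () => [n++ < changeAt ? 'org-123' : 'org-456'], fetchTenantStub(counter));
  return counter.calls;
}

console.log(`buggy:    ${buggyApiCalls(50)} API calls over 50 renders`);
console.log(`fixed:    ${fixedApiCalls(50)} API call(s) over 50 renders`);
console.log(`memoized: ${memoizedApiCalls(50)} API call(s) over 50 renders`);
```

The buggy variant issues one API call per render, which is what turned a dashboard render into load on the Tenant Service; both fixes collapse that to a single call until the underlying value actually changes.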
2025-09-18 11:43:15 thehackernews MALWARE SilentSync RAT Targets Python Developers via Malicious PyPI Packages
Researchers have identified two malicious PyPI packages, sisaws and secmeasure, that deliver the SilentSync remote access trojan to Windows systems, targeting Python developers. SilentSync supports remote command execution, file exfiltration and screen capture, and also harvests browser data including credentials and cookies. The packages posed as legitimate libraries; sisaws impersonated the package for Argentina's SISA health information system and contained a function that downloaded the next-stage malware. Both packages have been removed from PyPI, but they show how typosquatting and impersonation enable supply chain attacks. SilentSync mainly targets Windows but includes Linux and macOS code paths, such as modifying system settings for persistence. The malware communicates with a hard-coded endpoint and executes Python code fetched from it directly in memory, which supports data theft and makes detection harder. Developers should scrutinise package names and provenance before installing, and organizations should monitor the repositories their builds pull from.
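The name-similarity check a developer or CI pipeline could run before installing, as an added example that is not from the research above or the original page: it normalises package names the way PyPI does, computes the edit distance from each requirement to a list of names you already trust, and flags names that are a few edits away from, or a trusted name with a short suffix bolted onto, something on that list (the sisa to sisaws pattern). The trusted list and the requirements lines are constructed for the example; "sisa" stands in for the legitimate package that sisaws imitated.

```javascript
// Added example, not code from the original page or the research it cites:
// a pre-install typosquat check for Python requirements. Trusted names and
// sample input are constructed for this example.

const TRUSTED = ['sisa', 'requests', 'numpy', 'cryptography'];

// PEP 503 normalisation: PyPI treats names case-insensitively and '-', '_'
// and '.' as interchangeable, so "Secure_Measure" and "secure-measure" are
// the same project. Comparing normalised forms avoids both false alarms and
// evasion by case or separator tricks.
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]+/g, '-');
}

// Levenshtein edit distance: minimum single-character inserts, deletes and
// substitutions needed to turn `a` into `b`. Two-row dynamic programme.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Classify one name: 'trusted' (exact match after normalisation),
// 'suspicious' (within `maxDistance` edits of a trusted name, or a trusted
// name with at most three extra characters in front or behind, as in
// sisa -> sisaws) or 'unknown' (nothing nearby; still worth a manual look,
// as with secmeasure, which resembled nothing but was malicious anyway).
function classify(name, trusted = TRUSTED, maxDistance = 2) {
  const n = normalize(name);
  let nearest = null;
  let best = Infinity;
  for (const t of trusted) {
    const tn = normalize(t);
    if (tn === n) return { name, verdict: 'trusted', nearest: t, distance: 0 };
    const d = editDistance(n, tn);
    if (d < best) { best = d; nearest = t; }
  }
  const affixed = trusted.some((t) => {
    const tn = normalize(t);
    return n.length - tn.length <= 3 && (n.startsWith(tn) || n.endsWith(tn));
  });
  const verdict = best <= maxDistance || affixed ? 'suspicious' : 'unknown';
  return { name, verdict, nearest, distance: best };
}

// Parse requirements.txt-style lines and classify each package name.
// Handles comments, blank lines, extras and version specifiers (for
// example "requests[security]>=2.31"); lines that do not start with a
// package name, such as "-r other.txt", are skipped.
function auditRequirements(lines) {
  const results = [];
  for (const raw of lines) {
    const line = raw.replace(/#.*$/, '').trim();
    const m = /^([A-Za-z0-9][A-Za-z0-9._-]*)/.exec(line);
    if (!m) continue;
    results.push(classify(m[1]));
  }
  return results;
}

// Constructed sample input for this example.
const SAMPLE_REQUIREMENTS = [
  '# constructed sample, not a real project',
  'sisaws==1.0.0',              // trusted name plus two characters
  'numpy>=1.26',
  'requets',                    // one character dropped
  'requests[security]>=2.31',
  'secmeasure~=0.2',            // resembles nothing on the list
  '-r other-requirements.txt',
  '',
];

// Human-readable report of everything that is not an exact trusted match.
function flaggedNames(lines) {
  return auditRequirements(lines)
    .filter((r) => r.verdict !== 'trusted')
    .map((r) => `${r.name}: ${r.verdict} (nearest ${r.nearest}, distance ${r.distance})`);
}

console.log(flaggedNames(SAMPLE_REQUIREMENTS).join('\n'));
```

The distance threshold and the three-character affix limit are tuning choices: a lower threshold misses sisaws-style names, a higher one starts flagging legitimate plugins such as requests-oauthlib, so keep a per-project allow-list for known-good near matches rather than loosening the rule. A name that comes back 'unknown' is not cleared; it simply is not imitating anything you listed.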
2025-09-18 11:36:26 thehackernews MISCELLANEOUS Effective AI Governance Strategies for CISOs in Enterprise Environments
CISOs have to balance AI adoption with security, which calls for governance that adapts to fast-moving technology and changing organizational needs. Rigid AI policies tend to fail; a flexible, practical approach is needed to manage risks such as data leakage and shadow AI without stifling innovation. AI governance should include a comprehensive inventory of AI use, a model registry, and cross-functional committees, so that responsibility is shared and usage is transparent. Policies must evolve with the business, aligned with actual use cases and measurable outcomes, to stay relevant and enforceable. Sustainable governance also means giving employees secure, approved AI tools and encouraging good usage habits so they do not turn to unapproved alternatives. The SANS Institute's Secure AI Blueprint stresses both using AI for cyber defense and protecting AI systems from adversarial threats, and the SANS Cyber Defense Initiative 2025 offers courses for leaders on integrating AI governance with business strategy to strengthen security culture and enable safe AI adoption.
2025-09-18 11:27:20 theregister DATA BREACH Insight Partners Confirms Ransomware Breach Affecting 12,000 Individuals
Insight Partners has disclosed that a January ransomware attack compromised personal data of more than 12,000 people, including employees and limited partners. The intrusion, initially described as a "sophisticated social engineering attack", involved data-encrypting malware on HR and finance servers. The attackers exfiltrated data before encryption began on January 16, 2025, the point at which Insight's IT team detected and halted the attack. Stolen data included banking and tax records, information on Insight's funds, and personal details of employees and limited partners. Insight Partners manages more than $90 billion in assets and has backed major technology and cybersecurity companies including Twitter and SentinelOne. The firm has notified affected parties and is offering complimentary credit or identity monitoring, and says it has rebuilt systems and patched vulnerabilities to prevent a repeat. It has not disclosed who was responsible, whether a ransom was demanded, or whether one was paid, and declined to comment further.