Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11783

Checks for new stories every ~15 minutes

Date | Source | Category | Title
2025-09-14 14:26:40 | bleepingcomputer | CYBERCRIME | VoidProxy Phishing Service Targets Microsoft 365 and Google Accounts
Okta Threat Intelligence researchers uncovered VoidProxy, a phishing-as-a-service platform targeting Microsoft 365 and Google accounts, including those using third-party SSO providers like Okta. The service employs adversary-in-the-middle tactics to capture credentials, MFA codes, and session cookies in real time, posing a significant threat to account security. Attack initiation involves emails from compromised accounts at services like Constant Contact, using shortened links to redirect victims to phishing sites. Malicious sites utilize disposable domains and Cloudflare protection to obscure IP addresses, enhancing their evasiveness and perceived legitimacy. Phishing targets are presented with fake login pages mimicking Microsoft or Google, while federated accounts face additional phishing stages impersonating SSO flows. VoidProxy's proxy server intercepts and duplicates session cookies, making them accessible to attackers via the platform's admin panel. Okta recommends measures such as restricting sensitive app access to managed devices, enforcing risk-based controls, and using IP session binding to mitigate risks. Users employing phishing-resistant authentication methods like Okta FastPass were shielded from VoidProxy's attack sequence and received alerts about potential threats.
2025-09-14 13:06:04 | theregister | DATA BREACH | Inadequate Data Destruction Poses Significant Financial and Legal Risks
Companies face potential multi-million dollar fines and lawsuits if data on decommissioned devices is not adequately erased before disposal. Morgan Stanley incurred $155 million in total liabilities due to improper disposal of hard drives containing sensitive customer information. The incident involved a third-party vendor selling unwiped devices, highlighting the importance of vendor oversight and accountability. Proper data sanitization requires adherence to guidelines such as NIST 800-88, which recommends methods based on data sensitivity and risk. Organizations can opt for third-party sanitization services, which offer verification and certification, or utilize software solutions for in-house data erasure. Ensuring data destruction compliance is critical, as regulations like HIPAA and the FTC Disposal Rule impose strict requirements on handling personal information. Asset recovery programs from OEMs like Dell and HP provide environmentally responsible options that can offset costs through equipment resale.
2025-09-13 14:04:57 | bleepingcomputer | MALWARE | WhiteCobra Targets VSCode Users with Malicious Crypto-Stealing Extensions
WhiteCobra has infiltrated the Visual Studio marketplace and Open VSX registry with 24 malicious extensions, targeting VSCode, Cursor, and Windsurf users. The extensions appear legitimate, boasting professional design and inflated download counts, making them difficult to distinguish from genuine products. WhiteCobra's campaign includes a wallet-draining mechanism that starts by executing a seemingly benign file, which then triggers a secondary script. The malicious payloads are platform-specific, deploying LummaStealer malware on Windows and an unknown malware family on macOS. WhiteCobra previously executed a $500,000 crypto-theft using a fake Cursor editor extension, indicating a well-organized and persistent threat. Koi Security emphasizes the need for improved verification mechanisms on extension platforms to prevent such malicious activities. Users are advised to scrutinize extensions for impersonation attempts and rely on known, reputable projects to mitigate risks.
2025-09-13 09:09:18 | thehackernews | DATA BREACH | FBI Warns of Salesforce Data Breaches by UNC6040 and UNC6395
The FBI issued a flash alert about UNC6040 and UNC6395, cybercriminal groups targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens in the Salesloft Drift application, linked to a GitHub breach from March to June 2025. Salesloft has responded by isolating Drift infrastructure, taking the AI chatbot offline, and enhancing security with multi-factor authentication and GitHub hardening. UNC6040, active since October 2024, uses vishing to gain access to Salesforce instances, employing modified Salesforce Data Loader and custom scripts for data exfiltration. Extortion activities by UNC6040 are linked to another cluster, UNC6240, claiming to be ShinyHunters, which may escalate tactics by launching a data leak site. ShinyHunters, Scattered Spider, and LAPSUS$ have reportedly consolidated efforts but announced a temporary shutdown, likely to avoid law enforcement scrutiny. Despite the group's claims of going dark, experts caution that such pauses are often temporary, and organizations should remain vigilant against potential data resurfacing and persistent threats.
2025-09-12 23:09:54 | theregister | MALWARE | HybridPetya Ransomware Exploits UEFI Vulnerability in New Bootkit Threat
ESET researchers have uncovered HybridPetya, a new ransomware strain capable of bypassing UEFI Secure Boot by exploiting a patched vulnerability (CVE-2024-7344) on Windows systems where the vulnerable binary has not yet been revoked. HybridPetya combines features of the infamous Petya and NotPetya, encrypting the Master File Table on NTFS partitions and displaying a fake Windows "CHKDSK" message during the encryption process. The ransomware remains a proof-of-concept with no current evidence of active deployment in the wild, but its technical capabilities pose a potential future threat. Unlike NotPetya, HybridPetya functions as true ransomware, allowing decryption of files upon payment, rather than simply wiping data. The bootkit works by installing a malicious EFI application, responsible for encryption, on the EFI System Partition, compromising modern UEFI-based systems. Microsoft's revocation of the vulnerable binary in the dbx on updated machines mitigates the immediate risk, though vigilance is advised for unpatched systems. This discovery adds to a growing list of Secure Boot bypasses, including BlackLotus and Bootkitty, emphasizing the need for ongoing monitoring and patch management.
2025-09-12 19:30:30 | theregister | VULNERABILITIES | Samsung and Apple Address Critical Vulnerabilities in Targeted Attacks
Samsung patched a critical Android vulnerability (CVE-2025-21043) that allowed remote code execution, affecting devices running Android OS versions 13 through 16. The flaw, found in the image processing library libimagecodec.quram.so, was exploited in the wild before the patch, potentially impacting apps like WhatsApp. Meta and WhatsApp's security teams reported the vulnerability to Samsung, indicating a possible link to a similar Apple OS-level flaw (CVE-2025-43300). Apple's vulnerability, also an out-of-bounds write issue, was patched on August 20, addressing a sophisticated attack vector targeting specific users. Amnesty International's Security Lab is investigating these attacks, suggesting involvement of a commercial surveillanceware vendor targeting civil society individuals. The incidents underline the critical need for timely vulnerability management and cross-platform collaboration in addressing emerging threats. While Samsung and Meta have not disclosed specific attackers, the nature of the attacks points to highly targeted campaigns, raising concerns over digital privacy.
2025-09-12 17:26:29 | bleepingcomputer | MALWARE | New HybridPetya Ransomware Bypasses UEFI Secure Boot Protection
HybridPetya, a new ransomware strain, can bypass UEFI Secure Boot to install malicious applications, posing a significant threat to system security. Inspired by Petya/NotPetya, HybridPetya encrypts systems and demands a $1,000 Bitcoin ransom for decryption, mimicking the appearance of those earlier destructive attacks. ESET researchers discovered HybridPetya on VirusTotal, noting its potential as a research project or early-stage cybercrime tool. The ransomware exploits CVE-2024-7344, a vulnerability in a Microsoft-signed UEFI application, allowing bootkit deployment even with Secure Boot active. HybridPetya installs into the EFI System Partition, replacing critical boot files and using a Salsa20 key for encryption, similar to NotPetya tactics. Microsoft addressed CVE-2024-7344 in the January 2025 Patch Tuesday update, emphasizing the importance of timely security updates for protection. Indicators of compromise for HybridPetya are available on GitHub, aiding in defense against this emerging threat. Maintaining offline backups remains a crucial strategy for ransomware defense, ensuring data recovery without ransom payment.
2025-09-12 17:18:05 | theregister | VULNERABILITIES | CISA Seeks Greater Control Over CVE Program Amid Governance Debate
CISA has released a vision document aiming to take a dominant role in the future of the Common Vulnerabilities and Exposures (CVE) program, a global standard for vulnerability identification. Earlier this year, the CVE program faced potential shutdown when CISA nearly allowed MITRE's contract to expire, later extending it through March 2026. The CVE Foundation, formed by board members, advocates for transitioning the program to a nonprofit entity with international coordination and diverse funding, opposing CISA's control. Nicholas Andersen, CISA's Executive Assistant Director for Cybersecurity, asserts that a government-led system is essential for national cyber defense, dismissing privatization due to potential conflicts of interest. The vision document suggests CISA seeks to correct past missteps and establish long-term stewardship, emphasizing the need for government oversight over alternative governance models. MITRE, the nonprofit managing CVE since 1999, remains committed to supporting CISA and its partners, despite the current governance challenges. The ongoing debate over CVE's governance highlights the complexities of balancing national security interests with the need for transparent and diversified management.
2025-09-12 16:25:28 | bleepingcomputer | VULNERABILITIES | CISA Alerts on Critical RCE Flaw in Dassault's DELMIA Apriso
CISA has issued a warning about a critical remote code execution vulnerability in DELMIA Apriso, a manufacturing management solution by Dassault Systèmes. The vulnerability, CVE-2025-5086, has a critical severity score of 9.0 and affects all DELMIA Apriso versions from Release 2020 to 2025. This flaw involves deserialization of untrusted data, potentially allowing attackers to execute arbitrary code remotely on affected systems. Active exploitation attempts have been observed, involving malicious SOAP requests that load and execute a harmful .NET executable. CISA has added this vulnerability to its Known Exploited Vulnerabilities list, urging federal agencies to apply patches by October 2. While the directive is mandatory for federal entities, global enterprises using DELMIA Apriso should also heed the warning and implement necessary security measures. The vulnerability impacts industries such as automotive, aerospace, and electronics, where DELMIA Apriso is integral to production and quality management processes.
2025-09-12 15:19:43 | thehackernews | VULNERABILITIES | Samsung Patches Critical Zero-Day Vulnerability in Android Devices
Samsung released a security update addressing CVE-2025-21043, a critical vulnerability allowing arbitrary code execution on Android devices. The flaw, rated 8.8 on the CVSS scale, involves an out-of-bounds write in the libimagecodec.quram.so library. Affected Android versions include 13 through 16, with the vulnerability privately disclosed to Samsung in August 2025. Samsung confirmed the vulnerability had been exploited in the wild but did not provide details on the attackers or specific exploitation methods. This patch follows Google's recent fixes for two other Android vulnerabilities, indicating ongoing targeted attacks on the platform. Organizations using Samsung Android devices should prioritize applying the latest security updates to mitigate potential risks. The incident underscores the importance of timely vulnerability management and collaboration between vendors and security researchers.
2025-09-12 14:55:22 | thehackernews | DATA BREACH | Apple Warns French Users of Fourth Spyware Campaign in 2025
Apple has alerted French users about a new spyware campaign targeting their devices, marking the fourth notification of such attacks in 2025. The targeted attacks focus on individuals with significant roles, including journalists, lawyers, and politicians, according to CERT-FR. The campaign exploits a security flaw in WhatsApp (CVE-2025-55177) and an Apple iOS bug (CVE-2025-43300) to execute zero-click attacks. WhatsApp has notified fewer than 200 users potentially affected by these sophisticated threats. Apple has introduced Memory Integrity Enforcement in new iPhone models to counteract memory corruption vulnerabilities and hinder spyware deployment. A recent Atlantic Council report notes a sharp increase in U.S. investments in spyware technology, surpassing other nations like Israel and Italy. The report identifies numerous new entities in the spyware market, highlighting the growing complexity and global reach of this industry.
2025-09-12 14:36:06 | theregister | CYBERCRIME | Cyber Attack Disrupts University of Amsterdam's Smart Laundry Services
An attack on smart laundry machines at the University of Amsterdam's Spinozacampus has impacted 1,250 students, leaving them without convenient laundry services since July. The digital payment system of five machines was compromised, allowing free use until management decided to close the facility due to financial losses. Duwo, the building management company, has not resolved the issue and refuses to absorb the costs, citing the need for income to maintain affordable services. Students face operational challenges, with only one analog machine available, leading to fears of hygiene issues such as lice infestations. The University of Amsterdam has not provided additional support, directing inquiries back to Duwo, leaving students to find alternative laundry solutions. This incident exemplifies the vulnerabilities of IoT devices; attacks on such systems have risen significantly in recent years. The situation underscores the importance of robust cybersecurity measures for IoT devices to prevent similar disruptions in essential services.
2025-09-12 14:07:02 | bleepingcomputer | MISCELLANEOUS | Essential Cyberattack Response: Clarity, Control, and Recovery Lifelines
Cyberattacks require immediate clarity, control, and a reliable recovery plan to mitigate damage and ensure swift recovery. Real-time visibility is crucial for identifying the nature of the attack and determining compromised systems, enabling informed decision-making. Effective control involves containing the attack's spread through predefined roles, playbooks, and integrated incident response technologies. A robust backup and recovery solution acts as a lifeline, restoring systems and maintaining client trust post-attack. Preparation, including advanced monitoring and incident response planning, differentiates successful recovery from potential disaster. The Acronis Threat Research Unit emphasizes the importance of readiness in cybersecurity, providing insights and support to IT teams.
2025-09-12 12:14:46 | thehackernews | VULNERABILITIES | Critical Vulnerability in DELMIA Apriso Software Actively Exploited Globally
CISA has added CVE-2025-5086, a critical flaw in Dassault Systèmes DELMIA Apriso software, to its Known Exploited Vulnerabilities catalog due to active exploitation. The vulnerability, affecting versions from Release 2020 to 2025, allows remote code execution through deserialization of untrusted data, posing significant security risks. Exploitation attempts have been traced to an IP address in Mexico, involving HTTP requests with Base64-encoded payloads targeting specific software endpoints. The payload decodes to a GZIP-compressed Windows DLL, identified as "Trojan.MSIL.Zapchast.gen," capable of electronic surveillance and data exfiltration. "Trojan.MSIL.Zapchast.gen" has been linked to phishing campaigns over the past decade, with capabilities to capture keystrokes, screenshots, and active application lists. Federal Civilian Executive Branch agencies have been instructed to implement necessary updates by October 2, 2025, to mitigate potential threats. Organizations using affected software should prioritize patching and monitoring for unusual network activity to protect against exploitation.
2025-09-12 11:55:03 | thehackernews | MALWARE | New HybridPetya Ransomware Exploits UEFI Secure Boot Vulnerability
HybridPetya, a new ransomware strain, has been identified by ESET, capable of bypassing UEFI Secure Boot using a patched vulnerability, CVE-2024-7344, affecting UEFI-based systems. Unlike its predecessors, HybridPetya encrypts the Master File Table on NTFS partitions, using a malicious EFI application to compromise systems. The ransomware comprises a bootkit and installer, with the bootkit encrypting files and displaying misleading messages to victims, demanding $1,000 in Bitcoin for decryption. Select variants exploit a remote code execution vulnerability in the Howyar Reloader UEFI application, bypassing Secure Boot by loading a cloaked bootkit binary. Microsoft addressed the vulnerability in its January 2025 Patch Tuesday update, revoking the vulnerable binary to mitigate the threat. ESET's telemetry indicates no active deployment of HybridPetya in the wild, suggesting it may be a proof-of-concept rather than a widespread threat. The emergence of HybridPetya underscores the increasing interest in Secure Boot bypasses among both researchers and malicious actors, posing ongoing challenges to system security.