Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11792
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-09-04 18:58:51 | bleepingcomputer | VULNERABILITIES | Sitecore Zero-Day Flaw Exploited to Deploy Reconnaissance Malware | Threat actors exploited a zero-day vulnerability, CVE-2025-53690, in legacy Sitecore deployments to gain remote code execution through ASP.NET ViewState deserialization.
The flaw is a key-management failure rather than a code bug: a sample ASP.NET machine key published in Sitecore deployment documentation was copied into production web.config files, and anyone holding the validationKey can sign a malicious ViewState that the server accepts and deserializes.
Mandiant discovered the exploitation, in which the attackers deployed the WeepSteel reconnaissance malware to collect system and network data and return it disguised as a normal ViewState response.
The attackers then escalated privileges by creating administrator accounts and disabling password expiration, and used tools such as Earthworm (tunnelling) and Dwagent (remote access) for persistence and data exfiltration.
Sitecore's security bulletin advises customers on affected versions (up to 9.0) to immediately replace the static <machineKey> values in web.config and encrypt the section.
XM Cloud and other Sitecore-managed services are not impacted, but self-hosted multi-instance deployments, which must share one fixed key across servers, remain at risk for as long as the sample key is in place.
Treating machine keys as secrets and rotating them on a schedule is recommended to prevent the same class of attack. | Details |
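The Sitecore item turns on a single fact: the ViewState MAC is only as strong as the secrecy of validationKey, so a key copied from documentation lets anyone forge a signed ViewState and reach the deserializer. The following Python is an added example written for this brief, not Sitecore's, Mandiant's or Microsoft's code. It audits a web.config for a static or known-sample <machineKey> and rotates it; the sample key, its fingerprint list and the web.config are constructed placeholders, and the real published key should be tracked by its SHA-256 hash rather than copied around, which is why the audit compares fingerprints.

```python
"""Audit and rotate the ASP.NET <machineKey> in a web.config.

Added example for this brief; it is not Sitecore's, Mandiant's or Microsoft's
code.  The sample key, its fingerprint list and the web.config below are all
constructed placeholders for demonstration.
"""
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Lengths matching the ASP.NET 4.x defaults: HMACSHA256 validation (64 bytes)
# and AES decryption (32 bytes), written as upper-case hex like IIS Manager does.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32


def fingerprint(key_hex):
    """SHA-256 of a normalised key, so known sample keys can be tracked by hash
    instead of being copied around in clear text."""
    return hashlib.sha256(key_hex.strip().upper().encode()).hexdigest()


def audit_machine_key(web_config_xml, sample_fingerprints):
    """Classify the <system.web><machineKey> element of a web.config.

    status is one of:
      'missing'      - no machineKey element (ASP.NET auto-generates per server)
      'autogenerate' - explicit AutoGenerate[,IsolateApps] on both keys
      'sample'       - static key whose fingerprint matches a published sample;
                       treat every server using it as compromised
      'static'       - fixed key not on the sample list; rotate on a schedule
                       and keep the section encrypted
    """
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return {"status": "missing", "attrs": {}}
    attrs = dict(mk.attrib)
    vkey = attrs.get("validationKey", "AutoGenerate")
    dkey = attrs.get("decryptionKey", "AutoGenerate")
    if vkey.startswith("AutoGenerate") and dkey.startswith("AutoGenerate"):
        return {"status": "autogenerate", "attrs": attrs}
    # Either key matching a sample is enough: validationKey signs ViewState
    # (the path exploited here), decryptionKey protects encrypted ViewState.
    if {fingerprint(vkey), fingerprint(dkey)} & sample_fingerprints:
        return {"status": "sample", "attrs": attrs}
    return {"status": "static", "attrs": attrs}


def new_machine_key():
    """Fresh random key material.  In a multi-instance deployment every server
    must carry the same values, so generate once and distribute securely."""
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(web_config_xml, keys=None):
    """Return web.config text with <machineKey> replaced (or created) using the
    given or freshly generated keys.  ElementTree drops XML comments, so run
    this on a copy and review the diff before deploying."""
    keys = keys or new_machine_key()
    root = ET.fromstring(web_config_xml)
    system_web = root.find("./system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    mk.attrib.clear()
    mk.attrib.update(keys)
    return ET.tostring(root, encoding="unicode")


# Constructed placeholder standing in for a key published in documentation.
# It is NOT the real Sitecore sample key; track the real one by its SHA-256.
CONSTRUCTED_SAMPLE_VKEY = "0123456789ABCDEF" * 8      # 128 hex chars
SAMPLE_FINGERPRINTS = {fingerprint(CONSTRUCTED_SAMPLE_VKEY)}

# Constructed web.config that copied the sample key verbatim.
WEB_CONFIG_WITH_SAMPLE_KEY = """<configuration>
  <system.web>
    <machineKey validationKey="%s"
                decryptionKey="%s"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>""" % (CONSTRUCTED_SAMPLE_VKEY, "FEDCBA9876543210" * 4)

if __name__ == "__main__":
    before = audit_machine_key(WEB_CONFIG_WITH_SAMPLE_KEY, SAMPLE_FINGERPRINTS)
    rotated = rotate_machine_key(WEB_CONFIG_WITH_SAMPLE_KEY)
    after = audit_machine_key(rotated, SAMPLE_FINGERPRINTS)
    print("before rotation:", before["status"])   # sample
    print("after rotation: ", after["status"])    # static (fresh, not yet encrypted)
```

The rotated file still reports "static" by design: a farm behind a load balancer needs one shared fixed key, so the remediation is a fresh key plus encryption of the section (for example with aspnet_regiis.exe -pef "system.web/machineKey" on the site directory) deployed to every instance, not removal of the element. Run the audit across all web.config copies, since a single instance left on the old key keeps the whole deployment exploitable.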
| 2025-09-04 18:16:34 | thehackernews | NATION STATE ACTIVITY | APT28 Exploits Outlook Backdoor in NATO Member Cyber Attacks | Russian state-sponsored group APT28 has deployed a new Outlook backdoor, tracked as NotDoor, against companies in several sectors within NATO member countries.
NotDoor is a VBA macro for Outlook that watches incoming mail for specific trigger words and, when it sees one, executes the embedded commands and exfiltrates data from the compromised host.
It is delivered through DLL side-loading: the legitimate, signed OneDrive.exe binary is abused to load a malicious DLL, which installs the VBA backdoor and turns off Outlook's macro security protections.
The VBA code is obfuscated, and PowerShell commands are used to establish persistence and evade detection, including suppressing Outlook's dialog prompts so the user sees no warning.
The attack chain creates a staging folder for exfiltration and sends the stolen data, under custom encryption, to a Proton Mail address.
The operation combines heavy obfuscation with abuse of legitimate cloud services, which keeps its traffic low-profile and complicates attribution and threat intelligence.
The incident underscores the need for robust email security controls, restrictions on Outlook macros, and vigilance against nation-state threats. | Details |
| 2025-09-04 18:08:25 | bleepingcomputer | DATA BREACH | Texas Sues PowerSchool Over Massive Student Data Breach Incident | Texas Attorney General Ken Paxton filed a lawsuit against PowerSchool after a breach exposed data of 62 million students, including 880,000 Texans, in December 2024.
The attacker got in with credentials stolen from a subcontractor and then demanded $2.85 million in Bitcoin in exchange for not publishing the data.
Exposed data included names, addresses, phone numbers, passwords, Social Security numbers, and medical information of students and faculty.
PowerSchool's security failures were cited as violations of the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act.
The attacker, identified as 19-year-old Matthew D. Lane, pleaded guilty to orchestrating the breach and subsequent extortion attempts on school districts.
PowerSchool admitted paying the ransom, but the attacker went on to extort individual school districts, threatening to release the data unless they also paid.
A CrowdStrike investigation uncovered additional breaches in August and September 2024, but could not confirm if the same attacker was responsible.
The incident raises significant concerns over data security in educational institutions and the handling of sensitive information by third-party providers. | Details |
| 2025-09-04 18:01:28 | thehackernews | MALWARE | GhostRedirector Compromises 65 Servers with Rungan Backdoor and Gamshen Module | GhostRedirector, a newly identified threat cluster, has compromised at least 65 Windows servers, mainly in Brazil, Thailand and Vietnam, deploying the Rungan backdoor and the Gamshen IIS module.
ESET researchers identified the malware; Gamshen manipulates search engine results to boost the rankings of the attackers' target websites, which can damage the reputation of the compromised hosts.
Initial access most likely came through SQL injection flaws, after which PowerShell was used to pull additional tools from a staging server.
Rungan is a passive backdoor that waits for requests to specific URLs and executes the commands embedded in them, while Gamshen commits SEO fraud by altering the server's responses only when the visitor is Googlebot, so ordinary users see an unmodified site.
GhostRedirector is suspected to be China-aligned, evidenced by hard-coded Chinese strings and a code-signing certificate linked to Shenzhen Diyuan Technology Co., Ltd.
The group maintains long-term access by deploying multiple remote access tools and creating rogue user accounts on the servers.
Victims span education, healthcare, insurance, transportation, technology and retail, with additional compromised servers in Peru, the U.S., Canada, Finland, India, the Netherlands, the Philippines and Singapore. | Details |
| 2025-09-04 17:55:41 | bleepingcomputer | DATA BREACH | Chess.com Data Breach Affects Thousands via Third-Party Application | Chess.com reported a data breach involving unauthorized access to a third-party file transfer application, impacting over 4,500 users, a small fraction of its 100 million user base.
The breach occurred from June 5 to June 18, 2025, and was discovered on June 19, prompting an immediate investigation and notification to law enforcement.
Chess.com's own infrastructure and member accounts were not compromised; the intrusion was confined to the third-party file transfer application the platform used.
Exposed data includes names and other personally identifiable information, though no financial data was compromised, and there is no evidence of data misuse.
Chess.com has enhanced security measures and is providing affected users with 1-2 years of free identity theft and credit monitoring services.
Users are encouraged to enroll in the monitoring services by December 3, 2025, to mitigate potential risks.
This incident follows a previous cyber event in November 2023, where 800,000 user records were scraped due to an API flaw. | Details |
| 2025-09-04 16:23:11 | bleepingcomputer | VULNERABILITIES | TP-Link Zero-Day and Exploited Flaws Prompt Urgent Security Measures | TP-Link confirmed a zero-day vulnerability affecting multiple router models, first reported to it by researcher Mehrun in May 2024; a patch has been developed for European models, with fixes for other regions still pending.
The bug is a stack-based buffer overflow in TP-Link's CWMP (TR-069) implementation that can be triggered by crafted SOAP messages, potentially allowing remote code execution by an attacker positioned as the router's CWMP management server (for example after redirecting the router to a rogue server).
Exploitation could lead to DNS rerouting, traffic interception and payload injection, posing significant risks to affected networks.
Separately, CISA added two other TP-Link vulnerabilities, CVE-2023-50224 and CVE-2025-9377, to its Known Exploited Vulnerabilities catalog; both are exploited by the Quad7 botnet.
Quad7 uses the compromised routers as relays for malicious activity, including password spray attacks against cloud services to steal credentials.
TP-Link advises users to update firmware, change default passwords, and disable CWMP if it is not needed, to reduce exposure until comprehensive patches are available.
Organizations should consider network segmentation and enhanced monitoring to protect critical infrastructure from potential exploitation. | Details |
| 2025-09-04 16:00:17 | bleepingcomputer | MISCELLANEOUS | Google Fined €325 Million for Breaching French Cookie Regulations | The French data protection authority, CNIL, fined Google €325 million for displaying advertisements inside Gmail inboxes without user consent and for setting advertising cookies without valid consent, in breach of French cookie rules.
Investigations conducted from 2022 to 2023 found that Google breached Article L. 34-5 of the French Postal and Electronic Communications Code, which governs direct marketing by electronic mail, affecting over 74 million accounts.
Google also failed to inform new users clearly, at account creation, that cookies would be set for advertising purposes, breaching Article 82 of the French Data Protection Act.
CNIL noted Google's negligence, referencing previous fines in 2020 and 2021 for similar cookie-related violations.
The fine reflects the significant number of affected users in France, with 53 million individuals exposed to unauthorized advertisements.
CNIL remains vigilant on cookie compliance, warning against non-consensual practices and the use of 'cookie walls' to access services.
On the same day, CNIL fined Shein's Irish subsidiary €150 million for similar cookie consent violations. | Details |
| 2025-09-04 14:08:33 | bleepingcomputer | VULNERABILITIES | Key Browser-Based Attack Techniques Threatening Security in 2025 | Browser-based attacks increasingly target business applications and data directly, since work now spans hundreds of SaaS apps reached through the browser and many communication channels beyond corporate email.
Phishing has evolved: reverse-proxy Attacker-in-the-Middle kits relay the real login page and capture the resulting session cookie, defeating OTP and push-based MFA (only phishing-resistant, origin-bound methods such as FIDO2 passkeys hold up) and leaving little for network or endpoint tools to detect.
ClickFix attacks trick users into copying and running attacker-supplied commands themselves, often via fake CAPTCHA or error pages, which sidesteps endpoint controls and works on unmanaged personal or BYOD devices.
Malicious OAuth integrations (consent phishing) persuade a user to grant a rogue app permissions to business apps; the resulting tokens work without the user's password or MFA, so the access bypasses the normal login and its controls.
Attackers also use malicious browser extensions to capture logins and session cookies; compromised extensions have affected millions of users.
Malicious file delivery remains a core distribution method, with files used both to redirect users to phishing pages and to drop malware.
Stolen credentials and MFA gaps continue to enable account takeovers, highlighting the need for login monitoring and MFA enforcement across every app, not just the identity provider.
Push Security offers a browser-based security platform to detect and respond to these threats, addressing the blind spots in current security measures. | Details |
| 2025-09-04 13:48:02 | bleepingcomputer | CYBERCRIME | Bridgestone Cyberattack Disrupts North American Manufacturing Operations | Bridgestone Americas confirmed a cyberattack affecting manufacturing facilities in North America, including sites in South Carolina and Quebec. The company is actively investigating the incident.
According to Bridgestone's initial assessment, rapid containment measures prevented the theft of customer data and deeper infiltration of its network.
The disruption could potentially lead to supply chain issues and product shortages, as the company works to restore full operational capacity.
Bridgestone's response team is operating around the clock to mitigate impacts and ensure business continuity, prioritizing data protection and customer obligations.
No ransomware groups have claimed responsibility, and the nature of the attack remains unspecified, though past incidents involved ransomware.
The 2022 LockBit ransomware incident at Bridgestone serves as a reminder of the ongoing threat landscape for large manufacturing entities.
The incident underscores the importance of robust cybersecurity protocols and rapid response capabilities in mitigating operational disruptions. | Details |
| 2025-09-04 12:09:04 | theregister | MISCELLANEOUS | Enterprises Face $7.3 Billion Cost for Windows 10 Extended Support | With free support for most Windows 10 editions ending on October 14, 2025, enterprises could spend about $7.3 billion on Extended Security Updates to keep unmigrated devices patched.
Nexthink's analysis suggests approximately 181 million enterprise devices still run Windows 10, with a significant portion likely to miss the deadline.
Enterprise Extended Security Updates cost $61 per device for the first year and double in price in each of the two following years, a significant budget hit for organizations that delay moving to a newer operating system.
Nexthink reports Windows 11 exhibits higher instability, with more system crashes and hard resets compared to Windows 10, complicating migration decisions.
Driver issues and poorly planned migrations are identified as primary causes of Windows 11's instability, rather than Microsoft's quality control.
Nexthink advises that operating system migrations should focus on enhancing employee experience and performance, not just compliance, to ensure successful transitions.
With millions of migrations pending, organizations must strategize effectively to mitigate disruption and enhance operational efficiency. | Details |
| 2025-09-04 12:01:47 | bleepingcomputer | VULNERABILITIES | Microsoft Patch Causes User Account Control Issues on Windows | Microsoft's August 2025 security updates have led to unexpected User Account Control prompts, affecting app installations for non-admin users across all supported Windows versions.
The behaviour stems from the fix for CVE-2025-50173, a Windows Installer elevation-of-privilege vulnerability caused by weak authentication; the hardening makes Windows Installer demand administrator credentials in situations where it previously ran silently.
Affected scenarios include running MSI repair commands, installing user-specific applications, and executing Windows Installer during Active Setup, impacting standard user operations.
The change impacts deployment through Configuration Manager and the use of Autodesk applications like AutoCAD, Civil 3D, and Inventor CAM.
Microsoft is developing a fix to permit certain apps to bypass UAC prompts during MSI repair operations, with a release planned in an upcoming update.
Until then, the temporary workaround is to run the affected application as an administrator or, in managed environments, to apply the Known Issue Rollback through Group Policy.
The same updates also broke NDI streaming software on Windows 10 and 11; separately, Microsoft found no link between the updates and reports of SSD and HDD data corruption. | Details |
| 2025-09-04 10:24:52 | thehackernews | MALWARE | Cybercriminals Exploit AI on Platform X to Spread Malware | Cybercriminals are abusing Grok, the AI assistant built into X, to bypass the platform's malvertising protections and push malicious links to millions of users.
Guardio Labs identified the technique, dubbed Grokking: attackers run promoted video posts that carry no visible link, hiding the URL in a small metadata field (the "From:" field) that X's link scanning does not check.
The attackers then reply to their own post and ask Grok where the video comes from; Grok answers by quoting the hidden link as a clickable URL, amplifying it with the reach and domain reputation of a trusted system account and boosting its search engine ranking.
The links lead through a Traffic Distribution System (TDS) to ad networks that serve fake CAPTCHA scams and information-stealing malware.
Hundreds of accounts have been identified using this method, posting continuously until suspended for policy violations, which indicates a highly organized operation.
The incident shows how an AI assistant can be used to launder content a platform already blocks, underlining the need to apply link policies and monitoring to model output as well as to user posts. | Details |
| 2025-09-04 10:15:17 | thehackernews | MISCELLANEOUS | Google and Shein Fined for Cookie Consent Violations in France | The French data protection authority fined Google €325 million (about $379 million) and Shein €150 million (about $175 million) for setting advertising cookies without user consent, in violation of French data protection law.
Google encouraged users to accept cookies for personalized ads, failing to inform them clearly about the implications, breaching Article 82 of the French Data Protection Act.
Shein has updated its systems to comply with regulations but plans to appeal the decision, indicating potential legal proceedings.
Google must comply with new cookie consent regulations within six months or face additional penalties of €100,000 per day.
A U.S. jury recently found Google violated user privacy by collecting data post opt-out, leading to a $425 million compensatory damages award.
The U.S. FTC fined Disney $10 million for collecting children's data without parental consent, requiring compliance with COPPA regulations.
The FTC is also addressing privacy violations by Apitor Technology for unauthorized collection of children's geolocation data via a third-party SDK. | Details |
| 2025-09-04 10:07:28 | thehackernews | VULNERABILITIES | CISA Alerts on Exploited TP-Link Router Vulnerabilities | CISA has added two TP-Link router vulnerabilities, CVE-2023-50224 and CVE-2025-9377, to its Known Exploited Vulnerabilities catalog due to active exploitation evidence.
TP-Link routers affected by these flaws have reached end-of-life status, meaning they no longer receive active support or security updates.
Despite the end-of-life status, TP-Link released firmware updates in November 2024 to address these vulnerabilities, responding to malicious exploitation activities.
The vulnerabilities are linked to the Quad7 botnet, used by a China-linked threat actor, Storm-0940, for conducting evasive password spray attacks.
Federal Civilian Executive Branch agencies are advised to implement necessary mitigations by September 24, 2025, to protect their networks from potential threats.
This alert follows a similar CISA action on another TP-Link vulnerability, CVE-2020-24363, affecting the TL-WA855RE Wi-Fi Range Extender.
Organizations are encouraged to upgrade to newer hardware to ensure continued security and optimal performance against emerging threats. | Details |
| 2025-09-04 08:31:46 | theregister | MISCELLANEOUS | Sainsbury's Trials Facial Recognition to Combat Rising Shoplifting | Sainsbury's has initiated an eight-week trial of live facial recognition technology in two stores to address increasing shoplifting incidents and ensure staff and customer safety.
The trial follows a survey indicating 63% customer support for using facial recognition to identify repeat offenders, amidst rising retail crime rates in the UK.
The British Retail Consortium reports a 25% increase in theft incidents over the past year, costing the industry £2.2 billion, with significant daily violence against shopworkers.
Privacy campaigners, including Big Brother Watch, express concerns over potential false accusations and privacy violations, urging a halt to the trial and government intervention.
Sainsbury's CEO emphasizes the focus on identifying serious offenders, not monitoring customers, with non-recognized facial data deleted immediately to address privacy concerns.
Other UK retailers, such as Asda and Iceland, are also exploring facial recognition technology to mitigate shoplifting and protect employees from rising threats and violence.
The trial reflects a broader trend in the retail sector towards adopting advanced surveillance technologies to combat crime, despite ongoing privacy debates. | Details |