Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11801
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-08-20 18:48:33 | bleepingcomputer | VULNERABILITIES | Apple Releases Emergency Patch for Exploited Zero-Day Vulnerability | Apple has issued emergency updates to address a zero-day vulnerability, CVE-2025-43300, exploited in sophisticated attacks against targeted individuals. The flaw, an out-of-bounds write in the Image I/O framework, can lead to memory corruption and potentially allow remote code execution. Impacted devices span a wide range of both older and newer Apple models, necessitating urgent updates to iOS, iPadOS, and macOS versions. Improved bounds checking has been implemented to mitigate this vulnerability, enhancing security against malicious image file processing. This marks the sixth zero-day Apple has patched this year, reflecting ongoing challenges in securing its ecosystem against advanced threats. Users are strongly advised to install the latest security updates immediately to protect against potential exploitation. Details on the attacks remain undisclosed, but the nature of the flaw suggests targeted exploitation, emphasizing the importance of timely patching. | Details |
| 2025-08-20 18:25:06 | theregister | NATION STATE ACTIVITY | Russian Spies Exploit Cisco Bug in Critical Infrastructure Networks | The FBI and Cisco Talos have identified Russian government spies exploiting a seven-year-old Cisco bug in end-of-life devices to infiltrate U.S. critical infrastructure networks. The actors, linked to Russia's FSB, have targeted thousands of networking devices, modifying configurations to enable unauthorized access and collect sensitive information. The exploitation leverages legacy, unencrypted protocols such as Cisco Smart Install and SNMP, with some devices affected by the CVE-2018-0171 vulnerability. Cisco urges immediate upgrades to patched software versions and adherence to security best practices to mitigate ongoing risks. The campaign impacts sectors including telecommunications, higher education, and manufacturing across multiple continents, focusing on strategic interests of the Russian government. The operation aims to gather configuration data for potential future use, with other state-sponsored actors likely pursuing similar activities. Organizations are advised to remain vigilant and consider the broader threat landscape posed by advanced persistent threats targeting outdated infrastructure. | Details |
| 2025-08-20 17:54:13 | thehackernews | VULNERABILITIES | Password Managers Vulnerable to DOM-Based Extension Clickjacking Attacks | Security researcher Marek Tóth revealed a clickjacking vulnerability affecting popular password manager browser extensions, potentially exposing millions of users to credential and data theft. The attack, termed DOM-based extension clickjacking, manipulates UI elements in web pages, allowing attackers to steal login credentials, 2FA codes, and credit card details. The vulnerability impacts 11 widely-used password managers, including 1Password and iCloud Passwords, by exploiting auto-fill features in browser extensions. Attackers can create fake sites with invisible forms, tricking users into auto-filling credentials, which are then sent to a remote server. Responsible disclosure has led to some vendors, like Bitwarden and Enpass, working on fixes, while others have yet to release patches. Users are advised to disable auto-fill features and configure browser extensions to require manual permission for site access to mitigate risks. US-CERT has been contacted to assign CVE identifiers to these vulnerabilities, highlighting the need for swift vendor response and user awareness. | Details |
| 2025-08-20 17:46:00 | bleepingcomputer | DDOS | U.S. DoJ Shuts Down Rapper Bot DDoS-for-Hire Network | The U.S. Department of Justice charged Ethan Foltz, 22, with operating the Rapper Bot DDoS-for-hire network, impacting over 18,000 entities in 80 countries. Operation PowerOff led to the seizure of the botnet on August 6, dismantling its infrastructure and halting its malicious activities. Rapper Bot, active since 2021, utilized Mirai-based malware to compromise tens of thousands of DVRs and routers, achieving attack bandwidths of 2 to 6 Tbps. The botnet targeted diverse sectors, including U.S. government systems, media platforms, and tech firms, often involving extortion tactics. Amazon Web Services played a crucial role in tracing the botnet's command and control infrastructure, aiding law enforcement efforts. The botnet's infrastructure showed no signs of resurgence, indicating a successful operation with no backup command centers detected. Foltz faces charges of aiding and abetting computer intrusions, with a potential sentence of up to ten years, although he remains free on a summons. | Details |
| 2025-08-20 17:10:35 | theregister | VULNERABILITIES | Commvault Patches Critical Exploitable Vulnerabilities in Backup Systems | Commvault has released patches for four vulnerabilities, including two critical unauthenticated remote code execution chains, affecting its backup systems. The first vulnerability chain, involving CVE-2025-57791 and CVE-2025-57790, allows attackers to bypass authentication and execute code as a local admin. Researchers demonstrated that the vulnerabilities could be exploited without preconditions, posing a significant risk to unpatched systems. The second chain, reliant on specific conditions, exploits additional flaws to gain unauthorized admin access and control over the system. Commvault's advisory suggests role-based access control to mitigate risks, though it does not fully prevent exploitation. The company has responded by issuing patches and enhancing security measures such as password hashing in its latest software version. Organizations using Commvault are urged to apply the patches promptly to protect against potential exploitation. This incident underscores the importance of timely patch management and the need for robust security practices in software deployment. | Details |
| 2025-08-20 16:47:44 | theregister | DATA BREACH | TPG Telecom Investigates Data Breach Affecting 280,000 iiNet Customers | TPG Telecom has confirmed a data breach at its subsidiary iiNet, affecting approximately 280,000 customer records, including email addresses, phone numbers, and physical addresses. The breach resulted from the theft of a single employee's credentials, highlighting the persistent risk of credential-based cyberattacks. The compromised data includes active customer email addresses, landline phone numbers, usernames, street addresses, and modem setup passwords. TPG Telecom has engaged external cybersecurity experts to manage the breach's containment and cleanup, ensuring no further unauthorized access. The company is proactively contacting affected customers to provide guidance and assistance, while also notifying unaffected customers to confirm their data security. This incident underscores the critical need for robust credential management and phishing prevention measures to protect sensitive customer information. TPG Telecom's swift response aims to mitigate any potential reputational damage and reassure its extensive customer base across multiple brands. | Details |
| 2025-08-20 16:34:37 | bleepingcomputer | VULNERABILITIES | Agentic AI Browsers Face Security Challenges in Online Interactions | Recent studies reveal agentic AI browsers like Perplexity's Comet are vulnerable to phishing, prompt injection, and fake online shopping schemes. These AI tools, designed for autonomous online tasks, often lack robust security measures against both traditional and novel cyber threats. Guardio's tests demonstrated Comet's susceptibility to purchasing items from fake websites and interacting with phishing emails without user confirmation. In a controlled experiment, Comet completed a purchase on a simulated fake Walmart site, highlighting risks in AI-driven transactions. Another test showed Comet processing a phishing email from a fake Wells Fargo source, leading to potential credential theft scenarios. Prompt injection tests further exposed vulnerabilities, with Comet executing hidden commands embedded in a fake CAPTCHA page. As agentic AI browsers gain popularity, users are advised to manually input sensitive information and avoid delegating critical tasks to these tools. The evolving threat landscape suggests a need for enhanced security protocols as AI models become targets for scalable cyber exploits. | Details |
| 2025-08-20 16:02:15 | thehackernews | NATION STATE ACTIVITY | FBI Warns of FSB-Linked Exploitation of Cisco Devices for Espionage | The FBI has identified a Russian state-sponsored group, Static Tundra, exploiting a critical Cisco vulnerability for cyber espionage. The flaw, CVE-2018-0171, affects Cisco IOS and IOS XE software. Targeted sectors include telecommunications, higher education, and manufacturing across North America, Asia, Africa, and Europe, with a strategic focus on Ukraine and its allies post-2022. The attackers exploit the vulnerability to gain unauthorized access, collect configuration files, and conduct reconnaissance, using tools like SYNful Knock to maintain network persistence. Static Tundra employs SNMP to modify device configurations, allowing additional access and defense evasion by altering TACACS+ settings to disrupt logging. The group uses GRE tunnels to redirect traffic and exfiltrates data via TFTP or FTP, focusing on unpatched and end-of-life network devices for long-term intelligence gathering. Cisco advises patching the vulnerability or disabling Smart Install to mitigate risks, emphasizing the importance of securing network devices to prevent unauthorized access. The campaign reflects Russia's shifting strategic goals, with Static Tundra adapting its operations to align with evolving government priorities. | Details |
| 2025-08-20 15:37:49 | bleepingcomputer | CYBERCRIME | Hackers Exploit ADFS Redirects to Steal Microsoft 365 Credentials | Cybercriminals are using legitimate ADFS redirects to lead users to phishing pages, effectively bypassing traditional URL detection and multi-factor authentication defenses. The attack begins with malicious sponsored links in Google search results, redirecting users through Microsoft's trusted office.com domain to a phishing site. Push Security researchers identified that attackers set up a custom Microsoft tenant to manipulate ADFS, enabling unauthorized credential collection. The phishing campaign does not target specific industries or roles, suggesting it may be an experimental method by threat actors. Attackers used conditional loading to ensure only valid targets reach the phishing page, enhancing the attack's sophistication. Push Security advises monitoring ADFS redirects and scrutinizing ad parameters in Google redirects to detect potential phishing attempts. This technique underscores the need for vigilant security measures, as attackers continue to innovate in bypassing traditional defenses. | Details |
| 2025-08-20 14:52:58 | bleepingcomputer | VULNERABILITIES | Clickjacking Flaws in Major Password Managers Expose User Credentials | Six major password managers, including 1Password and LastPass, are vulnerable to clickjacking flaws, risking exposure of user credentials, 2FA codes, and credit card details. The vulnerabilities allow attackers to overlay invisible HTML elements over password manager interfaces, tricking users into triggering autofill actions on malicious sites. Independent researcher Marek Tóth presented these findings at DEF CON 33, with cybersecurity company Socket verifying and coordinating disclosure with affected vendors. Attack methods include manipulating DOM elements and using scripts that adapt in real-time to identify and exploit the active password manager. While some vendors like Bitwarden have released fixes, others like 1Password have dismissed the issue as a general web risk, leaving users potentially exposed. Users are advised to disable autofill functions and use copy/paste until updates are applied to mitigate the risk of data leakage. The incident reflects the ongoing challenges in securing browser-based password managers against sophisticated web-based attacks. | Details |
| 2025-08-20 14:07:07 | bleepingcomputer | MISCELLANEOUS | Rethinking Email Security: Adopting an EDR-Inspired Approach | Security leaders are urged to innovate email security strategies, moving beyond traditional methods to address evolving threats and business needs. The article draws parallels between the evolution of antivirus to EDR and the current state of email security, advocating for a similar transformation. Traditional email security tools, like secure email gateways, are compared to legacy antivirus solutions, which are limited in preventing sophisticated attacks such as phishing and BEC. Material Security proposes an "EDR for email" approach, emphasizing post-breach protections and limiting the impact of successful attacks. As organizations increasingly use platforms like Microsoft 365 and Google Workspace, email breaches can lead to broader access to sensitive data across various applications. The article suggests that standalone email security is insufficient, advocating for integrated, layered defenses across all productivity tools. Security teams are encouraged to adopt a mindset shift, integrating email security into a broader, more resilient strategy akin to EDR's role in endpoint protection. | Details |
| 2025-08-20 13:12:18 | thehackernews | MALWARE | New AI Exploit, PromptFix, Enables Hidden Malicious Actions | Cybersecurity researchers have identified a new prompt injection technique, PromptFix, which manipulates AI-driven browsers into executing hidden malicious instructions embedded within fake CAPTCHA checks. The technique targets AI models like Perplexity's Comet, tricking them into interacting with phishing pages and fraudulent storefronts without user intervention, presenting significant security risks. The attack leverages social engineering tactics to exploit AI's core design goals, leading to a new threat landscape termed "Scamlexity," where AI's convenience is weaponized. Tests on Comet revealed it could auto-fill sensitive user details and complete transactions on fake sites, bypassing user verification, demonstrating the exploit's potential for data theft. PromptFix also affects ChatGPT's Agent Mode, although its sandboxed environment limits direct impact on user systems, highlighting varying vulnerabilities across AI platforms. The findings stress the need for AI systems to adopt proactive defenses, including phishing detection, URL reputation checks, and domain spoofing countermeasures. The rise of AI-driven threats has been noted by security firms, with adversaries using GenAI platforms to automate phishing and distribute malware, lowering barriers for cybercrime. Companies like Lovable have responded by removing malicious sites and enhancing AI security measures, but the evolving threat landscape demands continuous vigilance and innovation. | Details |
| 2025-08-20 11:34:46 | thehackernews | MISCELLANEOUS | Addressing the Threat of Uncontrolled Shadow AI Agents in Enterprises | Enterprises face growing risks from AI agents operating without oversight, often deployed by business units seeking rapid results, leading to potential security vulnerabilities. These shadow AI agents, lacking proper identification and ownership, can be exploited to access sensitive data or escalate privileges, posing significant security threats. Traditional security frameworks are ill-equipped to manage autonomous software agents, as they primarily focus on human identities and activities. The webinar "Shadow Agents and Silent Threats" aims to educate businesses on securing AI identities and implementing effective governance strategies. Expert Steve Toole will provide insights into managing AI-driven identities, ensuring accountability, and establishing necessary security protocols. Organizations must act promptly to transform shadow AI agents into secure assets, preventing them from becoming liabilities in the face of potential cyber threats. Proactive measures are crucial to maintaining innovation while safeguarding enterprise security against the evolving landscape of AI-driven threats. | Details |
| 2025-08-20 10:32:53 | thehackernews | MISCELLANEOUS | Building Resilient Recovery Strategies Through Business Impact Analysis | Modern businesses face an evolving threat landscape in which risks are growing in frequency, complexity, and potential impact, necessitating robust business continuity and disaster recovery (BCDR) strategies. Conducting a Business Impact Analysis (BIA) is crucial for identifying critical functions and informing continuity plans, ensuring core services resume swiftly during disruptions. IT leaders play a pivotal role in BIA, providing insights into system dependencies, validating recovery commitments, and operationalizing recovery strategies with appropriate tools. The BIA process involves identifying critical functions, assessing downtime impacts, defining recovery time objectives (RTOs) and recovery point objectives (RPOs), and documenting dependencies. Industry-specific threat vectors, such as ransomware in healthcare or phishing in education, require tailored response plans to protect critical systems and maintain operations. Datto provides a unified platform for backup and disaster recovery, leveraging BIA insights to automate recovery actions and optimize resource allocation for rapid recovery. Datto's technology enhances recovery performance, reduces storage needs, and protects backups from ransomware, integrating seamlessly with BCDR workflows for efficient recovery. In a dynamic business environment, a well-executed BIA, supported by Datto's solutions, ensures operational resilience and competitive advantage. | Details |
| 2025-08-20 09:19:14 | thehackernews | NATION STATE ACTIVITY | North Korean Cyber Espionage Campaign Targets Diplomatic Missions via GitHub | North Korean hackers, identified as the Kimsuky group, targeted diplomatic missions in South Korea between March and July 2025, using spear-phishing emails to compromise embassy staff and foreign ministry personnel. The campaign employed GitHub as a covert command-and-control channel, leveraging cloud storage platforms like Dropbox and Daum Cloud to deliver the Xeno RAT malware variant. Attackers crafted emails in multiple languages, impersonating trusted diplomatic contacts to deliver malicious ZIP files, which included Windows shortcuts executing PowerShell scripts for further infiltration. The operation's infrastructure and tactics suggest potential collaboration or overlap with China-based operatives, with activity patterns aligning with Chinese national holidays. In parallel, North Korean IT workers infiltrated over 320 companies by posing as remote employees, utilizing AI tools to enhance their operations and evade detection. These workers employed generative AI for creating résumés and deepfake technology for video interviews, complicating traditional security measures. The campaign's sophistication and strategic use of technology pose significant challenges to international cybersecurity defenses, emphasizing the need for enhanced vigilance and adaptive security strategies. | Details |