Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11804
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-08-16 14:28:33 | bleepingcomputer | VULNERABILITIES | Fortinet Addresses Critical Authentication Bypass in FortiWeb Firewall | A critical vulnerability in FortiWeb, tracked as CVE-2025-52970, allows remote attackers to bypass authentication, posing a significant risk to affected systems. The flaw, named FortMajeure, involves an out-of-bounds read in cookie parsing, enabling attackers to forge authentication cookies and impersonate users, including administrators. Exploitation requires an active session and brute-forcing a small numeric field, with a search space of approximately 30 requests, simplifying the attack process. Fortinet released a patch on August 12, addressing the issue in versions 7.0 to 7.6; FortiWeb 8.0 versions are unaffected. The vulnerability's CVSS score of 7.7 may be misleading due to the perceived complexity, though practical exploitation is straightforward and rapid. Security researcher Aviv Y plans to release full exploit details later, allowing administrators time to apply necessary updates and mitigate risks. Immediate patching is crucial as attackers are likely to exploit this vulnerability swiftly once full proof-of-concept details are available. | Details |
| 2025-08-16 14:20:34 | bleepingcomputer | VULNERABILITIES | Microsoft Teams Enhances Security Against Malicious URLs and File Types | Microsoft is enhancing Teams with features to block weaponizable file types and detect malicious URLs, aiming to reduce malware and file-based attack risks in chats and channels. The new security measures are in development and will be rolled out globally to Microsoft 365 multi-tenants starting next month, enhancing overall platform security. Teams now integrates with Microsoft Defender for Office 365, allowing security admins to block or delete communications from blocked domains, improving threat management capabilities. A new Prevent Screen Capture feature, introduced in July 2025, protects sensitive information by disabling screen captures during meetings, addressing unauthorized data capture concerns. Microsoft's Chat brand impersonation protection, targeting phishing attacks, will be available to all users by February 2025, bolstering defenses against external threats. With over 320 million active users, these updates aim to maintain Teams' security integrity across 181 markets and 44 languages, safeguarding a vast global user base. | Details |
| 2025-08-16 10:43:58 | thehackernews | MALWARE | ERMAC 3.0 Banking Trojan Source Code Leak Reveals Infrastructure Flaws | Researchers have analyzed the ERMAC 3.0 Android banking trojan, uncovering significant vulnerabilities in its infrastructure, which could aid cybersecurity defenses. ERMAC 3.0 expands its malicious capabilities, targeting over 700 banking, shopping, and cryptocurrency applications worldwide, posing a broad threat landscape. The trojan's evolution traces back to Cerberus and BlackRock, sharing lineage with other malware families like Hook, Pegasus, and Loot. Hunt.io accessed the complete source code from an open directory, revealing its backend, frontend, exfiltration server, and Android builder panel. New features in ERMAC 3.0 include advanced form injection methods, an upgraded C2 panel, a new Android backdoor, and encrypted communications. Identified weaknesses include hardcoded JWT secrets, static admin tokens, and default credentials, which could be exploited to disrupt operations. The exposure of these vulnerabilities offers defenders actionable insights to track and mitigate ERMAC-related threats effectively. | Details |
| 2025-08-16 05:39:50 | thehackernews | MALWARE | EncryptHub Exploits MSC EvilTwin Flaw to Deploy Fickle Stealer | EncryptHub, a Russian hacking group, is exploiting a patched Microsoft Management Console vulnerability (CVE-2025-26633) to deploy Fickle Stealer malware via social engineering tactics. The group uses fake IT department communications through Microsoft Teams to initiate remote connections, deploying payloads with PowerShell commands and malicious MSC files. Attackers utilize a Go-based loader, SilentCrystal, leveraging unauthorized access to Brave Support to host malware, indicating sophisticated account compromise capabilities. Tactics also include videoconferencing lures with phony platforms like RivaTalk, delivering malware through MSI installers and sideloading malicious DLLs. The malware gathers and exfiltrates system information, maintains persistence, and uses encrypted PowerShell commands to control infected systems. EncryptHub's adaptive strategies involve blending C2 communications with normal traffic, highlighting the need for robust defense mechanisms and user awareness. Organizations are advised to strengthen layered defense strategies and maintain updated threat intelligence to counteract such evolving threats. | Details |
| 2025-08-15 21:51:25 | theregister | NATION STATE ACTIVITY | Chinese APT Group UAT-7237 Targets Taiwanese Web Host for Espionage | Cisco Talos reports that UAT-7237, a Chinese-speaking APT group, infiltrated a Taiwanese web hosting provider, stealing credentials and installing backdoors for sustained access. The group, linked to broader Chinese APT activities, utilizes a mix of open-source and custom tools, including Cobalt Strike and the SoftEther VPN client for persistent access. UAT-7237 focuses on exploiting known vulnerabilities in unpatched servers to gain initial access, followed by reconnaissance to identify valuable targets. Post-compromise, the group employs tools like JuicyPotato and Mimikatz for privilege escalation and credential theft, alongside custom malware such as SoundBill. The attack strategy includes adjusting system configurations to facilitate malicious activities and storing credentials in cleartext. Talos has published indicators of compromise on GitHub to aid organizations in detecting and mitigating threats from UAT-7237. The group's activities underscore the importance of patch management and vigilance against sophisticated nation-state cyber threats. | Details |
| 2025-08-15 17:40:06 | theregister | VULNERABILITIES | Critical CVSS 10 Vulnerability Discovered in Cisco Firewall Management | Cisco patched a critical vulnerability in its Secure Firewall Management Center, identified as CVE-2025-20265, which could allow remote command injection by unauthenticated attackers. The flaw, rated a perfect 10.0 on the CVSS scale, stems from improper input handling in the RADIUS authentication subsystem during login processes. Exploitation requires the Firewall Management Center to be configured with RADIUS authentication for web or SSH management interfaces. Cisco's centralized management platform is widely used by enterprises, government agencies, and educational institutions, making this vulnerability a significant concern. No active exploitation of this vulnerability has been reported, but the potential for abuse remains, especially by state-sponsored actors known to target Cisco products. This vulnerability follows a series of maximum-severity flaws in Cisco products, prompting urgent patching across affected systems. Cisco's internal security testing identified the flaw, emphasizing the importance of proactive vulnerability management and timely patch deployment. | Details |
| 2025-08-15 16:26:20 | thehackernews | NATION STATE ACTIVITY | Chinese APT UAT-7237 Targets Taiwanese Web Servers with Custom Tools | Cisco Talos has identified UAT-7237, a Chinese-speaking APT group, targeting Taiwanese web infrastructure, aiming for long-term access using customized open-source tools. The group is a sub-entity of UAT-5918, known for attacking Taiwan's critical infrastructure since 2023, with activities dating back to at least 2022. UAT-7237 employs a unique shellcode loader, SoundBill, to deploy secondary payloads like Cobalt Strike, and uses SoftEther VPN for persistent access. Attack vectors include exploiting known vulnerabilities in unpatched servers, followed by reconnaissance to assess target value for further exploitation. Tools such as JuicyPotato for privilege escalation and Mimikatz for credential extraction are utilized, with recent attacks embedding Mimikatz into SoundBill. The group's activities suggest a high proficiency in Chinese, as indicated by language settings in their VPN configurations. The discovery coincides with Intezer's identification of a new variant of the FireWood backdoor, linked to China-aligned Gelsemium, though with low confidence. These developments underscore the ongoing threat posed by state-sponsored actors using sophisticated, evolving tactics to compromise critical infrastructure. | Details |
| 2025-08-15 15:25:39 | bleepingcomputer | CYBERCRIME | WarLock Ransomware Claims Attack on Colt Technology Services | Colt Technology Services faces a cyberattack causing a multi-day outage affecting hosting, porting services, and Voice API platforms. The attack began on August 12, impacting operations across 30 countries. Initially described as a "technical issue," the incident was later confirmed as a cyberattack, forcing Colt to take specific systems offline, affecting customer communication and support services. The WarLock ransomware group claims responsibility, offering to sell one million documents allegedly stolen from Colt for $200,000, including financial, employee, and customer data. Security researcher Kevin Beaumont suggests the breach likely involved exploiting a remote code execution vulnerability in Microsoft SharePoint, CVE-2025-53770, which was patched by Microsoft in July. Colt has notified authorities but has not provided details about the perpetrators or the attack type. Restoration timelines for affected systems remain uncertain. The incident underscores the critical need for robust cybersecurity measures, especially in telecommunications, where service disruptions can have widespread implications. This attack serves as a reminder of the importance of timely patch management and vulnerability assessments to prevent exploitation of known security flaws. | Details |
| 2025-08-15 14:03:33 | bleepingcomputer | VULNERABILITIES | Cisco Addresses Critical RCE Vulnerability in Firewall Management Center | Cisco disclosed a critical remote code execution vulnerability, CVE-2025-20265, in its Secure Firewall Management Center software, affecting enterprise and government networks using RADIUS authentication. The flaw, scoring 10 out of 10 in severity, allows unauthenticated attackers to execute arbitrary shell commands with elevated privileges through crafted input during the RADIUS authentication phase. Affected versions include FMC 7.0.7 and 7.7.0, with Cisco releasing free patches to mitigate the risk. Customers with valid service contracts can access these updates through regular channels. As a temporary measure, Cisco suggests disabling RADIUS authentication, switching to alternatives like local user accounts or SAML single sign-on, though users must assess the impact on their environments. The vulnerability was identified internally by Cisco's security team, and there are currently no reports of it being exploited in the wild. Alongside this critical fix, Cisco addressed 13 high-severity vulnerabilities across various products, urging users to apply the latest updates to safeguard their systems. | Details |
| 2025-08-15 11:47:21 | theregister | VULNERABILITIES | Citrix Vulnerabilities Disrupt Dutch Speed Camera Operations Nationwide | A cyberattack exploiting Citrix vulnerabilities has disrupted the Dutch Public Prosecution Service, keeping speed cameras offline across the Netherlands since July 17. The attack has affected the reactivation of fixed, average, and flex speed cameras, primarily on A and N roads, crucial for traffic monitoring. The Public Prosecution Service is conducting a phased relaunch to minimize further disruptions, with the first step being the reinstatement of email communications. The interconnected nature of systems with judiciary and law enforcement agencies has necessitated careful coordination to restore full operations. The Dutch NCSC reported that these vulnerabilities were exploited as early as May, impacting several critical organizations in the country. The ongoing outage presents challenges for traffic law enforcement and highlights the need for robust cybersecurity measures in interconnected systems. The Public Prosecution Service is actively working with partners and stakeholders to mitigate the impact on victims, suspects, and the justice system. | Details |
| 2025-08-15 11:47:20 | bleepingcomputer | VULNERABILITIES | Plex Urges Immediate Update to Address Media Server Vulnerability | Plex has alerted users to update their media servers urgently due to a security flaw affecting versions 1.41.7.x to 1.42.0.x, though a CVE-ID is yet to be assigned. The vulnerability was identified through Plex's bug bounty program, leading to the release of a patched version, 1.42.1.10060, now available for download. While specific details about the flaw remain undisclosed, users are advised to update promptly to prevent potential exploitation by threat actors. This proactive notification is unusual for Plex, highlighting the severity of the issue and the importance of securing systems against potential threats. Past vulnerabilities in Plex Media Server, such as CVE-2020-5741, have been linked to significant breaches, emphasizing the need for timely updates. The urgency in patching is underscored by the risk that attackers reverse engineer the fix, which could lead to the development of exploits. Users are reminded of the potential consequences of unpatched vulnerabilities, including unauthorized access and data breaches, as seen in previous incidents involving Plex. | Details |
| 2025-08-15 11:31:33 | thehackernews | CYBERCRIME | U.S. Sanctions Target Russian Crypto Exchanges Garantex and Grinex | The U.S. Treasury's OFAC has renewed sanctions against Russian crypto exchange Garantex for processing over $100 million in illicit transactions linked to ransomware since 2019. Sanctions now extend to Grinex, Garantex's successor, and three Garantex executives, alongside six associated companies in Russia and Kyrgyzstan. Garantex was initially sanctioned in April 2022 for facilitating transactions from darknet markets and ransomware groups like Hydra and Conti. Despite a March 2025 law enforcement takedown, Garantex rebranded as Grinex, continuing to process significant transaction volumes with 82% linked to sanctioned entities. Garantex's infrastructure and customer deposits were moved to Grinex, which has facilitated billions in cryptocurrency transactions since its inception. The U.S. Department of State has offered rewards for information leading to the arrest of Garantex leaders, including $5 million for key figure Serda. The U.S. DoJ has seized over $2.8 million in cryptocurrency linked to ransomware activity, part of broader efforts to disrupt cybercrime networks. The integration of the A7A5 token into Grinex illustrates ongoing challenges in curbing illicit finance through cryptocurrency platforms. | Details |
| 2025-08-15 11:04:13 | thehackernews | MISCELLANEOUS | Rethinking Privacy: Navigating Trust in the Age of Agentic AI | Agentic AI, capable of autonomous decision-making, is reshaping privacy dynamics by acting on behalf of users without constant oversight, raising new trust-related challenges. These AI systems interpret and act upon sensitive data, potentially altering user interactions and decision-making processes, impacting personal and professional spheres. Traditional privacy frameworks, like GDPR and CCPA, may prove inadequate as they assume linear data transactions, whereas agentic AI operates contextually. The erosion of privacy may occur not through data breaches but through shifts in power and purpose, as AI systems infer, share, or suppress information. Ethical boundaries and trust primitives, such as authenticity and veracity, are crucial as AI agents blur traditional privacy norms and legal boundaries. The potential for AI agents to be subpoenaed, audited, or reverse-engineered poses significant risks to user privacy and the concept of AI-client privilege. Organizations must prioritize designing AI systems that align with user values and can explain their actions, ensuring ethical coherence and trust in AI interactions. | Details |
| 2025-08-15 10:28:27 | theregister | CYBERCRIME | Colt Technology Services Faces Cyber Incident, Disrupts Key Systems | Colt Technology Services experienced a cyber incident impacting its customer portal and Voice API platform, leading to a temporary shutdown of these services as a protective measure. The attack targeted internal systems, reportedly separate from customer-supporting infrastructure, with no evidence of unauthorized access to customer or employee data. In response, Colt proactively took systems offline and notified authorities, while engaging third-party cybersecurity experts to assist in restoration efforts. The disruption began on August 12, with services like Colt Online remaining unavailable, prompting customers to seek support through alternative communication channels. Technical investigations suggest potential cybercriminal activity, with Shodan scans revealing interactions with Colt's SharePoint servers, which were subsequently secured with enhanced firewall protections. The incident underscores the importance of robust cybersecurity measures, especially for multinational firms with extensive global operations and customer bases. As restoration efforts continue, Colt emphasizes customer patience and commitment to resolving the issue swiftly, while maintaining transparency through regular status updates. | Details |
| 2025-08-15 08:52:05 | bleepingcomputer | CYBERCRIME | U.S. Sanctions Grinex Crypto-Exchange for Links to Cybercrime | The U.S. Department of the Treasury has sanctioned Grinex, a successor to the Russian crypto-exchange Garantex, for facilitating money laundering for ransomware groups. Grinex was promoted on Telegram channels associated with Garantex after U.S. authorities seized Garantex's domains for processing $100 million in illicit transactions. Two Garantex administrators were charged, with one arrested in India, as part of the ongoing crackdown on cybercriminal networks. Garantex had ties to major cybercrime groups, including Hydra, Conti RaaS, and several ransomware gangs such as LockBit and Ryuk. Grinex's creation was reportedly a direct response to sanctions and asset freezes impacting Garantex, continuing its operations under a new name. The Treasury's Office of Foreign Assets Control renewed sanctions against Garantex and its associates, including six partner companies in Russia and Kyrgyzstan. The Department of State announced a $6 million reward for information leading to the arrests or convictions of Garantex executives, emphasizing the threat to national security. Grinex has processed billions in cryptocurrency transactions, raising concerns about the integrity of virtual asset service providers. | Details |