Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11813
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-07-17 05:41:23 | thehackernews | MALWARE | Critical Security Flaw in Cisco ISE Allows Root Code Execution | Cisco has revealed a critical vulnerability in Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that allows unauthenticated attackers to execute arbitrary code. The flaw, tracked as CVE-2025-20337, has a maximum CVSS score of 10.0, indicating a severe risk. Similar to the previously patched CVE-2025-20281, this vulnerability involves insufficient validation of user-supplied input through a specific API. Attackers can exploit the flaw by sending a crafted API request to obtain root privileges without needing valid credentials. The issue affects ISE and ISE-PIC releases 3.3 and 3.4 and has been patched in subsequent versions. Releases prior to 3.2 are not impacted. No current evidence suggests this vulnerability has been exploited in malicious activity. The report follows another concerning series of attacks involving CVE-2025-25257, targeting Fortinet FortiWeb appliances for unauthorized access. | Details |
| 2025-07-16 22:32:39 | bleepingcomputer | DATA BREACH | Co-op Cyberattack Exposes Personal Data of 6.5 Million Members | UK retailer Co-op confirmed a significant data breach affecting 6.5 million members, involving the theft of personal data during a cyberattack in April. The breach included member contact information but did not expose financial or transactional details. CEO Shirine Khoury-Haq publicly apologized, describing the breach as a personal attack on the community of members and employees. The attack forced the shutdown of vital IT systems and led to the deployment of DragonForce ransomware, causing disruptions including food shortages. The breach began with a social engineering attack that enabled attackers to reset an employee's password and access the network. Exposed data included a critical Windows Active Directory Services database, enhancing the threat actors' ability to spread within the network. The cyberattack was linked to the known cybercriminal group Scattered Spider, also tied to similar attacks on other major companies. Following the cyber incidents, the UK's National Crime Agency arrested four individuals suspected of involvement in the attacks. | Details |
| 2025-07-16 21:00:40 | bleepingcomputer | CYBERCRIME | Former U.S. Soldier Guilty of Hacking Major Telecom Companies | Former U.S. Army soldier Cameron John Wagenius pleaded guilty to hacking and extorting telecommunications and technology companies, including AT&T and Verizon. Wagenius, operating under aliases such as 'kiberphant0m', engaged in cybercrimes from April 2023 to December 2024. The charges include wire fraud conspiracy, aggravated identity theft, and extortion related to computer fraud, carrying a maximum potential sentence of 27 years. He and his co-conspirators used methods like SSH Brute for unauthorized access and discussed tactics in Telegram group chats. Their criminal activities involved SIM-swapping and selling stolen data on cybercrime forums, with ransom demands reaching up to $1 million. Wagenius's cybercrimes were conducted while he was on active duty, complicating the case and indicating security lapses in the monitoring of military personnel. The convicted hacker's sentencing is scheduled for October 6 and will consider this case and another involving the unlawful transfer of phone records. | Details |
| 2025-07-16 19:57:26 | theregister | CYBERCRIME | Ukrainian Hackers Cripple Russian Drone Manufacturer's Network | Ukrainian hacking groups, including BO Team and the Ukrainian Cyber Alliance, launched a cyberattack against Gaskar Integration, a key Russian drone manufacturer. The hackers claimed to have destroyed 47TB of technical data and 10TB of backup files essential for drone production at Gaskar. The attack reportedly disabled Gaskar's entire IT infrastructure, affecting operations to the extent that building access systems malfunctioned and required manual override via fire alarms. The attackers also alleged collaboration between Gaskar and China in drone production and training, hinting at international implications. Confidential employee data from Gaskar was also leaked online by the hackers as part of their claims. The extent of the data breach and the damage to Gaskar's production capabilities could potentially delay Russian drone deliveries to conflict zones. Neither Gaskar nor the Ukrainian Ministry of Defence commented on the incident in response to media inquiries. | Details |
| 2025-07-16 19:34:46 | bleepingcomputer | DATA BREACH | Louis Vuitton Confirms Multiregional Data Breach Linked to ShinyHunters | Louis Vuitton confirmed that the data breaches in the UK, South Korea, and Turkey were caused by the same cyberattack, likely orchestrated by the ShinyHunters group. The company has been actively notifying affected customers and has involved relevant authorities, including the Information Commissioner's Office. Personal data, but not payment information, was compromised in the breach, which originated from unauthorized system access on July 2, 2025. Immediate actions to contain the breach included blocking the unauthorized access and deploying additional technical security measures. The breaches at Louis Vuitton are part of a pattern of similar incidents at other high-profile companies, indicating a targeted approach by ShinyHunters. ShinyHunters is known for multiple significant data thefts and remains partly active despite recent arrests related to the group. Louis Vuitton is continuing its investigation with cybersecurity experts to assess the extent of the breach and prevent future incidents. | Details |
| 2025-07-16 18:22:48 | theregister | DDOS | Global Crackdown on DDoS Network Supporting Russian Interests | International law enforcement, led by Europol, executed Operation Eastwood to dismantle over 100 servers tied to the pro-Russian NoName057(16) network. The operation, which involved 19 countries, led to the arrest of two Russian nationals in France and Spain, and seven additional arrest warrants were issued. NoName057(16), a group of Russian-speaking sympathizers, launched attacks targeting websites of governments and institutions supporting Ukraine. Europol estimates that the network includes over 4,000 supporters who use a botnet built from several hundred servers to amplify their DDoS attacks. Recent attacks by this group include disruptions to Swedish banks, German companies, and government websites in Switzerland and the UK. Thirteen individuals were questioned regarding their involvement with NoName057(16), with two main instigators identified but not publicly named. The crackdown was supported by cybersecurity authorities from multiple countries and assisted by nonprofits such as ShadowServer and abuse.ch for technical operations. | Details |
| 2025-07-16 17:52:51 | thehackernews | MALWARE | Matanbuchus 3.0 Malware Targets Firms via Microsoft Teams | Cybersecurity experts identified a new variant of the malware loader Matanbuchus, known as Matanbuchus 3.0, which is designed to evade detection and use advanced infiltration techniques. Matanbuchus is marketed as malware-as-a-service on cybercrime forums and is used to deploy ransomware and other malicious payloads by exploiting social engineering tactics. An incident involving Microsoft Teams showed attackers impersonating IT help desk personnel, tricking employees into activating Matanbuchus via remote assistance and PowerShell scripts. The loader incorporates features like enhanced communication protocols, in-memory operations, and support for remote shell commands, increasing its stealth and operational flexibility. Matanbuchus 3.0 checks for administrative privileges and the presence of security tools on infected systems before executing further commands and communicating with a command-and-control server. Persistence is achieved using techniques such as COM manipulation and shellcode injection to schedule tasks. The updated service is offered at high rental prices, reflecting its sophisticated capabilities and the emphasis on targeted, stealthy attacks on enterprise systems. Researchers emphasize the evolving threat landscape and the risks posed by sophisticated loaders that exploit enterprise collaboration tools like Microsoft Teams to distribute malware. | Details |
| 2025-07-16 16:57:35 | bleepingcomputer | MISCELLANEOUS | Cloudflare Explains Internal Error Caused Global DNS Outage | Cloudflare's 1.1.1.1 DNS Resolver service outage on July 14 was due to an internal configuration error, not a cyberattack or BGP hijack. The misconfiguration linked 1.1.1.1 Resolver IP prefixes to an offline Data Localization Suite service, causing global service disruption. The issue was identified and resolved within approximately one hour, with full restoration achieved shortly thereafter. Cloudflare disclosed that the misconfiguration impacted multiple IP ranges and primarily affected UDP, TCP, and DNS-over-TLS traffic. DNS-over-HTTPS traffic was largely unaffected due to different routing mechanisms. Post-incident, Cloudflare plans to upgrade its systems to prevent similar issues, focusing on abstract service topologies for gradual deployments and health monitoring. The company acknowledged shortcomings in its legacy systems and internal documentation, which failed to catch the misconfiguration during peer review. | Details |
| 2025-07-16 15:38:23 | bleepingcomputer | MALWARE | SonicWall Devices Targeted by OVERSTEP Rootkit and Ransomware | SonicWall SMA appliances have been compromised by a new malware, known as OVERSTEP, which modifies the boot process and installs a user-mode rootkit. The attacks, conducted by threat actor UNC6148, possibly used an undetected zero-day vulnerability allowing persistence and data theft from fully patched but unsupported devices. UNC6148 has been active since at least October and uses data theft and extortion tactics; sensitive files stolen in these attacks have appeared on the World Leaks data-leak site. Researchers suggest the threat actor gained initial access by exploiting known vulnerabilities to steal local administrator credentials before the devices were updated to the latest firmware. During an observed attack, the actor used a reverse shell to conduct reconnaissance and manipulate files on the compromised device, then deployed the OVERSTEP rootkit. OVERSTEP gives the attacker the ability to stealthily maintain access, manipulate system logs, and steal sensitive information such as passwords and certificates. Despite attempts to trace and understand all access and modifications, researchers face challenges due to the rootkit's anti-forensic features, which obscure much of the malicious activity. Security professionals are advised to monitor for potential compromises and conduct thorough investigations using the indicators of compromise provided by Google Threat Intelligence Group. | Details |
| 2025-07-16 15:07:51 | bleepingcomputer | CYBERCRIME | Fortinet FortiWeb Compromised via Published RCE Exploits | Recent compromises of Fortinet FortiWeb units used public RCE exploits for CVE-2025-25257. The Shadowserver Foundation detected 85 compromised instances on July 14 and 77 the next day, linking them to this exploit. CVE-2025-25257, a pre-authentication SQL injection vulnerability in numerous FortiWeb versions, was identified as the attack vector. Public release of exploits on July 11 led to active exploitation, highlighting the immediate need to update to patched versions. A majority of the compromised systems are located in the United States. FortiWeb is a Web Application Firewall in high demand among enterprises and governmental bodies. Administrators are urged to update urgently or to disable HTTP/HTTPS admin interfaces to protect against these attacks. | Details |
| 2025-07-16 14:12:27 | bleepingcomputer | DDOS | Pro-Russian Hacktivist Group Disrupted in International Sting | The pro-Russian NoName057(16) hacking group, known for launching DDoS attacks, was targeted in an extensive law enforcement operation named "Operation Eastwood." Europol and Eurojust led the operation with collaborative efforts from 12 countries, including the USA and multiple European nations. The operation resulted in the disruption of over 100 servers used by NoName057(16), with the primary actions conducted on July 15, 2025. Targets of NoName057(16) span Europe and Israel, affecting NATO sites, government agencies, and critical infrastructure sectors. Two individuals were arrested, and seven European arrest warrants were issued, focusing on those believed to be core members and administrators of the group. Authorities also warned approximately 1,100 participants and 17 administrators of the group through Telegram messages about their potential criminal liability. Despite significant setbacks to NoName057(16), Europol indicates that because core members reside in Russia, the group might soon recover and continue its operations. | Details |
| 2025-07-16 14:04:20 | theregister | MALWARE | Stealthy Backdoor and Rootkit Compromise SonicWall VPN Appliances | Unknown attackers are exploiting fully patched, end-of-life SonicWall VPN appliances, deploying a novel backdoor and rootkit named OVERSTEP. Google's Threat Intelligence Group links the campaign to "UNC6148," a previously uncategorized threat actor. The malware alters the appliance's boot process, maintaining persistent unauthorized access and facilitating the theft of sensitive credentials. Google expresses high confidence that the attackers are using previously stolen credentials and OTP seeds to access SonicWall Secure Mobile Access (SMA) 100 series appliances. Mandiant's analysis revealed that local administrator credentials were used to initiate an SSL-VPN session, although the origin of these credentials remains unclear. Initial access might have involved known vulnerabilities or potentially an unreported zero-day, with the attackers manually clearing logs to minimize detection. OVERSTEP's capabilities include stealing passwords, certificates, and OTPs and manipulating network access control policies for persistence. Google urges businesses using vulnerable SonicWall devices to inspect their systems for signs of compromise, citing limited but significant impact on victim organizations. | Details |
| 2025-07-16 14:04:20 | thehackernews | NATION STATE ACTIVITY | UNC6148 Exploits SonicWall Devices with OVERSTEP Rootkit | Google's Threat Intelligence Group identified threat cluster UNC6148 targeting SonicWall SMA 100 series appliances with a backdoor called OVERSTEP. These attacks use stolen credentials and OTP seeds, likely exfiltrated from the devices as early as January 2025. UNC6148 possibly exploited known vulnerabilities or zero-day flaws to gain unauthorized access and establish SSL-VPN sessions, despite normal security restrictions. The attackers deployed OVERSTEP to alter the appliance's boot process for persistent access and to conceal their activities within the system. OVERSTEP uses techniques such as hijacking library functions and hooking APIs to hide artifacts and receive commands. The rootkit's capabilities include deleting specific log entries to obscure its activity, complicating forensic analysis and detection. Google associates these attacks with potential ransomware deployment and data theft, linking UNC6148 to data posted on a notorious extortion gang's leak site. Recommendations include acquiring disk images for forensic purposes and possibly working with SonicWall for further analysis to counter the rootkit's anti-forensic measures. | Details |
| 2025-07-16 12:01:04 | thehackernews | NATION STATE ACTIVITY | Critical Flaw in Windows Server 2025 Enables Enterprise-wide Attacks | Cybersecurity researchers have identified a critical design flaw in Windows Server 2025 affecting delegated Managed Service Accounts (dMSAs) and group Managed Service Accounts (gMSAs). The vulnerability, termed "Golden dMSA," allows attackers to bypass authentication processes and generate passwords for all dMSAs and gMSAs, enabling persistent and unlimited access across Active Directory. Exploitation of this flaw is considered low complexity but requires access to the Key Distribution Service (KDS) root key, typically held by highly privileged accounts. The flaw involves a predictable password-generation structure that simplifies brute-force attacks, making it computationally easy to derive service account passwords. Possession of the KDS root key allows attackers to derive the current password for any dMSA or gMSA without contacting the domain controller, which can facilitate lateral movement and credential harvesting across domains. The attack can turn a single domain compromise into a persistent backdoor affecting every dMSA account forest-wide. Microsoft has responded to the disclosure of this vulnerability, emphasizing that the protection features were not designed to prevent domain controller compromises. Semperis has released an open-source proof-of-concept to demonstrate the power and reach of the Golden dMSA attack technique. | Details |
| 2025-07-16 11:33:09 | thehackernews | MISCELLANEOUS | How to Secure AI Systems in Your Business Effectively | AI technology is being rapidly adopted in businesses, acting similarly to employees with significant system access. The integration of AI, especially through platforms like OpenAI, poses unique identity and security challenges not covered by traditional models. Enterprises must choose between developing their own AI solutions or buying from external providers, with both paths presenting significant security risks. AI agents can access and control sensitive data, creating potential backdoors for data breaches when compromised. Effective AI security requires continuous access control and real-time identity and device risk evaluations. Beyond Identity provides solutions to secure AI access by linking agent permissions to verified user identities and updating access controls based on current security posture. Businesses are encouraged to attend Beyond Identity's webinar to learn more about securing internal AI systems and to see a demo of effective access controls. | Details |