Daily Brief

2025-09-04 23:19:34 | theregister | VULNERABILITIES | Sitecore Vulnerability Exploited for Remote Code Execution and Malware Deployment
Attackers are exploiting a configuration flaw in Sitecore products, specifically targeting a ViewState deserialization vulnerability, CVE-2025-53690, to achieve remote code execution. The vulnerability affects Sitecore Experience Manager, Experience Platform, Experience Commerce, and Managed Cloud, particularly when using static machine keys from older documentation. Successful exploitation can lead to unauthorized access and deployment of WEEPSTEEL malware, which collects system, network, and user information from compromised machines. Mandiant disrupted an attack exploiting this flaw, preventing full lifecycle observation but noting attackers' deep understanding of the vulnerability and product. The US Cybersecurity and Infrastructure Security Agency has added CVE-2025-53690 to its Known Exploited Vulnerabilities catalog, urging immediate key rotation and patching. Sitecore's updated deployments now generate random machine keys, mitigating the risk; organizations using older versions should update and secure their configurations promptly. This incident underscores the importance of regularly updating security configurations and avoiding the use of default or sample keys in production environments.

2025-09-04 22:24:57 | theregister | VULNERABILITIES | AI System A2 Uncovers Over 100 Zero-Day Flaws in Android Apps
Researchers from Nanjing University and The University of Sydney developed A2, an AI system that identifies and validates vulnerabilities in Android applications, discovering 104 zero-day flaws in 169 apps. A2 achieved 78.3% coverage on the Ghera benchmark, outperforming traditional static analysis tools like APKHunt, which only reached 30% coverage. The AI system's validation capability reduces false positives, offering a more efficient approach to vulnerability detection, crucial for security teams burdened by low-signal warnings. A2 employs a three-step validation process to confirm vulnerabilities, such as an intent redirect flaw in a widely installed Android app, demonstrating its ability to find impactful issues. The system's cost-effectiveness is notable, with detection costs ranging from $0.003 to $3.35 per APK, and full validation costs between $0.59 and $26.85 per vulnerability. A2's success signals a shift in cybersecurity, with AI-driven tools potentially transforming how vulnerabilities are discovered and addressed, prompting increased activity in both defense and exploitation. While promising for bug bounty hunters, A2's capabilities also highlight the need for rapid defensive measures to prevent exploitation of uncovered vulnerabilities.

2025-09-04 21:00:13 | theregister | CYBERCRIME | GhostRedirector Cybercrime Group Manipulates Google Rankings with Malware
GhostRedirector, a China-aligned cybercrime group, has compromised 65 Windows servers globally, using custom malware to manipulate Google search rankings for gambling sites. The group employs two newly identified malware strains, Rungan and Gamshen, to execute backdoor operations and SEO fraud, respectively. Infections began in December, with initial access likely gained through SQL injection vulnerabilities, followed by privilege escalation using PowerShell and potato-family exploits. The operation targets a broad range of sectors, including education, healthcare, and retail, with a geographical focus on South America and South Asia. Attackers utilize tools like Comdai for backdoor capabilities and Zunput for website information collection, ensuring sustained access and manipulation. ESET researchers discovered that some malware samples were signed with a certificate from TrustAsia RSA, indicating potential misuse of legitimate code-signing processes. The campaign's primary goal is to enhance gambling sites' search rankings by creating deceptive backlinks, exploiting Google's SEO mechanisms for financial gain.

2025-09-04 18:58:51 | bleepingcomputer | VULNERABILITIES | Sitecore Zero-Day Flaw Exploited to Deploy Reconnaissance Malware
Threat actors exploited a zero-day vulnerability, CVE-2025-53690, in legacy Sitecore deployments, leading to remote code execution through ViewState deserialization attacks. The flaw arises from the reuse of a sample ASP.NET machine key in production environments, enabling attackers to craft malicious payloads. Mandiant discovered the exploitation, which involves deploying WeepSteel malware for reconnaissance, gathering system and network data under the guise of standard responses. Attackers escalated privileges by creating administrator accounts, disabling password expiration, and using tools like Earthworm and Dwagent for persistence and data exfiltration. Sitecore's security bulletin advises immediate replacement and encryption of static <machineKey> values in web.config for affected versions up to 9.0. XM Cloud and other Sitecore services are not impacted, but multi-instance deployments with static keys remain at risk. Regular rotation of static machine keys is recommended to enhance security and prevent similar vulnerabilities.

2025-09-04 18:16:34 | thehackernews | NATION STATE ACTIVITY | APT28 Exploits Outlook Backdoor in NATO Member Cyber Attacks
Russian state-sponsored group APT28 has deployed a new Outlook backdoor, NotDoor, targeting companies within NATO member countries, affecting multiple sectors. NotDoor is a VBA macro for Outlook that monitors emails for specific trigger words, enabling data exfiltration and command execution on compromised systems. The malware is delivered via a OneDrive exploit, utilizing DLL side-loading to execute a malicious DLL, which installs the VBA backdoor and disables macro security protections. NotDoor employs obfuscated VBA code and uses PowerShell commands to maintain persistence and evade detection, including disabling Outlook dialogue messages. The attack chain involves creating a staging folder for data exfiltration and using custom encryption to send stolen data to a Proton Mail address. This operation showcases advanced obfuscation techniques and abuse of cloud services, complicating threat intelligence efforts and maintaining a low profile. The incident underscores the need for robust email security measures and vigilance against sophisticated nation-state cyber threats.

2025-09-04 18:08:25 | bleepingcomputer | DATA BREACH | Texas Sues PowerSchool Over Massive Student Data Breach Incident
Texas Attorney General Ken Paxton filed a lawsuit against PowerSchool after a breach exposed data of 62 million students, including 880,000 Texans, in December 2024. The breach involved stolen credentials from a subcontractor, leading to a ransom demand of $2.85 million in Bitcoin to prevent data disclosure. Exposed data included names, addresses, phone numbers, passwords, Social Security numbers, and medical information of students and faculty. PowerSchool's security failures were cited as violations of the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act. The attacker, identified as 19-year-old Matthew D. Lane, pleaded guilty to orchestrating the breach and subsequent extortion attempts on school districts. PowerSchool admitted to paying a ransom, but the attacker continued extorting schools, threatening to release data if further payments were not made. A CrowdStrike investigation uncovered additional breaches in August and September 2024, but could not confirm whether the same attacker was responsible. The incident raises significant concerns over data security in educational institutions and the handling of sensitive information by third-party providers.

2025-09-04 18:01:28 | thehackernews | MALWARE | GhostRedirector Compromises 65 Servers with Rungan Backdoor and Gamshen Module
GhostRedirector, an emerging threat cluster, has compromised 65 Windows servers across Brazil, Thailand, and Vietnam, deploying the Rungan backdoor and Gamshen IIS module. ESET researchers identified the malware, which manipulates search engine results to boost target website rankings, potentially damaging the reputation of compromised hosts. The attacks exploit vulnerabilities, likely SQL injection flaws, using PowerShell for deploying additional tools from a staging server. Rungan backdoor awaits specific URL requests to execute embedded commands, while Gamshen conducts SEO fraud by modifying server responses to Googlebot requests. GhostRedirector is suspected to be China-aligned, evidenced by hard-coded Chinese strings and a code-signing certificate linked to Shenzhen Diyuan Technology Co., Ltd. The group demonstrates persistence by deploying multiple remote access tools and creating rogue user accounts to maintain long-term server access. Industries affected include education, healthcare, insurance, transportation, technology, and retail, with targets spanning Peru, the U.S., Canada, Finland, India, the Netherlands, the Philippines, and Singapore.

2025-09-04 17:55:41 | bleepingcomputer | DATA BREACH | Chess.com Data Breach Affects Thousands via Third-Party Application
Chess.com reported a data breach involving unauthorized access to a third-party file transfer application, impacting over 4,500 users, a small fraction of its 100 million user base. The breach occurred from June 5 to June 18, 2025, and was discovered on June 19, prompting an immediate investigation and notification to law enforcement. The breach did not compromise Chess.com's own infrastructure or member accounts, focusing solely on the third-party application used by the platform. Exposed data includes names and other personally identifiable information, though no financial data was compromised, and there is no evidence of data misuse. Chess.com has enhanced security measures and is providing affected users with 1-2 years of free identity theft and credit monitoring services. Users are encouraged to enroll in the monitoring services by December 3, 2025, to mitigate potential risks. This incident follows a previous cyber event in November 2023, where 800,000 user records were scraped due to an API flaw.

2025-09-04 16:23:11 | bleepingcomputer | VULNERABILITIES | TP-Link Zero-Day and Exploited Flaws Prompt Urgent Security Measures
TP-Link confirmed a zero-day vulnerability affecting multiple router models, initially reported by researcher Mehrun in May 2024, with a patch developed for European models. The vulnerability involves a stack-based buffer overflow in TP-Link's CWMP implementation, potentially allowing remote code execution through SOAP message manipulation. Exploitation could lead to DNS rerouting, traffic interception, and payload injection, posing significant risks to affected networks. CISA added two other TP-Link vulnerabilities, CVE-2023-50224 and CVE-2025-9377, to its Known Exploited Vulnerability catalog, exploited by the Quad7 botnet. The Quad7 botnet uses compromised routers for malicious activities, including credential theft via password spray attacks on cloud services. TP-Link advises users to update firmware, change default passwords, and disable CWMP if unnecessary to mitigate risks until comprehensive patches are available. Organizations should consider network segmentation and enhanced monitoring to protect critical infrastructure from potential exploitation.

2025-09-04 16:00:17 | bleepingcomputer | DATA BREACH | Google Fined €325 Million for Breaching French Cookie Regulations
The French data protection authority, CNIL, fined Google €325 million for displaying ads in Gmail without user consent, violating French cookie regulations. Investigations from 2022 to 2023 revealed Google breached Article L. 34-5 of the French Postal and Electronic Communications Code, impacting over 74 million accounts. Google failed to inform new users about mandatory cookie placement for advertising, breaching Article 82 of the French Data Protection Act. CNIL noted Google's negligence, referencing previous fines in 2020 and 2021 for similar cookie-related violations. The fine reflects the significant number of affected users in France, with 53 million individuals exposed to unauthorized advertisements. CNIL remains vigilant on cookie compliance, warning against non-consensual practices and the use of 'cookie walls' to access services. On the same day, CNIL fined Shein's Irish subsidiary €150 million for similar cookie consent violations.

2025-09-04 14:08:33 | bleepingcomputer | VULNERABILITIES | Key Browser-Based Attack Techniques Threatening Security in 2025
Browser-based attacks are increasingly targeting business applications and data, exploiting decentralized internet apps and varied communication channels. Phishing attacks have evolved, using advanced techniques like reverse-proxy Attacker-in-the-Middle kits to bypass most MFA methods, posing significant detection challenges. ClickFix attacks trick users into executing malicious code via browser interactions, often bypassing endpoint controls and targeting personal or BYOD devices. Malicious OAuth integrations exploit user authorization to gain access to business apps, bypassing traditional authentication and access controls. Attackers leverage malicious browser extensions to capture logins and session cookies, with compromised extensions impacting millions of users. Malicious file delivery remains a core malware distribution method, with attackers using files to redirect users to phishing pages or deliver malware. Stolen credentials and MFA gaps continue to facilitate account takeovers, highlighting the need for improved login monitoring and MFA enforcement. Push Security offers a browser-based security platform to detect and respond to these threats, addressing the blind spots in current security measures.

2025-09-04 13:48:02 | bleepingcomputer | CYBERCRIME | Bridgestone Cyberattack Disrupts North American Manufacturing Operations
Bridgestone Americas confirmed a cyberattack affecting manufacturing facilities in North America, including sites in South Carolina and Quebec. The company is actively investigating the incident. The attack prompted immediate containment measures, preventing customer data theft and deep network infiltration, according to Bridgestone's initial assessments. The disruption could potentially lead to supply chain issues and product shortages, as the company works to restore full operational capacity. Bridgestone's response team is operating around the clock to mitigate impacts and ensure business continuity, prioritizing data protection and customer obligations. No ransomware groups have claimed responsibility, and the nature of the attack remains unspecified, though past incidents involved ransomware. The 2022 LockBit ransomware incident at Bridgestone serves as a reminder of the ongoing threat landscape for large manufacturing entities. The incident underscores the importance of robust cybersecurity protocols and rapid response capabilities in mitigating operational disruptions.

2025-09-04 12:09:04 | theregister | VULNERABILITIES | Enterprises Face $7.3 Billion Cost for Windows 10 Extended Support
As free support for many Windows 10 editions ends, enterprises may incur $7.3 billion in costs for Extended Security Updates to maintain security compliance. Nexthink's analysis suggests approximately 181 million enterprise devices still run Windows 10, with a significant portion potentially missing the upgrade deadline. Extended Security Updates are priced at $61 per device annually, impacting budgets significantly as organizations delay transitioning to newer operating systems. Nexthink reports Windows 11 exhibits higher instability, with more system crashes and hard resets compared to Windows 10, complicating migration decisions. Driver issues and poorly planned migrations are identified as primary causes of Windows 11's instability, rather than Microsoft's quality control. Nexthink advises that operating system migrations should focus on enhancing employee experience and performance, not just compliance, to ensure successful transitions. With millions of migrations pending, organizations must strategize effectively to mitigate disruption and enhance operational efficiency.

2025-09-04 12:01:47 | bleepingcomputer | VULNERABILITIES | Microsoft Patch Causes User Account Control Issues on Windows
Microsoft's August 2025 security updates have led to unexpected User Account Control prompts, affecting app installations for non-admin users across all supported Windows versions. The issue stems from a patch addressing CVE-2025-50173, a vulnerability allowing privilege escalation due to weak authentication, prompting new admin credential requests. Affected scenarios include running MSI repair commands, installing user-specific applications, and executing Windows Installer during Active Setup, impacting standard user operations. The change impacts deployment through Configuration Manager and the use of Autodesk applications like AutoCAD, Civil 3D, and Inventor CAM. Microsoft is developing a fix to permit certain apps to bypass UAC prompts during MSI repair operations, with a release planned in an upcoming update. A temporary workaround involves running affected apps as an administrator or using Group Policy configurations via Known Issue Rollback. The update also caused issues with NDI streaming software on Windows 10 and 11, though no link was found to SSD and HDD data corruption reports.

2025-09-04 10:24:52 | thehackernews | MALWARE | Cybercriminals Exploit AI on Platform X to Spread Malware
Cybercriminals are exploiting Platform X's AI assistant, Grok, to bypass malvertising protections and spread malicious links to millions of users. Guardio Labs identified the technique, codenamed Grokking, which leverages promoted posts using video cards with links hidden in metadata fields. Fraudsters tag Grok in replies to prompt the AI to display the malicious links, amplifying them through search engine optimization and domain reputation. The links redirect users to ad networks pushing fake CAPTCHA scams and information-stealing malware, utilizing a Traffic Distribution System (TDS). Hundreds of accounts have been identified using this method, posting continuously until suspended for policy violations, indicating a highly organized operation. The incident reveals vulnerabilities in AI-driven systems and the need for enhanced monitoring and security measures on social media platforms.
