Daily Brief
Total articles found: 11548
Checks for new stories every ~15 minutes
| Published | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-11-19 17:34:36 | bleepingcomputer | VULNERABILITIES | Critical Command Injection Flaw Found in W3 Total Cache Plugin | A critical vulnerability, CVE-2025-9501, in the W3 Total Cache WordPress plugin allows PHP command injection, potentially compromising over one million websites. The flaw affects all versions prior to 2.8.13, enabling unauthenticated users to execute commands via malicious comments. The vulnerability resides in the `_parse_dynamic_mfunc()` function, which processes dynamic function calls in cached content. A patch was released on October 20, but only 430,000 downloads have occurred, leaving many sites still at risk. WPScan has developed a proof-of-concept exploit, set for release on November 24, which could accelerate malicious exploitation. Administrators are advised to upgrade to version 2.8.13 or disable the plugin to prevent potential attacks. Failure to address this vulnerability could result in attackers gaining full control over affected WordPress sites. |
| 2025-11-19 16:51:10 | bleepingcomputer | CYBERCRIME | Sanctions Imposed on Russian Hosting Providers for Ransomware Support | The U.S., U.K., and Australia have sanctioned Russian bulletproof hosting providers aiding ransomware gangs, including LockBit, BlackSuit, and Play, disrupting their operations. Media Land and its affiliates are accused of supporting cybercrime activities, such as phishing, malware delivery, and DDoS attacks against U.S. critical infrastructure. Sanctions target Media Land executives, including Aleksandr Volosovik, linked to cybercrime groups like Evil Corp and Black Basta, freezing their assets and exposing them to further legal actions. Aeza Group LLC and its front company, Hypercore Ltd, are also sanctioned, impacting their ability to operate internationally and collaborate with allied countries. Five Eyes cybersecurity agencies have issued guidance for ISPs to mitigate threats from bulletproof hosting, recommending threat intelligence-based filtering and enhanced customer verification. The sanctions aim to dismantle cybercriminal networks by freezing assets and imposing secondary sanctions on entities transacting with the designated individuals and companies. This coordinated international effort reflects a broader strategy to combat cybercrime by targeting infrastructure providers supporting illicit activities. |
| 2025-11-19 16:33:56 | thehackernews | VULNERABILITIES | Active Exploitation of 7-Zip Vulnerability CVE-2025-11001 Reported | A critical vulnerability in 7-Zip, identified as CVE-2025-11001, is actively being exploited, as reported by NHS England Digital. The flaw allows remote attackers to execute arbitrary code through symbolic link manipulation within ZIP files, potentially compromising systems. 7-Zip version 25.00, released in July 2025, addresses this vulnerability, alongside another similar flaw, CVE-2025-11002. The vulnerabilities were introduced in version 21.02 and can be exploited in Windows environments with elevated user permissions or developer mode enabled. Security researcher Dominik released a proof-of-concept exploit, emphasizing the need for users to update to the latest 7-Zip version promptly. The lack of detailed information on the exploitation methods and actors involved increases the urgency for organizations to secure their systems. Organizations should prioritize patch management and ensure that all systems using 7-Zip are updated to mitigate potential risks. |
| 2025-11-19 15:43:34 | thehackernews | MALWARE | WhatsApp Worm Campaign Distributes Eternidade Stealer in Brazil | A new campaign uses WhatsApp hijacking and social engineering to spread the Delphi-based banking trojan Eternidade Stealer, targeting users in Brazil. Attackers leverage a Python script to hijack WhatsApp accounts, marking a shift from previous PowerShell-based methods, and distribute malicious attachments. The campaign exploits WhatsApp's popularity in Brazil, using it as a vector to propagate large-scale attacks on Brazilian institutions. The attack initiates with an obfuscated Visual Basic Script, which leads to the deployment of multiple payloads, including a Python script and an MSI installer. Eternidade Stealer targets banking portals and cryptocurrency services, activating only when relevant applications are accessed to avoid detection. The malware communicates with a command-and-control server using IMAP to dynamically update server addresses, enhancing persistence and evasion. The infrastructure includes management panels for monitoring and geofencing, with access restricted to Brazilian and Argentine systems, redirecting others to a benign error page. Despite its Brazilian focus, the campaign's global footprint is evident, with connections recorded from multiple countries, necessitating vigilance from cybersecurity defenders worldwide. |
| 2025-11-19 14:37:25 | bleepingcomputer | VULNERABILITIES | Operation WrtHug Exploits Vulnerabilities in ASUS Routers Globally | Operation WrtHug has compromised approximately 50,000 ASUS routers worldwide, primarily targeting outdated models with known vulnerabilities. The campaign predominantly affects routers in Taiwan, Southeast Asia, Russia, Central Europe, and the U.S., with no infections detected in China. Attackers exploit command injection flaws, notably CVE-2025-2492, using ASUS AiCloud services to deploy a global intrusion set. A unique self-signed TLS certificate with a 100-year validity is a key indicator of compromise, replacing ASUS's standard 10-year certificate. The compromised routers may serve as operational relay boxes for stealth operations, facilitating command-and-control activities. ASUS has released security updates to address these vulnerabilities, urging users to update firmware or replace unsupported devices. The campaign shares similarities with the AyySSHush campaign, suggesting potential connections between the two. |
| 2025-11-19 14:22:13 | bleepingcomputer | VULNERABILITIES | Addressing Security Risks in DevOps Platforms: Best Practices | DevOps platforms like GitHub, Bitbucket, and GitLab hold critical data, making them attractive targets for cyber threats, including ransomware and insider attacks. The Shared Responsibility Model places the onus on users to secure their data, emphasizing the need for stringent access controls and automated backups. Each platform offers unique security features: GitHub includes secret scanning and push protection, while GitLab focuses on role segregation and patching. Common vulnerabilities include weak access controls, improper repository permissions, and lack of multi-factor authentication, which can be exploited through various attack vectors. A notable supply-chain attack on GitHub involved a malicious update to a popular GitHub Action, potentially exposing thousands of repositories. Preventive measures include enforcing MFA, using ephemeral runners, and maintaining external immutable backups to mitigate risks. Organizations are encouraged to shift security practices left and ensure compliance with industry regulations to protect DevOps data effectively. Implementing a comprehensive backup and disaster recovery strategy, such as using third-party solutions like GitProtect, can safeguard against data loss and ensure business continuity. |
| 2025-11-19 13:49:33 | bleepingcomputer | VULNERABILITIES | CISA Mandates Rapid Patching of New Fortinet Vulnerabilities | CISA has directed U.S. government agencies to patch a new Fortinet FortiWeb vulnerability within a week, following its exploitation in zero-day attacks. The vulnerability, CVE-2025-58034, allows authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands. This flaw has been added to CISA's Known Exploited Vulnerabilities Catalog, emphasizing its potential risk to federal systems. Agencies must secure their systems by November 25th under Binding Operational Directive 22-01, with a reduced remediation timeframe due to active exploitation. Another Fortinet vulnerability, CVE-2025-64446, has also been added to the catalog, with a patch deadline of November 21st. Fortinet vulnerabilities are frequently targeted in cyber espionage and ransomware attacks, as seen in past incidents involving state-sponsored groups. The urgency in patching these vulnerabilities reflects the ongoing threat landscape and the necessity for robust cybersecurity measures. |
| 2025-11-19 13:21:00 | theregister | DATA BREACH | WhatsApp Enumeration Flaw Exposes Data of 3.5 Billion Users | Researchers from Austria identified a flaw in WhatsApp's user enumeration feature, potentially exposing personal data of over 3.5 billion users worldwide. The flaw allowed the extraction of phone numbers, names, and profile images at a rate of 100 million accounts per hour, using a tool based on Google's libphonenumber. The vulnerability was exploited without encountering rate limiting or IP blocking, raising concerns about WhatsApp's security measures. Personal data collected included sensitive information such as sexual orientation, political views, and links to other platforms, posing privacy risks. WhatsApp's parent company, Meta, has since implemented anti-scraping measures and confirmed the deletion of data collected by researchers. The incident underscores the importance of robust security protocols to prevent large-scale data scraping and potential misuse by cybercriminals. Meta's response to the vulnerability was delayed, taking nearly a year to address the issue, but effective countermeasures are now in place. |
| 2025-11-19 13:02:18 | thehackernews | VULNERABILITIES | Operation WrtHug Compromises Thousands of ASUS Routers Globally | SecurityScorecard's STRIKE team identified Operation WrtHug, exploiting six vulnerabilities in outdated ASUS routers, impacting tens of thousands of devices in Taiwan, the U.S., and Russia. The campaign leverages ASUS AiCloud's n-day vulnerabilities to gain high privileges on end-of-life routers, using a unique self-signed TLS certificate for network integration. Affected routers are predominantly linked to ASUS AiCloud services, with 99% of compromised devices presenting the same certificate, set to expire in 2122. Exploited vulnerabilities include CVE-2023-41345 to CVE-2025-2492, with potential ties to other China-linked botnets like AyySSHush, raising concerns of coordinated efforts. The operation suggests possible involvement of China-affiliated actors, given the targeting patterns and overlaps with tactics seen in previous Chinese ORB campaigns. The campaign underscores the risks associated with end-of-life devices, emphasizing the need for timely updates and decommissioning of outdated hardware. SecurityScorecard warns of the increasing trend of mass infections targeting network devices, urging organizations to bolster defenses against such widespread threats. |
| 2025-11-19 13:02:17 | bleepingcomputer | CYBERCRIME | ShinySp1d3r Ransomware-as-a-Service Emerges from ShinyHunters Group | ShinyHunters, in collaboration with Scattered Spider, has developed ShinySp1d3r, a new ransomware-as-a-service platform, marking a shift from using third-party encryptors to deploying their own. The emerging RaaS was first revealed on a Telegram channel, with the group attempting to extort Salesforce and Jaguar Land Rover through data theft. ShinySp1d3r uses the ChaCha20 encryption algorithm, with RSA-2048 protecting private keys, and features unique file extensions and metadata headers. Each encrypted device will display a ransom note and a customized Windows wallpaper, urging victims to negotiate within three days to avoid public exposure. ShinyHunters is developing versions for Linux and ESXi, alongside a "lightning version" optimized for speed, indicating ongoing enhancements to their ransomware toolkit. The group claims healthcare entities are off-limits, although past ransomware gangs have not adhered to such promises, raising skepticism about enforcement. Operations will exclude attacks on Russia and CIS countries, likely to avoid legal repercussions for affiliates in those regions. |
| 2025-11-19 12:14:51 | bleepingcomputer | CYBERCRIME | California Man Pleads Guilty in $230 Million Crypto Laundering Case | Kunal Mehta, a 45-year-old from Irvine, California, admitted to laundering $25 million in a $230 million cryptocurrency heist, becoming the eighth defendant to plead guilty in this case. The heist involved a group using social engineering tactics to access victims' cryptocurrency accounts, with operations spanning from October 2023 to March 2025. The crime ring consisted of young individuals from various U.S. states and abroad, who connected through online gaming before engaging in organized cyber theft and laundering activities. Mehta's role involved creating shell companies to legitimize the laundering process, charging a 10% fee for converting stolen cryptocurrency into cash and making wire transfers. The stolen funds financed extravagant lifestyles, including luxury cars, private jets, and high-end accessories, highlighting the significant financial impact of the criminal activities. Law enforcement's investigation revealed critical errors made by the group, linking laundered funds back to the original stolen amounts, aiding in their capture. The FBI emphasizes vigilance against online scams, urging individuals to avoid sharing personal information through unsolicited communications. |
| 2025-11-19 11:59:09 | thehackernews | VULNERABILITIES | Enhancing Security with Ringfencing for Trusted Application Control | The article discusses the use of ThreatLocker Ringfencing™ to enhance security by applying granular containment to trusted applications, preventing their misuse by threat actors. Traditional security measures like Endpoint Detection and Response (EDR) are reactive, often leading to costly cybercrime incidents; Ringfencing offers a proactive alternative. Ringfencing enforces least privilege by restricting what approved applications can access, including files, registry keys, and network resources, thereby reducing attack vectors. This approach prevents applications from executing unauthorized child processes, such as PowerShell or Command Prompt, which are often exploited in cyberattacks. Implementing Ringfencing involves a phased approach, starting with monitoring and simulation to avoid operational disruptions and ensure policy effectiveness. Organizations benefit from transitioning to a proactive security model, aligning with Zero Trust principles and reducing the burden on cybersecurity teams. Regular policy review and refinement are essential to maintain effectiveness and minimize administrative overhead, ensuring ongoing protection against application misuse. |
| 2025-11-19 10:01:37 | thehackernews | VULNERABILITIES | ServiceNow AI Vulnerability Allows Unauthorized Data Access via Prompt Injection | AppOmni has identified a vulnerability in ServiceNow's Now Assist AI, enabling prompt injection attacks through default configurations, potentially leading to unauthorized data access and privilege escalation. The attack leverages Now Assist's agent-to-agent discovery capabilities, allowing malicious actors to manipulate AI agents into performing unauthorized actions such as data exfiltration and record modification. This vulnerability arises from the expected behavior of AI agents, where default settings facilitate agent collaboration, inadvertently exposing systems to security risks. ServiceNow has acknowledged the intended behavior but updated its documentation to clarify the implications and recommended configurations to mitigate risks. Organizations are advised to implement supervised execution modes for privileged agents, disable certain autonomous properties, and monitor AI agents for unusual activities to prevent exploitation. The incident underscores the importance of scrutinizing AI configurations as enterprises increasingly integrate AI into their operations, highlighting potential security gaps in automated systems. Failure to address these vulnerabilities could expose organizations to significant data breaches and operational disruptions, emphasizing the need for robust AI security measures. |
| 2025-11-19 10:01:37 | thehackernews | NATION STATE ACTIVITY | PlushDaemon Utilizes EdgeStepper for Global DNS Hijacking Attacks | PlushDaemon, a China-aligned threat group, employs EdgeStepper, a Go-based network backdoor, to execute adversary-in-the-middle attacks by rerouting DNS queries through malicious nodes. The group has been active since 2018, targeting sectors such as semiconductors, automotive, and manufacturing across the U.S., New Zealand, Cambodia, and parts of Asia. EdgeStepper compromises edge network devices by exploiting software vulnerabilities or weak credentials, redirecting software update traffic to attacker-controlled infrastructure. The attack involves two modules: the Distributor, which resolves DNS node IP addresses, and the Ruler, which configures IP packet filter rules. PlushDaemon's malware, SlowStepper, extracts sensitive data and credentials from infected systems, demonstrating advanced capabilities for global cyber espionage. Recent campaigns have targeted entities in Cambodia and South Korea, highlighting the group's focus on strategic industries and geopolitical interests. ESET has identified ten active China-aligned APT groups using similar software update hijacking techniques, indicating a broader trend in cyber espionage tactics. |
| 2025-11-19 10:01:36 | bleepingcomputer | NATION STATE ACTIVITY | PlushDaemon Exploits Software Updates in Global Cyberespionage Campaign | The China-linked PlushDaemon group is conducting cyberespionage by hijacking software updates, targeting sectors in the US, China, Taiwan, and other countries since 2018. Key targets include electronics manufacturers, universities, and a Japanese automotive plant in Cambodia, indicating a focus on industrial and academic espionage. Attackers exploit router vulnerabilities to install the EdgeStepper implant, redirecting update traffic to malicious infrastructure for further exploitation. EdgeStepper intercepts DNS queries, deploying the LittleDaemon malware downloader, which installs the SlowStepper backdoor for extensive data theft. SlowStepper, previously used against South Korean VPN users, enables system information collection, file operations, and credential theft. Recommended defenses include updating router firmware, using strong passwords, disabling unnecessary remote access, and employing DNS over HTTPS or TLS. Cryptographic verification of software updates is crucial to prevent trojanized packages, ensuring the integrity and authenticity of update processes. |