Daily Brief
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-11-19 09:38:20 | theregister | NATION STATE ACTIVITY | Evolving Espionage Campaign Targets ASUS Routers in Southeast Asia | SecurityScorecard's STRIKE team has identified "Operation WrtHug," compromising 50,000 ASUS routers, primarily in Taiwan and Southeast Asia, suggesting potential links to Chinese cyber espionage efforts.<br>The campaign exploits six known vulnerabilities, including CVE-2023-39780, previously associated with the AyySSHush campaign, impacting end-of-life ASUS WRT routers.<br>Despite the shared vulnerabilities, only seven devices were compromised by both WrtHug and AyySSHush, indicating potential evolution or coordination of campaigns.<br>The attack's geographic focus and tactics align with known Chinese APT operations, though definitive attribution remains speculative without further evidence.<br>The compromised routers exhibit a unique self-signed TLS certificate with a 100-year expiration, serving as a key indicator of compromise for affected devices.<br>STRIKE advises patching the vulnerabilities or upgrading to supported routers as the primary mitigation strategy to counter these espionage activities.<br>The operation's stealthy nature and regional targeting suggest a strategic intent to conduct undetected data theft, differing from typical botnet-driven DDoS attacks. |
| 2025-11-19 09:01:21 | theregister | MISCELLANEOUS | Strategic Approaches for CISOs and CIOs in Boardroom Technology Pitches | Technology investments are increasingly evaluated on their ability to support business goals, mitigate risk, and enhance shareholder value, beyond just technical sophistication.<br>CIOs and CISOs must present cybersecurity strategies, such as zero trust, as business enablers that align with the company's strategic priorities.<br>Effective boardroom communication involves framing technology proposals in terms of risk and return, addressing financial, operational, and reputational aspects.<br>Understanding board maturity levels is crucial; reactive boards require explanations of risks, while mature boards expect quantifiable outcomes and strategic roadmaps.<br>Positioning technology investments as pathways to operational excellence can elevate discussions from system selection to strategic advantage.<br>Future risks, including AI governance and quantum computing, should be part of board discussions to ensure long-term readiness and resilience.<br>Financial implications of technology investments should be clearly articulated, focusing on impacts to cash flow, margins, and scalability, to gain CFO and audit committee support. |
| 2025-11-19 05:41:00 | theregister | NATION STATE ACTIVITY | MI5 Warns of Chinese Espionage via Social Media and Fake Recruiters | MI5 has issued an espionage alert regarding Chinese intelligence efforts to use social media and fake recruitment agents to recruit UK individuals with access to sensitive government information.<br>Security Minister Dan Jarvis informed Parliament about Chinese actors targeting democratic institutions, using cover companies and external headhunters to mask their operations.<br>Two online profiles were identified as headhunters working for Chinese intelligence, seeking to build relationships with targets on platforms like LinkedIn.<br>The alert follows previous incidents, including cyber-operations targeting UK parliamentarians' emails and attempts at election interference by Chinese state-affiliated actors.<br>The UK has removed Chinese-manufactured surveillance equipment from sensitive sites due to concerns over China's national intelligence law.<br>A £170 million investment has been announced to enhance the security of sovereign and encrypted technology used by UK civil servants.<br>The situation highlights the ongoing threat of foreign interference and the need for robust cybersecurity measures to protect national interests. |
| 2025-11-19 04:26:36 | thehackernews | VULNERABILITIES | Fortinet Addresses Exploited FortiWeb Vulnerability Amidst Silent Patching Concerns | Fortinet disclosed a medium-severity vulnerability, CVE-2025-58034, in FortiWeb, actively exploited in the wild, with a CVSS score of 6.7.<br>The flaw allows authenticated attackers to execute unauthorized code on systems via crafted HTTP requests or CLI commands.<br>Fortinet credited Trend Micro researcher Jason McFadyen for identifying the vulnerability under responsible disclosure protocols.<br>The vulnerability has been addressed in updated FortiWeb versions, following Fortinet's PSIRT response and ongoing remediation efforts.<br>Fortinet's silent patching of a related critical vulnerability, CVE-2025-64446, has raised concerns among defenders about inadequate communication.<br>Security experts warn that lack of transparency from vendors can hinder defenders' ability to respond effectively to emerging threats.<br>Organizations using FortiWeb are advised to apply the latest patches promptly to mitigate potential exploitation risks. |
| 2025-11-18 21:50:49 | theregister | VULNERABILITIES | Critical Ray Framework Vulnerability Exploited in Global Botnet Campaign | A self-replicating botnet, ShadowRay 2.0, is exploiting a critical vulnerability in the Ray AI framework, affecting internet-facing clusters globally since September 2024.<br>The vulnerability, CVE-2023-48022, allows remote code execution via Ray's dashboard API. It remains unpatched due to the original vendor's stance on network environment use.<br>Attackers, identified as IronErn440, leverage Ray's orchestration features for cryptojacking, data theft, and DDoS attacks, targeting high-value GPU environments.<br>The campaign has compromised clusters worth millions in compute capacity, affecting organizations across multiple industries worldwide, including the US and China.<br>Attackers initially used GitLab for malware distribution but shifted to GitHub after GitLab's intervention, showcasing the adaptability and persistence of the threat actors.<br>The botnet employs AI-generated payloads for efficiency, exploiting Ray's lack of built-in authentication to execute malicious operations on exposed clusters.<br>Organizations using Ray should review their network configurations and consider additional security measures to mitigate exposure to this ongoing threat. |
| 2025-11-18 20:58:29 | bleepingcomputer | MALWARE | ShadowRay 2.0 Campaign Converts Ray Clusters into Cryptomining Botnet | ShadowRay 2.0 exploits a critical flaw in Ray Clusters, converting them into a cryptomining botnet, affecting over 230,000 servers globally.<br>The campaign leverages CVE-2023-48022, an unpatched vulnerability, allowing unauthorized job submissions via Ray's Jobs API to deploy malicious payloads.<br>Threat actor IronErn440 uses AI-generated payloads for cryptomining, data theft, and launching DDoS attacks, expanding the campaign's impact beyond mining.<br>Payloads utilize XMRig for Monero mining, employing tactics to evade detection, such as limiting CPU usage and disguising processes.<br>The malware ensures exclusive mining access by terminating rival scripts and blocking other mining pools, maintaining control over compromised clusters.<br>Persistence is achieved through cron jobs and systemd modifications, with payload updates checked every 15 minutes via GitHub repositories.<br>Anyscale advises deploying Ray in secure environments and implementing firewall rules and continuous monitoring to mitigate risks associated with the vulnerability. |
| 2025-11-18 19:30:44 | bleepingcomputer | VULNERABILITIES | Microsoft Unveils New Windows 11 Recovery Tools to Minimize Downtime | Microsoft introduced Cloud Rebuild and Point-in-Time Restore at the Ignite conference, aimed at enhancing Windows 11's recovery capabilities and reducing system downtime.<br>Point-in-Time Restore allows users to revert a Windows 11 system to a previous healthy state, restoring both system settings and local files.<br>Cloud Rebuild facilitates a complete OS reinstall from the cloud, leveraging Autopilot for seamless provisioning and ensuring compliance through Microsoft Intune.<br>These features are designed to swiftly address system failures or faulty updates, significantly cutting recovery time from hours or days to minutes.<br>Microsoft plans to integrate these tools into Microsoft Intune by 2026, enabling remote recovery actions and enterprise-wide coordination.<br>An updated Quick Machine Recovery tool is also being tested, which enhances boot failure resolution without needing physical device access.<br>These advancements reflect Microsoft's ongoing commitment to improving system resilience and operational efficiency for enterprise environments. |
| 2025-11-18 19:10:14 | bleepingcomputer | VULNERABILITIES | Fortinet Patches Critical FortiWeb Zero-Day Exploited in Active Attacks | Fortinet has released updates to address a zero-day vulnerability, CVE-2025-58034, in its FortiWeb application firewall, actively exploited by threat actors.<br>The flaw, an OS command injection vulnerability, allows authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands.<br>Administrators are urged to upgrade FortiWeb devices immediately to mitigate potential threats from this vulnerability.<br>The vulnerability was identified by Trend Micro's Jason McFadyen and is considered low-complexity, not requiring user interaction for exploitation.<br>Fortinet had previously patched another zero-day, CVE-2025-64446, following reports of its exploitation to create admin-level accounts on exposed devices.<br>CISA has mandated U.S. federal agencies secure systems against CVE-2025-64446 by November 21, emphasizing the critical nature of these vulnerabilities.<br>Fortinet vulnerabilities have historically been targeted in cyber espionage and ransomware attacks, highlighting the importance of timely patching. |
| 2025-11-18 18:35:04 | thehackernews | MISCELLANEOUS | New Phishing Kit Uses Browser-in-the-Browser Technique for Credential Theft | The Sneaky 2FA Phishing-as-a-Service kit has integrated Browser-in-the-Browser (BitB) functionality, enabling attackers to mimic legitimate login pages and steal Microsoft account credentials.<br>Push Security reports that attackers use HTML and CSS to create fake browser windows, presenting victims with seemingly authentic Microsoft login URLs to deceive users into entering their credentials.<br>The phishing scheme involves a Cloudflare Turnstile check, followed by a fake Microsoft login page using BitB, exfiltrating credentials and session details for account takeover.<br>Attackers employ bot protection and conditional loading techniques to target specific victims while evading security tools and redirecting non-targets to benign sites.<br>Sneaky 2FA employs obfuscation and disables browser developer tools to hinder analysis, rotating phishing domains frequently to avoid detection.<br>The broader context reveals attackers exploiting browser extensions to fake passkey registrations, allowing unauthorized access to enterprise apps without user devices or biometrics.<br>Organizations are advised to implement conditional access policies and educate users on identifying phishing attempts to mitigate the risk of account compromises. |
| 2025-11-18 18:19:39 | theregister | NATION STATE ACTIVITY | FCC Considers Reversing Cybersecurity Rules Post-Salt Typhoon Attacks | The FCC is set to vote on repealing cybersecurity rules established after the Salt Typhoon attacks, citing concerns over their legality and effectiveness.<br>The rules, enacted in January 2025 under the Biden administration, required telecom carriers to implement basic security measures to prevent unauthorized access.<br>Telecom industry groups argue the FCC overstepped its legal authority with these rules, claiming they imposed burdensome cybersecurity duties inconsistent with CALEA.<br>The FCC's proposed reversal suggests a shift towards a more collaborative cybersecurity approach, involving federal-private partnerships and existing federal and state requirements.<br>The Salt Typhoon campaign, attributed to Chinese state-backed actors, compromised data from US residents and entities in over 80 countries, highlighting significant cybersecurity vulnerabilities.<br>Critics of the reversal argue it may create a "safe harbor" for lax cybersecurity practices, potentially undermining efforts to protect national security.<br>The decision reflects ongoing debates about the balance between regulatory oversight and industry-led cybersecurity initiatives in safeguarding critical infrastructure. |
| 2025-11-18 17:57:56 | theregister | NATION STATE ACTIVITY | US Cyber Director Advocates Offensive Strategy Against Foreign Hackers | US National Cyber Director Sean Cairncross announced plans for a new National Cyber Strategy, emphasizing offensive measures against foreign cyber threats targeting US infrastructure.<br>The strategy aims to introduce consequences for adversaries, moving beyond the current defensive-focused posture, and involves collaboration between government and private sectors.<br>Cairncross noted the absence of a cohesive long-term strategy, highlighting the need for a unified approach to deter persistent cyber attacks.<br>The upcoming strategy document will feature six pillars, designed to coordinate actions across the US cyber domain, though specific details remain undisclosed.<br>Industry leaders, including Mandiant's Kevin Mandia and Google's Sandra Joyce, echoed concerns about the current defensive asymmetry and the need for effective threat intelligence sharing.<br>Joyce criticized the current government model, citing the quick resurgence of threats like the Lumma malware, and called for more actionable intelligence from private firms.<br>The timeline for the strategy's release remains unspecified, with Cairncross focusing on developing a comprehensive action plan to address ongoing cyber threats. |
| 2025-11-18 17:57:55 | bleepingcomputer | VULNERABILITIES | Microsoft to Integrate Sysmon Directly into Windows 11 and Server 2025 | Microsoft plans to integrate Sysmon natively into Windows 11 and Windows Server 2025, enhancing security monitoring capabilities without requiring standalone installations.<br>Sysmon, a tool from Microsoft Sysinternals, is widely used for threat hunting and diagnosing persistent issues by monitoring and logging suspicious activities.<br>The integration will allow Sysmon to be installed via Windows 11's "Optional features" settings, streamlining deployment and management across large IT environments.<br>Administrators will benefit from Sysmon's standard feature set, including custom configuration files and advanced event filtering, directly through Windows Update.<br>This move aims to simplify the process of enabling Sysmon, making it more accessible for users and administrators to enhance security postures.<br>Microsoft will release comprehensive documentation and introduce enterprise management features and AI-powered threat detection capabilities in the coming year.<br>Organizations can currently test or deploy Sysmon using the individual tool available on the Sysinternals site, with guidance from SwiftOnSecurity's example configurations. |
| 2025-11-18 17:48:03 | theregister | VULNERABILITIES | Google Issues Emergency Patch for Exploited Chrome Zero-Day Vulnerability | Google released an emergency patch for a high-severity Chrome vulnerability, CVE-2025-13223, actively exploited in the wild, marking the seventh zero-day addressed this year.<br>The flaw resides in the V8 JavaScript engine and involves type confusion, potentially allowing system crashes and arbitrary code execution, risking full system compromise.<br>Users are urged to update Chrome immediately to mitigate risk, as the vulnerability can be exploited through crafted HTML pages.<br>A second emergency patch addresses another type confusion bug, CVE-2025-13224, discovered by Google's LLM-based tool, Big Sleep, though no exploitation has been reported yet.<br>Google's Threat Analysis Group (TAG) continues to monitor and track exploitation by spyware and nation-state actors, enhancing vigilance against such threats.<br>Previous similar vulnerabilities, such as CVE-2025-10585, have been exploited, indicating a persistent threat vector requiring ongoing attention and rapid response.<br>Organizations should prioritize timely updates and patch management to safeguard systems against emerging threats and maintain operational security. |
| 2025-11-18 17:26:32 | bleepingcomputer | VULNERABILITIES | Microsoft to Integrate Sysmon Natively in Windows 11 and Server 2025 | Microsoft plans to integrate Sysmon natively into Windows 11 and Windows Server 2025, eliminating the need for separate Sysinternals tool deployment.<br>Sysmon, a tool for monitoring and logging suspicious activities, will be accessible via Windows 11's "Optional features" settings and updated through Windows Update.<br>The integration will simplify deployment and management, enhancing coverage in large IT environments by eliminating the need for individual installations.<br>Sysmon's native support will retain its standard features, including custom configuration files and advanced event filtering, crucial for threat hunting.<br>Administrators can enable Sysmon via Command Prompt, allowing for both basic and advanced monitoring based on custom configurations.<br>Microsoft will release comprehensive Sysmon documentation and introduce new enterprise management features and AI-powered threat detection capabilities next year.<br>This development is expected to bolster security operations by providing more streamlined and efficient monitoring capabilities across Windows environments. |
| 2025-11-18 17:17:40 | bleepingcomputer | VULNERABILITIES | Microsoft Teams Introduces User Reporting for False-Positive Threats | Microsoft Teams will soon allow users to report messages mistakenly flagged as threats, enhancing detection accuracy and bolstering organizational security.<br>This feature is part of a broader rollout expected to be globally available by November 2025, targeting users of Microsoft Defender for Office 365 Plan 2 or Microsoft Defender XDR.<br>The reporting capability will be enabled by default across desktop, mobile, and web platforms, with administrative control available for toggling the feature on or off.<br>Complementary security enhancements include automatic blocking of screen recordings and warnings for potentially malicious links in private messages.<br>These updates aim to improve user experience and trust in Microsoft Teams, which serves over 320 million monthly users worldwide.<br>The initiative reflects Microsoft's ongoing commitment to refining its security measures and adapting to evolving cybersecurity challenges. |