Daily Brief
Total articles found: 11760
Checks for new stories every ~15 minutes
| Timestamp | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-10-16 18:17:59 | bleepingcomputer | VULNERABILITIES | Hackers Exploit Cisco SNMP Flaw, Deploy Rootkit on Switches | Threat actors exploited a remote code execution vulnerability (CVE-2025-20352) in Cisco devices, targeting older models like the 9400, 9300, and 3750G series lacking endpoint detection solutions. The vulnerability affects the Simple Network Management Protocol (SNMP) in Cisco IOS and IOS XE, allowing attackers with root privileges to deploy a Linux rootkit for persistent access. Trend Micro identified this campaign as 'Operation Zero Disco', noting the malware sets a universal access password and can manipulate logs and bypass access controls. The rootkit includes a UDP controller to listen on any port, disabling logs, and enabling lateral movement across VLANs through ARP spoofing and internal firewall rule bypassing. Despite newer switches having Address Space Layout Randomization (ASLR) protection, they remain susceptible to persistent targeting, emphasizing the need for robust security measures. Trend Micro recommends a low-level firmware and ROM region investigation if a compromise is suspected, as no reliable detection tool currently exists for these attacks. Indicators of compromise (IoCs) related to 'Operation Zero Disco' have been published to aid in identifying affected systems. |
| 2025-10-16 17:06:25 | bleepingcomputer | CYBERCRIME | Microsoft Halts Rhysida Ransomware Attacks Exploiting Teams Installers | Microsoft disrupted a series of Rhysida ransomware attacks by revoking over 200 certificates used to sign malicious Microsoft Teams installers. The threat group, Vanilla Tempest, used deceptive domains mimicking Microsoft Teams to distribute fake installers, infecting systems with the Oyster backdoor. The campaign involved malvertising tactics, including search engine ads and SEO poisoning, to push fake Teams installers that compromised Windows devices. Upon execution, the malicious installers deployed Oyster malware, enabling remote access for data theft, command execution, and further payload deployment. Vanilla Tempest, also known as VICE SPIDER, has been active since June 2021, targeting sectors like education, healthcare, IT, and manufacturing. The group has a history of using various ransomware strains, including BlackCat and Zeppelin, and was previously warned against by the FBI and CISA. Microsoft's intervention reflects ongoing efforts to counteract sophisticated cybercrime tactics leveraging trusted software distribution channels. |
| 2025-10-16 16:34:20 | theregister | NATION STATE ACTIVITY | Chinese APT Group Jewelbug Targets Russian IT Firm for Espionage | Symantec's Threat Hunter Team identified a Chinese APT group, Jewelbug, infiltrating a Russian IT service provider, signaling a rare instance of espionage between the two nations. The intrusion spanned from early 2025 to May, granting Jewelbug months of undetected access to critical infrastructure, including servers and code repositories. Jewelbug employed tactics such as renaming Microsoft's cdb.exe to "7zup.exe" and used Yandex Cloud for exfiltration, exploiting the trust Russian firms place in local services. The attack potentially aimed at a software supply chain assault, threatening a wide network of Russian companies with espionage or operational disruption. This incident challenges the notion of Russia being off-limits to Chinese cyber operations, suggesting a shift in Beijing's intelligence strategy. Previous reports indicate Chinese groups have targeted Russian military and corporate networks since mid-2022, seeking sensitive military and technological data. The evolving use of cloud-native C2 channels by Jewelbug highlights a trend toward more sophisticated and stealthy cyber operations. Russian IT providers and their clients should reassess their cybersecurity strategies in light of this emerging threat landscape. |
| 2025-10-16 15:11:42 | bleepingcomputer | VULNERABILITIES | Gladinet Releases Patch for Actively Exploited CentreStack Zero-Day Vulnerability | Gladinet addressed a zero-day local file inclusion vulnerability in its CentreStack solution, exploited since late September, by releasing a security update in version 16.10.10408.56683. The vulnerability, CVE-2025-11371, allowed attackers to read critical configuration files and leverage them for remote code execution through a previously identified flaw, CVE-2025-30406. Huntress researchers identified the flaw as a bypass for earlier mitigations against a deserialization vulnerability, leading to unauthorized access and potential system compromise. The root cause was traced to a sanitization failure in the temp-download handler, which enabled directory traversal and unauthorized file access under NT AUTHORITY\SYSTEM. Administrators are urged to install the latest update or apply temporary mitigations by disabling the temp handler in the Web.config file to prevent exploitation. Huntress provided technical insights and a minimal proof-of-concept exploit, though the full exploit chain remains undisclosed to limit potential abuse. Organizations using CentreStack should prioritize patching to safeguard against potential threats and maintain operational security integrity. |
| 2025-10-16 15:03:35 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Exploit Blockchain for Advanced Malware Distribution | North Korean threat actor UNC5342 has adopted the EtherHiding technique to distribute malware via blockchain smart contracts, marking a first for state-sponsored cyber operations. The campaign, known as Contagious Interview, targets developers through LinkedIn, using social engineering to deploy malicious code under the guise of job assessments. EtherHiding involves embedding harmful code within smart contracts on public blockchains like Ethereum, making malware distribution resilient to takedown efforts. This method leverages the pseudonymous nature of blockchain transactions, complicating efforts to trace the deployment of malicious smart contracts. Attackers can update the malicious payload within the smart contract at any time, enhancing the flexibility and persistence of the threat. The attack chain affects Windows, macOS, and Linux systems, utilizing three different malware families to achieve its objectives. This development signals a significant shift in the cyber threat landscape, as nation-state actors increasingly use innovative techniques to evade detection and enhance operational resilience. |
| 2025-10-16 14:56:12 | thehackernews | MALWARE | UNC5142 Exploits Blockchain Smart Contracts for Malware Distribution | Threat actor UNC5142 is leveraging blockchain smart contracts to distribute information-stealing malware, targeting both Windows and macOS users via compromised WordPress sites. Google Threat Intelligence Group identified approximately 14,000 web pages with injected JavaScript linked to UNC5142, indicating widespread exploitation of vulnerable WordPress sites. The attack chain involves a multi-stage JavaScript downloader, CLEARSHORT, which uses smart contracts on the BNB Smart Chain to deliver malware payloads. The attack utilizes the ClickFix tactic, deceiving users into executing malicious commands, leading to system infections with stealer malware. UNC5142's infrastructure includes a sophisticated three-smart-contract system, enhancing operational agility and resistance to detection and takedown efforts. The group's campaigns have evolved significantly, employing a proxy pattern architecture that allows for rapid updates without modifying compromised site scripts. The use of blockchain technology provides the threat actor with increased resiliency, blending malicious activities with legitimate Web3 operations. Despite a pause in activity since July 2025, the group's past success suggests a potential for future sophisticated campaigns. |
| 2025-10-16 14:31:03 | thehackernews | MALWARE | New LinkPro Rootkit Exploits eBPF for Stealth Operations on Linux | Synacktiv discovered the LinkPro rootkit during an investigation of compromised AWS-hosted infrastructure, exploiting Linux systems with advanced concealment techniques. Attackers leveraged a vulnerable Jenkins server, identified as CVE-2024-23897, to deploy the rootkit via a malicious Docker Hub image on Kubernetes clusters. LinkPro uses eBPF modules for stealth, activating through a "magic packet" with a specific TCP window size, allowing remote command execution within a one-hour window. The rootkit modifies the "/etc/ld.so.preload" file to conceal itself, affecting all programs using shared libraries, including glibc, by intercepting system calls. LinkPro supports multiple communication protocols, enabling versatile command and control operations, and complicates network activity correlation with firewall logs. The attack's financial motivation remains suspected, though the threat actors' identities are currently unknown. This incident emphasizes the need for robust patch management and monitoring of exposed services to prevent similar infiltrations. |
| 2025-10-16 14:31:02 | bleepingcomputer | VULNERABILITIES | CISA Warns of Active Exploitation of Critical Adobe Flaw | CISA has issued an alert regarding active exploitation of a critical vulnerability in Adobe Experience Manager, identified as CVE-2025-54253, which allows remote code execution. This vulnerability affects Adobe Experience Manager Forms on JEE versions 6.5.23 and earlier, stemming from a misconfiguration issue that permits unauthenticated access. Researchers Adam Kues and Shubham Shah disclosed the flaw to Adobe in April, but it remained unpatched until August, despite proof-of-concept exploit code being publicly available. Adobe's delayed response left systems exposed for over 90 days, prompting CISA to add this flaw to its Known Exploited Vulnerabilities Catalog. Federal agencies are mandated to secure their systems by November 5th under Binding Operational Directive 22-01, with CISA urging all organizations to prioritize patching. Administrators are advised to restrict Internet access to AEM Forms if immediate patching is not possible, to mitigate potential exploitation risks. The vulnerability's exploitation poses significant risks to federal and private sector enterprises, emphasizing the need for timely security updates and proactive defense measures. |
| 2025-10-16 14:15:43 | theregister | MISCELLANEOUS | Google Introduces Trusted Contacts for Enhanced Gmail Account Recovery | Google has launched a new Gmail feature allowing users to designate trusted contacts to assist in account recovery when traditional methods are unavailable. This initiative aims to address challenges associated with passkeys, particularly when users lose access to their devices, hindering account access. Users can select up to 10 trusted contacts, who will receive a code to verify recovery requests, enhancing security through number-matching authentication. Google implements additional security measures, such as device history and IP checks, to ensure the legitimacy of recovery attempts and prevent unauthorized access. While the feature enhances account recovery, it requires contacts to possess strong cybersecurity awareness to avoid potential social engineering attacks. This feature is currently available for personal Gmail accounts, but not for Google Workspace or accounts enrolled in the Advanced Protection Program. Google's ongoing efforts in account recovery solutions aim to maintain high privacy and security standards while providing users with reliable access options. |
| 2025-10-16 14:00:45 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Exploit Blockchain for Stealthy Malware Delivery | North Korean group UNC5342 utilizes the EtherHiding technique to embed malware within smart contracts on public blockchains, targeting cryptocurrency through sophisticated social engineering. The Google Threat Intelligence Group reports this novel method, marking the first known use by a state-backed actor, leveraging Binance Smart Chain and Ethereum for malware distribution. EtherHiding offers anonymity, resistance to takedown efforts, and low-cost, flexible payload updates, complicating detection and response efforts. Attackers initiate campaigns with fake job interviews, tricking software developers into downloading malicious files disguised as coding tests from platforms like GitHub or NPM. The Jadesnow loader retrieves encoded payloads from blockchains, executing the InvisibleFerret malware to steal credentials and exfiltrate data via command and control channels. Credential-stealing targets include passwords, credit cards, and cryptocurrency wallets, with malware updates occurring frequently and at minimal cost. Organizations are advised to enforce strict download restrictions, control browser updates, and implement robust web access and script execution policies to mitigate risks. |
| 2025-10-16 14:00:45 | bleepingcomputer | VULNERABILITIES | Unified Exposure Management Platforms Enhance Preemptive Cyber Defense Strategies | Traditional Managed Detection and Response (MDR) services are becoming insufficient as businesses face continuous new exposures across hybrid infrastructures and distributed ecosystems. Unified Exposure Management Platforms (UEMPs) offer a proactive approach by continuously identifying, validating, and remediating vulnerabilities before adversaries can exploit them. The shift towards preemptive security is driven by increased regulatory scrutiny and the need for measurable risk reduction tied to business outcomes. UEMPs integrate asset discovery, vulnerability assessment, validation, and remediation, connecting technical evidence directly with business impact. These platforms use Breach and Attack Simulation (BAS) and Automated Penetration Testing to validate exploitability, providing actionable insights for security teams. By operationalizing the Continuous Threat Exposure Management model, UEMPs reduce potential dwell time from identification to mitigation, enhancing organizational resilience. Picus Security, recognized by Gartner, exemplifies this emerging category, offering platforms that unify discovery, validation, and remediation for comprehensive security posture management. |
| 2025-10-16 13:37:30 | theregister | VULNERABILITIES | Microsoft Patches Critical ASP.NET Core Vulnerability in Kestrel Server | Microsoft has released a patch for a critical ASP.NET Core vulnerability in the Kestrel web server, rated 9.9 on the CVSS scale, marking it as their highest-ever score. The flaw, identified as CVE-2025-55315, involves request smuggling, allowing unauthorized actions such as user impersonation and bypassing security checks. The vulnerability affects all supported versions of ASP.NET Core, including pre-release versions, potentially impacting applications depending on their configuration and code. Developers are advised to update their .NET SDK or Kestrel.Core package to the latest versions to mitigate the risk, with a focus on evaluating specific application vulnerabilities. The issue is longstanding, affecting applications deployed using the framework-dependent model; updates must be applied at the server level in these cases. While no known exploits have been reported, Microsoft emphasizes the importance of patching promptly to prevent potential security breaches. Organizations should assess their application setups to determine exposure risk, especially those using Kestrel directly or behind a proxy. |
| 2025-10-16 13:02:13 | bleepingcomputer | MISCELLANEOUS | Microsoft Introduces Voice-Activated Copilot for Enhanced User Interaction | Microsoft has launched a voice-activated feature for its AI-powered Copilot on Windows 11, allowing users to initiate conversations using the "Hey Copilot" wake word. This feature, tested by Windows Insiders since May, requires manual activation and is designed to improve user engagement with the Copilot app. Once activated, users will see a microphone icon and hear a chime, indicating that Copilot is ready to assist with tasks such as troubleshooting and app guidance. The wake word recognition operates offline using a local 10-second audio buffer, ensuring user privacy, although internet access is necessary for processing requests. Microsoft reports increased user interaction with Copilot when using voice commands, suggesting a trend towards more natural and intuitive user interfaces. Additional Copilot capabilities include generating Office documents and connecting with third-party accounts like Gmail and Google Drive, enhancing productivity and integration. Microsoft continues to expand Copilot's functionalities, including the recent introduction of Gaming Copilot and content-aware Copilot Chat for Microsoft 365 business customers. |
| 2025-10-16 13:02:13 | bleepingcomputer | MISCELLANEOUS | Microsoft Introduces Copilot Actions for Enhanced AI-Driven Windows Tasks | Microsoft announced the Copilot Actions feature for Windows 11, enabling AI agents to perform tasks on local files and applications, enhancing productivity and efficiency. This new feature will initially be available to Windows Insiders through Copilot Labs, expanding on the web-based Copilot Actions introduced earlier this year. Copilot Actions transforms AI agents from passive assistants to active collaborators, capable of updating documents, organizing files, and more. Each AI agent operates within its own Agent Workspace, ensuring isolation and preventing interaction with the user's desktop environment. Security measures include distinct agent accounts, limited privileges, and cryptographic signing to ensure operational trust and compliance with Microsoft's privacy standards. Agents will initially access standard Windows data folders, with plans for more granular security controls to be introduced in the future. Feedback from the preview program will guide further development, with full release anticipated later this year as part of Microsoft's Secure Future Initiative. |
| 2025-10-16 12:55:23 | theregister | VULNERABILITIES | Senator Demands Cisco's Accountability Over Critical Firewall Vulnerabilities | U.S. Senator Bill Cassidy has requested Cisco clarify its response to critical firewall flaws, CVE-2025-20333 and CVE-2025-20362, which impacted at least one federal agency. The flaws prompted an emergency directive from CISA, requiring federal agencies to patch affected Cisco devices within 24 hours to mitigate significant risks. Cisco's Adaptive Security Appliance and Firepower Threat Defense devices were exploited by the ArcaneDoor campaign, linked to the Chinese-associated group UAT4356. Exploitation of these vulnerabilities began as early as May, with attackers deploying implants and exfiltrating data from compromised systems. Cassidy's letter emphasizes the need for Cisco to align its guidance with CISA's and ensure comprehensive communication with all affected customers. The senator's demands highlight the broader issue of vendor accountability, particularly for those providing critical infrastructure to both government and private sectors. Cisco has been given a deadline of October 27 to respond to the senator's inquiries, a timeline that tests its transparency and readiness to address security concerns. |