Daily Brief

The Cybersecurity Information Sharing Act (CISA) of 2015 may lapse on October 1, coinciding with a potential U.S. federal government shutdown. CISA facilitates the exchange of cyber threat indicators between businesses and the government, a practice deemed crucial by its supporters for national cyber defense. Critics argue CISA compromises privacy, allowing federal surveillance under the guise of cybersecurity, despite mandates to remove unrelated personal information. Efforts to extend CISA through a continuing resolution have stalled in Congress, entangled in broader disputes over healthcare funding and spending levels. Former FBI officials assert that CISA has prevented billions in cyber incident losses and fostered a culture of proactive information sharing. The lapse of CISA could increase vulnerability to cyberattacks, particularly affecting small and medium-sized businesses reliant on shared threat intelligence. Congressional gridlock persists, with no immediate resolution in sight, raising concerns over the continuity of critical cybersecurity measures.

Researchers identified phishing campaigns impersonating Ukrainian government agencies, using malicious SVG files to deliver CountLoader, which subsequently drops Amatera Stealer and PureMiner. The phishing emails masquerade as notices from the National Police of Ukraine, leveraging SVG files to initiate harmful downloads. CountLoader acts as a distribution vector for Amatera Stealer and PureMiner, both deployed as fileless threats via .NET AOT compilation and process hollowing. Amatera Stealer gathers system information and data from browsers, applications, and cryptocurrency wallets, posing significant data theft risks. A separate campaign by a Vietnamese-speaking group uses copyright infringement themes to deploy PXA Stealer, evolving into PureRAT, a sophisticated backdoor. These campaigns illustrate a progression from simple phishing tactics to advanced, multi-layered malware deployment, indicating a maturing threat landscape. Organizations are advised to enhance email security measures and educate employees about the risks of opening unsolicited attachments.

Microsoft is set to introduce a security feature in Edge to detect and revoke malicious sideloaded extensions, launching globally in November for standard multi-tenant instances. Sideloading allows developers to test extensions locally, but it also opens avenues for users to install potentially harmful third-party extensions not vetted for malware. Recent attacks exploiting sideloaded extensions have impacted hundreds of thousands of users, prompting Microsoft to enhance its security measures. The new feature's detection methods remain unspecified, but it aims to protect users from extensions that could compromise security or performance. Microsoft has updated its Edge extension developer tools, including the Publish API, to bolster security and streamline the extension update process. Additional Edge security enhancements include an AI-powered scareware blocker and HTTPS-First Mode, which strengthens connection security by upgrading HTTP to HTTPS. These initiatives reflect Microsoft's ongoing commitment to improving browser security and protecting users from emerging threats.

Microsoft has discovered a new variant of the XCSSET malware, targeting Apple developers by embedding itself in Xcode projects, a tool used for app development on Apple devices. The malware has been active since 2020, with recent updates including enhanced persistence, obfuscation techniques, and capabilities for cryptocurrency theft. New features include a Firefox-targeting module using a modified HackBrowserData tool and a clipboard hijacker that replaces cryptocurrency wallet addresses with those of the attackers. XCSSET now disables macOS automatic updates and Rapid Security Responses, using tactics like run-only compiled AppleScripts to evade detection. Microsoft has collaborated with Apple and GitHub to remove affected repositories and advises developers to scrutinize projects, maintain updated macOS systems, and use robust endpoint security tools. Despite limited attacks, the malware's persistence and evolution highlight ongoing vulnerabilities within Apple's developer ecosystem. Developers are urged to remain vigilant, as compromised Xcode projects can unknowingly execute malicious payloads, posing significant security risks.

Salesforce is dealing with multiple lawsuits after a breach involving third-party app Salesloft exposed customer data, sparking concerns of identity theft. The lawsuits, filed in Northern California, claim Salesforce's security measures were inadequate, though Salesforce denies any compromise of its platform. Attackers exploited OAuth tokens from Salesloft's Drift app, gaining unauthorized access to Salesforce data, confirmed by Google's Threat Intelligence Group. Staci Johnson's lawsuit demands Salesforce disclose compromised data details and enhance security practices to prevent future breaches. The breach has affected several Salesforce customers, including TransUnion and Farmers Insurance, though the direct connection to Salesforce remains unconfirmed. Impacted individuals are advised to monitor financial accounts and credit reports closely to prevent potential identity theft and fraud. Salesforce has reiterated its commitment to data protection, directing users to its Trust page for guidance on safeguarding customer information.

Trend Micro reports the emergence of LockBit 5.0, a ransomware variant capable of targeting Windows, Linux, and VMware ESXi environments, posing a heightened threat to enterprise systems. The new strain features enhanced evasion techniques, including heavy obfuscation, anti-analysis packing, and cross-platform capabilities, complicating detection and response efforts. LockBit 5.0's modular architecture and stealthy encryption routines allow simultaneous attacks across enterprise networks, from endpoints to critical servers and virtualization platforms. Each encrypted file receives a random 16-character extension, complicating data restoration and increasing recovery challenges for affected organizations. Despite a recent law enforcement operation, LockBit's affiliate program has been reactivated, indicating a strategic comeback with refreshed incentives for operators. The ransomware's ability to terminate security processes and delete backups, particularly in ESXi environments, further undermines traditional recovery strategies. Security teams are urged to implement comprehensive cross-platform defenses, with a focus on protecting virtualization infrastructure against this evolving ransomware threat.

Security researchers identified active exploitation of a critical vulnerability (CVE-2025-10035) in Fortra's GoAnywhere Managed File Transfer (MFT) software, affecting tens of thousands of systems globally. The flaw allows attackers to execute remote code, create backdoor admin accounts, and deploy additional malicious payloads, posing significant risks to organizations using the software. Fortra's disclosure of the vulnerability on September 18 lacked transparency, leading to criticism from researchers who found evidence of exploitation beginning on September 10. The vulnerability is particularly concerning due to GoAnywhere MFT's widespread use among Fortune 500 companies, with over 20,000 instances still exposed to the internet. Previous attacks on MFT solutions, including a notable incident involving Cl0p ransomware, highlight the ongoing threat to data transfer systems and the need for robust security measures. Organizations are advised to review their systems for indicators of compromise and consider initiating incident response investigations to mitigate potential impacts. The situation underscores the importance of timely and clear communication from vendors to enable effective defensive actions by affected organizations.

Organizations are rapidly adopting AI, with 92% of technology leaders planning increased AI spending by 2025, yet many lack adequate security measures to protect these deployments. A significant gap exists between AI adoption and security readiness, with only 37% of organizations having processes to assess AI security before deployment, according to the World Economic Forum. Smaller businesses are particularly vulnerable, with 69% lacking safeguards like monitoring training data or inventorying AI assets, exposing them to potential cyber threats. Insecure AI deployments pose compliance risks and empower cybercriminals by lowering the entry barrier for attacks, making scams faster and harder to detect. Accenture's research indicates that only 10% of companies are "Reinvention-Ready," combining mature cyber strategies with integrated monitoring and response capabilities, reducing AI-powered attack risks by 69%. For managed service providers, the rise of AI presents both challenges and opportunities, as clients demand AI tools while relying on MSPs for security against AI-enabled attacks. Enterprises must prioritize AI security at the board level, establish governance frameworks, and train cybersecurity teams to address emerging AI-driven threats to ensure responsible deployment.

A critical vulnerability, CVE-2025-10035, in Fortra's GoAnywhere MFT software is actively exploited, enabling remote command injection without authentication. Fortra disclosed the flaw on September 18, 2025, though exploitation evidence dates back to September 10, 2025, indicating a zero-day status. The vulnerability is a deserialization issue in the License Servlet, allowing attackers with forged license signatures to inject commands. Security researchers from WatchTowr Labs identified the exploitation, noting the creation of backdoor accounts and misuse of legitimate binaries for persistent access. Attackers executed commands to assess user privileges and explore lateral movement, posing significant risks to compromised environments. Fortra advises upgrading to patched versions 7.8.4 or 7.6.3 and removing public internet exposure for the Admin Console to mitigate risks. Administrators are urged to inspect log files for specific error strings to detect potential impacts and enhance defenses against this vulnerability.

A vulnerability in Salesforce's Agentforce allowed attackers to exploit AI agents via prompt injection, risking exposure of sensitive customer data. The flaw, named "ForcedLeak," originated from a DNS misconfiguration and was demonstrated using an expired domain purchased for $5. Salesforce has patched the vulnerability, implementing trusted URL allow-lists to prevent AI agents from accessing untrusted domains. The attack leveraged indirect prompt injection, embedding malicious instructions processed by AI when users interacted with the system. Researchers used Salesforce's Web-to-Lead feature, exploiting the description field's 42,000-character limit for multi-step instruction sets. This incident underscores the evolving security challenges posed by AI-integrated business tools, emphasizing the need for robust AI governance. Salesforce continues to collaborate with the research community to enhance security measures and protect against emerging AI vulnerabilities.

The COLDRIVER APT group, linked to Russia, has initiated a new campaign deploying BAITSWITCH and SIMPLEFIX malware, targeting various sectors since 2019. Zscaler ThreatLabz identified the multi-stage ClickFix campaign, which uses fake CAPTCHA prompts to execute malicious PowerShell commands, compromising victim systems. BAITSWITCH acts as a downloader, fetching the SIMPLEFIX PowerShell backdoor from an attacker-controlled domain, enabling further system infiltration. The campaign targets NGOs, human rights defenders, and Russian exiles, aligning with COLDRIVER's historical victim profile focused on civil society. Parallel attacks by groups like BO Team and Bearlyfy demonstrate increased cyber activity against Russian entities, utilizing phishing and ransomware tactics. Bearlyfy has been active since early 2025, demanding ransoms in cryptocurrency, with infrastructure links to the pro-Ukrainian PhantomCore group. The ongoing threat landscape highlights the persistent risk of sophisticated APT campaigns employing multi-stage and varied attack vectors.

Volvo North America reported a breach of employee data following a ransomware attack on their HR system provider, Miljödata, affecting names and social security numbers. The breach was part of a larger attack by the DataCarry ransomware group on Miljödata's Adato system, impacting multiple organizations using the cloud-hosted service. Affected data includes 870,000 unique email addresses and various personal details, with 1.5 million individuals impacted overall, according to the investigation. Miljödata has initiated an investigation and is reviewing security measures, while Volvo continues to monitor the situation closely to mitigate further risks. The attack disrupted public services across 200 Swedish regions and affected several universities, highlighting the extensive reach of the breach. Organizations using the Adato system experienced varying levels of data exposure, with some confirming the compromise of sensitive employee information. This incident underscores the critical need for robust cybersecurity practices and third-party risk management to protect sensitive data from similar threats.

Breach and Attack Simulation (BAS) serves as a critical tool for CISOs, providing real-world testing of security defenses similar to crash tests in the automotive industry. Traditional security dashboards and compliance reports often offer a false sense of security, lacking the rigorous testing BAS provides to identify exploitable weaknesses. The Blue Report 2025, based on 160 million adversary simulations, reveals hidden vulnerabilities that only emerge under simulated attack conditions. BAS provides continuous, controlled attack scenarios, offering proof of defense effectiveness rather than relying on hypothetical security measures. By using BAS, organizations can prioritize real threats, reducing noise and focusing resources on critical exposures that matter most. The integration of AI with BAS is set to enhance predictive capabilities, ensuring defenses are robust against future threats. The upcoming Picus BAS Summit 2025 will explore advancements in attack simulation and AI, offering insights into the evolving landscape of security validation.

The US CISA and UK NCSC have issued urgent directives to patch vulnerabilities in Cisco's ASA and FTD firewalls, exploited by an advanced threat actor. Federal agencies have a 24-hour deadline to identify affected devices, check for compromises, and apply necessary patches to mitigate risks. The vulnerabilities, CVE-2025-20333 and CVE-2025-20362, allow attackers to implant malware, execute commands, and potentially exfiltrate data from compromised systems. Cisco has released patches and confirmed that these vulnerabilities have been exploited since May, linked to the ArcaneDoor campaign targeting government and telecom networks. The ArcaneDoor campaign is attributed to a group dubbed UAT4356, suspected to have state-sponsored backing, using custom tools for espionage. Security researchers have identified connections between attacker IPs and major Chinese networks, raising concerns about state involvement. The incident follows another zero-day exploit in Cisco's IOS software, raising questions about the company's vulnerability management practices.

The UK government aims to implement a mandatory digital ID system for all legal residents by 2029, requiring it for employment verification. Prime Minister Keir Starmer promotes the initiative as a means to enhance border security and streamline access to services, despite previous government opposition. Digital IDs will be stored on mobile devices, with plans to accommodate those without smartphone access, addressing concerns for digitally excluded groups. The proposal has sparked civil liberties concerns, with critics arguing it could lead to increased surveillance and unnecessary bureaucracy for law-abiding citizens. The digital ID will not be required for accessing benefits or healthcare services, aiming to balance security with ease of access for citizens. Critics, including campaign group Big Brother Watch, argue the scheme may not effectively deter illegal immigration and could impose undue burdens on the public. The government plans public consultations to address concerns and refine the digital ID system, ensuring inclusivity and practicality.