Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11773
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-09-25 08:07:00 | thehackernews | MALWARE | Malicious Rust Crates Target Solana and Ethereum Wallet Keys | Cybersecurity researchers identified two malicious Rust crates, faster_log and async_println, designed to steal Solana and Ethereum wallet keys, accumulating 8,424 downloads. These crates impersonated the legitimate fast_log library, embedding routines to scan and exfiltrate private keys via HTTP POST to a command and control endpoint. The threat actors employed typosquatting techniques, retaining logging functionality while introducing malicious code to extract sensitive information from Rust files. Crates.io maintainers have removed the malicious packages and disabled the associated accounts, preserving logs for further analysis and response. The campaign exploited minimal code changes and deceptive practices to create a significant supply chain risk, demonstrating vulnerabilities in software distribution channels. No downstream dependencies were identified, limiting the spread, but the incident highlights the need for rigorous review processes in open-source libraries. The incident serves as a reminder of the persistent threats posed by supply chain attacks, necessitating enhanced vigilance and security measures in software development ecosystems. | Details |
| 2025-09-25 06:33:10 | thehackernews | VULNERABILITIES | Cisco Alerts on SNMP Vulnerability Enabling Remote Code Execution | Cisco has identified a high-severity vulnerability, CVE-2025-20352, in IOS and IOS XE Software, potentially allowing remote code execution or denial-of-service attacks. The flaw stems from a stack overflow in the SNMP subsystem, exploitable by sending crafted SNMP packets over IPv4 or IPv6 networks. Affected devices include Meraki MS390 and Cisco Catalyst 9300 Series Switches running Meraki CS 17 and earlier; a patch is available in IOS XE Software Release 17.15.4a. No workarounds exist, but Cisco advises restricting SNMP access to trusted users and monitoring systems with the "show snmp host" command. Disabling affected OIDs could mitigate risks, though it may impact device management functions like discovery and hardware inventory. The vulnerability is actively exploited, highlighting the need for immediate patching and adherence to Cisco's mitigation recommendations. Organizations using impacted Cisco devices should prioritize updating to the latest software release to safeguard against potential exploits. | Details |
| 2025-09-24 20:21:05 | bleepingcomputer | VULNERABILITIES | Supermicro BMC Firmware Flaws Risk Persistent Backdoor Access | Two critical vulnerabilities in Supermicro's Baseboard Management Controller (BMC) firmware could allow attackers to gain persistent control over server systems. The flaws, identified as CVE-2024-10237 and CVE-2025-6198, enable unauthorized firmware updates, potentially compromising both the BMC and the main server OS. CVE-2025-6198 can bypass the BMC's Root of Trust, allowing malicious firmware to persist across reboots and OS reinstalls, posing significant security risks. Binarly researchers demonstrated the ability to inject malicious firmware by exploiting validation logic flaws, highlighting the need for robust security checks. Supermicro has confirmed the vulnerabilities and released firmware updates to address the issues, urging prompt action to secure affected systems. The persistence of BMC firmware vulnerabilities can lead to severe operational disruptions, with past incidents resulting in mass server failures. CISA has previously noted active exploitation of similar vulnerabilities, emphasizing the importance of timely patching and monitoring. | Details |
| 2025-09-24 19:18:36 | theregister | CYBERCRIME | Phishing Campaign Targets Python Developers via Fake PyPI Website | A recent phishing attack targets Python developers by impersonating the Python Package Index (PyPI) to steal credentials, posing a significant threat to software supply chains. Attackers use a fraudulent domain, pypi-mirror.org, to trick developers into providing credentials, risking account hijacking and potential malware injection into Python packages. The Python Software Foundation advises developers who entered credentials on the fake site to change their PyPI passwords immediately and review account security history. This attack mirrors previous npm phishing incidents, with attackers potentially using compromised accounts to distribute malware across widely used packages. Experts warn of the high-severity risk, as compromised accounts could propagate malware through continuous integration systems, affecting thousands of downstream builds rapidly. The campaign is a continuation of earlier attacks, indicating a persistent threat to open-source ecosystems, with new domains likely to be used in future phishing attempts. Developers are urged to treat this as a serious attempt to weaponize software distribution, not just another phishing incident, highlighting the need for vigilance in credential management. | Details |
| 2025-09-24 18:36:00 | bleepingcomputer | MISCELLANEOUS | Kali Linux 2025.3 Enhances Security Tools and Wi-Fi Capabilities | Kali Linux has launched version 2025.3, introducing ten new tools and enhancing Wi-Fi capabilities, catering to cybersecurity professionals and ethical hackers. The update includes Nexmon support for Broadcom and Cypress Wi-Fi chips, enabling advanced features like Monitor Mode and Frame Injection, especially benefiting Raspberry Pi users. Kali NetHunter, the mobile penetration testing platform, now supports the Samsung S10 and introduces new features for car hacking with an updated UI and bug fixes. Users can upgrade to Kali 2025.3 through existing installations or download new ISO images, enhancing the platform's accessibility and functionality. The release encourages Windows users to upgrade to WSL2, offering improved performance and graphical app support. These developments aim to strengthen the capabilities of cybersecurity practitioners in conducting thorough security assessments and research. | Details |
| 2025-09-24 17:29:10 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hackers Exploit Brickstorm Malware in Long-Term U.S. Espionage | Google has identified the Brickstorm malware, used by suspected Chinese hackers, targeting U.S. technology and legal sectors for over a year. Brickstorm is a Go-based backdoor that functions as a web server, file manipulation tool, and more, aiding in data exfiltration. The malware remained undetected for an average of 393 days, affecting SaaS providers and Business Process Outsourcers, potentially enabling further zero-day exploit development. Attackers utilized anti-forensics scripts to obscure entry paths, complicating the identification of initial access vectors, likely involving edge device zero-day exploits. Brickstorm operates on non-EDR-supported appliances, disguising communication as legitimate traffic, and employs a malicious Java Servlet Filter to escalate privileges. The malware's primary goal is to exfiltrate emails and internal data, maintaining stealth by using SOCKS proxy tunneling and never reusing C2 domains or malware samples. Mandiant has released a scanner script to aid defenders, though it may not detect all Brickstorm variants or persistence mechanisms. This operation underscores the persistent threat to entities tied to China's economic and security interests, with a focus on developers and administrators. | Details |
| 2025-09-24 17:00:30 | bleepingcomputer | VULNERABILITIES | Cisco Patches Zero-Day Vulnerability in IOS Software Amid Active Exploits | Cisco has issued patches for a critical zero-day vulnerability, CVE-2025-20352, affecting IOS and IOS XE Software, currently being exploited in the wild. The flaw resides in the SNMP subsystem, allowing authenticated attackers to trigger denial-of-service conditions or gain root access. Exploitation involves sending crafted SNMP packets over IPv4 or IPv6 networks, with attacks observed following compromised administrator credentials. Cisco advises immediate software upgrades to mitigate risks, as no workarounds exist beyond limiting SNMP access to trusted users. In addition to the zero-day patch, Cisco addressed 13 other vulnerabilities, including an XSS flaw and a denial-of-service issue with available exploit code. The urgency of patching is underscored by the potential for attackers to fully control affected systems, posing significant operational risks. Organizations are encouraged to prioritize updates to prevent exploitation and maintain network security integrity. | Details |
| 2025-09-24 16:42:35 | thehackernews | NATION STATE ACTIVITY | RedNovember Cyber Espionage Targets Global Government and Private Sectors | RedNovember, a Chinese state-sponsored group, has targeted government and private sectors across Africa, Asia, North America, South America, and Oceania from June 2024 to July 2025. The group employs tools such as the Go-based backdoor Pantegana and Cobalt Strike to infiltrate and maintain persistence in high-profile organizations. Notable victims include ministries, state security organizations, defense contractors, and intergovernmental bodies, indicating a broad intelligence-gathering mandate. RedNovember exploits known vulnerabilities in perimeter appliances from major vendors like Check Point, Cisco, and Palo Alto Networks to gain initial access. The use of open-source tools like Pantegana and Spark RAT complicates attribution, a common tactic among espionage actors to evade detection. VPN services are utilized to manage compromised servers, ensuring secure communication and control over the infiltrated networks. The group's activities reflect a strategic focus on sectors critical to national security and economic interests, highlighting the need for robust cybersecurity defenses. | Details |
| 2025-09-24 15:55:21 | bleepingcomputer | VULNERABILITIES | Critical Vulnerability in OnePlus Phones Exposes SMS Data to Apps | Rapid7 researchers identified a flaw in OxygenOS, allowing apps to access SMS data without user permission, affecting OnePlus devices from versions 12 to 15. The vulnerability, CVE-2025-10184, stems from unprotected content providers in the modified Android Telephony package, enabling unauthorized SMS data access. Exploitation involves blind SQL injection, allowing attackers to infer SMS content by brute-forcing database entries character by character. Despite multiple disclosure attempts since May, OnePlus did not initially respond, prompting Rapid7 to publish the vulnerability details and proof-of-concept. OnePlus has acknowledged the issue and initiated an investigation, though no patch is currently available for affected devices. Users are advised to limit app installations, prefer reputable publishers, and switch to OTP apps for two-factor authentication to mitigate risks. The incident underscores the need for rigorous security practices in software modifications and prompt vendor response to vulnerability disclosures. | Details |
| 2025-09-24 15:24:57 | bleepingcomputer | CYBERCRIME | Interpol's Operation HAECHI VI Seizes $439 Million from Cybercriminals | Interpol's Operation HAECHI VI, spanning five months, led to the seizure of over $439 million linked to global cyber-enabled financial crimes. The operation involved law enforcement from 40 countries, targeting crimes like voice phishing, investment fraud, and business email compromise. Authorities seized 400 cryptocurrency wallets and blocked more than 68,000 bank accounts connected to these cybercriminal activities. Notable arrests included 45 individuals in Portugal for social security fraud and a Thai-West African group for laundering $6.6 million from a Japanese corporation. Operation HAECHI VI follows previous successful operations, with HAECHI V seizing $400 million and arresting over 5,500 suspects in 2024. Interpol's ongoing efforts demonstrate the effectiveness of international collaboration in combating cybercrime and protecting financial systems. The operation encourages further global cooperation to enhance the fight against cyber-enabled crime and safeguard communities worldwide. | Details |
| 2025-09-24 14:40:23 | thehackernews | NATION STATE ACTIVITY | UNC5221 Cyber Espionage Targets U.S. Legal and Technology Sectors | A suspected China-nexus group, UNC5221, is deploying the BRICKSTORM backdoor to infiltrate U.S. legal, SaaS, and technology sectors, aiming for long-term access and data theft. The campaign targets SaaS providers to access downstream customer environments and data, while legal and tech sectors are targeted for national security and trade information. BRICKSTORM, a Go-based backdoor, features capabilities such as file manipulation, shell command execution, and SOCKS relay, communicating via WebSockets with a command-and-control server. The group exploits Ivanti Connect Secure vulnerabilities for initial access, deploying BRICKSTORM on Linux and BSD appliances, often evading traditional endpoint detection and response tools. A malicious Java Servlet filter, BRICKSTEAL, is used to capture vCenter credentials, facilitating privilege escalation and lateral movement within VMware environments. The campaign's sophistication allows attackers to remain undetected for over a year, emphasizing the need for organizations to enhance their threat hunting and detection capabilities. Google has developed a shell script scanner to help potential victims identify BRICKSTORM activity, urging organizations to proactively search for such backdoors. The operation's focus on high-value targets poses a significant threat, with implications for national security and enterprise technology vulnerabilities. | Details |
| 2025-09-24 14:20:03 | theregister | NATION STATE ACTIVITY | Google Identifies China-Linked Cyber Espionage Campaign Targeting Enterprises | Google Threat Intelligence reports that China-linked groups have breached multiple enterprise networks since March, deploying backdoors for long-term data theft and remaining undetected for an average of 393 days. The intrusions are attributed to UNC5221, exploiting zero-day vulnerabilities in Ivanti devices, distinct from other known Chinese threat groups like Silk Typhoon. Affected sectors include legal services, SaaS providers, BPOs, and technology firms, with implications for data security and potential downstream access. The BRICKSTORM backdoor, primarily used in these attacks, evades detection on systems lacking traditional EDR tools, complicating early threat identification. Mandiant released a free scanner to detect BRICKSTORM activity on *nix-based systems, aiding organizations in identifying and mitigating these threats. Attackers utilized compromised credentials to move laterally within networks, targeting VMware systems and exploiting advanced techniques to maintain persistence. The campaign's complexity and adaptability suggest continued threats over the next one to two years, urging enterprises to enhance monitoring and response strategies. Google advises a TTP-based approach for threat hunting, focusing on network behavior patterns rather than traditional indicators of compromise. | Details |
| 2025-09-24 14:20:02 | bleepingcomputer | MALWARE | New Obscura Ransomware Variant Threatens Enterprise Networks | Huntress analysts identified a new ransomware variant, Obscura, which was first executed across multiple hosts in a victim organization on August 29, 2025. The ransomware was found on the domain controller, utilizing the NETLOGON folder for automatic deployment across infrastructure, complicating containment efforts. Obscura is a Go binary that disables recovery by deleting volume shadow copies and uses scheduled tasks to enable Remote Desktop Protocol access. The ransomware demands administrative privileges to terminate security processes and execute encryption, leveraging Windows API calls for privilege checks. Encryption strategy varies based on file size, employing XChaCha20 encryption with Curve25519 keys, and appending a unique footer for decryption. Analysts noted Obscura's file filtering mechanism, which excludes critical system files from encryption to maintain system functionality. Organizations are advised to closely monitor domain controllers and endpoints for unusual activities, including file modifications and suspicious access patterns. The emergence of Obscura and similar variants like Crux and Cephalus reflects ongoing threat actor adaptation following law enforcement disruptions. | Details |
| 2025-09-24 14:03:26 | bleepingcomputer | CYBERCRIME | UK Arrests Suspect in Ransomware Attack Disrupting European Airports | The UK's National Crime Agency has arrested a suspect linked to a ransomware attack affecting Collins Aerospace's MUSE software, causing disruptions at European airports. The attack has led to flight cancellations and delays at major airports including Heathrow, Brussels, and Berlin Brandenburg. Collins Aerospace's MUSE software, used for passenger processing, operates on customer-specific networks outside RTX's enterprise network, complicating the response. RTX Corporation activated its incident response plan, engaging internal and external cybersecurity experts to contain and remediate the attack. The suspect, arrested under the Computer Misuse Act, has been released on conditional bail as investigations continue. Affected airlines and airports have shifted to backup or manual processes, experiencing operational challenges and delays. The incident underscores the vulnerability of critical infrastructure to ransomware attacks and the importance of robust cybersecurity measures. | Details |
| 2025-09-24 14:03:26 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hackers Exploit Brickstorm Malware in Long-Term Espionage Campaigns | Google identified the Brickstorm malware used by suspected Chinese hackers in prolonged espionage operations against U.S. technology and legal sectors, with an average dwell time of 393 days. Brickstorm, a Go-based backdoor, functions as a web server, file manipulation tool, and SOCKS relay, facilitating data exfiltration and stealthy network infiltration. The malware targets edge devices lacking EDR support, such as VMware vCenter/ESXi endpoints, masking communications as legitimate traffic to evade detection. Attackers employed Bricksteal, a malicious Java Servlet Filter, to capture credentials and clone Windows Server VMs, enabling lateral movement and persistent access. The operations focus on exfiltrating emails and code repositories, with the UNC5221 activity cluster linked to China's economic and security interests. Mandiant released a scanner script to help detect Brickstorm, though it may not identify all variants or persistence mechanisms. The campaign's complexity is heightened by UNC5221's use of unique C2 domains and malware samples, complicating forensic investigations. | Details |