Author: Staff Writer
John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.
Essential Insights: AttackIQ’s Ransom Tales series emulates TTPs of prominent ransomware families (Rhysida, Charon, Dire Wolf) to enable organizations to validate and enhance their security controls against evolving threats. Each ransomware emulation reveals detailed operational behaviors—like initial access, persistence, discovery, encryption, and defense evasion—allowing targeted testing of detection and prevention mechanisms. The ransomware strains employ advanced tactics such as DLL sideloading, process injection, EDR bypasses, live data exfiltration, and disruptive techniques like shadow copy deletion and log clearing. Continuous testing using these emulations equips security teams to improve incident response, reduce risk exposure, and adapt defenses against both opportunistic and…
Essential Insights: CISA is still assessing the full scope and impact of attacks exploiting Cisco zero-day vulnerabilities, which have been active since November 2024 and have affected federal and critical infrastructure organizations. Cisco detected malicious activity in May, leading to an investigation that took four months to disclose, during which patches were developed to mitigate the vulnerabilities. CISA issued an emergency directive requiring immediate action from federal agencies to identify and address compromised devices, with a focus on detecting threat activity quickly. The attacks are believed to be unrelated to broader China-backed espionage campaigns, though the threat actors may shift tactics…
Fast Facts: The Co-operative Group reported an £80 million operating profit loss in the first half of 2025, mainly due to a cyberattack that caused £206 million in lost revenue plus additional costs. The cyberattack, linked to the DragonForce ransomware and Scattered Spider affiliates, led to the theft of data on 6.5 million members and significant system disruptions, including offline systems affecting stock and sales. The group’s response included manual operations and support for franchise partners, but it experienced ongoing stock and sales issues, particularly in categories like tobacco. Despite the financial impact, Co-op maintained strong liquidity at £800 million and reported no funding…
Top Highlights: SonicWall released firmware updates to counter rootkit malware on SMA 100 devices, amid increased threat activity noted by Google involving UNC6148 and OVERSTEP malware targeting these end-of-life VPN devices. A high-severity (CVSS 8.2) permission bypass vulnerability in OnePlus OxygenOS allows unauthorized access to SMS/MMS data and remains unpatched while OnePlus investigates. Reports on cybercriminal groups like Scattered Spider, together with disclosures from national agencies, reveal extensive breaches involving SIM-swapping, supply chain malware (Shai-Hulud), and exploitation of vulnerabilities in Geoserver and Oracle databases, leading to significant asset and data losses. Emerging threats include stegasaurus SVG malware campaigns, URL spoofing via BiDi Swap attacks,…
Summary Points: Critical Flaw Discovered: Salesforce Agentforce is vulnerable to an indirect prompt injection exploit (codenamed ForcedLeak, CVSS score: 9.4), potentially allowing attackers to exfiltrate sensitive CRM data. Attack Mechanics: The exploitation process involves submitting a malicious Web-to-Lead form, tricking the AI into executing hidden commands that leak data to an attacker-controlled domain. Salesforce Response: Salesforce has addressed the vulnerability by securing the expired domain and implementing a Trusted URL allowlist to prevent malicious data transmissions. Importance of AI Security: The incident underscores the need for proactive AI security measures to safeguard against emerging threats and prevent significant data breaches.…
Essential Insights: Volvo Group North America notified employees of a data breach linked to a ransomware attack on third-party supplier Miljödata, affecting personal information including Social Security numbers. The August attack on Miljödata compromised data from systems used by various companies and Swedish municipalities, impacting approximately 25 private firms and 200 municipalities, including Stockholm. The DataCarry ransomware group claimed responsibility, leaking data such as emails, names, addresses, government IDs, and employment details, with the leaked information posted on multiple platforms. Volvo offers affected employees 18 months of free identity protection and credit monitoring, but the total number of impacted individuals remains…
Summary Points: US federal authorities issued an emergency alert after discovering sophisticated, actively exploited zero-day vulnerabilities in Cisco firewalls, linked to a state-sponsored hacking campaign. Cisco identified three related vulnerabilities, with two (CVE-2025-20333 and CVE-2025-20362) being exploited to implant malware, execute commands, and potentially exfiltrate data, prompting urgent patches and device disconnections. The threat actors, possibly Chinese state-affiliated, employed advanced evasion techniques, and the campaign involves remote code execution and persistent memory manipulation, often remaining undetected through reboots. Despite the four-month delay in disclosure, authorities emphasize immediate risk, urging all organizations using affected Cisco devices to act swiftly, as attackers…
Fast Facts: Urgent Cybersecurity Directive: CISA mandates U.S. agencies to patch critical vulnerabilities in Cisco products due to an “advanced threat actor” exploiting them in a widespread hacking campaign. Significant Risks Identified: The ongoing ArcaneDoor operation has compromised multiple federal agencies, with at least 10 global organizations breached, indicating deep and sophisticated attacks. Vulnerable Cisco Devices: Critical vulnerabilities in Cisco’s Adaptive Security Appliance and Firepower Threat Defense devices necessitate immediate software upgrades to prevent further exploitation. International Coordination: CISA and the UK’s NCSC have collaborated closely on the investigation, focusing on countering the sophisticated state-sponsored threat actor behind the attacks.…
Chinese Hackers Remained Hidden for Nearly 400 Days Using Stealthy BrickStorm Malware
Fast Facts: Researchers uncovered a prolonged Chinese cyberespionage campaign involving the BrickStorm backdoor, with hackers dwelling in networks for an average of 393 days and targeting key industries like SaaS, tech, and legal services. The campaign is linked to UNC5221, a Chinese APT, but is distinct from Silk Typhoon, with malware installed on various appliances, specifically targeting VMware vCenter and ESXi systems for lateral movement. Hackers exploited a zero-day vulnerability in Ivanti products and leveraged compromised network appliances to access and pivot within networks, often evading traditional security measures. The attackers aim to steal intellectual property, including proprietary source code, and…
Essential Insights: Cisco warns of two actively exploited zero-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) affecting ASA, FTD, and other firewall products, urging immediate patching. The CVE-2025-20333 flaw allows authenticated remote attackers to execute arbitrary code, while CVE-2025-20362 enables access to restricted URLs without authentication. Cisco has also patched a third critical vulnerability (CVE-2025-20363) that could allow remote code execution on unpatched devices, amid ongoing large-scale attack campaigns detected by GreyNoise. The company previously addressed other significant flaws, including a high-severity IOS/XE vulnerability exploited in the wild, underscoring the ongoing critical security risks to Cisco devices. Underlying Problem: Cisco has issued…