Author: Staff Writer
John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.
Top Highlights Organizations failed to patch known exploited vulnerabilities promptly, allowing threat actors to exploit CVE-2024-36401 on GeoServers, highlighting the need for immediate remediation per KEV Catalog guidelines. The federal agency’s incident response plan was not tested or exercised, and lacked procedures for third-party engagement and resource access, leading to delayed containment and limited investigation capabilities. Continuous review of EDR alerts was neglected, resulting in a three-week undetected intrusion, emphasizing the importance of proactive threat monitoring and endpoint protection for critical systems. CISA recommends implementing robust vulnerability management, regular IRP testing, comprehensive logging, and multi-factor authentication to strengthen defenses against…
Top Highlights Cisco released security updates to fix a high-severity zero-day (CVE-2025-20352) in IOS and IOS XE, exploited through a stack-based buffer overflow in the SNMP subsystem, enabling DoS or full system control. Attackers, with low privileges, can exploit the vulnerability remotely via crafted SNMP packets, while high-privileged attackers can execute code as root, especially if SNMP credentials are compromised. No direct workarounds exist; administrators are advised to limit SNMP access to trusted sources until patches are applied to prevent exploitation. In addition to this, Cisco patched 13 other vulnerabilities, including critical flaws in IOS XE and Wireless LAN Controllers,…
Essential Insights Researchers have identified YiBackdoor, a new malware sharing significant code similarities with IcedID and Latrodectus, potentially used together in cyberattacks and serving as a precursor for ransomware deployment. YiBackdoor can execute arbitrary commands, collect system info, capture screenshots, and dynamically expand functionalities via plugins, while employing anti-analysis techniques and persistence through registry modifications. The malware’s initial deployment involves copying itself into a random directory, registering via regsvr32.exe, and connecting to C2 servers for command execution, with limited deployment suggesting ongoing development or testing. Overlaps with IcedID and Latrodectus include code injection methods, encryption routines, and configuration handling, indicating…
Summary Points Traditional incident response relies on manual processes vulnerable to sophisticated ransomware that encrypts backups, complicating recovery efforts. Backup systems are prime targets for financially motivated attackers; thorough data verification is crucial to prevent futile recovery attempts. Cyber Recovery offers an integrated platform approach, combining real-time system monitoring, automation, and forensic analysis to minimize damage and speed up restoration. Initiating recovery within a sandbox environment enables deep malware analysis and safer, more effective system restoration post-attack. What’s the Problem? The story describes the chaos that ensues when companies face advanced cyberattacks, particularly ransomware that not only encrypts critical systems…
Top Highlights Kali Linux 2025.3 introduces ten new tools, including Caido, Detect It Easy, Gemini CLI, and innovative modules like krbrelayx and ligolo-mp, enhancing cybersecurity and penetration testing capabilities. The update features integrated Nexmon support, expanding Wi-Fi manipulation functionalities across Raspberry Pi and other devices, facilitating advanced wireless security research. Kali NetHunter now supports running on Samsung S10, with UI updates for Kali Car Hacking (CARsenal), along with improvements such as VPN panel enhancements and support for kernel modules via Magisk. Users can upgrade through command-line methods or download fresh ISO images, with recommendations to upgrade to WSL2 on Windows…
Summary Points Chinese hacker group UNC5221 has been infiltrating U.S. organizations using the BRICKSTORM backdoor for over a year, targeting legal firms, SaaS companies, and tech organizations for espionage, IP theft, and zero-day development. The group exploits vulnerabilities and employs sophisticated techniques, including lateral movement through networks and targeting VMware vCenter, often remaining undetected for approximately 393 days. BRICKSTORM malware is actively developed, targeting Linux, BSD, and VMware systems, with a focus on network appliances and virtual infrastructure, enabling cloning of critical VMs and accessing sensitive data. Attackers use stolen credentials and tools like Microsoft Entra ID, SOCKS proxies, and…
Summary Points A suspected China-linked cyber espionage group is deploying the BRICKSTORM backdoor to target U.S. legal, SaaS, BPO, and tech sectors, aiming for persistent access to stolen data and national security info. BRICKSTORM, a sophisticated Go-based malware, can set up as a web server, perform file operations, execute commands, and communicate covertly via WebSockets with C2 servers. The group exploits vulnerabilities like Ivanti Connect Secure and uses stealth techniques such as in-memory modifications and credential theft to evade detection and maintain long-term presence. The campaign’s goal is to compromise high-value targets, including administrators and developers, to enable lateral movement,…
Essential Insights Cisco discloses an actively exploited zero-day vulnerability (CVE-2025-20352) in IOS and IOS XE, allowing remote code execution or DoS through a stack overflow in the SNMP subsystem. All versions of SNMP (v1, v2c, v3) are vulnerable; attackers can escalate privileges from limited access to full system control, especially if they have administrator credentials. The flaw was first identified during a support case investigation, with attackers leveraging compromised credentials, highlighting the need for strong credential management and timely patching. Cisco recommends immediate software updates and offers mitigations like SNMP view configurations, but emphasizes that patching is necessary as no official workarounds fully remediate…
Top Highlights Non-Human Identities (NHIs) function as machine “passports” in cloud environments, with encrypted secrets and permissions that are crucial for secure system interactions. Effective lifecycle management of NHIs—covering discovery, classification, access provisioning, continuous monitoring, and decommissioning—is essential for maintaining robust cloud security. Securing NHIs across industries, especially in regulated sectors like finance and healthcare, supports compliance, reduces risks, and enhances operational efficiency through automation. Bridging gaps between security and R&D, automating NHI management, and aligning with compliance standards are vital strategies for future-proofing organizations against evolving cyber threats. Problem Explained The story explains the critical importance of managing Non-Human…
Quick Takeaways A man in his 40s was arrested in West Sussex in connection with the Collins Aerospace hacking that caused major European flight disruptions. The man is suspected of violating the Computer Misuse Act and has been released on conditional bail while investigations are ongoing. The attack is linked to a variant of Hardbit ransomware, impacting key airline hubs like Heathrow, Brussels, and Berlin airports. Authorities consider the arrest a positive development, but the investigation remains in its early stages and ongoing. Underlying Problem U.K. authorities announced on Wednesday that they had arrested a man in his 40s from West…