Alright cyber pros, it's been a busy 24 hours with some big news on breaches, critical vulnerabilities under active attack, and some interesting shifts in threat actor tradecraft. Let's dive in:

Recent Cyber Attacks & Breaches 🚨

- Auction house Sotheby's was breached on July 24, leading to the theft of unspecified customer data, including Social Security Numbers and financial account information. They're offering 12 months of credit monitoring.
- Financial services company Prosper also suffered a data breach, impacting over 17.6 million accounts, with names, SSNs, financial details, and other sensitive PII exposed.
- Matthew Lane, a 19-year-old, has been sentenced to four years in prison for hacking educational technology company PowerSchool, exposing data for over 70 million students and teachers and causing $14 million in losses.
- Microsoft successfully disrupted Rhysida ransomware attacks in early October by revoking over 200 certificates used to sign malicious Microsoft Teams installers, which deployed the Oyster backdoor via malvertising.
- Video game software development company Unity Technologies had its Unity SpeedTree checkout page compromised with a malicious skimmer, stealing payment information from 428 users.

πŸ•΅πŸΌ The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/16/sothebys_breach/
πŸ€– Bleeping Computer | https://www.bleepingcomputer.com/news/security/auction-giant-sothebys-says-data-breach-exposed-customer-information/
πŸ€– Bleeping Computer | https://www.bleepingcomputer.com/news/security/have-i-been-pwned-warns-of-prosper-data-breach-impacting-176-million-accounts/
πŸ—žοΈ The Record | https://therecord.media/powerschool-hacker-sentenced-4-years
🀫 CyberScoop | https://cyberscoop.com/powerschool-hacker-matthew-lane-sentenced/
πŸ€– Bleeping Computer | https://www.bleepingcomputer.com/news/microsoft/microsoft-disrupts-ransomware-attacks-targeting-teams-users/
🌐 The Hacker News | https://thehackernews.com/2025/10/threatsday-bulletin-15b-crypto-bust.html

Actively Exploited Vulnerabilities & Zero-Days ⚠️

- US Senator Bill Cassidy is pressing Cisco for answers regarding critical firewall flaws (CVE-2025-20333 and CVE-2025-20362) in ASA and FTD devices, exploited since May by Chinese APT "UAT4356" (ArcaneDoor campaign) to breach federal agencies. CISA issued a 24-hour emergency patching directive.
- CISA has added CVE-2025-54253 (CVSS 10.0), a critical misconfiguration flaw in Adobe Experience Manager (AEM) Forms on JEE <= 6.5.23.0, to its KEV catalog due to active exploitation. This RCE flaw exploits an exposed `/adminui/debug` servlet; FCEB agencies must patch by November 5.
- Gladinet has patched CVE-2025-11371, a local file inclusion (LFI) zero-day in CentreStack exploited since late September. This LFI bypasses a previous RCE mitigation by allowing attackers to extract the ASP.NET machine key from `Web.config` and forge a malicious ViewState payload. Update to CentreStack 16.10.10408.56683 or disable the `temp` handler.
- Threat actors are exploiting CVE-2025-20352, a recently patched RCE in Cisco IOS and IOS XE SNMP, on older, unprotected Cisco 9400, 9300, and 3750G switches to deploy a Linux rootkit. This rootkit establishes persistent access, sets a universal password, and bypasses security controls.
- Microsoft has patched CVE-2025-55315 (CVSS 9.9), a request smuggling vulnerability in ASP.NET Core's Kestrel web server. This flaw could bypass authentication or CSRF checks, and developers should patch all supported versions immediately.
- NVIDIA has released fixes for CVE-2025-23280 and CVE-2025-23330 in its Linux Display Driver, which allowed local unprivileged processes to achieve kernel read/write primitives.
- Framework Systems Linux devices were shipped with signed UEFI shell components containing "BombShell" flaws, exploitable via the `mm` command to bypass Secure Boot and load bootkits. Framework has released updates.

πŸ•΅πŸΌ The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/16/cisco_senate_scrutiny/
🌐 The Hacker News | https://thehackernews.com/2025/10/cisa-flags-adobe-aem-flaw-with-perfect.html
πŸ€– Bleeping Computer | https://www.bleepingcomputer.com/news/security/cisa-maximum-severity-adobe-flaw-now-exploited-in-attacks/
πŸ€– Bleeping Computer | https://www.bleepingcomputer.com/news/security/gladinet-fixes-actively-exploited-zero-day-in-file-sharing-software/
πŸ€– Bleeping Computer | https://www.bleepingcomputer.com/news/security/hackers-exploit-cisco-snmp-flaw-to-deploy-rootkit-on-switches/
πŸ•΅πŸΌ The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/16/microsoft_aspnet_core_vulnerability/
🌐 The Hacker News | https://thehackernews.com/2025/10/threatsday-bulletin-15b-crypto-bust.html

New Threat Research & Tradecraft 🔬

- North Korean APT UNC5342 is using "EtherHiding" to embed malicious code in smart contracts on Ethereum and BNB Smart Chain, providing bulletproof hosting for malware like JadeSnow loader and InvisibleFerret backdoor.
- Chinese APT "Jewelbug" (REF7707) breached a Russian IT service provider from early to May 2025, a rare east-on-east attack potentially aimed at software supply chain attacks on Russian customers. They used renamed `cdb.exe`, credential dumps, and Yandex Cloud for exfiltration.
- Microsoft's Digital Defense Report 2025 highlights a 32% surge in identity-based attacks, with 97% being password attacks from credential leaks. Infostealer malware, IT help desk scams (e.g., Scattered Spider), and the abuse of AV exclusions by ransomware groups are also on the rise.
- Kaspersky identified "Maverick," a new banking trojan targeting Brazilian users via a WhatsApp worm (SORVEPOTEL), which automates message sending and monitors 26 Brazilian bank sites and 6 crypto exchanges for credential theft.
- Legacy Windows protocols like LLMNR and NBT-NS are being abused for credential theft via poisoning attacks, allowing attackers on the same subnet to capture NTLMv2 hashes. Disabling these protocols and enforcing Kerberos is advised.
- A sophisticated campaign is targeting macOS users with fake Homebrew installer websites that are pixel-perfect replicas, using hidden JavaScript to manipulate clipboards and deliver Odyssey Stealer malware.
- PhantomVAI Loader, a C# malware loader, is distributed via phishing emails with shipment lures, delivering infostealers and RATs like AsyncRAT, XWorm, Formbook, and DCRat, using multi-stage techniques including process hollowing.
- Whisper 2FA, a new phishing-as-a-service (PhaaS) kit, is the third most common after Tycoon and EvilProxy, detected in nearly a million attacks on Microsoft accounts. It uses an AJAX-enabled loop to steal credentials and MFA tokens.
- The Scattered Lapsus$ Hunters (SLSH) cybercrime group announced a temporary hiatus after an FBI site seizure but published data from six targeted companies and vowed to return.
- APTs and ransomware groups are increasingly abusing legitimate Remote Monitoring and Management (RMM) tools (e.g., ConnectWise ScreenConnect, AnyDesk) for initial access, persistence, and lateral movement, often via phishing.
- Research shows AWS X-Ray can be repurposed as a covert Command and Control (C2) server, leveraging annotations to store and query Base64 encoded commands, turning cloud monitoring into a stealthy communication channel.
- A phishing campaign in Colombia uses deceptive judicial notifications with SVG file attachments leading to fake landing pages that deploy an HTML Application for multi-stage AsyncRAT delivery.

πŸ—žοΈ The Record | https://therecord.media/north-korean-hackers-using-blockchain-hiding-malware
πŸ•΅πŸΌ The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/16/chinese_russian_cyber_espionage/
πŸ—žοΈ The Record | https://therecord.media/microsoft-warns-of-surge-identity-hacks-passwords
🌐 The Hacker News | https://thehackernews.com/2025/10/threatsday-bulletin-15b-crypto-bust.html

Threat Landscape Commentary 🌍

- Codific CEO Aram Hovsepyan argues that CVE and CVSS systems are flawed, with 34% of CVEs unconfirmed/disputed and CVSS scores inconsistent and mathematically unsound for risk calculations, advocating for threat modeling and contextual triage instead.
- The UK's NCSC reported a 130% increase in "national significant" cyber incidents (204 cases) between Sept 2024 and Aug 2025, coinciding with reports of Chinese state actors compromising classified UK government systems for over a decade.
- The Secure Hosting Alliance (SHA) is introducing a "Trust Seal" to set clear standards for web hosting providers, as AI-enabled attacks escalate and traditional safeguards prove insufficient.
- A historic US/UK operation seized $15 billion in crypto from the Prince Group, a major operator of forced-labor scam compounds involved in "pig butchering" schemes. Separately, German and Bulgarian authorities took down 1,406 fraudulent crypto trading websites.
- Research revealed 39 geostationary satellite communications, including military and business traffic, are broadcast unencrypted and can be intercepted with consumer-grade equipment, exposing sensitive data.
- Chinese cybercrime groups have generated over $1 billion in three years through smishing campaigns targeting US users with fake SMS messages to steal credit card details for use in digital wallets.
- Two new Android malware families, GhostBat RAT and HyperRat, have been detailed, offering extensive data theft and device control capabilities, often distributed via bogus apps and phishing.

πŸ•΅πŸΌ The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/16/cve_cvss_scores_not_useful/
🌐 The Hacker News | https://thehackernews.com/2025/10/threatsday-bulletin-15b-crypto-bust.html
🀫 CyberScoop | https://cyberscoop.com/secure-hosting-trust-seal-cybersecurity-standards-op-ed/

Google Enhances Scam Protections and Account Recovery ✅

- Google has rolled out new safety measures for Google Messages, including blocking users from visiting flagged spam links unless explicitly marked as "not spam."
- Account recovery has been improved with a "Sign in with Mobile Number" option, requiring only a lock-screen passcode, and the introduction of "Recovery Contacts" for trusted friends/family to assist.
- Additionally, the Key Verifier feature is now available for all Android 10+ users, adding an extra layer of security for Google Messages by verifying communication partners.

🌐 The Hacker News | https://thehackernews.com/2025/10/threatsday-bulletin-15b-crypto-bust.html

#CyberSecurity #ThreatIntelligence #Ransomware #DataBreach #Vulnerability #ZeroDay #APT #Malware #Phishing #IdentityTheft #CryptoScams #IncidentResponse #InfoSec
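One way to apply the LLMNR/NBT-NS hardening advised in the tradecraft section of the digest above, as an added example that is not part of the original post. It assumes an elevated PowerShell session on a Windows host and uses the DNS client policy registry key and the Win32_NetworkAdapterConfiguration WMI method; the function names are my own.

```powershell
# Added example (not from the digest): turn off the two legacy name-resolution
# protocols that poisoning attacks rely on, then audit that the change stuck.
# Assumes an elevated session. LLMNR is a machine-wide DNS client policy;
# NBT-NS (NetBIOS over TCP/IP) is configured per network adapter.

function Disable-LegacyNameResolution {
    # 1. LLMNR: the same value the "Turn off multicast name resolution"
    #    Group Policy setting writes (EnableMulticast = 0).
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $llmnrKey)) {
        New-Item -Path $llmnrKey -Force | Out-Null
    }
    Set-ItemProperty -Path $llmnrKey -Name 'EnableMulticast' -Value 0 -Type DWord

    # 2. NBT-NS: TcpipNetbiosOptions 2 = "Disable NetBIOS over TCP/IP",
    #    applied to every adapter that currently has IP enabled.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $null = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = 2 }
        }
}

function Test-LegacyNameResolution {
    # Emits one object per check so the output can feed a compliance report
    # or be collected centrally across hosts.
    $llmnr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
        -Name 'EnableMulticast' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check = 'LLMNR disabled (EnableMulticast = 0)'
        Pass  = ($null -ne $llmnr -and $llmnr.EnableMulticast -eq 0)
    }

    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            [pscustomobject]@{
                Check = "NBT-NS disabled on $($_.Description)"
                Pass  = ($_.TcpipNetbiosOptions -eq 2)
            }
        }
}

Disable-LegacyNameResolution
Test-LegacyNameResolution | Format-Table -AutoSize
```

Removing these resolvers closes the poisoning vector but does not by itself stop NTLM from being used elsewhere; restricting NTLM in favour of Kerberos is a separate step under the "Network security: Restrict NTLM" policy settings.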

Auction house Sotheby's finds its data on the block after cyberattack

Alert says financial account information lifted from systems

The Register

Sotheby’s latest breach exposed sensitive personal and financial data, spotlighting a growing cybersecurity worry in high-stakes auctions. Could this be a harbinger for the whole industry? Find out more.

https://thedefendopsdiaries.com/sothebys-data-breach-implications-response-and-lessons-for-the-auction-industry/

#databreach
#cybersecurity
#sothebys
#auctionsecurity
#infosec
#dataprotection
#identitytheft
#cyberattack
#securitybreach

17.6 million accounts exposed in the latest Prosper breach – a wake-up call for anyone using peer-to-peer lending. Are you sure your personal data is truly secure? Read more to find out the full impact.

https://thedefendopsdiaries.com/prosper-data-breach-exposes-176-million-accounts-implications-for-peer-to-peer-lending-security/

#databreach
#prosper
#cybersecurity
#peertopeerlending
#identitytheft

πŸ” PowerSchool Hack: Lessons for EdTech Security

A 19-year-old hacker faces a proposed 7-year sentence for accessing millions of student and teacher records. This case highlights the dangers of insufficient authentication and the sophistication of modern cybercriminals.

💬 What are your recommended strategies for protecting sensitive data in education technology platforms?

Follow @technadu for more updates and expert cybersecurity analysis.

#CyberSecurity #EdTech #DataProtection #PowerSchoolBreach #IdentityTheft #InfoSec #TechNadu #DigitalSecurity

New Yorkers, watch out! Scammers are sending fake 'Inflation Refund' texts that look just like official state alerts. Could this be your next target? Find out how to stay safe.

https://thedefendopsdiaries.com/fake-inflation-refund-texts-target-new-yorkers-in-sophisticated-smishing-scam/

#smishing
#phishingscam
#identitytheft
#cybersecurity
#newyork
#infosecurity
#fraudprevention
#socialengineering
#taxscam

🚨 Breaking news: #Qantas joins the elite club of companies that think ignoring hackers will make them go away. 🙄 5 million customers can now enjoy the thrill of identity theft, courtesy of an airline that thought a "ransom deadline" was just a suggestion. ✈️🔓
https://www.theguardian.com/business/2025/oct/11/hackers-leak-qantas-data-containing-5-million-customer-records-after-ransom-deadline-passes #Security #Breach #IdentityTheft #Cybersecurity #Ransomware #AirlineNews #HackerNews #ngated
Hackers leak Qantas data containing 5 million customer records after ransom deadline passes

Hacker collective Scattered Lapsus$ Hunters demanded payment in return for preventing the stolen data of nearly 40 companies from being shared

The Guardian
Identity theft? Vinnie Pasquantino, Royals fans take issue with MLB Squatch idea - MLB

There were wall-to-wall Major League Baseball games Wednesday, with four playoff contests being held.

MLB

It’s not like this isn’t EXACTLY the kind of threat people who were actually paying attention have been banging on about for these past 30 years—long enough for a whole new generation of halfwit legislators to ponder jamming a fork into the metaphorical wall socket.

http://archive.today/2025.10.09-193913/https://www.404media.co/the-discord-hack-is-every-users-worst-nightmare/ #privacy #AgeVerification #IdentityTheft #FFS

We spend our lives chasing borrowed identities: job titles, family roles, social masks, and call it growth.

But that isn’t growth, it’s theft.

Because true wealth isn’t about acquiring something new, it lies in reclaiming what has always been yours.

Watch this unfiltered conversation with the NDTV on the urgent question: Who are you beneath all the labels?

#IdentityTheft #AuthenticSelf #AcharyaPrashant #MustWatch #NDTV

Australian Associated Press: Bindi Irwin targeted in dozens of fake AI-generated posts. “As Robert Irwin turns heads with his recent Dancing with the Stars performances, his big sister Bindi is being targeted with fake, AI-generated claims on Facebook.”

https://rbfirehose.com/2025/10/07/australian-associated-press-bindi-irwin-targeted-in-dozens-of-fake-ai-generated-posts/
