Morning, cyber pros! ☕ It's been a packed 24 hours with some serious breaches, actively exploited vulnerabilities, and significant regulatory shifts. We're also seeing new threat actor TTPs, a new PDF phishing toolkit, and AI security news on both the attack and defence side. Let's dive in:
Airline and Beverage Giant Hit by Cyberattacks ⚠️
- Canadian airline WestJet confirmed a June cyberattack exposed sensitive customer data, including full names, dates of birth, mailing addresses, and travel documents like passports and government IDs. No credit card or password data was compromised.
- Japanese beverage company Asahi experienced a cyberattack causing system failures that halted order, shipment, and call centre operations in Japan, though no personal or customer data leakage has been confirmed.
- Both incidents show that large, well-resourced corporations remain exposed; WestJet's breach has been tentatively linked to the Scattered Spider group, which has recently targeted the aviation sector.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/westjet-confirms-recent-breach-exposed-customers-passports/
🗞️ The Record | https://therecord.media/asahi-japan-cyberattack-limits-shipping-call-centers/
New Chinese Espionage Group "Phantom Taurus" Emerges 🇨🇳
- Palo Alto Networks' Unit 42 has identified a new, highly stealthy Chinese espionage group, "Phantom Taurus," targeting geopolitically significant victims in the Middle East, Africa, and Asia.
- This group uses a distinct set of custom malware, including the NET-STAR suite of web-based backdoors, designed for extreme stealth and long-term persistence to exfiltrate sensitive data.
- Phantom Taurus primarily gains initial access by exploiting known vulnerabilities in internet-facing devices, underscoring the importance of timely patching even against advanced threats.
🤫 CyberScoop | https://cyberscoop.com/phantom-taurus-china-espionage-group/
North Korean IT Worker Scheme Expands Globally 🇰🇵
- Okta's research reveals North Korea is significantly expanding its illicit IT worker scheme beyond the US tech sector, now targeting dozens of industries and countries worldwide, including finance, healthcare, and government.
- These workers use fake or stolen identities to secure high-paying remote roles, aiming to circumvent sanctions and generate millions for Pyongyang's military, with a notable increase in applications for AI-focused positions.
- The campaign's evolution into new markets, coupled with increased pressure from law enforcement, suggests North Korean threat actors may increasingly resort to ransomware, data theft, and extortion tactics.
🗞️ The Record | https://therecord.media/north-korea-it-worker-scheme-expands-outisde-us-tech/
MatrixPDF Toolkit Weaponises PDFs for Phishing 🎣
- A new toolkit called MatrixPDF is being sold on cybercrime forums, enabling attackers to transform ordinary PDF files into interactive phishing and malware lures that bypass email security.
- The tool allows embedding blurred content, fake "Secure Document" prompts, and clickable overlays that redirect victims to credential theft pages or malware downloads, leveraging JavaScript actions.
- MatrixPDF gets past Gmail's attachment scanning because the PDF itself carries no malicious binary: the payload is only fetched after the victim clicks through, so the actual malware or credential-theft page never passes through the mail filter.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/new-matrixpdf-toolkit-turns-pdfs-into-phishing-and-malware-lures/
Google Drive Integrates AI for Ransomware Detection 🛡️
- Google has rolled out a new AI tool in Drive for desktop designed to detect ransomware activity, such as mass file encryption, and automatically pause syncing to limit damage spread.
- The model, trained on millions of real-world ransomware samples and leveraging VirusTotal threat intelligence, aims to provide early alerts and facilitate file restoration with a few clicks.
- While a significant defensive layer, Google clarifies this is not a silver bullet to prevent ransomware outright but rather to mitigate its impact, working in conjunction with traditional antivirus solutions.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/30/google_drive_ai_ransomware_detection/
Anthropic Enhances Claude Sonnet 4.5 for Safety and Security 🤖
- Anthropic has released Claude Sonnet 4.5, touting significant improvements in safety and security, including enhanced defences against prompt injection attacks and reduced concerning behaviours like sycophancy and deception.
- The model ships under Anthropic's AI Safety Level 3 (ASL-3) protections, with increased internal security measures and safeguards that limit jailbreaking and refuse harmful queries, particularly around weapons and influence operations.
- Sonnet 4.5 also shows "meaningful" improvements in defensive cybersecurity tasks like vulnerability discovery and code analysis, though it still operates "well below" the capabilities for autonomous end-to-end cyber operations.
🤫 CyberScoop | https://cyberscoop.com/anthrophic-sonnet-4-5-security-safety-testing/
Cisco ASA/FTD Flaws Actively Exploited, Thousands Remain Vulnerable 🚨
- Nearly 50,000 Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) instances remain internet-exposed and vulnerable to CVE-2025-20333 (RCE) and CVE-2025-20362 (authentication bypass on the VPN web server), both of which are actively exploited.
- Despite Cisco's warnings and a rare 24-hour CISA emergency directive for federal agencies to patch, a significant number of devices, particularly in the US, are yet to be secured.
- The attackers, assessed as likely the same actor behind the ArcaneDoor campaign, are deploying the 'RayInitiator' GRUB bootkit and the 'Line Viper' user-mode shellcode loader; RayInitiator persists across reboots and software upgrades on older ASA 5500-X models that lack Secure Boot, which is why end-of-life or soon-to-be end-of-life devices are the primary targets.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/nearly-50-000-cisco-firewalls-vulnerable-to-actively-exploited-flaws/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/30/warnings_about_cisco_vulns_under_active_exploit_are_falling_on_deaf_ears/
Critical Sudo Flaw Under Active Exploitation 🐧
- CISA has added CVE-2025-32463, a critical privilege escalation vulnerability in the Linux Sudo package, to its Known Exploited Vulnerabilities catalog due to active exploitation.
- This flaw allows local attackers to execute arbitrary commands as root via the -R (--chroot) option, even if they are not listed in the sudoers file, and affects Sudo versions 1.9.14 through 1.9.17 (fixed in 1.9.17p1).
- Federal agencies have until October 20 to apply mitigations or discontinue Sudo use, underscoring the urgency for all organisations to patch immediately.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-linux-sudo-flaw-exploited-in-attacks/
📰 The Hacker News | https://thehackernews.com/2025/09/cisa-sounds-alarm-on-critical-sudo-flaw.html
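The first question on every Linux host is simply whether the installed sudo falls in the affected range, and the "p" patch-level suffix matters: 1.9.17 is vulnerable, 1.9.17p1 is not. The checker below is an added example for this page, not tooling from the sudo project or CISA; it parses the `sudo --version` banner and applies the range from the advisory. Distribution packages routinely backport fixes without changing the upstream version string, so treat a VULNERABLE result as a prompt to check the distro changelog, not as proof.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, micro, patchlevel)

_BANNER = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(banner: str) -> Optional[Version]:
    """Parse the first line of `sudo --version`, e.g. 'Sudo version 1.9.17p1'."""
    m = _BANNER.search(banner)
    if m is None:
        return None
    major, minor, micro, plevel = m.groups()
    return (int(major), int(minor), int(micro), int(plevel or 0))


def is_vulnerable_to_cve_2025_32463(version: Version) -> bool:
    """Upstream 1.9.14 through 1.9.17 (patch releases such as 1.9.15p5 included)
    are affected; 1.9.17p1 is the first fixed release."""
    base = version[:3]
    if not ((1, 9, 14) <= base <= (1, 9, 17)):
        return False
    # 1.9.17 itself is affected, 1.9.17p1 and later patch levels are not.
    return not (base == (1, 9, 17) and version[3] >= 1)


def assess(banner: str) -> str:
    """Turn a version banner into a one-line verdict for an inventory report."""
    v = parse_sudo_version(banner)
    if v is None:
        return "unknown: could not parse sudo version banner"
    tag = "%d.%d.%d" % v[:3] + ("p%d" % v[3] if v[3] else "")
    if is_vulnerable_to_cve_2025_32463(v):
        return "VULNERABLE: sudo %s is in the affected range; upgrade to 1.9.17p1 or later" % tag
    return "not affected by version: sudo %s" % tag


def assess_local_host() -> str:
    # Caveat: distro packages often backport the fix without bumping the
    # upstream version, so confirm a VULNERABLE verdict against the package
    # changelog before raising an incident.
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return "sudo not installed"
    return assess(out)


if __name__ == "__main__":
    print(assess_local_host())
```

`sudo --version` prints the banner for unprivileged users too, so the script can run from a non-root inventory agent; pipe the verdicts into whatever asset tracker you use to drive the October 20 deadline.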
Fortra GoAnywhere MFT Vulnerability Actively Exploited 📁
- CISA has ordered federal agencies to patch CVE-2025-10035, a critical deserialization vulnerability (CVSS 10.0) in Fortra's GoAnywhere MFT solution, due to strong indications of active exploitation.
- The flaw primarily affects organisations with an internet-exposed GoAnywhere admin console and could lead to command injection, reminiscent of a 2023 GoAnywhere vulnerability exploited by ransomware gangs like Clop.
- Fortra has released a patch and mitigation guidance, urging customers to review configurations and remove public access from the Admin Console, despite not explicitly confirming in-the-wild exploitation.
🗞️ The Record | https://therecord.media/cisa-orders-federal-gov-patch-fortra-bug/
📰 The Hacker News | https://thehackernews.com/2025/09/fortra-goanywhere-cvss-10-flaw.html
Broadcom Patches Actively Exploited VMware Zero-Day and NSA-Reported Flaws ☁️
- Broadcom has patched CVE-2025-41244, a high-severity privilege escalation vulnerability in VMware Aria Operations and VMware Tools, which has been exploited as a zero-day by the Chinese state-sponsored threat actor UNC5174 since October 2024.
- UNC5174 abuses the flaw by staging a malicious binary in a world-writable path such as /tmp/httpd and running it; VMware Tools' service discovery matches the process by name rather than by trusted location and invokes the binary as root to read its version, handing the attacker root-level code execution.
- Additionally, Broadcom fixed two high-severity VMware NSX flaws reported by the NSA: a weak password-recovery mechanism (CVE-2025-41251) and a username-enumeration bug (CVE-2025-41252), both of which could facilitate brute-force attacks.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/broadcom-fixes-high-severity-vmware-nsx-bugs-reported-by-nsa/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/chinese-hackers-exploitng-vmware-zero-day-since-october-2024/
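The detection angle that follows from the mechanism above is location, not name: a legitimate httpd or mysqld is launched from a package-managed path, so a process (or a staged file) with a service-like name under /tmp, /var/tmp or /dev/shm is worth an analyst's attention regardless of whether the guest has been patched. The checker below is an added example for this page, not VMware's or NVISO's code. The service-name pattern is an illustrative subset and not the regex list shipped in open-vm-tools' get-versions.sh, and the writable-directory list is an assumption to tune per host.

```python
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Sequence

# Paths an unprivileged user can write to; assumption: extend to match the host.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# Service names the discovery script hunts for. Assumption: an illustrative
# subset, not the regex list shipped in open-vm-tools' get-versions.sh.
SERVICE_NAMES = re.compile(r"^(httpd|apache2|nginx|mysqld|mariadbd|postgres|java|tomcat)$")


@dataclass(frozen=True)
class Proc:
    pid: int
    exe: str  # target of /proc/<pid>/exe, e.g. "/tmp/httpd (deleted)"


def running_procs(proc_root: str = "/proc") -> List[Proc]:
    """Enumerate processes with a resolvable executable path (run as root to see all)."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, already exited, or no permission
        procs.append(Proc(int(entry), exe))
    return procs


def _looks_like_staged_service(path: str) -> bool:
    # A binary deleted after launch still shows up as "... (deleted)"; strip
    # that suffix so the directory and basename checks still apply.
    path = path.replace(" (deleted)", "")
    return path.startswith(UNTRUSTED_PREFIXES) and bool(SERVICE_NAMES.match(os.path.basename(path)))


def suspicious_procs(procs: Iterable[Proc]) -> List[Proc]:
    """Processes that service discovery would match by name but which run
    from a user-writable location instead of a package-managed path."""
    return [p for p in procs if _looks_like_staged_service(p.exe)]


def staged_binaries(dirs: Sequence[str] = ("/tmp", "/var/tmp", "/dev/shm")) -> List[str]:
    """Executable files with a service-like name sitting in writable dirs,
    i.e. staged for the next discovery run rather than currently running."""
    hits = []
    for d in dirs:
        try:
            names = os.listdir(d)
        except OSError:
            continue  # directory absent or unreadable on this host
        for name in names:
            full = os.path.join(d, name)
            if SERVICE_NAMES.match(name) and os.path.isfile(full) and os.access(full, os.X_OK):
                hits.append(full)
    return sorted(hits)


if __name__ == "__main__":
    for p in suspicious_procs(running_procs()):
        print("running from writable path: pid=%d exe=%s" % (p.pid, p.exe))
    for f in staged_binaries():
        print("staged service-like binary:", f)
```

Run it as root inside the guest so /proc/<pid>/exe resolves for every process; a hit is not proof of compromise (developers do run java from /home), but a hit named httpd or mysqld under /tmp on a VMware guest that ran an unpatched VMware Tools is a clear escalation trigger.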
Google Gemini AI Flaws Disclosed 🧠
- Researchers have uncovered and Google has patched three "Gemini Trifecta" vulnerabilities in Google's Gemini AI assistant, which could have led to significant privacy risks and data theft.
- Flaws included prompt injection in Gemini Cloud Assist (exploiting log summarisation to compromise cloud resources), search-injection in Gemini Search Personalization (manipulating Chrome search history to leak user data), and indirect prompt injection in Gemini Browsing Tool (exfiltrating user data to external servers).
- These vulnerabilities highlight that AI itself can be an attack vector, not just a target, underscoring the need for robust security in AI adoption.
📰 The Hacker News | https://thehackernews.com/2025/09/researchers-disclose-google-gemini-ai-flaws-allowing-prompt-injection-and-cloud-exploits.html
FTC Sues Sendit App for Child Data Collection and Deceptive Practices 🧒
- The FTC is suing Sendit, a popular social media companion app, and its CEO for allegedly violating COPPA by illegally collecting personal data (phone numbers, birthdates, photos, social media usernames) from over 116,000 US children under 13 without parental consent.
- The lawsuit also alleges deceptive practices, including generating fake, provocative anonymous messages to trick users into purchasing a "Diamond Membership" for up to $9.99 a week, falsely promising to reveal sender identities.
- These actions highlight serious concerns about child online privacy and manipulative subscription models, with the FTC seeking to hold the company accountable under COPPA, the FTC Act, and ROSCA.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/legal/sendit-sued-by-the-ftc-for-illegal-collection-of-children-data/
🗞️ The Record | https://therecord.media/ftc-alleges-sendit-app-violated-children-privacy-rule/
Imgur Blocks UK Users Following Data Watchdog Fine Warning 🇬🇧
- Imgur has blocked access for all users in the United Kingdom after the Information Commissioner's Office (ICO) issued a notice of intent to fine its parent company, MediaLab, over its handling of children's personal data and age assurance under UK data protection law.
- The geoblock means UK users cannot log in, view content, or upload images, and embedded Imgur content on third-party sites is also unavailable, causing widespread impact.
- The ICO notes that withdrawing from the UK does not exempt MediaLab from any fine it may impose for past non-compliance, underscoring that geoblocking is not an exit from data protection obligations already incurred.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/technology/imgur-blocks-uk-users-after-data-watchdog-signals-possible-fine/
#CyberSecurity #ThreatIntelligence #Vulnerabilities #ZeroDay #ActiveExploitation #Ransomware #APT #NationState #DataPrivacy #Regulatory #CISA #AI #Phishing #Malware #InfoSec #IncidentResponse