Category: Cyber News

Highlights of the Week

• Microsoft released its August “Patch Tuesday” on August 12, fixing over 90 security flaws. Among these were multiple zero-day vulnerabilities in Windows and Office suites that could permit remote code execution.
• Cisco issued emergency advisories for vulnerabilities in IOS and NX-OS, some of which could allow denial-of-service attacks on networking infrastructure. The company also flagged growing supply chain threats, especially after a breach attempt targeting telecom firms using compromised Cisco equipment.
• Fortinet pushed updates to its FortiGate firewalls to address critical buffer overflow issues—mitigating potential ransomware risks.
• Noteworthy attacks this week included a major DDoS assault on European financial institutions, likely state-sponsored, which disrupted services across the region.
• New ransomware variants, such as LockBit, exploited unpatched systems, particularly in health care.
• Security experts issued warnings about AI-assisted attacks, urging organizations to double down on patching, threat intelligence, and proactive defense.

Cyber Attacks

• ClickFix Trick Exploits Windows
  Threat actors are using a technique dubbed “ClickFix,” luring users via phishing or fake error alerts to run malicious PowerShell commands. This can drop malware like Havoc, which maintains persistence and exfiltrates data through cloud services. Organizations should scrutinize PowerShell logs and educate users to avoid suspicious prompts.
• DarkBit Hits VMware ESXi Hosts
• The DarkBit group is targeting VMware ESXi servers with custom ransomware that encrypts VM disk files using AES-128-CBC and RSA-2048. Some decryptors were later released, but victims are urged to patch systems and monitor abnormal encryption activity.
• Attack on Canada’s House of Commons
• On August 9, attackers leveraged a Microsoft vulnerability to infiltrate Canada’s House of Commons infrastructure, exfiltrating employee names, roles, and email addresses. The Canadian Centre for Cyber Security is investigating; attribution has not been confirmed.
• New FireWood Backdoor Targets Linux
• A variant of FireWood, associated with the Gelsemium APT, is attacking Linux servers via web shells, enabling command execution and data theft. Administrators should scan for web shell artifacts and reinforce shell access controls.
• PhantomCard Android Malware Uses NFC for Theft
• PhantomCard, a Brazilian cybercrime tool, abuses NFC to steal card information in real time. Delivered through fake security apps, it masquerades as a payment terminal. Users should only install verified apps and disable NFC when idle.
• Phishing via Microsoft Teams Remote Control
• Malicious actors are exploiting Teams’ remote-control feature during meetings, tricking victims into granting system access. To counter this, organizations should disable remote control or verify access requests thoroughly.
• Gmail Phishing Evades Filters
• A sophisticated Gmail phishing campaign now bypasses defenses by spoofing Google alerts, passing DKIM checks, and hosting credential-harvesting pages on sites.google.com. Recipients receive fake subpoenas or security notices. Users should inspect sender details and avoid clicking on unsolicited links.

Vulnerabilities Disclosed

• Ivanti Connect Secure / Policy Secure / ZTA
  Four issues were patched, including two high-severity buffer overflow vulnerabilities (CVE-2025-5456, CVE-2025-5462). Other fixes addressed XML external entity injection and symbolic link mishandling. Cloud users benefit from auto-updates; on-premises users must patch manually.

• SAP August Security Release
  SAP addressed 15 vulnerabilities—three were critical code injection flaws (CVEs 2025-42957, 2025-42950, 2025-27429) in S/4HANA and Landscape Transformation. Other issues included authorization bypass, XSS, and path traversal in NetWeaver and Business One. Update priorities should target high-risk enterprise systems first.

• Microsoft August Patch – 107 Fixes
  Microsoft’s update fixes 107 vulnerabilities, including 36 remote-code execution flaws (10 critical) across components like Windows Graphics, Office, Excel, and Hyper-V. Elevation-of-privilege issues (40 total) also feature prominently, along with spoofing, denial-of-service, and information disclosure flaws. No zero-days were disclosed this cycle, but quick patching is highly recommended.

• FortiSIEM OS Command-Injection (CVE-2025-25256)
  A serious flaw in Fortinet’s FortiSIEM permits remote command execution without authentication. Affected versions include 5.4–7.3. Proof-of-concept exploits are already circulating. Users are advised to upgrade or restrict port 7900 access immediately.

• Rooted Android Full Control Vulnerability
  A newly revealed vulnerability affects rooted Android devices, potentially giving attackers full control and exposing data. Devices globally could be at risk. Users should reassess rooting and bolster defenses.

• Cisco Secure Client / Secure Firewall DLL Hijacking
  In versions up to 5.1.7.80, a local attacker with authentication may hijack DLLs via weak IPC validation, executing arbitrary code with SYSTEM privileges. The fix is available starting with version 5.1.8.1.

• Snort 3 Detection Weakness
  Vulnerabilities in Snort 3 may allow attackers to elude detection and escalate privileges. Patches targeting relevant Linux kernels and toolsets are essential.

• Elastic EDR Zero Day
  A zero-day in Elastic EDR bypasses endpoint defenses, enabling malware execution and leading to system crashes (BSOD). The flaw was disclosed August 17, 2025—urgent updates are required for protection.

How the Attack works

1. Deception: Users navigating to a compromised website (often impersonating popular trading platforms) are presented with a fake CAPTCHA or “human verification” page that mimics a legitimate Cloudflare security check.
2. OS-Specific Attack: The attacker customizes the instructions based on the victim’s operating system:

• Windows users receive innocuous (harmless) PowerShell instructions.
• macOS users are instructed to open Terminal, paste a seemingly benign, base64-encoded command, and press Enter.

3. Payload Execution: When the macOS command is run, it decodes and executes a script that fetches a highly obfuscated AppleScript payload from a remote server.
4. Data Theft and Exfiltration: The AppleScript performs the core data harvesting activities:

• It prompts the user for their password to escalate privileges.
• It scans the Desktop, Documents, and Library folders for sensitive files (e.g., .pdf, .docx, Keychain databases, and Safari artifacts).
• It enumerates and copies saved credentials, cookies, form history, and encrypted files from major browsers, including MetaMask and Exodus crypto wallet files.
• The collected data is archived into a .zip file and exfiltrated to the attacker’s command-and-control server.

5. Evasion: By relying on the victim to manually execute a one-line Terminal command rather than dropping a traditional malware binary, the “ClickFix” method effectively bypasses signature-based antivirus solutions.

This campaign, linked to the “Odyssey stealer,” underscores the need for users to be highly skeptical of any website instructing them to copy and paste code into their operating system’s command line.

Details of the Vulnerability

• Flaw: The vulnerability exploits Cursor’s Model Context Protocol (MCP) auto-start feature, which automatically executes new entries added to the ~/.cursor/mcp.json configuration file.
• Attack Vector: When a developer connects Cursor to external services (like Slack or GitHub) via an MCP server and then uses the AI agent to process untrusted external data (such as summarizing messages), a sophisticated prompt injection attack can occur.
• Execution: The malicious prompt tricks the AI agent into directly modifying the mcp.json file. Crucially, Cursor IDE writes these suggested edits to the disk and the MCP auto-start feature executes the embedded command immediately, achieving RCE before the user can review or reject the AI’s suggestion.
• Impact: Successful exploitation grants attackers developer-level privileges, enabling potential data theft, ransomware deployment, or complete system compromise.

Mitigation

The vulnerability affects all Cursor IDE versions prior to 1.3. Developers are strongly advised to:

1. Update Immediately to Cursor IDE version 1.3 or later, which contains the fix.
2. Review MCP Configurations to minimize exposure to untrusted external data sources.

This incident highlights a growing security challenge for AI development tools that integrate local systems with external, untrusted content sources.

The attackers assert they achieved deep access to critical systems, from booking engines to executive email, by penetrating the network in mid-2024, reportedly using targeted phishing and zero-day exploits. This persistent access eventually escalated to “Tier-0 domain controllers,” giving them full administrative control over essential platforms like Sirax, SharePoint, Exchange, CRM, and ERP.

The claimed culmination of the operation, which they termed a “strategic strike,” was the erasure or “bricking” of approximately 7,000 physical and virtual servers on July 27, 2025. This was coupled with the theft of over 20 TB of sensitive data, including flight logs, passenger records, and internal communications. Screenshots allegedly showing Active Directory folders were posted on Telegram as proof.

The Consequences

• On Monday morning, Aeroflot cited an “information-system failure” as it was forced to cancel 49 domestic and regional flights out of Moscow’s Sheremetyevo Airport, causing terminals to be overrun with stranded passengers.
• The disruption has caused Aeroflot’s stock price on the Moscow Exchange to drop by over 4%.
• Russia’s Prosecutor General has initiated a criminal investigation into “unauthorised access,” confirming the severity of the cyber-attack. Kremlin spokesperson Dmitry Peskov labeled the situation “quite alarming.”
• Cybersecurity analysts estimate that rebuilding the airline’s digital infrastructure could take months and cost “tens of millions of dollars,” marking a significant operational and symbolic blow in the context of the Russo-Ukrainian conflict.

The hackers have since threatened to release the stolen personal data of Aeroflot passengers. If confirmed, this leak would expose millions of customer records and escalate the geopolitical tensions surrounding the incident.

The Problem

The vulnerability resides in how Livewire v3 handles component state updates—specifically, its hydration mechanism. This flaw allows an attacker to manipulate server-side processes to achieve remote command execution without needing any user interaction or login credentials.

While the attack complexity is rated as high (requiring a specific component configuration), the lack of authentication or user interaction makes this an extremely dangerous, network-based threat.

Affected Systems

• Product: Livewire v3 framework
• Affected Versions: 3.0.0-beta.1 through 3.6.3
• Impact: Complete system compromise (Confidentiality, Integrity, and Availability).

The Fix

• There is no viable workaround. Users must treat this as an emergency.
• All users running affected versions of Livewire v3 must upgrade immediately to version 3.6.4.

Key Takeaways

• The Threat: RCE flaw in Livewire v3 allows attackers to take control of Laravel web apps.
• The Danger: No authentication or user interaction is required for exploitation.
• The Scope: Affects millions of applications running versions 3.0.0-beta.1 through 3.6.3.
• The Action: Patch immediately to Livewire v3.6.4.

Attack Mechanism

Unlike phishing, which relies on a user clicking, RenderShock attacks start immediately when a malicious file is passively processed by the system.

The flaw targets automatic file-handling services, including:

• Windows Explorer Preview Pane
• macOS Quick Look
• Windows Search Indexer

By embedding malicious code in files like PDFs, Office documents, and even basic LNK files, the attacker can silently trigger actions when the system attempts to generate a preview thumbnail or index the content.

Attackers’ Primary Goal

The primary goal of RenderShock is initial access and information theft. Key capabilities include:

1. NTLM Credential Theft: By leveraging UNC paths in a file’s metadata, the attack forces the system to automatically send NTLMv2 password hashes to an attacker’s remote server when the file is simply previewed.
2. Remote Code Execution: Advanced payloads can execute code by exploiting flaws in preview handlers, achieving full system compromise.

Action for Defenders

Since this is a fundamental design weakness, security teams must implement immediate mitigations:

• Disable Preview Features: Turn off the Preview Pane in Windows Explorer and Quick Look on macOS.
• Block SMB Traffic: Restrict outbound Server Message Block (SMB) traffic (TCP 445) to untrusted networks to prevent NTLM hash leaks.
• Behavioral Monitoring: Deploy EDR and behavioral tools to detect unusual network connections from typically “safe” processes like explorer.exe and searchindexer.exe.

Key Takeaways

The Threat: RenderShock is a 0-Click attack that requires no user action.

The Vulnerability: Exploits systems that automatically preview and index files (e.g., Quick Look).

The Result: Silent NTLM credential harvesting and remote code execution.

The Fix: Disable system preview features and block outbound SMB.

The Evasion Technique

RingReaper completely sidesteps the primary method EDRs use for detection: monitoring system calls (syscalls).

Instead of using traditional syscalls like read, write, and connect, the tool performs all its malicious operations (such as network communication and file access) through io_uring‘s asynchronous Input/Output (I/O) operations. This approach is designed for speed but, in this case, allows the attacker to:

1. Generate minimal auditable events.
2. Operate below the radar of EDR solutions that are only listening for standard syscalls.

Why It Matters

This is considered a paradigm shift in Linux malware. The technique effectively makes RingReaper “Fully Undetectable” (FUD) by current EDRs, allowing attackers to perform sophisticated actions like privilege escalation and data exfiltration without being seen.

Key Takeaways

The Threat: RingReaper is a new Linux tool capable of fully evading EDRs.

The Method: It exploits the io_uring kernel feature to perform operations without using traditional syscalls.

The Gap: Current EDRs only monitor traditional syscalls, leaving a blind spot for io_uring activity.

The Defense: Security monitoring must be updated to track operations within the io_uring kernel feature.

Main Takeaways

• Critical vulnerabilities in Airoha chip-based devices permit full control over device memory (RAM/flash) via BLE GATT and RFCOMM without any pairing.
• Affected brands include Sony, Bose, Marshall, Beyerdynamic, JBL, etc.
• Fixes were supplied to manufacturers in June 2025, but no firmware updates have been made public yet.

Researchers at ERNW found flaws affecting Bluetooth audio devices (headphones, earbuds, speakers) using Airoha SoCs (System on Chips).
The vulnerabilities allow an attacker within ~10 meters to exploit Bluetooth Low Energy (BLE) GATT, Bluetooth Classic (RFCOMM), and a custom protocol to:

• Read/write device memory (RAM/flash).
• Extract Bluetooth link keys (used to authenticate/bond devices).
• Impersonate trusted devices.
• Establish unauthorized hands-free (HFP) connections to eavesdrop via microphone.

Scope

Some of the affected models include:

• Sony: WH-1000XM4, WH-1000XM5, WF-1000XM5, WF-C500
• Marshall: ACTON III, MAJOR V, MINOR IV, STANMORE III
• Bose QuietComfort Earbuds; Beyerdynamic Amiron 300; Jabra Elite 8 Active; plus various JBL models.
• Wireless speakers, dongles, and pro audio gear are also impacted. Often manufacturers weren’t aware their devices used vulnerable Airoha chips.

Vulnerability Details:

CVE	Name / Description	Impact	CVSS Score
CVE-2025-20700	Missing Authentication for GATT Services	Read/write device memory; access sensitive data	8.8 (High)
CVE-2025-20701	Missing Authentication for Bluetooth BR/EDR	Full device takeover over Classic Bluetooth	8.8 (High)
CVE-2025-20702	Critical Capabilities of a Custom Protocol	Full RAM & flash access, link key extraction, impersonation potential	9.6 (Critical)

These vulnerabilities let attackers operate without being paired to or recognized by the Bluetooth device. Just proximity is sufficient.

Impact

• Eavesdrop via the mic (Hands-Free Profile)
• Listen in on what the device is playing (media) or trick the device to play/stop/share media
• Extract stored link keys to impersonate the device or gain persistent access even after disconnects
• Spread malware to other nearby vulnerable devices via GATT services (“wormable” behavior)

High-value individuals (journalists, diplomats, business leaders) are especially at risk.

Mitigation

• Monitor the device maker’s website or support portal for firmware updates.
• Remove Bluetooth pairing if you suspect your device may be targeted.
• Limit device Bluetooth exposure; turn off Bluetooth when not needed.
• Use devices in environments where nearby attackers are less likely.
• Check for unusual behavior: unexpected voice transmission, unknown connections, etc.

Main Takeaways

• There’s a flaw in Meshtastic’s packet-handling logic that could let an attacker intercept or manipulate messages across the mesh network.
• Malicious actors might exploit this to inject false messages, tamper with routing, or downgrade message integrity.
• Users should update to patched versions, validate firmware integrity, and monitor for unexpected network behavior.

Meshtastic allows devices to form peer-to-peer mesh networks for messaging without relying on cellular or Wi-Fi infrastructure. The vulnerability lies in how nodes process and forward certain packet types. Under specific circumstances, crafted packets can confuse nodes or bypass verification steps, letting an adversary inject or alter traffic.

Because mesh networks rely on trust and propagation across nodes, a malicious node or attacker in proximity could interfere widely—even if only a single device is compromised.

Risks & Attack Scenarios

• Message interception / eavesdropping: Attackers could insert themselves in the routing path and view messages not originally intended for them.
• Spoofing & fake messages: Malicious actors might inject false messages that appear valid, misleading users.
• Network disruption: By tampering with routing or packet flow, attackers could degrade or partition parts of the mesh.
• Downgrade or integrity attack: Under certain conditions, integrity checks or authentication routines may be bypassed or weakened.

Mitigation

• Install updates: Use the patched version of Meshtastic as soon as it’s available.
• Check firmware integrity: Use signed firmware and verify checksums before flashing devices.
• Restrict physical access: Prevent attackers from gaining close proximity, since many exploits require local radio access.
• Monitor routing anomalies: Look for unexpected node behavior, routing detours, or traffic patterns that deviate from the norm.
• Enable stronger cryptography: Where possible, enforce end-to-end encryption and validate node identities.
• Segment mesh networks: If feasible, limit mesh reach to trusted nodes and avoid open participation.

Takeaways

• A bug in Service Control triggered by a policy update with blank fields caused the system to crash globally.
• The failure led to a cascading outage across multiple Google Cloud and Workspace products.
• Google disabled the problematic feature, scaled back changes, and is rearchitecting Service Control to “fail open” in future incidents.

What Happened

• Google had added a feature for more granular quota validation. However, the new code lacked proper error handling and wasn’t behind a feature flag.
• A policy change with unintended blank metadata fields was inserted into regional databases and replicated globally.
• When Service Control tried to process that policy, it encountered a null pointer exception, causing the binary to crash across all regions.
• The binary crash loops triggered a vast disruption in API services.
• In the most affected region (us-central1), restarting Service Control caused overload on the underlying Spanner database due to a “herd effect” — many tasks restarted at once without backoff.
• Recovery took longer in that region; Google throttled restarts and rerouted traffic to multi-regional databases to reduce load.

Impact

• Disruption spanned Google Cloud Platform, Workspace, and numerous dependent services (Compute Engine, BigQuery, Cloud Storage, and more).
• Third-party platforms relying on Google infrastructure were also hit (Spotify, Discord, Snapchat, etc.).
• The outage led to widespread 503 errors and degraded access across many regions.
• Regions outside us-central1 largely restored in a couple of hours; us-central1 took nearly 2h 40m just to fully recover.

---

Mitigations

• Google immediately froze changes to the Service Control stack and halted manual policy pushes.
• They disabled the offending quota checks with a “red-button” kill switch.
• They’re redesigning Service Control so that if an internal check fails, the system “fails open” rather than blocking all API traffic.
• Planned improvements include better error handling, stricter feature flags, modular architecture, and avoiding global replication of unvalidated metadata.
• They also intend to audit systems consuming globally replicated data and implement randomized backoff to avoid database overloads during recovery.