Cybersecurity Brief – 2025-11-20
Major Incidents or Breaches
- Tens of thousands of outdated or end-of-life ASUS routers have been compromised globally in “Operation WrtHug,” exploiting six vulnerabilities to create a large botnet, with most affected devices located in Taiwan, the U.S., and Russia.
- Cloudflare experienced a major outage, its worst in six years, caused by an internal database access control change, resulting in widespread service disruption for nearly six hours.
- A 45-year-old California man pleaded guilty to laundering $25 million in cryptocurrency stolen from a $230 million heist.
- The U.S., UK, and Australia have sanctioned Russian bulletproof hosting provider Media Land for supporting ransomware gangs and other cybercrime operations.
Newly Discovered Vulnerabilities
- Two zero-day vulnerabilities in Fortinet’s FortiWeb web application firewall have been disclosed and exploited in the wild, including an OS command injection flaw that enables arbitrary code execution. CISA has directed U.S. agencies to patch the latest flaw within seven days.
- A critical remote code execution vulnerability (CVE-2025-11001) in 7-Zip, involving its handling of symbolic links, is under active exploitation.
- The W3 Total Cache WordPress plugin contains a critical PHP command injection flaw that can be exploited via malicious comments.
- SolarWinds patched three critical remote code execution vulnerabilities in its Serv-U software.
- A two-year-old authentication flaw in the Ray AI framework is being exploited in ongoing attacks to compromise clusters and deploy cryptocurrency miners and LLM-generated payloads.
Notable Threat Actor Activity
- The China-aligned PlushDaemon APT group has been observed deploying a Go-based network backdoor (“EdgeStepper”) and a network implant to facilitate adversary-in-the-middle (AitM) attacks, including hijacking software update mechanisms in supply-chain attacks.
- The TamperedChef malvertising campaign is distributing malware globally through fake installers masquerading as popular software.
- A Python-based WhatsApp worm is spreading the Eternidade Stealer banking trojan across Brazilian devices, using social engineering and WhatsApp hijacking.
- The Sneaky2FA phishing-as-a-service kit has added Browser-in-the-Browser (BitB) attack capabilities, enabling more convincing phishing attacks to steal credentials and bypass two-factor authentication.
- The ShinyHunters group is developing a new ransomware-as-a-service platform called ShinySp1d3r.
- Mac users are being targeted by a new information stealer, DigitStealer, which is notable for its advanced capabilities.
Trends, Tools, or Tactics of Interest
- Q3 2025 threat reports highlight increased ransomware activity in Germany, a rise in mobile and IoT-targeted malware, and growing sophistication in attack techniques.
- AI is increasingly being leveraged by cybercriminals to enhance phishing campaigns, automate attacks, and scale operations.
- Agentic AI systems, such as ServiceNow’s Now Assist, are vulnerable to second-order prompt injection and agent hijacking, which can be exploited to alter agent behavior or compromise networks.
- DevOps environments face risks from weak access controls, misconfigurations, and accidental data loss in code repositories.
- Researchers demonstrated that critical railway braking systems are susceptible to tampering using low-cost hardware.
- Unicode-related security risks extend beyond internationalized domain names, impacting broader systems and applications.
Regulatory or Policy Developments Affecting the Security Industry
- The U.S., UK, and Australia have coordinated sanctions against Russian bulletproof hosting providers supporting ransomware and cybercrime.
- CISA released new guides to help safeguard critical infrastructure from unmanned aircraft systems threats and to combat bulletproof hosting cybercrime.
- National data laws are creating fragmented and potentially vulnerable systems for international organizations due to conflicting regulatory requirements.