It's been a busy 24 hours in the cyber world with significant updates on recent breaches, new malware campaigns, critical vulnerabilities, and shifts in government cyber policy. Let's dive in:Recent Cyber Attacks & Breaches - Plex, the media streaming platform, has once again urged users to reset passwords following another data breach that exposed emails, usernames, and hashed passwords. This isn't their first rodeo, so 2FA is a must!- The New York Blood Center disclosed a January ransomware attack that leaked sensitive health information and, for employees, SSNs and financial data, impacting thousands.- HelloGym, a service for major fitness brands, left 1.6 million unencrypted audio call recordings exposed online, containing names, financial details, and potentially biometric voice data, raising serious social engineering and deepfake risks.- The US Department of Defense (DoD) was found to have publicly exposed social media stream keys for years on its DVIDS website, leaving its livestreams vulnerable to hijacking. This has now been fixed.- A Brazilian lesbian dating app, Sapphos, shut down after an API flaw (IDOR) exposed sensitive user data, including identity verification photos, leading to the deletion of its entire user database.- The npm supply chain saw an attack where a developer's account was phished, leading to popular packages being backdoored with crypto-stealing malware. While the attackers only netted about $925, the incident highlights the fragility of the JavaScript ecosystem and the persistent threat of phishing. Bleeping Computer | https://www.bleepingcomputer.com/news/security/plex-tells-users-to-reset-passwords-after-new-data-breach/ The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/09/plex_breach/️ The Record | https://therecord.media/blood-center-discloses-details-on--january-ransomware-attack The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/09/gym_audio_recordings_exposed/ The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/09/us_dod_exposed_keys/️ The Record | https://therecord.media/brazil-lesbian-dating-app-shuts-down-vulnerability The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/09/npm_supply_chain_attack/New Threat Research & Ransomware ️- Researchers detailed new malware campaigns: MostereRAT, a banking malware turned RAT, uses advanced evasion techniques and drops tools like AnyDesk. "ClickFix-esque" social engineering is distributing MetaStealer via fake AnyDesk installers.- A novel adaptation of ClickFix leverages CSS-based obfuscation and "prompt overdose" to weaponise AI summarisers, potentially delivering malicious instructions for ransomware deployment.- RatOn, a new Android malware, has evolved to include NFC relay and Automated Transfer System (ATS) capabilities, targeting cryptocurrency wallets and banking apps, often distributed via fake TikTok 18+ listings.- Ukrainian national Volodymyr Viktorovich Tymoshchuk has been indicted by the US for his alleged role as an administrator of LockerGoga, MegaCortex, and Nefilim ransomware operations, which targeted hundreds of organisations globally, causing millions in damages. The State Department is offering an $11 million reward for information leading to his arrest.- A threat actor targeting exposed Docker APIs has updated its tooling to deploy a more complex payload, block API access, enable persistent SSH, and install scanning tools, suggesting an evolution towards a sophisticated botnet. The Hacker News | https://thehackernews.com/2025/09/from-mostererat-to-clickfix-new-malware.html The Hacker News | https://thehackernews.com/2025/09/raton-android-malware-detected-with-nfc.html️ The Record | https://therecord.media/lockergoga-megacortex-nefilim-ransomware-ukrainian-indictment-unsealed🤫 CyberScoop | https://cyberscoop.com/nefilim-ransomware-indictment-volodymyr-tymoshchuk-department-of-justice/ Bleeping Computer | https://www.bleepingcomputer.com/news/security/us-charges-admin-of-lockergoga-megacortex-nefilim-ransomware/ Bleeping Computer | https://www.bleepingcomputer.com/news/security/hackers-hide-behind-tor-in-exposed-docker-api-breaches/Vulnerabilities & Patches ️- SAP has patched 21 vulnerabilities, including three critical flaws in its NetWeaver software. The most severe, CVE-2025-42944 (CVSS 10.0), is an insecure deserialization leading to arbitrary OS command execution.- Adobe released an emergency patch for CVE-2025-54236, dubbed "SessionReaper," a critical vulnerability in Commerce and Magento Open Source that allows unauthenticated account takeover via the REST API.- Microsoft's September Patch Tuesday addressed 81 vulnerabilities, including eight critical and one high-severity, though none are actively exploited. Notable flaws include a deserialization RCE in High Performance Compute Pack (CVE-2025-55232) and elevation of privilege issues in Windows NTLM and SMB protocols. Bleeping Computer | https://www.bleepingcomputer.com/news/security/sap-fixes-maximum-severity-netweaver-command-execution-flaw/ Bleeping Computer | https://www.bleepingcomputer.com/news/security/adobe-patches-critical-sessionreaper-flaw-in-magento-ecommerce-platform/🤫 CyberScoop | https://cyberscoop.com/microsoft-patch-tuesday-september-2025/Threat Landscape Commentary - Senator Angus King (I-ME) described the cyber domain as a "hellscape," criticising recent US government job cuts in cybersecurity agencies like CISA, which he claims has lost 30% of its staff, warning the US is "unilaterally disarming."- Anthropic's Claude Code, an AI for security reviews, has been shown to miss vulnerabilities and potentially introduce new risks by executing code during testing. Researchers advise against fully trusting AI for security without rigorous human oversight.- National Cyber Director Sean Cairncross called on the private sector to collaborate with the federal government to advance an "America First" vision in cyberspace, emphasising the need for strategic coherence and shifting the burden of risk to adversaries.️ The Record | https://therecord.media/angus-king-cyber-domain-cuts-cisa The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/09/ai_security_review_risks/️ The Record | https://therecord.media/sean-cairncross-oncd-billington-cybersecurity-speech/Data Privacy Concerns - WhatsApp's former head of security is suing Meta, alleging retaliation for reporting systemic security failings, including 1,500 engineers having unrestricted access to user data without audit trails, violating FTC privacy orders. The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/08/whatsapp_exsecurity_head_sues_company/Regulatory & Legal Actions ️- The US Treasury Department has sanctioned 19 individuals and organisations involved in major cyber scam hubs in Burma and Cambodia, which collectively stole over $10 billion from Americans last year and rely on forced labour.- The UK's Online Safety Act has been toughened, making self-harm content a "priority offence" that legally requires tech companies to proactively prevent its publication, rather than just removing it.- The Department of Justice is pursuing civil forfeiture of $5 million in Bitcoin stolen from five victims through SIM swapping attacks between late 2022 and early 2023, with funds traced through multiple wallets to an online casino.- New cybersecurity rules under the Cybersecurity Maturity Model Certification (CMMC) program will come into effect on November 9, requiring all US DoD contractors to meet specific compliance levels based on the sensitivity of unclassified information they handle.🤫 CyberScoop | https://cyberscoop.com/southeast-asia-scam-hubs-sanctions/ Bleeping Computer | https://www.bleepingcomputer.com/news/security/us-sanctions-cyber-scammers-who-stole-billions-from-americans/ The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/09/selfharm_online_safety_act/️ The Record | https://therecord.media/us-seeks-5-million-bitcoin-taken-in-sim-swaps The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/09/new_cybersecurity_compliance_rules_dod/Government Cyber Structure ️- The Trump administration has decided to maintain the "dual-hat" leadership of US Cyber Command and the National Security Agency, shelving plans to split the roles due to the immense complexity and time required for such a reorganisation.️ The Record | https://therecord.media/cyber-command-nsa-dual-hat-single-leader-trump-administrationOther Noteworthy Updates - Encrypted messaging app Signal is rolling out a new opt-in feature offering 100MB of free, encrypted cloud storage for media from the past 45 days, with a paid tier for 100GB, funded by user subscriptions as a non-profit.- Finnish phone maker HMD Global is launching HMD Secure, a new business unit focused on sovereign mobile security products for European governments and critical customers, with its first "Euro-made" Android smartphone, the HMD Ivalo XE, due in Q1 2026.- Microsoft is working to resolve an anti-spam bug that is mistakenly blocking URLs and quarantining emails for Exchange Online and Microsoft Teams users, caused by its engine incorrectly flagging URLs within other URLs as malicious.- Mitsubishi Electric is set to acquire industrial cybersecurity firm Nozomi Networks for approximately $883 million, with Nozomi continuing to operate independently, highlighting the growing focus on securing operational technology (OT) environments. The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/09/storage_message_signal/ The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/09/hmd_ivalo_xe/ Bleeping Computer | https://www.bleepingcomputer.com/news/microsoft/microsoft-anti-spam-bug-blocks-links-in-exchange-online-teams/️ The Record | https://therecord.media/nozomi-networks-mitsubishi-electric-acquisition🤫 CyberScoop | https://cyberscoop.com/nozomi-networks-mitsubishi-electric-acquisition-ot-ics-cybersecurity/#CyberSecurity #ThreatIntelligence #Ransomware #Malware #Vulnerabilities #DataBreach #SupplyChainAttack #SocialEngineering #AI #DataPrivacy #RegulatoryCompliance #InfoSec #IncidentResponse #PatchTuesday
