Cybersecurity Newsletter Weekly – Discord, Red Hat Data Breach, 7-Zip Vulnerabilities and Sonicwall Firewall Hack

Welcome to this week’s edition of the Cybersecurity Newsletter Weekly, where we dive into the most pressing threats and vulnerabilities shaping the digital landscape.

As cyber risks continue to evolve at breakneck speed, our October 12, 2025, roundup spotlights a Discord platform breach exposing user data to potential exploitation, the alarming Red Hat data leak that compromised enterprise credentials and source code, critical flaws in 7-Zip software enabling arbitrary code execution, and a sophisticated hack targeting SonicWall firewalls that could bypass network defenses.

These incidents underscore the urgent need for proactive patching and monitoring. Stay ahead with our detailed breakdowns and mitigation strategies below.

Threats

Threat Actors Enhance WARMCOOKIE Backdoor

The WARMCOOKIE backdoor, first detected in mid-2024 via phishing campaigns, has been updated with new features for better stealth and functionality. Recent variants use dynamic string banks for folder paths and mutexes, enabling execution of executables, DLLs, and PowerShell scripts through temporary directories. These changes allow operators to maintain persistent access in enterprise networks, evading detection while deploying secondary payloads.

Ransomware Groups Abuse Remote Access Tools

Ransomware operators in 2025 have increasingly targeted legitimate remote access tools like AnyDesk and Splashtop for persistence in enterprise environments. Attackers hijack preinstalled tools or silently install them using command-line flags to blend malicious activity with normal IT operations, often escalating privileges and disabling defenses. This tactic has led to encrypted data, wiped backups, and extended dwell times in campaigns linked to groups like LockBit and Black Basta.

APT Hackers Weaponize ChatGPT for Malware and Phishing

A China-aligned APT group, tracked as UTA0388, has exploited OpenAI’s ChatGPT since June 2025 to generate sophisticated malware payloads and personalized spear-phishing emails. The AI assists in creating obfuscated code for initial access, C2 modules, and convincing phishing content that bypasses traditional filters by eliminating grammatical errors. This integration accelerates attack development, making campaigns more efficient and harder to detect.

Crimson Collective Targets AWS for Data Exfiltration

The Crimson Collective, a new threat group, focuses on AWS environments by compromising access keys and escalating privileges to steal sensitive data, as seen in their claimed breach of Red Hat’s GitLab repositories. They use tools like TruffleHog for credential reconnaissance, create new user accounts for persistence, and leverage AWS services for exfiltration to avoid traditional C2 detection. This approach highlights vulnerabilities in cloud misconfigurations and supply chain elements.

Attackers Exploit Velociraptor DFIR Tool in Ransomware Hits

Ransomware actors, including Storm-2603, have repurposed the open-source DFIR tool Velociraptor (version 0.73.4.0) via a privilege escalation flaw (CVE-2025-6264) to gain remote access in attacks on VMware ESXi and Windows servers. The tool enables stealthy endpoint monitoring, lateral movement, and deployment of Warlock, LockBit, and Babuk ransomware after initial access through SharePoint vulnerabilities. This abuse underscores the risks of dual-use security tools in unmonitored environments.

Hackers Advance ClickFix with Cache Smuggling Technique

A new ClickFix variant employs cache smuggling to deliver malware without direct downloads, masquerading as a Fortinet VPN checker to trick users into running PowerShell commands via the browser cache. The technique stores obfuscated ZIP payloads as fake JPEG images, extracting them to set up scheduled tasks for C2 connections post-reboot. This evolution evades network-based detections and has been observed in campaigns targeting public Wi-Fi users.

SnakeKeylogger Spreads Through Phishing Emails

SnakeKeylogger, a .NET-based credential stealer, is distributed via weaponized emails posing as CPA payment files with ISO or ZIP attachments containing BAT scripts that invoke PowerShell for payload execution. It captures keystrokes, clipboard data, screenshots, and browser credentials before exfiltrating to C2 servers, often impersonating financial institutions to lure victims. The malware’s modular design and reliance on native Windows tools make it persistent and hard to detect without behavioral analysis.

MalTerminal Uses GPT-4 for Dynamic Ransomware Generation

MalTerminal, an early LLM-embedded malware, leverages OpenAI’s GPT-4 API to generate ransomware encryption code or reverse shells on the fly, adapting payloads during runtime for evasion. Discovered as a potential proof-of-concept, it prompts the AI for malicious scripts based on user input, shifting signatures dynamically and challenging static detection methods. This represents a novel use of LLMs in malware, potentially enabling autonomous attacks.

Cyber Attacks

Oracle E-Business Suite Zero-Day RCE

The UK’s National Cyber Security Centre (NCSC) issued an urgent warning about a critical zero-day vulnerability in Oracle E-Business Suite (EBS), tracked as CVE-2025-61882, which enables unauthenticated remote code execution via the BI Publisher Integration component. Organizations using EBS versions 12.2.3 to 12.2.14, particularly those with internet-exposed instances, face high risk from specially crafted HTTP requests that require no authentication or user interaction. Exploitation could lead to data exfiltration or system takeover, with indicators including anomalous servlet URIs and suspicious outbound connections. Mitigation involves applying Oracle’s October 2023 Critical Patch Update and dedicated patch, alongside scanning for IoCs and restricting public access with web application firewalls. Read more

CISA Adds Windows Privilege Escalation to KEV Catalog

CISA added CVE-2021-43226, a privilege escalation vulnerability in the Microsoft Windows Common Log File System (CLFS) Driver, to its Known Exploited Vulnerabilities catalog on October 6, 2025. This flaw allows local authenticated attackers to elevate privileges to SYSTEM level through buffer overflows triggered by malicious CLFS log files, affecting Windows 10, 11, and various Server editions. Proof-of-concept code is circulating, heightening risks in environments where initial access has been gained via phishing. Federal agencies and critical infrastructure must patch by October 27, 2025, prioritizing domain controllers and using tools like Microsoft Baseline Security Analyzer for assessments. Monitor Event IDs 4656 and 4658 for unauthorized access attempts involving clfs.sys. Read more

Cisco ASA/FTD 0-Day Authentication Bypass

Cisco disclosed a zero-day vulnerability, CVE-2025-20362, in ASA and FTD software that enables authentication bypass through a path traversal flaw in the VPN web server component. Attackers can exploit this critical issue, rated CVSS 9.1, on devices with remote access VPN enabled to gain unauthorized access without credentials. A proof-of-concept has been released, and active exploitation is underway, potentially leading to remote code execution in chained attacks. Affected versions include those prior to recent patches; users should immediately apply updates from Cisco’s advisory and review configurations for exposed VPN portals. Enhanced logging and intrusion detection rules are recommended to spot traversal attempts in access logs. Read more

Surge in Attacks on Palo Alto GlobalProtect Portals

Attacks targeting Palo Alto Networks PAN-OS GlobalProtect login portals have escalated dramatically, with over 2,200 unique IP addresses launching probes in recent days. This surge follows patterns seen before vulnerability disclosures, focusing on reconnaissance for weaknesses like the prior CVE-2024-3400 command injection flaw. Malicious actors are scanning for unpatched firewalls to enable remote code execution with root privileges. Organizations should audit March 2025 logs, apply all PAN-OS patches, block suspicious IPs, and implement multi-factor authentication on VPNs. Threat hunting and enhanced monitoring of portal access attempts are critical to detect ongoing campaigns. Read more

Mustang Panda Deploys Novel DLL Side-Loading

Chinese threat actor Mustang Panda has resurfaced with a new DLL side-loading technique to deliver malware, targeting government and military entities in East Asia. The campaign uses weaponized RAR archives containing legitimate signed executables paired with malicious DLLs, evading detection by leveraging trusted binaries. Once sideloaded, the DLLs deploy variants of ToneShell backdoor, communicating via custom encrypted protocols mimicking TLS traffic. Victims extract and run the files, leading to data exfiltration and persistence through autorun entries. Defenses include scanning archives for mismatched DLLs, restricting executable downloads, and monitoring for anomalous network patterns like FakeTLS headers. Read more

SonicWall Breach Exposes Customer Backups

SonicWall confirmed a data breach where hackers stole firewall configuration backup files for all customers, potentially exposing sensitive network details. The unauthorized access occurred through a compromised third-party support portal, allowing retrieval of backups without authentication in some cases. This incident heightens risks of targeted attacks using stolen configs to craft exploits or map internal networks. Affected customers should rotate credentials, review access logs, and apply any available patches to SonicWall devices. The company is notifying impacted users and enhancing portal security with stricter controls. Read more

Vulnerabilities

Google Chrome RCE Vulnerability

Researchers disclosed a critical remote code execution flaw in Google Chrome’s V8 JavaScript engine, stemming from a WebAssembly type canonicalization bug that fails to distinguish nullability in reference types, enabling hash collisions via birthday attacks. The exploit combines this with a V8 sandbox bypass using JavaScript Promise Integration flaws to achieve full stack control and execute shellcode, such as spawning calc.exe on Windows. Users should update to Chrome version M137.0.7151.57 or later to patch the nullability checks and restore type safety.

Redis RCE Vulnerability

A 13-year-old use-after-free vulnerability in Redis, tracked as CVE-2025-49844 with a CVSS score of 10.0, allows post-authentication attackers to escape the Lua sandbox and execute arbitrary code on the host system via crafted scripts. This flaw affects an estimated 330,000 internet-exposed Redis instances, with 60,000 lacking authentication, enabling data theft, encryption, or lateral movement. Mitigation involves upgrading to patched versions released on October 3, 2025, enabling authentication, disabling Lua if unused, and restricting network access.

OpenSSH ProxyCommand Vulnerability

OpenSSH versions before 10.1 contain a command injection flaw, CVE-2025-61984, that bypasses prior fixes by allowing control characters like newlines in usernames passed via ProxyCommand, leading to remote code execution in shells like Bash. Attackers can exploit this through malicious Git submodules in recursive clones if SSH configs use unquoted %r tokens, injecting payloads after a syntax error. Upgrade to OpenSSH 10.1, which bans control characters, or quote %r in ProxyCommand directives to prevent exploitation.

AWS ClientVPN macOS Vulnerability

A critical privilege escalation vulnerability, CVE-2025-11462, in AWS Client VPN for macOS versions 1.3.2 to 5.2.0 arises from improper log rotation validation, allowing non-admin users to create symbolic links and overwrite system files for root access. Attackers can exploit this to execute arbitrary code as root by targeting files like crontab during log writes, compromising the entire macOS device. Upgrade to version 5.2.1 immediately, as no other mitigations exist, and restrict local file modifications in log directories. Read more: https://cybersecuritynews.com/aws-clientvpn-for-macos-vulnerability/varutra+3

CrowdStrike Falcon Sensor Vulnerability

CrowdStrike disclosed two medium-severity flaws in its Falcon sensor for Windows, CVE-2025-42701 (race condition, CVSS 5.6) and CVE-2025-42706 (logic error, CVSS 6.5), enabling attackers with prior code execution to delete arbitrary files and disrupt system stability. These TOCTOU and origin validation issues affect Windows 7 and later, potentially targeting sensor or OS components. Apply sensor version 7.29 or hotfixes for earlier versions to remediate, as no remote exploitation is possible without initial access. Read more:

https://cybersecuritynews.com/crowdstrike-falcon-windows-sensor-vulnerability/

GitLab Security Update

GitLab released patches in versions 18.4.2, 18.3.4, and 18.2.8 to address multiple DoS vulnerabilities, including high-severity CVE-2025-10004 allowing unauthenticated GraphQL queries to exhaust resources by requesting large blobs. Another high-severity issue, CVE-2025-11340, permits read-only token users to perform unauthorized writes in Enterprise Edition via GraphQL mutations. Self-managed instances should upgrade promptly, while GitLab.com and Dedicated are already protected; monitor advisories for further risks.

7-Zip Vulnerabilities

Two high-severity flaws in 7-Zip, CVE-2025-11001 and CVE-2025-11002 (both CVSS 7.0), involve improper symbolic link handling in ZIP files, enabling directory traversal and arbitrary file writes leading to code execution upon extraction. Attackers craft malicious archives to escape extraction paths and overwrite sensitive files, affecting versions before 25.00 released in July 2025. Update to 7-Zip 25.01 manually, as no auto-updates exist, and avoid extracting untrusted archives to prevent compromise.

GitHub Copilot Vulnerability

A critical flaw in GitHub Copilot Chat (CVSS 9.6) allows remote prompt injection combined with CSP bypass to exfiltrate private repository data, including AWS keys and source code, by encoding content in URLs or images rendered in victim chats. Attackers influence responses across users via hidden Markdown comments in pull requests, injecting malicious code suggestions or prompts to access private repos. GitHub fixed this by disabling image rendering in Copilot Chat; users should avoid clicking suspicious links in AI responses and monitor for anomalous data access.

Malicious Code in Antivirus

The IAmAntimalware technique enables attackers to inject malicious code into antivirus processes, bypassing defenses by hiding malware within security software for persistence and evasion. This requires initial system access for code injection, potentially via privilege escalation, allowing manipulation of alerts and undetected operations. Mitigate by monitoring AV process integrity, enforcing code signing, updating software regularly, and using layered EDR for anomalous behavior detection.

Data Breach

Red Hat Breach

Crimson Collective compromised Red Hat Consulting’s infrastructure, exfiltrating 32 million files including sensitive data from over 5,000 enterprise customers like Vodafone and HSBC, with ties to LAPSUS$ via attacker “Miku” (Thalha Jubair). Exposed .pfx certificates from financial and airline sectors enable man-in-the-middle attacks and spoofing, affecting critical infrastructure in finance, healthcare, and transport. Experts recommend certificate rotation and credential updates to mitigate secondary risks from leaked network details and API keys.

Discord Data Exposure

A Zendesk breach at Discord’s third-party support exposed 1.5 TB of data for ~70,000 users, including 2.1 million ID photos, names, emails, and partial billing info, claimed by Scattered Lapsus$ Hunters. Access lasted 58 hours via a compromised agent account, targeting support interactions without affecting passwords or full cards. Discord terminated the vendor, notified users via email, and engaged forensics and law enforcement to counter the extortion.

Microsoft Events Flaw

A vulnerability in Microsoft Events exposed user names and emails from registration/waitlist databases due to access control misconfigurations, discovered by teen hacker Faav. This risks phishing and identity theft for event participants, highlighting needs for better data segregation. Microsoft patched the issue, urging audits and minimized data handling to prevent exploitation.

Tools

Forensic-Timeliner v2.2 Update

Forensic-Timeliner, a Windows forensic tool developed by Acquired Security for DFIR investigators, has released version 2.2 with enhanced automation and improved artifact support. This update consolidates CSV outputs from tools like EZ Tools, KAPE, Axiom, Chainsaw, Hayabusa, and Nirsoft into a unified timeline, enabling rapid reconstruction of event sequences and identification of indicators of compromise. New features include silent mode for headless execution, filter previews via Spectre.Console tables, and keyword tagging for Timeline Explorer integration, alongside date filtering, deduplication, and YAML-configurable parsers for customizable enrichment.

llm-tools-nmap Kali Linux Tool

Kali Linux 2025.3 introduces llm-tools-nmap, an experimental plugin that integrates Simon Willison’s LLM tool with Nmap for AI-driven network scanning and security auditing. This bridge allows natural language commands to translate into Nmap actions, supporting network discovery, quick scans of common ports, service detection, OS profiling, and NSE script execution. Installation requires Python 3.7+, the LLM tool, and Nmap, with functions like nmap_quick_scan and nmap_script_scan invoked via the –functions flag, though users must ensure permissions and comply with policies due to experimental risks.

VirusTotal Platform Access Changes

VirusTotal has updated its platform to simplify access and pricing, introducing streamlined tiers to enhance usability for researchers while rewarding contributors. The free Community Tier remains for individuals with file/URL scanning and public API access, while the Lite Tier at $5,000/year offers advanced search, YARA rules, and private API for small teams. A new Contributor Tier provides free blindspot feeds and discounts for engine partners, and the customizable Duet Tier supports enterprises with high API quotas, emphasizing collaboration under Google Threat Intelligence.

Linux and Windows

Microsoft Teams Multitasking Update

Microsoft plans to introduce a multitasking feature in Teams next month, enabling users to open channels in separate windows for better workflow efficiency. This addresses frequent user complaints about switching between conversations in a single interface, which disrupts focus and productivity. The update, tracked as feature ID 509110, extends existing pop-out options for chats and meetings to channels, allowing persistent visibility of important discussions alongside other tasks. For example, developers can monitor technical channels while coding, reducing context switching and mental fatigue. This enhancement signals Microsoft’s commitment to usability improvements in its collaboration platform. Read more

Microsoft 365 Outage Blocks Access

A major Microsoft 365 outage struck on October 8, 2025, blocking access to Teams, Exchange Online, and the admin center for users worldwide. The issue stemmed from a directory operations problem in backend infrastructure, prompting immediate investigation by Microsoft teams. By late evening, engineers identified the cause and began rebalancing affected services to redirect traffic and restore functionality. Recovery progressed overnight, with services returning online for most users by October 9, though monitoring continued to ensure stability. This incident underscores the risks of authentication dependencies in cloud environments. Read more

Linux Kernel ksmbd Vulnerability Exploited

Security researcher Norbert Szetei released a proof-of-concept exploit for CVE-2025-37947, a high-severity out-of-bounds write flaw in the Linux kernel’s ksmbd SMB server module on October 9, 2025. This vulnerability allows authenticated local attackers to corrupt kernel memory, potentially enabling privilege escalation to root access. The ksmbd component handles SMB3 file sharing, making it a prime target for network-based attacks in Linux environments. No patches are available yet, but distributions like SUSE are developing fixes amid active exploitation reports. Organizations using ksmbd should disable the module or restrict access until remediation. Read more

Microsoft 365 Outage Disrupts Services

On October 9, 2025, another Microsoft 365 disruption affected global users, preventing authentication and access to Teams and Exchange Online due to Azure Front Door capacity issues. The outage, linked to Kubernetes instance failures, caused delays and timeouts across regions including Europe and Africa. Microsoft mitigated by restarting affected instances and rerouting traffic, restoring about 98% of services while investigating recent configuration changes. Intermittent problems persisted for some, including cloud PC access via web clients. This event highlights cascading risks in interconnected cloud infrastructure. Read more

Microsoft Azure Global Outage

Microsoft Azure faced a widespread outage on October 9, 2025, impacting services like the Azure Portal, Entra ID, and tied Microsoft 365 components across multiple regions. The disruption originated from capacity loss in 21 Azure Front Door environments, exacerbated by Kubernetes orchestration failures and potential misconfigurations in North America. Engineers rebalanced infrastructure and initiated failovers, resolving most issues within hours but prompting reviews of traffic management for resilience. This affected business operations globally, emphasizing the need for robust disaster recovery in cloud-dependent setups. Penetration testing could help identify similar vulnerabilities preemptively. Read more

Windows 11 Update and Shutdown Bug Fix

Microsoft addressed a persistent Windows 11 bug in October 2025 preview builds, where the “Update and shutdown” option would restart the PC instead of powering it off after installing updates. This issue, reported since 2023, often led to unexpected reboots and fan noise during idle periods as failed updates triggered retries. The fix ensures proper shutdown behavior, allowing post-update phases to complete on next boot. It applies to versions like 24H2 and 25H2, with stable rollout expected soon. Users on preview channels can test it now to verify reliability. Read more

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Cybersecurity Newsletter Weekly – Discord, Red Hat Data Breach, 7-Zip Vulnerabilities and Sonicwall Firewall Hack appeared first on Cyber Security News.