Cybersecurity Roundup: Fortinet Vulnerability, Chrome Security Flaw, BadIIS Malware, Massive DDoS Attack, SaaS Data Breach, and More!

This week brought a fresh wave of cyber trouble. Attackers exploited new zero-day bugs in Fortinet FortiWeb and Google Chrome, and broke into software supply chains and SaaS integrations. Many hid inside trusted apps, browser notifications, and software updates.

Big firms like Microsoft, Salesforce, and Google had to react fast: stopping DDoS attacks, blocking bad links, and fixing live flaws. Reports also showed how quickly disinformation, AI risks, and attacks on developers are growing.

Here’s what mattered most in security this week.

⚡ Threat of the Week

Fortinet Warns of Another Silently Patched and Actively Exploited FortiWeb Flaw — Fortinet has warned that a new security flaw in FortiWeb has been exploited in the wild. The medium-severity vulnerability, tracked as CVE-2025-58034, carries a CVSS score of 6.7 out of a maximum of 10.0. It has been addressed in version 8.0.2. “An Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands,” the company said. The development came days after Fortinet confirmed that it silently patched another critical FortiWeb vulnerability (CVE-2025-64446, CVSS score: 9.1) in version 8.0.2. Although the company has not clarified whether the exploitation activity is linked, Orange Cyberdefense said it observed “several exploitation campaigns” chaining CVE-2025-58034 with CVE-2025-64446 to facilitate authentication bypass and command injection. Fortinet’s handling of the issue has come in for heavy criticism. It’s possible that the company was aware of the flaws but chose not to disclose them, so as not to alert other threat actors to their existence until a majority of its customers had applied the patch. But what’s difficult to explain at this stage is why Fortinet opted to disclose the flaws four days apart.
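The CWE-78 pattern Fortinet cites is the same one that bites any code that assembles an OS command from request data. As an added illustration (not Fortinet's code; FortiWeb's internals are not on this page), the Python below puts the vulnerable string-concatenation form beside a hardened version that validates the hostname against a strict allowlist and passes it as its own argv element, so no shell ever parses it. The `ping` diagnostic and the hostname rule are assumptions chosen for the example.

```python
import re
import subprocess
from typing import List, Sequence

# RFC 1123-style hostname allowlist: letters, digits and hyphens in dot-separated
# labels, 253 characters at most. Spaces, ';', '|', '$', quotes and a leading '-'
# (which would read as an option to the program) are all rejected.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_command_unsafe(host: str) -> str:
    """CWE-78 shape: request data pasted straight into a shell command string.

    If this string is later handed to a shell (shell=True, system(), popen()),
    metacharacters in `host` become part of the command. Shown only to make the
    bug visible; nothing here executes it.
    """
    return f"ping -c 1 {host}"


def validate_hostname(host: str) -> str:
    """Allowlist validation: return the hostname unchanged or raise ValueError."""
    if not _HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return host


def build_command_safe(host: str) -> List[str]:
    """Hardened shape: validated input travels as a separate argv element."""
    return ["ping", "-c", "1", validate_hostname(host)]


def run_with_host(argv_prefix: Sequence[str], host: str) -> str:
    """Run a fixed program with the validated host appended as one argument.

    No shell is involved (shell=False is subprocess.run's default), so even a
    host that slipped past validation could not split the command line.
    """
    argv = [*argv_prefix, validate_hostname(host)]
    completed = subprocess.run(argv, capture_output=True, text=True, check=False)
    return completed.stdout


if __name__ == "__main__":
    hostile = "example.com; id"  # constructed input with a shell metacharacter
    print("unsafe :", build_command_unsafe(hostile))  # two commands once a shell parses it
    try:
        build_command_safe(hostile)
    except ValueError as exc:
        print("safe   :", exc)
    print("echo   :", run_with_host(["echo"], "example.com").strip())
```

The two layers are deliberate: validation rejects anything that is not a hostname, and the argv form means that even a validation bug cannot turn one command into two. Sanitising by escaping a shell string is the weaker choice, because the escaping rules differ per shell and per program option parser.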

🔔 Top News

  • Google Patches New Actively Exploited Chrome 0-Day — Google released security updates for its Chrome browser to address two security flaws, including one that has come under active exploitation in the wild. The vulnerability in question is CVE-2025-13223 (CVSS score: 8.8), a type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could be exploited to achieve arbitrary code execution or program crashes. Clément Lecigne of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on November 12, 2025. Google has not shared any details on who is behind the attacks, who may have been targeted, or the scale of such efforts. However, the tech giant acknowledged that an “exploit for CVE-2025-13223 exists in the wild.” With the latest update, Google has addressed seven zero-day flaws in Chrome that have been either actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year.
  • Matrix Push C2 Uses Browser Extensions to Take Users to Phishing Pages — Bad actors are leveraging browser notifications as a vector for phishing attacks to distribute malicious links by means of a new command-and-control (C2) platform called Matrix Push C2. In these attacks, prospective targets are tricked into allowing browser notifications through social engineering on malicious or legitimate-but-compromised websites. Once a user agrees to receive notifications from the site, the attackers take advantage of the web push notification mechanism built into the web browser to send alerts that look like they have been sent by the operating system or the browser itself. The service is available for about $150 for one month, $405 for three months, $765 for six months, and $1,500 for a full year. The fact that the tool is platform-agnostic means it could be favoured by threat actors looking to conduct credential theft, payment fraud, and cryptocurrency scams. Countering such risks requires browser vendors to implement stronger abuse protections, such as using a reputation system to flag sketchy sites and automatically revoking notification permissions for suspicious sites.
  • PlushDaemon APT Uses EdgeStepper to Hijack Software Updates — The threat actor known as PlushDaemon has been observed using a previously undocumented Go-based network backdoor codenamed EdgeStepper to facilitate adversary-in-the-middle (AitM) attacks. EdgeStepper is positioned between a victim and the network edge, tracking requests for certain popular Chinese software products, such as the Sogou Pinyin Method input editor, the Baidu Netdisk cloud service, the multipurpose instant messenger Tencent QQ, and the free office suite WPS Office. If one such software update request is found, EdgeStepper redirects it to PlushDaemon’s infrastructure, resulting in the download of a trojanized update. The attacks lead to the deployment of SlowStepper.
  • Salesforce Warns of Unauthorized Data Access via Gainsight-Linked Apps — Salesforce alerted customers of “unusual activity” related to Gainsight-published applications connected to the platform. The cloud services firm said it has taken the step of revoking all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce. It has also temporarily removed those applications from the AppExchange as its investigation continues. Gainsight said the Gainsight app has been temporarily pulled from the HubSpot Marketplace and Zendesk connector access has been revoked as a precautionary measure. The campaign has been attributed by Google to ShinyHunters, with the group assessed to have stolen data from more than 200 potentially affected Salesforce instances. Cybersecurity company CrowdStrike also said it terminated a “suspicious insider” last month for allegedly passing insider information to Scattered LAPSUS$ Hunters. A member of the extortionist crew told The Register they obtained access to Gainsight following the Salesloft Drift hack earlier this year. The incident once again underscores the security risk posed by the SaaS integration supply chain, where breaching a single vendor acts as a gateway into dozens of downstream environments.
  • Microsoft Mitigates Record 15.72 Tbps DDoS Attack — Microsoft disclosed that it automatically detected and neutralized a distributed denial-of-service (DDoS) attack targeting a single endpoint in Australia that measured 15.72 terabits per second (Tbps) and nearly 3.64 billion packets per second (pps). The tech giant said it was the largest DDoS attack ever observed in the cloud, and that it originated from a TurboMirai-class Internet of Things (IoT) botnet known as AISURU. It’s currently not known who was targeted by the attack.

According to data from QiAnXin XLab, the AISURU botnet is powered by nearly 300,000 infected devices, primarily routers, security cameras, and DVR systems. This botnet has been responsible for some of the largest DDoS attacks ever recorded. Additionally, NETSCOUT has classified the DDoS-for-hire botnet as operating with a limited clientele. QiAnXin XLab also mentioned that a botnet called Kimwolf is likely connected to the group behind AISURU. In fact, one of Kimwolf’s C2 domains recently ranked higher than Google in Cloudflare’s list of top 100 domains, specifically 14emeliaterracewestroxburyma02132[.]su.
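Domains like the Kimwolf C2 above reach defenders defanged (`[.]`), and the first SOC task is to get them into a form a log search can use. The Python below is an added example, not code from QiAnXin XLab or Cloudflare: it refangs indicators, then scans DNS resolver log lines for queries that equal a watchlisted domain or fall under it, matching on label boundaries so a look-alike such as `not14emelia...su` does not trigger. The log format, timestamps and client addresses are constructed; the only real indicator is the domain quoted in the item above.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Indicator as it appears in the report, defanged so it cannot be clicked.
DEFANGED_IOCS = ["14emeliaterracewestroxburyma02132[.]su"]


def refang(indicator: str) -> str:
    """Turn a defanged domain ('bad[.]example') back into its matchable form."""
    domain = indicator.strip().lower()
    for token in ("[.]", "(.)", "{.}", "[dot]", "(dot)"):
        domain = domain.replace(token, ".")
    return domain.rstrip(".")


WATCHLIST = [refang(ioc) for ioc in DEFANGED_IOCS]


def domain_on_watchlist(qname: str, watchlist: Iterable[str]) -> Optional[str]:
    """Return the watchlist entry that qname equals or sits under, else None.

    The suffix check requires a '.' boundary, so 'evil.example' matches
    'a.evil.example' but not 'notevil.example'.
    """
    q = qname.lower().rstrip(".")
    for entry in watchlist:
        if q == entry or q.endswith("." + entry):
            return entry
    return None


# Constructed resolver log format: "<timestamp> <client-ip> query <type> <qname>".
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)"
)

# Constructed sample log; timestamps and client addresses are made up.
SAMPLE_LOG = [
    "2025-11-21T10:02:13Z 10.1.5.23 query A www.google.com",
    "2025-11-21T10:02:14Z 10.1.5.23 query A 14emeliaterracewestroxburyma02132.su",
    "2025-11-21T10:02:15Z 10.1.7.40 query TXT c7a1.14emeliaterracewestroxburyma02132.su.",
    "2025-11-21T10:02:16Z 10.1.9.12 query A not14emeliaterracewestroxburyma02132.su",
    "malformed line that the parser should skip",
]


def scan_dns_log(lines: Iterable[str], watchlist: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, qname, matched_entry) for every watchlisted query."""
    entries = list(watchlist)
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # not a query record in the expected format
        hit = domain_on_watchlist(m["qname"], entries)
        if hit:
            hits.append((m["ts"], m["client"], m["qname"].rstrip("."), hit))
    return hits


if __name__ == "__main__":
    for ts, client, qname, entry in scan_dns_log(SAMPLE_LOG, WATCHLIST):
        print(f"{ts} {client} queried {qname} (watchlist: {entry})")
```

The subdomain match matters for botnet C2: the labels under a controller domain are often per-bot or per-campaign, so an exact-match search on the apex alone would miss most of the traffic.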

In other cybersecurity news:

– A malicious Visual Studio Code extension named “publishingsofficial.prettier-vscode-plus” was found attempting to steal sensitive data. It has since been removed from the Microsoft Extension Marketplace.
– A study by the Institute for Strategic Dialogue revealed that hundreds of English-language websites have been linking to articles from a pro-Kremlin network called Pravda, spreading disinformation.
– Anthropic discovered that large language models trained to cheat on coding tasks exhibit even more misaligned behavior, including sabotaging AI safety research.
– Microsoft announced that Sysmon will be included in future versions of Windows 11 to assist with security log analysis.
– Censys identified over 150 active Remcos RAT command-and-control servers, mainly located in the United States, the Netherlands, and Germany.
– PyPI will now require email-based verification for all TOTP logins coming from new developer devices to enhance security.
– CrowdStrike detailed the cross-domain attacks conducted by the financially motivated threat actor Blockade Spider, who uses Embargo ransomware for monetization.
– A new JavaScript-to-PowerShell loader has been used in cyber attacks to deliver the Phantom Stealer information stealer. The loader decodes the payload in memory and injects Phantom Stealer into msiexec.exe, combining obfuscation with fileless, in-memory loading so that the final payload runs entirely inside a trusted process. Running inside that process helps the operators evade detection and maintain persistence while they move across networks and steal data.

Exploring Cybersecurity Tools and Threats in the Digital World

In a recent Action1 presentation, Gene Moody demonstrated the safe usage of various tools, emphasizing the importance of maintaining a balance between speed and security.

AI tools have revolutionized the cyber landscape, but they also have a dark side. WormGPT, FraudGPT, and SpamGPT are AI tools used by cybercriminals to craft convincing fake emails that can deceive both people and filters. It is crucial for leaders to understand these threats and implement measures to prevent data breaches.

The Cortex Cloud team is addressing new challenges in cloud security, such as misconfigurations and misuse, by developing tools that can detect vulnerabilities early and prevent potential attacks.

🔧 Introducing Essential Cybersecurity Tools

  • YAMAGoya, a cutting-edge tool developed by JPCERT/CC, monitors Windows systems in real time to detect suspicious activities and hidden threats. It leverages Sigma and YARA rules to enhance security measures and provides alerts that can be accessed by other security solutions.
  • Metis, created by Arm’s Product Security Team, uses AI to identify security flaws in code, particularly those that traditional tools might overlook. Compatible with various programming languages, this tool is invaluable for enhancing code security.
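YAMAGoya's value lies in evaluating Sigma rules against live endpoint telemetry, and the Phantom Stealer item above describes a behaviour worth a rule: msiexec.exe started by a script host with no installer package on its command line. The Python below is an added example, not YAMAGoya's code and not a published Sigma rule: a minimal evaluator for the subset of Sigma matching it needs (the endswith/contains field modifiers, list values ORed, map keys ANDed, and/or/not in the condition), run over Sysmon-style process-creation records. The rule, the paths and the process IDs are all constructed for the example.

```python
from typing import Any, Dict, List

# Constructed Sigma-style rule (not from YAMAGoya or the Sigma project). A script
# host spawning msiexec.exe with no .msi package on the command line is the
# suspicious shape; installs from deployment scripts carry a package path and are
# filtered out.
RULE: Dict[str, Any] = {
    "title": "msiexec.exe spawned by a script host without an MSI package",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\msiexec.exe",
            "ParentImage|endswith": [
                "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe", "\\cscript.exe",
            ],
        },
        "filter_package": {"CommandLine|contains": ".msi"},
        "condition": "selection and not filter_package",
    },
}

# Constructed Sysmon Event ID 1-like records; paths, command lines and PIDs are made up.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"ProcessId": 4012, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "msiexec.exe"},
    {"ProcessId": 4018, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\user\Downloads\setup.msi"'},
    {"ProcessId": 4022, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"msiexec.exe /i C:\deploy\agent.msi /qn"},
    {"ProcessId": 4030, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "notepad.exe"},
]


def _match_value(modifier: str, event_value: Any, pattern: Any) -> bool:
    """Compare one field value against one pattern; Sigma string matching is case-insensitive."""
    ev, pat = str(event_value).lower(), str(pattern).lower()
    if modifier == "":
        return ev == pat
    if modifier == "endswith":
        return ev.endswith(pat)
    if modifier == "startswith":
        return ev.startswith(pat)
    if modifier == "contains":
        return pat in ev
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_selection(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Map semantics: every key must match; a list of values is an OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(_match_value(modifier, event[field], p) for p in patterns):
            return False
    return True


def _eval_condition(condition: str, truth: Dict[str, bool]) -> bool:
    """Evaluate 'a and not b', 'not (a or b)' style conditions over selection results."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = [0]

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def take():
        tok = tokens[pos[0]]
        pos[0] += 1
        return tok

    def primary() -> bool:
        tok = take()
        if tok == "(":
            value = or_expr()
            take()  # closing parenthesis
            return value
        if tok == "not":
            return not primary()
        if tok not in truth:
            raise ValueError(f"unknown selection: {tok}")
        return truth[tok]

    def and_expr() -> bool:
        value = primary()
        while peek() == "and":
            take()
            value = primary() and value  # evaluate first so tokens are consumed
        return value

    def or_expr() -> bool:
        value = and_expr()
        while peek() == "or":
            take()
            value = and_expr() or value
        return value

    return or_expr()


def rule_matches(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    detection = rule["detection"]
    truth = {name: _match_selection(sel, event)
             for name, sel in detection.items() if name != "condition"}
    return bool(_eval_condition(detection["condition"], truth))


def scan_events(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> List[int]:
    """Return the ProcessId of every event the rule fires on."""
    return [e["ProcessId"] for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    print(RULE["title"], "->", scan_events(RULE, SAMPLE_EVENTS))
```

The `filter_package` selection is the part that needs environment-specific tuning: deployment scripts do launch msiexec.exe from PowerShell, but they pass a package path, which is what the filter keys on. Sysmon Event ID 1 supplies exactly the Image, ParentImage and CommandLine fields this rule reads, which is why its inclusion in Windows 11 (noted above) matters for this kind of detection.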

Disclaimer: While these tools are valuable for research purposes, caution must be exercised when using them. Proper testing and adherence to security protocols are essential to avoid any potential harm.

Conclusion

The ever-evolving cyber threat landscape underscores the importance of vigilance and proactive security measures. Even minor oversights can lead to significant vulnerabilities, making it imperative for organizations to stay informed and prepared.

By staying abreast of emerging threats and leveraging innovative tools, defenders can strengthen their cybersecurity posture and mitigate risks effectively. Awareness and continuous learning are key in safeguarding digital assets in today’s interconnected world.

Join us for our upcoming RECAP to stay informed about the latest cybersecurity trends and developments shaping the digital realm.
