CyberNews: 09/10/2025 Edition

Published by Dunateo on 2025-10-09

Today’s roundup

  • Threat actors steal firewall configs, impacting all SonicWall Cloud Backup users
  • From Phishing to Malware: AI Becomes Russia's New Cyber Weapon in War on Ukraine
  • Critical Exploit Lets Hackers Bypass Authentication in WordPress Service Finder Theme
  • Chaos Ransomware Upgrades with Aggressive New C++ Variant
  • DragonForce, LockBit, and Qilin, a new triad aims to dominate the ransomware landscape
  • Framelink Figma MCP Server Opens Orgs to Agentic AI Compromise
  • China-Nexus Actors Weaponize 'Nezha' Open Source Tool
  • Qilin ransomware claimed responsibility for the attack on the beer giant Asahi
  • Major US law firm says hackers broke into attorneys’ email accounts
  • SaaS Breaches Start with Tokens - What Security Teams Must Watch
Summary

    On October 8, 2025, SonicWall disclosed that an unauthorized party accessed firewall configuration backup files for every customer using its MySonicWall cloud backup service. Although the credentials inside those backups are stored encrypted, the configuration data (users, VPN settings, rules, addresses) gives attackers a map for targeted follow-on attacks, so affected customers need urgent remediation: reset all credentials and shared secrets held in the configuration and reconfigure VPN settings.

    Ukraine's State Service of Special Communications and Information Protection (SSSCIP) reported that Russian hackers escalated their use of AI in cyberattacks against Ukraine during H1 2025. AI is now used to generate phishing messages and malware, a notable step up in the attackers' capabilities.

    An actively exploited critical flaw (CVE-2025-5947, CVSS 9.8) in the Service Finder Bookings plugin bundled with the Service Finder WordPress theme allows authentication bypass, giving attackers administrative control of the site. Sites running the theme or the plugin should update immediately.

    The Chaos ransomware-as-a-service operation has upgraded to an aggressive new C++ variant. This enhanced version incorporates new encryption, wiper, and cryptocurrency-stealing functionalities, making it a more potent and dangerous threat.

    Ransomware groups DragonForce, LockBit, and Qilin have formed a strategic alliance to boost attack effectiveness by sharing tools and infrastructure. This collaboration, coinciding with LockBit 5.0's release, marks a significant evolution in organized cybercrime.

    A critical bug, CVE-2025-53967, in the Framelink Figma MCP server (a third-party server that lets agentic AI clients pull Figma design data) can lead to remote code execution (RCE). Organizations using this server should patch immediately.

    China-linked threat actors are leveraging 'Nezha,' an open-source remote monitoring and management (RMM) tool, in campaigns targeting Asian organizations. Initial access is often gained through vulnerable web applications, and the campaign shows how readily available tooling is used for sophisticated intrusions.

    Japan's Asahi Group Holdings confirmed a ransomware attack by the Qilin group in late September 2025, disrupting Japanese operations. Qilin claimed responsibility and leaked 27GB of stolen employee and financial data, which Asahi confirmed appeared online.

    A prominent U.S. law firm reported that hackers, suspected to be a China-linked nation-state actor, breached attorneys' email accounts. This incident highlights severe risks sophisticated state-sponsored groups pose to legal entities holding sensitive client data.

    Token theft is identified as a leading cause of software-as-a-service (SaaS) breaches in 2025. Overlooked OAuth and API tokens, often long-lived, over-scoped, or no longer used, give attackers a way in that bypasses passwords and MFA, so security teams need stronger token hygiene: inventory tokens, expire and rotate them, restrict scopes, and revoke what is idle.
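An added example, not from the article or any vendor, of what a basic token-hygiene audit looks like in practice: it walks a constructed inventory of OAuth/API tokens (the record layout and the thresholds are assumptions, not any SaaS provider's schema) and flags tokens that never expire, are older than the rotation window, have sat idle, or carry overly broad scopes. A real run would feed it records exported from each SaaS admin API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class TokenRecord:
    """One token as a SaaS admin API or secrets export might describe it.
    Field names are assumptions for this example, not a vendor schema."""
    token_id: str
    kind: str                      # "oauth" or "api_key"
    owner: str                     # user or service account
    scopes: Tuple[str, ...]
    issued_at: datetime
    last_used_at: Optional[datetime]
    expires_at: Optional[datetime]


# Hygiene thresholds (assumed policy values; tune to your environment).
MAX_AGE = timedelta(days=90)       # rotate anything older than this
MAX_IDLE = timedelta(days=30)      # revoke anything unused this long
BROAD_SCOPES = {"*", "admin", "full_access", "repo", "files.write.all"}


def audit_tokens(records: List[TokenRecord], now: datetime) -> Dict[str, List[str]]:
    """Return {token_id: [reasons]} for every token that violates a rule.
    Tokens with no findings are omitted from the result."""
    findings: Dict[str, List[str]] = {}
    for r in records:
        reasons: List[str] = []
        if r.expires_at is None:
            reasons.append("no expiry")
        if now - r.issued_at > MAX_AGE:
            reasons.append("older than 90 days")
        # A token that has never been used is as suspicious as an idle one:
        # nobody would notice if it were stolen.
        if r.last_used_at is None or now - r.last_used_at > MAX_IDLE:
            reasons.append("unused for 30+ days")
        broad = BROAD_SCOPES.intersection(r.scopes)
        if broad:
            reasons.append("broad scope(s): " + ", ".join(sorted(broad)))
        if reasons:
            findings[r.token_id] = reasons
    return findings


# Constructed sample inventory for the demonstration (not real data).
NOW = datetime(2025, 10, 9, tzinfo=timezone.utc)
SAMPLE: List[TokenRecord] = [
    # CI bot with a 400-day-old, never-expiring, repo-wide token.
    TokenRecord("tok-001", "oauth", "ci-bot", ("repo", "workflow"),
                NOW - timedelta(days=400), NOW - timedelta(days=2), None),
    # Personal API key that has not been used in 45 days.
    TokenRecord("tok-002", "api_key", "alice", ("files.read",),
                NOW - timedelta(days=10), NOW - timedelta(days=45),
                NOW + timedelta(days=20)),
    # Healthy: short-lived, narrowly scoped, used an hour ago.
    TokenRecord("tok-003", "oauth", "backup-svc", ("files.read",),
                NOW - timedelta(days=5), NOW - timedelta(hours=1),
                NOW + timedelta(days=25)),
    # Wildcard-scope grant for an integration that was never actually used.
    TokenRecord("tok-004", "oauth", "legacy-integration", ("*",),
                NOW - timedelta(days=30), None, NOW + timedelta(days=300)),
]


def main() -> None:
    for token_id, reasons in audit_tokens(SAMPLE, NOW).items():
        print(f"{token_id}: {'; '.join(reasons)}")


if __name__ == "__main__":
    main()
```

The output of the audit is a revocation and rotation list, which is the actionable half of token hygiene; the other half is making the inventory itself complete, since the tokens that cause breaches are usually the ones nobody exported.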

    Want to dig deeper?

    Vulnerabilities

    CVE-2025-5947 Critical
    CVE-2025-53967 Critical