Daily Digest

CISA Emergency Directive Issued After F5 Source Code Theft by Nation-State Actor; Microsoft Patches Four Actively Exploited Zero-Days

CISA Emergency Directive Issued After F5 Source Code Theft by Nation-State Actor; Microsoft Patches Four Actively Exploited Zero-Days

October 16, 2025
5 articles (3 new, 2 updated)
15 min read

Summary

This cybersecurity brief for October 16, 2025, covers a critical supply chain threat following the theft of F5 source code by a Chinese nation-state actor, prompting a CISA emergency directive. Concurrently, Microsoft's October Patch Tuesday addresses over 170 flaws, including four actively exploited zero-days. Other major events include the disruption of a ransomware campaign using signed malware, the discovery of a Chinese APT targeting a Russian IT firm, a massive data breach affecting two major airlines, and the disclosure of critical flaws in industrial control systems.

Filter by Category

New Articles (3)

Microsoft Thwarts Ransomware Campaign by Revoking 200+ Malicious Code-Signing Certificates

HIGH

Microsoft Disrupts Vanilla Tempest (Vice Society) by Revoking Over 200 Code-Signing Certificates Used to Sign Fake Microsoft Teams Installers

Microsoft has taken decisive action to disrupt a ransomware campaign by the threat group Vanilla Tempest (also known as Vice Society), which has been targeting education and healthcare. The group was using over 200 fraudulently obtained code-signing certificates to sign counterfeit Microsoft Teams installers. These fake installers delivered the Oyster backdoor, which in turn deployed the Rhysida ransomware. By revoking the certificates from providers like DigiCert, SSL.com, and its own Trusted Signing service, Microsoft has significantly hindered the malware's ability to evade detection.

October 16, 2025
5 min read
RansomwareVanilla TempestVice SocietyRhysidaCode Signing +3 more
Microsoft Thwarts Ransomware Campaign by Revoking 200+ Malicious Code-Signing Certificates

Full Industrial Control: Two CVSS 10.0 Flaws Found in Red Lion ICS RTUs

CRITICAL

Researchers Disclose Two CVSS 10.0 Vulnerabilities in Red Lion Industrial RTUs, Allowing Unauthenticated Remote Code Execution

Security researchers have discovered and disclosed two critical vulnerabilities, both rated CVSS 10.0, in Red Lion Sixnet series industrial remote terminal units (RTUs). The flaws, CVE-2023-42770 (authentication bypass) and CVE-2023-40151 (remote code execution), can be chained together. An unauthenticated attacker can exploit them over the network to execute arbitrary commands with root privileges on affected devices, which are commonly used in critical infrastructure sectors like energy and water treatment, posing a risk of severe physical disruption.

October 16, 2025
5 min read
ICSOT SecurityVulnerabilityCritical InfrastructureCVSS 10 +4 more
Full Industrial Control: Two CVSS 10.0 Flaws Found in Red Lion ICS RTUs

New 'LinkPro' Linux Rootkit Uses eBPF and 'Magic Packets' for Ultimate Stealth

HIGH

Novel 'LinkPro' Linux Rootkit Discovered Using eBPF for Stealth and Remote Activation via Magic Packet

Security researchers have uncovered a sophisticated new GNU/Linux rootkit named 'LinkPro' after investigating a compromised AWS environment. The malware demonstrates advanced stealth capabilities by leveraging extended Berkeley Packet Filter (eBPF) modules to hide its processes and files from security tools. Furthermore, it employs a novel activation mechanism, lying dormant until it receives a specially crafted 'magic packet' over the network. The initial intrusion vector was a vulnerable Jenkins server, from which the attackers deployed the rootkit via a malicious Docker image.

October 16, 2025
6 min read
LinkProLinuxRootkiteBPFMalware +4 more
New 'LinkPro' Linux Rootkit Uses eBPF and 'Magic Packets' for Ultimate Stealth

Updated Articles (2)

Qilin Ransomware Group Adds New Victims to Leak Site

HIGH

Qilin Ransomware Group Continues Attacks, Listing New U.S. Victims on Data Leak Site

Update:

The Qilin ransomware group has significantly escalated its operations in October 2025, claiming numerous new victims across the United States, France, and Africa. This includes critical infrastructure targets like electric cooperatives, as well as healthcare authorities, real estate firms, and municipalities, demonstrating a broader and more impactful targeting strategy. The update also provides a more comprehensive list of MITRE ATT&CK techniques commonly used by Qilin affiliates, such as T1566 (Phishing) and T1190 (Exploit Public-Facing Application) for initial access, and T1041 (Exfiltration Over C2 Channel) for data exfiltration. This indicates an increased threat level and wider operational scope for the group.

October 14, 2025
Updated: October 16, 2025
4 min read
RansomwareQilinRaaSDouble ExtortionData Leak
Qilin Ransomware Group Adds New Victims to Leak Site

Vietnam Airlines Breach: 7.3M Customer Records Exposed in Salesforce Supply Chain Attack

HIGH

Data of 7.3 Million Vietnam Airlines Customers Leaked in Attack by 'Scattered LAPSUS$ Hunters'

Update:

The data breach attributed to 'Scattered LAPSUS$ Hunters' has significantly expanded in scope, now explicitly confirming Qantas as a victim alongside Vietnam Airlines. The total number of affected customers has risen to approximately 13 million, comprising 7.32 million from Vietnam Airlines and 5.7 million from Qantas. The compromised data, stolen in June 2025 via a breach of a technology partner's Salesforce accounts, includes full names, dates of birth, email addresses, phone numbers, and loyalty program details, increasing the risk of targeted phishing and identity theft for a larger pool of individuals.

October 12, 2025
Updated: October 16, 2025
5 min read
Data BreachSupply Chain AttackVietnam AirlinesSalesforceScattered LAPSUS$ Hunters +1 more
Vietnam Airlines Breach: 7.3M Customer Records Exposed in Salesforce Supply Chain Attack

📢 Share This Publication

Help others stay informed about cybersecurity threats

📅 Daily Edition

Curated and deduplicated every day from dozens of trusted sources — giving you one clean, consolidated view of what matters in cybersecurity.

🔢 Deduplication Applied

Related stories are merged into a single evolving article rather than repeated as separate entries — cutting through noise so you only read what's new.

🔗 Full Articles Linked

Every entry links to its full enriched article — complete with MITRE ATT&CK mappings, extracted IOCs, and actionable detection and mitigation guidance.