Daily Digest

Actively Exploited WSUS Flaw Triggers Emergency Patch; Qilin Ransomware Becomes 2025's Top Threat

Actively Exploited WSUS Flaw Triggers Emergency Patch; Qilin Ransomware Becomes 2025's Top Threat

October 28, 2025
10 articles (8 new, 2 updated)
30 min read

Summary

This cybersecurity brief for October 28, 2025, covers several critical developments. Microsoft is scrambling to contain an actively exploited RCE vulnerability in WSUS (CVE-2025-59287) after a botched patch, forcing an emergency update. In the ransomware landscape, the Qilin group has surged to become the most prolific threat of 2025 with over 700 attacks, while payment rates have hit a record low. Other major incidents include a data breach at Sweden's power grid operator claimed by the Everest gang, a massive leak of 4.8 million patient records from Kenya's M-TIBA health platform, and new CISA alerts for critical flaws in industrial control systems and endpoint management software.

Filter by Category

New Articles (8)

Everest Ransomware Hits Swedish Power Grid Operator, Steals 280GB of Data

HIGH

Everest Ransomware Group Claims Data Breach at Swedish Power Grid Operator Svenska kraftnät

Sweden's national electricity operator, Svenska kraftnät, has confirmed a data breach following a claim by the Everest ransomware group. The attackers alleged on their dark web leak site that they had stolen 280 GB of internal data. Svenska kraftnät stated that the attack was confined to an external file transfer system and that the nation's core power grid operations and electricity supply were not affected. An investigation is underway to determine the scope of the compromised data.

October 28, 2025
5 min read
EverestRansomwareData BreachSwedenCritical Infrastructure +2 more
Everest Ransomware Hits Swedish Power Grid Operator, Steals 280GB of Data
Cyberattack
Data Breach
Industrial Control Systems

Massive Breach at Kenyan Health Platform M-TIBA Exposes 4.8 Million Patients

CRITICAL

Threat Actor 'Kazu' Claims Massive Data Breach of Kenyan Health Platform M-TIBA, Affecting 4.8 Million Users

A threat actor named 'Kazu' has claimed responsibility for a catastrophic data breach against M-TIBA, a major mobile health platform in Kenya backed by Safaricom. The hacker alleges the theft of 2.15 terabytes of data, impacting up to 4.8 million users. The compromised information reportedly includes a vast trove of personally identifiable information (PII) and highly sensitive protected health information (PHI), such as patient diagnoses and treatment records from nearly 700 healthcare facilities. A 2GB data sample has already been leaked to substantiate the claim.

October 28, 2025
5 min read
Data BreachHealthcarePHIPIIKenya +3 more
Massive Breach at Kenyan Health Platform M-TIBA Exposes 4.8 Million Patients
Data Breach
Threat Actor
Cloud Security

CISA Warns of Critical Flaws in Global Fuel Gauge Systems, Risking Infrastructure Disruption

CRITICAL

CISA Issues Alert for Critical Vulnerabilities in Veeder-Root Fuel Gauge Systems Used in Global Energy Sector

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical advisory for two vulnerabilities in Veeder-Root's TLS4B Automatic Tank Gauge (ATG) systems, which are used globally to monitor fuel levels. The most severe flaw, CVE-2025-58428, has a CVSS score of 9.9 and could allow a remote, authenticated attacker to execute system-level commands, potentially causing widespread disruption to fuel infrastructure. A second flaw, CVE-2025-55067, relates to the 'Year 2038' problem and could cause denial-of-service conditions.

October 28, 2025
5 min read
ICSOTCISAVeeder-RootCritical Infrastructure +3 more
CISA Warns of Critical Flaws in Global Fuel Gauge Systems, Risking Infrastructure Disruption
Industrial Control Systems
Vulnerability
Patch Management

Critical Apache Tomcat Flaws Expose Servers to RCE and Console Hijacking

HIGH

Apache Software Foundation Patches Critical Tomcat Vulnerabilities Leading to Potential RCE

The Apache Software Foundation has released patches for two critical vulnerabilities, CVE-2025-55752 and CVE-2025-55754, affecting Apache Tomcat versions 9, 10, and 11. The most severe flaw, CVE-2025-55752, is a directory traversal bug that can be escalated to remote code execution (RCE) if non-default settings like PUT requests are enabled. The second flaw could allow for console manipulation on Windows systems. Administrators are urged to upgrade to the latest versions immediately.

October 28, 2025
5 min read
Apache TomcatVulnerabilityRCEDirectory TraversalPatch Management +1 more
Critical Apache Tomcat Flaws Expose Servers to RCE and Console Hijacking
Vulnerability
Patch Management
Cyberattack

North Korea's BlueNoroff APT Targets macOS Users with New 'GhostCall' Malware

HIGH

North Korean APT BlueNoroff Deploys New 'GhostCall' and 'GhostHire' Malware in Campaigns Targeting macOS Users in Crypto Sector

The North Korean advanced persistent threat (APT) group BlueNoroff has been linked to two new sophisticated campaigns, 'GhostCall' and 'GhostHire,' which specifically target macOS users. According to Kaspersky, the financially motivated group, a subset of the Lazarus Group, is targeting venture capitalists and Web3 developers with fake Zoom and Microsoft Teams clients, AI-enhanced social engineering, and a new suite of malware designed to steal cryptocurrency. Victims have been identified globally, including in Japan, Italy, France, and Singapore.

October 28, 2025
5 min read
BlueNoroffAPT38Lazarus GroupmacOSMalware +3 more
North Korea's BlueNoroff APT Targets macOS Users with New 'GhostCall' Malware
Threat Actor
Malware
Phishing

U.S. Coast Guard Poised for 'Generational Change' in Maritime Cybersecurity with $25B Funding

INFORMATIONAL

U.S. Coast Guard Receives Billions in New Funding for Comprehensive Maritime Cybersecurity Overhaul

The U.S. Coast Guard (USCG) is set for a 'generational change' in maritime cybersecurity, according to an analysis by the Center for Strategic and International Studies (CSIS). Nearly $25 billion in new funding, combined with expanded regulatory authorities, will allow the USCG to comprehensively modernize its systems, implement a zero-trust architecture, and enforce new cybersecurity standards across the entire U.S. Marine Transportation System. The move signals a major strategic shift, elevating cyberspace to an operational domain on par with air, land, and sea.

October 28, 2025
4 min read
US Coast GuardMaritime SecurityCSISPolicyRegulation +2 more
U.S. Coast Guard Poised for 'Generational Change' in Maritime Cybersecurity with $25B Funding
Policy and Compliance
Regulatory
Industrial Control Systems

CISA Adds Actively Exploited Motex LANSCOPE RCE Flaw to KEV Catalog

CRITICAL

CISA Adds Critical Motex LANSCOPE Endpoint Manager Vulnerability (CVE-2025-61932) to KEV Catalog Amid Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Motex's LANSCOPE Endpoint Manager, CVE-2025-61932, to its Known Exploited Vulnerabilities (KEV) catalog following confirmation of active attacks. The flaw, rated 9.3 CVSS, allows for unauthenticated remote code execution on affected endpoints. Attackers have reportedly been weaponizing the vulnerability to install backdoors on victim systems, primarily observed in Japan. Federal agencies are now mandated to patch by November 12, 2025.

October 28, 2025
4 min read
CISAKEVMotexLANSCOPEVulnerability +2 more
CISA Adds Actively Exploited Motex LANSCOPE RCE Flaw to KEV Catalog
Vulnerability
Patch Management
Cyberattack

Over-Privileged Active Directory Domain-Join Accounts Create Major Security Risk

HIGH

Misconfigured Active Directory Domain-Join Accounts Provide Reliable Path to Domain Compromise

A new security analysis reveals that Active Directory (AD) domain-join accounts, even when configured according to official guidance, often inherit excessive privileges that create a reliable pathway for attackers to achieve full domain compromise. These specialized accounts, used for automated machine provisioning, can have their credentials exposed during deployment. Attackers can then abuse the account's powerful default permissions, such as object ownership and rights related to Resource-Based Constrained Delegation (RBCD), to escalate privileges and take over computer objects.

October 28, 2025
5 min read
Active DirectoryPrivilege EscalationRBCDMisconfigurationKerberos +1 more
Over-Privileged Active Directory Domain-Join Accounts Create Major Security Risk
Security Operations
Vulnerability
Threat Intelligence

Updated Articles (2)

Microsoft Report: AI-Generated Phishing Now 4.5x More Effective, Bypassing Traditional Defenses

HIGH

AI-Powered Phishing Emails Achieve 54% Click-Through Rate, Microsoft's 2025 Digital Defense Report Reveals

Update:

A colossal collection of 183 million unique email and plaintext password combinations, dubbed 'Synthient Stealer Log Threat Data,' has been discovered on underground forums and added to Have I Been Pwned. This data was aggregated from numerous infostealer malware infections over nearly a year, not from a direct breach of any email provider. This incident underscores the escalating threat from infostealer malware, as highlighted in the Microsoft report, and creates a massive pool of credentials for widespread credential stuffing attacks, significantly increasing the risk of account takeovers and identity theft. Users are urged to check HIBP, reset passwords, and enable MFA.

October 18, 2025
Updated: October 28, 2025
5 min read
AIPhishingMicrosoftThreat IntelligenceMFA +3 more
Microsoft Report: AI-Generated Phishing Now 4.5x More Effective, Bypassing Traditional Defenses
Phishing
Threat Intelligence
Malware

18 Minutes to Mayhem: Ransomware Attacks Now Fully Automated, Slashing Defender Response Time

CRITICAL

Ransomware Automation Reduces Attacker 'Breakout Time' to Just 18 Minutes, ReliaQuest Reports

Update:

A new report from Coveware indicates a significant shift in the ransomware landscape. The percentage of victims paying ransoms dropped to a historic low of 23% in Q3 2025, with average payments plummeting by 66%. This decline is attributed to large enterprises refusing to pay and major RaaS groups, including Qilin, pivoting to a 'high-volume, low-demand' model targeting mid-market companies. Despite lower payments, the overall volume of ransomware incidents remains at an all-time high, increasing pressure on SMBs. This evolution demands continued focus on resilience and robust recovery strategies.

October 23, 2025
Updated: October 28, 2025
7 min read
RansomwareAutomationAIQilinLockBit +3 more
18 Minutes to Mayhem: Ransomware Attacks Now Fully Automated, Slashing Defender Response Time
Ransomware
Threat Actor
Threat Intelligence

📢 Share This Publication

Help others stay informed about cybersecurity threats