CISA Warns of Actively Exploited Zero-Days in Fortinet & Dassault Systems; Massive Infostealer Dump Exposes 183M Credentials

Massive "Synthient" Data Dump from RedLine and Vidar Infostealers Exposes 183 Million Credentials

A colossal 3.5-terabyte dataset named "Synthient," containing 183 million unique email and password combinations, has been indexed by Have I Been Pwned. The credentials were not stolen from a single service breach but were aggregated over time from devices infected with infostealer malware such as RedLine and Vidar. While Google confirmed its systems were not directly compromised, the leak poses a severe risk of credential stuffing attacks across countless online services. The data includes 16.4 million credentials never before seen in breach databases, highlighting the ongoing threat of malware-based data harvesting. Security experts urge immediate password updates and the adoption of multi-factor authentication (MFA).

credential stuffinginfostealerpassword reusedata leakcybersecurity

Data Breach

Cerner Discloses Patient Data Breach at Alaskan Hospital Months After Initial Intrusion

Cerner Corporation Notifies Mat-Su Regional Medical Center of Patient Data Breach from Legacy System Compromise

Electronic health records (EHR) vendor Cerner Corporation has informed Mat-Su Regional Medical Center in Alaska of a data breach affecting patient information. The security incident, which involved unauthorized access to legacy Cerner systems, was first detected in February 2025 but originated as early as January. The compromised data could include patient names, Social Security numbers, medical records, diagnoses, and other sensitive health information. The breach did not affect the hospital's own systems, but highlights significant supply chain risks in the healthcare sector. Cerner is offering two years of identity protection services to affected patients.

healthcare breachsupply chain attackpatient dataHIPAAEHR +1 more

Data Breach

Supply Chain Attack

Regulatory

Slow Email Breach Response Leads to 79% Higher Ransomware Risk, Report Finds

INFORMATIONAL

Barracuda Report: Delayed Email Breach Response Correlates to 79% Chance of Ransomware

A new report from Barracuda Networks reveals a strong correlation between slow incident response times for email breaches and the likelihood of a subsequent ransomware attack. Organizations that take over nine hours to remediate an email compromise face a 79% higher chance of also being hit by ransomware. The study found that 78% of organizations experienced an email breach in the last year, with attackers often gaining access and deploying ransomware in under an hour. The high cost of recovery, especially for small businesses, underscores the critical need for automated detection and rapid response capabilities to contain initial email-based threats.

incident responseemail securityphishingransomwarecybersecurity report

Slow Email Breach Response Leads to 79% Higher Ransomware Risk, Report Finds

Security Operations

CISA Warns of Actively Exploited Flaws in Dassault Systèmes' Manufacturing Software

CISA Adds Actively Exploited Dassault Systèmes DELMIA Apriso Flaws to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities in Dassault Systèmes' DELMIA Apriso manufacturing software to its Known Exploited Vulnerabilities (KEV) catalog. The flaws, CVE-2025-6205 (CVSS 9.1) and CVE-2025-6204 (CVSS 8.0), are being actively exploited in the wild. Attackers can chain them to create a privileged user account and then achieve remote code execution, leading to a full system compromise. The software is widely used in critical manufacturing sectors like automotive and aerospace. Federal agencies have been given a three-week deadline to apply patches released in August 2025.

KEVzero-dayCISAmanufacturingICS security +1 more

CISA Warns of Actively Exploited Flaws in Dassault Systèmes' Manufacturing Software

Industrial Control Systems

Apache Tomcat Flaws Expose Servers to Path Traversal and RCE Risk

New Apache Tomcat Vulnerabilities Impact Versions 9, 10, and 11, Posing RCE Risk

The Apache Software Foundation has disclosed two new vulnerabilities impacting Apache Tomcat versions 9, 10, and 11. The most severe flaw, CVE-2025-55752, is a directory traversal vulnerability rated 'Important' that could allow an attacker to bypass security constraints and access protected directories like /WEB-INF/. If HTTP PUT requests are enabled—a non-default setting—this flaw can be escalated to achieve remote code execution (RCE). A second, low-severity flaw, CVE-2025-55754, affects Windows systems and could lead to code execution via malicious console log entries. Users are urged to upgrade to the latest versions to mitigate these risks.

Apache Tomcatpath traversalRCEvulnerabilityJava

Apache Tomcat Flaws Expose Servers to Path Traversal and RCE Risk

North Korean APT BlueNoroff Uses AI-Driven Spyware in New 'GhostCall' and 'GhostHire' Campaigns

BlueNoroff APT Targets Web3 and Venture Capital with AI-Enhanced Spyware on Windows and macOS

The North Korean APT group BlueNoroff is conducting two new financially motivated campaigns, 'GhostCall' and 'GhostHire,' targeting the cryptocurrency and venture capital sectors. According to research from Kaspersky, the group is using sophisticated social engineering, enhanced by generative AI, to lure executives and developers on both Windows and macOS. The attacks involve fake meetings and job offers to trick victims into downloading malware capable of stealing cryptocurrency wallet data, macOS Keychain contents, and other sensitive information. The campaigns show BlueNoroff's increasing focus on macOS and its adoption of AI to accelerate malware development.

BlueNoroffAPTNorth KoreacryptocurrencymacOS +2 more

6 min read

North Korean APT BlueNoroff Uses AI-Driven Spyware in New 'GhostCall' and 'GhostHire' Campaigns

Threat Actor

Phishing

Hacking Team Successor Memento Labs Linked to Chrome Zero-Day and 'Dante' Spyware

Kaspersky Links Memento Labs, Successor to Hacking Team, to 'Dante' Spyware and Chrome Zero-Day Campaign

Kaspersky researchers have linked Memento Labs, the Italian company that succeeded the notorious surveillance vendor Hacking Team, to a cyber-espionage campaign that used a Google Chrome zero-day (CVE-2025-2783). The campaign, dubbed "Operation ForumTroll," targeted entities in Russia and Belarus with phishing links that installed spyware called "Dante." Analysis of Dante revealed code similarities to Hacking Team's old RCS spyware, confirming it as a commercial surveillance tool. The zero-day exploit allowed for infection simply by visiting a malicious website, highlighting the continued threat posed by commercial spyware vendors.

spywarezero-dayHacking TeamMemento LabsGoogle Chrome +1 more

6 min read

Hacking Team Successor Memento Labs Linked to Chrome Zero-Day and 'Dante' Spyware

Threat Actor

Cisco and Citrix VPNs Linked to 5-7x Higher Ransomware Risk, At-Bay Report Finds

INFORMATIONAL

At-Bay Report: VPNs and Email Remain Primary Ransomware Vectors, with Cisco and Citrix Posing Highest Risk

A new report from cyber-insurance provider At-Bay identifies email and remote access as the entry points for 90% of cyber claims in 2024. The 2025 InsurSec Rankings Report found that organizations using on-premise VPNs from vendors like Cisco and Citrix were five to seven times more likely to suffer a ransomware attack compared to those using other remote access solutions. Email fraud, often powered by AI, also saw a 30% surge in claim frequency. The report highlights the effectiveness of Managed Detection and Response (MDR) services in mitigating ransomware and ranks Sophos as the top-performing email security solution.

VPNremote accessransomwarecyber insuranceMDR +1 more

Fortinet Silently Patches Critical, Actively Exploited FortiWeb Zero-Day

Fortinet Deploys Silent Patch for Critical FortiWeb Path Traversal Flaw (CVE-2025-64446) Under Active Exploitation

Fortinet has quietly released a patch for a critical, actively exploited zero-day vulnerability in its FortiWeb Web Application Firewall (WAF). The flaw, tracked as CVE-2025-64446 (CVSS 9.8), is a path traversal vulnerability that allows an unauthenticated remote attacker to create an administrator account and gain full control of the device. Attacks have been observed since at least early October 2025. Fortinet released the fix in version 8.0.2 on October 28 but did not immediately issue a public advisory, delaying awareness. The vulnerability was later added to CISA's KEV catalog, confirming its threat and mandating urgent patching.

zero-dayFortinetFortiWebKEVCISA +2 more

Fortinet Silently Patches Critical, Actively Exploited FortiWeb Zero-Day

Cyberattack

City of Gloversville, NY, Pays Partial Ransom After Attack Compromises Employee Data

New York's City of Gloversville Hit by Ransomware, Pays $150,000 After Employee Payroll Data Stolen

The City of Gloversville, New York, has suffered a ransomware attack that was discovered on October 27, 2025. The attack disrupted city computer systems and compromised the personal and payroll information of current and former employees, including bank account numbers. After initially demanding $300,000, the city council approved a partial ransom payment of $150,000 to the unnamed threat actors in exchange for the return of the stolen data. The incident highlights the ongoing vulnerability of municipalities to ransomware attacks.

ransomwaremunicipal governmentdata breachpublic sectorransom payment

City of Gloversville, NY, Pays Partial Ransom After Attack Compromises Employee Data

Data Breach

Regulatory

Updated Articles (3)

Microsoft Report: AI-Generated Phishing Now 4.5x More Effective, Bypassing Traditional Defenses

Updated: October 28, 2025

AI-Powered Phishing Emails Achieve 54% Click-Through Rate, Microsoft's 2025 Digital Defense Report Reveals

Update:

A colossal collection of 183 million unique email and plaintext password combinations, dubbed 'Synthient Stealer Log Threat Data,' has been discovered on underground forums and added to Have I Been Pwned. This data was aggregated from numerous infostealer malware infections over nearly a year, not from a direct breach of any email provider. This incident underscores the escalating threat from infostealer malware, as highlighted in the Microsoft report, and creates a massive pool of credentials for widespread credential stuffing attacks, significantly increasing the risk of account takeovers and identity theft. Users are urged to check HIBP, reset passwords, and enable MFA.

October 18, 2025

AIPhishingMicrosoftThreat IntelligenceMFA +3 more

Phishing

18 Minutes to Mayhem: Ransomware Attacks Now Fully Automated, Slashing Defender Response Time

Updated: October 28, 2025

Ransomware Automation Reduces Attacker 'Breakout Time' to Just 18 Minutes, ReliaQuest Reports

Update:

A new report from Coveware indicates a significant shift in the ransomware landscape. The percentage of victims paying ransoms dropped to a historic low of 23% in Q3 2025, with average payments plummeting by 66%. This decline is attributed to large enterprises refusing to pay and major RaaS groups, including Qilin, pivoting to a 'high-volume, low-demand' model targeting mid-market companies. Despite lower payments, the overall volume of ransomware incidents remains at an all-time high, increasing pressure on SMBs. This evolution demands continued focus on resilience and robust recovery strategies.

October 23, 2025

7 min read

RansomwareAutomationAIQilinLockBit +3 more

Threat Actor

CISA Orders Federal Agencies to Patch New Actively Exploited Vulnerability

Updated: October 28, 2025

CISA Adds New Vulnerability to Known Exploited Vulnerabilities (KEV) Catalog, Mandating Federal Patching

Update:

CISA has now identified the previously unspecified actively exploited vulnerability as two critical flaws (CVE-2025-6204, code injection; CVE-2025-6205, missing authorization) affecting Dassault Systèmes' DELMIA Apriso manufacturing software. These vulnerabilities, added to the KEV catalog on October 28, 2025, are confirmed to be under active exploitation, posing a severe risk to global manufacturing operations. Successful exploitation could lead to operational shutdowns, intellectual property theft, and potential pivot to OT networks. Organizations using DELMIA Apriso are urged to apply patches immediately as mandated for federal agencies.

October 23, 2025

CISAKEVVulnerabilityPatch ManagementBOD 22-01 +1 more