Daily Digest

PhantomRaven Supply Chain Attack Hits npm; Conduent Breach Exposes 10.5M; CISA Flags Actively Exploited Flaws

PhantomRaven Supply Chain Attack Hits npm; Conduent Breach Exposes 10.5M; CISA Flags Actively Exploited Flaws

October 31, 2025
7 articles (5 new, 2 updated)
21 min read

Summary

This cybersecurity brief for October 31, 2025, covers a surge in sophisticated threats. Highlights include the 'PhantomRaven' supply chain attack on npm using novel evasion techniques, a massive data breach at Conduent affecting 10.5 million individuals, and CISA adding critical, actively exploited vulnerabilities in XWiki and VMware to its KEV catalog. Other major incidents include a prolonged nation-state breach at a key telecom provider, a significant Azure outage, and escalating ransomware campaigns from the Qilin group.

Filter by Category

New Articles (5)

CISA KEV Alert: XWiki RCE Flaw Actively Exploited for Cryptomining

CRITICAL

CISA Adds Critical Unauthenticated RCE in XWiki (CVE-2025-24893) to KEV Catalog Amid Active Exploitation

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution (RCE) vulnerability in the XWiki enterprise wiki platform, CVE-2025-24893, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, rated 9.8 on the CVSS scale, allows an unauthenticated attacker to execute arbitrary code by injecting malicious Groovy expressions into a search query. Security researchers at VulnCheck have confirmed active exploitation in the wild, with attackers using the vulnerability to deploy cryptocurrency mining malware. CISA has mandated that federal agencies patch the flaw promptly due to the immediate risk.

October 31, 2025
4 min read
CVE-2025-24893XWikiRCECISAKEV +2 more
CISA KEV Alert: XWiki RCE Flaw Actively Exploited for Cryptomining
Vulnerability
Patch Management
Cyberattack

VMware Zero-Day LPE Flaw Exploited by China-Linked Actor Added to CISA KEV

HIGH

CISA Adds Actively Exploited VMware Privilege Escalation Zero-Day (CVE-2025-41244) to KEV Catalog

CISA has added CVE-2025-41244, a high-severity local privilege escalation (LPE) vulnerability in VMware products, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw affects VMware Aria Operations and VMware Tools and allows a non-administrative user on a virtual machine to gain root privileges. The vulnerability has been exploited as a zero-day since mid-October 2024, with attribution pointing to UNC5174, a suspected China-linked threat actor. The flaw is an untrusted search path vulnerability, and a public proof-of-concept is available, increasing the risk to unpatched systems.

October 31, 2025
4 min read
CVE-2025-41244VMwarezero-dayprivilege escalationCISA +2 more
VMware Zero-Day LPE Flaw Exploited by China-Linked Actor Added to CISA KEV
Vulnerability
Threat Actor
Patch Management

Finance Execs Targeted in Sophisticated LinkedIn Phishing Scheme with Fake Board Invites

MEDIUM

Phishing Campaign on LinkedIn Lures Finance Executives with Fake Board Invitations to Steal Microsoft Credentials

A sophisticated phishing campaign is targeting finance executives through LinkedIn direct messages, using fake invitations to an executive board as a lure. The multi-stage attack, detailed by Push Security, aims to harvest Microsoft credentials and session cookies to bypass MFA. The attack chain leverages trusted services to appear legitimate, starting with a Google open redirect, leading to a fraudulent portal hosted on Google Firebase, and using a Cloudflare CAPTCHA to evade security bots. This non-email-based phishing vector is reportedly becoming significantly more common, accounting for over a third of recent attempts tracked by researchers.

October 31, 2025
5 min read
phishingLinkedInsocial engineeringcredential theftMFA bypass +1 more
Finance Execs Targeted in Sophisticated LinkedIn Phishing Scheme with Fake Board Invites
Phishing
Threat Actor
Cloud Security

Telecom Giant Ribbon Communications Breached by Nation-State Actor for 10 Months

HIGH

Ribbon Communications Discloses 10-Month Breach by Suspected Nation-State Actor

Telecommunications provider Ribbon Communications has disclosed a significant security breach by a suspected nation-state actor. According to an SEC filing, the attackers first gained access in December 2024 and remained undetected for nearly a year until September 2025. The company, which serves critical clients including the U.S. Department of Defense and major carriers like Verizon, stated the actor accessed several customer files stored on two laptops outside the main network. The long dwell time and the nature of the target suggest a sophisticated espionage campaign, raising serious concerns about supply chain security in the telecommunications sector.

October 31, 2025
5 min read
nation-stateAPTtelecomsupply chain attackdata breach +1 more
Telecom Giant Ribbon Communications Breached by Nation-State Actor for 10 Months
Cyberattack
Threat Actor
Supply Chain Attack

Canada Issues National Alert as Hacktivists Target Critical Infrastructure

HIGH

Canadian Centre for Cyber Security Issues National Alert on Hacktivist Breaches of Industrial Control Systems

The Canadian Centre for Cyber Security, along with the RCMP, has issued a national alert warning of increasing cyberattacks by hacktivists against the nation's critical infrastructure. The advisory follows multiple successful breaches of internet-accessible Industrial Control Systems (ICS) in sectors like water treatment, food, and manufacturing. The alert notes a tactical shift by hacktivists from simple DDoS attacks to more disruptive intrusions into Operational Technology (OT). Authorities are urging organizations, especially in under-regulated sectors, to immediately inventory and secure exposed ICS/OT devices, recommending VPNs with 2FA and enhanced monitoring to mitigate the risk to public safety.

October 31, 2025
4 min read
ICSOT SecuritySCADAcritical infrastructurehacktivism +2 more
Canada Issues National Alert as Hacktivists Target Critical Infrastructure
Industrial Control Systems
Policy and Compliance
Cyberattack

Updated Articles (2)

Conduent Data Breach: 10 Million+ Individuals' Personal & Medical Data Exposed

HIGH

Government Services Contractor Conduent Confirms Data Breach Affecting Over 10 Million People

Update:

New details reveal the Conduent data breach, affecting 10.5 million individuals, is attributed to the SafePay ransomware group. Attackers exfiltrated a massive 8.5 terabytes of sensitive data, including SSNs and medical records, leading to $25 million in direct costs for Conduent. The incident, now considered the eighth-largest healthcare breach, also highlights criticism over delayed victim notifications and the company's failure to offer free identity theft protection.

October 30, 2025
Updated: October 31, 2025
4 min read
Data BreachConduentPIIPHIGovernment Contractor +3 more
Conduent Data Breach: 10 Million+ Individuals' Personal & Medical Data Exposed
Data Breach
Threat Intelligence
Regulatory

Qilin Ransomware Claims 700 Victims in 2025, Becoming Top Global Threat

HIGH

Qilin Ransomware Becomes Most Prolific RaaS Operation of 2025, Surpassing 700 Attacks on Critical Sectors

Update:

A new Cisco Talos report provides updated insights into the Qilin ransomware group's TTPs. The manufacturing sector is now identified as the most heavily targeted, accounting for 23% of attacks. Qilin affiliates are observed using legitimate tools like Cyberduck for data exfiltration and PsExec for lateral movement. Notably, they employ standard Windows applications such as notepad.exe and mspaint.exe to view sensitive data, a tactic likely aimed at evading detection. The report also mentions the use of two distinct encryptor variants and character encodings suggesting Russian-speaking actors.

October 28, 2025
Updated: October 31, 2025
5 min read
QilinRansomwareRaaSDouble ExtortionThreat Actor +2 more
Qilin Ransomware Claims 700 Victims in 2025, Becoming Top Global Threat
Ransomware
Threat Actor
Cyberattack

📢 Share This Publication

Help others stay informed about cybersecurity threats