Today on CISO Series…
Mark your calendars for this Friday’s Super Cyber Friday, featuring the session titled “Hacking the Death of EDR.”
In today’s cybersecurity news…
Russian state hackers replace burned malware with new tools
According to Google’s threat intelligence team, the Russian state-sponsored hacking group known as Coldriver, or Star Blizzard, has introduced three new malware strains: NOROBOT, YESROBOT, and MAYBEROBOT. This development follows the exposure of their previous tool, LostKeys, in May. The new malware is reportedly being deployed more aggressively than in prior campaigns, and is specifically designed to evade detection and extract sensitive data from high-value targets. Google suggests that Coldriver is now leveraging custom malware to gather deeper intelligence from victims who have already been phished. (The Record)
Recent Windows updates cause login issues on some PCs
Microsoft has acknowledged that Windows updates released since August 29th are causing login failures on systems with duplicate Security Identifiers (SIDs). This issue leads to Kerberos and NTLM authentication failures across Windows 11 24H2, 25H2, and Windows Server 2025. The problem arises from a new security check that rejects authentication between devices sharing SIDs, often created when systems are cloned without utilizing Sysprep. Microsoft recommends either rebuilding the affected systems or reaching out to support for a temporary Group Policy fix. (Bleeping Computer)
Sophisticated campaign targets servers of high-profile organizations
Kaspersky researchers have identified a likely Chinese-speaking threat actor behind the “PassiveNeuron” campaign, which has been targeting government, financial, and industrial servers across Asia, Africa, and Latin America since 2024. This campaign employs custom implants named “Neursite” and “NeuralExecutor,” alongside Cobalt Strike, to exploit SQL servers and maintain persistence through large disguised DLL files. While Kaspersky notes that the tactics align with Chinese APTs, the attribution remains low-confidence. (Secure List)
CISA adds new flaws to known exploited vulnerabilities catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added high-severity vulnerabilities in Oracle E-Business Suite, Microsoft Windows SMB Client, Kentico Xperience CMS, and Apple JavaScriptCore to its Known Exploited Vulnerabilities catalog. These vulnerabilities could enable data theft, privilege escalation, and remote code execution. Federal agencies are required to patch these flaws by November 10th, while private organizations are advised to update their affected systems. (Security Affairs)
Huge thanks to our sponsor, ThreatLocker
Laser auto cyberattacks emerge
Researchers from France’s Alternative Energies and Atomic Energy Commission (CEA) and semiconductor firm Soitec have unveiled a new chip architecture called Fully Depleted Silicon-on-Insulator, designed to defend against laser fault injection attacks targeting automotive microcontrollers. This innovative design incorporates an insulating oxide layer that complicates circuit manipulation via focused laser beams, effectively thwarting attacks that could flip bits or bypass authentication. Additionally, it enhances cost efficiency and aids automakers in complying with global cybersecurity standards. (Dark Reading)
Hackers exploit zero-days at Pwn2Own Ireland
On the first day of Pwn2Own Ireland 2025, researchers successfully exploited 34 zero-days across a range of devices, including QNAP and Synology NAS, printers, smart home gadgets, and networking equipment, amassing a total of 2,500 in rewards. Team DDOS notably chained eight zero-days to compromise a QNAP router and NAS, earning 0,000, while the Summoning Team topped the leaderboard with 2,500. The contest, co-sponsored by Meta, QNAP, and Synology, not only rewards zero-day exploits but also promotes responsible disclosure, giving vendors a 90-day window to patch vulnerabilities before public disclosure. (Bleeping Computer)
GlassWorm attacks VS Code supply chain
Koi Security researchers have discovered a new self-propagating malware named GlassWorm, which has infected approximately 36,000 developer systems by exploiting Visual Studio Code extensions. This worm cleverly employs invisible Unicode characters to conceal its code, pilfers credentials from GitHub, NPM, and OpenVSX, installs remote access tools, and transforms developer machines into criminal proxy nodes. It also utilizes the Solana blockchain and Google Calendar for command and control. Microsoft has since removed the compromised extensions. (Dark Reading)
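A defender-side check for the concealment trick described above, added here as an example and not Koi Security’s tooling or the GlassWorm sample itself: it scans source text for Unicode code points that render as nothing yet can carry hidden code. The item does not say which code points GlassWorm used, so the ranges below are an assumption covering the common invisible and format characters.

```python
import unicodedata

# Assumed set of invisible single code points (not from the GlassWorm report).
INVISIBLE_SINGLE = {
    0x00AD,                  # soft hyphen
    0x034F,                  # combining grapheme joiner
    0x061C,                  # Arabic letter mark
    0x180E,                  # Mongolian vowel separator
    0x200B, 0x200C, 0x200D,  # zero-width space / non-joiner / joiner
    0x200E, 0x200F,          # left-to-right / right-to-left mark
    0x2060, 0x2061, 0x2062, 0x2063, 0x2064,  # word joiner, invisible operators
    0xFEFF,                  # zero-width no-break space (BOM when not at file start)
}
# Assumed invisible ranges: variation selectors and the Unicode "tags" block,
# both of which can smuggle arbitrary byte values into an editor-visible string.
INVISIBLE_RANGES = [
    (0xFE00, 0xFE0F),    # variation selectors
    (0xE0000, 0xE007F),  # tags block
    (0xE0100, 0xE01EF),  # variation selectors supplement
]

def is_invisible(cp: int) -> bool:
    """True if the code point is in the assumed invisible set or ranges."""
    if cp in INVISIBLE_SINGLE:
        return True
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)

def scan_text(text: str):
    """Return one (line_no, column, code_point, unicode_name) tuple per hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if is_invisible(cp):
                hits.append((line_no, col, cp, unicodedata.name(ch, "<unassigned>")))
    return hits

def scan_file(path: str):
    """Scan a file (e.g. an extension's JavaScript) for invisible code points."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return scan_text(f.read())

# Constructed sample: two tag-block characters hidden inside a string literal.
SAMPLE = 'const x = "a\U000E0041\U000E0042b";\nconsole.log(x);\n'

if __name__ == "__main__":
    for line_no, col, cp, name in scan_text(SAMPLE):
        print("line %d col %d U+%04X %s" % (line_no, col, cp, name))
```

Run it over an extension’s unpacked files; a clean file returns an empty list, and any hit deserves a manual look at the surrounding string.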
PolarEdge targets routers in expanding botnet campaign
PolarEdge, a botnet malware targeting Cisco, ASUS, QNAP, and Synology routers, was first detected in February, with activity tracing back to June 2023. This malware installs a TLS-based backdoor to fingerprint hosts, receive commands, and execute tasks, employing anti-analysis techniques and process masquerading to avoid detection. PolarEdge can function in either connect-back or debug modes, seemingly aimed at constructing a vast network of compromised devices, reminiscent of GhostSocks’ strategy of using infected systems as SOCKS5 proxies. (The Hacker News)
Subscribe to Cyber Security Headlines podcast
Stay informed by subscribing to the Cyber Security Headlines podcast on Spotify, Apple Podcasts, YouTube, RSS link, Amazon Music, or by adding it as an Alexa Skill. You can also search for “Cyber Security Headlines” on your preferred podcast app.