Cisco Data Breach Exposes User Information Through Vishing Attack
Cisco has confirmed a data breach affecting users registered on Cisco[.]com after a threat actor successfully executed a voice phishing (vishing) attack on a company employee. The incident, discovered on July 24, involved unauthorized access to a third-party cloud-based Customer Relationship Management (CRM) platform used by Cisco. Through this access, the attacker extracted basic profile data from Cisco[.]com account holders, including full names, organization names, email addresses, phone numbers, mailing addresses, Cisco-assigned user IDs, and account metadata such as creation dates. While the company emphasized that no passwords, confidential corporate data, or sensitive customer information were accessed, the breach still raises concerns about the security of employee-facing systems and the potential for social engineering to bypass otherwise protected infrastructure. Cisco confirmed that only one CRM instance was compromised and that its core products and services remained unaffected.
Cisco has not publicly named the third-party CRM platform that was targeted; the exact provider (e.g., Salesforce, HubSpot) has not been disclosed in any official statement or report. Following the breach, Cisco terminated the attacker’s access and launched an investigation, notifying relevant authorities and affected users as required by law. The company is now implementing additional security measures, including internal awareness training, to help employees recognize and respond to voice-based phishing attempts. However, Cisco has not yet revealed the total number of users impacted or whether the stolen data has been offered for sale or ransom.
This breach comes shortly after another recent security lapse in October, when a threat actor named IntelBroker leaked internal Cisco data on BreachForums. That separate incident stemmed from a misconfigured DevHub portal, resulting in the unauthorized download of files belonging to CX Professional Services customers. The recurrence of these breaches highlights the need for enhanced internal controls surrounding third-party platforms and ongoing employee security training, particularly in addressing social engineering threats.
SonicWall SSL VPN Vulnerability Likely Exploited in Akira Ransomware Surge
A wave of Akira ransomware attacks has been linked to the likely exploitation of SonicWall Gen 7 firewalls through an as-yet-unidentified vulnerability in the SSL VPN service. Security vendors, including Arctic Wolf and Huntress, have reported at least 20 confirmed intrusions since mid-July 2025 in which attackers likely used a zero-day flaw to gain unauthorized access, even in environments protected by MFA. The intrusion chain typically begins with the SonicWall appliance being breached, either through credential compromise or vulnerability exploitation. Once inside, the attackers deploy persistence mechanisms including Cloudflared tunnels, SSH, or remote monitoring tools, and rely on a combination of custom scripts and built-in Windows utilities to harvest credentials, perform reconnaissance, and disable security protections. The attacks primarily target SonicWall TZ and NSa-series firewalls running firmware version 7.2.0-7015 and earlier. While a zero-day vulnerability is considered highly likely, security firms have not ruled out credential-based attacks involving brute force or credential stuffing. SonicWall has confirmed a significant increase in related incidents over a 72-hour period and has advised administrators to disable SSL VPN services or restrict them to a trusted list of IP addresses. Additional mitigations include enabling geo-IP and botnet filtering, enforcing multi-factor authentication, and removing inactive local accounts with VPN access. Organizations are also urged to check firewall logs for indicators of compromise and to investigate any unusual access originating from hosting providers rather than typical broadband IP ranges. The attackers' ability to move from VPN access to ransomware deployment within hours underscores the urgent need for advanced endpoint detection, robust account hygiene, and network segmentation to limit the damage from ongoing intrusions.
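The log review recommended above (successful VPN logins from hosting-provider space rather than broadband ranges, plus the account-hygiene angle of password guessing against local accounts) can be scripted. The following is an added example written for this digest, not SonicWall tooling: the log format is a constructed, simplified one (real appliance syslog uses different field names), and every address range is an assumption built from documentation prefixes that an administrator would replace with their own trusted list and an ASN-derived list of hosting providers.

```python
"""Triage SSL VPN login events: flag successful logins that come from outside
the organization's expected ranges, from hosting-provider ranges, or that
follow a burst of failures from the same source.

Added example for this digest; not SonicWall's tooling. The log format is a
constructed, simplified one, and all ranges below are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed: ranges the organization expects its VPN users to connect from.
TRUSTED_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
# Constructed stand-in for hosting-provider space; in practice populate this
# from ASN/whois data for cloud and VPS providers.
HOSTING_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24",)]

# Constructed sample events: timestamp, user, source address, result.
SAMPLE_LOG = """\
2025-07-20T02:14:07Z sslvpn user=jdoe src=203.0.113.44 result=success
2025-07-20T02:15:31Z sslvpn user=svc_backup src=192.0.2.17 result=success
2025-07-20T02:15:40Z sslvpn user=svc_backup src=192.0.2.17 result=success
2025-07-20T03:02:12Z sslvpn user=admin src=198.51.100.250 result=failure
2025-07-20T03:02:13Z sslvpn user=admin src=198.51.100.250 result=failure
2025-07-20T03:02:14Z sslvpn user=admin src=198.51.100.250 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sslvpn user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    src: str
    reason: str


def classify_source(ip):
    """Return 'trusted', 'hosting' or 'untrusted' for a source address."""
    ip = ipaddress.ip_address(ip)
    if any(ip in net for net in TRUSTED_RANGES):
        return "trusted"
    if any(ip in net for net in HOSTING_RANGES):
        return "hosting"
    return "untrusted"


def parse_events(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def triage(log_text, failures_before_success=2):
    """Return findings worth an analyst's attention, in log order."""
    findings = []
    failure_counts = {}  # (user, src) -> failures seen since the last success
    for ev in parse_events(log_text):
        key = (ev["user"], ev["src"])
        if ev["result"] != "success":
            failure_counts[key] = failure_counts.get(key, 0) + 1
            continue
        cls = classify_source(ev["src"])
        if cls == "hosting":
            findings.append(Finding(ev["ts"], ev["user"], ev["src"],
                                    "successful login from hosting-provider range"))
        elif cls == "untrusted":
            findings.append(Finding(ev["ts"], ev["user"], ev["src"],
                                    "successful login from outside trusted ranges"))
        # A success right after repeated failures from the same source is the
        # shape of a guessing or credential-stuffing attempt that worked.
        if failure_counts.get(key, 0) >= failures_before_success:
            findings.append(Finding(ev["ts"], ev["user"], ev["src"],
                                    f"success after {failure_counts[key]} failed attempts"))
        failure_counts[key] = 0
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.user}@{f.src}: {f.reason}")
```

Run against the constructed sample it reports the two service-account logins from the hosting range and the admin login that both comes from outside the trusted list and follows two failures. Feeding it real export data only requires adapting `LINE_RE` to the appliance's field names.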
Update: Chollima APT Exploits Job Seekers to Breach U.S. Orgs via Malicious NPM Packages
The North Korean-linked Chollima APT group, also referred to as Famous Chollima, has been conducting a stealthy cyber espionage campaign since at least December 2022, targeting U.S.-based organizations through job seekers in the software and IT sectors. Posing as recruiters or hiring managers, the attackers use fake identities to initiate convincing interview setups via common video conferencing platforms, where they socially engineer victims into downloading malicious NPM packages. These packages, often hosted on GitHub, are disguised as sample projects or technical assessments and contain obfuscated JavaScript designed to deploy a cross-platform backdoor named InvisibleFerret. The malware, written in Python, runs silently on Windows, macOS, and Linux, making it ideal for targeting developers who typically have Python pre-installed. The infection chain is structured to mimic legitimate developer workflows, exploiting the trust engineers place in GitHub and the standard practices of cloning repositories and running test code during interviews. These repositories, built with standard NPM initialization commands, embed payloads in files including payload[.]js, and are initially seeded with non-malicious commands to pass casual scrutiny before switching to more harmful code obfuscated through tools including BEAR-C2. Some victims are specifically chosen for their recent layoffs, increasing the likelihood that they still have access to sensitive corporate environments, thereby giving attackers indirect access without directly breaching hardened enterprise infrastructure. Despite the campaign's technical depth, mistakes, including leaving GitHub repository comments enabled, have exposed some operations when researchers left public warnings, underscoring occasional lapses in operational security. 
This campaign reveals a dangerous blend of human deception and technical precision, exploiting real-world job search processes to bypass defenses and infiltrate high-value targets.
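Because the lure depends on a candidate cloning a repository and running it without inspection, a quick pre-run audit is the practical defense. The script below is an added example written for this digest, not tooling from the researchers who tracked the campaign: it walks a checkout, flags install-time npm lifecycle hooks (which execute on `npm install`) and JavaScript that carries the shape of obfuscation described above (eval, hex-escaped strings, long base64 literals). Every indicator is a heuristic chosen here (an assumption), and the sample repository it builds is constructed, with a `payload.js` that only mimics the form of an obfuscated file.

```python
"""Pre-run audit of a cloned repository for the warning signs of a malicious
NPM project: install-time lifecycle hooks and obfuscated JavaScript.

Added example for this digest; not tooling from the campaign's researchers.
The indicators are heuristics chosen here (assumptions); the sample repo is
constructed and its payload.js only imitates the shape of obfuscation.
"""
import base64
import json
import re
import tempfile
from pathlib import Path

# Scripts npm runs automatically during `npm install` (assumption: these are
# the hooks a reviewer most wants to see before running anything).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic obfuscation / staging indicators for JavaScript sources.
JS_INDICATORS = {
    "eval or Function constructor": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "spawns processes": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "hex-escaped string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "long base64 literal": re.compile(r"['\"][A-Za-z0-9+/]{80,}={0,2}['\"]"),
}


def audit_package_json(text):
    """Return reasons found in a package.json document."""
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError:
        return ["package.json is not valid JSON"]
    scripts = pkg.get("scripts", {}) if isinstance(pkg, dict) else {}
    return [f"install-time hook '{h}': {scripts[h]}" for h in INSTALL_HOOKS if h in scripts]


def audit_javascript(text):
    """Return the name of every indicator matched in a JavaScript source."""
    return [name for name, rx in JS_INDICATORS.items() if rx.search(text)]


def audit_tree(root):
    """Walk a repository checkout and return (relative path, reason) pairs."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or "node_modules" in path.parts:
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        if path.name == "package.json":
            reasons = audit_package_json(text)
        elif path.suffix in (".js", ".cjs", ".mjs"):
            reasons = audit_javascript(text)
        else:
            continue
        findings.extend((rel, r) for r in reasons)
    return findings


def build_sample_repo():
    """Write a constructed repository into a temp directory: a benign index.js
    and a payload.js that carries only the *shape* of an obfuscated loader."""
    root = Path(tempfile.mkdtemp(prefix="npm-audit-"))
    (root / "package.json").write_text(json.dumps({
        "name": "take-home-assessment", "version": "1.0.0",
        "scripts": {"test": "node index.js", "postinstall": "node payload.js"},
    }))
    (root / "index.js").write_text("console.log('hello from the assessment');\n")
    encoded = base64.b64encode(
        b"console.log('constructed sample; the real campaign hid a loader here')"
    ).decode()
    (root / "payload.js").write_text(
        'var k = "\\x63\\x6f\\x6e\\x73\\x6f\\x6c\\x65\\x2e\\x6c\\x6f\\x67";\n'
        f'eval(Buffer.from("{encoded}", "base64").toString());\n'
    )
    return root


if __name__ == "__main__":
    for rel, reason in audit_tree(build_sample_repo()):
        print(f"{rel}: {reason}")
```

Point `audit_tree` at a real checkout before running `npm install` or `npm test`; a `postinstall` hook pointing at a file full of escaped strings is exactly the pattern the digest describes, and a clean first commit followed by such a change in the history is worth the same suspicion.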
Update: Raspberry Robin Malware Evolves with Advanced Capabilities
Raspberry Robin, also known as Roshtyak, is a sophisticated malware strain first observed in 2021, initially spreading through infected USB drives. It functions primarily as a downloader, designed to infect systems and deliver additional malicious payloads. Over time, it has evolved into a highly evasive and persistent threat, especially on Windows environments. In its latest iteration, researchers at Zscaler’s ThreatLabz have identified major updates aimed at resisting detection and analysis. The malware now includes multiple initialization loops with flattened control flow, which inflates the code with unnecessary instructions to slow down brute-force decryption and reverse engineering. It also obfuscates stack pointers, making it harder for decompilation tools, including IDA Pro, to reconstruct functions without manual correction. Even its conditional logic has been obscured using complex instructions, preventing analysts from efficiently mapping out its decision-making processes during static analysis. To evade network forensics, it now embeds broken TOR onion addresses for its command-and-control servers, which are dynamically corrected in memory using per-sample algorithms. Other notable changes include the use of expiration dates that limit malware execution to one week per sample, as well as randomized memory mappings between internal modules to prevent detection through behavioral signatures. Altogether, these enhancements reflect a highly adaptive threat that requires defenders to shift away from traditional signature-based detection toward dynamic analysis and proactive behavioral monitoring. To reduce exposure, defenders should disable unused USB ports, deploy behavior-based endpoint detection tools, monitor for abnormal memory execution patterns, and block traffic to known anonymizing services, including TOR.
Update: PXA Stealer Malware Campaign Utilizes Telegram to Automate Attacks
PXA Stealer is a Python-based malware that has grown into a large-scale, highly structured data theft operation run by Vietnamese-speaking cybercriminals. Since its discovery in late 2024 by Cisco researchers, it has infected over 4,000 unique IPs across 62 countries, including the United States, South Korea, and parts of Europe. It is designed to steal personal and corporate data, including saved passwords, credit card information, browser cookies, and autofill data from infected machines. Victims are often lured into opening malicious files that display decoy content, including copyright violation notices, to distract them while the malware installs silently in the background. Once active, PXA Stealer sends the stolen data to Telegram channels operated by the attackers, which are connected to criminal marketplaces where logs are sold to other threat actors for activities including financial fraud, identity theft, or breaking into corporate accounts. The malware’s infection process has evolved to use DLL side-loading and layered staging techniques to avoid detection. It begins with a seemingly harmless file that triggers a hidden DLL responsible for loading the actual stealer payload. The malware can extract browser data by injecting itself into live browser sessions, bypassing common security features, and also targets other sources, including VPN clients, cloud command-line tools, Discord, and file-sharing services. It utilizes hardcoded Telegram bot tokens and chat IDs to maintain communication with its operators, who receive real-time alerts, status updates, and access to the data. Telegram is not just used for exfiltration but also as the backbone for managing stolen data and reselling it through automated services like the Sherlock platform. These recent campaigns show significant upgrades in tradecraft, combining distraction, stealth, automation, and aggressive monetization, making PXA Stealer a serious threat to both individuals and organizations. 
To reduce risk, organizations should block unauthorized Telegram traffic, monitor for unusual DLL activity, and educate users on how to avoid suspicious file downloads during online interactions.
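Hard-coded bot tokens and chat IDs are also what make this family detectable at rest: an analyst pulling strings from a suspected sample can recover the exfiltration channel, and the bot ID alone is enough to correlate samples and to feed a blocklist. The following is an added example written for this digest, not Cisco's or any vendor's tooling. The bytes it scans are constructed, the token inside them is fake, and the assumed token shape (numeric bot ID, colon, 35-character secret) follows the pattern commonly used by secret scanners rather than anything stated in the report.

```python
"""Recover hard-coded Telegram bot API usage (tokens, chat IDs, methods) from
the printable strings of a file, the way an analyst triages a suspected
stealer sample or extracts indicators for blocking.

Added example for this digest; not Cisco's or any vendor's tooling. The
sample bytes are constructed and the token in them is fake; the token shape
(numeric id, ':', 35-character secret) is an assumption.
"""
import re

# Printable ASCII runs of at least 8 bytes, like `strings -n 8`.
STRING_RE = re.compile(rb"[\x20-\x7e]{8,}")
# Bot token: numeric id, ':', then a 35-char secret (assumed length).
TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# Method invoked on the bot endpoint, e.g. sendDocument for exfiltration.
METHOD_RE = re.compile(r"api\.telegram\.org/bot[^/\s]+/(\w+)")
CHAT_ID_RE = re.compile(r"chat_id=(-?\d{5,20})")

# Constructed sample: fragments a stealer might embed, separated by binary
# padding; the token and chat id are invented for this example.
SAMPLE_BYTES = (
    b"\x00\x00MZ\x90\x00\x03\x00\x00\x00"
    b"https://api.telegram.org/bot7000000001:AAEconstructed_sample_token_0000001/sendDocument"
    b"\x00\x00\x00\x00"
    b"chat_id=-1001234567890\x00\x00"
    b"Login Data\x00"
    b"https://api.telegram.org/bot7000000001:AAEconstructed_sample_token_0000001/sendMessage\x00"
)


def extract_strings(data):
    """Return printable ASCII strings found in a byte blob."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(data)]


def redact(bot_id, secret):
    """Keep the bot id (useful for correlation) but mask the secret part."""
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def scan(data):
    """Return redacted tokens, chat ids and API methods, each deduplicated
    in order of first appearance."""
    tokens, chat_ids, methods = [], [], []
    for s in extract_strings(data):
        for m in TOKEN_RE.finditer(s):
            red = redact(m.group(1), m.group(2))
            if red not in tokens:
                tokens.append(red)
        for m in METHOD_RE.finditer(s):
            if m.group(1) not in methods:
                methods.append(m.group(1))
        for m in CHAT_ID_RE.finditer(s):
            if m.group(1) not in chat_ids:
                chat_ids.append(m.group(1))
    return {"bot_tokens": tokens, "chat_ids": chat_ids, "methods": methods}


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BYTES
    for key, values in scan(blob).items():
        print(f"{key}: {values}")
```

Run with a file path it scans that file; without one it scans the constructed blob and reports one redacted token, one chat ID and the `sendDocument` / `sendMessage` methods. The secret is masked on purpose so the output can go into a ticket or a detection rule without redistributing a live credential; for network blocking, the `api.telegram.org` hostname is the indicator that matters.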