CISA orders agencies to fix Cisco firewall zero day flaws by noon today

Check out my latest CSO piece, which examines whether the docking of Qantas' CEO pay signals a new era of cyber breach accountability.

Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.

If you're unable to commit to a subscription today, please consider donating whatever you can. Thank you!

In a series of coordinated releases with Cisco and the UK's National Cyber Security Centre, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a new emergency directive ordering US federal agencies to secure their Cisco firewall devices against two flaws that have been exploited in zero-day attacks.

Emergency Directive 25-03 was issued to Federal Civilian Executive Branch (FCEB) agencies on September 25 and requires them to implement patches for CVE-2025-20333 and CVE-2025-20362 vulnerabilities in Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) software.

"The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. This activity presents a significant risk to victim networks," CISA warned.

"CISA is directing agencies to account for all Cisco ASA and Firepower devices, collect forensics and assess compromise via CISA-provided procedures and tools, disconnect end-of-support devices, and upgrade devices that will remain in service."

The US cybersecurity agency now requires all FCEB agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26.

Cisco has released security updates to address the two security flaws earlier today, saying that CVE-2025-20333 can allow authenticated attackers to remotely gain code execution on vulnerable devices, while CVE-2025-20362 enables remote threat actors to access restricted URL endpoints without authentication.

When chained, the two vulnerabilities can enable unauthenticated attackers to gain complete control of unpatched devices remotely.

"Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis," Cisco said, adding that the attacks targeted 5500-X Series devices with VPN web services enabled.

One industry source said the hackers are likely tied to China. However, CISA is not focused on attributing the activity to a specified nation-state or cybercrime syndicate at this time, Chris Butera, acting deputy executive assistant director for CISA’s Cybersecurity Division, told reporters in a briefing. Hundreds of the Cisco devices are used inside the federal government, he added. (Sergiu Gatlan / Bleeping Computer and David DiMolfetta / NextGov/FCW)

Related: Cisco, NCSC, CVE, CVE, CISA, NextGov/FCW, Washington Post, CyberScoop, sec.cloudapps.cisco.com, SecurityWeek, Cyber Security News, PCMag, Reuters, CSO, Axios, Security Affairs, CRN, The Record, Recorded Future, Bloomberg, Independent, UNN, Reuters, CSO Online, DataBreachToday

Microsoft terminated the Israeli military’s access to technology it used to operate a powerful surveillance system that collected millions of Palestinian civilian phone calls made each day in Gaza and the West Bank.

Microsoft told Israeli officials late last week that Unit 8200, the military’s elite spy agency, had violated the company’s terms of service by storing the vast trove of surveillance data in its Azure cloud platform, sources familiar with the situation said.

The decision to cut off Unit 8200’s ability to use some of its technology results directly from an investigation published by the Guardian last month. It revealed how Azure was being used to store and process the trove of Palestinian communications in a mass surveillance programme.

In a joint investigation with the Israeli-Palestinian publication +972 Magazine and the Hebrew-language outlet Local Call, the Guardian revealed how Microsoft and Unit 8200 had worked together on a plan to move large volumes of sensitive intelligence material into Azure.

The project began after a meeting in 2021 between Microsoft’s chief executive, Satya Nadella, and the unit’s then commander, Yossi Sariel.

In response to the investigation, Microsoft ordered an urgent external inquiry to review its relationship with Unit 8200. Its initial findings have now led the company to cancel the unit’s access to some of its cloud storage and AI services. (Harry Davies and Yuval Abraham / The Guardian)

Related: Microsoft on the Issues, The Verge, Wall Street Journal, Reuters, Al Jazeera, NBC News, The Guardian, JNS, Bloomberg, Sky News, Ynet News, Financial Times, New York Times

A report issued by the Senate Committee on Homeland Security and Governmental Affairs (HSGAC) adds new insight into how Elon Musk’s so-called Department of Government Efficiency (DOGE) operated as a rogue entity within the US government, slashing staff and funding, gaining access to government systems, and overriding agency decision-making.

The report describes how this incursion happened, while raising grave concerns about the possibility of a catastrophic data breach that would affect all Americans and serious questions about who DOGE operatives answer to.

Oversight staff detail how DOGE gained control over federal agencies, focusing their probe on three of DOGE’s primary targets: the General Services Administration (GSA), the Office of Personnel Management (OPM), and the Social Security Administration (SSA).

“A clear pattern emerged across agencies—officials who questioned DOGE were pushed out, and DOGE-affiliated personnel were installed in key positions such as Chief Information Officer,” the report finds. “The DOGE associates were then able to grant approval to other DOGE employees to work with sensitive data without restrictions.”

Throughout the report, committee investigators describe DOGE representatives as working clandestinely within the agencies they were sent to serve and in spaces kept under armed guard, seemingly not beholden to government officials and frequently not abiding by standard procedures, including possibly security protocols.

DOGE affiliates in the SSA had access to personal data belonging to all Americans, the report claims, citing interviews with whistleblowers from the agency, including Social Security numbers, birthplace, date of birth, and work permit status, and placed the information in an unsecured cloud environment established by DOGE. Earlier this year, SSA chief data officer Chuck Borges filed a whistleblower complaint accusing the agency of mishandling data and creating an insecure server to hold it. DOGE operatives could edit and delete data in this system and potentially share it with private entities or foreign actors, the report finds. It’s unclear if the data was manipulated or shared outside of government.

The committee notes that it’s “very likely” that US adversarial nations, including Russia, China, and Iran, are aware of the cloud system DOGE set up at SSA. (Makena Kelly and Vittorio Elliott / Wired)

Related: Ranking Member Gary Peters, Fast Company, New York Times, NextGov/FCW, Mashable, The Verge, Cyberscoop

According to Dutch newspaper De Telegraaf, authorities arrested two 17-year-old boys suspected of performing espionage tasks for a Russian intelligence service, in what officials call a “unique case” in the Netherlands in which they walked a route past Europol, Eurojust, and the Canadian embassy with a Wi-Fi sniffer.

The boys were allegedly approached on Telegram to engage in the espionage tasks.

The arrests followed a tip from Dutch intelligence (AIVD) on Monday. One teen remains in custody for 14 more days, while the other is under house arrest with an electronic ankle monitor. Both were brought before an examining judge on Thursday.

A father of one suspect described the raid: “We live a quiet life, and suddenly eight men with balaclavas storm into the house. They had a search warrant and ran upstairs. ‘Espionage,’ someone said. ‘Providing services to a foreign power.’ We got very little explanation beyond that.” (NL Times)

Related: BBC News

Hackers say they have stolen the pictures, names, and addresses of around 8,000 children from the Kido nursery chain.

The gang of cyber criminals is using the highly sensitive information to demand a ransom from the company, which has 18 sites in and around London, with more in the US and India.

The criminals say they also have information about the children's parents and carers, as well as safeguarding notes. They claim to have contacted some parents by phone as part of their extortion tactics.

Cyber-security firm Check Point described the targeting of nurseries as "an absolute new low." One of its experts, Graeme Stewart, said: "To deliberately put children and schools in the firing line is indefensible. Frankly, it is appalling."

Jonathon Ellison, from the National Cyber Security Centre, described the hack as "deeply distressing". "Cyber criminals will target anyone if they think there is money to be made, and going after those who look after children is a particularly egregious act," he said. (Joe Tidy / BBC News)

Related: The Register, The Guardian, Sky News, The Independent, The Mirror, The Times, The Telegraph, London Evening Standard, The Sun, Hacker News (ycombinator)

Researchers at Recorded Future discovered that a hacking group, which they formerly called TAG100 but has now relabeled RedNovember, that is associated with widespread compromise of edge devices, is a Chinese state-aligned group.

"RedNovember reflects Beijing's broader strategy of leveraging cyber operations as a force multiplier to advance geopolitical goals and military readiness, maintain intelligence collection and pressure in strategically critical areas like the Panama Canal," said Alexander Leslie, national security and intelligence leader at Recorded Future's Insikt Group.

RedNovember targeted 30 Panamanian organizations in April during US Defense Secretary Pete Hegseth's visit to the country. Similarly, the group's hacking activities were detected in December 2024 while China conducted a surprise military exercise around Taiwan.

The group uses malware infrastructure associated with another Chinese group tracked as UNC5266 by Google Mandiant, indicating overlap in malware infrastructure.

RedNovember has also focused on compromising edge devices, a common target for Chinese and other hackers. Chinese hacking groups that Google Mandiant tracks as UNC3886 and UNC4841 also favor edge devices as a gateway into corporate networks. (Akshaya Asokan / BankInfoSecurity)

Related: Recorded Future, SC Media, Alexander Leslie on LinkedIn

Windows 10 end of support is approaching in less than three weeks, and Microsoft has now been forced to make its extended security updates truly free, without a catch, in certain markets in Europe.

When Windows 10 goes end of support on October 14th, some European customers will no longer be required to turn on Windows Backup to enroll in its Extended Security Updates (ESU).

Microsoft had wanted everyone to turn on Windows Backup to get the extra year of security updates, but thanks to pressure from the Euroconsumers group, this is now changing in the European Economic Area. The consumer advocacy group has been asking Microsoft to do more for those still running Windows 10 across Europe, and it has successfully convinced the software giant to offer the extended security updates for free without the requirement of enabling Windows Backup. (Tom Warren / The Verge)

Related: Windows Central, XDA Developers, Thurrott, BleepingComputer, Engadget, PCMag, TechRadar, PCWorld, Help Net Security, Windows Report, Pureinfotech, WinBuzzer, r/Windows10, r/popculturechat, r/windows, r/technology, r/technews

Researchers at cybersecurity firm UpGuard discovered in late August a publicly accessible Amazon-hosted storage server containing 273,000 PDF documents relating to bank transfers of Indian customers.

The exposed files contained completed transaction forms intended for processing via the National Automated Clearing House, or NACH, a centralized system used by banks in India to facilitate high-volume recurring transactions, such as salaries, loan repayments, and utility payments.

The data was linked to at least 38 different banks and financial institutions.

In its blog post detailing its findings, the UpGuard researchers said that out of a sample of 55,000 documents, more than half of the files mentioned the name of Indian lender Aye Finance, which had filed for a $171 million IPO last year. The Indian state-owned State Bank of India was the next institution to appear by frequency in the sample documents, according to the researchers.

After fruitlessly contacting the parties involved, UpGuard then alerted India’s computer emergency response team, CERT-In. Shortly afterward, the exposed data was secured. (Jagmeet Singh, Zack Whittaker / TechCrunch)

Related: UpGuard

A viral app called Neon, which offers to record your phone calls and pay you for the audio so it can sell that data to AI companies, rapidly rose to the ranks of the top-five free iPhone apps since its launch last week, went offline after a security flaw allowed anyone to access the phone numbers, call recordings, and transcripts of any other user.

TechCrunch discovered the security flaw during a short test of the app and alerted the app’s founder, Alex Kiam (who previously did not respond to a request for comment about the app), to the flaw soon after our discovery.

Kiam said he took down the app’s servers and began notifying users about pausing the app, but fell short of informing his users about the security lapse. (Zack Whittaker and Sarah Perez / TechCrunch)

Related: Engadget, Slashdot

Microsoft Threat Intelligence reports that a new variant of the XCSSET macOS malware has been detected in limited attacks, incorporating several new features, including enhanced browser targeting, clipboard hijacking, and improved persistence mechanisms.

XCSSET is a modular macOS malware that acts as an infostealer and cryptocurrency stealer, stealing Notes, cryptocurrency wallets, and browser data from infected devices. The malware spreads by searching for and infecting other Xcode projects found on the device, so that the malware is executed when the project is built.

"The XCSSET malware is designed to infect Xcode projects, typically used by software developers, and run while an Xcode project is being built," explains Microsoft.

"We assess that this mode of infection and propagation banks on project files being shared among developers building Apple or macOS-related applications." (Lawrence Abrams / Bleeping Computer)

Related: Microsoft, Security Week

Researchers at Koi Security report that an npm package copying the official ‘postmark-mcp’ project on GitHub turned bad with the latest update that added a single line of code to exfiltrate all its users' email communication.

Published by a legitimate-looking developer, the malicious package was a perfect replica of the authentic one in terms of code and description, appearing as an official port on npm for 15 iterations.

Model Context Protocol (MCP) is an open standard that allows AI assistants to interface with external tools, APIs, and databases in a structured, predefined, and secure manner.

Postmark is an email delivery platform, and Postmark MCP is the MCP server that exposes Postmark’s functionality to AI assistants, letting them send emails on behalf of the user or app.

As discovered by Koi Security researchers, the malicious package on npm was clean in all versions through 1.0.15, but in the 1.0.16 release, it added a line that forwarded all user emails to an external address at giftshop[.]club linked to the same developer. (Bill Toulas / Bleeping Computer)

Related: Koi Security, Infosecurity Magazine

ESET researchers Peter Kálnai and Matěj Havránek identified new links between DeceptiveDevelopment's malware and the Lazarus Group's PostNapTea RAT.

DeceptiveDevelopment, a North Korea-aligned group that has been active since at least 2023, overlaps with the Contagious Interview and WageMole campaigns, plus a gang that CrowdStrike tracks as Famous Chollima.

Its members pose as recruiters, posting fake profiles on social media along the lines of Lazarus' Operation Dream Job, which tricked job seekers into clicking on malicious links. But in this case, the cybercriminals primarily reach out to software developers and typically those involved in cryptocurrency projects.

The malware analysts note the increasingly "blurred lines between targeted APT activity and cybercrime, particularly in the overlap between malware campaigns by DeceptiveDevelopment and the operations of North Korean IT workers." (Jessica Lyons / The Register)

Related: Virus Bulletin, WeLiveSecurity

Truck, bus, and industrial equipment maker Volvo Group North America is notifying current and former employees of a data breach involving third-party supplier Miljödata.

A Swedish IT company, Miljödat, fell victim to a ransomware attack in August. During the attack, the hackers stole personal information from Adato, a support system for rehabilitation, and Novi, a support system for HR personnel notes.

The incident impacted approximately 25 private companies, including large companies such as Scandinavian airline SAS and metals company Boliden, and roughly 200 Swedish municipalities, including the country’s capital, Stockholm.

Numerous educational institutions, such as the University of Boråthe s, Linköping University, Lund University, Örebro University, and the Swedish University of Agricultural Sciences, also disclosed the impact of the attack.

The incident was claimed by the DataCarry ransomware group, which added Miljödata to its Tor-based leak site and published data allegedly stolen from the company the next day.

In breach notification letters, Volvo Group North America says the incident impacted its employees’ names and Social Security numbers. (Ionut Arghire / Security Week)

Related: Mass.gov, Security Affairs, Cyber Daily

The US Department of Defense unveiled a new five-phased framework for assessing cyber risks on its networks, dubbed the Cybersecurity Risk Management Construct, to replace its old risk management system.

“The previous Risk Management Framework was overly reliant on static checklists and manual processes that failed to account for operational needs and cyber survivability requirements. These limitations left defense systems vulnerable to sophisticated adversaries and slowed the delivery of secure capabilities to the field,” the department said.

“The CSRMC addresses these gaps by shifting from ‘snapshot in time’ assessments to dynamic, automated, and continuous risk management, enabling cyber defense at the speed of relevance required for modern warfare.”

The new framework involves a five-phase lifecycle aligned to system development and operations with an additional ten foundational tenets.

“This construct represents a cultural fundamental shift in how the Department approaches cybersecurity,” Katie Arrington, who is performing the duties of the DoD chief information officer, said.

“With automation, continuous monitoring, and resilience at its core, the CSRMC empowers the DoW [Department of War] to defend against today’s adversaries while preparing for tomorrow’s challenges,” she added, using the Trump administration’s new moniker for the DoD. (Mark Pomerleau / Breaking Defense)

Related: Department of Defense, Industrial Cyber, digwatch, MeriTalk

UK Prime Minister Keir Starmer announced today plans for a compulsory UK-wide digital ID scheme that requires every employee to hold a digital identity document.

Addressing the Global Progress Action Summit alongside the leaders of Canada, Australia, and Iceland, Starmer said his left-leaning Labour government, like others, had been "squeamish" about discussing voters' concerns on immigration, which allowed the right-wing Reform party to gain popularity.

Starmer believes the digital ID will help crack down on illegal working.

"That is why today I am announcing this government will make a new, free-of-charge, digital ID mandatory for the right to work by the end of this parliament," he said. (Reuters)

Related: BBC News, The Independent, The Guardian

Best Thing of the Day: Cyber Defenders Are Getting Smarter

Enhanced cybersecurity measures and incident response protocols have helped major insured companies reduce the impact of significant cyber losses this year, with the frequency of cyber insurance claims holding steady during the first half of 2025.

Worst Thing of the Day: Farewell TikTok, It Was Good to Know You

Some of Donald Trump's closest billionaire friends will now be in control of TikTok, with Oracle and its cofounder Larry Ellison playing a “big” role in managing the app.

Closing Thought