TLDR Information Security 2025-10-17

Attacks & Vulnerabilities

Fake LastPass, Bitwarden breach alerts lead to PC hijacks (3 minute read)

Cybercriminals are conducting a phishing campaign targeting password manager users with fake breach notification emails that trick recipients into downloading malware disguised as “secure desktop versions” of LastPass and Bitwarden. The malicious downloads install Syncro MSP agent software configured to deploy ScreenConnect remote access tools, giving attackers full control over compromised systems while remaining hidden from users. Security professionals should educate users that legitimate password manager companies never request master passwords via email and that security incidents are always announced through official channels and verified company blogs.

Hackers Exploit Cisco SNMP Flaw to Deploy Rootkit on Switches (2 minute read)

Researchers at Trend Micro uncovered a malware campaign that exploits a recently patched remote code execution vulnerability in older Cisco IOS and IOS XE devices to install a Linux rootkit. This flaw leverages the Simple Network Management Protocol (SNMP) and permits attackers with root privileges to execute arbitrary code, bypassing security controls such as Cisco’s Authentication, Authorization, and Accounting (AAA) framework and Virtual Teletype (VTY) access control lists. Once active, the rootkit conceals running configurations, manipulates logs, and resets timestamps to evade detection, thereby gaining persistent control over affected devices.

Sensitive Customer Info Exposed in Mango Data Breach (2 minute read)

Spanish fashion retailer Mango reported a data breach after one of its third-party service providers experienced unauthorized access. The breached data includes first names, countries, postal codes, email addresses, and phone numbers. Mango stressed that financial information, IDs, usernames, and passwords were not leaked.

Strategies & Tactics

CVE-2025-49844 - The Redis CVSS 10.0 vulnerability and how we responded (4 minute read)

Report URI’s response to the critical Redis vulnerability demonstrates a layered defense strategy: they immediately implemented ACL restrictions to disable EVAL and EVALSHA commands as a temporary mitigation, then leveraged their recently deployed Redis Sentinel high-availability setup to perform zero-downtime upgrades to the patched version. Their existing security posture, which included network isolation, strict firewall rules, role-based access controls, and comprehensive logging, meant they were already protected from exploitation and could quickly verify that no compromise had occurred through command statistics analysis. Security teams should prioritize defense-in-depth architecture that enables rapid response to critical vulnerabilities, including network segmentation, quickly modifiable access controls, and high-availability configurations that allow for seamless patching without service disruption.

Startup Security: Ratios and a 24-Month Hiring Plan (9 minute read)

The author recommends a 1:40 security-to-employee ratio and 1:100 IT-to-employee ratio for startups, based on research from successful companies like GitHub and GitLab. He advocates for organizing security teams into four distinct areas: IT (employee enablement), Security Operations (infrastructure and compliance), GRC (governance and customer-facing security), and Product Security (application security and engineering). The document includes a detailed 24-month hiring plan that scales from 5 security staff at 187 employees to 16 security staff at 600 employees, emphasizing that proper staffing ratios are essential for moving from reactive to proactive security postures.

Automation of VHDX Investigations (12 minute read)

Virtual Hard Disk (VHDX) files are commonly generated by Virtual Desktop Infrastructure (VDI) environments and can be very useful to forensic investigators. Velociraptor is frequently used in investigations but fails to discover or parse the NTUSER.DAT hives in VHDX files without injecting a synthetic ProfileList registry hive or customizing the Windows.Sys.Users artifact to support VHDX discovery logic. To perform this analysis at scale, a single remapping configuration can be used, multiple virtual Velociraptor clients can be launched, or a batch processing approach can be used as a middle ground.

Launches & Tools

MCPTotal Launches to Power Secure Enterprise MCP Workflows (2 minute read)

MCPTotal launched as the first comprehensive security platform for Model Context Protocol (MCP) implementations, addressing critical vulnerabilities in enterprise AI integrations, including supply chain exposures, prompt injection attacks, rogue MCP servers, and data exfiltration risks that traditional security tools cannot monitor. The platform provides a hub-and-gateway architecture with centralized hosting, authentication, credential vaulting, and AI-native firewall capabilities. It monitors MCP traffic and enforces real-time policies while offering a vetted catalog of secure MCP servers. Security professionals should recognize that MCP adoption creates a new attack surface requiring specialized monitoring and governance, and should evaluate solutions that provide visibility into AI-to-enterprise system connections, implement proper authentication controls, and establish policies for employee MCP usage to prevent shadow IT risks.

SecureVibes (GitHub Repo)

SecureVibes is an AI-native security system for vibecoded applications that uses Claude’s multi-agent architecture to find security vulnerabilities in your code base autonomously.

Mondoo (Product Launch)

Mondoo provides an agentic vulnerability management platform enabling organizations to categorize, prioritize, and remediate risks across on-prem, cloud, SaaS, and endpoints.

Miscellaneous

SOC 2 is dead, long live SOC 2! (12 minute read)

The author argues that SOC 2 and other security compliance frameworks have fundamental flaws: vague control requirements disconnected from specific threats, audit methodologies that only assess current state rather than historical effectiveness, and static reports that quickly become outdated in dynamic environments. He proposes ALCOVE (Assurance Levels for Control Operating Viability & Effectiveness), a new framework inspired by software supply chain security models that would provide continuous monitoring, threat-informed requirements, and real-time dashboards showing historical control effectiveness. The proposal includes integrating cyber insurance incentives to drive adoption, where insurers would receive continuous control data from vendors in exchange for premium discounts, creating better-aligned incentives across all stakeholders.

Apple Takes Down New ICE App That Archives Agents Arrest Videos Following ICEBlock Removal (2 minute read)

Apple has removed another anti-ICE app on the App Store. The “Eyes Up” app shared location data of arrests that have already happened and holds archives of arrest videos.

Nation-state hackers deliver malware from “bulletproof” blockchains (4 minute read)

Hackers, including those working for North Korea, are distributing malware using Ethereum and BNB blockchains, making it immune to takedowns and almost impossible to trace. By embedding malicious code in blockchain smart contracts, attackers can bypass traditional security measures, easily update payloads, and use job scams to lure developers into running these contracts as part of the interview process.

Quick Links

PowerSchool hacker gets sentenced to four years in prison (2 minute read)

A 19-year-old college student received a four-year prison sentence and $14 million restitution order for breaching PowerSchool’s systems using stolen subcontractor credentials.

Chinese Threat Group ‘Jewelbug’ Quietly Infiltrated Russian IT Network for Months (2 minute read)

Chinese threat group Jewelbug conducted a five-month intrusion into a Russian IT service provider from January to May.

Auction house Sotheby’s finds its data on the block after cyberattack (3 minute read)

Sotheby’s experienced a cyberattack in July.