Cisco has disclosed and patched a critical vulnerability in its Unified Contact Center Express (UCCX) software. The flaw allows an unauthenticated attacker to execute arbitrary commands on the underlying operating system with root-level privileges, potentially leading to a full system compromise.
Business impact
Successful exploitation could result in complete loss of control over the contact center system, leading to service disruption, data theft, and unauthorized access to sensitive customer and corporate information. This poses a significant operational and reputational risk.
Recommended action
Immediately apply the security updates provided by Cisco to all affected UCCX instances. Review systems for any signs of compromise, such as unexpected processes or network connections.
The threat actor group 'Curly COMrades' is using a novel evasion technique by enabling the native Windows Hyper-V role on compromised systems. They then deploy a custom Linux virtual machine within Hyper-V to run malicious tools, effectively hiding their activity from Endpoint Detection and Response (EDR) solutions monitoring the host Windows OS.
Business impact
This technique can render existing EDR and security monitoring tools blind to attacker activity, allowing for extended dwell time, lateral movement, and data exfiltration without detection. It represents a significant evolution in defense evasion tactics.
Recommended action
Monitor for the unauthorized enablement of the Hyper-V role on workstations and servers where it is not expected. Harden systems by restricting administrative privileges required to enable Windows features. See the Detection & Response Kit below for specific queries.
The financial services sector is facing increasing regulatory pressure to move beyond theoretical cyber resilience planning (tabletop exercises) to implementing operationally necessary and prescriptive controls. This shift requires institutions to build robust, turnkey crisis management capabilities to withstand and recover from sophisticated cyberattacks.
Business impact
Failure to meet these evolving regulatory requirements can result in significant fines, operational restrictions, and reputational damage. A lack of demonstrable resilience can impact investor confidence and customer trust.
Recommended action
Review and mature incident response and business continuity plans to align with new prescriptive regulatory frameworks. Invest in automated recovery and response technologies to reduce manual dependencies during a crisis.
As AI investments grow, many organizations are failing to see a return due to hidden security risks and uncontrolled costs. Aligning financial operations (FinOps) with security practices can help identify AI-related vulnerabilities by monitoring for anomalous cloud spending, which often indicates misconfigurations or malicious activity.
Business impact
Unchecked AI development can lead to massive cloud cost overruns and introduce security vulnerabilities. Integrating FinOps provides a new data source for security teams to detect threats and ensure AI operations are both secure and sustainable.
Recommended action
Establish a collaborative process between FinOps, security, and AI development teams. Implement monitoring and alerting on cloud cost anomalies as a potential indicator of security incidents or vulnerabilities.
CISOs face a critical challenge in operationalizing AI for cybersecurity. This framework outlines five essential dimensions for a successful strategy: augmenting security teams with AI, automating security processes, protecting the AI systems themselves, defending against AI-powered attacks, and ensuring the AI security strategy aligns with business objectives. Neglecting any of these dimensions can lead to strategic failure and increased risk.
Recent high-profile cloud outages that disrupted major services are increasing pressure for government regulation and oversight of cloud service providers. The systemic risk posed by the concentration of critical services within a few major cloud platforms is becoming a national-level concern, with potential implications for resilience and reporting mandates.
A new report highlights that the rapid adoption of Large Language Models (LLMs) and AI agents is causing significant API sprawl. This creates major security blind spots, as traditional application security tools are not equipped to handle the complexity and volume of these new API-driven architectures, exposing organizations to new attack vectors.
Business impact
Unmanaged and unsecured APIs can lead to data breaches, unauthorized access to AI models, and service manipulation. The lack of visibility into these new interfaces poses a critical risk to organizations building AI-driven applications.
Recommended action
Implement a continuous API discovery and testing program. Prioritize API security governance to ensure all new endpoints, especially those related to AI services, are inventoried, assessed, and protected.
Spotlight Rationale: Today's intelligence highlights the critical Cisco UCCX root-level command execution flaw. This underscores the need for defense-in-depth, where even if a service is compromised, its ability to impact other systems is limited. A robust, externalized authorization system can provide a crucial layer of defense.
Platform Focus: Amazon Web Services - Amazon Verified Permissions
Amazon Verified Permissions is a scalable, fine-grained permissions management and authorization service. It externalizes authorization logic from application code, allowing security teams to define and manage policies centrally using the Cedar policy language. In a scenario like the Cisco UCCX compromise, if the application's access to other resources (e.g., databases, file shares) were governed by Verified Permissions, the attacker's ability to move laterally or exfiltrate data would be severely restricted, containing the breach despite the initial root compromise.
Actionable Platform Guidance: Implement Amazon Verified Permissions for critical applications to enforce the principle of least privilege. Define granular policies that specify which principals (users, services) can perform which actions on which resources. For example, a policy could prevent a contact center application from accessing sensitive financial databases, regardless of the privileges it holds on its own host.
# Action: Create a sample Cedar policy to restrict access based on role.
# This policy, managed outside the application, can contain a breach by
# preventing a compromised service from performing unauthorized actions.
# 1. Navigate to the Amazon Verified Permissions console.
# 2. Create a new Policy Store.
# 3. Create a new Static Policy with the following Cedar logic:
permit(
principal,
action == Action::"readFile",
resource
)
when {
principal.role == "document_reader" &&
resource.owner == principal
};
# 4. Integrate your application with the Policy Store using the AWS SDK.
# 5. Before performing a sensitive action, call the IsAuthorized API to check
# if the action is permitted by the centrally managed policy.
2. YARA Rule for Curly COMrades Hyper-V Tools
rule Detect_HyperV_Evasion_Tools {
meta:
description = "Detects artifacts related to the unauthorized enablement of Windows Hyper-V, a technique used by Curly COMrades to evade EDR."
author = "Threat Rundown"
date = "2025-11-06"
reference = "https://thehackernews.com/2025/11/hackers-weaponize-windows-hyper-v-to.html"
severity = "high"
tlp = "white"
strings:
$s1 = "Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V" wide ascii
$s2 = "dism.exe /Online /Enable-Feature /FeatureName:Microsoft-Hyper-V" wide ascii
$s3 = "New-VM -Name \"LinuxPayloadVM\"" wide ascii
$s4 = "vmconnect.exe" wide ascii
condition:
any of them
}
// Splunk Query to detect command-line enablement of Hyper-V
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(CommandLine LIKE "%Enable-WindowsOptionalFeature%Microsoft-Hyper-V%" OR CommandLine LIKE "%dism.exe%Enable-Feature%Microsoft-Hyper-V%")
| table _time, host, user, ParentImage, Image, CommandLine
| sort -_time
4. PowerShell Script ā Audit Hyper-V Feature Status
# This script checks a list of computers for the Hyper-V feature status.
$computers = Get-Content -Path .\computers.txt
$results = @()
foreach ($computer in $computers) {
if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
Write-Host "Checking $computer..."
try {
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ComputerName $computer -ErrorAction Stop
$status = [PSCustomObject]@{
ComputerName = $computer
FeatureName = $feature.FeatureName
State = $feature.State
Timestamp = Get-Date
}
$results += $status
} catch {
Write-Warning "Could not query $computer: $($_.Exception.Message)"
}
}
else {
Write-Warning "$computer is not reachable."
}
}
# Display results where Hyper-V is enabled
$results | Where-Object { $_.State -eq 'Enabled' } | Format-Table
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!
Cookie Notice
We use essential cookies to provide our cybersecurity newsletter service and analytics cookies to improve your experience. We respect your privacy and comply with GDPR requirements.
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
CRITICAL ITEMS
EXECUTIVE INSIGHTS
VENDOR SPOTLIGHT
DETECTION & RESPONSE KIT