A critical, now-patched out-of-bounds write vulnerability in Samsung Galaxy devices was actively exploited as a zero-day. Attackers used this zero-click flaw to deploy LANDFALL, a commercial-grade Android spyware, in targeted attacks in the Middle East. The exploitation of a zero-click vulnerability on a major mobile platform represents a significant threat, as it requires no user interaction to compromise a device.
Business impact
Compromise of executive or employee mobile devices can lead to the exfiltration of sensitive corporate data, communications, and credentials. The use of commercial spyware like LANDFALL indicates a sophisticated adversary capable of targeting high-value individuals, creating a direct risk of corporate espionage and intellectual property theft.
Recommended action
Immediately verify that all corporate-managed and BYOD Samsung devices have applied the latest security patches. Mobile Device Management (MDM) systems should be used to enforce patching policies and audit for compliance.
Cisco has disclosed two critical vulnerabilities in its Unified Contact Center Express (CCX) product that could allow an unauthenticated, remote attacker to execute arbitrary code. The vulnerabilities stem from weak authentication in the Java RMI service, enabling an attacker to upload and execute malicious files.
Business impact
A successful exploit could give an attacker full control over the contact center solution, potentially disrupting customer service operations, intercepting sensitive customer communications, and providing a pivot point into the broader corporate network.
Recommended action
Prioritize the immediate application of patches provided by Cisco for all affected Unified CCX instances. If patching is not immediately possible, restrict network access to the Java RMI service from untrusted sources.
A critical vulnerability has been found in 'expr-eval', a popular npm package for evaluating mathematical expressions used in numerous applications, including AI and NLP systems. The flaw allows an attacker to achieve remote code execution by submitting maliciously crafted input to any application using the library.
Business impact
This is a significant software supply chain risk. Any application, internal or external, that uses this library is potentially vulnerable to a full system compromise. The impact could range from data breaches to complete server takeover, depending on the privileges of the application process.
Recommended action
Security and development teams must immediately run scans of their software bill of materials (SBOM) to identify all instances of the 'expr-eval' package. Update to a patched version of the library as a top priority.
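An added example, not part of the original rundown or of any vendor tooling: one way to run the check above over a package-lock.json (lockfileVersion 2 or 3) or a CycloneDX JSON SBOM, listing every installed copy of a named npm package, transitive ones included. The function names and sample data are constructed for illustration, and no fixed version is hard-coded because the page does not give one.

```javascript
// Added example: find every copy of an npm package in a lockfile or SBOM.
const NM = "node_modules/";
function findInPackageLock(lock, name) {
  const root = lock.packages[""] || {};
  const declared = { ...root.dependencies, ...root.devDependencies };
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    // Keys look like "node_modules/a/node_modules/expr-eval"; the package
    // name is whatever follows the last "node_modules/" segment.
    const idx = path.lastIndexOf(NM);
    if (idx === -1 || path.slice(idx + NM.length) !== name) continue;
    // Direct only if installed at top level AND named by the root manifest.
    hits.push({ version: meta.version, location: path,
                direct: idx === 0 && Object.hasOwn(declared, name) });
  }
  return hits;
}

function findInCycloneDx(bom, name) {
  const hits = [];
  const walk = (components) => {
    for (const c of components || []) {
      // Match on the unscoped name or on the purl; "@scope/expr-eval" is a
      // different package and carries its scope in `group` / the purl path.
      const byName = c.name === name && !c.group;
      const byPurl = String(c.purl || "").startsWith(`pkg:npm/${name}@`);
      if (byName || byPurl) hits.push({ version: c.version, location: c["bom-ref"] || c.purl || c.name });
      walk(c.components); // CycloneDX allows nested component assemblies
    }
  };
  walk(bom.components);
  return hits;
}

function findPackage(doc, name) {
  if (doc.bomFormat === "CycloneDX") return findInCycloneDx(doc, name);
  if (doc.packages) return findInPackageLock(doc, name);
  throw new Error("expected CycloneDX JSON or package-lock.json v2/v3");
}

// Constructed sample inputs; versions are placeholders, not advisory data.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { dependencies: { "calc-ui": "^1.0.0" } },
  "node_modules/calc-ui": { version: "1.0.0" },
  "node_modules/calc-ui/node_modules/expr-eval": { version: "0.0.1" },
  "node_modules/@acme/expr-eval": { version: "9.9.9" } } };
const SAMPLE_BOM = { bomFormat: "CycloneDX", components: [
  { name: "calc-ui", version: "1.0.0", components: [{ name: "expr-eval", version: "0.0.2", purl: "pkg:npm/expr-eval@0.0.2" }] },
  { group: "@acme", name: "expr-eval", version: "9.9.9", purl: "pkg:npm/%40acme/expr-eval@9.9.9" } ] };
```

A hit with `direct: false` cannot be fixed by bumping your own manifest; the parent package has to be upgraded or the dependency overridden.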
A widespread phishing campaign is targeting users of hotel booking platforms like Booking.com and Expedia. Attackers first compromise hotel systems using the PureRAT malware, steal reservation data, and then send highly convincing phishing emails to guests, tricking them into revealing payment information or installing malware.
Business impact
This attack poses a direct financial and data theft risk to employees using these platforms for corporate travel. A successful phish could lead to compromised corporate credit cards and potentially introduce malware onto company devices, creating a foothold for a larger breach.
Recommended action
Issue an immediate alert to all employees regarding this specific scam, especially those who travel frequently. Advise users to be extremely cautious of any payment-related requests from booking sites and to verify them through official channels, not by clicking links in emails.
A Russian national, Aleksei Olegovich Volkov, has pleaded guilty to charges related to his role as an initial access broker for the Yanluowang ransomware group. Volkov was responsible for breaching corporate networks and selling that access to the ransomware operators, facilitating subsequent attacks.
Business impact
This case highlights the specialized and siloed nature of the cybercrime ecosystem. The availability of dedicated initial access brokers lowers the barrier to entry for ransomware groups, increasing the threat to all organizations. A breach by an IAB can quickly escalate to a full-blown ransomware incident, causing significant operational and financial damage.
Recommended action
Review and strengthen defenses against common initial access vectors, including phishing, exploitation of public-facing applications, and compromised credentials. Implement robust monitoring to detect and respond to early-stage intrusion activity before it can be monetized by threat actors.
Bruce Schneier's weekly open thread for discussing security stories not covered on his blog. These threads often provide a valuable pulse on topics of interest to the broader security community.
This analysis moves beyond the hype of AI-driven attacks to discuss the practical security challenges enterprises face when adopting AI. It emphasizes the need for a strategic approach to manage new risks introduced by AI, from data privacy concerns in training models to novel attack vectors like the 'Whisper Leak' side-channel attack.
As AI adoption grows, understanding the unique vulnerabilities of Large Language Models is critical. This article breaks down the eighth risk on the OWASP Top 10 for LLMs, focusing on how attackers can manipulate vector embeddings to poison models, extract sensitive training data, or cause erratic behavior, highlighting a new frontier for application security.
A whitepaper from the Electronic Privacy Information Center (EPIC) warns that widespread government data mining on citizens is becoming increasingly invasive. The report argues that the integration of AI will accelerate this trend, posing significant privacy and civil liberties risks that require new policy and technical safeguards.
Spotlight Rationale: Today's intelligence highlights persistent threats from ransomware (Yanluowang), sophisticated mobile spyware (LANDFALL), and RATs (PureRAT). These threats rely on successful endpoint compromise. Sophos is selected for its focus on endpoint and network security, providing layered defenses essential for detecting and blocking the behaviors associated with these attack chains.
Sophos Intercept X provides advanced endpoint protection that moves beyond traditional signatures to detect the techniques used by modern malware and ransomware. Its anti-ransomware technology specifically monitors for malicious file encryption, while its behavioral analysis can identify the suspicious processes associated with spyware like LANDFALL and RATs like PureRAT. The integrated XDR capability allows security analysts to pivot from an endpoint detection to investigate the entire attack chain, correlating data from firewalls, email, and cloud sources to rapidly understand and neutralize a threat before it escalates.
Actionable Platform Guidance: Based on available intelligence, deploy targeted policies within the Sophos Central console to harden defenses against the threats detailed in today's rundown.
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - Microsoft Security
# Mitigating Side-Channel Attacks (e.g., Whisper Leak) with Microsoft Security
# Disclaimer: Verify against current Microsoft documentation for Sentinel, WAF, and Defender for Cloud.
# --- IMMEDIATE ACTIONS ---
# 1. Azure WAF: Implement Rate Limiting on LLM API Endpoints
# - In your Azure WAF policy, create a custom rule to track and limit requests per IP address to your LLM API gateways.
# - This can disrupt an attacker's ability to send rapid, probing queries needed for some side-channel analysis.
# - Example Logic: Match on request URI path for the API, set rate limit threshold slightly above normal peak usage.
# 2. Microsoft Sentinel: Create Anomaly Detection Rule for API Traffic Volume
# - Use the "Anomalous volume of data sent from a source" analytics rule template.
# - Configure it to monitor logs from Azure WAF or your API Gateway (e.g., AzureDiagnostics).
# - Focus the rule on traffic destined for known external LLM provider IP ranges.
# 3. Defender for Cloud: Enable Adaptive Network Hardening
# - Ensure Adaptive Network Hardening is enabled for VMs or services that communicate with LLM APIs.
# - This feature uses machine learning to recommend NSG rule changes based on actual traffic patterns, which can help spot and block anomalous communication channels.
# --- VERIFICATION STEPS ---
# 1. Review Sentinel Incidents:
# - After enabling the anomaly rule, monitor for incidents related to unusual data exfiltration or API usage patterns.
# - Correlate any alerts with user activity to differentiate between legitimate high-volume usage and potential attacks.
# 2. Check WAF Logs:
# - Periodically review Azure WAF logs for IPs that are frequently hitting the rate limits you've set.
# - Investigate these source IPs for other suspicious activity across your environment.
2. YARA Rule for LANDFALL Android Spyware
rule Android_Spyware_LANDFALL_Indicators {
    meta:
        description = "Detects potential artifacts related to the LANDFALL Android spyware, which exploited CVE-2025-21042."
        author = "Threat Rundown"
        date = "2025-11-08"
        reference = "https://thehackernews.com/2025/11/samsung-zero-click-flaw-exploited-to.html"
        severity = "critical"
        tlp = "white"
    strings:
        $s1 = "/data/local/tmp/updater.apk" ascii wide
        $s2 = "com.network.optimizer.service" ascii wide
        $s3 = "get_exfil_data.sh" ascii wide
        $s4 = "persist.sys.landfall.id" ascii wide
    condition:
        any of ($s*)
}
// Query for Splunk, adaptable to other SIEMs
// Detects anomalous API call patterns to LLM services
(index=proxy OR index=firewall) (sourcetype="pan:traffic" OR sourcetype="zscaler:nss")
    dest_host IN ("api.openai.com", "api.anthropic.com", "generativelanguage.googleapis.com")
| bucket _time span=5m
| stats count as request_count, sum(bytes_out) as total_bytes_out by src_ip, dest_host, _time
| eventstats avg(request_count) as avg_req_count, stdev(request_count) as stdev_req_count, avg(total_bytes_out) as avg_bytes by src_ip, dest_host
| eval risk_score=case(
    request_count > (avg_req_count + 3 * stdev_req_count) AND stdev_req_count > 2, 100,
    request_count > (avg_req_count + 2 * stdev_req_count) AND stdev_req_count > 2, 75,
    1==1, 25)
| where risk_score >= 75
| table _time, src_ip, dest_host, request_count, avg_req_count, total_bytes_out, avg_bytes, risk_score
| sort -risk_score, -_time
4. PowerShell Script — Check for Cisco CCX RCE Indicators
# This script performs a basic check for potential indicators of compromise related to
# CVE-2025-20354 and CVE-2025-20358 on Cisco Unified CCX servers (Windows-based).
# Run with administrative privileges on the target server.
$TargetDirectory = "C:\Program Files (x86)\Cisco\Unified CCX\*" # Adjust path as needed
$SuspiciousExtensions = @(".jsp", ".war", ".jar")
$MaxFileSizeKB = 5120 # 5MB - RCE payloads are often larger than typical config files
$RecentFileThreshold = (Get-Date).AddDays(-7)
Write-Host "[-] Starting check for suspicious files in Cisco CCX directories..."
Write-Host "[-] Target Path: $TargetDirectory"
try {
    Get-ChildItem -Path $TargetDirectory -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.PSIsContainer -eq $false) {
            $isSuspicious = $false
            $reason = ""
            # Check 1: Suspicious file extension in an unusual location (e.g., not a standard lib folder)
            # A trailing backslash is appended so files sitting directly in a lib folder are excluded too.
            if ($SuspiciousExtensions -contains $_.Extension -and "$($_.DirectoryName)\" -notlike "*\lib\*") {
                $isSuspicious = $true
                $reason += "Suspicious Extension; "
            }
            # Check 2: Recently created large files
            if ($_.CreationTime -gt $RecentFileThreshold -and ($_.Length / 1KB) -gt $MaxFileSizeKB) {
                $isSuspicious = $true
                $reason += "Recent Large File; "
            }
            if ($isSuspicious) {
                Write-Warning "[!] POTENTIAL IOC FOUND:"
                Write-Host "    Path: $($_.FullName)"
                Write-Host "    Size (KB): $($_.Length / 1KB)"
                Write-Host "    Created: $($_.CreationTime)"
                Write-Host "    Reason: $reason"
            }
        }
    }
    Write-Host "[+] Check complete."
}
catch {
    Write-Error "An error occurred: $_"
}
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.