Cybersecurity News: China-linked group linked to new malware, 2024 VMware zero-day still exploited, iOS fixes glitches

In today’s cybersecurity news…

China-Linked group hits governments with stealth malware

Palo Alto Networks’ Unit 42 says a new China-linked hacking group, Phantom Taurus, has spent the past two years targeting governments and telecoms across Africa, the Middle East, and Asia. The group focuses on ministries of foreign affairs, embassies, defense, and geopolitical events, using a custom .NET malware suite called NET-STAR. Researchers say Phantom Taurus operates with stealth and persistence, using timestomping and advanced evasion to enable long-term intelligence collection for China’s interests. (The Hacker News)

Chinese hackers exploit VMware zero-day since October 2024

Broadcom patched a high-severity VMware Aria Operations and VMware Tools vulnerability that UNC5174, a Chinese state-linked threat actor, had exploited in zero-day attacks since October 2024. The flaw allowed unprivileged local attackers to gain root-level access on VMs. UNC5174 has previously attacked U.S., U.K., and Asian institutions through multiple exploits, often selling access to the compromised networks. Broadcom also recently fixed other VMware zero-days, including two NSX flaws reported by the NSA and three earlier Aria/Tools bugs. (Bleeping Computer)

Apple’s iOS fixes a bevy of glitches

Apple released iOS 26.0.1, fixing Wi-Fi and cellular glitches on iPhone 17, photo artifacts, VoiceOver failures, and blank icons with custom tints. The update also patches a FontParser vulnerability that could let attackers corrupt memory via malicious fonts. iPadOS, macOS, watchOS, tvOS, and visionOS also received bug-fix updates, with iOS 26.1 expected later in October. (ZDNet)

Cyberattack on Asahi disrupts production

Asahi Group said a cyberattack disrupted its Japan operations, causing system failures that halted orders, shipments, call centers, and production at some of its 30 domestic factories. The company is investigating and restoring systems but didn’t give a recovery timeline. No personal data leaks have been confirmed. With nearly 40% market share in Japan, the disruption is expected to be costly for Asahi and resellers. (SecurityWeek)

Huge thanks to our sponsor, Nudge Security

The SaaS supply chain is a hot mesh. As your workforce introduces new SaaS apps and integrations, hidden pathways are created that attackers can exploit to gain access to core business systems. That’s exactly what happened in the Drift breach, and it will happen again.
But, all is not lost. Nudge Security gives you the visibility and control you need to stop these attacks. Within minutes of starting a free trial, you’ll discover every SaaS app and integration in your environment, map your SaaS supply chain, and identify risky OAuth grants that could be exploited.
The best part? Nudge Security alerts you of breaches impacting your 3rd and 4th party SaaS providers. That’s right, even 4th party! So, you can take action quickly to limit the ripple effects. Learn how Nudge can help you secure your entire SaaS ecosystem at nudgesecurity.com/supplychain.

Cyber law and state grants set to go dark as Congress stalls over funding

The Cybersecurity Information Sharing Act and the State and Local Cybersecurity Grant Program are both set to expire as Congress fails to reach a funding agreement. CISA 2015 enables legal threat data sharing, while the grants provide $1 billion to states and localities for cyber defenses. Lawmakers blame each other for the lapse, warning that the expiration will reduce threat sharing and weaken cyber protections against nation-state and criminal attacks, especially for smaller jurisdictions and businesses. (The Record)

Critical My Cloud bug allows remote command injection

Western Digital patched a critical bug in multiple My Cloud NAS models that allowed remote command injection via crafted HTTP POST requests. Firmware version 5.31.108 fixes the issue, but end-of-support devices like My Cloud DL2100 and DL4100 may not get updates. Exploitation could let attackers access, modify, or delete files, change configurations, or execute binaries. Users are urged to update immediately or take devices offline until patched, since unprotected NAS devices have historically been targeted for data theft, botnets, and ransomware. (Bleeping Computer)

‘Klopatra’ trojan makes bank transfers while you sleep

An Android banking Trojan called “Klopatra” has infected more than 3,000 devices in Italy and Spain, disguising itself as the defunct pirate streaming app Mobdro. The malware abuses Accessibility Services to gain full device control, using obfuscation techniques to evade detection. Attackers can reportedly remotely access victims’ phones at night, unlocking devices, opening banking apps, and transferring funds while the screen appears off. (Dark Reading)

Cisco firewalls vulnerable to actively exploited flaws

Nearly 50,000 Cisco ASA and FTD firewalls exposed online remain vulnerable to actively exploited flaws, which allow remote code execution and access to restricted VPN endpoints without authentication. Attacks deploying Line Viper malware and RayInitiator bootkit began before patches were available. The U.S. CISA issued an emergency directive requiring federal agencies to secure or disconnect affected devices, while global exposure remains high, particularly in the U.S., U.K., Japan, Germany, and Russia. Administrators are urged to apply Cisco’s mitigation guidance immediately. (Bleeping Computer)