In today’s cybersecurity news…
Hackers use Windows Hyper-V to evade EDR detection
According to a new report from Bitdefender, a threat actor group known as Curly COMrades has been seen “exploiting virtualization technologies as a way to bypass security solutions and execute custom malware.” The group has apparently enabled the Hyper-V role on selected victims’ systems to run a minimalistic, Alpine Linux-based virtual machine, from which it deploys its custom reverse shell, CurlyShell, and a reverse proxy, CurlCat. The activity and victims appear to be centred in the South Caucasus country of Georgia. (The Hacker News)
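As an added example (not part of the original story or of Bitdefender’s report), the following PowerShell triage check is what a defender could run on a Windows endpoint to surface the ingredients of the technique described above: the Hyper-V role unexpectedly enabled, the Virtual Machine Management service running, virtual machines present on a host that should have none, and recent servicing and Hyper-V management events. The list of sanctioned Hyper-V host names is an assumption and should be replaced with your own inventory.

```powershell
# Added defender-side example; not code from the original article or the Bitdefender report.
# Run in an elevated PowerShell session on the Windows host being checked.

function Invoke-HyperVAbuseCheck {
    param(
        # Assumption: hosts on which the Hyper-V role is expected to be enabled.
        [string[]]$ExpectedHyperVHosts = @('HV-CLUSTER-01', 'HV-CLUSTER-02')
    )

    $findings = @()
    $thisHost = $env:COMPUTERNAME

    # 1. Is the Hyper-V optional feature enabled on a host where it should not be?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-All' -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled' -and ($thisHost -notin $ExpectedHyperVHosts)) {
        $findings += "Hyper-V role is enabled on $thisHost, which is not a sanctioned Hyper-V host"
    }

    # 2. Is the Hyper-V Virtual Machine Management service (vmms) running?
    $vmms = Get-Service -Name 'vmms' -ErrorAction SilentlyContinue
    if ($vmms -and $vmms.Status -eq 'Running') {
        $findings += "vmms (Hyper-V Virtual Machine Management) service is running on $thisHost"
    }

    # 3. Enumerate any VMs so an analyst can see small, unexpected guests (name, state, memory, disk paths).
    if (Get-Command -Name Get-VM -ErrorAction SilentlyContinue) {
        foreach ($vm in Get-VM -ErrorAction SilentlyContinue) {
            $disks = ($vm | Get-VMHardDiskDrive | ForEach-Object { $_.Path }) -join ', '
            $memMb = [math]::Round($vm.MemoryStartup / 1MB)
            $findings += "VM '$($vm.Name)' state=$($vm.State) startupMemory=${memMb}MB disks=[$disks]"
        }
    }

    # 4. Recent servicing events (feature/package changes) from the Setup log, last 7 days.
    $since = (Get-Date).AddDays(-7)
    $servicing = Get-WinEvent -FilterHashtable @{
        LogName = 'Setup'; ProviderName = 'Microsoft-Windows-Servicing'; StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Hyper-V' }
    foreach ($evt in $servicing) {
        $findings += "Servicing event $($evt.Id) at $($evt.TimeCreated): $($evt.Message -replace '\s+', ' ')"
    }

    # 5. Recent Hyper-V management activity (VM creation, start, configuration changes).
    $vmmsEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Hyper-V-VMMS-Admin'; StartTime = $since
    } -MaxEvents 50 -ErrorAction SilentlyContinue
    foreach ($evt in $vmmsEvents) {
        $findings += "Hyper-V VMMS event $($evt.Id) at $($evt.TimeCreated): $($evt.Message -replace '\s+', ' ')"
    }

    return $findings
}

# Usage: print findings, or report a clean result for this host.
$results = Invoke-HyperVAbuseCheck
if ($results.Count -eq 0) {
    Write-Output "No Hyper-V role, service, VM or related event activity found on $env:COMPUTERNAME"
} else {
    $results | ForEach-Object { Write-Output $_ }
}
```

On a fleet of workstations that should never host virtual machines, a non-empty result from this check is a strong hunting lead on its own; on legitimate Hyper-V hosts, the VM inventory and VMMS event lines are what an analyst compares against the expected guest list.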
Critical Cisco UCCX flaw lets attackers run commands as root
Cisco has released security updates to patch a vulnerability, tracked as CVE-2025-20354, in its Unified Contact Center Express (UCCX) software that could enable attackers to execute commands with root privileges. Cisco describes its UCCX platform as a “contact center in a box,” a “software solution for managing customer interactions in call centers, supporting up to 400 agents.” In a security advisory released Wednesday, Cisco attributed the vulnerability to “improper authentication mechanisms associated to specific Cisco Unified CCX features.” (BleepingComputer)
Poland reports three major cyberattacks
Authorities in Poland are looking into a series of recent cyberattacks, which Digital Affairs Minister Krzysztof Gawkowski says are now a daily occurrence. The three largest in this recent spate were an attack on the online loan platform SuperGrosz, which confirmed the theft of PII belonging to at least 10,000 customers; a DDoS attack on Poland’s payment infrastructure, “briefly disrupting Blik, the country’s leading mobile payment system used for instant transfers and cash withdrawals”; and an attack on Nowa Itaka, Poland’s largest travel agency. There is no official confirmation that these incidents are linked, but Gawkowski attributed the attack on Blik to Russia. (The Record)
The Louvre’s video security password was reportedly ‘Louvre’
Analysis of one of the most brazen museum robberies in history, the theft of the French Crown Jewels from the Galerie d’Apollon at the Louvre Museum in Paris, shows that the museum’s lax security measures go back many years. The password for the video surveillance system, for example, was “Louvre,” according to a security audit performed in 2014. Key parts of its security software were more than two decades old and are unsupported by their developer. These specific examples may not have been directly involved in last month’s jewel heist, but they represent significant delays in updating and expanding the museum’s security. The director of the Louvre, Laurence des Cars, had struggled for years to obtain the necessary upgrades. She tendered her resignation following the theft, but culture minister Rachida Dati refused it. (PC World) (The Guardian)
Huge thanks to our sponsor, ThreatLocker

The most common passwords are still the ones you and everyone else knows they are
A new report from research company Comparitech shows that among the top 100 most used passwords of 2025, eight of the top ten are variations of 123456, with the other two being “password” and “admin.” In fact, variations of these three together occupy nearly the entire top 100, with just a few standouts: gin, a row of 10 asterisks, root, India123 and minecraft. Comparitech consumer privacy advocate Paul Bischoff said in an email interview with The Register that the most pressing problem is companies that do not enforce good password practices. (The Register)
SonicWall attributes attack on customer portal to undisclosed nation-state
Mandiant has now concluded its investigation into the October brute-force attack that exposed the firewall configuration files of every SonicWall customer who used the company’s cloud backup service. The company is placing blame on an undisclosed nation state that gained access to the cloud backup files using an API call. CEO Bob VanKirk said in a video published alongside the update, “there was no impact to any SonicWall product, firmware, source code, production network, or to any customer data or any other SonicWall system.” However, Ryan Dewhurst, head of proactive threat intelligence at watchTowr, previously told CyberScoop that those files contain a “treasure trove of sensitive data, including firewall rules, encrypted credentials, routing configurations and more.” (CyberScoop)
EU Parliament votes to advance controversial Europol data sharing proposal
On Tuesday, lawmakers in the European Union’s Parliament voted to move ahead with a proposal that would allow Europol to expand data sharing and biometric data collection as part of its effort to fight human trafficking and migrant smuggling. This proposal will now be subject to a full plenary vote later this month. The proposal expands data sharing between national governments and Europol and allows for more substantial processing of biometric data. (The Record)
Sandworm hackers use data wipers to disrupt Ukraine’s grain sector
In an ongoing story, Russian hacker group Sandworm has “deployed multiple data-wiping malware families in attacks targeting Ukraine’s education, government, and the grain sector, the country’s main revenue source.” According to ESET, these attacks occurred in June and September and are a continuation of Sandworm’s destructive campaign against Ukraine. Unlike ransomware, where data is typically stolen and then encrypted for extortion, wiper malware is used purely in sabotage operations. (BleepingComputer)