In today’s cybersecurity news…
Sotheby’s suffers cyberattack
The world-famous auction house says the breach occurred on July 24, resulting in the theft of “an unspecified amount of data, including Social Security numbers and financial account information.” Spokespeople said the company is not aware of who was behind the attack but added that the attackers broke in despite the company having “layered defenses, strict access controls, secure connections, and advanced threat protections,” along with regularly patched systems, testing of internal incident response plans, backups, critical services, vetted vendors, and a security-trained workforce.
Hackers exploit Cisco SNMP flaw in “Zero Disco” attacks
Researchers at Trend Micro are warning of a campaign, codenamed Operation Zero Disco, that has exploited a security flaw in Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older, unprotected systems. The flaw, which Cisco patched last month, is tracked as CVE-2025-20352 and carries a CVSS score of 7.7. It is a stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem. The intrusions have not been attributed to any known threat actor or group.
Microsoft revokes more than 200 certificates to disrupt ransomware campaign
A campaign is being run by Vanilla Tempest, also known as Vice Spider and Vice Society, with the goal of deploying Rhysida ransomware. The group has been in operation since 2021 and chiefly performs ransomware attacks on the education and healthcare sectors. Microsoft says it disrupted the group’s campaign in early October by revoking more than 200 certificates that the group used to sign its malware. Victims were lured to installer websites through SEO poisoning.
LastPass says it has not been hacked amid phishing email scam
A phishing campaign used the subject line “We Have Been Hacked – Update Your LastPass Desktop App to Maintain Vault Security” and was sent from email addresses that included the word lastpass as part of the domain. The link in the email pretends to take potential victims to a new desktop app site but instead goes to a phishing site. While LastPass works to have the domain taken down, Cloudflare has posted warning pages in front of the site advising visitors that these sites are phishing pages.
(InfoSecurity Magazine and LastPass blog)
Huge thanks to our sponsor, Vanta

Is it “Do I have the right controls in place?”
Or “Are my vendors secure?”
…or the really scary one: “How do I get out from under these old tools and manual processes?”
Enter Vanta.
Vanta automates manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires.
Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale.
Vanta also fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready—ALL…THE…TIME.
With Vanta, you get everything you need to move faster, scale confidently—and get back to sleep.
Get started at vanta.com/headlines
Windows 11 updates break localhost HTTP/2 connections
The October Windows 11 updates from Microsoft appear to have broken the “localhost” functionality, making applications that connect back to 127.0.0.1 over HTTP/2 no longer function properly. “Developers commonly use localhost to test websites or debug applications, but it can also be used by applications that need to connect to a locally running service to perform some action or query.” After having installed Tuesday’s patch, some users are no longer able to complete HTTP connections to the localhost. This impacts applications such as Visual Studio debugging, SSMS Entra ID authentication, and the Duo Desktop app, which verifies device security posture and requires connections back to web servers running on the localhost.
Dairy Farmers of America confirms June breach
The organization stated that cybercriminals from the Play ransomware group gained access to the information of employees and members of the cooperative during their June attack, which involved numerous manufacturing plants within its network. A breach notification filed with regulators in Maine said that the personal information of more than 4,500 people was exposed, including PII, driver’s license or state-issued ID numbers, and bank account numbers. The organization said in a letter sent to victims that the gang gained access through a “sophisticated social engineering campaign.”
Microsoft warns of 32% surge in identity hacks driven by stolen passwords
In its 85-page Digital Defense Report 2025, Microsoft points to the continued success of password attacks that allow hackers to take over victim accounts. It says that “hackers are increasingly using stolen identities to breach organizations, impersonating employees or contractors before stealing data and launching ransomware, according to new research.” Alongside the 32% surge, the report states that 97% of identity attacks are password attacks. Amy Hogan-Burney, a corporate vice president at Microsoft, added that “the vast majority of malicious sign-in attempts an organization might receive are via large-scale password guessing attempts. Attackers get usernames and passwords (‘credentials’) for these bulk attacks by and large from credential leaks.”
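The bulk password-guessing described above leaves a distinctive trace in sign-in logs: one source hitting many different accounts with a single failure each, rather than one user fumbling a password. The following is an added example of that detection logic, not code from Microsoft or the report; the log line format, the sample events and the thresholds (five distinct accounts within ten minutes) are assumptions chosen for illustration.

```python
"""
Flag password-spraying style sign-in activity in a simple auth log.
Added example (not from the Microsoft report). Log format, sample data
and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data):
# "<ISO timestamp> <source ip> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2025-10-15T08:00:01Z 203.0.113.7 alice FAIL
2025-10-15T08:00:03Z 203.0.113.7 bob FAIL
2025-10-15T08:00:05Z 203.0.113.7 carol FAIL
2025-10-15T08:00:07Z 203.0.113.7 dave FAIL
2025-10-15T08:00:09Z 203.0.113.7 erin FAIL
2025-10-15T08:00:11Z 203.0.113.7 frank SUCCESS
2025-10-15T08:05:00Z 198.51.100.4 alice FAIL
2025-10-15T08:05:20Z 198.51.100.4 alice FAIL
2025-10-15T08:05:40Z 198.51.100.4 alice SUCCESS
2025-10-15T09:00:00Z 192.0.2.9 bob SUCCESS
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, result) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    events.sort(key=lambda e: e[0])
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: sorted usernames} for source IPs whose failed sign-ins touched
    at least `min_users` distinct accounts inside any `window`-long interval.
    A single user failing repeatedly (a typo, an expired password) is not flagged."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))

    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        start = 0
        # Sliding window over this IP's failures, oldest to newest.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def successes_from_flagged_ips(events, flagged):
    """Accounts that a flagged IP signed into successfully: the strongest
    indicator that a guessed or leaked credential actually worked."""
    hits = defaultdict(list)
    for ts, ip, user, result in events:
        if ip in flagged and result == "SUCCESS":
            hits[ip].append(user)
    return dict(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sprayers = detect_spray(evs)
    print("spraying sources:", sprayers)
    print("successful sign-ins from those sources:", successes_from_flagged_ips(evs, sprayers))
```

On the sample data only 203.0.113.7 is flagged; 198.51.100.4 fails twice against one account and then succeeds, which is ordinary user behaviour, and the script does not raise it. In a real deployment the window and threshold would be tuned against the organisation's own baseline, and the successful sign-in from a flagged source is the event to escalate first.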
CISA adds Adobe Experience Manager Forms flaw to KEV catalog
The flaw is tracked as CVE-2025-54253 and carries a CVSS score of 10.0. Adobe Experience Manager (AEM) Forms is “a component of Adobe Experience Manager, designed to help organizations create, manage, and automate digital forms and document-based processes. It’s commonly used in industries like banking, insurance, government, and healthcare, where collecting and processing customer data securely and efficiently is critical.” Affecting version 6.5.23, the flaw, which Adobe addressed in August, could allow an attacker to bypass security mechanisms and execute code.