Cybersecurity News: TP-Link urges updates, MuddyWater espionage campaign, flaw hits Adobe Commerce

In today’s cybersecurity news…

TP-Link urges updates for Omada gateways

TP-Link has warned of critical vulnerabilities in its Omada gateway devices across the ER, G, and FR series, urging users to update firmware immediately. The most severe flaws allow arbitrary OS command execution and command injection, potentially by unauthenticated attackers or after admin authentication. Two additional flaws enable root access and further arbitrary command execution. Users are advised to install the latest firmware, change weak passwords, and restrict management interface access to trusted networks. (Security Affairs)

MuddyWater targets organizations in espionage campaign

Iran-linked threat group MuddyWater has launched a global espionage campaign targeting more than 100 organizations, including embassies, foreign affairs ministries, and telecom firms. The group exploited a compromised email account via NordVPN to distribute weaponized Word documents that deploy the Phoenix v4 backdoor through a FakeUpdate loader. Phoenix, along with custom credential stealers and legitimate RMM tools, allows persistent remote access and intelligence gathering. The campaign demonstrates MuddyWater’s ability to combine custom malware with commercial software for stealth and persistence. (The Hacker News)

“SessionReaper” flaw exploited in Adobe Commerce

Hackers are exploiting a critical vulnerability in Adobe Commerce (formerly Magento) known as SessionReaper, which lets attackers hijack customer accounts via the platform’s REST API. Security firm Sansec detected more than 250 active exploitation attempts after Adobe released an emergency patch six weeks ago, with 62% of Magento stores still unpatched. Most attacks originate from five IP addresses and involve PHP webshell probes. (Bleeping Computer)

Canada fines Cryptomus

Canada fined Cryptomus, a crypto payments platform, $176 million for violating anti-money-laundering laws. FINTRAC found the company failed to report suspicious transactions linked to child sexual abuse material, fraud, ransomware, and sanctions evasion. Cryptomus processed payments for at least 56 Russian crypto exchanges and cybercrime services. Investigations revealed its listed addresses in Canada hosted dozens of MSBs and exchanges that didn’t actually operate there. FINTRAC’s penalty is the largest to date, highlighting ongoing challenges with shadowy money service businesses. (Krebs On Security)

Huge thanks to our sponsor, ThreatLocker

Cybercriminals don’t knock — they sneak in through the cracks other tools miss. That’s why organizations are turning to ThreatLocker. As a zero-trust endpoint protection platform, ThreatLocker puts you back in control, blocking what doesn’t belong and stopping attacks before they spread. Zero Trust security starts here — with ThreatLocker.

PhantomCaptcha targets Ukraine relief groups

SentinelOne researchers uncovered a phishing campaign dubbed PhantomCaptcha, which targeted Ukraine war relief groups including the Red Cross and UNICEF on October 8th. Attackers impersonated the Ukrainian President’s Office using weaponized PDFs that redirected victims to a fake Zoom page to deploy a WebSocket-based Remote Access Trojan hosted on Russian infrastructure. The campaign showed links to prior COLDRIVER activity and reflected careful planning and rapid infrastructure turnover. (Security Affairs)

Meta launches anti-scam tools for WhatsApp and Messenger

Meta introduced new anti-scam features for WhatsApp and Messenger to help protect users from fraud. Messenger is testing AI-powered scam detection that flags suspicious chats and suggests actions like blocking or reporting senders. WhatsApp now warns users not to share their screens with unknown contacts and adds context when being added to new groups. Meta says it’s disabled nearly 8 million scam-linked accounts this year and removed 21,000 fake support pages. (Bleeping Computer)

TARmageddon flaw in Rust library leads to RCE

A critical vulnerability dubbed “TARmageddon” was discovered in the Rust library Async-tar, allowing attackers to execute remote code by smuggling malicious entries in nested TAR files. Security firm Edera, which reported the flaw, said both Async-tar and its fork Tokio-tar are abandoned, leaving millions of downstream users at risk. Patched forks like Astral-tokio-tar 0.5.6 have been released, and developers are urged to switch immediately. (SecurityWeek)

Pwn2Own Day 2: Hackers exploit 56 zero-days

On Day 2 of Pwn2Own Ireland 2025, researchers exploited 56 zero-day vulnerabilities across devices including the Samsung Galaxy S25, Synology NAS systems, and Philips Hue Bridge, earning $792,750 in total prizes. The standout hack came from Mobile Hacking Lab and Summoning Team, who chained five flaws to breach the Galaxy S25 for $50,000. Vendors have 90 days to patch the bugs before public disclosure. (Bleeping Computer)