
    China-linked group linked to new malware, 2024 VMware zero-day still exploited, iOS fixes glitches

    Today on CISO Series…

    The CISO Show That Vendors Also Love


    In today’s cybersecurity news…

    China-linked group hits governments with stealth malware

    Palo Alto Networks’ Unit 42 says a new China-linked hacking group, Phantom Taurus, has spent the past two years targeting governments and telecoms across Africa, the Middle East, and Asia. The group focuses on ministries of foreign affairs, embassies, defense, and geopolitical events, using a custom .NET malware suite called NET-STAR. Researchers say Phantom Taurus operates with stealth and persistence, using timestomping and advanced evasion to enable long-term intelligence collection for China’s interests. (The Hacker News)

    Chinese hackers have exploited VMware zero-day since October 2024

    Broadcom patched a high-severity VMware Aria Operations and VMware Tools vulnerability that had been exploited in zero-day attacks since October 2024 by UNC5174, a Chinese state-linked threat actor. The flaw allowed unprivileged local attackers to gain root-level access on VMs. UNC5174 has previously attacked U.S., U.K., and Asian institutions through multiple exploits, often selling access to the compromised networks. Broadcom also recently fixed other VMware zero-days, including two NSX flaws reported by the NSA and three earlier Aria/Tools bugs. (Bleeping Computer)

    Apple’s iOS fixes a bevy of glitches

    Apple released iOS 26.0.1, fixing Wi-Fi and cellular glitches on iPhone 17, photo artifacts, VoiceOver failures, and blank icons with custom tints. The update also patches a FontParser vulnerability that could let attackers corrupt memory via malicious fonts. iPadOS, macOS, watchOS, tvOS, and visionOS also received bug-fix updates, with iOS 26.1 expected later in October. (ZDNet)

    Cyberattack on Asahi disrupts production

    Asahi Group said a cyberattack disrupted its Japan operations, causing system failures that halted orders, shipments, call centers, and production at some of its 30 domestic factories. The company is investigating and restoring systems but didn’t give a recovery timeline. No personal data leaks have been confirmed. With nearly 40% market share in Japan, the disruption is expected to be costly for Asahi and resellers. (SecurityWeek)


    Cyber law and state grants set to go dark as Congress stalls over funding

    The Cybersecurity Information Sharing Act and the State and Local Cybersecurity Grant Program are both set to expire as Congress fails to reach a funding agreement. CISA 2015 enables legal threat data sharing, while the grants provide $1 billion to states and localities for cyber defenses. Lawmakers blame each other for the lapse, warning that the expiration will reduce threat sharing and weaken cyber protections against nation-state and criminal attacks, especially for smaller jurisdictions and businesses. (The Record)

    Critical My Cloud bug allows remote command injection

    Western Digital patched a critical bug in multiple My Cloud NAS models that allowed remote command injection via crafted HTTP POST requests. Firmware version 5.31.108 fixes the issue, but end-of-support devices like My Cloud DL2100 and DL4100 may not get updates. Exploitation could let attackers access, modify, or delete files, change configurations, or execute binaries. Users are urged to update immediately or take devices offline until patched, since unprotected NAS devices have historically been targeted for data theft, botnets, and ransomware. (Bleeping Computer)

    ‘Klopatra’ trojan makes bank transfers while you sleep

    An Android banking Trojan called “Klopatra” has infected more than 3,000 devices in Italy and Spain, disguising itself as the defunct pirate streaming app Mobdro. The malware abuses Accessibility Services to gain full device control, using obfuscation techniques to evade detection. Attackers can reportedly remotely access victims’ phones at night, unlocking devices, opening banking apps, and transferring funds while the screen appears off. (Dark Reading)

    Cisco firewalls vulnerable to actively exploited flaws

    Nearly 50,000 Cisco ASA and FTD firewalls exposed online remain vulnerable to actively exploited flaws, which allow remote code execution and access to restricted VPN endpoints without authentication. Attacks deploying Line Viper malware and RayInitiator bootkit began before patches were available. The U.S. CISA issued an emergency directive requiring federal agencies to secure or disconnect affected devices, while global exposure remains high, particularly in the U.S., U.K., Japan, Germany, and Russia. Administrators are urged to apply Cisco’s mitigation guidance immediately. (Bleeping Computer)


    Subscribe to Cyber Security Headlines podcast

    Spotify, Apple Podcasts, YouTube, RSS link, Amazon Music, add as an Alexa Skill, or search “Cyber Security Headlines” on your favorite podcast app.
