Transcript
A (0:00)
From the CISO series, it's Cybersecurity Headlines.
B (0:07)
These are the cybersecurity headlines for Wednesday, October 1, 2025. I'm Sarah Lane.

China-linked group hits governments with stealth malware
Palo Alto Networks Unit 42 says a new China-linked hacking group, Phantom Taurus, has spent the past two years targeting governments and telecoms across the Middle East and Asia. The group focuses on ministries of foreign affairs, embassies, defense and geopolitical events, using a custom .NET malware suite called NET-STAR. Researchers say that Phantom Taurus operates with stealth and persistence, using timestomping and advanced evasion to enable long-term intelligence collection for China's interests.

Chinese hackers exploit VMware zero-day since October 2024
Broadcom patched a high-severity VMware Aria Operations and VMware Tools vulnerability that had been exploited in zero-day attacks since October of 2024 by UNC5174, a Chinese state-linked threat actor. The flaw allowed unprivileged local attackers to gain root-level access on VMs. US, UK and Asian institutions have previously been attacked through multiple exploits, often selling access to networks. Broadcom also recently fixed other VMware zero-days, including two NSX flaws reported by the NSA and three earlier Aria and Tools bugs.

Apple's iOS fixes a bevy of glitches
Apple released iOS 26.0.1, fixing Wi-Fi and cellular glitches on iPhone 17, photo artifacts, VoiceOver failures and blank icons with custom tints. The update also patches a font parser vulnerability that could let attackers corrupt memory via malicious fonts. iPadOS, macOS, watchOS, tvOS and visionOS have all received bug-fix updates, with iOS 26.1 expected later in October.

Cyber attack on Asahi disrupts production
Asahi Group said a cyber attack disrupted its Japan operations, causing system failures that halted orders, shipments, call centers and production at some of its 30 domestic factories. The company is investigating and restoring systems but did not give a recovery timeline. No personal data leaks have been confirmed. With nearly 40% market share in Japan, the disruption is expected to be costly for Asahi and resellers.

Huge thanks to our sponsor, Nudge Security. The SaaS supply chain is a hot mess. As your workforce introduces new SaaS apps and integrations, hidden pathways are created that attackers can exploit to gain access to core business systems. That is exactly what happened in the Drift breach, and it will happen again. But all is not lost. Nudge Security gives you the visibility and control you need to stop these attacks. Within minutes of starting a free trial, you will discover every SaaS app and integration in your environment, map your SaaS supply chain and identify risky OAuth grants that could be exploited. The best part? Nudge Security alerts you of breaches impacting your third- and fourth-party SaaS providers. That's right, even fourth party. So you can take action quickly to limit the ripple effects. Learn how Nudge can help you secure your entire SaaS ecosystem at nudgesecurity.com.

Cyber law and state grants set to go dark as Congress stalls over funding
The Cybersecurity Information Sharing Act and the State and Local Cybersecurity Grant Program are both set to expire as Congress fails to reach a funding agreement. CISA 2015 enables legal threat data sharing, while the grant program provides $1 billion to states and localities for cyber defenses. Some lawmakers are warning that the expiration will reduce threat sharing and weaken cyber protections against nation-state and criminal attacks, especially for smaller jurisdictions and businesses.

Critical My Cloud bug allows remote command injection
Western Digital patched a critical bug in multiple My Cloud NAS models that allowed remote command injection via crafted HTTP POST requests. Firmware version 5.31.108 fixes the issue, but end-of-support devices like the My Cloud DL2100 and DL4100 may not get updates. Exploitation could let attackers access, modify or delete files, change configurations, or execute binaries. Users are urged to update immediately or take devices offline until patched, since unprotected NAS devices have historically been targeted for data theft, botnets and ransomware.

Klopatra trojan makes bank transfers while you sleep
An Android banking trojan called Klopatra has infected more than 3,000 devices in Italy and Spain, disguising itself as the defunct pirate streaming app Mobdro. The malware abuses accessibility services to gain full device control, using obfuscation techniques to evade detection. Attackers can reportedly remotely access victims' phones at night, unlocking devices, opening banking apps and transferring funds while the screen appears to be off.

Cisco firewalls vulnerable to actively exploited flaws
Nearly 50,000 Cisco ASA and FTD firewalls exposed online remain vulnerable to actively exploited flaws, which allow remote code execution and access to restricted VPN endpoints without authentication. Attacks deploying the LINE VIPER malware and RayInitiator bootkit began before patches were available. US CISA issued an emergency directive requiring federal agencies to secure or disconnect affected devices, while global exposure remains high, particularly in the US, UK, Japan, Germany and Russia.

If you are going to be in New York City later this month, you need to join the CISO Series for a live podcast recording. On October 23 we will be recording a show at Mimecast Elevate 25. The show is free to attend, but you do need to register, so head on over to our Events page at cisoseries.com for more details. We really want to see you there.

If you have thoughts on the news from today or about our show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. I am Sarah Lane, reporting for the CISO Series. Stay safe out there, and we'll talk to you tomorrow.
