
Steve Prentiss
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Friday, July 25, 2025. I'm Steve Prentiss.

SonicWall announces SMA100 patches

Following up on a story we covered last week, network security company SonicWall announced on Wednesday the release of patches for a critical vulnerability in Secure Mobile 100 series secure access gateways. The company recommends that customers take immediate action following the recent OVERSTEP malware attacks. This new flaw has a CVE number and a CVSS score of 9.1. It is described as an arbitrary file upload issue in the SMA100's web management interface, which could allow for remote code execution by attackers who already have access to administrative privileges.

The FBI warns about The Com, a mass criminal organization

The Com, that is T-H-E C-O-M, is a loosely organized cybercriminal organization that launches cyber attacks to steal money and gain access to sensitive information. The bureau says The Com "is composed primarily of English-speaking minors, but has expanded to include thousands of people who engage in a variety of cybercriminal activities." They add that the group's sophistication has grown over the last four years, with subjects employing increasingly complex methods to mask their identities, hide financial transactions and launder money. Minors are recruited since being underage promises less harsh penalties if caught. Scattered Spider, known for a number of high-profile attacks this year, is an affiliate of this group.

Compromised Amazon Q extension told AI to delete everything

A hacker whose apparent intent was to expose bad security practices succeeded somewhat by compromising the official Amazon Q extension for Visual Code Studio to add a prompt to use an AI agent to wipe a user's home directory and delete all their AWS resources. According to a report from 404 Media, the hacker submitted a pull request to the AWS repository, a random account with no existing access, and was given admin credentials. They said that AWS then released the compromised package "completely oblivious." Amazon quickly removed the unapproved code and the hacker's credentials, but no explanation of how this happened has yet been released.

WordPress backdoor hides inside MU plugin

A new backdoor has been discovered in WordPress must-use plugins, also known as MU plugins, one that will give threat actors persistent access and allow them to perform arbitrary actions. These plugins are automatically activated on all WordPress sites in the installation and are stored in the wp-content/mu-plugins directory. They do not show up in the default list of plugins on the Plugins page of wp-admin and cannot be disabled except by removing the plugin's file from the must-use directory. The backdoor itself, a PHP script, was discovered by web security company Sucuri.

Huge thanks to our sponsor, Nudge Security. Here's the thing: your employees are signing up for new apps, sharing data and connecting tools together, often without anyone knowing. What if you could continuously discover when people start using new apps or sharing data, and then prompt them with security guidance right when and where they are working? At Nudge Security, we call that securing the workforce edge. Instead of trying to control everything, which, let's face it, is impossible, we give IT and security teams the visibility they need and automation to guide employees toward secure behaviors. The result? Your workforce stays productive, your data stays secure, and you can finally get some sleep at night. Learn more at nudgesecurity.com/workforceedge. That is nudgesecurity, two words together, dot com slash workforceedge, together as well.

Brave blocks Windows Recall from screenshotting browsing activity

The makers of Brave software say its browser, already well known for privacy features, will block Microsoft's new Windows Recall product from capturing screenshots of Brave windows. The feature will be active by default. Facing up to widespread criticism, Microsoft has added an opt-out feature to some Windows packages. But this action from Brave marks a first step in blocking the feature out of the gate, by setting the SetInputScope API to IS_PRIVATE for all browser windows.

CISA adds CrushFTP, Google Chromium and SysAid flaws to its Known Exploited Vulnerabilities catalog

This joint action follows a CrushFTP warning of a zero-day with a CVSS score of 9.0 that has been exploited since July 18th, along with six Google Chrome flaws, including one actively exploited in the wild, and three flaws from SysAid (that is, sys-aid). CISA orders federal agencies to fix the vulnerabilities by August 12th of this year.

Mitel warns of critical MiVoice MX-ONE authentication bypass flaw

Mitel Networks has released security updates to patch a critical-severity authentication bypass vulnerability impacting its MiVoice MX-ONE enterprise communications platform. This is a SIP-based communications system, SIP standing for Session Initiation Protocol, which can scale to support hundreds of thousands of users. According to Bleeping Computer, the critical security flaw is due to an improper access control weakness discovered in the MiVoice MX-ONE Provisioning Manager component and has yet to be assigned a CVE ID. Unauthenticated attackers can exploit it in low-complexity attacks that do not require user action to gain unauthorized access to administrator accounts on unpatched systems.

Fake Dalai Lama apps spy on Tibetan community

Devotees who wanted to send a note of good wishes to the spiritual leader as his 90th birthday approached on July 6 were unwittingly targeted by a China-affiliated cyber espionage group using two campaigns, named by Zscaler ThreatLabz as Operation Ghost Chat and Operation Phantom Prayers. These both were standard watering hole operations, redirecting users from a legitimate but compromised website to a fraudulent one. One of these offered a replica page. This replica page offered well-wishers the option to send an encrypted greeting by downloading a secure chat application, which ultimately was the launch vector for a remote access Trojan.

As usual, we've got a busy Friday of live streams today. It starts at 1pm with Super Cyber Friday, where the topic will be "Hacking the Security Poverty Line," an hour of critical thinking about minimum viable security. Then at 3:30pm Eastern we have our Week in Review show. Nick Espinosa, host of the Deep Dive Radio show, will be our guest, providing his expert commentary on the news of the week. To join us for both, head on over to the events page at cisoseries.com. And if you have some thoughts on the news from today or about the show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines – CISO Series Podcast Summary
Episode: SonicWall releases patches, The Com warning, Compromised Amazon Q extension
Release Date: July 25, 2025
Host: Steve Prentiss
In this episode of Cyber Security Headlines, host Steve Prentiss delves into the latest developments and critical updates in the realm of information security. Covering a range of topics from vulnerability patches to sophisticated cybercriminal organizations, the episode provides listeners with a comprehensive overview of current cybersecurity challenges and responses.
Steve Prentiss begins by addressing a significant update from SonicWall. The network security company announced the release of patches for the SMA100 series Secure Access Gateways, addressing a critical vulnerability previously reported.
“This new flaw has a CVE number and a CVSS score of 9.1,” Prentiss notes, emphasizing the severity of the issue. The vulnerability is an arbitrary file upload weakness in the SMA100 web management interface that can lead to remote code execution, but only for an attacker who already holds administrative privileges on the appliance. SonicWall nonetheless recommends that customers apply the patches immediately, given the recent OVERSTEP malware attacks against these gateways.
The podcast highlights an alarming warning from the FBI regarding The Com, a loosely organized cybercriminal group.
“The Com, that is T-H-E C-O-M, is a loosely organized cybercriminal organization that launches cyber attacks to steal money and gain access to sensitive information,” Prentiss shares. The bureau describes The Com as composed primarily of English-speaking minors, although the group has expanded to include thousands of people involved in a variety of cybercriminal activities. Over the past four years, The Com has grown in sophistication, employing increasingly complex methods to obscure identities, conceal financial transactions, and launder money. The group recruits minors because younger offenders face less severe penalties if caught. Scattered Spider, behind several high-profile attacks this year, is an affiliate of the group.
A concerning incident involving Amazon’s Q extension for Visual Studio Code is discussed next. A hacker compromised the official extension to inject a prompt instructing the AI agent to wipe the user’s home directory and delete all of their AWS resources.
“The hacker submitted a pull request to the AWS repository, a random account with no existing access, and was given admin credentials,” explains Prentiss. Although AWS swiftly removed the unauthorized code and the hacker’s credentials, the company has yet to disclose how the breach occurred. The incident shows how weak access controls on a public repository can turn a widely installed developer extension into a software supply-chain attack vector, with an AI agent as the mechanism that would have carried out the destructive action.
The episode covers a newly discovered backdoor in WordPress Must-Use (MU) plugins. These plugins are loaded automatically on every site within a WordPress installation and do not appear in the standard plugins list in wp-admin, which makes them an attractive place to hide persistent access.
“The backdoor itself, a PHP script, was discovered by web security company Sucuri,” Prentiss states. The backdoor gives threat actors persistent access and lets them perform arbitrary actions on the affected site. Because MU plugins live in the wp-content/mu-plugins directory, load without any activation step, and can only be disabled by removing the file from that directory, a backdoor placed there survives plugin reviews done from the dashboard; the directory has to be inventoried on the filesystem itself.
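As an added example (not Sucuri's tooling, not WordPress code, and not the specimen from the episode), the following Python audit does what the passage implies an administrator must do: walk wp-content/mu-plugins on disk, compare what is there against an allowlist of files the operator expects, and flag PHP that contains the constructs backdoors typically rely on (dynamic evaluation, encoded payloads, shell execution, remote fetches, and direct use of request parameters). The allowlist, the file names and the two PHP samples are constructed for the demonstration.

```python
"""Audit a WordPress wp-content/mu-plugins directory for unexpected or suspicious PHP.

Added example, not Sucuri's tooling or WordPress code. Must-use plugins load
automatically and never appear on the wp-admin Plugins page, so the only
reliable inventory is the filesystem itself. The allowlist and the sample
files below are constructed for the demonstration.
"""
import os
import re
import tempfile

# Hypothetical allowlist: file names an operator expects to find in mu-plugins.
EXPECTED = {"site-config.php"}

# Constructs commonly found in PHP backdoors. A hit is a lead for review, not a verdict.
SUSPICIOUS = {
    "dynamic_eval": re.compile(r"\b(eval|assert|create_function)\s*\("),
    "decode_exec": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "shell_exec": re.compile(r"\b(system|exec|shell_exec|passthru|proc_open|popen)\s*\("),
    "remote_fetch": re.compile(r"\b(file_get_contents|curl_exec|fsockopen)\s*\("),
    "request_sink": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\["),
}


def audit_mu_plugins(mu_dir):
    """Return one finding per .php file under mu_dir, in sorted path order.

    A finding records the path relative to mu_dir, whether the file is on the
    allowlist, which suspicious patterns matched, and a combined flag that is
    set when the file is unexpected or matches any pattern.
    """
    findings = []
    for root, _dirs, files in os.walk(mu_dir):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, mu_dir)
            with open(path, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            matched = sorted(k for k, rx in SUSPICIOUS.items() if rx.search(source))
            findings.append({
                "file": rel,
                "allowlisted": rel in EXPECTED,
                "patterns": matched,
                "flag": (rel not in EXPECTED) or bool(matched),
            })
    return findings


def flagged_files(mu_dir):
    """Relative paths an operator should inspect first."""
    return [f["file"] for f in audit_mu_plugins(mu_dir) if f["flag"]]


# Constructed samples: one benign mu-plugin and one file shaped like a backdoor.
BENIGN = """<?php
// Legitimate must-use plugin: defines a site-wide constant.
define('SITE_ENV', 'production');
"""
BACKDOOR = """<?php
// Constructed sample, not the Sucuri specimen: runs attacker-supplied code.
if (isset($_POST['cmd'])) { eval(base64_decode($_POST['cmd'])); }
"""


def build_sample_tree():
    """Write the constructed samples into a temp directory and return its path."""
    mu_dir = tempfile.mkdtemp(prefix="mu-plugins-")
    with open(os.path.join(mu_dir, "site-config.php"), "w") as fh:
        fh.write(BENIGN)
    with open(os.path.join(mu_dir, "wp-cache-helper.php"), "w") as fh:
        fh.write(BACKDOOR)
    return mu_dir


if __name__ == "__main__":
    sample = build_sample_tree()
    for f in audit_mu_plugins(sample):
        status = "FLAG" if f["flag"] else "ok  "
        print(f"{status} {f['file']} allowlisted={f['allowlisted']} patterns={f['patterns']}")
```

Point the audit at the real directory (wp-content/mu-plugins under the site root) rather than the sample tree; an unexpected file with no pattern hits is still flagged, because the whole point of an MU plugin backdoor is that nothing else in the dashboard will surface it.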
In a move to enhance user privacy, the makers of the Brave browser announced that their software will block Microsoft’s new Windows Recall feature from capturing screenshots of Brave browser windows. This feature will be enabled by default.
Brave does this “by setting the SetInputScope API to IS_PRIVATE for all browser windows,” Prentiss explains. Despite Microsoft’s addition of an opt-out option following widespread criticism, Brave’s approach excludes its windows from capture from the outset rather than relying on users to turn Recall off. The exclusion applies only to Brave’s own windows; content shown in other applications remains subject to whatever Recall settings the user has chosen.
The Cybersecurity and Infrastructure Security Agency (CISA) has updated its catalog of known exploited vulnerabilities to include several critical flaws.
“This joint action follows a CrushFTP warning of a zero-day with a CVSS score of 9.0 that has been exploited since July 18th,” Prentiss reports. The additions also cover six Google Chrome vulnerabilities, one of which is actively exploited in the wild, and three flaws from SysAid. CISA has ordered federal agencies to remediate these vulnerabilities by August 12th. That deadline binds federal civilian agencies under Binding Operational Directive 22-01, but the catalog is widely used outside government as a patch-prioritization signal, since every entry in it has confirmed exploitation.
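As an added example (not CISA tooling and not anything from the episode), the Python triage below parses a KEV catalog in its published JSON shape, keeps only the entries that match a hypothetical asset inventory, and orders them by days remaining until the CISA due date so overdue items surface first. The sample feed is constructed: its cveID values are placeholders rather than real identifiers, and only the vendor names and the August 12, 2025 due date come from the story.

```python
"""Triage CISA Known Exploited Vulnerabilities (KEV) entries against an asset list.

Added example, not CISA tooling. The JSON shape mirrors the public KEV feed
(a top-level "vulnerabilities" array whose entries carry cveID, vendorProject,
product, dateAdded, dueDate and knownRansomwareCampaignUse). The entries below
are constructed placeholders: the cveID values are not real identifiers, and
only the vendors and the August 12, 2025 due date come from the story.
"""
import json
from datetime import date

# Constructed sample feed with placeholder IDs; the live feed is fetched from CISA.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "CrushFTP", "product": "CrushFTP",
         "dateAdded": "2025-07-22", "dueDate": "2025-08-12", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "Google", "product": "Chromium",
         "dateAdded": "2025-07-22", "dueDate": "2025-08-12", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-EXAMPLE-0003", "vendorProject": "SysAid", "product": "SysAid",
         "dateAdded": "2025-07-22", "dueDate": "2025-08-12", "knownRansomwareCampaignUse": "Unknown"},
        # Not in the inventory below: filtered out even though it is due.
        {"cveID": "CVE-EXAMPLE-0004", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "dateAdded": "2025-07-22", "dueDate": "2025-08-12", "knownRansomwareCampaignUse": "Unknown"},
        # In the inventory but due far out: outside the default 30-day horizon.
        {"cveID": "CVE-EXAMPLE-0005", "vendorProject": "SysAid", "product": "SysAid",
         "dateAdded": "2025-07-22", "dueDate": "2025-10-15", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Hypothetical asset inventory keyed the way KEV names vendors and products.
INVENTORY = {("CrushFTP", "CrushFTP"), ("Google", "Chromium"), ("SysAid", "SysAid")}


def parse_kev(raw_json):
    """Return the list of vulnerability entries from a KEV catalog document."""
    return json.loads(raw_json)["vulnerabilities"]


def triage(entries, inventory, today, horizon_days=30):
    """Select KEV entries that hit the inventory and fall due within horizon_days.

    Matching is case-insensitive on (vendorProject, product). Results are
    ordered most urgent first: overdue items (negative daysLeft) come before
    items due soon; ties break on cveID so the report is stable.
    """
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    report = []
    for entry in entries:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        if key not in wanted:
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        if days_left > horizon_days:
            continue
        report.append({
            "cveID": entry["cveID"],
            "vendor": entry["vendorProject"],
            "product": entry["product"],
            "dueDate": entry["dueDate"],
            "daysLeft": days_left,
            "overdue": days_left < 0,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    report.sort(key=lambda r: (r["daysLeft"], r["cveID"]))
    return report


def run_sample(today_iso="2025-07-25", horizon_days=30):
    """Triage the constructed feed as of a given date (default: the episode date)."""
    return triage(parse_kev(SAMPLE_KEV_JSON), INVENTORY, date.fromisoformat(today_iso), horizon_days)


if __name__ == "__main__":
    for row in run_sample():
        urgency = "OVERDUE" if row["overdue"] else f"{row['daysLeft']}d left"
        print(f"{row['cveID']:18} {row['vendor']}/{row['product']:12} due {row['dueDate']} ({urgency})")
```

In practice the inventory is the weak link: KEV's vendorProject and product strings do not always match how an asset database names things, so the matching keys need to be curated once per product rather than guessed at report time.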
Mitel Networks has issued a security alert regarding a critical authentication bypass vulnerability in its MiVoice MX-ONE enterprise communications platform, a SIP-based system that can scale to hundreds of thousands of users.
“Unauthenticated attackers can exploit it in low-complexity attacks that do not require user action to gain unauthorized access to administrator accounts on unpatched systems,” Prentiss details. The flaw stems from improper access control in the MiVoice MX-ONE Provisioning Manager component and has yet to receive a CVE identifier, so it will not appear in scanners or feeds keyed on CVE IDs; organizations running the platform should track it by Mitel’s advisory and apply the updates.
The podcast highlights cyber espionage activity targeting the Tibetan community ahead of the Dalai Lama’s 90th birthday. Two campaigns, dubbed Operation Ghost Chat and Operation Phantom Prayers by Zscaler ThreatLabz, were used to deliver malicious software.
“These both were standard watering hole operations, redirecting users from a legitimate but compromised website to a fraudulent one,” Prentiss explains. The replica page invited well-wishers to send an encrypted greeting by downloading a secure chat application, which served as the delivery vector for a remote access Trojan (RAT). The lure was tailored to the occasion and the audience, underlining the targeted nature of the espionage effort.
Steve Prentiss concludes the episode by announcing the day’s live streams: Super Cyber Friday at 1pm, on “Hacking the Security Poverty Line,” an hour of critical thinking about minimum viable security, followed at 3:30pm Eastern by the Week in Review show, with Nick Espinosa, host of the Deep Dive Radio show, as guest commentator on the week’s news.
Listeners are encouraged to visit the events page at cisoseries.com to join these live sessions and to share their thoughts via feedback@cisoseries.com.
Conclusion
This episode of Cyber Security Headlines offers a thorough examination of recent cybersecurity threats, vulnerabilities, and organizational responses. From critical software patches to sophisticated cybercriminal operations, listeners gain valuable insights into the evolving landscape of information security.
For more detailed stories behind these headlines, visit cisoseries.com.