
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Friday, October 17, 2025. I'm Steve Prentice.

Sotheby's suffers cyberattack. The world-famous auction house says the breach occurred on July 24, resulting in the theft of, quote, an unspecified amount of data, including Social Security numbers and financial account information, end quote. Spokespeople said the company is not aware of who was behind the attack, but added that the attackers broke in despite the company having layered defenses, strict access controls, secure connections and advanced threat protections, along with regularly patched systems, testing of internal incident response plans, backups, critical services, vetted vendors and a security-trained workforce.

Hackers exploit Cisco SNMP flaw in Zero Disco attacks. Researchers at Trend Micro are warning of a campaign codenamed Operation Zero Disco that has exploited a security flaw that impacts Cisco IOS software and IOS XE software to deploy Linux rootkits on older unprotected systems. This flaw, which was patched by Cisco last month, has a CVE number and a CVSS score of 7.7. It is a stack overflow vulnerability in the Simple Network Management Protocol subsystem, that is, SNMP. The intrusions have not been attributed to any known threat actor or group.

Microsoft revokes more than 200 certificates to disrupt ransomware campaign. A campaign is being run by Vanilla Tempest, also known as Vice Spider and Vice Society, with the goal of deploying Rhysida ransomware. The group has been in operation since 2021 and chiefly performs ransomware attacks on the education and healthcare sectors. Microsoft says it disrupted the group's campaign in early October by revoking more than 200 certificates that the group used to sign their malware. Victims were attracted to installer websites through SEO poisoning.

LastPass says it has not been hacked amidst phishing email scam. A phishing campaign used the subject line "We have been hacked. Update your LastPass desktop app to maintain vault security," and this was sent from email addresses that included the word lastpass as part of their domain. The link in this fake warning email purports to take potential victims to a new desktop app site, but instead goes to a phishing site. While LastPass works to have the domain taken down, Cloudflare has posted warning pages in front of the site advising visitors that these sites are phishing pages.

Huge thanks to our sponsor Vanta. What's your 2 a.m. security worry? Is it, do I have the right controls in place? Or, are my vendors secure? Or the really scary one: how do I get out from under these old tools and manual processes? Enter Vanta. Vanta automates manual work so that you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security. At scale, Vanta also fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and get back to sleep. Get started at vanta.com headlines. That is V-A-N-T-A dot com headlines.

Windows 11 updates break localhost HTTP/2 connections. The October Windows 11 updates from Microsoft appear to have broken the localhost functionality, making applications that connect back to 127.0.0.1 over HTTP/2 no longer function properly. Developers commonly use localhost to test websites or debug applications, but it can also be used by applications that need to connect to a locally running service to perform some action or query. After having installed Tuesday's patch, some users are no longer able to complete HTTP connections to the localhost. This impacts applications such as Visual Studio debugging, SSMS Entra ID authentication and the Duo Desktop app, which verifies device security posture and requires connections back to web servers running on the localhost.

Dairy Farmers of America confirms June breach. The organization stated that cybercriminals from the Play ransomware group gained access to the information of employees and members of the cooperative during their June attack, which involved numerous manufacturing plants within its network. A breach notification filed with regulators in Maine said that the personal information of more than 4,500 people was exposed, including PII, driver's license or state-issued ID numbers and bank account numbers. The organization said in a letter to victims that the gang gained access through a sophisticated social engineering campaign.

Microsoft warns of a 32% surge in identity hacks from stolen passwords. In its 85-page Digital Defense Report 2025, Microsoft points to the continued success of password attacks that allow hackers to take over victim accounts. It says that hackers are increasingly using stolen identities to breach organizations, impersonating employees or contractors before stealing data and launching ransomware. This according to new research, end quote. The 32% surge means that 97% of identity attacks are password attacks. Amy Hogan Burney, a corporate vice president at Microsoft, added that the vast majority of malicious sign-in attempts an organization might receive are via large-scale password guessing attempts. Attackers get usernames and passwords for these bulk attacks by and large from credential leaks.

CISA adds Adobe Experience Manager Forms flaw to its KEV catalog. This flaw has a CVE number and a CVSS score of 10.0. Adobe Experience Manager Forms is a component of Adobe Experience Manager designed to help organizations create, manage and automate digital forms and document-based processes. It is commonly used in industries like banking, insurance, government and healthcare where collecting and processing customer data securely and efficiently is critical. Impacting versions 6.5.23, the flaw, which was addressed by Adobe in August, could allow an attacker to bypass security mechanisms and execute code.

Remember to join us later today for our last episode of our Week in Review podcast. That's right, we're sunsetting the Week in Review and rebooting it as the Department of Knowledge. This show will stream live every Monday at 4 p.m. Eastern time, helping you kick off the week in cybersecurity. We will still have on our favorite CISO guests, discuss the biggest news from the last week and try to help you get your week started the best way we know how. The show will still be in your podcast feed, but after today, we would love for you to join us live at 4 p.m. Eastern on our YouTube channel for the streams on Monday. And if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentice reporting for the CISO series.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Steve Prentice, CISO Series
Episode Theme:
A fast-paced roundup of the latest cybersecurity incidents, vulnerabilities, and research, covering major breaches, critical patches, attack trends, and misinformation in the security industry.
Cyber Security Headlines delivers rapid-fire updates on headline-grabbing cyber incidents, emphasizing both technical detail and practical implications. With a tone that’s both urgent and informative, the podcast underscores the ongoing escalation of breach sophistication and the critical importance of patching, phishing defense, and robust identity protection.