Chinese cybercrime group, Cisco CM flaw, CISA faces changes


Today on CISO Series…


In today’s cybersecurity news…

Chinese cybercrime group sets record pace

According to Proofpoint, the group, currently tracked as TA4922, “has been escalating activities and expanding to new geographies. It uses social engineering to deliver malware and engage in credential phishing and fraud schemes such as credit card theft.” They do not appear to be involved in espionage, but instead appear to be financially motivated, using HR, payroll tax, and invoicing themes. The group has started to expand beyond its current targets in Japan, Taiwan, Korea, Singapore, and India to also focus on organizations in the UK, Germany, Italy, and South Africa, using messaging platforms such as LINE, WhatsApp, or Microsoft Teams.

Cisco warns of critical Unified CM flaw with PoC exploit code

The company has now released security updates to patch a critical-severity Unified Communications Manager (Unified CM) flaw that allows attackers to gain root privileges. Formerly known as Cisco CallManager, this product “serves as the central control system for Cisco IP telephony systems, handling device management, call routing, and telephony features.” The vulnerability (tracked as CVE-2026-20230) “can be exploited remotely by threat actors without privileges in low-complexity server-side request forgery (SSRF) attacks.” It has earned a “critical” rating because exploitation of this vulnerability could result in an attacker elevating privileges to root. “Cisco’s Product Security Incident Response Team (PSIRT) says it has yet to find evidence of active exploitation or targeting.”

Hackers spied on a stock exchange executive’s Outlook mailbox for five months

According to researchers at Symantec and Carbon Black’s Threat Hunter Team, a hacker “spent at least five months inside the Outlook mailbox of a senior executive at a major global stock exchange, copying the inbox out in small, repeated batches and routing it through Dropbox and OneDrive so the traffic blended into normal cloud activity.” The researchers say this points to an espionage campaign rather than financial theft or data theft, noting that the executive’s inbox can “hold non-public listing details, enforcement matters, deal terms, market-moving plans, plus the executive’s calendar and contacts,” without needing broad access to other business systems. By the time the first malicious activity showed up on October 10, 2025, “the attacker was already running two binaries as SYSTEM, the highest Windows privilege level, one faking Adobe’s updater and the other faking OneDrive, meaning they had full control of the machine, while how they first got in is still unknown.”

GOV.UK dumps Stripe for payments

The UK’s Government Digital Service (GDS) has opted to work instead with Netherlands-based provider Adyen as its processor for many payments made through its GOV.UK Pay service. In a blog post about the contract, awarded last Tuesday, GDS said “it will migrate around 1,000 services to the new supplier.” The change of supplier will “help introduce new options including pay by bank, which transfers money directly between bank accounts using open banking services and avoids the need to type in card details.”

Thanks to our sponsor, Vanta


CISA directive for AI executive order to be released this week

This is according to Cybersecurity and Infrastructure Security Agency Acting Director Nick Andersen, speaking on Wednesday. The Agency “plans to release a directive to federal agencies detailing actions required to carry out the president’s artificial intelligence executive order by the end of the week.” This directive will focus in part on “vulnerability alleviation and vulnerability management,” Andersen said. This latest version of the order “asks companies to voluntarily submit models to the government for testing 30 days before they are released publicly.”

DHS chief signals efforts to reshape CISA

In further CISA news, Homeland Security Secretary Congressman Markwayne Mullin said on Wednesday he would revitalize the agency, which has lost roughly one-third of its workforce and seen its $3 billion budget slashed during the current administration. The fiscal 2027 budget would cut more than $700 million from the agency. Mullin said that CISA probably needs “somewhere around” 2,800 employees, despite its ability to hire up to 3,400. He also hinted that the White House “intends to announce a nominee to run the department’s cyber wing, which has been without a Senate-confirmed chief.”

FlutterShell backdoor spreads to macOS through Google and YouTube ads

According to Palo Alto Networks Unit 42, a macOS malvertising campaign codenamed Operation FlutterBridge is spreading this new backdoor. The cybercrime group behind the two attack chains is being tracked under the moniker CL-CRI-1089. “Built using the Flutter framework, FlutterShell infects targets with adware via malicious desktop applications,” Unit 42 said. “In addition to its adware functionality, the payload possesses backdoor capabilities, including shell command execution and file system manipulation.” These campaigns distribute malicious Google and YouTube advertisements using a network of Google-verified shell companies, with the ads acting as a lure to trick targets into deploying malware that masquerades as legitimate desktop applications.

Watch out for odd LinkedIn connection requests, warns FiveEyes

MI5 and its allies are once again warning that “China is shopping for state secret leakers on popular recruitment platforms, including LinkedIn, Indeed, and Upwork.” This is according to a new advisory published Wednesday. It stated Chinese military intelligence officers “specifically target security clearance holders, including those working in defense, security, and foreign affairs, military personnel, and those with indirect access to government information, such as academics, journalists, think tank employees, and others.” The victims are pressured to provide ‘non-public’ information for unspecified clients who are associated with the Chinese government.


Subscribe to Cybersecurity Headlines podcast

Spotify, Apple Podcasts, YouTube, RSS link, Amazon Music, add as an Alexa Skill, or search “Cybersecurity Headlines” on your favorite podcast app.
