Infosec In brief A flaw in Meta’s WhatsApp app “may have been exploited in a sophisticated attack against specific targeted users.”
Meta made that alarming admission last week in a security advisory that disclosed CVE-2025-55177, which it described as allowing “Incomplete authorization of linked device synchronization messages in WhatsApp [which] could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.”
The security team at Zuck’s messaging app also name-checked the zero-click vulnerability Apple patched last week – CVE-2025-43300 – because they feel their own CVE and Apple’s flaw “may have been exploited in a sophisticated attack against specific targeted users.”
Donncha Ó Cearbhaill, head of Amnesty International’s security lab, said the flaws were used in a highly specialized attack; past experience with that pattern suggests a commercial surveillanceware vendor is using them in highly targeted attacks against specific individuals.
Surveillanceware is supposed to be used by states against criminals, but it is also used against journalists, human rights campaigners, and anyone else certain governments don’t like.
It looks like that $1 million bounty for a zero-click WhatsApp flaw might be worth the price.
Microsoft calls time on lack of MFA for Azure
From October 1, Microsoft will begin requiring multi-factor authentication on Azure systems for everything but read-only access.
Redmond’s advisory states that “MFA enforcement will gradually begin for accounts that sign in to Azure CLI, Azure PowerShell, Azure mobile app, IaC tools, and REST API endpoints to perform any Create, Update, or Delete operation. Read operations won’t require MFA.”
There are special cases that could get a deadline extension, however. Those who can show they are having to deal with “complex environments or technical barriers” can get an extension until July 1 next year, Microsoft added.
Some customers may use a user account in Microsoft Entra ID as a service account. It’s recommended to migrate these user-based service accounts to secure cloud-based service accounts with workload identities.
But, frankly, MFA should be standard for Azure users anyway. It has proven to be – if not a silver bullet – highly effective at stopping hacking attacks.
Nissan confirms car design studio hit by Qilin ransomware
Japanese automaker Nissan has confirmed that its design subsidiary Creative Box Inc was hit by the infamous Qilin ransomware group.
“Currently, a detailed investigation is underway, and it has been confirmed that some design data has been leaked,” Nissan said in a statement. “Nissan and CBI will continue the investigation and take appropriate measures as needed.”
Qilin is a vicious ransomware gang linked to actual deaths, and known for offering criminals using its ransomware legal advice to assist with negotiations, an increasingly complex field.
Baltimore procurement mess sent $1.5m to crims
The city of Baltimore has admitted it has paid $1.5 million from much-needed city funds in a procurement scam.
The City’s Office of the Inspector General last week published a report [PDF] explaining that a fraudster compromised a vendor that does business with the city government, accessed its Workday account, and changed the financial institution listed for payments to an account under the fraudster’s control.
When Baltimore paid its bills, it therefore sent money to the account controlled by the fraudster. The city managed to retrieve almost half the funds, but its insurers have refused to pay out for the rest, showing the increasingly hard line financial institutions are taking over lax security policy.
Still, it could be worse. Nevada is still recovering from a state-wide ransomware attack that has left the Silver State crippled.
Critical flaw under exploitation in FreePBX telco software
If you’re using the open source FreePBX project to run your comms networks, you may want to prioritize a recently-issued emergency patch.
On August 21 persons unknown were spotted frolicking through the software using a flaw that allowed them to manipulate database information and perform remote code execution. The flaw, rated at the CVSS maximum score of 10, has now been patched, but too late it seems for some customers.
“Users should upgrade to the latest supported versions of FreePBX (currently 15, 16, and 17) and confirm that the installed ‘endpoint’ module meets the minimum patched versions,” the project warned.
“Systems not configured for automatic updates, or those wishing to manually update, can do so via the Administrator Control Panel menu Admin -> Module Admin or via generic command line method of updating all modules.”
Those running the code are warned to watch out for suspicious ampuser accounts, which the attackers create and use in the hack. End-of-life versions of the code base are also vulnerable and there’s no patch for them, so it would be a good time to upgrade. And the US Cybersecurity and Infrastructure Security Agency agrees. ®
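The two post-patch checks the advisory asks for, confirming the installed ‘endpoint’ module version and looking for administrator accounts nobody created, can be scripted. The following is an added example written for this summary, not code from the FreePBX project or the advisory. It parses the text output of `fwconsole ma list` and of `mysql asterisk -e "SELECT username FROM ampusers"`; both inputs here are constructed samples so the script runs offline, and the minimum patched version is a placeholder that must be replaced with the value from the FreePBX advisory.

```python
"""Audit a FreePBX host after the endpoint-module emergency patch (added example).

Check 1: is the installed 'endpoint' module at or above the minimum patched version?
Check 2: does the ampusers table contain administrator accounts that are not on the
         operator's own allowlist?
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of `fwconsole ma list` output; not captured from a real host.
SAMPLE_MODULE_LIST = """\
+------------------+-----------+----------------------+
| Module           | Version   | Status               |
+------------------+-----------+----------------------+
| core             | 16.0.68   | Enabled              |
| endpoint         | 16.0.85   | Enabled              |
| framework        | 16.0.40   | Enabled              |
+------------------+-----------+----------------------+
"""

# Constructed sample of `mysql asterisk -e "SELECT username FROM ampusers"` output.
SAMPLE_AMPUSERS = """\
username
admin
helpdesk
ampuser
"""

# PLACEHOLDER: take the real minimum patched 'endpoint' version from the FreePBX advisory.
MIN_PATCHED_ENDPOINT = "16.0.88"

# Administrator accounts the operator knows about (constructed allowlist).
KNOWN_ADMINS = {"admin", "helpdesk"}

# One table row: "| name | version | status ..."
ROW_RE = re.compile(r"^\|\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(\S+)")


def parse_module_list(text: str) -> Dict[str, Tuple[str, str]]:
    """Map module name -> (version, status), skipping borders and the header row."""
    modules: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m or m.group(1) == "Module":
            continue
        name, version, status = m.groups()
        modules[name] = (version, status)
    return modules


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '16.0.85' into (16, 0, 85) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def endpoint_is_patched(modules: Dict[str, Tuple[str, str]],
                        minimum: str = MIN_PATCHED_ENDPOINT) -> bool:
    """True if the endpoint module is absent (nothing to patch) or at/above the minimum."""
    entry = modules.get("endpoint")
    if entry is None:
        return True
    version, _status = entry
    return version_key(version) >= version_key(minimum)


def parse_ampusers(text: str) -> List[str]:
    """Extract usernames from the mysql client's tab-less single-column output."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if lines and lines[0] == "username":   # drop the column header
        lines = lines[1:]
    return lines


def unexpected_admins(usernames: List[str], known=frozenset(KNOWN_ADMINS)) -> List[str]:
    """Accounts present on the host but not on the operator's allowlist."""
    return sorted(set(usernames) - set(known))


if __name__ == "__main__":
    mods = parse_module_list(SAMPLE_MODULE_LIST)
    print("endpoint:", mods.get("endpoint"), "patched:", endpoint_is_patched(mods))
    print("unexpected admin accounts:", unexpected_admins(parse_ampusers(SAMPLE_AMPUSERS)))
```

On a real host, feed the script the live command output instead of the samples; an unexpected account is a lead to investigate, not proof of compromise, but an unrecognised administrator on a FreePBX box that was exposed during the exploitation window deserves immediate attention.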