Recent Breaches/Incidents
1. SonicWall Cloud Backup Exposure Incident
Description:
SonicWall has confirmed that an unauthorized party gained access to firewall configuration backups stored via the MySonicWall cloud backup service. These backups contain encrypted credentials and full configuration data for firewalls whose settings were backed up to the cloud. While the files are protected via encryption, SonicWall warns that possession of them still elevates risk — especially for devices accessible over the internet.
Any customer using MySonicWall cloud backup of firewall settings is potentially impacted. SonicWall has published lists of impacted serial numbers in the MySonicWall portal under Product Management > Issue List, categorized by priority (Active-High, Active-Lower, Inactive).
Configuration backup files include full snapshots of firewall settings, including secrets and credentials. SonicWall states that although data is encrypted in the cloud, internal parts of these files may be decoded or partially exposed. Attackers with these files gain a valuable foothold in planning targeted attacks, because they know the internal architecture, rules, and possible weak points.
Log into MySonicWall and check whether your firewalls appear in the impacted list. If a device is flagged, prioritize remediation for those in the “Active – High Priority” category and follow the steps in SonicWall’s Essential Credential Reset and Remediation Playbook.
Advisories/Vulnerabilities/Alerts
2. Beware of Microsoft Teams Impersonation Scams
https://cybersecuritynews.com/hackers-exploit-microsoft-teams/
Description:
A new phishing campaign has surfaced in which threat actors are leveraging Microsoft Teams to impersonate IT helpdesk personnel. By exploiting external communication settings (often enabled by default in Microsoft 365), attackers are initiating voice calls and chats to trick users into sharing their screen or granting remote access, with the goal of gaining unauthorized control over computers.
How It Works
- Attackers use compromised or fake Microsoft accounts (including ones with “*.onmicrosoft.com” domains) to pose as internal IT support staff.
- They often reach out via one-on-one Teams chats or calls. Voice calls are especially dangerous because users usually don’t get the same warning pop-ups or suspect-sender tags.
- Once trust is established, the fraudster will request screen sharing and then try to either escalate privileges or guide the user to install or allow remote control features. They might ask you to execute the QuickAssist.exe tool.
Why It’s Dangerous
- These attacks bypass email security filters, since the channel of attack is Teams rather than traditional email phishing.
- The impersonation is believable, as attackers provide company details to gain trust.
- If a user agrees to screen sharing or remote control, it can lead to a full compromise of their machine or data.
Recommended Actions:
- Be cautious of any unexpected Teams calls claiming to be IT support.
- Do not share your screen or allow remote access unless you’ve verified the request through an official channel.
- Check the caller’s email/domain. External users are often marked in Teams.
- Report suspicious calls immediately to the Service Desk (include screenshots or the caller’s details).
- Stay vigilant. Other similar callers may appear even after some are blocked.
- Conduct security awareness training across your organization.
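One way to apply the checks above to Teams activity records in a detection pipeline, as an added example that is not from the original advisory. The event format, the tenant domain example.com and the partner allow-list are constructed for this example and do not reproduce the Microsoft 365 audit-log schema.

```python
from dataclasses import dataclass

# Assumed values for this example: our own tenant domain and the external
# domains we have deliberately allow-listed for Teams federation.
INTERNAL_DOMAINS = {"example.com"}
ALLOWED_EXTERNAL_DOMAINS = {"partner.example"}
HELPDESK_WORDS = ("it support", "helpdesk", "help desk", "service desk")

# Reason codes attached to an event during triage.
EXTERNAL = "external-unvetted"        # sender domain not on the allow-list
DEFAULT_TENANT = "onmicrosoft-domain"  # default *.onmicrosoft.com tenant name
CLAIMS_HELPDESK = "claims-helpdesk"    # external account presenting as IT
DIRECT_CALL = "one-on-one-call"        # calls show fewer external-user warnings


@dataclass
class TeamsEvent:
    sender: str        # UPN of the account that started the chat or call
    display_name: str  # name shown to the recipient
    kind: str          # "chat" or "call"
    one_on_one: bool   # direct conversation rather than a group or meeting


def sender_domain(upn: str) -> str:
    return upn.rsplit("@", 1)[-1].lower()


def reason_codes(ev: TeamsEvent) -> list[str]:
    """Return the impersonation indicators an event matches (empty = benign)."""
    dom = sender_domain(ev.sender)
    if dom in INTERNAL_DOMAINS:
        return []  # internal IT staff contacting users is expected
    codes = []
    if dom not in ALLOWED_EXTERNAL_DOMAINS:
        codes.append(EXTERNAL)
    if dom.endswith(".onmicrosoft.com"):
        codes.append(DEFAULT_TENANT)
    if any(w in ev.display_name.lower() for w in HELPDESK_WORDS):
        codes.append(CLAIMS_HELPDESK)
    if ev.kind == "call" and ev.one_on_one:
        codes.append(DIRECT_CALL)
    return codes


def is_suspicious(ev: TeamsEvent) -> bool:
    """Flag any external sender posing as helpdesk, or an unvetted default tenant."""
    codes = reason_codes(ev)
    return CLAIMS_HELPDESK in codes or (EXTERNAL in codes and DEFAULT_TENANT in codes)


def triage(events: list[TeamsEvent]) -> list[tuple[str, list[str]]]:
    """Senders to report to the Service Desk, with the reasons for each."""
    return [(ev.sender, reason_codes(ev)) for ev in events if is_suspicious(ev)]


SAMPLE_EVENTS = [  # constructed records, not real audit data
    TeamsEvent("it-support@example.com", "IT Support", "chat", True),
    TeamsEvent("helpdesk@fake-helpdesk.onmicrosoft.com", "IT Helpdesk", "call", True),
    TeamsEvent("alice@partner.example", "Alice Partner", "chat", True),
    TeamsEvent("admin@random-tenant.onmicrosoft.com", "Admin", "chat", False),
]
```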
3. Cisco ASA & FTD Zero-Day Exploits in the Wild
Source Advisory URL: https://www.bleepingcomputer.com/news/security/cisco-warns-of-asa-firewall-zero-days-exploited-in-attacks/
Description:
Cisco has issued a warning about actively exploited zero-day vulnerabilities in its ASA and Firepower Threat Defense (FTD) firewall platforms affecting unpatched systems.
The two key vulnerabilities, both being actively targeted in the wild, are:
- CVE-2025-20333 allows authenticated remote attackers to execute arbitrary code.
- CVE-2025-20362 enables unauthenticated attackers to access restricted URL endpoints without proper authorization.
Recommended Actions:
- Patch immediately. Update ASA and FTD devices to the latest recommended software versions as per Cisco’s advisory.
- Disable unused services, minimize open ports, and enforce strong access controls.
- Ensure that SSL VPN / AnyConnect components are hardened and monitored.
- Watch for suspicious connection attempts or abnormal behavior related to ASA/FTD.
- Limit access to ASA/FTD devices to trusted management networks only.