SonicWall Urges Urgent Patching After Active Attacks on SMA1000 Appliances
SonicWall has warned customers about an actively exploited security flaw affecting the management interface of its SMA1000 remote access appliances. The weakness allows an attacker who already has some access to gain higher-level control of the system. SonicWall says this flaw was used in real-world attacks before it was publicly known, although the company has not shared details about who carried them out or why. Importantly, SonicWall firewalls are not affected.
According to SonicWall, attackers combined this issue with another previously fixed flaw to fully take over vulnerable systems. That earlier flaw was patched in January 2025, and U.S. cybersecurity authorities have since confirmed it was widely exploited. SonicWall is strongly urging SMA1000 customers to install the latest software updates immediately, as applying the newest hotfix is the best way to protect systems from these attacks.
Cisco Warns of Active Attacks Exploiting Critical Email Security Flaw
Cisco has warned that hackers are actively exploiting a critical, previously unknown security flaw in certain Cisco email security appliances. The issue affects Secure Email Gateway and Secure Email and Web Manager systems that use specific non-standard settings and have a spam-quarantine feature exposed to the internet. Cisco believes a China-linked hacking group is using this weakness to break into systems, gain full control, install long-lasting backdoors, and erase evidence of their activity. The attacks have been ongoing since at least late November, and Cisco has not yet released a fix.
Until an update is available, Cisco is urging customers to reduce their risk by limiting internet access to affected devices, placing them behind firewalls, and allowing connections only from trusted systems. Administrators should closely monitor logs, separate management and email functions, disable unnecessary services, and strengthen login security. Cisco also recommends contacting its support team to check for signs of compromise; if a system has been breached, rebuilding the appliance may be the only way to fully remove the attackers.
Microsoft Update Disrupts Messaging on Older Windows Systems
Microsoft has acknowledged a new problem caused by its December 2025 security update that affects some older versions of Windows used mainly in business environments. After installing the update, a long-standing Windows component called Message Queuing (MSMQ) may stop working properly, causing certain websites and business applications to fail. Error messages can be confusing, often suggesting a lack of memory or disk space even when systems are healthy.
Microsoft says the issue is caused by a change in how system permissions work, which prevents MSMQ from saving data where it needs to. The problem mainly affects older Windows 10 and Windows Server systems still widely used by organizations, not most home users. While Microsoft is offering help through its support team, some administrators have chosen to remove the update, at the cost of losing important security protections, highlighting the challenges companies face when running older software.
Phishing Campaign Impersonating Trend Micro Targets Critical Industries
Security researchers have uncovered two phishing campaigns from October and November 2025 that targeted executives and staff in sensitive industries such as energy, defense, cybersecurity, and pharmaceuticals. The attackers used convincing emails designed to look urgent and legitimate, including fake workplace harassment complaints, research surveys, and security alerts pretending to come from Trend Micro. The activity appears linked to a group with suspected ties to Russian interests, though researchers are still gathering evidence and are tracking it under a temporary name, SHADOW-VOID-042.
In the November campaign, attackers impersonated Trend Micro itself, sending emails urging recipients to install a fake security update. Clicking the links led victims through a chain of deceptive websites designed to quietly exploit browser weaknesses and install malicious software. Fortunately, Trend Micro’s own security platform detected and blocked most of these emails and websites early, preventing the attacks from progressing and limiting harm.
While the final goal of the attackers remains unclear, the campaigns share similarities with a well-known hacking group that has shifted in recent years from financially motivated crime to espionage-focused operations. These incidents highlight how attackers increasingly rely on realistic-looking emails and trusted brands to trick people, and how strong email security and early detection can stop even sophisticated threats before serious damage occurs.
AI-Powered Cyberattack Marks First Large-Scale Autonomous Espionage Campaign
In September 2025, a highly sophisticated cyberespionage campaign was detected, marking one of the first major attacks largely carried out by AI rather than humans. The attackers, believed to be a Chinese state-sponsored group, manipulated an AI tool called Claude Code to attempt infiltrations of about thirty organizations worldwide, including major tech firms, financial institutions, chemical manufacturers, and government agencies. While only a few attempts were successful, the campaign demonstrated the unprecedented use of AI to autonomously execute complex cyberattacks.
The attack leveraged modern AI capabilities that were not widely available just a year earlier. These included advanced intelligence to understand context and follow complex instructions, autonomous agency to make decisions and chain tasks with minimal human input, and access to a range of software tools such as password crackers and network scanners. This combination allowed the AI to perform tasks that traditionally required skilled human operators, signaling a new era where AI can be weaponized for highly sophisticated cyber operations.
