Daily Security Briefing 014

September 18, 2025 | Read Online

TOCTOU attacks targeting LLM agents, SonicWall backup breach spurs urgent password resets, Russian ransomware ‘CountLoader’ expands toolkit…

Executive Summary

Today’s cybersecurity headlines highlight emerging threats in AI and cloud environments, underscoring evolving risks for enterprises worldwide. Research reveals novel time-of-check to time-of-use (TOCTOU) attack vectors against large language model (LLM)-enabled agents, exposing a new class of vulnerabilities in AI-driven systems. Meanwhile, SonicWall confirms a breach of backup firewall configurations affecting a small subset of customers, prompting widespread password reset advisories. On the ransomware front, Russian cybercriminals are enhancing their capabilities with a new malware loader dubbed CountLoader, signaling more sophisticated post-compromise operations. Additionally, the continued targeting of Microsoft 365 environments and exploitation of VPS systems by botnets highlight the broad attack surface organizations must defend today.

Top Articles

Time-of-Check Time-of-Use Attacks Against LLMs
New research explores a largely overlooked vulnerability in LLM-enabled agents involving TOCTOU (Time-of-Check to Time-of-Use) attacks. These attacks exploit timing discrepancies between verifying data and using it, raising concerns for AI systems relying on prompt and data integrity. While traditional prompt injections and data exfiltration tactics are known, this research opens discussion on securing LLM agents against emerging attack vectors.
Schneier

SonicWall Tells Customers to Change Passwords After MySonicWall Backup Files Leak
SonicWall has confirmed threat actors accessed backup configuration files from its MySonicWall cloud service, affecting fewer than 5% of customers. Leaked backups contained sensitive encrypted credentials and VPN keys, risking unauthorized access to firewall environments. The company urges immediate password resets and enhanced vigilance to prevent persistent compromise.
CyberPress | TheHackerNews | DarkReading

CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader
Researchers have identified CountLoader, a new malware loader employed by Russian ransomware groups that delivers advanced post-exploit tools such as Cobalt Strike and PureHVNC RAT. Serving both initial access brokers and ransomware affiliates linked to LockBit, CountLoader enhances attacker capabilities for lateral movement and remote control. This development signals increasing sophistication in ransomware supply chains.
TheHackerNews

Target-rich environment: Why Microsoft 365 has become the biggest risk
Microsoft 365’s widespread adoption and deep integration across organizations have created a large, complex attack surface targeted by cyber adversaries. The platform’s backup blind spots and ease for lateral movement necessitate stronger defenses to mitigate risk, as highlighted by security experts from Acronis TRU. Organizations must address these vulnerabilities to protect critical resources housed in Microsoft’s cloud ecosystem.
BleepingComputer

SystemBC malware turns infected VPS systems into proxy highway
The SystemBC proxy botnet operators exploit vulnerable commercial VPS servers to maintain a network of around 1,500 bots daily, proxying malicious traffic globally. This abuse of VPS infrastructure facilitates actor anonymity and complicates detection, amplifying threat actor capabilities for cyber attacks and command-and-control communications.
BleepingComputer

Splunk Detects and Prevents Remote Employment Fraud Across Large Distributed Workforces Worldwide
Splunk has introduced advanced detection methods targeting Remote Employment Fraud (REF), where malicious actors infiltrate organizations through legitimate hiring processes. Their new security research documents techniques to identify fraudulent employees early in onboarding, helping enterprises safeguard against insider threats and operational disruption caused by REF.
CyberPress

Top 10 Best Security Orchestration, Automation, And Response (SOAR) Tools in 2025
As cyber threats grow in complexity, SOAR tools have become essential for automating incident response and streamlining security operations. This comprehensive guide reviews the top SOAR platforms in 2025, emphasizing their capabilities to reduce alert fatigue, enhance cross-environment compliance, and accelerate threat mitigation for security teams.
GBHackers

Top 10 Best NGFW (Next‑Generation Firewall) Providers in 2025
Next-Generation Firewalls remain vital for enterprise network security, integrating advanced threat intelligence, cloud capabilities, and deep packet inspection. This article details the leading NGFW providers in 2025, offering insights into features important to defending against sophisticated and persistent cyber threats.
GBHackers

Check Point Celebrates Partner Excellence at the 2025 Asia Pacific Partner Conference
Check Point Software Technologies recently honored top-performing cybersecurity partners in the Asia Pacific region at its annual partner conference in Hanoi. The event highlighted collaborative efforts to combat rising AI-driven cyber threats and advance regional network security resilience.
CheckPoint

AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.