Daily Cyber Briefing
The Daily Cyber Briefing delivers concise, no-fluff updates on the latest cybersecurity threats, breaches, and regulatory changes. Each episode equips listeners with actionable insights to stay ahead of emerging risks in today’s fast-moving digital landscape.
Rootkits, State Spies, and the $14 Billion Bitcoin Bust
Today, we dive into Operation ZeroDisco, where threat actors deployed rootkits onto older Cisco routers by exploiting a recent zero-day. We also analyze the consequences of the Discord breach, F5's revelation of a nation-state attack that stole source code, and the massive crypto "pig butchering" scam that led to the seizure of over $14 billion in Bitcoin.
Welcome back to Cyber Scoops & Digital Shenanigans, the podcast where we break down the biggest stories shaking the foundation of digital security. I’m your host, Mike Housch, and we have a packed docket this week, covering everything from sneaky rootkits hidden deep inside your network gear to state-sponsored theft and a crypto fraud scheme so large, the seized Bitcoin alone is worth over $14 billion. Let's jump right into the bits and bytes.
Segment 1: Cisco’s ZeroDisco Disaster
Our first scoop hits hard at network security, specifically targeting older Cisco devices. Trend Micro has reported a campaign dubbed Operation ZeroDisco, exploiting a recently patched Cisco zero-day, CVE-2025-20352.
This vulnerability is described as a stack overflow in the Simple Network Management Protocol (SNMP) subsystem of IOS and IOS XE devices. It carries a CVSS score of 7.7. A low-privileged attacker can use it to cause a denial-of-service (DoS) condition, while a high-privileged attacker can exploit it for remote code execution (RCE).
Now, the real shenanigans here involve the payload. Threat actors are leveraging this zero-day to deploy a rootkit on vulnerable, older devices, specifically naming the Cisco 9400, 9300, and legacy 3750G series.
For 64-bit systems, the attackers used the SNMP exploit to deploy the rootkit, then logged in using a universal password and deployed a fileless backdoor. This rootkit is sophisticated: it monitors UDP packets sent to any device port, even closed ones, which enables attackers to configure or trigger backdoor functions. Furthermore, it modifies the IOSd memory to set up that universal password, which works across most authentication methods.
And where does the name ‘ZeroDisco’ come from? The malware sets a universal password containing the word ‘disco’—just a one-letter change from ‘Cisco’.
The rootkit is designed for deep concealment. It hides running-config items in memory, allows the bypass of ACLs applied to VTY interfaces—which are used for remote access—can disable log history, and resets running-config write timestamps to obscure any changes. Trend Micro warns that there is currently no universal automated tool that can reliably determine if a switch has been compromised by the ZeroDisco operation. If compromise is suspected, the immediate recommendation is to contact Cisco TAC for assistance with a low-level investigation of firmware/ROM/boot regions.
This campaign also uses a modified exploit for CVE-2017-3881, a Telnet flaw leading to RCE that grants memory read/write capabilities. This is a potent cocktail of old and new vulnerabilities leading to persistent, hidden access.
Segment 2: Nation-State Espionage and F5 Source Code
Moving from network devices to network security vendors, F5 recently disclosed a major security incident involving state-sponsored threat actors. F5, a provider of security and application delivery solutions, revealed via an SEC filing that hackers had maintained long-term and persistent access to some of its systems.
These compromised systems included those associated with the development of F5’s flagship platform, BIG-IP. The outcome? Attackers successfully exfiltrated files containing BIG-IP source code and information regarding undisclosed vulnerabilities.
While F5 stated it has no evidence of modification to its software supply chain or to the NGINX source code, it did confirm that the attack profile points to China as the likely threat actor. Chinese state-sponsored hackers are well known for targeting major software companies specifically to hunt for undisclosed zero-day vulnerabilities. The incident was detected back in August, but the US Justice Department granted F5 permission to delay public disclosure.
This attack serves as a stark reminder of the risks associated with supply chain security and the relentless efforts by nation-states to steal intellectual property and vulnerability intelligence.
Segment 3: The Discord Data Breach and the Blame Game
Next up, let's talk about the fallout from the Discord data breach. Discord, the popular communication platform, first informed users in early October about a cybersecurity incident tied to a third-party customer service system. The exposed information was significant, including user names, email addresses, IP addresses, messages exchanged with customer service agents, limited billing information, and a small number of government-ID images.
Roughly a week later, Discord updated its users, stressing that its own systems were not breached, and placed the blame squarely on 5CA, a customer service company that supports Discord’s efforts.
However, 5CA is denying responsibility. They responded to the accusations, stating that none of their systems were involved and that all their platforms and client data remain secure. 5CA claimed that the incident occurred outside of their systems and that the evidence suggests it may have resulted from human error. Crucially, 5CA also pointed out that they do not handle government IDs for Discord. This contradicts Discord’s disclosure that limited government IDs were compromised.
Reports suggest the hackers targeted a Zendesk instance used by 5CA. Zendesk itself, however, confirmed that the incident did not involve a vulnerability in its products or a compromise of its systems.
The hackers involved have claimed to have obtained a massive 1.5 terabytes of photos, specifically more than 2.1 million government-issued IDs submitted for age verification. Discord maintains that only 70,000 users had their government IDs compromised. This situation highlights the complexities and finger-pointing that often occur when third-party vendors are involved in a breach.
Segment 4: Critical Vulnerabilities: CVSS 10.0 and 9.9
Time for a quick security alert, focusing on two incredibly high-scoring vulnerabilities that demand immediate patching.
First, the US cybersecurity agency CISA issued a warning about a recent Adobe vulnerability being exploited in the wild. The flaw, CVE-2025-54253, is a misconfiguration issue in Adobe Experience Manager Forms (AEM Forms) that allows arbitrary code execution. It scores a perfect CVSS 10.0, combining an authentication bypass with Struts development mode being left enabled for the admin UI. Adobe patched the flaw back in August, but CISA adding it to the Known Exploited Vulnerabilities catalog means organizations, and in particular federal agencies, which must comply with BOD 22-01, need to patch immediately.
Second, Microsoft has just patched an ASP.NET Core vulnerability with a nearly perfect CVSS score of 9.9. Security program manager Barry Dorrans noted this was Microsoft's "highest ever" score for such a flaw. The bug is in the Kestrel web server component and enables security bypass via a technique called request smuggling. Request smuggling allows an extra request to be hidden inside another one. This smuggled request could potentially bypass cross-site request forgery checks, log in as a different user, or perform injection attacks.
While Microsoft states that the risk depends on the application's code and how it’s deployed—often behind a reverse proxy—the cautious approach is to patch as soon as possible. This vulnerability affects all supported versions of ASP.NET Core, including versions 8, 9, and the 10 pre-release.
Segment 5: The $14 Billion Crypto Scam and Forced Labor
Finally, we turn to a massive story combining cybercrime, massive fraud, and shocking human rights abuses. The U.S. government has seized more than $14 billion in Bitcoin and charged the founder of a Cambodian conglomerate in what prosecutors are calling one of the largest investment fraud operations in history.
The founder is Chen Zhi, the chairman of Prince Holding Group, who has been charged with wire fraud conspiracy and money laundering conspiracy. Chen Zhi is accused of being the “mastermind behind a sprawling cyberfraud empire”.
The scheme is a massive "pig butchering" scam. Prosecutors said Chen Zhi bragged that the scam was pulling in $30 million a day at one point. The proceeds were used to purchase yachts, jets, a Picasso painting, and luxury goods.
But the details surrounding how this money was made are horrifying. The indictment alleges that Prince Holding Group built at least 10 compounds in Cambodia where workers—often migrants held against their will—were forced to contact thousands of victims through social media, build rapport, and entice them to transfer cryptocurrency with the promise of big investment returns. In reality, the money was swindled and funneled into Chen Zhi's businesses.
The Treasury Department declared Chen Zhi's company a transnational criminal organization. The compounds functioned as forced labor camps, surrounded by high walls and barbed wire. Workers were held captive, isolated, and sometimes beaten. Photographs included in the indictment showed men with bloody gashes, and one person reported seeing escapees being "beaten until they are barely alive".
Chen Zhi is currently at large. If convicted, he faces up to 40 years in prison, and the seized Bitcoin—127,271 bitcoins—could potentially be used to repay victims. This operation is described as an "essential part of the scaffolding that makes global cyber-scamming possible".
Wrap Up
Whether it’s nation-state espionage stealing source code from F5, rootkits hiding in Cisco routers, or the moral corruption behind massive crypto scams, the cybersecurity landscape remains turbulent. The key takeaways for CISOs this week are clear: patch those 10.0 and 9.9 vulnerabilities immediately, be extremely suspicious of third-party vendor access like the issues seen with Discord and 5CA, and conduct deep, low-level inspections if you suspect networking gear compromise from campaigns like ZeroDisco.
We've got a strategic breakdown of the Cisco and F5 incidents, tailored specifically for cybersecurity leaders, over on thecisolife.com blog. Find the link in the show notes.
That's it for this week's Cyber Scoops & Digital Shenanigans. Stay safe out there, and we'll catch you next time.