Daily Cyber Briefing
The Daily Cyber Briefing delivers concise, no-fluff updates on the latest cybersecurity threats, breaches, and regulatory changes. Each episode equips listeners with actionable insights to stay ahead of emerging risks in today’s fast-moving digital landscape.
DELMIA Exploits, Copilot Confusion, and Qilin's Evasive Maneuvers
Today we dive into critical industrial cyber threats as CISA warns of active exploitation in DELMIA factory software. We also examine Google's move to make HTTPS the default for all public sites and review the massive lawsuit alleging Microsoft tricked millions of users into pricey Copilot subscriptions.
Welcome back to Cyber Scoops & Digital Shenanigans, the podcast where we break down the latest, most critical happenings in the digital world. I’m your host, Mike Housch, and we have a packed schedule today, focusing heavily on operational technology risks and some intriguing developments in browser security and consumer protection. Grab your coffee, let's dive in.
First up, let’s talk about industrial cybersecurity, specifically manufacturing. The US cybersecurity agency CISA issued a serious warning recently, alerting organizations that two critical vulnerabilities in DELMIA Apriso factory software have been actively exploited in attacks. DELMIA Apriso is serious stuff; it’s a manufacturing operations management (MOM) and manufacturing execution system (MES) software developed by Dassault Systèmes. It manages the entire manufacturing process, so compromise here is huge.
The two exploited flaws are tracked as CVE-2025-6204 and CVE-2025-6205. These affect DELMIA Apriso from release 2020 through release 2025.
Now, the nasty part is how these are being chained together. CVE-2025-6204 is a code injection bug that permits attackers to execute arbitrary code, and CVE-2025-6205 is a missing authorization issue that allows privileged access to the application. ProjectDiscovery noted that attackers can chain these defects to achieve elevated privileges and then drop executable files, like webshells, into a web-served directory.
Here’s the technical rundown: The product exposes a SOAP-based message processor endpoint that accepts XML payloads for bulk employee or identity provisioning. Attackers can send unauthenticated requests to this SOAP message processor to create an arbitrary account and assign it high privileges. Once that high-privilege account is created, they can authenticate as the new user and drop executables directly into the server’s web root using a file upload API exposed by portal components. That's a clean, two-step process for a total takeover.
Dassault Systèmes released patches for these on August 4th. ProjectDiscovery published technical details on September 23rd. CISA has now added both of these issues to its Known Exploited Vulnerabilities, or KEV list. For federal agencies, this means they are mandated by Binding Operational Directive (BOD) 22-01 to patch the flaws within three weeks. While this directive only applies to federal agencies, all organizations should be reviewing CISA's KEV list and applying these patches immediately.
To hunt for potential compromise, organizations should be scanning directories for executables like webshells and checking for newly created privileged accounts within DELMIA Apriso deployments. This is a massive supply chain security and industrial cybersecurity priority right now.
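The two hunting steps just described (look for recently dropped executables in a web-served directory, and look for newly created accounts holding a privileged role) are mechanical enough to script. The following is an added example, not code from the episode, from CISA, from ProjectDiscovery or from Dassault Systèmes: it walks a web root for executable-type files modified inside a look-back window, raises priority on any whose body both reads request parameters and spawns a process, and separately lists accounts created inside the window that hold a privileged role. The file extensions, the web-shell indicator patterns, the `Administrator` role name, the account record shape and every path and file in the demo are constructed assumptions; point `find_recent_executables` at your real web root and feed `find_new_privileged_accounts` an export of your real account table.

```python
"""Hunting helpers for two post-exploitation indicators: executable drops in a
web-served directory and newly created privileged accounts.
Added example with constructed data; nothing here is product-specific."""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# File types a web server executes rather than serves as static content (assumption: IIS/.NET-style stack).
WEB_EXECUTABLE_EXTS = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp", ".exe", ".dll"}

# Indicators of a minimal web shell: reads attacker-supplied parameters AND spawns a command.
# Both must match to raise priority; either alone is common in legitimate code.
SHELL_PATTERNS = [
    re.compile(rb"Request\s*[\[.]", re.IGNORECASE),
    re.compile(rb"Process\.Start|cmd\.exe|/bin/sh|eval\s*\(", re.IGNORECASE),
]


def find_recent_executables(webroot, since):
    """Return sorted [(relative_path, suspicious)] for executable-type files under
    webroot modified at or after `since` (timezone-aware datetime). `suspicious`
    is True when the file body matches every web-shell indicator pattern."""
    hits = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in WEB_EXECUTABLE_EXTS:
                continue
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            if mtime < since:
                continue
            with open(path, "rb") as fh:
                body = fh.read(65536)  # first 64 KiB is enough for indicator matching
            suspicious = all(p.search(body) for p in SHELL_PATTERNS)
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            hits.append((rel, suspicious))
    return sorted(hits)


def find_new_privileged_accounts(accounts, since, privileged_roles=frozenset({"Administrator"})):
    """accounts: iterable of dicts {name, created (aware datetime), roles (list)}.
    Return sorted names of accounts created at or after `since` holding a privileged role."""
    return sorted(
        a["name"] for a in accounts
        if a["created"] >= since and privileged_roles & set(a["roles"])
    )


def demo():
    """Build a constructed web root and account list, run both checks, return (files, users)."""
    now = datetime.now(timezone.utc)
    since = now - timedelta(days=14)  # look-back window (assumption)
    with tempfile.TemporaryDirectory() as webroot:
        os.makedirs(os.path.join(webroot, "portal"))
        # Legitimate page that predates the window: must be ignored.
        old = os.path.join(webroot, "portal", "default.aspx")
        with open(old, "wb") as fh:
            fh.write(b'<%@ Page Language="C#" %><html>welcome</html>')
        old_ts = (now - timedelta(days=400)).timestamp()
        os.utime(old, (old_ts, old_ts))
        # Recent legitimate deployment: reported for review, not flagged as a shell.
        with open(os.path.join(webroot, "portal", "report.aspx"), "wb") as fh:
            fh.write(b'<%@ Page Language="C#" %><html>report</html>')
        # Constructed indicator fixture (not a working page) carrying both shell indicators.
        with open(os.path.join(webroot, "portal", "x.aspx"), "wb") as fh:
            fh.write(b'<!-- constructed fixture --> Process.Start(...) Request["c"]')
        files = find_recent_executables(webroot, since)
    accounts = [  # constructed account export
        {"name": "svc_mes", "created": now - timedelta(days=900), "roles": ["Administrator"]},
        {"name": "jdoe", "created": now - timedelta(days=3), "roles": ["Operator"]},
        {"name": "apriso_sync", "created": now - timedelta(days=2), "roles": ["Administrator", "Operator"]},
    ]
    users = find_new_privileged_accounts(accounts, since)
    return files, users


if __name__ == "__main__":
    files, users = demo()
    print("recent executables:", files)
    print("new privileged accounts:", users)
```

Every recent executable is reported, not only the ones matching shell indicators, because an unexpected deployment inside the window is itself worth a look; the `suspicious` flag just orders the queue. Compare the account list against your change records: a privileged account nobody can explain is the stronger signal of the two.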
Shifting gears from factory floors to your everyday browser, Google announced a significant security change coming to Chrome. Google will be changing Chrome’s default settings next year so that the browser will navigate only to websites that support HTTPS.
This feature, known as ‘Always Use Secure Connections,’ was introduced in Chrome in 2022 as an opt-in feature. But starting in October 2026, with the projected arrival of Chrome 154, this setting will be on by default for all users and for all public sites.
Why the shift? Google explained that the use of HTTPS makes the browsing experience more secure because it prevents attackers from hijacking navigation. When links don't use HTTPS, an attacker can force Chrome users to load arbitrary, attacker-controlled resources, exposing the user to malware, targeted exploitation, or social engineering attacks.
If Chrome encounters a public site that does not use a secure connection, it will display a warning and require the user’s explicit permission to navigate to it. The good news is that over 95% of websites already rely on encrypted connections. Google's recent testing showed that the insecure connection warning was displayed for less than 3% of navigations. They expect that warning volume to drop even lower once this feature becomes the default.
If you absolutely hate the warnings for HTTP sites, you will be able to disable them completely by turning off the ‘Always Use Secure Connections’ setting. But for most of us, this is a very welcome move toward better, automatic security.
Next, we turn our attention to the growing legal scrutiny around artificial intelligence integration. Microsoft is currently facing a lawsuit from the Australian Competition and Consumer Commission, or ACCC. The ACCC is suing Microsoft for allegedly misleading 2.7 million Australians into paying for the Copilot AI assistant in the Microsoft 365 service.
Microsoft 365 is their subscription-based productivity suite. The Copilot AI tool was integrated for Australian customers on October 31, 2024, offering AI assistance in apps for things like drafting text and summarizing reports.
The core issue, according to the ACCC, is that Microsoft concealed the option for existing subscribers to stay on their existing plan without Copilot and at the same price. Subscribers who reached their renewal date or opted for auto-renewal received messages that allegedly did not inform them that they could continue with their existing, non-Copilot tier. The ACCC notes that customers would only see that cheaper option if they went through the service cancellation process—something most users interested in continuing the service wouldn't do.
The result of this alleged deceptive communication? Subscribers on the Microsoft 365 Personal tier faced a 45% price increase for Copilot, and those on the Microsoft 365 Family plan saw a 29% increase.
The ACCC views this as a breach of several sections of the Australian Consumer Law. This includes Section 18 regarding misleading or deceptive conduct, and Section 29, which covers false or misleading representations about the price or the need for goods or services. The ACCC is seeking civil penalties, injunctions to prevent future conduct, and consumer compensation.
Given that Microsoft's communication approach for Copilot's launch on the M365 platform was similar worldwide, it is reasonable to expect similar legal actions might be pursued in other regions. Microsoft, for their part, stated that consumer trust and transparency are top priorities and they are reviewing the ACCC's claim in detail.
Our final scoop today concerns a major evolutionary step in ransomware: evasion using native Windows features. We’re talking about Qilin ransomware, which has been spotted executing Linux encryptors in Windows by abusing the Windows Subsystem for Linux, or WSL.
Qilin, which rebranded from "Agenda" back in 2022, has become one of the most active ransomware operations globally, having attacked over 700 victims across 62 countries this year.
Researchers from Trend Micro observed Qilin affiliates transferring the Linux ELF encryptor to compromised devices. Because this encryptor is an ELF executable, it cannot run natively on Windows. This is where the digital shenanigans come in. The threat actors are utilizing the Windows Subsystem for Linux (WSL) to execute these Linux binaries directly on Windows.
The attackers enable or install WSL using scripts or command-line tools after gaining access, and then they deploy the Linux ransomware payload within that environment.
The critical takeaway here is the evasion technique. Since many Windows Endpoint Detection and Response, or EDR, products focus on traditional Windows PE (Portable Executable) behavior, they fail to detect malicious activity occurring inside the WSL environment. This allows the Linux-based encryptor to bypass many defenses that are specifically focused on traditional Windows malware. This abuse of WSL shows how ransomware operators are adapting their strategies for hybrid Windows and Linux environments to maximize their reach and evade security tools.
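The detection gap is the part defenders can act on: WSL has to be enabled, a Linux binary has to land on the Windows file system, and `wsl.exe` has to be asked to run it, and each of those steps is visible in ordinary process-creation and file-write telemetry even when the encryptor's own behaviour is not. The following is an added example, not code from Trend Micro or from the episode, that runs three such rules over constructed events shaped like Sysmon process-creation and file-create records: enabling the WSL optional feature (the `dism` and `Enable-WindowsOptionalFeature` feature name and the `wsl --install` switch are real), `wsl.exe` executing something from a `/mnt/<drive>/` path, and a file written to the Windows file system whose first bytes are the ELF magic. The event shape, host name, file paths and the staging logic in `triage` are assumptions.

```python
"""Detection rules for Linux-payload-via-WSL activity on a Windows host.
Added example over constructed telemetry; event fields are an assumption."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    id: int
    kind: str          # "process" (creation) or "file" (create/write)
    cmdline: str = ""  # process command line
    path: str = ""     # file path for file events
    head: bytes = b""  # first bytes of the written file

ELF_MAGIC = b"\x7fELF"

# Rule name -> pattern over the process command line.
PROCESS_RULES = [
    ("wsl_feature_enabled", re.compile(
        r"(enable-feature.*Microsoft-Windows-Subsystem-Linux"
        r"|Enable-WindowsOptionalFeature.*Microsoft-Windows-Subsystem-Linux"
        r"|\bwsl(\.exe)?\s+--install\b)", re.IGNORECASE)),
    ("wsl_exec_from_windows_path", re.compile(
        r"\bwsl(\.exe)?\b.*(\s-e\s|--exec\s|/mnt/[a-z]/)", re.IGNORECASE)),
]


def detect(events):
    """Return [(event_id, rule_name)] for every event matching a rule."""
    findings = []
    for ev in events:
        if ev.kind == "process":
            for name, pattern in PROCESS_RULES:
                if pattern.search(ev.cmdline):
                    findings.append((ev.id, name))
        elif ev.kind == "file" and ev.head.startswith(ELF_MAGIC):
            findings.append((ev.id, "elf_written_to_windows_fs"))
    return findings


def triage(findings):
    """Collapse findings into stages seen on the host and a severity (assumption:
    one stage alone is 'medium', two or more distinct stages together is 'high')."""
    stages = sorted({rule for _, rule in findings})
    if not stages:
        severity = "none"
    elif len(stages) == 1:
        severity = "medium"
    else:
        severity = "high"
    return {"severity": severity, "stages": stages}


# Constructed sample telemetry for one host; events 5 and 6 are benign noise.
SAMPLE_EVENTS = [
    Event(1, "process", cmdline="dism.exe /online /enable-feature "
          "/featurename:Microsoft-Windows-Subsystem-Linux /all /norestart"),
    Event(2, "process", cmdline="wsl.exe --install -d Ubuntu"),
    Event(3, "file", path=r"C:\ProgramData\upd", head=b"\x7fELF\x02\x01\x01\x00"),
    Event(4, "process", cmdline="wsl.exe -e /mnt/c/ProgramData/upd --path /mnt/c/"),
    Event(5, "process", cmdline="wsl.exe -d Ubuntu -- ls"),
    Event(6, "file", path=r"C:\Users\a\report.docx", head=b"PK\x03\x04"),
]


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for event_id, rule in found:
        print(f"event {event_id}: {rule}")
    print(triage(found))
```

Each rule on its own is noisy on a developer workstation, which is why the staging matters: a WSL feature enablement followed within a short window by an ELF write and a `wsl.exe` execution from `/mnt/` on a server that has never run WSL is the combination to alert on, and the file-magic check is the one piece the encryptor cannot avoid tripping.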
The affiliates also employ other highly aggressive tactics, including Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security software, using tools like "dark-kill" and "HRSword".
So, to recap the scoops: We have critical manufacturing systems being actively exploited, Microsoft facing a major consumer protection lawsuit over AI integration, and a highly active ransomware group, Qilin, adapting Linux tools to evade Windows security defenses.
As always, keep those patches current, especially if you deal with DELMIA Apriso, and remember that aggressive threats like Qilin are constantly pushing the envelope in evasion techniques. The Picus Blue Report 2025 indicated that password cracking doubled last year, with 46% of environments affected. Stay diligent.
That’s all the time we have for this week's Cyber Scoops & Digital Shenanigans. I’m Mike Housch, reminding you to secure your systems and stay skeptical. We’ll talk next time.