Daily Briefing for 10.17.25

Top stories.

• Prosper data breach reportedly affected more than 17 million accounts.
• Microsoft revokes certificates used in Rhysida ransomware operation.
• Threat actors exploit Cisco flaw to deploy Linux rootkits.
• Europol disrupts cybercrime-as-a-service operation.

Prosper data breach reportedly affected more than 17 million accounts.

A data breach disclosed last month by financial services company Prosper affected more than 17 million accounts, BleepingComputer reports. Prosper disclosed that the attackers stole Social Security numbers belonging to Prosper customers and loan applicants, but didn't share how many users were impacted. Have I Been Pwned disclosed the alleged scope of the breach yesterday, saying the breach affected 17.6 million unique email addresses, as well as names, dates of birth, government-issued IDs, employment status, credit status, income levels, physical addresses, IP addresses, and browser user agent details.

A Prosper spokesperson told BleepingComputer that the company "is not able to validate" Have I Been Pwned's report, adding, "The investigation to determine what data was affected and to whom it belongs remains ongoing."

Microsoft revokes certificates used in Rhysida ransomware operation.

Microsoft disrupted a Rhysida ransomware operation by revoking more than 200 certificates that were being used to sign malicious Teams installers, SecurityWeek reports. The company attributes the activity to the financially motivated threat actor "Vanilla Tempest."

Microsoft stated, "Running the fake Microsoft Teams setups delivered a loader, which in turn delivered a fraudulently signed Oyster backdoor. Vanilla Tempest has incorporated Oyster into their attacks as early as June 2025, but they started fraudulently signing these backdoors in early September 2025. To fraudulently sign the fake installers and post-compromise tools, Vanilla Tempest was observed using Trusted Signing, as well as SSL[.]com, DigiCert, and GlobalSign code signing services."

Threat actors exploit Cisco flaw to deploy Linux rootkits.

Trend Micro has published a report on the exploitation of a Cisco SNMP vulnerability (CVE-2025-20352) to deploy rootkits on older Linux systems. The researchers have dubbed the operation "Zero Disco" after the universal password used by the malware. The report notes, "Trend Micro telemetry has, as of writing, detected that Cisco 9400 series and 9300 series are affected by this operation. The operation also affected Cisco 3750G devices with no guest shell available, but this type of device has already been phased out."

Trend Micro adds, "Currently there is no universal automated tool that can reliably determine whether a Cisco switch has been successfully compromised by the ZeroDisco operation. If you suspect a switch is affected, we recommend contacting Cisco TAC immediately and asking the vendor to assist with a low-level investigation of firmware/ROM/boot regions."

Europol disrupts cybercrime-as-a-service operation.

A Europol-coordinated operation resulted in the arrest of five Latvians accused of operating a service that sold phone numbers to scammers, according to The Record. Police seized 1,200 SIM box devices and 40,000 active SIM cards. Europol stated, "The online service created by the criminal network offered telephone numbers registered to people from over 80 countries for use in criminal activities. It allowed perpetrators to set up fake accounts for social media and communication platforms, which were subsequently used in cybercrimes while obscuring the perpetrators’ true identity and location."