CISA warns of actively exploited Linux kernel flaw.

Summary

By the CyberWire staff

CISA warns of actively exploited Linux kernel flaw.

The US Cybersecurity and Infrastructure Security Agency (CISA) warns that ransomware actors are actively exploiting a high-severity privilege escalation vulnerability (CVE-2024-1086) in the Linux kernel, BleepingComputer reports. The flaw, which affects most major Linux distributions, received a patch in early 2024.

Separately, CISA and the National Security Agency (NSA, alongside Australian and Canadian cyber agencies, issued guidance for securing on-premise Microsoft Exchange Servers. The agencies state, "By restricting administrative access, implementing multifactor authentication, enforcing strict transport security configurations, and adopting zero trust (ZT) security model principles, organizations can significantly bolster their defenses against potential cyberattacks. Additionally, as certain Exchange Server versions have recently become end-of-life (EOL), the authoring agencies strongly encourage organizations to take proactive steps to mitigate risks and prevent malicious activity."

Control what runs in your environment. Reduce your attack surface.

ThreatLocker helps organizations reduce risk by allowing trusted applications to run while limiting their access to only the resources they need. It’s a straightforward, default deny approach that gives you more control and visibility—without slowing down operations. Explore how ThreatLocker can help simplify your security strategy.

Chinese threat actor exploits Windows LNK flaw to deploy malware.

Arctic Wolf warns that the Chinese threat actor UNC6384 is exploiting a high-severity Windows LNK vulnerability (CVE-2025-9491) to deliver PlugX malware via spearphishing emails. The campaign has targeted diplomatic entities in Hungary, Belgium, Serbia, Italy, and the Netherlands, using "malicious LNK files themed around European Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events." Arctic Wolf explains, "These files exploit the recently disclosed Windows vulnerability to execute obfuscated PowerShell commands that extract and deploy a multi-stage malware chain, culminating in PlugX remote access trojan (RAT) deployment through DLL side-loading of legitimate signed Canon printer assistant utilities."

Former L3 Harris exec pleads guilty to selling exploits to Russia.

A former L3 Harris executive has pleaded guilty to stealing at least eight exploits and selling them to a Russian government contractor, CyberScoop reports. 39-year-old Peter Williams, an Australian national who admitted to stealing the exploits from L3 Harris subsidiary Trenchant, will likely face between seven and nine years in prison. He'll be sentenced in January 2026.

The US Justice Department stated, "[F]rom approximately 2022 through 2025, Williams improperly used his access to the defense contractor’s secure network to steal the cyber exploit components that constituted the trade secrets. Williams resold those components in exchange for the promise of millions of dollars in cryptocurrency."

Notes.

Today's issue includes events affecting Australia, Canada, China, Belgium, Hungary, Italy, the Netherlands, Russia, Serbia, and the United States.

Attacks, Threats, and Vulnerabilities

More than 10 million people impacted by breach of government contractor Conduent (The Record) The government contractor Conduent informed multiple states this week that a cybersecurity incident in January exposed the information of more than 10 million people.

Trends

Organizations That Delay Responding to Email Breaches are 79% More Likely to Suffer a Ransomware Hit (Barracuda) New research shows 78% of respondents experienced an email security breach in the previous 12 months.

Toxic combinations: The hidden cause behind 70% of major breaches (Panaseer) Learn how overlapping cyber risks, known as “toxic combinations,” led to major breaches and lasting damage across global enterprises.

Litigation, Investigation, and Law Enforcement

Coalition calls on FTC to block Meta from using chatbot interactions to target ads, personalize content (The Record) The move comes after Meta announced that starting on December 16 it will target ads and customize content based on users’ engagement with chatbots.

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

ISC2 Security Congress 2025 (Nashville + Virtual, Tennessee, USA, Oct 29 - 31, 2025) Join thousands of cybersecurity experts at ISC2 Security Congress 2025 and help lead the future of our connected world. Gain the insights you need to stay ahead of the evolving digital landscape. From innovative software to new security strategies, ISC2 Security Congress 2025 is designed to ensure you can navigate tomorrow’s threats.

Cyber Innovation Day 2025 | Datatribe (Washington, DC, USA, Nov 4, 2025) If you’re raising a seed or pre-seed round and are building the next category-defining company, we want to hear from you! The DataTribe Challenge is the headline event of the afternoon at Cyber Innovation Day 2025, where five finalists take the stage after weeks of hands-on coaching from seasoned startup operators and investors. These five finalists—along with additional promising startups—will exhibit in the Cyber Innovation Expo Hall, gaining high-impact exposure to top investors, cybersecurity leaders, and strategic partners.

CYBERWARCON (Virtual and Arlington, Virginia, USA, Nov 19, 2025) CYBERWARCON is a one-day conference in Arlington, VA focused on the specter of destruction, disruption, and malicious influence on our society through cyber capabilities. CYBERWARCON is not a hacker conference, or an ICS conference, or an international policy conference. The central purpose of this conference is to identify and explore threats. Participants and attendees come from a spectrum of backgrounds, including the military and government, academia, the media, and the private sector.

AWS re:Invent 2025 (Las Vegas, Nevada, USA, Dec 1 - 5, 2025) AWS re:Invent is a learning conference hosted by AWS for the global cloud computing community. The in-person event features keynote announcements, training and certification opportunities, access to more than 2,000 technical sessions, the Expo, after-hours events, and so much more.

TRUSTECH 2025 (Paris, France, Dec 2 - 4, 2025) This international event is the go-to place for all things payments, digital identity, cybersecurity, and fintech. With over 200 exhibitors, 100+ speakers, innovation awards, networking opportunities, and exclusive content, it’s the perfect place to discover what’s next in trusted technologies.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 10.31.25

Top stories.

CISA warns of actively exploited Linux kernel flaw.

Chinese threat actor exploits Windows LNK flaw to deploy malware.

Former L3 Harris exec pleads guilty to selling exploits to Russia.

Notes.

Attacks, Threats, and Vulnerabilities

Trends

Litigation, Investigation, and Law Enforcement

Events