Critical Zero-Days & AI Threats: Cybersecurity News October 16-17, 2025
The past two days have exposed critical vulnerabilities in our digital infrastructure while highlighting how rapidly AI is reshaping attack and defense strategies. I've been tracking several significant developments that should concern anyone responsible for cybersecurity or implementing AI systems. Here's what you need to know.
North Korean Hackers Evolve Their Tactics
North Korean threat actors behind the "Contagious Interview" campaign are merging the functionality of their malware programs in sophisticated new ways. Cisco Talos researchers discovered that the hacking group—tracked under multiple names, including CL-STA-0240, DeceptiveDevelopment, and Void Dokkaebi—is combining capabilities from two of its key tools: BeaverTail and OtterCookie.
What makes this particularly troubling is that OtterCookie has been fitted with a new module for keylogging and screenshots. This isn't just incremental improvement—it shows an organized effort to refine and consolidate their toolset for maximum effectiveness.
The really clever part? Google Threat Intelligence Group and Mandiant revealed these actors are now using a stealthy technique called "EtherHiding" to fetch next-stage payloads from the BNB Smart Chain blockchain. By hiding malicious code on the blockchain, they're making detection and takedown significantly harder.
This campaign primarily targets developers through fake job interviews, making it especially relevant for tech companies. The sophistication level here suggests state-sponsored operations with substantial resources behind them.
Critical Zero-Day Exploits Hit Networking Infrastructure
On October 16, researchers disclosed that threat actors are actively exploiting CVE-2025-20352, a critical zero-day vulnerability in Cisco networking devices. This stack overflow flaw in the Simple Network Management Protocol (SNMP) subsystem allows authenticated remote attackers to execute arbitrary code by sending crafted SNMP packets.
The operation, dubbed "Operation Zero Disco" by Trend Micro, has primarily impacted Cisco 9400, 9300, and legacy 3750G series devices. What's particularly concerning is that attackers are also attempting to exploit a modified Telnet vulnerability based on CVE-2017-3881 to enable memory access.
Cisco patched this vulnerability late last month, but the exploitation was already underway before the fix became available. This is precisely the kind of supply chain vulnerability that can cascade across thousands of organizations. If you're running affected Cisco devices, this needs to be at the top of your patching priority list.
New Linux Rootkit Discovered in AWS Infrastructure
An investigation into compromised Amazon Web Services infrastructure has uncovered a sophisticated new GNU/Linux rootkit called LinkPro. French cybersecurity firm Synacktiv discovered this backdoor, which uses two eBPF (extended Berkeley Packet Filter) modules—one to conceal itself and another to be remotely activated upon receiving a "magic packet."
The infection chain is instructive: attackers exploited an exposed Jenkins server vulnerable to CVE-2024-23897 (CVSS score: 9.8), then deployed a malicious Docker Hub image on several Kubernetes clusters. This image contained a Kali Linux base with scripts to start SSH services and execute the rootkit.
What strikes me about this attack is how it leverages legitimate cloud infrastructure components—Jenkins, Docker, Kubernetes—to establish persistence. It's a reminder that cloud security isn't just about configuring AWS properly; it's about securing every component in your CI/CD pipeline.
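One concrete control for the step where a Docker Hub image reached the clusters is to reject, before deployment, any workload whose images would be pulled from outside an approved registry. The following is an added example, not code from the article or from Synacktiv, showing such a pre-deploy check as a CI job (for instance a Jenkins stage) could run it; the registry name `registry.example.internal` and the sample manifest are constructed for illustration.

```python
"""Flag container images that do not come from an approved registry.

Added example (not from the article or any vendor): a pre-deploy check that a
CI job could run against Pod-bearing manifests before they reach a cluster.
The approved registry name and the sample manifest below are constructed.
"""
import json

APPROVED_REGISTRIES = {"registry.example.internal"}  # assumed internal registry


def image_registry(ref: str) -> str:
    """Return the registry an image reference resolves to.

    Follows the Docker reference rules: the first path component is a registry
    only if it contains '.' or ':' or is 'localhost'; otherwise the reference
    is short-form and implicitly pulls from docker.io (Docker Hub).
    """
    ref = ref.split("@", 1)[0]               # drop a trailing @sha256:... digest
    first, sep, _rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def disallowed_images(manifest: dict) -> list[str]:
    """Return image refs in a Pod-like manifest whose registry is not approved."""
    spec = manifest.get("spec", {})
    if "template" in spec:                   # Deployment/DaemonSet/Job wrappers
        spec = spec["template"].get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return [c["image"] for c in containers
            if image_registry(c["image"]) not in APPROVED_REGISTRIES]


# Constructed manifest: two approved images and one short-form Docker Hub image
SAMPLE_MANIFEST = json.loads("""
{"kind": "Deployment",
 "spec": {"template": {"spec": {
   "initContainers": [{"name": "init", "image": "registry.example.internal/base/init:1.2"}],
   "containers": [{"name": "app",  "image": "registry.example.internal/team/app@sha256:0123"},
                  {"name": "tool", "image": "someuser/kali-tools:latest"}]}}}}
""")

if __name__ == "__main__":
    for img in disallowed_images(SAMPLE_MANIFEST):
        print(f"DENY: {img} resolves to {image_registry(img)}")
```

The short-form reference is the case worth noting: an image name with no registry prefix silently resolves to Docker Hub, which is exactly how an unvetted public image slips into a cluster.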
WatchGuard Firewall Vulnerability Demands Attention
Cybersecurity researchers disclosed details of CVE-2025-9242, a critical out-of-bounds write vulnerability in WatchGuard Fireware OS with a CVSS score of 9.3. This flaw affects both mobile user VPN with IKEv2 and branch office VPN using IKEv2 when configured with a dynamic gateway peer.
An unauthenticated remote attacker could exploit this to execute arbitrary code. WatchGuard patched this in September, but the disclosure of details means exploit code will likely emerge soon if it hasn't already. Organizations running WatchGuard firewalls should verify they're on patched versions immediately.
Volkswagen France Hit by Qilin Ransomware
On October 16, the Qilin ransomware gang claimed responsibility for attacking Volkswagen France. While details are still emerging, this continues the trend of major automotive manufacturers being targeted by sophisticated ransomware operations.
The automotive industry has become increasingly attractive to ransomware groups due to the high value of intellectual property, the criticality of manufacturing operations, and the interconnected nature of supply chains. A successful attack can disrupt not just one company but ripple through entire ecosystems of suppliers and dealers.
AI: The Double-Edged Sword in Cybersecurity
While these attacks were unfolding, I've been reflecting on the role AI is playing in both offensive and defensive cybersecurity. The World Economic Forum's Global Cybersecurity Outlook 2025 highlights a troubling reality: generative AI is being employed for advanced phishing, identity theft, and zero-day exploits targeting unknown security flaws.
Anthropic, creator of the Claude chatbot, has warned that hackers are "weaponizing" AI, which has been used to develop malicious code affecting at least 17 organizations. This isn't hypothetical—it's happening right now.
The flip side is that organizations are ramping up AI use to bolster cyber defenses. With cybersecurity budgets growing only 4% in 2025 (down from 17% in 2022) despite increasing threats, AI represents a force multiplier that many organizations desperately need.
But here's the challenge: only 14% of organizations have the right cybersecurity talent, according to the Forum's report. This talent scarcity means that even as threats grow more sophisticated, our capacity to defend against them isn't keeping pace.
The Transparency Problem
Perhaps the most disturbing trend I've noticed is captured in Bitdefender's 2025 Cybersecurity Assessment Report: 58% of security professionals were told to keep a breach confidential, even when they believed disclosure was necessary. That's a 38% increase since 2023.
This pressure to remain silent is especially acute for CISOs and CIOs. When organizations prioritize optics over transparency, it undermines the collective defense that cybersecurity depends on. Threat intelligence sharing becomes impossible when everyone is hiding their incidents.
Quantum Computing: The Looming Threat
Looking ahead, I'm increasingly focused on the quantum computing threat to current encryption standards. While the immediate vulnerabilities I've discussed demand attention today, quantum computers represent a severe long-term threat to today's cybersecurity practices.
The "Y2Q" moment—when quantum computers become powerful enough to break current encryption—is approaching. Major tech companies are already transitioning: Apple updated iMessage with quantum-secure encryption, Google implemented new standards in Chrome, and IBM and Microsoft are integrating post-quantum cryptography into their platforms.
Organizations need to start auditing their cryptographic assets now and planning their migration to post-quantum encryption standards. This isn't something you want to address in a panic when quantum computers reach commercial scale.
My Key Takeaways
- State-sponsored threats are evolving faster than defenses: The North Korean campaign shows how nation-state actors are becoming more sophisticated and more complex to detect.
- Zero-day exploits remain a critical risk: The Cisco vulnerability demonstrates that even major vendors can have critical flaws exploited before patches are available.
- Cloud infrastructure is under attack: The LinkPro rootkit shows attackers are successfully targeting cloud environments through CI/CD pipelines.
- Ransomware isn't going away: High-profile attacks like Volkswagen France remind us that ransomware remains a top threat.
- AI is reshaping the battlefield: Both attackers and defenders are leveraging AI, creating an arms race in automation.
- Transparency is declining: Organizations are increasingly hiding breaches, which undermines collective security.
- Quantum threats require preparation now: Post-quantum cryptography isn't a future concern—it's a present necessity.
- Talent shortage is critical: With only 14% of organizations having adequate cybersecurity talent, this gap will continue to widen unless addressed.
What Organizations Should Do Now
Immediate Actions:
- Patch Cisco devices affected by CVE-2025-20352
- Update WatchGuard firewalls to the latest versions
- Review Jenkins and Kubernetes security configurations
- Audit exposed services for unnecessary internet accessibility
Strategic Initiatives:
- Develop incident response plans that balance transparency with business needs
- Begin inventory of cryptographic assets for eventual quantum-safe migration
- Invest in AI-powered defense tools to combat AI-enhanced threats
- Address cybersecurity talent gaps through training and strategic hiring
Long-term Planning:
- Evaluate the post-quantum cryptography roadmap
- Build threat intelligence sharing relationships
- Develop comprehensive supply chain security programs
- Create budget justifications that reflect actual threat levels, not historical spending
The threat landscape has never been more complex. Success requires not just responding to individual vulnerabilities, but building resilient systems that can adapt as both threats and defenses evolve. The organizations that thrive will be those that view cybersecurity as an ongoing strategic priority rather than a compliance checkbox.
References:
Cybersecurity Threats & Vulnerabilities:
- The Hacker News - "North Korean Hackers Evolve Contagious Interview Campaign" (October 17, 2025)
- SecurityWeek - "Threat actors exploiting CVE-2025-20352, Cisco zero-day" (October 16, 2025)
- The Hacker News - "New GNU/Linux rootkit LinkPro discovered in AWS infrastructure" (October 16, 2025)
- The Hacker News - "WatchGuard Fireware CVE-2025-9242 vulnerability disclosed" (October 16, 2025)
- Cybernews - "Volkswagen France hit by ransomware, Qilin gang claims" (October 16, 2025)
AI & Cybersecurity Trends:
- World Economic Forum - "Cybersecurity awareness: AI threats and cybercrime in 2025" (September 2025)
- The Hacker News - "2025 Cybersecurity Reality Check: Breaches Hidden, Attack Surfaces Growing" (October 2025)
Quantum Computing & Encryption:
- Deloitte Insights - "Quantum computing and cybersecurity" (2025)
- Security Boulevard - "Top 10 Emerging Technology Trends to Watch in 2026 and Beyond" (October 16, 2025)