Brief #131: Sturnus Trojan Bypasses WhatsApp Encryption, ServiceNow AI Agents Exploited, CISO Pay Up 6.7%

Nikoloz Kokhreidze


Azure mitigated a record-breaking 15.72 Tbps DDoS attack from 500K+ IPs. Security budgets grew only 4% while executive compensation surged, creating resource allocation challenges.


Happy Sunday!

In this week's brief:

  • OWASP's 2025 Top 10 introduces Software Supply Chain Failures as a new #3 category, while social engineering attacks jumped 1,450% in the first half of 2025
  • ChatGPT vulnerabilities are enabling attackers to steal private data from hundreds of millions of users through 0-click attacks and memory poisoning techniques
  • The "two million cybersecurity jobs" narrative gets debunked with real data showing only 514,000 actual openings, explaining why qualified professionals struggle to find work

A quick note before we dive in.

A Quick note

Is Security Blocking Your Next Enterprise Deal?

Let's discuss how fractional CISO services can unlock your pipeline without the full-time overhead.


Industry News

Sturnus Banking Trojan Bypasses WhatsApp, Telegram and Signal Encryption

  • Security researchers discovered Sturnus, an Android banking trojan that bypasses end-to-end encryption by capturing content directly from the device screen after decryption, allowing attackers to monitor communications on WhatsApp, Telegram, and Signal in real time.

  • The malware provides extensive remote control capabilities, including full device takeover, credential harvesting through fake banking app overlays, and the ability to black out the screen while executing fraudulent transactions without the victim's knowledge.

  • Currently in a development phase with limited deployment, Sturnus targets financial institutions across Southern and Central Europe and uses advanced techniques including AES encryption for C2 communications, the VNC protocol for remote sessions, and Android Accessibility Service abuse for comprehensive device monitoring.
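Because the screen-reading capability rests on an accessibility service being enabled, a quick triage step on a suspect handset is to list the enabled services and flag any package that is not on a managed allowlist. The following Python helper is an added example written for this brief, not code from the researchers or from any Android project: it parses the colon-separated value returned by `adb shell settings get secure enabled_accessibility_services` (the `Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES` setting). The sample setting string, the `com.example.unknownapp` package and the allowlist contents are constructed for illustration.

```python
"""Triage helper: flag enabled Android accessibility services whose package
is not on an allowlist. Input is the value of the
Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES setting, as printed by
`adb shell settings get secure enabled_accessibility_services`."""

# Constructed sample: a legitimate screen reader plus an unknown third-party
# service (com.example.unknownapp is a hypothetical package for this example).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.unknownapp/.OverlayService"
)

# Assumption: an organisation-managed allowlist of packages that are trusted
# to hold accessibility rights. Keep it short and review it centrally.
TRUSTED_PACKAGES = {
    "com.google.android.marvin.talkback",
}


def parse_enabled_services(setting: str) -> list[tuple[str, str]]:
    """Split the setting into (package, service_class) pairs.

    Entries have the form `package/Class`. A class beginning with '.' is the
    short form relative to the package and is expanded to its full name.
    """
    services = []
    for entry in filter(None, setting.strip().split(":")):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def untrusted_services(setting: str, trusted=TRUSTED_PACKAGES) -> list[str]:
    """Return fully qualified components whose package is not allowlisted.

    Any entry returned here is an app that can read on-screen text and inject
    input across other apps, which is the capability the trojan abuses, so
    it deserves a manual look (or removal via device management).
    """
    return [
        f"{pkg}/{cls}"
        for pkg, cls in parse_enabled_services(setting)
        if pkg not in trusted
    ]


if __name__ == "__main__":
    for component in untrusted_services(SAMPLE_SETTING):
        print("REVIEW:", component)
```

The same check can be enforced continuously by a mobile device management policy that restricts which apps may be granted accessibility rights; the script is only a manual or incident-response counterpart to that policy.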

Sneaky2FA Phishing Kit Adds Browser-in-the-Browser Attack Capability

  • Push Security researchers discovered that the Sneaky2FA phishing-as-a-service kit has integrated Browser-in-the-Browser (BITB) techniques, creating fake Microsoft login pop-ups that mask the actual phishing URL while using reverse-proxy technology to steal credentials and bypass MFA.

  • The attack chain begins with Cloudflare Turnstile bot protection, followed by a fake Adobe Acrobat document prompt that loads a convincing Microsoft login form in an embedded browser window that adapts to the victim's operating system and browser type.

  • Sneaky2FA employs multiple evasion techniques including conditional loading to block security vendors, heavily obfuscated HTML/JavaScript code, domain rotation with randomized 150-character URLs, and anti-analysis methods that disable browser developer tools.
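The long randomised URLs used for domain rotation are one of the few kit traits visible in ordinary proxy or DNS logs. The following Python snippet is an added example for this brief, not code from Push Security or from any vendor product: it scans constructed sample proxy log lines and flags URLs that carry a single path segment that is both very long and high-entropy. The log format, the sample lines, the `cdn-share.example.net` host and the two thresholds are assumptions for the example; real thresholds need tuning against your own traffic, and the randomness could equally sit in the hostname, which this heuristic does not inspect.

```python
"""Proxy-log heuristic for long randomised phishing URLs: flag requests whose
path contains a segment that is both long and high-entropy. Sample log lines
are constructed; thresholds are assumptions to be tuned per environment."""
import math
import random
import string
from collections import Counter
from urllib.parse import urlsplit

# Deterministic 150-character random-looking segment for the sample log.
_rng = random.Random(7)
RANDOM_SEGMENT = "".join(_rng.choices(string.ascii_letters + string.digits, k=150))

# Constructed sample log in a simplified "timestamp client url" format.
SAMPLE_LOG = f"""\
2025-11-20T10:01:02Z 10.0.0.5 https://intranet.example.com/docs/handbook.pdf
2025-11-20T10:01:09Z 10.0.0.5 https://login.microsoftonline.com/common/oauth2/v2.0/authorize
2025-11-20T10:02:31Z 10.0.0.7 https://cdn-share.example.net/{RANDOM_SEGMENT}
"""

MIN_SEGMENT_LEN = 100    # assumption: benign path segments are rarely this long
MIN_ENTROPY_BITS = 4.5   # assumption: random alphanumerics score around 5.5 bits/char


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_segments(url: str, min_len: int = MIN_SEGMENT_LEN,
                        min_entropy: float = MIN_ENTROPY_BITS) -> list[str]:
    """Path segments of url that exceed both the length and entropy thresholds."""
    path = urlsplit(url).path
    return [seg for seg in path.split("/")
            if len(seg) >= min_len and shannon_entropy(seg) >= min_entropy]


def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (client, url) pairs for log lines carrying a suspicious URL."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the scan
        _timestamp, client, url = parts
        if suspicious_segments(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in scan_log(SAMPLE_LOG):
        print(f"REVIEW {client}: {url[:80]}...")
```

A hit is a triage lead, not a verdict: legitimate CDNs and signed download links also produce long opaque segments, so pair this with the destination's domain age and the user's subsequent authentication events before acting.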

Azure Neutralizes Record-Breaking 15 Tbps DDoS Attack

  • Azure DDoS Protection automatically detected and mitigated a massive 15.72 Tbps attack on October 24, 2025, targeting a single endpoint in Australia while maintaining uninterrupted service availability for customer workloads.

  • The attack originated from the Aisuru botnet, a Turbo Mirai-class IoT botnet that exploited compromised home routers and cameras across residential ISPs in the United States and other countries.

  • The multi-vector assault involved extremely high-rate UDP floods launched from over 500,000 source IPs with minimal source spoofing and random source ports, making it the largest DDoS attack ever observed in the cloud.
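The traits Azure describes (one destination, UDP, hundreds of thousands of real source addresses, random source ports) are exactly the signals a network team can compute from its own flow records. The following Python code is an added example for this brief, not Azure's or Microsoft's detection logic: it summarises constructed sample flows per destination and flags a destination when distinct sources, UDP share and source-port spread all cross thresholds. The flow format, the sample traffic generated from a seeded RNG, the `203.0.113.0/24` and `198.51.100.0/24` documentation addresses and the thresholds are all assumptions for the example.

```python
"""Flow-record triage for a high-rate UDP flood: many distinct source IPs,
mostly UDP, random source ports, one destination. Sample flows are constructed
from a seeded generator; thresholds are assumptions to tune per network."""
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str       # "UDP" or "TCP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def make_sample_flows(n_attack: int = 3000, seed: int = 1) -> list[Flow]:
    """Constructed sample: a UDP flood toward 203.0.113.10 from many random
    sources with random source ports, plus a little ordinary TCP traffic
    toward 203.0.113.20 (both are documentation addresses)."""
    rng = random.Random(seed)
    flows = []
    for _ in range(n_attack):
        src = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        flows.append(Flow("UDP", src, rng.randint(1024, 65535), "203.0.113.10", 443))
    for i in range(50):
        flows.append(Flow("TCP", f"198.51.100.{i % 20 + 1}", 40000 + i, "203.0.113.20", 443))
    return flows


def summarize(flows: list[Flow]) -> dict[str, dict[str, float]]:
    """Per destination: flow count, UDP share, distinct sources and the ratio
    of distinct source ports to flows (close to 1.0 means random ports)."""
    by_dst: dict[str, list[Flow]] = defaultdict(list)
    for f in flows:
        by_dst[f.dst_ip].append(f)
    summary = {}
    for dst, fl in by_dst.items():
        summary[dst] = {
            "flows": len(fl),
            "udp_share": sum(f.proto == "UDP" for f in fl) / len(fl),
            "distinct_src_ips": len({f.src_ip for f in fl}),
            "src_port_ratio": len({f.src_port for f in fl}) / len(fl),
        }
    return summary


MIN_SRC_IPS = 1000      # assumption: distinct sources in the sampling window
MIN_UDP_SHARE = 0.9     # assumption: share of flows that are UDP
MIN_PORT_RATIO = 0.5    # assumption: distinct source ports per flow


def flagged_destinations(flows: list[Flow]) -> list[str]:
    """Destinations whose traffic matches the flood profile on all three axes."""
    return sorted(
        dst for dst, s in summarize(flows).items()
        if s["distinct_src_ips"] >= MIN_SRC_IPS
        and s["udp_share"] >= MIN_UDP_SHARE
        and s["src_port_ratio"] >= MIN_PORT_RATIO
    )


if __name__ == "__main__":
    sample = make_sample_flows()
    for dst in flagged_destinations(sample):
        print("FLOOD PROFILE:", dst, summarize(sample)[dst])
```

Requiring all three conditions keeps a busy but legitimate UDP service (few distinct ports, or a modest source population) from tripping the rule; in production the window size and the source-count threshold should scale with the normal client population of each endpoint.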
