Daily Brief
Articles are listed below; the Summary column holds the generated summaries.
Total articles found: 12651
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-11-13 22:54:44 | bleepingcomputer | CYBERCRIME | Kraken Ransomware Adopts Advanced Encryption Tactics for Maximum Impact | Kraken ransomware targets Windows and Linux/VMware ESXi systems, benchmarking them to optimize encryption speed and efficiency while avoiding detection. Originating from the HelloKitty operation, Kraken engages in high-profile attacks with data theft for double extortion, impacting victims in the US, UK, Canada, and more. The ransomware's attack chain begins with exploiting SMB vulnerabilities, followed by credential extraction and lateral movement using Cloudflared and SSHFS tools. Kraken's encryption process involves a unique performance benchmark, deciding between full or partial encryption based on system capabilities to maximize damage. Before encryption, Kraken deletes shadow volumes and backup services, ensuring minimal recovery options for the victim. The ransomware appends a '.zpsc' extension to encrypted files and demands ransoms, with one observed demand reaching $1 million in Bitcoin. Cisco Talos researchers have published indicators of compromise (IoCs) on GitHub to assist organizations in detecting and mitigating Kraken ransomware threats. |
| 2025-11-13 22:41:10 | bleepingcomputer | CYBERCRIME | Akira Ransomware Expands to Target Nutanix Virtual Machines | U.S. government agencies have issued a warning about Akira ransomware encrypting Nutanix AHV virtual machines, marking an expansion from its previous targets like VMware ESXi and Hyper-V. The advisory, updated with new indicators of compromise, stems from FBI investigations and third-party reports as recent as November 2025. Akira's Linux encryptors target the .qcow2 file extension used by Nutanix AHV but, unlike in its VMware ESXi attacks, Akira does not use AHV's native commands to shut down VMs before encryption. To infiltrate networks, Akira affiliates exploit stolen VPN and SSH credentials and SonicWall vulnerabilities, further compromising systems by exploiting unpatched Veeam Backup & Replication servers. Akira's post-compromise tactics include disabling endpoint detection, creating new admin accounts, and using tools like AnyDesk and LogMeIn for lateral movement and persistence. The ransomware group has been able to exfiltrate data rapidly, sometimes within two hours, using tools like Ngrok for encrypted command-and-control channels. Organizations are urged to follow updated guidance, including regular offline backups, enforcing multifactor authentication, and promptly patching known vulnerabilities. |
| 2025-11-13 22:08:29 | bleepingcomputer | MALWARE | IndonesianFoods Worm Floods npm Registry with 100,000 Packages | The IndonesianFoods worm has inundated the npm registry with over 100,000 packages, using automated processes to create a high volume of junk entries every seven seconds. Although currently non-malicious, the worm's potential to introduce harmful payloads poses a significant risk to the software supply chain. Security researcher Paul McCarty initiated tracking of the spam campaign, which has overwhelmed security data systems and triggered numerous vulnerability reports. The worm exploits the TEA Protocol, using blockchain incentives to inflate impact scores, suggesting financial motives behind the attack. The campaign's automation and scale mirror similar supply-chain attacks, raising concerns about the security of open-source ecosystems. Developers are urged to pin dependency versions, monitor publishing patterns, and enforce strict digital signature validation to mitigate risks. Sonatype's warnings indicate that such attacks could pave the way for more severe malware infiltration in open-source environments. |
| 2025-11-13 20:31:31 | thehackernews | CYBERCRIME | Russian Hackers Launch Extensive Phishing Campaign on Hotel Guests | Over 4,300 fake domains created by Russian-speaking hackers target hotel guests, aiming to steal payment data through phishing emails linked to popular travel brands. The campaign, active since February 2025, exploits familiar brand names like Booking.com, Expedia, and Airbnb, using sophisticated phishing kits to mimic legitimate booking sites. Victims are lured via emails to confirm bookings, leading them to counterfeit sites that request credit card information under the guise of a deposit. The phishing sites, supporting 43 languages, employ tactics such as fake CAPTCHA checks and unique URL identifiers to enhance credibility and avoid detection. The campaign's infrastructure allows attackers to dynamically alter site branding based on URL parameters, complicating efforts to trace and shut down operations. The identity of the threat group remains unknown, though evidence suggests a Russian origin, potentially indicating a broader phishing-as-a-service operation. Recent phishing trends indicate a shift towards automation and scalability, enabling cybercriminals to execute attacks with minimal technical skill, impacting sectors beyond hospitality. |
| 2025-11-13 20:07:01 | theregister | CYBERCRIME | Checkout.com Refuses Ransom, Funds Cybercrime Research Instead | Checkout.com faced a ransomware attack by ShinyHunters, who claimed to have stolen data and demanded a ransom. The company chose not to pay the extortionists. Instead of succumbing to the ransom demand, Checkout.com will donate the equivalent amount to cybercrime research initiatives at Carnegie Mellon University and the University of Oxford. The breach involved a legacy third-party cloud file storage system used for internal documents and merchant onboarding, affecting less than 25% of its merchant base. Checkout.com's payment processing platform remained secure, with no access to merchant funds or card numbers compromised during the incident. The company is actively engaging with law enforcement and regulators while notifying affected customers to ensure transparency and accountability. This incident underscores the importance of decommissioning outdated systems and maintaining robust security practices to prevent unauthorized access. Checkout.com's response, emphasizing transparency and responsibility, sets a precedent for handling cyber incidents without funding criminal activities. |
| 2025-11-13 19:04:33 | bleepingcomputer | VULNERABILITIES | Critical RCE Vulnerability in ImunifyAV Threatens Millions of Websites | A remote code execution vulnerability in ImunifyAV affects millions of Linux-hosted websites, potentially compromising entire hosting environments. The flaw impacts versions of the AI-bolit component prior to 32.7.4.0, used in Imunify360, ImunifyAV+, and the free ImunifyAV. CloudLinux, the vendor, released fixes in late October and backported them to older versions on November 10, urging immediate updates. The vulnerability stems from AI-bolit's deobfuscation logic, allowing execution of attacker-controlled PHP functions during malware unpacking. Exploitation is possible because Imunify360's scanning is 'always on', which satisfies the conditions for remote code execution. CloudLinux's fix introduces a whitelisting mechanism to prevent arbitrary function execution, although no CVE-ID or active exploitation reports exist yet. System administrators are advised to upgrade to version 32.7.4.0 or newer, despite the absence of specific compromise detection guidance. |
| 2025-11-13 16:07:41 | bleepingcomputer | DATA BREACH | Washington Post Data Breach Exposes Nearly 10,000 Employees' Information | The Washington Post experienced a data breach impacting 9,720 employees and contractors, exposing their personal and financial information due to a vulnerability in Oracle E-Business Suite software. The breach occurred between July 10 and August 22, with attackers exploiting a zero-day vulnerability, later identified as CVE-2025-61884, to access sensitive data. The Clop ransomware group is linked to these attacks, which also affected other major organizations like Harvard University and Hitachi's GlobalLogic. Attackers attempted to extort the Washington Post in late September, prompting an internal investigation assisted by cybersecurity experts. Impacted individuals were offered a 12-month identity protection service and advised to place security freezes on their credit files and set up fraud alerts. Oracle disclosed the vulnerability during the investigation, revealing it affected multiple customers using the E-Business Suite. This breach follows a previous incident where the email accounts of several Washington Post journalists were compromised, possibly by foreign state actors. |
| 2025-11-13 15:51:07 | theregister | VULNERABILITIES | Ubuntu 25.10 Addresses Vulnerabilities in New Rust-Based Sudo Command | Ubuntu 25.10 identified and swiftly patched two vulnerabilities in its new Rust-based "sudo-rs" command, ensuring continued security for its users. The vulnerabilities, labeled as "password timeout issue" and "timestamp auth issue," were deemed low to moderate in severity, with limited exploitation potential. The "password timeout issue" could potentially reveal user input if a password entry timed out, posing a social engineering risk. The "timestamp auth issue" affected a configuration setting, but had no impact on default installations and required privileged user access to exploit. The fixes were backported to Debian "stable," facilitating easier updates for downstream packagers and maintaining system integrity. The incident underscores the importance of interim releases in identifying and resolving unforeseen issues in new software components. Ubuntu's proactive approach in addressing these vulnerabilities reflects a commitment to robust security practices and open-source collaboration. |
| 2025-11-13 15:06:21 | bleepingcomputer | VULNERABILITIES | Strategies to Mitigate Kerberoasting Threats in Active Directory Environments | Kerberoasting attacks exploit Microsoft Active Directory's Kerberos protocol, allowing attackers to escalate privileges by targeting service accounts with high-level permissions. Attackers utilize open-source tools to identify and request service tickets, which are then taken offline to crack the password hashes, gaining unauthorized access. Password complexity and the strength of the ticket encryption are critical in preventing Kerberoasting; weak passwords are the primary vulnerability. Regular audits of domain account passwords and the use of Group Managed Service Accounts (gMSAs) enhance security by automating complex password management. Implementing AES encryption over weaker algorithms like RC4 significantly reduces the risk of password cracking by attackers. Multi-factor authentication and robust password policies are essential defenses against the initial user account compromises that lead to Kerberoasting. Organizations are encouraged to use tools like Specops Password Auditor to identify password vulnerabilities and enforce compliance with security best practices. |
| 2025-11-13 13:51:36 | theregister | DATA BREACH | Washington Post Suffers Data Breach in Clop Ransomware Attack | The Washington Post confirmed a data breach affecting nearly 10,000 employees and contractors due to a Clop ransomware attack exploiting an Oracle E-Business Suite vulnerability. Sensitive personal data, including names, bank account details, Social Security numbers, and tax IDs, were exfiltrated between July 10 and August 22. The breach was linked to a previously unknown vulnerability in Oracle EBS, which has impacted multiple organizations worldwide, prompting Oracle to release emergency patches in late October. Affected individuals have been offered complimentary identity-protection services, and the Post has reinforced its security measures and applied Oracle's patches promptly. The Clop group has listed numerous victims from various sectors on its leak site, indicating a widespread exploitation campaign. Other organizations, including GlobalLogic and Allianz UK, have also reported similar breaches, suggesting the vulnerability was used at scale. The incident highlights the critical need for organizations to monitor and secure enterprise software environments against emerging threats. |
| 2025-11-13 13:51:35 | bleepingcomputer | MISCELLANEOUS | Microsoft Introduces Screen Capture Prevention for Teams Premium Users | Microsoft is launching a "Prevent screen capture" feature for Teams Premium, aiming to protect sensitive meeting content by blocking screenshots and recordings on Windows and Android devices. Initially announced in May 2025, the rollout was delayed to early November 2025, with the feature set to be available by late November. The feature is disabled by default and must be manually activated per meeting by organizers or co-organizers through Meeting Options. Microsoft 365 admins can manage device enrollment and Teams Premium licensing using Entra ID, ensuring streamlined implementation across organizations. Despite the feature, sensitive information remains vulnerable to capture via external methods, such as photographing the screen during meetings. This initiative aligns with Microsoft's broader efforts to enhance security in Teams, including protection against malicious file types and flagged URLs. The introduction of this feature reflects growing demand for privacy and security in digital communication tools, particularly for enterprise users. |
| 2025-11-13 13:05:01 | thehackernews | MALWARE | Malicious Chrome Extension "Safery" Targets Ethereum Wallet Seed Phrases | A Chrome extension named "Safery: Ethereum Wallet" has been identified as malicious, designed to steal Ethereum wallet seed phrases via the Sui blockchain. The extension masquerades as a secure Ethereum wallet, but encodes seed phrases into Sui addresses, using microtransactions to exfiltrate data. The malware avoids traditional command-and-control servers by embedding seed phrases in blockchain transactions, complicating detection. Once transactions are executed, attackers decode the recipient addresses to reconstruct seed phrases and access victims' cryptocurrency assets. Users are advised to use only trusted wallet extensions and to scrutinize extensions for mnemonic encoders and synthetic address generators. Security teams should monitor for unexpected blockchain RPC calls and block extensions that write to the chain during wallet import or creation. The extension was uploaded to the Chrome Web Store on September 29, 2025, and remains available, posing an ongoing risk to users. |
| 2025-11-13 13:05:00 | bleepingcomputer | MALWARE | Uhale Android Photo Frames Distribute Malware via Boot Process | Quokka's security assessment reveals Uhale digital photo frames download malware at boot, with connections to the Mezmess and Vo1d malware families. The malware is delivered from China-based servers, exploiting the device's automatic update process to install malicious payloads. Devices are vulnerable due to disabled SELinux security, default rooting, and use of AOSP test-keys, facilitating malware execution. Despite multiple notifications since May, ZEASN, the company behind Uhale, has not responded to security concerns raised by researchers. The Uhale app, with over 500,000 downloads on Google Play, poses a significant risk due to its widespread use across various brands. Quokka identified 17 security vulnerabilities in the Uhale platform, with 11 assigned CVE-IDs, complicating the potential impact assessment. Consumers are advised to purchase electronic devices from reputable brands with official Android images and robust security measures. |
| 2025-11-13 12:13:43 | bleepingcomputer | VULNERABILITIES | CISA Urges Immediate Patching of Critical Cisco Firewall Flaws | CISA has issued an urgent directive for U.S. federal agencies to patch two critical vulnerabilities in Cisco ASA and Firepower devices, identified as CVE-2025-20362 and CVE-2025-20333. These vulnerabilities allow remote attackers to access restricted endpoints and execute code, potentially leading to full control of unpatched devices if exploited together. The flaws were initially exploited as zero-days, specifically targeting Cisco 5500-X Series devices with VPN web services enabled, linked to the ArcaneDoor campaign. Despite initial patching efforts, CISA reports that some federal agencies have not fully updated their systems, leaving them vulnerable to ongoing attacks. Shadowserver's monitoring indicates a reduction in vulnerable Cisco devices from 45,000 to 30,000, but significant risks remain for unpatched systems. CISA has released new guidance to ensure agencies apply the correct updates and comply with Emergency Directive 25-03 to mitigate breach risks effectively. The directive also includes patching requirements for Samsung and WatchGuard devices to address other critical vulnerabilities exploited in recent attacks. |
| 2025-11-13 12:03:24 | theregister | CYBERCRIME | Europol Dismantles Rhadamanthys Malware Network, Seizes Over 1,000 Servers | Europol and Eurojust executed coordinated raids, dismantling the Rhadamanthys infostealer network, seizing 1,025 servers, and impacting hundreds of thousands of infected systems globally. The operation, part of the ongoing Operation Endgame, revealed over 86 million stolen credentials and more than 525,000 infections across 226 countries. Five suspects associated with the pay-per-infect scheme were arrested, with some providing intelligence to law enforcement. The takedown disrupted the Rhadamanthys infrastructure, although the malware's administrator and customers remain at large. Rhadamanthys, a credential theft tool active since 2022, was distributed via emails, web injects, and malvertising, with access costing $300-500 monthly. Operation Endgame also targeted Elysium and VenomRAT, leading to the arrest of VenomRAT's main suspect in Greece. The operation's success aims to undermine trust within cybercriminal networks and calls for public assistance to identify remaining perpetrators. |