Daily Brief


Total articles found: 11544

Checks for new stories every ~15 minutes

2025-11-26 14:37:14 theregister CYBERCRIME CodeRED Emergency Alert System Hit by INC Ransomware Attack
Crisis24's CodeRED emergency alert system was compromised by the INC ransomware group, affecting municipalities across the United States. The attack resulted in the theft of sensitive data, including names, addresses, email addresses, phone numbers, and passwords of CodeRED users. Douglas County, Colorado, terminated its contract with CodeRED, while other regions are transitioning to a new, secure platform. Crisis24 assured customers that the new platform is hosted on a separate, uncompromised environment with enhanced security measures. In response, affected areas are using alternative communication methods, such as social media and door-to-door notifications, to disseminate emergency alerts. The INC ransomware group initially demanded a $950,000 ransom, later reducing it to $450,000, but Crisis24's counteroffers were rejected. The group has threatened to sell the stolen data after releasing a snippet online, increasing pressure on Crisis24 to meet its demands. Crisis24 has not confirmed any online data leaks but warns customers to change passwords and remain vigilant against potential misuse.
2025-11-26 14:37:14 thehackernews CYBERCRIME Qilin Ransomware Exploits South Korean MSP in Major Data Heist
Qilin ransomware targeted South Korea's financial sector via a sophisticated supply chain attack, compromising a Managed Service Provider (MSP) to access multiple victims. The attack, dubbed "Korean Leaks," affected 28 victims, resulting in the theft of over 1 million files and 2 TB of data. The campaign unfolded in three waves, initially framing the leaks as a public service exposing corruption, later shifting to financial extortion. Qilin's Ransomware-as-a-Service model involves recruiting affiliates, including North Korean actor Moonstone Sleet, to execute attacks. The breach of GJTec led to ransomware infections across more than 20 asset management companies, highlighting vulnerabilities in MSP security. The Qilin group, likely of Russian origin, claims to be politically motivated, using propaganda to pressure victims and influence public perception. Organizations are urged to adopt Multi-Factor Authentication, apply the Principle of Least Privilege, and segment critical systems to mitigate similar risks. The attack underscores the importance of securing supply chains, as exploiting MSPs offers ransomware groups a practical means to target clustered victims.
2025-11-26 14:19:24 theregister MISCELLANEOUS US Navy Cancels Constellation Frigate Program Amid Delivery Delays
The US Navy has decided to terminate the Constellation-class frigate program, limiting production to two ships due to delays and redesign challenges. Secretary of the Navy John Phelan announced the decision, emphasizing the need for faster fleet expansion to address emerging threats. Originally intended for rapid delivery, the Constellation class experienced significant redesigns, resulting in only 15% commonality with the initial design. The program's cancellation affects the Navy's anti-submarine capabilities, as these frigates were to feature advanced sonar systems. Construction of the first two ships will continue to maintain employment at the Fincantieri Marinette Marine facility, though their future remains uncertain. The Navy is exploring alternatives, including autonomous vessels like the Large Unmanned Surface Vehicle, to meet operational needs swiftly. This decision reflects broader challenges in balancing rapid procurement with complex design and capability requirements in naval shipbuilding.
2025-11-26 13:26:41 bleepingcomputer VULNERABILITIES Microsoft Enhances Entra ID Security Against Script Injection Threats
Microsoft is set to bolster Entra ID's security by implementing a robust Content Security Policy to counter script injection attacks starting October 2026. The new policy restricts script execution to Microsoft-trusted domains, aiming to prevent cross-site scripting attacks that could compromise user credentials. This security enhancement applies exclusively to browser-based sign-ins at login.microsoftonline.com, leaving Microsoft Entra External ID unaffected. Organizations are advised to test their sign-in scenarios before the policy takes effect to mitigate potential issues with code-injection dependencies. IT administrators can identify impacted scripts through the browser developer console, where violations will be highlighted in red text. Microsoft recommends discontinuing the use of browser extensions and tools that inject scripts into sign-in pages, as these will be unsupported post-update. This initiative is part of Microsoft's broader Secure Future Initiative, launched to address security culture improvements following a critical review by the U.S. Department of Homeland Security.
2025-11-26 11:58:49 thehackernews MISCELLANEOUS Balanced SOC Investments Crucial for Effective Cyber Threat Detection
Recent analysis reveals that enterprises often underfund their Security Operations Centers (SOCs), despite significant investments in detection tools, leading to potential security gaps. A case study showed that SOCs successfully intercepted a sophisticated phishing campaign targeting C-suite executives, which bypassed eight different email security tools. The disparity between detection tools and SOC funding can overwhelm SOCs, making it difficult to manage the volume of alerts and identify nuanced threats. Detection tools operate rapidly, focusing on immediate threats, whereas SOCs provide broader context and time for thorough investigation. Organizations are increasingly turning to AI SOC platforms, such as Radiant Security, to automate alert triage and reduce false positives by over 90%. AI SOC platforms enable small teams to maintain 24/7 coverage efficiently, eliminating the need for extensive staffing or outsourcing. The case study emphasizes the importance of a balanced investment strategy to maximize the return on existing detection tools and enhance overall security posture.
2025-11-26 11:45:29 bleepingcomputer VULNERABILITIES ASUS Releases Critical Firmware Updates for AiCloud Router Flaws
ASUS has issued new firmware to address nine security vulnerabilities, including a critical authentication bypass flaw affecting routers with AiCloud enabled. The CVE-2025-59366 flaw can be exploited through Samba functionality, allowing unauthorized execution of specific functions via low-complexity attacks. ASUS advises immediate firmware updates to protect devices, particularly for routers using the 3.0.0.4_386, 3.0.0.4_388, and 3.0.0.6_102 firmware series. For end-of-life models, ASUS recommends disabling internet-accessible services and enhancing security with strong passwords to mitigate risks. A previous flaw, CVE-2025-2492, was exploited in Operation WrtHug, targeting outdated ASUS routers globally, potentially for Chinese hacking operations. SecurityScorecard researchers suggest hijacked routers may serve as relay nodes, concealing command-and-control infrastructures. This situation underscores the critical need for timely firmware updates and proactive security measures to safeguard network devices.
2025-11-26 11:14:49 theregister CYBERCRIME London Councils Face Cyberattack Disrupting Shared IT Services
The Royal Borough of Kensington and Chelsea and Westminster City Council are investigating a cyber incident affecting shared IT services, impacting phone lines and online access. The London Borough of Hammersmith and Fulham, also using these shared services, is involved in precautionary measures to protect their networks amidst the ongoing investigation. The National Cyber Security Centre is assisting in remediation efforts, focusing on data protection and system restoration, while the affected councils implement business continuity plans. Service disruptions have led to challenges in communication, with residents experiencing delays in accessing essential services such as social care and housing support. Cybersecurity experts suggest the incident bears hallmarks of a serious intrusion, potentially involving lateral movement through shared infrastructure, indicating a possible ransomware attack. The Metropolitan Police's Cyber Crime Unit is conducting inquiries, with no arrests made yet, as they work to determine the attack's origin and impact. Authorities are maintaining transparency with the public, providing updates via social media, and urging patience as they work to resolve the situation.
2025-11-26 11:14:49 thehackernews MALWARE Malicious Chrome Extension Steals Solana Fees in Raydium Transactions
A Chrome extension named Crypto Copilot was discovered injecting hidden Solana transfer fees into Raydium swaps, diverting funds to an attacker's wallet. The extension, published by "sjclark76," claims to facilitate crypto trading with real-time insights but secretly manipulates transactions. Crypto Copilot has 12 installs and remains available for download, raising concerns about potential user impact and financial loss. The extension uses obfuscated code to append a hidden transfer fee to each swap, charging a minimum of 0.0013 SOL or 0.05% of the trade amount. This malicious activity is concealed through techniques like minification and variable renaming, making detection challenging for users. Communication with backend domains, which host no real product, registers wallets and reports user activity, furthering the attack's reach. The extension leverages legitimate services to appear credible, potentially misleading users into trusting its operations. This incident underscores the importance of scrutinizing browser extensions for hidden malicious behavior to prevent unauthorized fund transfers.
2025-11-26 11:05:10 thehackernews VULNERABILITIES Webinar Offers Strategies to Secure Community-Maintained Software Tools
Community-maintained tools like Chocolatey and Winget are widely used for system updates due to their speed and flexibility, but they pose potential security risks. These tools allow anyone to add or update packages, which can lead to vulnerabilities if packages are outdated, lack safety checks, or are maliciously altered. Hackers exploit these vulnerabilities, similar to incidents observed in platforms like NPM and PyPI, highlighting the need for vigilance with Windows tools as well. A free webinar led by Gene Moody, Field CTO at Action1, will provide practical guidance on mitigating these risks while maintaining efficient update processes. Participants will learn to implement safety measures such as source pinning, allow-lists, and hash/signature verification to secure their systems. The session will also cover how to prioritize updates using known vulnerability data and how to safely integrate community tools with direct vendor sources. This webinar targets IT professionals managing software updates, offering actionable insights to enhance security without compromising operational efficiency.
2025-11-26 09:04:27 theregister MISCELLANEOUS Strategic Cybersecurity Investments During Black Friday 2025
Black Friday 2025 presents a strategic opportunity for IT directors and CISOs to stretch security budgets with significant discounts on critical cybersecurity solutions. Darktrace reports a 692% surge in phishing attacks during Black Friday and Cyber Monday, exploiting the chaos of the shopping season. Offers include up to 60% discounts on solutions like Passwork password manager, CrowdStrike Falcon, Bitdefender Total Security, ESET Internet Security, and Exploit Pack. Passwork offers a 50% discount on its self-hosted, GDPR-compliant password manager, appealing to organizations needing on-premise control and data sovereignty. CrowdStrike Falcon provides substantial discounts on its EDR solutions, with the Enterprise tier offering threat hunting capabilities for sophisticated threat landscapes. Bitdefender and ESET offer proven, lightweight protection with significant discounts, appealing to businesses with diverse device ecosystems and BYOD policies. The article advises careful evaluation of deals to avoid hidden costs and ensure solutions align with actual security needs, emphasizing the importance of trials and demos. Executives are urged to act decisively, as attackers are active during this period, making informed procurement decisions critical to maintaining robust security postures.
2025-11-26 08:31:58 thehackernews NATION STATE ACTIVITY Russian Unit 29155 Targets U.S. Firm with SocGholish Malware Attack
RomCom threat actors targeted a U.S.-based civil engineering firm using the SocGholish JavaScript loader to deploy Mythic Agent malware, marking a new distribution method for RomCom payloads. Arctic Wolf Labs attributes this activity to Russia's GRU Unit 29155, with medium-to-high confidence, focusing on entities with historical ties to Ukraine. SocGholish, linked to TA569, acts as an initial access broker, distributing malware via fake browser update alerts on compromised websites. The attack chain exploits poorly secured websites, leveraging known vulnerabilities to inject malicious JavaScript and initiate the infection process. RomCom, associated with both cybercrime and espionage, uses spear-phishing and zero-day exploits to deliver remote access trojans, targeting Ukraine and NATO-related entities. The attack was thwarted before completion, but it underscores the persistent interest of RomCom in targeting Ukraine-linked organizations. The rapid progression from initial access to infection, under 30 minutes, highlights the significant threat posed by SocGholish attacks globally.
2025-11-26 04:31:44 thehackernews CYBERCRIME FBI Warns of $262M Losses from Account Takeover Fraud in 2023
The FBI reports cybercriminals have exploited financial institutions, resulting in over $262 million in account takeover (ATO) fraud losses this year, affecting individuals and organizations across various sectors. Attackers gain unauthorized access to accounts using social engineering tactics, such as phishing emails, calls, and fake websites, to deceive victims into revealing login credentials and multi-factor authentication codes. Methods include impersonating financial institution employees and law enforcement to manipulate victims into sharing sensitive information, leading to unauthorized account access and fund transfers. Cybercriminals utilize SEO poisoning and malicious search engine ads to redirect users to counterfeit sites, further facilitating credential theft and account compromise. Stolen funds are often transferred to cryptocurrency wallets, complicating the tracking of illicit transactions and obscuring the money trail. To mitigate risks, the FBI advises vigilance against phishing, using complex passwords, verifying website URLs, and monitoring accounts for irregularities. The rise in AI-driven phishing campaigns and holiday scams, such as Black Friday fraud and QR code scams, poses additional threats, with attackers leveraging AI tools to enhance the credibility of their attacks. Security firms have detected a surge in malicious domains and exploited vulnerabilities in popular e-commerce platforms, emphasizing the need for robust security measures during the holiday season.
2025-11-25 23:36:30 theregister MALWARE WormGPT 4 and KawaiiGPT Lower Entry Barriers for Cybercriminals
Palo Alto Networks' Unit 42 reports WormGPT 4, an AI model designed for cybercrime, is now available for $220 lifetime access, significantly reducing barriers for potential attackers. WormGPT 4 can generate complex malware, including ransomware scripts, capable of encrypting files and demanding ransoms, though it requires human intervention to evade detection. The model's capabilities extend beyond simple phishing, enabling the creation of sophisticated attack scripts, such as those for data exfiltration and lateral movement on compromised systems. KawaiiGPT, another malicious AI tool, is freely accessible on GitHub, offering entry-level cyber offense capabilities and further democratizing access to cybercriminal tools. These AI-driven tools automate critical steps in cyberattacks, such as spear phishing and privilege escalation, posing a growing threat to cybersecurity defenses. The emergence of these models signals a shift in cybercrime, where AI assists in streamlining attack processes, making sophisticated cyber operations accessible to less skilled individuals. Organizations must enhance their security measures to counteract AI-assisted threats, focusing on advanced detection and response strategies to mitigate potential risks.
2025-11-25 22:39:45 theregister CYBERCRIME Akira Ransomware Exploits M&A Vulnerabilities via SonicWall Devices
ReliaQuest identified Akira ransomware affiliates exploiting SonicWall SSL VPN vulnerabilities to infiltrate parent companies during mergers and acquisitions. Acquiring firms often inherit compromised SonicWall devices, leaving critical vulnerabilities exposed and allowing ransomware operators network access. Akira affiliates exploited these vulnerabilities to swiftly access sensitive systems, reaching domain controllers in an average of 9.3 hours. Common security gaps included zombie privileged credentials, default hostnames, and insufficient endpoint protection, facilitating rapid lateral movement. The ransomware attacks typically progressed from lateral movement to deployment in under an hour, highlighting the speed and efficiency of the intrusions. Akira operators targeted unprotected hosts or attempted to disable security measures using DLL sideloading techniques to encrypt systems undetected. Organizations undergoing mergers and acquisitions are advised to thoroughly assess inherited IT assets and close security gaps to prevent such attacks.
2025-11-25 21:54:24 bleepingcomputer CYBERCRIME Cyberattack on OnSolve CodeRED Disrupts U.S. Emergency Alert Systems
Crisis24 confirmed a cyberattack on its OnSolve CodeRED platform, disrupting emergency alert systems used by U.S. state and local governments, police, and fire agencies. The attack led to the decommissioning of the legacy CodeRED environment, affecting emergency notifications, weather alerts, and other critical warnings nationwide. Crisis24's investigation revealed that data, including names, addresses, and passwords, was stolen, though there is no evidence of it being publicly posted. The INC Ransomware gang claimed responsibility, publishing screenshots of customer data and offering stolen information for sale after a failed ransom demand. Crisis24 is rebuilding its service using backups from March 31, 2025, but this may result in missing accounts and further operational challenges. Impacted customers are advised to reset any reused passwords due to the exposure of clear-text credentials in the breach. The incident highlights the vulnerabilities in emergency notification systems and the need for robust cybersecurity measures to protect critical infrastructure.