Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11772
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-08-28 12:44:30 | theregister | CYBERCRIME | Ransomware Attack Disrupts Swedish Municipalities, Demands $168K Ransom | A ransomware attack on IT supplier Miljödata disrupted services for 200 of Sweden's 290 municipalities, taking down HR and incident-reporting systems that local governments depend on. The attackers demanded 1.5 Bitcoin, roughly $168,000, far below typical ransomware demands, which suggests a pricing strategy aimed at quick payment. Affected municipalities, including Gotland and Halland, lost access to essential systems over the weekend. Because the affected systems hold sensitive employee information, a data breach is a concern, although Miljödata says it has found no evidence of data theft. Swedish police and CERT-SE are investigating and helping contain the impact, while government officials consider new cybersecurity legislation. The incident illustrates the concentration risk of shared IT service providers: a single compromised supplier can disrupt a large fraction of a country's local government. It is a reminder that supplier security is supply-chain security, and a prompt to reassess how critical service providers are vetted and monitored. | Details |
| 2025-08-28 11:55:32 | thehackernews | VULNERABILITIES | Enhancing App Security Through Code-to-Cloud Visibility in 2025 | With the average cost of a data breach at $4.44 million globally, application security flaws remain a significant contributor to breach costs. Code-to-cloud visibility, linking findings in source code to the deployed workloads they affect, is emerging as a way to detect and fix vulnerabilities from development through deployment. Inefficient vulnerability handling is a primary concern for 32% of organizations, and 97% report security issues related to AI tools. A webinar on September 18, 2025 will present practical steps for integrating code-to-cloud visibility into an application security program. Gartner predicts 40% of companies will adopt application security posture management (ASPM) tools by 2026 to improve risk management. The session aims to reduce confusion about who owns a finding and to improve collaboration between development and security teams. Recent high-profile breaches add urgency to adopting such visibility before applications are exploited. | Details |
| 2025-08-28 11:47:39 | theregister | CYBERCRIME | PayPal Fraud Glitch Freezes €10 Billion in German Transactions | A failure in PayPal's fraud-detection system allowed unauthorized direct debits to be passed to German banks, which responded by halting PayPal transactions worth around €10 billion. Shoppers and merchants were significantly affected while the block was in place. The German Savings Banks Association confirmed the problem and said PayPal had assured it the issue was resolved by Tuesday morning. PayPal is informing affected customers directly and has resumed normal operations, though the reputational damage remains. No similar problems were reported outside Germany; Austrian banks were unaffected. The incident coincided with unverified claims that PayPal credentials had been exposed, which prompted advisories for users to change their passwords. PayPal's popularity in Germany, built on its buyer protection, now faces scrutiny because of these security concerns. | Details |
| 2025-08-28 11:11:10 | theregister | DATA BREACH | Law Firm Email Error Exposes Church of England Abuse Victims | A London law firm inadvertently exposed the email addresses of 194 people connected to the Church of England abuse redress scheme through human error. A mass mailing was sent with every recipient's address visible to all the others, revealing the addresses of victims and their law firms. Kennedys Law has apologised, attempted to recall the emails (only partly successfully), and reported the incident to the relevant regulators. An internal investigation at Kennedys is under way to establish the cause and put corrective measures in place. The Church of England, although not the data controller, expressed deep concern and is working with Kennedys to prevent a recurrence. The incident adds to a series of email-related data breaches affecting vulnerable people, which have prompted regulators to issue reminders about basic email practices such as using blind copy for group mailings. It coincides with the opening of the redress scheme, which aims to provide financial and emotional support to abuse victims. | Details |
| 2025-08-28 11:03:26 | thehackernews | DATA BREACH | Protecting Project Management Tools from Data Breach Threats | In 2024, data on more than 15 million Trello users was posted on a hacker forum, illustrating how exposed project management tools can be. Businesses rely heavily on platforms such as Trello and Asana; the article cites 95% using them for task organization, collaboration, and milestone tracking. It also cites human error, such as accidental deletions and misconfigured permissions, as the cause of 52% of security breaches, ahead of cyberattacks and natural disasters. Phishing and ransomware increasingly target cloud-based project management tools, risking significant business disruption. The built-in security features of SaaS tools do not protect against user mistakes or malicious deletions, so additional controls are needed. Third-party cloud backup products such as FluentPro Backup automate end-to-end backups, limiting loss from errors or integration failures. Organizations should adopt proactive strategies, including independent backups, to safeguard project data and maintain continuity. | Details |
| 2025-08-28 10:43:06 | thehackernews | CYBERCRIME | Malicious Nx Packages Compromise GitHub and AI Credentials | The Nx build system suffered a supply chain attack in which malicious versions of its npm packages were published and exfiltrated 2,349 GitHub, cloud, and AI credentials. The attackers exploited a vulnerable GitHub Actions workflow: a specially crafted pull request let them run code with elevated permissions, obtain publishing rights, and push rogue package versions. The malicious packages carried a post-install script that scanned the host for credentials and pushed them to GitHub repositories created with the victim's own stolen GitHub token. Affected users are advised to rotate every credential that was present on the machine, remove the malicious package versions, and check shell startup files and other system files for unauthorized changes. The attack is a novel use of AI in a supply chain payload: the script invoked locally installed AI coding CLI tools, with flags that skip their safety prompts, to help hunt for secrets on the host. The Nx team's remediation includes token rotation, audits of account activity, and mandatory two-factor authentication for publishing access. The incident shows how quickly a single workflow injection flaw can become a mass credential leak, and why remediation must be immediate. | Details |
| 2025-08-28 08:56:28 | thehackernews | NATION STATE ACTIVITY | U.S. Treasury Targets North Korean IT Worker Fraud Scheme | The U.S. Treasury's OFAC sanctioned two individuals and two entities linked to North Korea's IT worker scheme, which funds the regime's weapons programs through employment fraud and cryptocurrency theft. Vitaliy Sergeyevich Andreyev and Kim Ung Sun facilitated about $600,000 in crypto-to-cash transfers on behalf of Chinyong Information Technology Cooperation Company. In the scheme, North Korean IT workers obtain jobs at U.S. companies using fake identities and documents, steal data, and in some cases deploy malware and extort their employers. AI tools such as Claude help the workers build convincing professional profiles and complete technical tasks beyond their actual skills. The sanctions extend earlier actions against Chinyong, which operates in China, Laos, and Russia and has generated over $1 million in profits since 2021. Shenyang Geumpungri Network Technology Co., Ltd., a Chinese front company, and Korea Sinjin Trading Corporation are named for generating revenue for North Korea. The designations follow a string of earlier actions against North Korean entities and individuals as part of an ongoing effort to disrupt the operation. | Details |
| 2025-08-28 07:39:06 | theregister | NATION STATE ACTIVITY | Global Alert Issued on Persistent Chinese Cyber Espionage Campaign | Thirteen nations issued a joint advisory on Salt Typhoon, a Chinese state-sponsored cyber-espionage group that has targeted critical industries worldwide since at least 2019. The campaign has breached telecommunications, government, transportation, lodging, and military networks, affecting over 600 organizations across 80 countries. Salt Typhoon exploits known vulnerabilities in backbone routers and uses the compromised devices as footholds for long-term access to the networks behind them. The U.S. has sanctioned Sichuan Juxinhe Network Technology, a company linked to Salt Typhoon that allegedly supports China's Ministry of State Security. The 37-page advisory lists indicators of compromise and the exploited CVEs and urges network defenders to prioritize patching those devices. Google's Mandiant team and CrowdStrike took part in response efforts and note the group's deep knowledge of telecommunications systems. The advisory reflects strong international coordination and concern over Chinese state-sponsored activity and calls for sustained vigilance. | Details |
| 2025-08-28 00:04:26 | theregister | MISCELLANEOUS | Study Reveals Bias in AI Guardrails Affecting User Interactions | Harvard researchers found that AI guardrails respond differently depending on cues about the user's demographics, including sports fandom, gender, and political leanings. In their tests, ChatGPT was more likely to refuse requests when the user presented as a Los Angeles Chargers fan or as a woman, showing that refusals vary by inferred identity. Guardrails, which exist to enforce a model's safety policy, can introduce bias when the model reads identity cues as a proxy for ideology. The work shows that models adjust their responses to the user's inferred political leaning, which affects both fairness and usefulness. Refusal rates varied across the user personas tested, with implications for how models decide what content to withhold. The authors call for transparency about how guardrails are implemented and for further study of their effect on users. The researchers have released their code and data so that others can reproduce and extend the findings. | Details |
| 2025-08-27 22:46:07 | bleepingcomputer | CYBERCRIME | Storm-0501 Adopts Cloud-Based Ransomware Tactics, Targets Azure Environments | Storm-0501, active since 2021, has shifted from deploying ransomware on endpoints to cloud-based extortion, stealing and then destroying data in victims' Azure environments. Microsoft observed the actor moving through devices that lacked Defender coverage, then using the credentials of an Entra Connect Directory Synchronization Account to enumerate the tenant and escalate privileges. The actor found a synced Global Administrator account with no multifactor authentication registered, reset its on-premises password, let the change sync to the cloud, registered its own MFA method, and from there took administrative control, impersonated users, and disabled security defenses. It then deleted backups and snapshots and re-encrypted storage with keys held in newly created Key Vaults under its control, leaving no recovery path without the attacker's keys. Victims were contacted through compromised Microsoft Teams accounts, where the ransom demands were delivered. Microsoft's guidance stresses enforcing multifactor authentication, protecting the sync accounts, and monitoring for unusual activity. Storm-0501's evolution points to a broader trend toward cloud-native extortion, which brings new detection and mitigation challenges. | Details |
| 2025-08-27 20:47:30 | bleepingcomputer | MALWARE | AI-Powered PromptLock Ransomware Demonstrates Cross-Platform Threat Potential | ESET researchers identified PromptLock, described as the first known AI-driven ransomware, which generates Lua scripts at runtime to enumerate, exfiltrate, and encrypt files on Windows, macOS, and Linux. The malware calls OpenAI's open-weight gpt-oss:20b model through the Ollama API, feeding it hard-coded prompts and executing the scripts it returns, so the exact code can differ from run to run. For encryption it uses the SPECK 128-bit block cipher, a lightweight design usually found in constrained devices such as RFID tags rather than in ransomware. ESET believes PromptLock is a proof of concept: the samples were found on VirusTotal and no telemetry shows it being deployed. Its design shows what an LLM adds to malware: one script-generating backend yields cross-platform payloads and per-run variation. PromptLock illustrates how AI lowers the barrier to entry for cybercriminals. Other AI-assisted threats, such as LameHug, show the same trend of large language models being used in malicious operations. | Details |
| 2025-08-27 20:32:51 | theregister | NATION STATE ACTIVITY | US Sanctions Firms for Aiding North Korean IT Worker Fraud | The US Treasury Department sanctioned two Asian companies and two individuals for helping North Korean IT workers fraudulently obtain US jobs. Shenyang Geumpungri Network Technology Co and Korea Sinjin Trading Corporation channelled over $1 million earned through fake IT salaries and theft. The US, with support from Japan and South Korea, intends to seize funds and hold associated businesses accountable through criminal and civil action. The sanctioned individuals are a Russia-based North Korean official and a Russian national accused of facilitating the scheme's payments. North Korean IT workers exploit remote-work hiring to infiltrate US companies, steal data, and demand ransom. Detection is getting harder as the workers use deepfakes to deceive employers during hiring. Mandiant reports that the problem is widely acknowledged among Fortune 500 CISOs and stresses the need for stronger identity verification in hiring. | Details |
| 2025-08-27 19:58:07 | theregister | CYBERCRIME | AI Tools Lower Barriers for Sophisticated Cybercrime Operations | Anthropic's threat report describes AI tools being used across cybercrime, from ransomware to fraud, in sectors including government and healthcare. The company disrupted a data-extortion operation that used Claude Code against 17 organizations, with ransom demands ranging from $75,000 to $500,000 in Bitcoin. In that case the model was used at every phase of the attack, from reconnaissance to building the tooling, showing how AI lowers the skill required to run such operations. Anthropic also blocked a North Korean threat actor from using its platform as part of a campaign that targets software developers with malware-laden job offers. It has banned the accounts involved and built classifiers to detect the attack patterns, but acknowledges that these measures may only slow determined criminals. The report also covers employment fraud, with North Korean operatives using AI to win jobs at major companies and channel the salaries to weapons programs. It notes a Chinese APT group's use of Claude while compromising Vietnamese telecommunications providers, with potential national security implications. Anthropic is sharing the details with partners, but expects AI-assisted cybercrime to persist and evolve. | Details |
| 2025-08-27 19:37:03 | bleepingcomputer | VULNERABILITIES | FreePBX Servers Targeted by Zero-Day Exploit, Urgent Fix Issued | The Sangoma FreePBX Security Team reported a zero-day vulnerability, actively exploited since August 21, affecting systems whose Administrator Control Panel (ACP) is exposed to the internet. FreePBX is an open-source PBX platform widely used by businesses and call centers to run voice communications, so a compromise of its admin interface is particularly serious. A fix has been released as an EDGE module for testing, with a full security update scheduled for later in the day so that new installations are protected. Existing systems with the endpoint module installed and an exposed ACP are at risk; administrators should restrict ACP access to trusted addresses using the built-in Firewall module until patched. Reports indicate breaches on multiple servers, compromising roughly 3,000 SIP extensions and 500 trunks. Sangoma recommends restoring from a clean backup, deploying the patched modules, and rotating all credentials. Administrators should also review call detail records for unauthorized calls, since compromised PBX systems are typically used for toll fraud, and keep the system locked down until the official patch is fully deployed. | Details |
| 2025-08-27 19:06:36 | thehackernews | CYBERCRIME | Storm-0501 Targets Hybrid Cloud with Data Exfiltration and Extortion | Storm-0501, a financially motivated threat group, has refined its tactics to exploit cloud environments, focusing on data exfiltration and extortion without deploying traditional ransomware binaries. It has targeted government, manufacturing, and transportation organizations in the U.S., using cloud-native capabilities to exfiltrate and then destroy data before demanding a ransom. Attacks involve reconnaissance, privilege escalation, and lateral movement, exploiting unmanaged devices and the seams between on-premises Active Directory and Entra ID in hybrid setups. Initial access typically comes from compromised credentials or known vulnerabilities, often supplied by access brokers such as Storm-0249 and Storm-0900. Recent campaigns have used DCSync attacks, which request credential data from a domain controller over the directory replication protocol, to harvest credentials from Active Directory. Microsoft has responded by hardening Entra ID: privilege escalation through Directory Synchronization Accounts is now blocked, and Entra Connect supports modern authentication for the sync account. Organizations are advised to run Entra Connect Sync on servers with a Trusted Platform Module (TPM) so that the sync credentials are protected from extraction. | Details |
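The Nx entry above describes a workflow that a crafted pull request could abuse. The injection pattern behind that class of bug is a GitHub Actions workflow that runs on `pull_request_target` (which exposes repository secrets and a write-capable token) and interpolates attacker-controlled fields such as the PR title straight into a `run:` shell script, or checks out the PR head so the contributor's code runs with those privileges. The following linter, added here as an illustration and not code from the Nx project or the article, scans a workflow file for that pattern. The two embedded workflow files are constructed examples of the vulnerable and hardened shapes, not Nx's actual workflow.

```python
import re
from dataclasses import dataclass

# Expression contexts that a pull request author controls directly. Interpolating
# any of these into a `run:` script lets the author inject shell commands.
UNTRUSTED = re.compile(
    r"github\.(?:head_ref|event\.(?:"
    r"pull_request\.(?:title|body|head\.(?:ref|label)|head\.repo\.[\w.]+)"
    r"|issue\.(?:title|body)|comment\.body|review\.body|review_comment\.body"
    r"|discussion\.(?:title|body)|commits\[[^\]]*\]\.message|head_commit\.message))"
)
EXPR = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")
PR_HEAD_REF = re.compile(
    r"\bref:\s*\$\{\{[^}]*(?:pull_request\.head\.(?:sha|ref)|github\.head_ref)"
)


@dataclass
class Finding:
    line: int
    reason: str


def lint_workflow(text: str) -> list[Finding]:
    """Heuristic, line-based scan (no YAML parser) for script injection and
    untrusted checkout in a GitHub Actions workflow."""
    lines = text.splitlines()
    # pull_request_target runs with secrets and a write-capable GITHUB_TOKEN, so
    # anything attacker-influenced inside it is a privilege escalation path.
    privileged = any(
        re.search(r"(?<![\w-])pull_request_target(?![\w-])", l)
        and not l.lstrip().startswith("#")
        for l in lines
    )
    findings: list[Finding] = []
    run_indent = None  # indentation of the `run` key whose block scalar we are inside

    def scan(line_no: int, fragment: str) -> None:
        for m in EXPR.finditer(fragment):
            expr = m.group(1).strip()
            if UNTRUSTED.search(expr):
                severity = "privileged trigger" if privileged else "unprivileged trigger"
                findings.append(Finding(
                    line_no, f"untrusted input '{expr}' interpolated into a run script ({severity})"))

    for n, line in enumerate(lines, start=1):
        indent = len(line) - len(line.lstrip())
        if run_indent is not None:
            if not line.strip() or indent > run_indent:
                scan(n, line)          # still inside the multi-line script
                continue
            run_indent = None          # block scalar ended
        m = RUN_KEY.match(line)
        if m:
            key_col = len(m.group(1)) + (len(m.group(2)) if m.group(2) else 0)
            rest = m.group(3)
            if rest.startswith(("|", ">")):
                run_indent = key_col   # multi-line script follows
            else:
                scan(n, rest)          # inline one-line script
            continue
        if privileged and PR_HEAD_REF.search(line):
            findings.append(Finding(
                n, "checks out the pull request head under pull_request_target, "
                   "running untrusted code with repository secrets"))
    return findings


# Constructed example workflows (not Nx's real workflow): the first interpolates the
# PR title into a shell script and checks out the PR head under pull_request_target.
VULNERABLE_WORKFLOW = """\
name: pr-check
on:
  pull_request_target:
    types: [opened, edited, synchronize]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Validate title
        run: |
          echo "Checking title: ${{ github.event.pull_request.title }}"
          ./scripts/lint-title.sh
"""

# Hardened shape: unprivileged trigger, and the title reaches the shell only as an
# environment variable, where it is data rather than script text.
HARDENED_WORKFLOW = """\
name: pr-check
on:
  pull_request:
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Validate title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Checking title: $PR_TITLE"
          ./scripts/lint-title.sh
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, [(f.line, f.reason) for f in lint_workflow(wf)])
```

The linter is deliberately line-based so it runs without a YAML library; a production check should parse the workflow properly and also cover `script:` inputs of actions such as `actions/github-script`. The point it makes is the one that matters for the Nx case: once a `pull_request_target` workflow lets contributor-controlled text or code execute, the contributor has the workflow's token and secrets, and any publishing credential reachable from there.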
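Both Storm-0501 entries (the BleepingComputer item and this one) describe the same sequence: abuse of an Entra Connect Directory Synchronization Account, elevation to control of Azure subscriptions, deletion of backups and snapshots, then re-encryption of storage with attacker-held Key Vault keys. The detection logic below, added here as an example and not Microsoft's or either article's code, runs two checks over constructed sample telemetry: a sync account signing in from anywhere other than the known Entra Connect server, and a single caller who performs an access elevation or Key Vault creation and then deletes recovery assets within a day. The `Sync_` prefix is the default naming pattern for these accounts and is an assumption here; the operation names are standard Azure Activity Log operation names, and the Connect server address is a parameter the defender supplies.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs), shaped like Entra ID sign-in
# records and Azure Activity Log entries reduced to the fields used below.
SIGNINS = [
    {"time": "2025-08-20T01:10:00Z", "upn": "Sync_AADC01_7f3a9b@contoso.onmicrosoft.com",
     "ip": "203.0.113.10", "app": "Microsoft Azure AD Connect"},          # the Connect server
    {"time": "2025-08-20T02:15:00Z", "upn": "Sync_AADC01_7f3a9b@contoso.onmicrosoft.com",
     "ip": "198.51.100.77", "app": "Microsoft Graph Command Line Tools"},  # interactive misuse
    {"time": "2025-08-20T02:20:00Z", "upn": "alice@contoso.com",
     "ip": "198.51.100.77", "app": "Office 365"},
]
ACTIVITY = [
    {"time": "2025-08-19T10:00:00Z", "caller": "ops@contoso.com",
     "op": "Microsoft.Compute/snapshots/delete", "resource": "/subscriptions/s1/rg-prod/snap-old"},
    {"time": "2025-08-20T03:00:00Z", "caller": "admin-synced@contoso.com",
     "op": "Microsoft.Authorization/elevateAccess/action", "resource": "/"},
    {"time": "2025-08-20T03:30:00Z", "caller": "admin-synced@contoso.com",
     "op": "Microsoft.KeyVault/vaults/write", "resource": "/subscriptions/s1/rg-prod/kv-recovery2"},
    {"time": "2025-08-20T04:05:00Z", "caller": "admin-synced@contoso.com",
     "op": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/delete",
     "resource": "/subscriptions/s1/rg-prod/rsv-prod/vm-db01"},
    {"time": "2025-08-20T04:10:00Z", "caller": "admin-synced@contoso.com",
     "op": "Microsoft.Compute/snapshots/delete", "resource": "/subscriptions/s1/rg-prod/snap-db01"},
    {"time": "2025-08-20T04:20:00Z", "caller": "admin-synced@contoso.com",
     "op": "Microsoft.Storage/storageAccounts/write", "resource": "/subscriptions/s1/rg-prod/stprodfiles"},
]

DSA_PREFIX = "Sync_"  # assumption: default Entra Connect sync account naming, Sync_<server>_<id>
SETUP_OPS = {
    "Microsoft.Authorization/elevateAccess/action",  # root-scope User Access Administrator
    "Microsoft.KeyVault/vaults/write",               # attacker-controlled key store
}
DESTRUCTIVE_OPS = {
    "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/delete",
    "Microsoft.Compute/snapshots/delete",
    "Microsoft.Compute/restorePointCollections/delete",
    "Microsoft.Storage/storageAccounts/delete",
}
REKEY_OPS = {"Microsoft.Storage/storageAccounts/write"}  # e.g. switching to customer-managed keys


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def dsa_signin_alerts(signins, connect_server_ips):
    """A sync account should only ever authenticate from the Entra Connect server."""
    alerts = []
    for e in signins:
        if e["upn"].startswith(DSA_PREFIX) and e["ip"] not in connect_server_ips:
            alerts.append(f"{e['time']} sync account {e['upn']} signed in from {e['ip']} via '{e['app']}'")
    return alerts


def extortion_sequence_alerts(activity, window_hours=24):
    """Per caller: a setup operation (access elevation or new Key Vault) followed within
    the window by deletion of backups/snapshots/storage is the destroy-then-extort pattern.
    Returns {caller: {"setup": [...], "destroyed": n, "rekeyed": n}}."""
    by_caller = {}
    for e in activity:
        by_caller.setdefault(e["caller"], []).append(e)
    alerts = {}
    for caller, events in by_caller.items():
        events.sort(key=lambda e: parse_ts(e["time"]))
        for i, s in enumerate(events):
            if s["op"] not in SETUP_OPS:
                continue
            deadline = parse_ts(s["time"]) + timedelta(hours=window_hours)
            later = [e for e in events[i + 1:] if parse_ts(e["time"]) <= deadline]
            destroyed = [e for e in later if e["op"] in DESTRUCTIVE_OPS]
            if destroyed:
                a = alerts.setdefault(caller, {"setup": [], "destroyed": 0, "rekeyed": 0})
                a["setup"].append(s["op"])
                a["destroyed"] = max(a["destroyed"], len(destroyed))
                a["rekeyed"] = max(a["rekeyed"], sum(e["op"] in REKEY_OPS for e in later))
    return alerts


if __name__ == "__main__":
    for line in dsa_signin_alerts(SIGNINS, {"203.0.113.10"}):
        print("ALERT", line)
    for caller, detail in extortion_sequence_alerts(ACTIVITY).items():
        print("ALERT", caller, detail)
```

The routine snapshot cleanup by `ops@contoso.com` is not flagged because no elevation or Key Vault creation preceded it; the sequence rule fires on the combination, not on deletions alone. In a real deployment the sign-in rule belongs in a Conditional Access or Sentinel analytic rule keyed on the sync account's object ID rather than a name prefix, and the activity rule should run over the subscription's exported Activity Log.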
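The FreePBX entry advises reviewing call records for unauthorized activity. Compromised PBX systems are usually monetised through toll fraud, so the review that matters is a pass over call detail records for out-of-hours international calls, unusual international volumes from one extension, and calls placed from extensions that should not exist. The script below is an added example, not Sangoma's code; the CDR sample is constructed with a reduced set of columns, and the known-extension list, business hours and per-extension threshold are assumptions to adapt to a real deployment.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample shaped like an Asterisk CDR export trimmed to the columns used here.
SAMPLE_CDR = """\
start,src,dst,disposition,billsec,channel
2025-08-24 10:05:12,1001,15551234567,ANSWERED,84,PJSIP/1001-00000001
2025-08-24 10:20:41,1002,15559876543,ANSWERED,310,PJSIP/1002-00000002
2025-08-24 02:14:03,1005,01125299123456,ANSWERED,1795,PJSIP/1005-00000003
2025-08-24 02:16:55,1005,01125299123457,ANSWERED,1802,PJSIP/1005-00000004
2025-08-24 02:19:30,1005,01125299123458,ANSWERED,1790,PJSIP/1005-00000005
2025-08-24 02:22:12,1005,01125299123459,NO ANSWER,0,PJSIP/1005-00000006
2025-08-24 03:40:00,9901,0037063123456,ANSWERED,600,PJSIP/9901-00000007
2025-08-24 14:30:00,1003,0044207123456,ANSWERED,120,PJSIP/1003-00000008
"""

# Assumptions for the example: the extensions provisioned on purpose, and office hours.
KNOWN_EXTENSIONS = {"1001", "1002", "1003", "1004", "1005"}
BUSINESS_HOURS = range(8, 19)


def is_international(dst: str) -> bool:
    # NANP international prefix, ITU 00 prefix, or E.164 '+' form.
    return dst.startswith(("011", "00", "+"))


def review_cdr(cdr_text: str, known_extensions, max_intl_per_src: int = 3):
    """Return (start, src, dst, [reasons]) for every record that looks like toll fraud
    or comes from an extension an attacker may have added."""
    rows = list(csv.DictReader(io.StringIO(cdr_text)))
    intl_count = Counter(r["src"] for r in rows if is_international(r["dst"]))
    findings = []
    for r in rows:
        reasons = []
        hour = datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S").hour
        intl = is_international(r["dst"])
        if r["src"] not in known_extensions:
            reasons.append("unknown source extension")
        if intl and hour not in BUSINESS_HOURS:
            reasons.append("international call outside business hours")
        if intl and intl_count[r["src"]] > max_intl_per_src:
            reasons.append(f"{intl_count[r['src']]} international calls from one extension")
        if reasons:
            findings.append((r["start"], r["src"], r["dst"], reasons))
    return findings


def international_minutes_by_source(cdr_text: str):
    """Billed international minutes per extension, the number the carrier will invoice."""
    rows = csv.DictReader(io.StringIO(cdr_text))
    minutes = Counter()
    for r in rows:
        if is_international(r["dst"]):
            minutes[r["src"]] += int(r["billsec"]) / 60
    return dict(minutes)


if __name__ == "__main__":
    for start, src, dst, reasons in review_cdr(SAMPLE_CDR, KNOWN_EXTENSIONS):
        print(start, src, "->", dst, ";", "; ".join(reasons))
    print(international_minutes_by_source(SAMPLE_CDR))
```

Extension 1003's single daytime call to the UK is left alone, which is the point of combining the checks: any one signal on its own (an international call, a night-time call) is normal for many businesses, while a burst of long night-time international calls from one extension, or any call from an extension nobody provisioned, is the shape of a PBX being rented out.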
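The PromptLock entry notes that the malware encrypts with the SPECK 128-bit cipher. For readers who want to see what that is, the following is a Speck128/128 implementation (128-bit block, 128-bit key, 32 rounds) written from the published specification, added here as an example and not code taken from PromptLock or ESET's analysis. It is the bare block cipher only; how PromptLock applies it (mode of operation, key handling) is not described in the article and is not assumed here.

```python
# Speck128/128: 64-bit words, rotation amounts alpha=8 and beta=3, 32 rounds.
MASK = (1 << 64) - 1
ROUNDS = 32


def _ror(x: int, r: int) -> int:
    return ((x >> r) | (x << (64 - r))) & MASK


def _rol(x: int, r: int) -> int:
    return ((x << r) | (x >> (64 - r))) & MASK


def _round(x: int, y: int, k: int) -> tuple[int, int]:
    """One Speck round: x = (x >>> 8) + y xor k ; y = (y <<< 3) xor x."""
    x = ((_ror(x, 8) + y) & MASK) ^ k
    y = _rol(y, 3) ^ x
    return x, y


def _inv_round(x: int, y: int, k: int) -> tuple[int, int]:
    """Exact inverse of _round, applied with the round keys in reverse."""
    y = _ror(y ^ x, 3)
    x = _rol(((x ^ k) - y) & MASK, 8)
    return x, y


def expand_key(k1: int, k0: int) -> list[int]:
    """Key schedule for a 128-bit key given as two words; k0 is the first round key
    and k1 feeds the schedule. The round function itself drives the schedule, with
    the round counter standing in for the round key."""
    keys = [k0]
    l, k = k1, k0
    for i in range(ROUNDS - 1):
        l, k = _round(l, k, i)
        keys.append(k)
    return keys


def encrypt_block(x: int, y: int, round_keys: list[int]) -> tuple[int, int]:
    for k in round_keys:
        x, y = _round(x, y, k)
    return x, y


def decrypt_block(x: int, y: int, round_keys: list[int]) -> tuple[int, int]:
    for k in reversed(round_keys):
        x, y = _inv_round(x, y, k)
    return x, y


def encrypt_bytes_ecb(block: bytes, round_keys: list[int]) -> bytes:
    """Encrypt exactly one 16-byte block; word order follows the specification's
    test-vector convention (first 8 bytes are x). ECB on one block only, shown to
    make the byte mapping explicit, not as a recommended mode."""
    if len(block) != 16:
        raise ValueError("Speck128 encrypts exactly 16 bytes per block")
    x, y = int.from_bytes(block[:8], "big"), int.from_bytes(block[8:], "big")
    cx, cy = encrypt_block(x, y, round_keys)
    return cx.to_bytes(8, "big") + cy.to_bytes(8, "big")


if __name__ == "__main__":
    rks = expand_key(0x0F0E0D0C0B0A0908, 0x0706050403020100)
    ct = encrypt_block(0x6C61766975716520, 0x7469206564616D20, rks)
    print("ciphertext words:", [hex(w) for w in ct])
    print("round trip ok:", decrypt_block(*ct, rks) == (0x6C61766975716520, 0x7469206564616D20))
```

The check against the specification's published test vector (key `0f0e0d0c0b0a0908 0706050403020100`, plaintext `6c61766975716520 7469206564616d20`) is what confirms the word order and key schedule are right; getting either wrong still produces a cipher that round-trips, which is why a round-trip test alone proves nothing. For a defender the practical relevance is that a lightweight ARX cipher like this is a few dozen lines in any language, so a ransomware author, or an LLM generating the script, gains nothing from a crypto library and leaves no library import to detect.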