Daily Brief

Total articles found: 11783

2025-08-14 17:57:03 | bleepingcomputer | CYBERCRIME | Crypto24 Ransomware Targets Global Firms with Advanced Evasion Techniques
The Crypto24 ransomware group has targeted large organizations across the U.S., Europe, and Asia, focusing on sectors like finance, manufacturing, entertainment, and technology. Trend Micro researchers suggest that Crypto24 may include former members of defunct ransomware groups, indicating a high level of expertise and operational knowledge. After initial access, the group uses administrative accounts on Windows systems to maintain persistent access, employing custom batch files for reconnaissance. Crypto24 deploys a customized RealBlindingEDR tool to disable security solutions by targeting kernel drivers, effectively evading detection by multiple vendors. The group exploits legitimate tools like Trend Micro's XBCUninstaller.exe to remove security agents, facilitating the deployment of keyloggers and ransomware payloads. Data exfiltration is conducted via Google Drive using a custom tool, while ransomware execution follows the deletion of volume shadow copies to hinder recovery efforts. Trend Micro has released indicators of compromise to assist cybersecurity teams in detecting and mitigating Crypto24 attacks at early stages.
2025-08-14 17:47:48 | theregister | VULNERABILITIES | New HTTP/2 Flaw 'MadeYouReset' Enables Large-Scale DoS Attacks
Researchers discovered a design flaw in HTTP/2, named 'MadeYouReset', allowing attackers to execute massive Denial of Service (DoS) attacks by bypassing built-in concurrency limits. Over 100 vendors, including major names like Google, Microsoft, and IBM, were notified due to the widespread implementation of HTTP/2 across the web. The vulnerability, identified as CVE-2025-8671, builds on the previous CVE-2023-44487 'Rapid Reset' flaw, which remains partially unresolved. Attackers can exploit this flaw to create unbounded concurrent requests, potentially causing servers to crash due to out-of-memory errors. Projects and vendors such as Apache Tomcat, Fastly, and Varnish Software have released patches, while other organizations are investigating potential impacts and remediation strategies. Mitigation strategies include stricter protocol validation, enhanced stream state tracking, and deploying anomaly detection systems to prevent exploitation. Organizations using HTTP/2 should verify with vendors about patch availability and implement recommended security measures to protect their infrastructure.
2025-08-14 17:17:55 | theregister | VULNERABILITIES | CISA Urges Enhanced Cybersecurity for Operational Technology Systems
CISA has issued new guidance urging organizations to strengthen cybersecurity measures for operational technology (OT) environments, which are increasingly targeted by cyberattacks. OT systems, integral to industries like manufacturing, energy, and transportation, face rising threats due to their growing connectivity to the internet. Security firm Dragos reported an 87% increase in cyberattacks on industrial companies in the US in 2024, highlighting the vulnerability of OT systems. CISA's foundational guidance recommends creating a comprehensive OT asset inventory using a taxonomy-based approach to improve risk management and incident response. The joint effort includes contributions from global cybersecurity agencies, emphasizing the critical role of OT systems in national security and daily life. The guidance provides industry-specific examples and suggests maintaining detailed records of OT assets, including communication protocols and system updates. Organizations are encouraged to adopt these practices to mitigate risks and ensure the continuity of essential services.
2025-08-14 16:18:44 | theregister | CYBERCRIME | BtcTurk Halts Operations Following $49 Million Crypto Wallet Breach
Turkish cryptocurrency exchange BtcTurk suspended deposits and withdrawals after detecting unusual activity in its hot wallets on August 14, 2025. The exchange confirmed a significant compromise, with losses estimated at $49 million across various tokens, while trading activities remain unaffected. BtcTurk reassured users that most assets are stored securely in cold wallets, minimizing the impact on customer funds. Blockchain security firm PeckShield suspects a private key leak, complicating efforts to trace and recover the stolen assets. The attacker has reportedly begun converting stolen tokens to Ethereum, further hindering recovery efforts by obfuscating the transaction trail. BtcTurk, with over 6 million users, is working with experts to investigate and negotiate potential recovery, though chances are deemed low. The incident underscores ongoing vulnerabilities in crypto exchanges, with attackers frequently targeting hot wallets due to their internet connectivity.
2025-08-14 16:04:27 | bleepingcomputer | NATION STATE ACTIVITY | Pro-Russian Hackers Target Norwegian Dam in Cyber Sabotage
The Norwegian Police Security Service attributes a cyberattack on a dam's control systems to pro-Russian hackers, who manipulated outflow valves in April. The incident served as a demonstration of Russia's cyber capabilities rather than an attempt to cause physical damage, according to Norwegian authorities. Hackers managed to release over 7.2 million liters of water before dam operators corrected the system settings after four hours. Videos posted by Russian hacktivists on Telegram showcased the dam's control panel, confirming their involvement and linking the attack to a pro-Russian group. The attack is part of a broader pattern of hybrid operations aimed at creating fear and uncertainty in Western nations, as noted by Norway's Intelligence Chief. This marks the second cyber incident linked to Russia targeting Norway, following a previous DDoS attack on state services. Norway's intelligence highlights Russia as the most significant threat, utilizing cyber tactics to maintain geopolitical tension.
2025-08-14 15:23:46 | thehackernews | VULNERABILITIES | New HTTP/2 'MadeYouReset' Vulnerability Threatens Web Server Stability
Researchers have identified a new vulnerability, MadeYouReset, affecting multiple HTTP/2 implementations, potentially enabling large-scale denial-of-service (DoS) attacks. MadeYouReset allows attackers to bypass the server-imposed limit of concurrent HTTP/2 requests, leading to potential out-of-memory crashes in some systems. The vulnerability, assigned CVE-2025-8671, impacts several products, including Apache Tomcat, F5 BIG-IP, and Netty, posing a risk to web infrastructure. This flaw builds upon previous vulnerabilities like Rapid Reset, exploiting RST_STREAM frames to trigger protocol violations and induce server resets. CERT Coordination Center warns that MadeYouReset exploits mismatches between HTTP/2 specifications and server architectures, causing resource exhaustion. The discovery emphasizes the need for robust defenses against subtle, spec-compliant attacks on foundational web protocols. Organizations are advised to review and update their HTTP/2 implementations to mitigate potential exploitation and ensure server stability.
2025-08-14 14:24:25 | bleepingcomputer | CYBERCRIME | Phishing Campaigns Exploit Unicode Characters to Mimic Booking.com
Cybercriminals are using the Japanese hiragana character 'ん' to craft deceptive Booking.com phishing URLs that appear legitimate, tricking users into visiting malicious sites. The phishing links redirect victims to a lookalike domain, www-account-booking[.]com, where malware is delivered via a malicious MSI installer. This campaign leverages homoglyphs, characters that visually resemble others, to deceive users, a tactic increasingly used in phishing and homograph attacks. Security measures have been implemented to help users distinguish homoglyphs, but desktop environments remain vulnerable to such visual deceptions. Similar tactics are observed in an Intuit-themed phishing campaign, where 'Lntuit' is used to mimic 'Intuit', exploiting font similarities on mobile devices. Users are advised to verify URLs by hovering over links and checking the actual domain to mitigate risks of falling victim to these phishing strategies. Keeping endpoint security software updated is crucial, as modern phishing kits often deploy malware directly after a link is clicked.
2025-08-14 14:04:17 | bleepingcomputer | CYBERCRIME | Blue Report 2025 Reveals Shift in Ransomware and Infostealer Tactics
Picus Security's Blue Report 2025 reveals a shift from encryption to data theft in ransomware and infostealer campaigns, affecting organizations' ability to detect and prevent such threats. Over 160 million attack simulations show a concerning decline in data exfiltration prevention rates to 3%, highlighting vulnerabilities in current cybersecurity defenses. Infostealers have evolved into sophisticated tools for credential theft and data exfiltration, often bypassing traditional security measures by mimicking legitimate access. The report emphasizes that backup solutions alone are insufficient against modern ransomware, which now often relies on data theft and public exposure threats. Key vulnerabilities identified include a lack of outbound monitoring, insufficient data loss prevention (DLP) enforcement, and limited behavioral analytics. Organizations are urged to adopt Continuous Threat Exposure Management (CTEM) strategies to prioritize and address high-risk exposures effectively. The findings stress the importance of proactive detection and prevention measures upstream, before data exfiltration occurs and credentials are exploited.
2025-08-14 13:19:15 | thehackernews | MALWARE | CrossC2 Expands Cobalt Strike's Reach to Linux and macOS Systems
Japan's CERT Coordination Center (JPCERT/CC) reported the use of CrossC2, extending Cobalt Strike's capabilities to Linux and macOS, observed between September and December 2024. The campaign targeted multiple countries, including Japan, using CrossC2 alongside tools like PsExec, Plink, and a custom malware loader named ReadNimeLoader. ReadNimeLoader, written in Nim, sideloads a legitimate binary to execute shellcode in memory, avoiding disk traces, and employs anti-debugging techniques. The attacks show overlap with BlackSuit/Black Basta ransomware activities, sharing command-and-control domains and file naming conventions. ELF versions of the SystemBC backdoor were also present, often preceding Cobalt Strike and ransomware deployment, indicating a sophisticated attack chain. The campaign highlights vulnerabilities in Linux servers lacking Endpoint Detection and Response (EDR) systems, emphasizing the need for enhanced security measures. Organizations are advised to strengthen defenses against cross-platform threats and ensure comprehensive monitoring across all operating systems.
2025-08-14 13:10:36 | bleepingcomputer | DATA BREACH | Canadian House of Commons Probes Data Breach After Cyberattack
The House of Commons of Canada is investigating a data breach following a cyberattack that compromised employee information, including names, job titles, office locations, and email addresses. The breach involved exploitation of a Microsoft vulnerability, affecting databases that manage computers and mobile devices within the House of Commons. Employees and parliamentarians have been warned about potential fraudulent activities using the stolen data, which could lead to impersonation and scams. The House of Commons is working with the Communications Security Establishment (CSE) to assess the breach's impact, though attribution of the attack remains challenging. The Canadian Centre for Cyber Security has alerted IT professionals to secure systems against two Microsoft vulnerabilities, CVE-2025-53770 and CVE-2025-53786, which have been actively exploited. These vulnerabilities have been linked to breaches of high-profile targets globally, including U.S. government entities and European networks. The incident underscores the critical need for timely patch management and robust cybersecurity measures to protect sensitive governmental data.
2025-08-14 12:51:04 | theregister | NATION STATE ACTIVITY | Russian Cyber Actors Target US Courts and Norwegian Dam Systems
Russian-linked cyber actors infiltrated the US federal court's case-management system, accessing sensitive sealed documents and system blueprints over several months. The attack exploited long-standing vulnerabilities in the CM/ECF platform, affecting multiple jurisdictions, including New York City. The breach raises concerns over the security of legal documents and the potential exposure of witness identities and case details. In Norway, suspected Russian operatives took control of a dam's floodgates, holding them open for hours, demonstrating their capability to disrupt critical infrastructure. Norway's domestic intelligence agency attributes the dam incident to pro-Russian cyber actors, viewing it as a tactic to instill fear and chaos. These incidents reflect a strategic shift in Russian cyber activities, targeting less conventional infrastructure to showcase their reach and capabilities. The US and Norwegian authorities are investigating the incidents, but specific Russian groups responsible have yet to be identified. The events highlight the need for strengthened cybersecurity measures across both legal and critical infrastructure systems to prevent future breaches.
2025-08-14 11:29:08 | thehackernews | VULNERABILITIES | Enhancing Cybersecurity with Automated External Attack Surface Management
Organizations face challenges in managing expansive digital footprints, with forgotten assets like cloud instances and staging servers posing security risks if left unmonitored. External Attack Surface Management (EASM) tools automate the discovery of internet-facing assets, identifying orphaned servers and open ports before they become security incidents. Digital Risk Protection (DRP) solutions monitor external threats, scanning social media and dark web forums for mentions of an organization, providing early alerts on potential risks. EASM and DRP tools enable systematic security practices, ensuring continuous monitoring and proactive management of digital assets and threats. Automated alerts and AI-powered filtering prioritize genuine risks, reducing false positives and focusing attention on critical vulnerabilities. Solutions like Outpost24's CompassDRP integrate EASM and DRP capabilities, offering comprehensive visibility and threat intelligence for effective risk management. Implementing these tools helps organizations maintain a robust cybersecurity posture, preventing costly incidents and ensuring operational resilience.
2025-08-14 11:20:51 | theregister | DATA BREACH | Italian Hotels Face Data Breach, 100,000 Records Compromised
Italy's digital agency (AGID) confirms a data breach affecting hotel booking systems, with nearly 100,000 identity documents compromised between June and August. The cybercriminal, known as mydocs, claims responsibility for the breach, listing sensitive documents like passports on a cybercrime forum. AGID verified the authenticity of the stolen data, warning of potential scams, identity theft, and financial fraud targeting affected individuals. The breach impacts at least ten hotels, with the number expected to rise; the Borghese Contemporary Hotel in Rome is among those affected. Italy's data protection authority, the GPDP, urges unreported hotels to disclose any irregularities and notify affected guests as per legal requirements. A formal investigation has been launched to determine the breach's extent and the methods used to access the data. The breach poses significant risks, including the creation of false documents and unauthorized bank accounts, highlighting the critical need for enhanced data protection measures.
2025-08-14 11:10:45 | thehackernews | MALWARE | New Android Trojan Exploits NFC for Banking Fraud in Brazil
Cybersecurity researchers have identified a new Android trojan, PhantomCard, which exploits NFC technology to execute relay attacks on banking customers in Brazil. PhantomCard masquerades as legitimate apps on fake Google Play pages, tricking users into installing it by using deceptive positive reviews. Once installed, the app relays NFC data from victims' banking cards to a fraudster's device, allowing unauthorized transactions. The malware is part of a Chinese-origin NFC relay malware-as-a-service, NFU Pay, distributed through underground channels like Telegram. The attack complicates the threat landscape for financial organizations by introducing global threats that bypass regional language and cultural barriers. Similar NFC-enabled fraud has been reported in Southeast Asia, with attackers using tools like Z-NFC and SuperCard X to clone card data. The rise of contactless payments and low-value transaction limits in regions like the Philippines makes these attacks harder to detect and prevent in real-time. Financial institutions are urged to enhance monitoring and adapt security measures to mitigate these evolving threats.
2025-08-14 10:13:56 | theregister | CYBERCRIME | Stock in the Channel Suffers Ransomware Attack, Services Disrupted
Stock in the Channel (STIC), a UK-based tech stock platform, experienced a ransomware attack, causing significant service disruption and a website outage. The attack was executed by a sophisticated criminal group exploiting a zero-day vulnerability in a third-party application. Despite extensive infrastructure damage, STIC reports no evidence of a data breach and has successfully recovered critical data. The company's website remains partially operational, with ongoing efforts to fully restore services; stock and price data may be outdated. STIC's email and phone lines continue to function, maintaining communication channels with its 60,000 users across 22 countries. The incident underscores the importance of securing third-party applications to prevent exploitation by cybercriminals. No customer data compromise is believed to have occurred, but the situation remains under close monitoring.