Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11786

Checks for new stories every ~15 minutes

2025-08-12 12:04:44 theregister CYBERCRIME Cybercrime Gangs Collaborate on Telegram, Launch New Ransomware Service
Cybercrime groups Scattered Spider, ShinyHunters, and Lapsus$ have joined forces on a Telegram channel, sharing breach details and promoting their exploits. The channel, "Scattered LAPSUS$ Hunters," featured claims of attacks on major brands, including Victoria's Secret, Gucci, and Neiman Marcus. Members discussed developing a new ransomware-as-a-service (RaaS) operation, "ShinySpider," boasting high-speed encryption capabilities of 1 GB per second. The collaboration suggests an evolution in cyber extortion tactics, prioritizing chaos and reputation alongside financial gain. ReliaQuest's analysis indicates coordinated efforts between the groups, with Scattered Spider acting as an initial access broker for ShinyHunters. The groups have targeted high-profile organizations using social engineering and phishing tactics, exploiting trusted enterprise applications like Okta and Salesforce. Experts recommend reinforcing identity verification processes and implementing phishing-resistant multifactor authentication to counteract these social-engineering attacks.
2025-08-12 11:49:21 theregister CYBERCRIME Hyundai Offers Paid Security Upgrade Amid Rising Car Thefts
Hyundai is charging £49 to UK customers for a security upgrade to prevent car thefts, targeting Ioniq 5 owners vulnerable to theft via electronic bypass devices. The upgrade comes in response to a surge in UK car thefts, with criminals using devices that mimic vehicle key signals to unlock and steal cars. These devices, resembling a Game Boy and costing around £20,000, have been linked to multiple thefts, offering a quick return on investment for thieves. Affected customers, like Elliott Ingram, have expressed dissatisfaction, with some considering legal action against Hyundai for inadequate security measures. The UK government plans to ban keyless repeaters and signal jammers, which contribute to approximately 40% of vehicle thefts in England and Wales. Hyundai's decision to charge for the upgrade has raised questions about the automaker's commitment to customer security, as the upgrade is not offered for free. The incident underscores the need for automakers to continuously enhance security features to protect against evolving theft techniques.
2025-08-12 11:06:02 thehackernews MISCELLANEOUS Enterprise Browsers vs. Extensions: Navigating Security and Functionality
The article explores the security dynamics between Enterprise Browsers and Secure Browser Extensions, focusing on their ability to manage in-session risks within enterprise environments. Nine key areas are analyzed, including data protection, BYOD, productivity, and Zero Trust alignment, offering a comprehensive view of each approach's strengths and limitations. Browsers have become central to enterprise operations, handling sensitive data and GenAI prompts, which introduces unique security challenges and necessitates robust browser security strategies. Enterprise Browser Extensions enhance functionality but increase the attack surface, requiring careful management to balance security with operational efficiency. The guide emphasizes that neither solution replaces existing security measures but addresses specific in-session gaps, providing tailored control and coverage. Practical scenarios are used to evaluate how each model performs under real-world conditions, aiding security teams in making informed decisions based on their unique risk profiles. The decision between adopting Enterprise Browsers or Extensions involves weighing control depth against coverage breadth, considering factors like adoption patterns and long-term manageability.
2025-08-12 11:06:02 bleepingcomputer CYBERCRIME Interlock Ransomware Disrupts Saint Paul, Minnesota City Systems
The Interlock ransomware gang attacked Saint Paul, Minnesota, severely disrupting city systems and services in late July, prompting a National Guard response. Governor Tim Walz activated the Minnesota National Guard to assist with cyber protection as the attack exceeded the city's response capabilities. Despite the attack, emergency services remained operational, while online payments and other services faced temporary disruptions. Mayor Melvin Carter confirmed the city refused to pay the ransom, and no personal or financial data of residents was compromised. Interlock claimed responsibility for stealing 43 GB of data, publishing some on their leak site, though the city continues to collaborate with federal partners on recovery efforts. Interlock has a history of targeting various sectors, including healthcare, and was previously linked to significant breaches at DaVita and Kettering Health. Prior to the attack, CISA and the FBI issued warnings about increased Interlock activity targeting critical infrastructure, advising on mitigation strategies.
2025-08-12 08:41:32 thehackernews VULNERABILITIES Dutch NCSC Alerts on Citrix NetScaler Exploitation in Critical Sectors
The Dutch National Cyber Security Centre (NCSC-NL) has identified active exploitation of a critical Citrix NetScaler vulnerability, CVE-2025-6543, impacting several key organizations in the Netherlands. The vulnerability, with a CVSS score of 9.2, can lead to unintended control flow and denial-of-service when configured as a Gateway or AAA virtual server. Initial exploitation began as a zero-day in early May 2025, two months prior to public disclosure, indicating a sophisticated threat actor's involvement. Malicious web shells were discovered on compromised Citrix devices, providing attackers with remote access and highlighting the need for immediate remediation. Organizations are urged to apply the latest patches, terminate active sessions, and utilize NCSC-NL's shell script to detect potential indicators of compromise. The vulnerability's addition to CISA's Known Exploited Vulnerabilities catalog underscores its critical nature and the importance of swift action. The incident serves as a reminder of the persistent threat posed by unpatched vulnerabilities and the necessity for proactive cybersecurity measures.
2025-08-12 08:34:59 theregister MISCELLANEOUS UK Faces Setback in Encryption Battle Amid US Opposition
The UK's decade-long effort to weaken end-to-end encryption (E2EE) faces a major obstacle as the US administration expresses strong opposition to such measures. The UK government has attempted to mandate backdoors in encrypted communications, citing national security concerns, but faces backlash from tech companies and privacy advocates. Apple's decision to disable its Advanced Data Protection iCloud feature for UK users reflects the tech industry's resistance to compromising encryption standards. The US administration's stance, likening the UK's approach to Chinese-style policies, poses diplomatic challenges and affects future tech collaborations. Legal experts warn that UK efforts to bypass encryption could lead to human rights conflicts, drawing parallels with past European Court of Human Rights rulings. Privacy advocates argue that any compromise on E2EE would undermine user trust and privacy, with potential risks of surveillance and data misuse. The debate over encryption remains unresolved, with discussions on alternative solutions like client-side scanning and digital IDs continuing amidst political and technical complexities.
2025-08-12 06:44:55 theregister VULNERABILITIES Researchers Reveal Vulnerabilities in AI-Driven IT Operations Tools
Researchers from RSAC Labs and George Mason University identified vulnerabilities in AI-driven IT operations tools, known as AIOps, which can be exploited via manipulated telemetry data. AIOps tools, designed to automate IT operations by analyzing system logs and performance metrics, can be deceived into executing harmful actions due to tainted telemetry inputs. The study demonstrated that adversaries could downgrade software packages to vulnerable versions by feeding bogus telemetry data to AIOps systems. Attacks were tested on applications like SocialNet and HotelReservation, achieving success rates of up to 89.2%, with AI models like GPT-4.1 showing some resistance. Researchers proposed a defense mechanism, AIOpsShield, to sanitize telemetry data, although it may not protect against more sophisticated attacks involving supply chain compromises. The findings suggest a need for enhanced verification processes in AI models to distinguish between genuine and malicious telemetry data inputs. Organizations using AIOps tools should be vigilant about potential telemetry manipulation and consider implementing additional security measures to safeguard IT infrastructure.
2025-08-11 20:46:50 bleepingcomputer NATION STATE ACTIVITY Data Breach Exposes North Korean Kimsuky Hackers' Operations and Tools
North Korean state-sponsored group Kimsuky experienced a data breach, with two hackers leaking sensitive information online for ethical reasons, criticizing the group's political motivations. Hackers 'Saber' and 'cyb0rg' released 8.9 GB of Kimsuky's backend data, revealing tools and stolen data, potentially impacting ongoing and future campaigns. The breach, hosted on the 'Distributed Denial of Secrets' website, offers new insights into Kimsuky's operations, interlinking their tools and activities. While the breach may not have a long-term effect on Kimsuky's operations, it could cause short-term operational challenges and disrupt current campaigns. Security researchers are verifying the authenticity and value of the leaked documents, which could provide valuable intelligence on Kimsuky's methods. The incident was publicized in the latest issue of Phrack, distributed at DEF CON 33, highlighting ethical concerns over Kimsuky's hacking activities.
2025-08-11 19:25:09 bleepingcomputer VULNERABILITIES Critical Citrix NetScaler Flaw Exploited in Dutch Cyber Breaches
The Netherlands' National Cyber Security Centre (NCSC) has reported breaches in critical organizations due to the Citrix NetScaler vulnerability CVE-2025-6543. This memory overflow bug allows for unintended control flow and denial of service, exploited for remote code execution in recent attacks. Attacks have been ongoing since early May, exploiting the vulnerability as a zero-day for nearly two months before Citrix issued a patch. The Openbaar Ministerie, among others, experienced severe operational disruptions, highlighting the vulnerability's impact on essential services. Organizations are urged to update to specific NetScaler versions to mitigate risks and end all active sessions to prevent further exploitation. The NCSC has released a detection script on GitHub to help identify signs of compromise, such as unusual PHP and XHTML files. These incidents underline the importance of timely patch management and proactive monitoring for potential indicators of compromise.
2025-08-11 19:16:36 theregister VULNERABILITIES Russia-Linked Groups Exploit WinRAR Zero-Day in Targeted Attacks
Russian-affiliated threat actors, including RomCom, exploited a critical WinRAR zero-day vulnerability, CVE-2025-8088, affecting financial, defense, and logistics sectors in Europe and Canada. The vulnerability, a path-traversal flaw with a CVSS score of 8.4, was patched in WinRAR version 7.13, released on July 31, following its initial exploitation. Attackers used spearphishing emails disguised as job applications to deliver malicious RAR archives containing backdoors like SnipBot and RustyClaw, targeting specific organizations. ESET researchers identified the vulnerability, noting RomCom's use of alternate data streams to bypass security, and observed similar exploits by another group, Paper Werewolf. The threat actors conducted reconnaissance to ensure high targeting precision, with malware designed to exit if the target's domain name didn't match predefined criteria. The sale of a WinRAR zero-day exploit for $80,000 on a cybercrime forum suggests potential widespread adoption by other threat actors. This incident highlights the critical need for timely patching and enhanced email security measures to mitigate zero-day vulnerabilities and targeted attacks.
2025-08-11 18:07:52 bleepingcomputer VULNERABILITIES WinRAR Zero-Day Exploited by RomCom Group in Malware Attacks
A zero-day vulnerability in WinRAR, identified as CVE-2025-8088, was exploited by the Russian RomCom hacking group to distribute malware payloads. RomCom, known for cyberespionage, previously exploited zero-days in Firefox and Microsoft Office, showcasing a pattern of targeting widely-used software. ESET discovered the vulnerability on July 18, 2025, and promptly informed WinRAR, which released a patched version on July 30, 2025. The vulnerability involved path traversal using alternate data streams, allowing malicious files to be extracted into critical system paths. Attack chains delivered known RomCom malware families, with executables placed in temporary directories and shortcuts in startup folders for persistent access. Despite the patch, WinRAR's lack of an auto-update feature requires users to manually update, posing ongoing risks if not addressed. The incident underscores the need for vigilance in software updates and highlights the persistent threat of zero-day vulnerabilities in popular applications.
2025-08-11 17:23:38 theregister CYBERCRIME US DOJ Pursues Recovery of $1 Million Stolen by North Korean Agents
The US Department of Justice is working to recover over $1 million allegedly stolen by North Korean IT specialists from a New York-based cryptocurrency company. Three IT specialists, secretly linked to North Korea, exploited vulnerabilities in the company's cryptocurrency wallet, leading to the theft of Tether tokens. The FBI traced the funds through a complex laundering scheme involving multiple blockchains, ultimately seizing the stolen assets in July 2024. The stolen Tether tokens, pegged to the US dollar, are currently valued at approximately $1,008,564.72 and remain under FBI control. The primary suspect, Chang Nam Il, also known as Bong Chee Shen, is implicated in additional thefts in Atlanta and Serbia, using fraudulent identities. The US Rewards for Justice program offers $5 million for information disrupting North Korean financial schemes, highlighting ongoing concerns over state-sponsored cyber activities. The case underscores the persistent threat posed by North Korean cyber operatives using sophisticated methods to fund their government's initiatives.
2025-08-11 16:35:56 thehackernews VULNERABILITIES New TETRA Encryption Flaws Threaten Law Enforcement Communications Security
Cybersecurity researchers identified vulnerabilities in the TETRA radio protocol, affecting its end-to-end encryption, making it susceptible to replay and brute-force attacks. The vulnerabilities, named 2TETRA:2BURST, were disclosed at the Black Hat USA conference, impacting law enforcement, military, and critical infrastructure users. The flaws allow for packet injection attacks, enabling potential interception and manipulation of radio communications, particularly in data-carrying networks. Specific vulnerabilities, such as CVE-2025-52940 and CVE-2025-52941, could lead to confusion among users and compromise communication integrity. While no active exploitation has been reported, patches are limited, with some fixes expected by the third quarter of 2025. ETSI clarified that the E2EE mechanism in TETRA radios is not part of its standard, advising users to consider alternative encryption solutions. The discovery also includes flaws in Sepura SC20 radios, allowing unauthorized code execution, necessitating enhanced key management practices. Organizations using TETRA networks should assess their configurations and implement mitigations to safeguard against these vulnerabilities.
2025-08-11 16:29:38 theregister MISCELLANEOUS AI's Role in Cybersecurity: Current Strengths and Future Challenges
At Black Hat, experts discussed AI's current advantage for cybersecurity defense, though this may shift as attackers advance their AI capabilities. Mikko Hyppönen of WithSecure noted AI's role in discovering vulnerabilities, with two dozen found in 2025, but warned of increasing AI use by hackers. Nicole Perlroth highlighted potential future advantages for offensive AI applications, amid a significant cybersecurity workforce shortage in the US. AI tools are currently used to support human-led red teaming exercises, but their independent effectiveness remains limited and prone to errors. DARPA's AI Cyber Challenge demonstrated AI's potential in vulnerability detection and patching, with 54 vulnerabilities identified and 43 patched by a winning US-South Korean team. AI's proficiency in spotting SQL vulnerabilities offers hope for addressing common security flaws, though its impact on job markets remains debated. Industry leaders emphasize AI as a tool to augment human skills rather than replace them, with human ingenuity still crucial in cybersecurity operations.
2025-08-11 16:29:38 bleepingcomputer CYBERCRIME Microsoft 365 Apps Exploited in Sophisticated Native Phishing Attacks
Cybercriminals are leveraging Microsoft 365 applications, notably OneNote, to conduct "native phishing" attacks, exploiting trusted tools to bypass traditional security defenses. Attackers utilize compromised Microsoft 365 accounts to distribute malicious links via built-in file-sharing features, making phishing attempts appear legitimate and reducing detection. Recent incidents show attackers using OneNote to embed phishing URLs, leading victims to convincing fake login pages created with AI-powered no-code platforms like Flazio. This method has resulted in a high success rate, as victims often unknowingly enter credentials into fraudulent sites mimicking legitimate company portals. The use of AI and no-code platforms allows threat actors to swiftly create and deploy phishing sites, increasing the efficiency and reach of their campaigns. Organizations are advised to enhance security measures by monitoring user activities and educating employees on identifying phishing attempts to mitigate risks. Varonis offers tools for real-time monitoring and incident response, helping organizations detect and respond to phishing campaigns effectively.