Daily Brief

2025-11-21 16:03:34 bleepingcomputer NATION STATE ACTIVITY FCC Reverses Telecom Cybersecurity Rules Amid State-Sponsored Threats
The FCC has rescinded its ruling mandating enhanced cybersecurity measures for U.S. telecom carriers, a ruling adopted after the Salt Typhoon intrusions linked to Chinese espionage. Salt Typhoon targeted major telecom companies and potentially compromised sensitive communications, including the systems carriers use to fulfil lawful wiretap orders, raising national security concerns. The rollback follows telecom industry lobbying, with firms describing the previous framework as overly burdensome and operationally taxing. The FCC's decision has drawn criticism, notably from Commissioner Anna M. Gomez, who argues it weakens national defenses against ongoing state-sponsored threats. Despite the rollback, telecom providers have committed to improving their cybersecurity on their own initiative. Senators Maria Cantwell and Gary Peters opposed the decision and urged the agency to keep stringent safeguards in place. The episode underscores the tension between regulation and industry pressure in protecting critical infrastructure from sophisticated cyber threats.
2025-11-21 15:41:36 thehackernews VULNERABILITIES Grafana Releases Critical Patch for SCIM Vulnerability in Enterprise Versions
Grafana has released patches for a critical vulnerability in its SCIM component, tracked as CVE-2025-41115, that can lead to privilege escalation or user impersonation. The flaw carries the maximum CVSS score of 10.0 and affects Grafana Enterprise versions 12.0.0 through 12.2.1 where SCIM provisioning is both enabled and configured. The root cause is that the externalId supplied by the SCIM client was mapped directly onto Grafana's internal numeric user ID, so a malicious or compromised SCIM client that provisions a user with a numeric externalId can override an existing internal user ID and impersonate critical accounts such as Admin. Grafana found the issue internally on November 4, 2025, during routine audits and testing. Organizations running affected versions should confirm whether SCIM provisioning is enabled, review their SCIM configuration (in particular which clients hold provisioning credentials), and update to the patched versions promptly.
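The externalId-to-internal-ID confusion summarised above, modelled as an added example for this brief rather than Grafana's actual code: the user table layout (the admin account as internal user 1), the shape of both provisioning handlers and the SSO lookup step are assumptions made for illustration, and the SCIM payload is constructed. The vulnerable handler reuses a numeric externalId as the internal ID; the hardened one treats externalId as an opaque string that is only ever compared against other externalId values.

```python
# Added illustration of the SCIM externalId / internal user ID confusion
# summarised above. Not Grafana's code: the user table layout (admin is
# internal user 1), both handlers and the SSO lookup are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class User:
    id: int                            # internal ID, assigned by the server only
    login: str
    is_admin: bool = False
    external_id: Optional[str] = None  # identity as the IdP/SCIM client names it


class UserStore:
    """In-memory user table with a server-controlled ID sequence."""

    def __init__(self) -> None:
        self.by_id: Dict[int, User] = {}
        self._next_id = 1

    def create(self, login: str, is_admin: bool = False,
               external_id: Optional[str] = None) -> User:
        user = User(self._next_id, login, is_admin, external_id)
        self.by_id[user.id] = user
        self._next_id += 1
        return user

    def find_by_external_id(self, external_id: str) -> Optional[User]:
        return next((u for u in self.by_id.values()
                     if u.external_id == external_id), None)


def provision_vulnerable(store: UserStore, scim_user: dict) -> User:
    """VULNERABLE pattern: a numeric externalId is reused as the internal ID.

    A client that can provision users can therefore choose *which* existing
    account its IdP identity gets bound to.
    """
    ext = scim_user.get("externalId") or ""
    if ext.isdigit() and int(ext) in store.by_id:
        target = store.by_id[int(ext)]   # collides with an existing account
        target.external_id = ext         # ... and binds the IdP identity to it
        return target
    return store.create(scim_user["userName"], external_id=ext or None)


def provision_hardened(store: UserStore, scim_user: dict) -> User:
    """Fixed pattern: externalId is opaque and only ever matched to externalId.

    Internal IDs are never derived from client input, so re-provisioning is
    idempotent and cannot land on a pre-existing local account.
    """
    ext = scim_user.get("externalId")
    if ext is not None:
        existing = store.find_by_external_id(ext)
        if existing is not None:
            return existing
    return store.create(scim_user["userName"], external_id=ext)


def resolve_sso_login(store: UserStore, external_id: str) -> Optional[User]:
    """Which local account the server trusts for a given IdP identity at login."""
    return store.find_by_external_id(external_id)


def demo() -> Dict[str, Tuple[str, bool]]:
    """Run both handlers against the same constructed payload and report who
    the attacker's IdP identity logs in as under each."""
    outcome = {}
    for name, provision in (("vulnerable", provision_vulnerable),
                            ("hardened", provision_hardened)):
        store = UserStore()
        store.create("admin", is_admin=True)  # internal ID 1 (assumed layout)
        # Constructed malicious SCIM payload: externalId chosen to equal
        # the admin account's internal ID.
        payload = {"userName": "mallory@example.test", "externalId": "1"}
        provision(store, payload)
        who = resolve_sso_login(store, "1")
        outcome[name] = (who.login, who.is_admin)
    return outcome


if __name__ == "__main__":
    print(demo())
```

Under the vulnerable handler the attacker's identity resolves to the admin account; under the hardened one it resolves to a freshly created, unprivileged user. The practical check that follows from the model is the one the advisory summary already implies: a SCIM client with provisioning rights is a trusted party, so audit which clients hold those credentials while you roll out the patched versions.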
2025-11-21 15:41:35 bleepingcomputer CYBERCRIME UK Teens Plead Not Guilty in Transport for London Cyberattack
Two British teenagers, linked to the Scattered Spider group, have pleaded not guilty to charges related to a cyberattack on Transport for London (TfL) in August 2024. The attack, which disrupted TfL's online services and internal systems, initially appeared to spare customer data but later confirmed exposure of personal information. The breach resulted in millions of pounds in damage, impacting TfL's operations, including its ability to process refunds for affected customers. The defendants face charges of computer misuse and fraud, with allegations of causing or risking serious damage to human welfare. Beyond the TfL incident, one defendant is accused of conspiring to attack U.S. healthcare networks, while the other faces charges of withholding passwords from authorities. The U.S. Department of Justice has charged one of the teenagers with conspiracy, money laundering, and wire fraud in connection with over 120 network breaches. The Scattered Spider group has been linked to ransom payments exceeding $115 million, targeting critical infrastructure and major retailers in the UK and U.S. The case highlights the growing threat from cybercriminals in English-speaking countries, as noted by the UK National Crime Agency.
2025-11-21 15:04:57 bleepingcomputer MALWARE Avast Launches Free AI-Driven Scam Defense to Combat Rising Threats
Avast has introduced Scam Guardian, a free AI-powered tool integrated into its Avast Free Antivirus, aimed at enhancing scam protection globally. Cybercriminals are increasingly using AI to create sophisticated scams, making it crucial for users to have advanced protective measures. Scam Guardian Pro, an enhanced version, is available through Avast Premium Security, offering additional layers of protection against email scams. The Q1/2025 Gen Threat Report indicates a 186% surge in breached records, exposing sensitive personal information to potential exploitation. Phishing scams have increased by 466% in the first quarter of 2025, now constituting nearly a third of all scam reports. Scam Guardian uses AI trained on Gen Threat Labs data to detect malicious URLs and analyze context and language for deceptive intent. The tool also identifies hidden threats in website code, neutralizing them to ensure safer online browsing and shopping experiences.
2025-11-21 14:04:09 theregister CYBERCRIME U.S. Charges Four in Nvidia AI Chip Smuggling Scheme to China
U.S. authorities have charged four individuals for allegedly smuggling restricted Nvidia AI chips into China, bypassing export controls through shell companies and falsified documentation. The defendants, based in Florida, Alabama, and California, are accused of using front companies and covert routes via Malaysia and Thailand to export the GPUs. The operation reportedly involved at least four export attempts, with two successful shipments moving 400 Nvidia A100 GPUs to China between October 2024 and January 2025. Law enforcement disrupted two further attempts, including a shipment of ten HPE supercomputers and 50 Nvidia H200 GPUs, preventing additional unauthorized exports. The defendants allegedly received over $3.89 million in wire transfers from China to finance the illegal exports, without obtaining the necessary export licenses. The Department of Justice aims to dismantle black-market channels for advanced U.S. AI technology, emphasizing accountability for those involved in such illicit trade. This case is part of a broader initiative to enforce export controls, following revelations of significant unauthorized transfers of Nvidia technology to China. The defendants face multiple charges, including conspiracy and export-control violations, with potential sentences of up to 20 years in prison if convicted.
2025-11-21 13:19:01 theregister CYBERCRIME UK Crime Agency Disrupts Russian-Linked Cyber Laundering Network
The UK's National Crime Agency (NCA) dismantled a Russian-linked network using a Kyrgyzstan bank to launder cybercrime profits and support Moscow's war economy. Operation Destabilise traced illicit cash flows through 28 UK towns, converting proceeds from drugs and firearms into cryptocurrency for cross-border transfers. The network acquired a controlling stake in Keremet Bank, facilitating payments for Promsvyazbank, a Russian state-owned lender tied to military financing. Key figures in the laundering operation, including leaders of the Smart and TGR networks, have been sanctioned by the US Treasury and face legal actions. Intelligence led to the seizure of over $24 million overseas and £25 million in the UK, disrupting the network's financial operations significantly. The NCA's crackdown has increased laundering costs in London, with over 120 arrests and enhanced international cooperation from agencies like the FBI and DEA. The operation underscores the complex links between street-level crime, organized cybercriminals, and state-sponsored activities, posing ongoing challenges to global financial integrity.
2025-11-21 13:02:35 thehackernews VULNERABILITIES Google Enhances Quick Share Security with Rust and AirDrop Compatibility
Google has updated Quick Share for Pixel 10 devices, enabling cross-platform file sharing with Apple's AirDrop, enhancing interoperability between Android and Apple devices. The enhancement requires iPhone users to adjust discoverability settings for file transfers, while Android users must modify Quick Share visibility or be in Receive mode. Quick Share's security is bolstered by Rust, a memory-safe programming language, reducing memory safety vulnerabilities and enhancing resilience against attacks. An independent assessment by NetSPI confirmed the security of Google's implementation, noting it is stronger and does not leak information, unlike other manufacturers' versions. A low-severity vulnerability was identified, allowing potential access to image thumbnails and SHA256 hashes, but Google has addressed this issue. Google is piloting features in India to combat app-related financial fraud, including alerts for screen sharing during calls, enhancing user protection. The company is also developing Enhanced Phone Number Verification (ePNV) to replace SMS OTP with SIM-based verification, aiming to improve sign-in security on Android devices.
2025-11-21 11:04:00 thehackernews MISCELLANEOUS Samsung Knox Suite Enhances Mobile Security for Enterprises
Samsung Galaxy devices incorporate Samsung Knox at the manufacturing stage, providing a robust security foundation that integrates seamlessly with existing enterprise security infrastructures. The Knox Suite supports Zero Trust principles, enforcing strict access controls to mitigate mobile threats without complicating device management for IT teams. IT administrators gain enhanced security, deeper insights, and improved control over devices, all while maintaining existing workflows and minimizing operational disruptions. Knox Suite is compatible with most enterprise mobility management (EMM) tools, amplifying their capabilities and ensuring comprehensive device security and management. By leveraging Samsung's Knox Suite, enterprises can enhance their mobility strategies, protecting sensitive data and maintaining productivity without additional complexity. Samsung's approach positions it as a trusted partner for IT teams, offering a balanced solution that addresses both current security challenges and future threats. The integration of Knox Suite into Samsung devices allows enterprises to confidently embrace mobile technology while safeguarding critical data and maintaining their reputation.
2025-11-21 10:46:39 thehackernews NATION STATE ACTIVITY APT24's BADAUDIO Malware Campaign Targets Taiwan and Over 1,000 Domains
APT24, linked to China, has deployed BADAUDIO malware in a prolonged espionage campaign affecting over 1,000 domains, primarily targeting Taiwan's digital infrastructure. The campaign, active since November 2022, uses sophisticated methods including watering holes, supply chain compromises, and spear-phishing to infiltrate networks. BADAUDIO, a C++ malware, employs control flow flattening for obfuscation and acts as a downloader for AES-encrypted payloads from hard-coded command and control servers. Recent tactics involve injecting malicious JavaScript into a widely used library, compromising a regional digital marketing firm to hijack over 1,000 domains. The malware leverages DLL Search Order Hijacking for execution, using encrypted archives containing DLLs, VBS, BAT, and LNK files to evade detection. APT24's campaign includes targeted phishing attacks using social engineering tactics, such as animal rescue lures, to deliver malware via cloud services like Google Drive and OneDrive. The operation demonstrates APT24's advanced capabilities in persistent espionage and adaptive attack strategies, presenting significant risks to targeted sectors.
2025-11-21 09:24:58 theregister VULNERABILITIES ZTE Unveils ZXCSec MAF to Secure Large AI Models
ZTE introduced the ZXCSec MAF security solution, designed to protect large AI models from various security threats at MWC Shanghai 2025. The solution addresses critical vulnerabilities such as adversarial threats, data leakage, API abuse, and content risks affecting large-model applications. ZXCSec MAF employs a multi-layered framework to secure model, data, application, and content domains, enhancing overall system integrity. It supports both ZTE's Nebula models and third-party models like Llama, Qwen, and DeepSeek, ensuring broad applicability across industries. By mitigating risks associated with AI deployment, ZXCSec MAF enhances operational efficiency and safeguards AI systems in production environments. The launch underscores ZTE's commitment to developing technologies that tackle real-world security challenges faced by enterprises globally.
2025-11-21 08:11:56 thehackernews DATA BREACH SEC Dismisses SolarWinds Case Amid Cybersecurity Allegations
The SEC has dropped its lawsuit against SolarWinds and its CISO, Timothy G. Brown, regarding allegations of misleading investors about cybersecurity practices linked to the 2020 supply chain attack. The joint motion for dismissal was filed on November 20, 2025, with the SEC clarifying that this decision does not indicate its stance on other cases. Initially accused in October 2023, SolarWinds faced claims of fraud and internal control failures, including overstating cybersecurity measures and ignoring known risks. The 2020 supply chain attack, attributed to Russian APT29, revealed significant vulnerabilities in SolarWinds' cybersecurity framework, affecting numerous organizations globally. In July 2024, the U.S. District Court for the Southern District of New York dismissed several allegations, citing lack of actionable deficiencies and reliance on hindsight. The SEC has also charged other companies, including Avaya and Check Point, for misleading disclosures related to the SolarWinds incident. SolarWinds CEO Sudhakar Ramakrishna stated that the resolution marks a significant turning point, with the company now more secure and better prepared for future challenges.
2025-11-21 06:30:10 bleepingcomputer DATA BREACH Italian Rail Group's Data Breach Exposes 2.3TB of Sensitive Information
A hacker breached Almaviva, an IT services provider for FS Italiane Group, leaking 2.3 terabytes of sensitive data on a dark web forum. The compromised data includes confidential documents, technical documentation, HR archives, and contracts, indicating significant exposure of internal operations. Almaviva, a global IT services firm with a $1.4 billion turnover, confirmed the breach and activated security protocols to mitigate further risks. FS Italiane Group, a state-owned entity with $18 billion in annual revenue, is among the affected, though the full impact on passenger data remains unclear. The incident is under investigation by Italian authorities, including the national cybersecurity agency, with Almaviva pledging transparency in updates. The breach's structure aligns with tactics used by ransomware groups, emphasizing the need for robust cybersecurity measures in critical infrastructure sectors. The situation highlights vulnerabilities in third-party IT service providers, urging businesses to reassess their cybersecurity strategies and vendor management practices.
2025-11-21 05:38:10 thehackernews DATA BREACH Salesforce Investigates Unauthorized Data Access via Gainsight OAuth Activity
Salesforce detected unusual activity involving Gainsight-published applications that may have allowed unauthorized access to some customers' Salesforce data through the apps' OAuth connections. In response, Salesforce revoked all active access and refresh tokens associated with the Gainsight apps and temporarily removed them from the AppExchange. The issue appears unrelated to any vulnerability in the Salesforce platform itself; it concerns the external app connections. Gainsight apps have also been pulled from the HubSpot Marketplace as a precaution, although no suspicious activity has been observed there. The ShinyHunters group is believed to be behind the campaign, which follows its similar abuse of Salesloft Drift OAuth integrations. Nearly 1,000 organizations reportedly had data accessed, including business contact details and product licensing information. Organizations are advised to audit the third-party apps connected to their Salesforce instances, revoke unused tokens, and rotate credentials if anomalies are found.
2025-11-21 04:02:56 theregister VULNERABILITIES Google Integrates Quick Share with AirDrop, Raises Security Concerns
Google has enabled file sharing between Android's Quick Share and Apple's AirDrop, initially limited to its Pixel 10 smartphones, aiming to enhance cross-platform connectivity. This integration allows Android users to share files with iOS devices, requiring iOS users to activate the "Everyone for 10 minutes" mode, potentially exposing them to unsolicited file transfers. Security experts express concerns over the possibility of malicious files being sent during this open sharing window, posing risks to users. Google has implemented the feature using Rust, a programming language known for reducing memory-safety vulnerabilities, and engaged independent security experts for assessment. Despite Google's security measures, businesses remain cautious, often using mobile device management tools to disable such features due to potential security threats. The initiative underscores the ongoing challenge of balancing user convenience with security, especially in cross-platform environments. Apple's non-involvement in this integration reflects its history of prioritizing user privacy, as seen in past decisions that impacted third-party data tracking.
2025-11-20 23:23:39 theregister MISCELLANEOUS SEC Drops Lawsuit Against SolarWinds and CISO After SUNBURST Attack
The SEC has decided to dismiss its lawsuit against SolarWinds and its Chief Information Security Officer, relating to alleged misleading of investors about security practices. The lawsuit stemmed from the 2020 SUNBURST attack, where Russian hackers compromised SolarWinds' Orion software, affecting major corporations and U.S. government departments. SolarWinds expressed satisfaction with the SEC's decision, viewing it as a vindication of their security team's actions during the incident. The SEC clarified that the dismissal is discretionary and does not set a precedent for other cases, maintaining flexibility for future actions. The SUNBURST attack led SolarWinds to implement its "Secure by Design" initiative, aiming to enhance software security industry-wide. The case has been a focal point for CISOs concerned about regulatory pressures and potential impacts on their roles following cyber incidents. A judge had previously dismissed most of the SEC's allegations, potentially influencing the decision to drop the case entirely.