Daily Brief

2026-01-27 19:55:23 theregister DATA BREACH ShinyHunters Claims Major Data Breaches at Panera, CarMax, and Edmunds
Cybercriminal group ShinyHunters alleges theft of over 14 million records from Panera Bread, including personal data such as names, emails, and account details. CarMax and Edmunds were also reportedly breached, with ShinyHunters claiming access to millions of records, including PII and corporate data, via earlier intrusions. The group exploited Microsoft Entra SSO vulnerabilities to access Panera's systems, while CarMax and Edmunds breaches were linked to previous Salesforce compromises. ShinyHunters' tactics involve voice-phishing campaigns to steal single-sign-on codes, bypassing multi-factor authentication through social engineering techniques. Recent warnings from Okta indicate a surge in cybercriminals targeting SSO credentials from major providers like Microsoft and Google. Silent Push researchers have identified approximately 100 organizations targeted by ShinyHunters' credential-stealing efforts in the past month. Companies affected by these breaches have yet to publicly respond, raising concerns about data security and the effectiveness of current protective measures. Mandiant Consulting is actively tracking this ongoing campaign, emphasizing the need for enhanced vigilance against sophisticated phishing attacks.
2026-01-27 19:42:00 bleepingcomputer VULNERABILITIES WinRAR Vulnerability Exploited by State-Sponsored and Criminal Actors
The CVE-2025-8088 vulnerability in WinRAR is being exploited by both state-sponsored and financially motivated threat actors for initial access and malware delivery. The flaw is a path traversal that abuses NTFS Alternate Data Streams (ADS) to write files to arbitrary locations, including the Windows Startup folder. ESET researchers discovered the vulnerability and traced exploitation back to July 18, 2025; Google Threat Intelligence Group has since reported ongoing activity. The exploit chain embeds malicious payloads in the ADS of decoy files, typically resulting in execution of LNK, HTA, BAT, CMD, or script files at user login. State-sponsored actors and cybercriminals have been observed using this flaw to distribute remote access tools and information stealers such as XWorm and AsyncRAT. Exploits are reportedly sourced from specialized suppliers, such as "zeroplayer," who markets high-value exploits, indicating a thriving market for such vulnerabilities. This trend underscores the commoditization of exploit development, enabling attackers to efficiently target unpatched systems and reducing the complexity of cyberattacks.
2026-01-27 17:00:33 thehackernews MISCELLANEOUS WhatsApp Introduces Enhanced Security Mode to Shield Vulnerable Users
Meta announced a new security feature, Strict Account Settings, for WhatsApp, targeting individuals at risk of advanced cyber attacks, such as journalists and public figures. This mode restricts account settings, blocks unknown attachments, and silences calls from unfamiliar contacts, enhancing user protection against sophisticated spyware. The feature mirrors security measures like Apple's Lockdown Mode and Android's Advanced Protection, focusing on trading some app functionality for heightened security. Users can activate this feature through the app's Privacy settings, with a gradual rollout planned over the coming weeks to ensure broad accessibility. In addition to the new security mode, WhatsApp is adopting Rust programming language for its media sharing, marking a significant global deployment to improve memory safety. The Rust-based library, "wamedia," aims to secure media sharing across devices, supporting WhatsApp's defense-in-depth strategy against potential spyware threats. Meta's multi-faceted approach includes implementing safer buffer handling and hardened memory allocators, reinforcing its commitment to user security and data protection.
2026-01-27 16:50:23 thehackernews NATION STATE ACTIVITY Pakistan-Linked Cyber Campaigns Target Indian Government Entities
Zscaler ThreatLabz identified two cyber campaigns, Gopher Strike and Sheet Attack, targeting Indian government entities, potentially linked to a new Pakistan-based threat actor subgroup. Sheet Attack utilizes legitimate services like Google Sheets and Firebase for command-and-control operations, complicating detection and attribution efforts. Gopher Strike employs phishing emails to deliver malicious PDF documents, tricking users into downloading a harmful ISO image disguised as an Adobe Acrobat Reader update. The ISO image contains a Golang-based downloader, GOGITTER, which establishes persistence and communicates with command servers every 30 seconds. GOGITTER's attack chain includes downloading a ZIP file from a private GitHub repository, signaling infection via HTTP GET requests to a specific domain. The campaign uses a lightweight backdoor, GITSHELLPAD, which interacts with GitHub repositories to execute commands and upload results, ensuring covert communication. Attackers deploy additional tools post-compromise, including GOSHELL, a loader for Cobalt Strike Beacon, employing tactics to evade antivirus detection. These campaigns highlight the evolving sophistication of state-linked cyber threats and the importance of robust defenses against advanced persistent threats.
2026-01-27 16:50:23 bleepingcomputer DATA BREACH Nike Investigates Data Breach Amidst Ransomware Extortion Claims
Nike is probing a potential data breach after the World Leaks ransomware group claimed to have stolen 1.4 TB of corporate data. The extortion group added Nike to its dark web leak site, alleging theft of nearly 190,000 files detailing business operations. World Leaks removed Nike from its site, hinting at possible negotiations or ransom payment, though Nike has not confirmed any ransom activity. World Leaks, a rebrand of Hunters International, shifted from file encryption to data theft and extortion-only attacks in early 2025. The group has been linked to breaches involving major organizations, including the U.S. Marshals Service and Tata Technologies. Nike's response emphasizes its commitment to consumer privacy and data security as it actively assesses the situation. The incident underscores the evolving tactics of ransomware groups, focusing on data theft over encryption due to profitability concerns.
2026-01-27 16:39:12 bleepingcomputer VULNERABILITIES Critical Sandbox Escape Vulnerability Found in vm2 NodeJS Library
A critical vulnerability, CVE-2026-22709, in the vm2 Node.js library allows attackers to escape the sandbox and execute arbitrary code on host systems. The vm2 library, widely used in over 200,000 GitHub projects, provides a secure context for executing untrusted JavaScript code. The vulnerability arises from improper sanitization of Promises, enabling attackers to bypass security measures and escape the isolated environment. The vm2 project was initially discontinued due to repeated vulnerabilities but was revived with version 3.10.0, addressing known issues at the time. Users are urged to upgrade to the latest vm2 version, 3.10.3, which fixes all disclosed vulnerabilities, including CVE-2026-22709. Previous critical sandbox escape flaws in vm2 have been exploited, emphasizing the importance of timely updates and patch management. The ongoing popularity of vm2, with approximately one million downloads weekly, highlights the critical need for secure handling of untrusted code execution.
2026-01-27 16:32:33 bleepingcomputer CYBERCRIME U.S. Indicts 31 in ATM Malware Scheme Linked to Tren de Aragua
A Nebraska federal grand jury charged 31 suspects in connection with ATM jackpotting, using Ploutus malware, linked to the Venezuelan gang Tren de Aragua. This indictment follows previous charges against 54 individuals for related offenses, including bank fraud and money laundering, highlighting a broad criminal operation. The gang, designated as a Foreign Terrorist Organization, allegedly used sophisticated malware to compromise ATMs, facilitating large-scale cash theft across the U.S. Suspects reportedly accessed ATM internals to install malware, enabling them to erase evidence and force machines to dispense cash until depleted. The Justice Department has charged a total of 87 members from the gang over six months, with potential sentences ranging from 20 to 335 years. The operation's impact extends beyond financial losses, as it also funds the gang's broader criminal and terrorist activities. The case underscores the need for enhanced ATM security measures and international cooperation in combating transnational cybercrime.
2026-01-27 15:52:40 theregister NATION STATE ACTIVITY Chinese Hackers Allegedly Spied on UK Government Aides' Phones for Years
Chinese-linked group Salt Typhoon reportedly accessed phones of senior UK government aides since 2021, targeting communications at the heart of Downing Street. The espionage campaign is believed to have compromised devices of aides to former prime ministers Boris Johnson, Liz Truss, and Rishi Sunak. Attackers exploited telecom networks to gather metadata and potentially access texts and calls, creating comprehensive profiles of communication patterns. The breaches were uncovered in 2024, following US disclosures of Chinese intrusions into global telecommunications, raising significant security concerns. MI5 issued an espionage alert in November, yet details on the full scope and impact of the breaches remain undisclosed. The allegations emerge as UK Prime Minister Keir Starmer prepares for a visit to China, amid criticism of the UK’s diplomatic stance on Beijing. China's foreign ministry has dismissed the allegations, accusing Western nations of politicizing cybersecurity issues. The situation underscores the challenges in detecting and eradicating deeply embedded state-sponsored cyber threats within critical infrastructure.
2026-01-27 15:02:13 bleepingcomputer CYBERCRIME Evolving Ransomware Tactics Demand New Defensive Strategies in 2025
Ransomware has shifted from simple file encryption to complex extortion campaigns, leveraging data exposure, legal threats, and psychological pressure on a large scale. Fragmentation in the ransomware ecosystem post-2024 takedowns has led to decentralized operations, complicating attribution and disruption while maintaining severe impacts on victims. Modern ransomware tactics include identity abuse and social engineering, with groups like Cl0p exploiting supply chains to exfiltrate data without encryption. Smaller businesses in high-regulation regions are increasingly targeted due to their vulnerability to reputational and legal consequences, amplifying the impact of data leaks. Psychological tactics in ransom notes, such as artificial time pressure and reputational threats, are designed to induce panic and compel swift payment. Security teams must integrate legal, communications, and threat intelligence into incident response plans to effectively mitigate reputational and regulatory risks. Proactive defense now requires continuous monitoring for data exposure, prioritization of vulnerability management, and targeted audits of misconfigurations exploited by ransomware groups.
2026-01-27 14:41:59 thehackernews MALWARE New ClickFix Campaign Uses Fake CAPTCHAs to Spread Amatera Stealer
Cybersecurity researchers have identified a new campaign utilizing ClickFix-style fake CAPTCHAs and Microsoft scripts to distribute the Amatera information stealer. The attack begins with a fake CAPTCHA prompt, tricking users into executing a malicious command via the Windows Run dialog. Instead of directly invoking PowerShell, the attack uses a signed Microsoft App-V script, "SyncAppvPublishingServer.vbs," to proxy execution, evading detection. The campaign targets enterprise systems, leveraging App-V scripts available only on Windows Enterprise and Education editions. Attackers use trusted third-party services like Google Calendar to externalize configuration, allowing rapid infrastructure changes without redeploying earlier stages. The campaign's complexity lies in its multi-stage execution, using legitimate user actions and trusted system tools to avoid detection. ClickFix has evolved with variants like JackFix and CrashFix, increasingly targeting social media content creators and businesses for account takeover. The campaign's sophisticated use of legitimate services and tools poses significant challenges for traditional endpoint defenses and requires advanced detection strategies.
2026-01-27 14:11:07 bleepingcomputer VULNERABILITIES Critical Vulnerability in SmarterMail Exposes Thousands to Hijacking Attacks
Over 6,000 SmarterMail servers are exposed online, vulnerable to a critical authentication bypass flaw, CVE-2026-23760, allowing attackers to hijack admin accounts and execute remote code. The vulnerability, discovered by watchTowr and fixed by SmarterTools on January 15, was added to the NIST database, highlighting its critical severity due to the potential for full administrative compromise. Shadowserver and other researchers identified thousands of servers, primarily in North America and Asia, at risk of exploitation, with automated attacks already reported in the wild. CISA has mandated U.S. government agencies to secure vulnerable servers by February 16, emphasizing the significant risk posed to federal enterprises by such vulnerabilities. The flaw involves an authentication bypass in the password reset API, permitting anonymous requests to reset admin accounts without verification, leading to potential server control. Cybersecurity firms have provided proof-of-concept exploits, stressing the urgency for organizations to apply patches and mitigate risks immediately. This incident underscores the necessity for robust patch management and proactive vulnerability assessments to protect critical infrastructure from emerging threats.
2026-01-27 13:14:53 theregister MISCELLANEOUS France Launches Sovereign Videoconferencing Tool to Ensure Data Sovereignty
France has announced the replacement of US videoconferencing tools with a state-developed platform, Visio, to enhance digital sovereignty and data security. The initiative aims to eliminate reliance on foreign platforms like Zoom and Teams, reducing exposure to overseas infrastructure and legal systems. Developed by the Interministerial Directorate for Digital Affairs, Visio is set to become the exclusive video meeting tool for public servants by 2027. Visio has undergone testing by tens of thousands of civil servants and is being scaled for broader use across various government ministries and agencies. The transition is expected to save approximately €1 million annually in license fees by migrating 100,000 users from commercial platforms. Visio promises enhanced security by operating on French-controlled infrastructure and adhering to EU data protection regulations. Despite the strategic move, the platform's name, Visio, may cause confusion with Microsoft's existing software, highlighting potential branding challenges.
2026-01-27 12:27:57 theregister DATA BREACH Austrian Authority Rules Microsoft Illegally Tracked Schoolchildren's Data
The Austrian Data Protection Authority (DSB) ruled that Microsoft unlawfully installed tracking cookies on schoolchildren's devices using Microsoft 365 Education without consent. The ruling followed a complaint by the privacy advocacy group None of Your Business (noyb), which highlighted Microsoft's non-compliance with GDPR transparency requirements. The tracking cookies were used to analyze user behavior, collect browser data, and serve advertising, raising significant privacy concerns. Both the Austrian Ministry of Education and the affected school were unaware of the tracking until noyb's intervention. Microsoft has been given a four-week deadline to cease tracking activities on the complainant's devices and comply with the DSB's directives. The case originates from the COVID-19 pandemic era when schools rapidly adopted digital learning platforms like Microsoft 365 Education. This ruling emphasizes the importance of transparency and compliance with data protection laws, particularly concerning minors.
2026-01-27 12:27:57 bleepingcomputer DATA BREACH SoundCloud Data Breach Exposes Nearly 30 Million User Accounts
SoundCloud confirmed a data breach affecting 29.8 million user accounts, exposing email addresses and publicly available profile data. The breach involved unauthorized access to an ancillary service dashboard, leading to data mapping of email addresses to public profiles. SoundCloud activated incident response protocols upon detecting the breach, confirming no sensitive financial or password data was compromised. The ShinyHunters extortion group claimed responsibility, employing email flooding tactics to pressure SoundCloud and its stakeholders. SoundCloud's security notice corroborated reports that the breach impacted approximately 20% of its users, with attempts to extort the company. The breach highlights the ongoing threat of extortion-focused cybercrime, emphasizing the need for robust incident response and communication strategies. ShinyHunters' recent activities also include voice phishing attacks on major corporate platforms, posing broader security risks to SaaS environments.
2026-01-27 11:53:30 thehackernews VULNERABILITIES Continuous Threat Exposure Management Enhances Cybersecurity Posture
Continuous Threat Exposure Management (CTEM) integrates threat and vulnerability management, focusing on exploitable exposures to enhance security posture effectively. CTEM emphasizes a continuous cycle of identifying, prioritizing, and remediating exposures, moving beyond isolated threat and vulnerability assessments. The approach unifies various cybersecurity processes, including vulnerability assessment, attack surface management, and simulation, to address real, exploitable risks. Threat intelligence plays a crucial role in CTEM by connecting vulnerabilities to adversary tactics, techniques, and procedures, enabling organizations to prioritize remediation efforts. CTEM requires strategic implementation across security teams, breaking down silos and improving workflows, rather than relying on a single tool or technology. Validation through testing, breach simulations, and exercises is essential to ensure security controls are effective against probable attack paths and vulnerabilities. Effective CTEM answers critical security questions with evidence, focusing on what can harm the organization, how it could occur, and whether it can be prevented.