Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11621
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-11-17 21:34:49 | theregister | DATA BREACH | GAO Report Exposes DoD Vulnerabilities via Social Media Leaks | The Government Accountability Office (GAO) identified significant lapses in the Department of Defense's (DoD) training and guidance on preventing sensitive information leaks through social media channels. Auditors acting as threat actors discovered exploitable data from military personnel and their families online, posing risks to operational security and personal safety. Public social media posts and official press releases were found to inadvertently disclose sensitive details, potentially endangering military operations and personnel. The GAO's investigation revealed that 10 DoD components lacked comprehensive training and threat assessment protocols, particularly in areas beyond traditional operational security. The GAO issued 12 recommendations to the DoD, which agreed to implement all but one, citing limitations in controlling the personal digital activities of personnel and their families. The report underscores the need for improved digital awareness and training to mitigate risks posed by the digital footprints of service members and their families. The DoD's partial acceptance of the recommendations highlights ongoing challenges in balancing operational security with personal freedoms in the digital age. | Details |
| 2025-11-17 21:17:16 | bleepingcomputer | DATA BREACH | Eurofiber France Data Breach Exposes Sensitive Customer Information | Eurofiber France reported a data breach affecting its ticket management system, where hackers exploited a vulnerability to access and exfiltrate sensitive information. The breach impacts the French division of Eurofiber Group, including its cloud division and regional sub-brands, but does not affect critical data or the broader Eurofiber network. The company quickly enhanced security measures, patched the vulnerability, and implemented additional protections to prevent further data leaks. A threat actor, 'ByteToBreach', claims to have stolen data from 10,000 businesses and government entities, including VPN configurations and SQL backup files. Eurofiber France has notified relevant authorities, including CNIL and ANSSI, and filed a report for extortion as the threat actor demands payment to avoid data exposure. The incident follows previous breaches in the French telecommunications sector, indicating a persistent threat landscape for service providers. Eurofiber France is in the process of notifying affected customers, though specific details on the types of data stolen remain undisclosed. | Details |
| 2025-11-17 19:53:25 | theregister | DATA BREACH | Coinbase Faces Scrutiny Over Delayed Disclosure of Data Breach | Security researcher Jonathan Clark claims Coinbase was aware of a December 2024 breach months before its official disclosure in May 2025. Clark reported the breach to Coinbase on January 7, 2025, after scammers attempted to defraud him using detailed personal information. The breach involved unauthorized access to nearly 70,000 customers' private and financial data, including Social Security numbers and transaction history. Despite an initial acknowledgment from Coinbase's Head of Trust and Safety, Clark received no further communication after multiple follow-ups. Coinbase disclosed the breach to the SEC in May, stating the attack occurred on December 26, 2024, and was discovered on May 11, 2025. The attackers also attempted to extort Coinbase for $20 million, raising concerns about the company's incident response and communication practices. This incident underscores the critical importance of timely breach disclosures and robust communication with affected parties to maintain trust. | Details |
| 2025-11-17 19:45:40 | bleepingcomputer | DATA BREACH | Princeton University Data Breach Exposes Alumni and Donor Information | Princeton University experienced a data breach on November 10, impacting alumni, donors, faculty, and students' personal information stored in a fundraising database. Threat actors accessed the database through a phishing attack targeting a university employee, compromising names, emails, and addresses. The compromised database did not include sensitive financial information, Social Security numbers, or detailed student records protected by privacy laws. University officials have blocked the attackers' access and confirmed no further systems were compromised. Affected individuals are advised to verify any communication from the university before sharing sensitive information to avoid potential phishing scams. The incident follows a similar breach at the University of Pennsylvania, though Princeton reports no evidence linking the two events. The breach underscores the importance of robust phishing defenses and employee awareness training to protect sensitive institutional data. | Details |
| 2025-11-17 19:21:47 | bleepingcomputer | CYBERCRIME | Dutch Police Disrupt Major Bulletproof Hosting Service Operation | Dutch authorities seized 250 servers from a bulletproof hosting service, used by cybercriminals for anonymity since 2022, impacting over 80 cybercrime investigations globally. The hosting service facilitated ransomware, botnet and phishing activity as well as the distribution of child abuse content, exploiting its no-KYC and no-logs policies. The operation, part of "Operation Endgame," also targeted malware like Rhadamanthys, VenomRAT, and Elysium, with no arrests announced yet. Thousands of virtual servers were taken offline, disrupting services for clients who relied on the provider for anonymous operations. Investigators are conducting forensic analyses on the seized servers to identify the operators and clientele involved in illicit activities. The service, speculated to be CrazyRDP, is now offline, causing concerns among users about potential exit scams and unresolved technical issues. This action underscores the ongoing efforts to dismantle infrastructure supporting cybercriminal activities and enhance global cybersecurity. | Details |
| 2025-11-17 17:29:28 | theregister | CYBERCRIME | U.S. Citizens Plead Guilty in North Korean Identity Fraud Scheme | Four U.S. citizens and a Ukrainian broker admitted to aiding North Korean IT workers in securing fraudulent employment with American companies. The scheme involved selling identities, leading to unauthorized access to jobs and salaries at over 64 U.S. companies. Participants facilitated remote work setups, allowing North Korean operatives to appear as U.S.-based employees, resulting in $1.28 million in salary fraud. A former U.S. Army soldier was among those involved, earning over $51,000, while others earned significantly less. The Department of Justice emphasized the national security implications, as the fraud supports North Korea's financial and intelligence objectives. The FBI urges companies to enhance vetting processes for remote workers to prevent similar fraudulent activities. Okta and CrowdStrike have identified a growing trend of North Korean-linked scams targeting U.S. businesses for financial gain and intellectual property theft. | Details |
| 2025-11-17 17:14:09 | bleepingcomputer | DDOS | Azure Network Withstands Massive 15 Tbps DDoS Assault by Aisuru Botnet | Microsoft Azure faced a significant DDoS attack, reaching 15.72 terabits per second, originating from the Aisuru botnet and utilizing over 500,000 IP addresses. The attack targeted a specific public IP in Australia, employing high-rate UDP floods, and achieved nearly 3.64 billion packets per second. Aisuru is a Turbo Mirai-class IoT botnet, exploiting vulnerabilities in home routers and cameras, primarily affecting residential ISPs globally. Cloudflare linked Aisuru to a previous record-breaking 22.2 Tbps attack, demonstrating the botnet's capability to execute large-scale disruptions. The botnet expanded significantly in April 2025 after breaching a TotoLink router firmware server, infecting around 100,000 additional devices. Cloudflare has taken steps to mitigate the botnet's impact by removing related domains from its rankings to prevent manipulation and maintain trust. The incident underscores the growing threat of IoT-based botnets and the need for robust defenses against increasingly sophisticated DDoS attacks. | Details |
| 2025-11-17 16:54:09 | thehackernews | MALWARE | EVALUSION Campaign Deploys Amatera Stealer and NetSupport RAT | eSentire has identified the EVALUSION campaign, leveraging ClickFix tactics to distribute Amatera Stealer and NetSupport RAT, posing significant risks to data security. Amatera Stealer, an evolution of the ACR Stealer, is available via subscription and targets crypto-wallets, browsers, and messaging applications, among others. The malware employs advanced evasion techniques, including WoW64 SysCalls, to bypass common security measures like sandboxes and anti-virus solutions. Attackers trick users into executing malicious commands through phishing pages, initiating a process that downloads and executes the malware via PowerShell scripts. The payload, the Amatera Stealer DLL, is packed using PureCrypter and injected into the MSBuild.exe process to harvest sensitive data. NetSupport RAT is only downloaded if the victim's machine is part of a domain or contains files of potential value, such as crypto wallets. The campaign is part of a broader trend of phishing attacks using sophisticated obfuscation techniques to evade detection by security tools. | Details |
| 2025-11-17 16:36:22 | bleepingcomputer | VULNERABILITIES | DoorDash Email Spoofing Flaw Sparks Disclosure Dispute with Researcher | A vulnerability in DoorDash's systems allowed unauthorized sending of branded emails, creating a potential phishing channel until recently patched by the company. The flaw was discovered by a security researcher, who reported it could be exploited for social engineering scams using DoorDash's official email templates. The vulnerability involved manipulating the DoorDash for Business platform to send emails with crafted HTML, bypassing spam filters and appearing legitimate. A dispute arose between the researcher and DoorDash over the handling of the disclosure, with accusations of unethical behavior from both parties. Despite the flaw being patched, the researcher claims it remained exploitable for over 15 months, criticizing DoorDash's delayed response. DoorDash asserts the issue was out of scope for its bug bounty program and accuses the researcher of attempting extortion. The incident highlights the challenges in vulnerability disclosure processes and the need for clear communication and ethical standards between researchers and companies. | Details |
| 2025-11-17 15:59:44 | bleepingcomputer | DATA BREACH | Pennsylvania Attorney General Confirms Ransomware-Induced Data Breach | The Pennsylvania Attorney General's Office confirmed a data breach following an August 2025 ransomware attack by the INC Ransom group, affecting personal and medical information. The attack led to significant operational disruptions, taking down the office's website, email accounts, and phone lines, causing widespread impact. Personal data compromised includes names, Social Security numbers, and medical information, as per the Office's investigation. The breach exploited vulnerabilities in Citrix NetScaler appliances, specifically CVE-2025-5777, known as Citrix Bleed 2, affecting public-facing systems. INC Ransom claimed responsibility on its dark web site, alleging theft of 5.7TB of data and potential access to an FBI network. The Pennsylvania OAG chose not to pay the ransom, following a precedent set by previous breaches within the state. This incident marks the third ransomware attack on Pennsylvania state entities, highlighting ongoing cybersecurity challenges. | Details |
| 2025-11-17 15:39:38 | theregister | CYBERCRIME | Europol Targets Extremist Content on Gaming Platforms in Major Sweep | Europol's Internet Referral Unit conducted a large-scale operation on November 13, targeting extremist content across gaming and related platforms. The operation identified thousands of URLs, including 5,408 links to jihadist content and 1,070 promoting violent right-wing extremism. This initiative marks Europol's first significant action focusing on gaming platforms, which are increasingly exploited for radicalization and extremist recruitment. Extremists use gaming spaces for strategic dissemination of propaganda, employing tactics like re-enacting violent scenes in games to attract young audiences. Europol's action forms part of a coordinated "Referral Action Day," involving multiple countries to combat the misuse of digital platforms. The IRU's efforts align with the EU's Radicalisation Awareness Network, which warns of the strategic use of gaming spaces by extremist groups. Gaming platform operators may face increased pressure to collaborate with law enforcement and swiftly address extremist content. This development serves as a caution to parents and young gamers about the evolving risks within gaming environments. | Details |
| 2025-11-17 15:06:13 | theregister | MISCELLANEOUS | Cybersecurity Teams Struggle with Real-World Preparedness Despite Confidence | Immersive's Cyber Workforce Benchmark reveals a gap between confidence and capability, with teams scoring only 22% accuracy in cyber simulations and taking over a day to contain threats. Despite 94% of organizations believing they can effectively handle major incidents, resilience metrics have stagnated since 2023, highlighting a disconnect between perception and actual performance. The report identifies outdated threat scenarios as a key issue, with 60% of training focused on vulnerabilities over two years old, leaving teams unprepared for evolving attacker techniques. Only 41% of organizations involve non-technical roles in simulations, undermining cross-functional communication and collaboration during incidents, despite 90% believing their communication is effective. Organizations frequently use training completion rates as a preparedness measure, which the report criticizes as "false metrics" that obscure real capability gaps. Participation in AI-scenario labs by senior staff has decreased, while non-technical manager involvement has increased, indicating a shift in focus that may impact readiness for novel threats. The report calls for a shift from confidence based on assumptions to evidence-backed readiness, emphasizing continuous improvement across all business levels to ensure true resilience. | Details |
| 2025-11-17 12:47:38 | theregister | DATA BREACH | Eurofiber Cyberattack Compromises French Unit Data, Operational Impact Limited | Eurofiber confirmed a cyberattack on November 13 compromised data from its French operations, affecting internal systems and regional brands like Eurafibre, FullSave, Netiwan, and Avelia. The attack exploited a vulnerability in Eurofiber's ticket management platform, which has since been patched; no banking or critical data was compromised. Although the attack had a limited business impact, some systems used by indirect sales and wholesale partners were operationally affected. Eurofiber's customer-facing services remained fully operational during the incident, and enhanced security measures were promptly implemented. The company reported the incident to French cybersecurity agencies CNIL and ANSSI, indicating an extortion-related attack, but did not confirm whether a ransom was paid. Eurofiber's response included notifying affected customers and collaborating with cybersecurity experts to manage the incident's impact. This incident is part of a broader trend of cyberattacks on B2B telcos, with recent attacks also affecting companies like Colt and ICUK. | Details |
| 2025-11-17 12:39:18 | thehackernews | VULNERABILITIES | Fortinet FortiWeb Flaw Exploited, Urgent Patch Required by CISA | A vulnerability in Fortinet's FortiWeb WAF, identified as CVE-2025-64446, has been actively exploited since early October 2025, allowing attackers to create malicious administrative accounts. This flaw, with a CVSS score of 9.1, combines path traversal and authentication bypass vulnerabilities, enabling attackers to perform privileged actions without detection. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated Federal Civilian Executive Branch agencies to apply patches by November 21, 2025, to mitigate the risk. The exploitation's origin remains unknown, but the flaw's addition to CISA's Known Exploited Vulnerabilities catalog signals its criticality and widespread threat potential. Organizations using FortiWeb should prioritize patching and review administrative account activity to detect any unauthorized access or changes. This incident emphasizes the importance of timely patch management and continuous monitoring of security advisories to prevent exploitation of known vulnerabilities. | Details |
| 2025-11-17 11:59:17 | theregister | CYBERCRIME | UK Seizes £4.11 Million in Crypto from Twitter Hack Convict | UK prosecutors have seized £4.11 million in cryptocurrency from Joseph James O'Connor, involved in the 2020 Twitter hack targeting high-profile accounts. O'Connor, also known as "PlugwalkJoe," is serving a five-year sentence in the US for conspiracy, wire fraud, and money laundering. The Twitter breach utilized SIM-swapping and social engineering to access accounts of figures like Barack Obama and Bill Gates, netting over $100,000 in Bitcoin. The UK Crown Prosecution Service leveraged civil proceeds-of-crime legislation to seize assets, including Bitcoin and Ethereum, despite O'Connor's conviction occurring abroad. This action underscores the UK's commitment to recovering illicit gains from cybercriminals, regardless of where the crime occurred. O'Connor's activities included accessing private messages and extorting victims, showcasing a broader pattern of cybercriminal behavior. The CPS has recovered nearly £478 million in proceeds-of-crime actions over the past five years, emphasizing its dedication to combating cybercrime. | Details |