Daily Brief
Articles found are listed below, each with a generated summary
Total articles found: 11621
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-11-17 11:59:17 | thehackernews | MISCELLANEOUS | LinkedIn Phishing Attacks Exploit Security Gaps in Corporate Networks | Phishing attacks are increasingly targeting LinkedIn, with one-third of such attacks now occurring outside traditional email channels and affecting enterprises in the financial and technology sectors. Attackers use LinkedIn's messaging system, bypassing traditional email security tools and making detection and prevention harder for security teams. The lack of multi-factor authentication on social media accounts facilitates account takeovers, giving attackers credible platforms from which to launch phishing campaigns. LinkedIn's professional networking environment gives attackers easy access to high-value targets, increasing the effectiveness of spear-phishing. Phishing on LinkedIn can lead to significant breaches, with compromised accounts giving attackers access to core business functions and datasets. Organizations are urged to adopt solutions that detect and block phishing across all communication channels, not just email. The 2023 Okta breach shows how compromise of a personal device can lead to compromise of corporate accounts, underlining the need for robust security measures. |
| 2025-11-17 11:22:35 | thehackernews | MALWARE | Dragon Breath Campaign Uses RONINGLOADER to Deploy Gh0st RAT | Dragon Breath, also known as APT-Q-27, is targeting Chinese-speaking users with a multi-stage malware campaign that uses RONINGLOADER to deploy a modified Gh0st RAT. The campaign uses trojanized NSIS installers disguised as legitimate software such as Google Chrome and Microsoft Teams to start the infection chain. RONINGLOADER employs sophisticated evasion techniques, including tampering with Microsoft Defender and abusing Protected Process Light (PPL) to disable endpoint security tools. The loader attempts to elevate privileges and terminate processes belonging to popular Chinese security products such as Qihoo 360 Total Security and Tencent PC Manager. The final payload, Gh0st RAT, gives remote control of infected systems, including keystroke logging, clipboard monitoring, and command execution via cmd.exe. Parallel campaigns identified by Palo Alto Networks Unit 42 involve large-scale brand impersonation to distribute Gh0st RAT, spanning over 2,000 domains and using complex infection chains. These campaigns combine old and new infrastructure, suggesting ongoing A/B testing of tactics, techniques, and procedures (TTPs) to refine targeting. |
| 2025-11-17 06:04:19 | thehackernews | VULNERABILITIES | Google Reports Significant Drop in Android Memory Safety Flaws with Rust | Google announced that adopting the Rust programming language has reduced the share of Android memory safety vulnerabilities to below 20%, improving both security and efficiency. Rust code shows a 1000x reduction in memory safety vulnerability density compared with Android's existing C and C++ code. The transition to Rust has also improved software delivery: Rust changes see a 4x lower rollback rate and spend 25% less time in code review. Google plans to extend Rust's benefits to other Android components, including the kernel, firmware, and critical apps such as Nearby Presence and Chromium. A memory safety vulnerability (CVE-2025-48530) in unsafe Rust code was patched before public release, which Google cites as evidence of Rust's safety model working in practice. The incident underscores the importance of layered defenses, combining Rust's built-in safety with other mechanisms such as the Scudo allocator. Despite Rust's advantages, Google acknowledges that C and C++ will continue to play a role in Android's development, emphasizing a balanced approach to security. |
| 2025-11-17 01:44:02 | theregister | CYBERCRIME | Cyberattack on Jaguar Land Rover Costs Tata Motors $2.4 Billion | Tata Motors, owner of Jaguar Land Rover, reported a cyberattack that significantly disrupted UK production, with a financial impact of approximately $2.4 billion. The incident led to exceptional costs of $258 million and a revenue decline from $8.5 billion to $6.4 billion year-over-year. Despite the setback, Tata Motors saw sales growth in India, which partially offset the financial damage. CFO Richard Molyneux acknowledged the growing prevalence of such cyber incidents affecting businesses globally and emphasized the need for stronger cybersecurity measures. The attack is a reminder of how exposed manufacturing operations are to cyber threats and of the importance of robust incident response strategies. It underscores the potential for severe operational and financial disruption from cybersecurity breaches and the need for companies to prioritize resilience planning. |
| 2025-11-16 23:10:13 | theregister | DATA BREACH | Logitech and DoorDash Disclose Data Breaches Amid Security Concerns | Logitech reported a zero-day attack that led to data exfiltration affecting both employee and customer information, though sensitive personal data was not compromised. Logitech patched the zero-day vulnerability once the software platform vendor released a fix, responding swiftly to the breach. DoorDash suffered its third data breach, attributed to a social engineering scam targeting an employee, which exposed user information such as names and contact details. DoorDash has found no evidence of fraud or identity theft resulting from the breach but advises customers to remain vigilant against phishing attempts. The repeated breaches at DoorDash raise concerns about the company's security measures and highlight the ongoing threat of social engineering. Both incidents emphasize the need for robust cybersecurity strategies and employee training to mitigate the risks of zero-day vulnerabilities and social engineering attacks. |
| 2025-11-16 15:24:18 | bleepingcomputer | VULNERABILITIES | Google to Flag Android Apps Draining Excessive Battery Power | Google announced plans to flag Android apps on the Play Store that excessively drain battery life, affecting their visibility and user experience. The new policy, effective March 2026, introduces a core metric called "excessive partial wake locks" to monitor app behavior. Apps exceeding a "bad behavior threshold" of 5% of user sessions over 28 days may be flagged, prompting developers to optimize resource usage. The system tracks non-exempt wake locks, focusing on background activity that prevents devices from entering sleep mode, over a 28-day window. Developers are encouraged to minimize unnecessary wake locks and to monitor the behavior of external libraries and SDKs. The initiative aims to improve battery performance and technical quality rather than to target malicious apps such as spyware or adware. Google developed the metric in collaboration with Samsung, signaling a coordinated effort to improve user experience across the Android ecosystem. |
| 2025-11-15 20:45:26 | bleepingcomputer | VULNERABILITIES | Microsoft Investigates Windows 10 KB5068781 Update Installation Failures | Microsoft is investigating a bug that causes the Windows 10 KB5068781 update to fail with error code 0x800f0922 on corporate-licensed devices. The issue affects devices activated via a Windows subscription through the Microsoft 365 Admin Center, disrupting the rollout of the first Windows 10 extended security update. Reports indicate the update initially appears to install but fails after restart and rolls back, disrupting businesses that rely on timely security updates. Microsoft acknowledges the problem but has not provided an estimated timeline for a fix or suggested any workarounds, leaving affected users in a temporary bind. Some corporate environments also report inconsistencies in update notifications, with licensed devices not recognizing that the KB5068781 update is needed. The situation highlights the importance of robust patch management, and BleepingComputer is hosting a webinar on modern patch management solutions. Organizations are encouraged to monitor Microsoft's communications for updates and to prepare for potential disruptions to their patching workflows. |
| 2025-11-15 18:49:20 | bleepingcomputer | MALWARE | Legacy Finger Protocol Exploited in Modern ClickFix Malware Attacks | Cybercriminals are reviving the outdated Finger protocol to execute remote commands on Windows devices as part of ClickFix malware campaigns. The Finger command, originally used to look up user information on Unix and Linux systems, is now abused to deliver malicious scripts. Recent attacks trick users into running commands under the guise of a CAPTCHA verification, leading to malware download and execution. Affected systems run commands that download a disguised zip archive and extract either a Python infostealer or the NetSupport Manager RAT. The malware checks for the presence of analysis tools and exits if any are detected, indicating increasing sophistication. Blocking TCP port 79 is recommended to prevent abuse of the Finger protocol in corporate environments. Awareness and user education are critical, as these attacks depend on human error to get started. |
| 2025-11-15 16:42:40 | thehackernews | VULNERABILITIES | RondoDox Botnet Exploits Critical XWiki Vulnerability for DDoS Attacks | The RondoDox botnet targets unpatched XWiki servers by exploiting CVE-2025-24893, a critical vulnerability with a CVSS score of 9.8 that allows arbitrary code execution. The vulnerability, an eval injection bug, enables remote code execution via the "/bin/get/Main/SolrSearch" endpoint and affects systems not updated to XWiki 15.10.11, 16.4.1, or 16.5.0RC1. VulnCheck observed increased exploitation attempts in November 2025, indicating widespread scanning by multiple threat actors. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply mitigations by November 20, 2025. RondoDox uses the flaw to grow its botnet and launch DDoS attacks over HTTP, UDP, and TCP, while other actors deploy cryptocurrency miners and reverse shells. The situation underscores the importance of timely patching to prevent exploitation and maintain resilience. The rapid adoption of the exploit by multiple threat actors highlights the need for proactive vulnerability management and monitoring. |
| 2025-11-15 15:16:58 | bleepingcomputer | CYBERCRIME | Cyberattack on Jaguar Land Rover Results in $220 Million Loss | Jaguar Land Rover reported that a cyberattack cost it £196 million ($220 million) for the quarter ending September 30, 2025, significantly affecting its financial performance. The attack, claimed by the Scattered Lapsus$ Hunters on Telegram, forced JLR to halt production and send employees home, disrupting operations for weeks. Data theft was confirmed, adding to the company's financial strain and affecting its market position and supplier relationships. The UK Government intervened with a £1.5 billion loan guarantee to stabilize JLR's supply chain and enable a phased production restart by October 8, 2025. JLR's results showed a loss before tax and exceptional items of £485 million for Q2, a stark contrast to previous profits. The Bank of England noted that the incident contributed to weaker-than-expected UK GDP in Q3 2025. Despite the disruption, JLR maintained its planned investment of £18 billion over five years from FY24. The company's operations have now stabilized, with logistics and supplier financing fully restored. |
| 2025-11-15 10:25:07 | thehackernews | CYBERCRIME | U.S. Citizens Plead Guilty in North Korean IT Worker Fraud Scheme | The U.S. Department of Justice announced guilty pleas from five individuals who helped North Korean IT workers evade sanctions and infiltrate 136 U.S. companies. The defendants facilitated the fraudulent use of U.S. identities, allowing the IT workers to obtain jobs and bypass vetting procedures at numerous American firms. The scheme generated over $2.2 million for North Korea, with the funds reportedly supporting the regime's nuclear program. Key figures included Didenko, who managed proxy identities and laptop farms, and Prince, who ran a company supplying "certified" IT workers to U.S. businesses. The FBI also seized over $15 million in cryptocurrency linked to APT38 actors accused of laundering funds through various digital currency platforms. These actions are part of broader U.S. efforts to disrupt North Korea's cybercrime operations, which have long targeted Western companies for financial gain. Recent U.S. Treasury sanctions targeted North Korean entities involved in laundering proceeds of cybercrime and IT worker fraud, increasing pressure on the regime's financial networks. |
| 2025-11-14 22:27:13 | bleepingcomputer | DATA BREACH | Logitech Confirms Data Breach Following Clop Extortion Attack | Logitech has confirmed a data breach following a cyberattack by the Clop extortion gang that affected employee and customer data. The breach did not affect Logitech's products, business operations, or manufacturing, so its core functions continued uninterrupted. Initial investigation indicates the breach involved a zero-day vulnerability in third-party software, which was patched promptly once detected. Approximately 1.8 TB of data was reportedly stolen, but sensitive information such as national ID numbers and credit card details was not compromised. Logitech engaged leading external cybersecurity firms to assist with the investigation and response. The Clop gang has a history of exploiting zero-day vulnerabilities, and its other victims include Harvard, Envoy Air, and The Washington Post. Oracle confirmed a zero-day vulnerability in its E-Business Suite, tracked as CVE-2025-61882, which was exploited in the attack and prompted an emergency fix. |
| 2025-11-14 20:47:44 | theregister | VULNERABILITIES | Fortinet's Critical FortiWeb Vulnerability Actively Exploited Before Patch Release | Fortinet disclosed a critical path traversal vulnerability in its FortiWeb product, tracked as CVE-2025-64446, that allows attackers to execute administrative commands. The vulnerability was actively exploited before Fortinet published a security advisory and patch, giving attackers a significant head start. Fortinet released a fix in version 8.0.2, but exploitation began after a proof-of-concept was shared publicly in early October. The US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities Catalog, underscoring its severity. watchTowr and Rapid7 identified widespread exploitation, with attackers creating new administrator accounts to persist on compromised devices. Approximately 80,000 FortiWeb firewalls are potentially vulnerable, and experts urge immediate patching to prevent further breaches. Fortinet is communicating with affected customers to guide remediation and ensure security measures are in place. |
| 2025-11-14 20:11:44 | bleepingcomputer | CYBERCRIME | Five Individuals Plead Guilty in North Korean Cybercrime Scheme | The U.S. Department of Justice announced guilty pleas from five individuals who helped North Korea with illicit revenue schemes, including IT worker fraud and cryptocurrency theft. The individuals, four Americans and one Ukrainian, used false identities to help DPRK agents obtain remote jobs with U.S. firms and funnel the earnings to North Korea. The scheme affected 136 companies across the United States and generated over $2.2 million for the North Korean regime. U.S. authorities are also seeking forfeiture of $15 million in cryptocurrency linked to APT38, associated with the Lazarus Group, from multiple cyber-heists. The DOJ's actions include seizing funds from 2023 incidents targeting cryptocurrency exchanges in Panama, Estonia, and Seychelles, which together involved $382 million in stolen assets. APT38 laundered these funds through cryptocurrency bridges, mixers, and exchanges; $15 million has so far been traced and seized. The case underscores the ongoing threat of state-sponsored cybercrime and the importance of robust identity verification in hiring. |
| 2025-11-14 18:34:25 | bleepingcomputer | NATION STATE ACTIVITY | Anthropic's AI-Automated Cyberattack Claims Face Industry Skepticism | Anthropic alleges that a Chinese state-sponsored group used its Claude AI model for a largely automated cyber-espionage operation targeting 30 high-profile entities. The operation reportedly involved minimal human intervention, with the AI autonomously scanning, exploiting, and extracting data from targets. Security experts and AI practitioners are skeptical, citing a lack of evidence and possible exaggeration of AI capabilities. Anthropic disrupted the activity in September 2025, banning accounts and improving its detection capabilities to prevent future AI-driven intrusions. The attack reportedly relied on open-source tools and Model Context Protocol infrastructure rather than bespoke malware. Despite Anthropic's claims, industry experts are asking for concrete indicators of compromise to validate the incident's scale and degree of automation. The incident raises questions about the potential and limits of AI in offensive operations and prompts calls for better detection methods. |