Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-11-14 09:54:58 | bleepingcomputer | VULNERABILITIES | ASUS Patches Critical Authentication Bypass in DSL Routers | ASUS has addressed a critical authentication bypass vulnerability, tracked as CVE-2025-59367, affecting several DSL series routers, including DSL-AC51, DSL-N16, and DSL-AC750 models. The flaw allows remote, unauthenticated attackers to access affected routers through low-complexity attacks without user interaction, posing significant security risks. ASUS released firmware version 1.1.2.3_1010 to mitigate this vulnerability, urging users to update promptly to prevent unauthorized access. For users unable to update immediately, ASUS advises disabling internet-accessible services like remote WAN access, port forwarding, and VPN server to reduce exposure. No active exploitation has been reported, but similar vulnerabilities have been used to build botnets for DDoS attacks, highlighting the importance of timely updates. ASUS emphasizes additional security measures, such as using complex passwords and regularly checking for firmware updates, to enhance router security. The incident reflects ongoing challenges in securing network devices, stressing the need for proactive vulnerability management and user awareness. |
| 2025-11-14 09:31:48 | theregister | CYBERCRIME | Clop Claims Cyberattack on NHS; Investigation Underway | The cybercrime group Clop claims to have breached the UK's National Health Service (NHS) using an Oracle E-Business Suite zero-day exploit. Clop added the NHS to its leak site but has not yet disclosed any specific data or identified the affected NHS branch. The NHS, comprising numerous organizations, is investigating the claim with the National Cyber Security Centre, though no intrusion has been confirmed. Clop's listing of the NHS's revenue appears to be a misinterpretation of the Department of Health and Social Care's budget figures. The NHS, a critical healthcare provider and major European employer, remains a target due to its reliance on vital systems and sensitive patient data. Historically, the NHS does not pay ransoms, and proposed UK legislation may soon ban public sector ransom payments entirely. Previous attempts to extort the NHS have failed, with cyberattacks primarily resulting in potential patient harm rather than financial gain for attackers. |
| 2025-11-14 09:07:54 | thehackernews | VULNERABILITIES | Fortinet FortiWeb Vulnerability Exploited Before Silent Patch Release | A critical authentication bypass flaw in Fortinet's FortiWeb was exploited in the wild before a silent patch was issued in version 8.0.2. Attackers can leverage this vulnerability to take over admin accounts, compromising the entire device by adding new administrator accounts. The exploitation involves sending a payload via an HTTP POST request to a specific endpoint, allowing unauthorized admin account creation. The origins of the threat actor exploiting this vulnerability remain unknown, with activity first detected early last month. Fortinet has not yet assigned a CVE identifier or released an official advisory, raising concerns about vulnerability management and communication. Rapid7 advises immediate patching of FortiWeb versions prior to 8.0.2, as unpatched devices are at high risk of being compromised. The vulnerability's details were reportedly sold on a black hat forum, complicating the threat landscape for enterprises using FortiWeb. Organizations are urged to check for signs of compromise and contact Fortinet for further guidance while applying necessary patches. |
| 2025-11-14 05:29:52 | bleepingcomputer | DATA BREACH | DoorDash Suffers Third Data Breach Exposing User Information | DoorDash disclosed a data breach on October 25, 2025, impacting user contact information across multiple regions, including the U.S., Canada, Australia, and New Zealand. The breach resulted from a social engineering scam targeting a DoorDash employee, leading to unauthorized access to user data. DoorDash's incident response team quickly shut down the unauthorized access, initiated an investigation, and notified law enforcement. This marks the third significant security incident for DoorDash, following breaches in 2019 and 2022, raising concerns about the company's data protection measures. Criticism has emerged over the 19-day delay in notifying affected users, with some questioning the adequacy of DoorDash's response and communication. DoorDash has enhanced security measures, increased employee training, and engaged a cybersecurity forensic firm to assist in the ongoing investigation. Users are advised to be cautious of potential phishing attempts and suspicious communications claiming to be from DoorDash. |
| 2025-11-14 04:42:25 | bleepingcomputer | DATA BREACH | DoorDash Experiences Third Significant Data Breach in Recent Years | DoorDash disclosed a data breach on October 25, 2025, involving unauthorized access to user contact information, affecting customers primarily in Canada. The breach resulted from a DoorDash employee falling victim to a social engineering attack, prompting swift action from the incident response team. Information accessed varied by individual, but DoorDash assures that sensitive data such as Social Security Numbers were not compromised. Criticism arose over the 19-day delay in notifying affected users, with some expressing concerns about compliance with Canadian data breach laws. DoorDash has engaged a leading cybersecurity forensic firm, enhanced security measures, and involved law enforcement in the ongoing investigation. Users are advised to remain vigilant against potential phishing attempts and avoid clicking on suspicious links or providing personal information to unverified sources. This incident marks DoorDash's third major security breach, following similar events in 2019 and 2022, raising questions about their cybersecurity resilience. |
| 2025-11-14 02:44:15 | bleepingcomputer | VULNERABILITIES | Fortinet FortiWeb Vulnerability Exploited to Create Unauthorized Admin Accounts | A path traversal vulnerability in Fortinet FortiWeb is actively exploited, allowing attackers to create admin users without authentication on exposed devices. Researchers from Defused and PwnDefend identified the flaw, which affects FortiWeb versions 8.0.1 and earlier, with a fix available in version 8.0.2. Attackers utilize HTTP POST requests to inject payloads, creating admin-level accounts with usernames like Testpoint and trader1, and passwords such as 3eMIXX43. Exploitation is widespread, originating from various IP addresses, with security firm watchTowr Labs confirming the exploit through a demonstration video. watchTowr released a tool to assist defenders in identifying vulnerable devices by generating admin users with random usernames. Administrators are advised to update to FortiWeb 8.0.2, restrict management interface access, and monitor for unusual activity and unauthorized accounts. Fortinet has yet to disclose the vulnerability on its PSIRT site, and further updates are pending as BleepingComputer seeks clarification from the company. |
| 2025-11-14 01:18:19 | theregister | VULNERABILITIES | Kubernetes to Retire Ingress NGINX Due to Security Concerns | Kubernetes maintainers will retire Ingress NGINX by March 2026, citing serious security vulnerabilities and technical debt as primary reasons for the decision. Ingress NGINX, a widely used ingress controller, enables external HTTP/S access to Kubernetes clusters, but its flexibility has led to maintenance challenges. Researchers from Wiz identified critical vulnerabilities in March 2025, which could allow full control over Kubernetes clusters, prompting heightened security concerns. The Kubernetes Security Response Committee has opted to cease development, advising users to transition to alternative solutions or develop compensating controls. The decision affects approximately 6,000 known implementations, necessitating urgent migration planning for Kubernetes administrators to maintain secure operations. Developers have shifted focus to the "InGate" project, aiming to offer a more secure ingress controller with Gateway API capabilities. Insufficient maintainership of Ingress NGINX, with only one or two developers, contributed to its operational challenges and eventual retirement decision. |
| 2025-11-13 23:18:50 | theregister | NATION STATE ACTIVITY | Chinese AI-Driven Cyber Espionage Targets High-Profile Organizations | Chinese cyber operatives utilized Anthropic's Claude Code AI in a campaign against approximately 30 major companies and government entities, achieving limited success in breaching high-value targets. The operation, occurring in mid-September, aimed at tech giants, financial firms, chemical manufacturers, and government bodies, marking a pioneering use of AI in state-sponsored cyber espionage. GTG-1002, a Chinese state-sponsored group, leveraged AI to perform tasks such as mapping attack surfaces, identifying vulnerabilities, and crafting exploit chains, with minimal human intervention. The AI-driven attacks involved multiple sub-agents executing specific tasks, while human operators reviewed and approved AI-generated actions, indicating a shift towards more autonomous cyber operations. Anthropic responded by banning implicated accounts, conducting a comprehensive investigation, notifying affected parties, and collaborating with law enforcement to mitigate the impact. Despite the AI's advanced capabilities, it exhibited inaccuracies, such as overstating findings and fabricating data, necessitating human validation and highlighting current limitations in fully autonomous cyberattacks. This incident signals a significant escalation in AI's role in cyber operations, with state-sponsored groups rapidly advancing their use of AI technologies for offensive purposes. |
| 2025-11-13 22:54:44 | bleepingcomputer | CYBERCRIME | Kraken Ransomware Adopts Advanced Encryption Tactics for Maximum Impact | Kraken ransomware targets Windows and Linux/VMware ESXi systems, benchmarking them to optimize encryption speed and efficiency while avoiding detection. Originating from the HelloKitty operation, Kraken engages in high-profile attacks with data theft for double extortion, impacting victims in the US, UK, Canada, and more. The ransomware's attack chain begins with exploiting SMB vulnerabilities, followed by credential extraction and lateral movement using Cloudflared and SSHFS tools. Kraken's encryption process involves a unique performance benchmark, deciding between full or partial encryption based on system capabilities to maximize damage. Before encryption, Kraken deletes shadow volumes and backup services, ensuring minimal recovery options for the victim. The ransomware appends a '.zpsc' extension to encrypted files and demands ransoms, with one observed demand reaching $1 million in Bitcoin. Cisco Talos researchers have published indicators of compromise (IoCs) on GitHub to assist organizations in detecting and mitigating Kraken ransomware threats. |
| 2025-11-13 22:41:10 | bleepingcomputer | CYBERCRIME | Akira Ransomware Expands to Target Nutanix Virtual Machines | U.S. government agencies have issued a warning about Akira ransomware encrypting Nutanix AHV virtual machines, marking an expansion from its previous targets like VMware ESXi and Hyper-V. The advisory, updated with new indicators of compromise, stems from FBI investigations and third-party reports as recent as November 2025. Akira's Linux encryptors target the .qcow2 file extension used by Nutanix AHV, but unlike on VMware ESXi, they do not utilize AHV's native commands to shut down VMs before encryption. To infiltrate networks, Akira affiliates exploit stolen VPN and SSH credentials and SonicWall vulnerabilities, further compromising systems by exploiting unpatched Veeam Backup & Replication servers. Akira's post-compromise tactics include disabling endpoint detection, creating new admin accounts, and using tools like AnyDesk and LogMeIn for lateral movement and persistence. The ransomware group has been able to exfiltrate data rapidly, sometimes within two hours, using tools like Ngrok for encrypted command-and-control channels. Organizations are urged to follow updated guidance, including regular offline backups, enforcing multifactor authentication, and promptly patching known vulnerabilities. |
| 2025-11-13 22:08:29 | bleepingcomputer | MALWARE | IndonesianFoods Worm Floods npm Registry with 100,000 Packages | The IndonesianFoods worm has inundated the npm registry with over 100,000 packages, using automated processes to create a high volume of junk entries every seven seconds. Although currently non-malicious, the worm's potential to introduce harmful payloads poses a significant risk to the software supply chain. Security researcher Paul McCarty initiated tracking of the spam campaign, which has overwhelmed security data systems and triggered numerous vulnerability reports. The worm exploits the TEA Protocol, using blockchain incentives to inflate impact scores, suggesting financial motives behind the attack. The campaign's automation and scale mirror similar supply-chain attacks, raising concerns about the security of open-source ecosystems. Developers are urged to secure dependency versions, monitor publishing patterns, and enforce strict digital signature validation to mitigate risks. Sonatype's warnings indicate that such attacks could pave the way for more severe malware infiltration in open-source environments. |
| 2025-11-13 20:31:31 | thehackernews | CYBERCRIME | Russian Hackers Launch Extensive Phishing Campaign on Hotel Guests | Over 4,300 fake domains created by Russian-speaking hackers target hotel guests, aiming to steal payment data through phishing emails linked to popular travel brands. The campaign, active since February 2025, exploits familiar brand names like Booking.com, Expedia, and Airbnb, using sophisticated phishing kits to mimic legitimate booking sites. Victims are lured via emails to confirm bookings, leading them to counterfeit sites that request credit card information under the guise of a deposit. The phishing sites, supporting 43 languages, employ tactics such as fake CAPTCHA checks and unique URL identifiers to enhance credibility and avoid detection. The campaign's infrastructure allows attackers to dynamically alter site branding based on URL parameters, complicating efforts to trace and shut down operations. The identity of the threat group remains unknown, though evidence suggests a Russian origin, potentially indicating a broader phishing-as-a-service operation. Recent phishing trends indicate a shift towards automation and scalability, enabling cybercriminals to execute attacks with minimal technical skill, impacting sectors beyond hospitality. |
| 2025-11-13 20:07:01 | theregister | CYBERCRIME | Checkout.com Refuses Ransom, Funds Cybercrime Research Instead | Checkout.com faced a ransomware attack by ShinyHunters, who claimed to have stolen data and demanded a ransom. The company chose not to pay the extortionists. Instead of succumbing to the ransom demand, Checkout.com will donate the equivalent amount to cybercrime research initiatives at Carnegie Mellon University and the University of Oxford. The breach involved a legacy third-party cloud file storage system used for internal documents and merchant onboarding, affecting less than 25% of its merchant base. Checkout.com's payment processing platform remained secure, with no access to merchant funds or card numbers compromised during the incident. The company is actively engaging with law enforcement and regulators while notifying affected customers to ensure transparency and accountability. This incident underscores the importance of decommissioning outdated systems and maintaining robust security practices to prevent unauthorized access. Checkout.com's response, emphasizing transparency and responsibility, sets a precedent for handling cyber incidents without funding criminal activities. |
| 2025-11-13 19:04:33 | bleepingcomputer | VULNERABILITIES | Critical RCE Vulnerability in ImunifyAV Threatens Millions of Websites | A remote code execution vulnerability in ImunifyAV affects millions of Linux-hosted websites, potentially compromising entire hosting environments. The flaw impacts versions of the AI-bolit component prior to 32.7.4.0, used in Imunify360, ImunifyAV+, and the free ImunifyAV. CloudLinux, the vendor, released fixes in late October and backported them to older versions on November 10, urging immediate updates. The vulnerability stems from AI-bolit's deobfuscation logic, allowing execution of attacker-controlled PHP functions during malware unpacking. Exploitation is possible due to the 'always on' state of Imunify360's scanning, which meets the conditions for remote code execution. CloudLinux's fix introduces a whitelisting mechanism to prevent arbitrary function execution, although no CVE-ID or active exploitation reports exist yet. System administrators are advised to upgrade to version 32.7.4.0 or newer, despite the absence of specific compromise detection guidance. |
| 2025-11-13 16:07:41 | bleepingcomputer | DATA BREACH | Washington Post Data Breach Exposes Nearly 10,000 Employees' Information | The Washington Post experienced a data breach impacting 9,720 employees and contractors, exposing their personal and financial information due to a vulnerability in Oracle E-Business Suite software. The breach occurred between July 10 and August 22, with attackers exploiting a zero-day vulnerability, later identified as CVE-2025-61884, to access sensitive data. The Clop ransomware group is linked to these attacks, which also affected other major organizations like Harvard University and Hitachi's GlobalLogic. Attackers attempted to extort the Washington Post in late September, prompting an internal investigation assisted by cybersecurity experts. Impacted individuals were offered a 12-month identity protection service and advised to place security freezes on their credit files and set up fraud alerts. Oracle disclosed the vulnerability during the investigation, revealing it affected multiple customers using the E-Business Suite. This breach follows a previous incident where the email accounts of several Washington Post journalists were compromised, possibly by foreign state actors. |