Daily Brief

Each headline below is followed by its generated summary.

Total articles found: 11627

Checks for new stories every ~15 minutes

2025-11-13 20:07:01 theregister CYBERCRIME Checkout.com Refuses Ransom, Funds Cybercrime Research Instead
Checkout.com was hit by an extortion attempt from ShinyHunters, who claimed to have stolen data and demanded a ransom. The company refused to pay and will instead donate the equivalent amount to cybercrime research at Carnegie Mellon University and the University of Oxford. The intrusion involved a legacy third-party cloud file storage system that had been used for internal documents and merchant onboarding; Checkout.com says fewer than 25% of its merchant base is affected. Its payment processing platform was not touched, and no merchant funds or card numbers were accessed. The company is working with law enforcement and regulators and is notifying affected merchants. The incident is a reminder that legacy systems holding business data need to be decommissioned rather than left running, and that a public refusal to pay avoids funding further criminal activity.
2025-11-13 19:04:33 bleepingcomputer VULNERABILITIES Critical RCE Vulnerability in ImunifyAV Threatens Millions of Websites
A remote code execution vulnerability in ImunifyAV, the malware scanner used by Imunify360, ImunifyAV+ and the free ImunifyAV, exposes the millions of Linux-hosted websites it protects; because the scanner runs with elevated access, a successful exploit can compromise the hosting environment rather than a single site. The flaw is in the AI-bolit component in versions prior to 32.7.4.0: its deobfuscation logic executes functions named in the sample being unpacked, so attacker-controlled PHP functions run during malware analysis. Because Imunify360's scanning is always on, an attacker who can get a crafted file onto a scanned host can trigger the scan that executes it. CloudLinux, the vendor, fixed the issue in late October and backported the fix to older versions on November 10; the fix adds an allowlist of functions the deobfuscator may call. No CVE-ID has been assigned and no active exploitation has been reported, but administrators should upgrade to 32.7.4.0 or newer now, since no specific guidance exists for detecting a compromise.
2025-11-13 16:07:41 bleepingcomputer DATA BREACH Washington Post Data Breach Exposes Nearly 10,000 Employees' Information
The Washington Post has disclosed a data breach affecting 9,720 employees and contractors whose personal and financial information was exposed through a vulnerability in Oracle E-Business Suite. Attackers had access between July 10 and August 22, exploiting what was then a zero-day, later identified as CVE-2025-61884. The campaign is attributed to the Clop extortion gang and also hit other large organizations, including Harvard University and Hitachi's GlobalLogic. Clop attempted to extort the Post in late September, prompting an internal investigation with outside cybersecurity experts. Affected individuals have been offered 12 months of identity protection and advised to place security freezes on their credit files and set up fraud alerts. Oracle disclosed the vulnerability during the investigation and confirmed that multiple E-Business Suite customers were affected. The breach follows an earlier incident in which the email accounts of several Post journalists were compromised, possibly by a foreign state actor.
2025-11-13 15:51:07 theregister VULNERABILITIES Ubuntu 25.10 Addresses Vulnerabilities in New Rust-Based Sudo Command
Two vulnerabilities have been identified and patched in sudo-rs, the Rust rewrite of sudo that Ubuntu 25.10 ships as its default sudo. Both, labelled the "password timeout issue" and the "timestamp auth issue", were rated low to moderate in severity with limited exploitation potential. The password timeout issue could reveal what the user typed if the password prompt timed out, which an attacker could turn into a social engineering risk. The timestamp auth issue affected only a non-default configuration setting and required privileged access to exploit, so default installations were not impacted. The fixes were also backported to Debian "stable", easing updates for downstream packagers. The episode shows the value of Ubuntu's interim releases for shaking out issues in new components before they reach a long-term support release.
2025-11-13 15:06:21 bleepingcomputer VULNERABILITIES Strategies to Mitigate Kerberoasting Threats in Active Directory Environments
Kerberoasting abuses a design property of Active Directory's Kerberos: any authenticated domain user can request a service ticket for any account that has a Service Principal Name, and that ticket is encrypted with a key derived from the service account's password. Attackers use open-source tooling to enumerate SPNs, request tickets, and crack them offline; a cracked service account that holds elevated permissions gives them privilege escalation without ever touching the account online. Password strength is therefore the decisive control: long, random service account passwords resist offline cracking, weak ones do not. Regular audits of domain account passwords and migrating services to Group Managed Service Accounts (gMSAs), whose long random passwords are rotated automatically, remove most of the attack surface. Enforcing AES for Kerberos and disabling RC4 also matters: an RC4 ticket is encrypted with the account's NT hash, which cracks quickly, while AES keys are derived from the password with PBKDF2 (4,096 iterations), which slows each guess considerably. Multi-factor authentication and strong password policies reduce the initial user account compromises that give attackers a foothold to roast from. The piece recommends tools such as Specops Password Auditor to find weak or compromised passwords and enforce policy.
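The mitigations above (audit passwords, move to gMSAs, enforce AES) are preventive; the companion detection, which the summary does not cover, is to watch Event ID 4769 on domain controllers for the request pattern Kerberoasting produces. The following is an added example, not code from the article or from Specops: it parses a few constructed 4769 records (a simplified key=value form, not real Windows event XML; the field names follow the real 4769 schema), flags RC4-encrypted service ticket requests for user-owned service accounts, and raises an alert when one account requests tickets for many distinct SPNs in a short window. The sample data, the five-SPN threshold and the five-minute window are assumptions to be tuned per environment.

```python
"""Flag likely Kerberoasting from Windows Security Event ID 4769 records.

Added, illustrative example (not from the article or from Specops). Input is a
handful of CONSTRUCTED 4769 records in a simple key=value line format, not real
Windows event XML; the field names mirror those Windows uses in 4769:
TargetUserName, ServiceName, TicketEncryptionType, IpAddress, TimeCreated.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos encryption type values as logged in 4769 (RFC 3961 / MS-KILE).
RC4_HMAC = 0x17        # key is the account's NT hash: cheap to crack offline
RC4_HMAC_EXP = 0x18
AES128_CTS = 0x11      # PBKDF2-derived key, 4096 iterations
AES256_CTS = 0x12

WEAK_ETYPES = {RC4_HMAC, RC4_HMAC_EXP}

# Constructed sample, not real telemetry: one user requesting many RC4 tickets
# for non-computer service accounts within seconds (classic Kerberoasting),
# plus benign AES traffic and a computer-account request that must not alert.
SAMPLE_4769 = """\
TimeCreated=2025-11-13T09:00:01 TargetUserName=alice@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.25
TimeCreated=2025-11-13T09:00:02 TargetUserName=alice@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.25
TimeCreated=2025-11-13T09:00:02 TargetUserName=alice@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.25
TimeCreated=2025-11-13T09:00:03 TargetUserName=alice@CORP.LOCAL ServiceName=svc_iis TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.25
TimeCreated=2025-11-13T09:00:03 TargetUserName=alice@CORP.LOCAL ServiceName=svc_ldap TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.25
TimeCreated=2025-11-13T09:00:05 TargetUserName=alice@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.25
TimeCreated=2025-11-13T09:01:10 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.31
TimeCreated=2025-11-13T09:01:12 TargetUserName=bob@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.31
TimeCreated=2025-11-13T09:02:00 TargetUserName=carol@CORP.LOCAL ServiceName=svc_legacy TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.40
"""


def parse_4769(text):
    """Parse key=value lines into dicts; etype becomes an int, time a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["TicketEncryptionType"] = int(fields["TicketEncryptionType"], 16)
        fields["TimeCreated"] = datetime.fromisoformat(fields["TimeCreated"])
        events.append(fields)
    return events


def is_roastable_service(name):
    """Computer accounts (trailing $) and krbtgt have long random, rotated
    keys, so their tickets are not useful cracking targets; skip them."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def weak_ticket_requests(events):
    """Every RC4 TGS request for a user-owned service account. Once a domain
    is AES-only, each of these is itself worth an alert."""
    return [
        e for e in events
        if e["TicketEncryptionType"] in WEAK_ETYPES
        and is_roastable_service(e["ServiceName"])
    ]


def kerberoast_bursts(events, min_spns=5, window=timedelta(minutes=5)):
    """Group weak requests per requesting user and flag any user that asked for
    at least min_spns distinct roastable SPNs inside the window: the burst
    pattern of enumerate-then-request tooling."""
    by_user = defaultdict(list)
    for e in weak_ticket_requests(events):
        by_user[e["TargetUserName"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits the time bound.
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            spns = {e["ServiceName"] for e in evs[start:end + 1]}
            if len(spns) >= min_spns:
                alerts.append({"user": user,
                               "source_ip": evs[end]["IpAddress"],
                               "spns": sorted(spns)})
                break  # one alert per user is enough
    return alerts


if __name__ == "__main__":
    for a in kerberoast_bursts(parse_4769(SAMPLE_4769)):
        print(f"Kerberoasting burst: {a['user']} from {a['source_ip']} -> {a['spns']}")
```

On the sample, only alice trips the burst rule (five distinct RC4 tickets for user-owned SPNs in two seconds); her request for the computer account WS01$ is ignored, bob's AES requests are benign, and carol's single RC4 request is recorded by weak_ticket_requests but does not meet the burst threshold. Before a domain has been moved to AES, legitimate RC4 traffic makes the burst condition the useful signal; after the move, the weak-request list alone is actionable.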
2025-11-13 13:51:36 theregister DATA BREACH Washington Post Suffers Data Breach in Clop Ransomware Attack
The Washington Post has confirmed a data breach affecting nearly 10,000 employees and contractors, carried out by the Clop extortion gang through a vulnerability in Oracle E-Business Suite. Names, bank account details, Social Security numbers and tax IDs were exfiltrated between July 10 and August 22. The flaw was a then-unknown zero-day in Oracle EBS that has been used against organizations worldwide, prompting Oracle to release emergency patches in October. Affected individuals have been offered complimentary identity-protection services, and the Post says it applied Oracle's patches promptly and has reinforced its security measures. Clop has listed numerous victims from a range of sectors on its leak site, and other organizations, including GlobalLogic and Allianz UK, have reported similar breaches, indicating exploitation at scale. The incident highlights the need to monitor and patch internet-facing enterprise software quickly when a vendor issues an out-of-band fix.
2025-11-13 13:51:35 bleepingcomputer MISCELLANEOUS Microsoft Introduces Screen Capture Prevention for Teams Premium Users
Microsoft is rolling out a "Prevent screen capture" feature for Teams Premium that blocks screenshots and recordings of meeting content on Windows and Android devices. Announced in May 2025, the rollout slipped to early November 2025 and is expected to complete by late November. The feature is off by default and must be enabled per meeting by an organizer or co-organizer through Meeting Options; Microsoft 365 admins handle the Teams Premium licensing and device management side through Entra ID. The control is not a complete one: content can still be captured by external means, such as photographing the screen. It sits alongside Microsoft's other recent Teams hardening work, including protection against malicious file types and flagged URLs, and reflects enterprise demand for tighter control over what leaves a meeting.
2025-11-13 13:05:01 thehackernews MALWARE Malicious Chrome Extension "Safery" Targets Ethereum Wallet Seed Phrases
A Chrome extension named "Safery: Ethereum Wallet" has been identified as malicious: it poses as a secure Ethereum wallet but steals the seed phrases entered into it and exfiltrates them over the Sui blockchain. The seed phrase is encoded into synthetic Sui addresses and the extension sends microtransactions to those addresses; the attacker then reads the recipient addresses from the public chain, decodes them to reconstruct the seed phrase, and drains the victim's assets. Using the blockchain as the exfiltration channel avoids a conventional command-and-control server and leaves no attacker domain to block, which complicates detection. Users should install only well-known wallet extensions; security teams should look for mnemonic-to-address encoders and synthetic address generation in extension code, monitor for unexpected blockchain RPC calls, and block extensions that write to a chain during wallet import or creation. The extension was uploaded to the Chrome Web Store on September 29, 2025 and was still listed at the time of the report.
2025-11-13 13:05:00 bleepingcomputer MALWARE Uhale Android Photo Frames Distribute Malware via Boot Process
A security assessment by Quokka found that Uhale digital photo frames download and execute malware during boot, with payloads linked to the Mezmess and Vo1d malware families. The malware is fetched from China-based servers through the frames' automatic update mechanism, which installs whatever it receives. The devices make this easy: SELinux is disabled, they ship rooted, and the firmware is signed with the publicly available AOSP test-keys, so anyone can sign code the device treats as trusted. Quokka identified 17 vulnerabilities in the Uhale platform, 11 of them with assigned CVE-IDs. ZEASN, the company behind Uhale, has not responded to the researchers' disclosures, which began in May. With more than 500,000 downloads of the Uhale app on Google Play and the platform sold under many frame brands, the exposure is broad. Consumers are advised to buy devices from reputable brands that ship official Android images and maintain security updates.
2025-11-13 12:13:43 bleepingcomputer VULNERABILITIES CISA Urges Immediate Patching of Critical Cisco Firewall Flaws
CISA is urging U.S. federal agencies to finish patching two vulnerabilities in Cisco ASA and Firepower devices, CVE-2025-20362 and CVE-2025-20333, which are covered by Emergency Directive 25-03 issued in September. The first lets an unauthenticated remote attacker reach restricted URL endpoints; the second allows code execution; chained together they give full control of an unpatched device. Both were exploited as zero-days in the ArcaneDoor campaign, which targeted Cisco ASA 5500-X Series appliances with VPN web services enabled. Despite the directive, CISA reports that some agencies have not fully updated their systems, so it has published new guidance on identifying the correct fixed release to apply. Shadowserver's scans show exposed vulnerable Cisco devices falling from roughly 45,000 to 30,000, which still leaves a large population at risk. CISA has also added actively exploited Samsung and WatchGuard vulnerabilities to its Known Exploited Vulnerabilities catalog, with patching deadlines for federal agencies.
2025-11-13 12:03:24 theregister CYBERCRIME Europol Dismantles Rhadamanthys Malware Network, Seizes Over 1,000 Servers
Europol and Eurojust coordinated raids that dismantled the Rhadamanthys infostealer network, seizing 1,025 servers and disrupting hundreds of thousands of infected systems worldwide. The action, part of the ongoing Operation Endgame, turned up more than 86 million stolen credentials and over 525,000 infections across 226 countries and territories. Five suspects associated with the pay-per-infect scheme were arrested, and some are providing intelligence to law enforcement; the malware's administrator and its customers remain at large. Rhadamanthys has been sold as a credential theft tool since 2022, distributed via email, web injects and malvertising, with access priced at $300-500 per month. Operation Endgame also targeted Elysium and VenomRAT, and VenomRAT's main suspect was arrested in Greece. Authorities say the aim is to undermine trust within cybercriminal networks, and they are asking the public for help identifying the remaining perpetrators.
2025-11-13 11:30:25 thehackernews VULNERABILITIES Accelerating Cyber Defense: The Shift to Machine-Speed Security
Recent reports indicate that 50-61% of new vulnerabilities are exploited within 48 hours of disclosure, challenging traditional defense timelines. Threat actors have automated their response, using AI to rapidly assess and exploit new vulnerabilities, outpacing manual defensive efforts. The traditional quarterly or monthly patching cycles are inadequate, as attackers weaponize vulnerabilities long before organizations can deploy fixes. Automation and orchestration are essential for reducing exposure windows, allowing security teams to respond at machine speed. Organizations must transition from manual patching to automated, policy-driven remediation to maintain operational safety and competitiveness. Security teams are encouraged to adopt accelerated defense strategies, combining automation and controlled rollback to ensure agility and resilience. The future of cybersecurity will depend on the ability to execute rapid, informed actions, as the slowest responder risks immediate compromise.
2025-11-13 11:24:46 thehackernews CYBERCRIME Global Operation Endgame Targets Major Malware Networks and Arrests Key Suspect
Europol and Eurojust led a coordinated operation dismantling Rhadamanthys Stealer, Venom RAT, and the Elysium botnet, disrupting significant cybercrime infrastructures. The operation, conducted from November 10 to 13, 2025, resulted in the takedown of over 1,025 servers and seizure of 20 domains. Authorities arrested the primary suspect behind Venom RAT in Greece, marking a significant breakthrough in the fight against cybercrime. The dismantled networks affected hundreds of thousands of computers, with millions of credentials stolen, many victims unaware of their compromised systems. The Rhadamanthys malware was found to have advanced capabilities, including device and browser fingerprinting, enhancing its stealth. The suspect associated with Rhadamanthys had access to 100,000 cryptocurrency wallets, potentially involving millions of euros in stolen funds. Law enforcement agencies from nine countries, including the U.S., Germany, and Australia, collaborated in this extensive international effort.
2025-11-13 11:15:37 theregister CYBERCRIME Synnovis Concludes Investigation into Qilin Ransomware Attack Impacting NHS
Synnovis completed an 18-month forensic review of a ransomware attack by the Qilin gang that disrupted pathology services across London in 2024. The attack led to the cancellation of thousands of medical appointments and operations, severely impacting NHS service delivery. Security firm CaseMatrix estimated that data for over 900,000 NHS patients was leaked, though Synnovis has not confirmed this figure. The breach contributed to a patient's death, marking a rare instance where a ransomware attack has been linked to a fatality. Synnovis used specialized platforms to reconstruct compromised data, which was unstructured and fragmented, complicating the investigation. No ransom was paid, as Synnovis and NHS trusts opted against funding cybercriminal activities, despite the Qilin gang's double-extortion tactics. Synnovis is notifying affected NHS organizations, with patient notifications expected to take additional time due to the complexity of the breach. The Qilin group, believed to be of Russian origin, targets entities linked to political elites, employing data exfiltration and encryption in attacks.
2025-11-13 11:01:18 bleepingcomputer CYBERCRIME Operation Endgame Dismantles Major Malware Networks Across Europe
Law enforcement from nine countries dismantled over 1,000 servers linked to Rhadamanthys, VenomRAT, and Elysium malware as part of Operation Endgame. Coordinated by Europol and Eurojust, the operation involved private partners like CrowdStrike and Proofpoint, enhancing international collaboration against cybercrime. Searches in Germany, Greece, and the Netherlands led to the seizure of 20 domains and the arrest of a key suspect in Greece associated with VenomRAT. The dismantled infrastructure included hundreds of thousands of infected systems, with millions of stolen credentials and over 100,000 compromised crypto wallets. Europol advises using resources like politie.nl/checkyourhack and haveibeenpwned.com to verify potential infections from these malware operations. The operation follows previous disruptions targeting ransomware and other malware infrastructures, demonstrating ongoing efforts to combat global cyber threats. The Rhadamanthys developer indicated suspicion of German law enforcement involvement due to activity logs showing German IP addresses before server access was lost.