Daily Brief

Total articles found: 11627

Checks for new stories every ~15 minutes
2025-11-13 10:16:06 thehackernews DATA BREACH Chinese Security Vendor Knownsec Suffers Major Data Breach
A data breach at Knownsec resulted in the exposure of over 12,000 classified documents, revealing sensitive information about Chinese state cyber capabilities. Leaked documents include data on cyber weapons, internal tools, and global target lists, highlighting potential national security implications. The breach also exposed RATs capable of compromising multiple operating systems, including Linux, Windows, and macOS. Sensitive data such as 95GB of immigration records from India and 3TB of call records from South Korea were also leaked. The breach raises concerns about the security practices of vendors handling sensitive government contracts and data. The incident underscores the importance of robust security measures and regular audits for organizations managing critical and classified information.
2025-11-13 10:08:52 bleepingcomputer VULNERABILITIES CISA Urges Urgent Patching of Exploited WatchGuard Firewall Flaw
CISA has issued a warning to government agencies about a critical vulnerability in WatchGuard Firebox firewalls, urging immediate patching to prevent remote code execution attacks. The vulnerability, CVE-2025-9242, affects Fireware OS 11.x, 12.x, and 2025.1, and has been added to the Known Exploited Vulnerabilities catalog. Under Binding Operational Directive 22-01, federal agencies have been given a deadline of December 3 to secure their systems. WatchGuard released patches on September 17; however, the flaw was only recognized as actively exploited on October 21. Shadowserver reports a decrease in vulnerable Firebox appliances from 75,000 to 54,000 globally, with most located in Europe and North America. Although the directive targets federal agencies, all organizations are advised to prioritize patching because firewalls are attractive targets for threat actors. The Akira ransomware gang has been exploiting similar vulnerabilities, highlighting the persistent threat to firewall security.
2025-11-13 07:24:10 thehackernews VULNERABILITIES CISA Warns of Critical WatchGuard Fireware Vulnerability Affecting Thousands
CISA added a critical vulnerability in WatchGuard Fireware to its Known Exploited Vulnerabilities catalog due to active exploitation, affecting over 54,000 Firebox devices globally. The flaw, identified as CVE-2025-9242 with a CVSS score of 9.3, is an out-of-bounds write in the Fireware OS iked process that allows unauthenticated remote code execution. The root cause is a missing length check during the IKE handshake, which makes the vulnerable code reachable before authentication, as noted by security researcher McCaulay Hudson. More than 18,500 vulnerable devices are located in the U.S., with significant numbers also in Italy, the U.K., Germany, and Canada, according to Shadowserver Foundation data. Federal Civilian Executive Branch agencies are urged to apply WatchGuard's patches by December 3, 2025, to mitigate potential risks. The vulnerability's inclusion in CISA's catalog coincides with the addition of other critical flaws, such as a Windows kernel issue and a Gladinet Triofox access control vulnerability. This development serves as a reminder of the importance of timely patch management to prevent exploitation of known security flaws.
2025-11-13 05:02:13 thehackernews MALWARE Over 46,000 Fake npm Packages Unleashed in Spam Attack
A large-scale spam campaign has flooded the npm registry with over 46,000 fake packages since early 2024, targeting the software supply chain ecosystem. The campaign, dubbed "IndonesianFoods," uses a worm-like propagation mechanism and distinctive naming patterns, including Indonesian names and food terms. These packages masquerade as Next.js projects, remaining dormant until manually executed by users, thus evading automated detection systems. The attack leverages a self-replicating network of dependencies, straining registry bandwidth and creating supply chain risks for developers. The campaign's monetization strategy involves abusing the Tea protocol to earn tokens by artificially inflating impact scores. GitHub has removed the malicious packages and is committed to evolving detection methods to prevent similar threats. This incident underscores the need for enhanced security measures in package registries to address automation and scale threats.
2025-11-12 21:49:43 theregister CYBERCRIME Google Sues Chinese Scammers Over Massive Lighthouse Phishing Operation
Google has initiated legal action against 25 China-based individuals linked to the Lighthouse phishing scheme, which has reportedly stolen over 115 million credit card numbers in the US. Lighthouse offers a "phishing for dummies" kit, providing criminals with tools to create fraudulent websites mimicking over 400 legitimate entities, including Google services. The operation has generated over 200,000 fake websites in just 20 days, targeting more than one million victims across 121 countries, causing significant financial losses. Google's lawsuit, citing the RICO Act and other legal frameworks, aims to dismantle the Lighthouse operation and recover damages from the cybercriminals involved. Despite the legal efforts, the 25 defendants are unlikely to face a US court due to their location in China, where extradition is rare and local prosecution is improbable. Google is collaborating with US lawmakers to support legislation that tackles foreign cybercrime, endorsing bipartisan bills to enhance law enforcement capabilities and prevent scams. The proposed legislation includes measures to trace cryptocurrency transactions, block foreign robocalls, and sanction international scam operators, aiming to bolster national cybersecurity defenses.
2025-11-12 21:39:29 bleepingcomputer CYBERCRIME Google Sues to Dismantle Chinese Phishing-as-a-Service Platform
Google has initiated legal action against "Lighthouse," a phishing-as-a-service platform, aiming to dismantle its infrastructure used for global smishing attacks. The platform has been linked to over 1 million victims across 120 countries, stealing up to 115 million payment cards in the U.S. alone. Lighthouse provides phishing templates and infrastructure, enabling cybercriminals to impersonate services like USPS and E-ZPass in text message scams. Google's lawsuit cites federal racketeering and fraud statutes, including the Racketeer Influenced and Corrupt Organizations Act and the Computer Fraud and Abuse Act. Researchers have associated Lighthouse with the Chinese threat actor "Wang Duo Yu," who sells smishing kits via Telegram, facilitating toll scam operations in multiple U.S. states. Google is enhancing its AI capabilities to detect scam messages and is supporting U.S. policy initiatives to protect consumers from foreign-based cybercrime. The company is also expanding public education efforts and improving user account recovery processes to combat phishing threats.
2025-11-12 21:05:40 bleepingcomputer CYBERCRIME Google Files Lawsuit Against Chinese Phishing Platform "Lighthouse"
Google has initiated legal action to dismantle the "Lighthouse" phishing-as-a-service platform, which has facilitated global SMS phishing scams targeting over 1 million victims across 120 countries. The platform exploited brands like USPS and E-ZPass to steal credit card information, affecting millions of users and compromising up to 115 million payment cards in the U.S. alone. Google's lawsuit leverages federal racketeering and fraud statutes, including the Racketeer Influenced and Corrupt Organizations Act, to target Lighthouse's infrastructure. Lighthouse offered phishing templates and infrastructure to cybercriminals, enabling them to impersonate well-known services and bypass spam filters via iMessage and RCS. Cisco Talos linked Lighthouse to the Chinese threat actor "Wang Duo Yu," who marketed the platform through Telegram, with subscription prices ranging from $88 per week to $1,588 per year. Google's response includes enhancing AI capabilities to detect scams, improving Google Messages security, and supporting U.S. policy initiatives to combat foreign-based cybercrime. The case underscores the growing threat of phishing-as-a-service platforms and the need for robust legal and technical measures to protect consumers globally.
2025-11-12 18:24:23 bleepingcomputer VULNERABILITIES Windows 11 Enhances Security with Third-Party Passkey Management
Microsoft has introduced native support for third-party passkey managers in Windows 11, enhancing passwordless authentication with the November 2025 security update. Initial support includes 1Password and Bitwarden, allowing users to manage passkeys more flexibly and securely across platforms. The new passkey system uses the FIDO2/WebAuthn standards, offering improved security through public-key cryptography and reducing the risk of phishing attacks. Users can now choose between Microsoft Password Manager, 1Password, or Bitwarden for storing private keys, with authentication facilitated via Windows Hello. This development is part of Microsoft's broader strategy to promote passwordless authentication, aiming to increase convenience and security for users. Bitwarden's integration is currently in beta, suggesting potential functional limitations until further testing and refinement are completed. The initiative reflects a significant step towards eliminating traditional passwords, aligning with industry trends for enhanced digital security.
2025-11-12 17:19:53 theregister VULNERABILITIES Zero-Day Exploits in Citrix and Cisco Lead to Custom Malware Deployment
Advanced attackers exploited zero-day vulnerabilities in Citrix and Cisco systems to deploy custom malware, as detected by Amazon's MadPot honeypot. The Citrix vulnerability, CVE-2025-5777, involves an out-of-bounds read flaw in NetScaler Gateway, enabling remote memory content leaks. Cisco's vulnerability, CVE-2025-20337, allows remote code execution with root privileges due to flawed deserialization logic in Cisco Identity Services Engine. Amazon identified a custom backdoor designed for Cisco ISE environments, featuring advanced evasion techniques and minimal forensic traces. The malware's sophisticated design suggests a threat actor with deep knowledge of Cisco ISE and Java applications, indicating significant resources and capabilities. Despite the critical nature of these vulnerabilities, both Cisco and Citrix have yet to comment on the exploitation incidents. Organizations are urged to apply patches immediately to mitigate risks associated with these high-severity vulnerabilities.
2025-11-12 16:43:04 bleepingcomputer MALWARE DanaBot Malware Resurfaces with New Version After Disruption
DanaBot, a banking trojan, has re-emerged with a new version after a six-month hiatus following law enforcement disruption. The latest variant, version 669, utilizes Tor domains and “backconnect” nodes for command-and-control infrastructure. Zscaler ThreatLabz identified cryptocurrency addresses linked to DanaBot for receiving stolen funds in multiple cryptocurrencies. Initially disclosed by Proofpoint, DanaBot has evolved into a modular information stealer targeting credentials and cryptocurrency wallets. Despite Operation Endgame's success in degrading DanaBot's operations, the malware's infrastructure has been rebuilt. DanaBot infections typically occur through malicious emails, SEO poisoning, and malvertising, sometimes leading to ransomware. Organizations are advised to update blocklists with new indicators of compromise and enhance security tools to mitigate DanaBot threats.
2025-11-12 15:50:51 thehackernews CYBERCRIME Google Takes Legal Action Against China-Based Phishing Platform Lighthouse
Google has initiated a lawsuit in the U.S. against Chinese hackers operating the Lighthouse Phishing-as-a-Service platform, responsible for defrauding over 1 million users globally. Lighthouse exploits trusted brands like E-ZPass and USPS through large-scale SMS phishing, stealing financial information via deceptive links. The platform has generated over $1 billion illegally in three years, leveraging Google's trademarks to create fraudulent websites. Google's legal strategy involves dismantling Lighthouse's infrastructure using the RICO Act, Lanham Act, and Computer Fraud and Abuse Act. Lighthouse, part of a broader Chinese cybercrime network, has been linked to over 17,500 phishing domains targeting 316 brands across 74 countries. Phishing templates from Lighthouse are sold on a subscription basis, with prices ranging from $88 to $1,588. Chinese smishing syndicates have potentially compromised millions of payment cards in the U.S., with new tools developed to exploit stolen data. The ongoing threat from platforms like Lighthouse underscores the need for robust defenses against evolving phishing tactics and cybercrime networks.
2025-11-12 15:41:18 bleepingcomputer VULNERABILITIES Extending Zero Trust Frameworks to Autonomous AI Agents
Organizations adopting AI agents risk expanding their attack surface due to insufficient security frameworks designed for these new technologies. AI agents operate autonomously, making decisions and accessing sensitive data, necessitating a reevaluation of existing security measures. Traditional security models are challenged by AI agents' dynamic access needs, often leading to excessive privileges and lack of accountability. Token Security advocates for integrating AI agents into Zero Trust frameworks, ensuring every access request is authenticated and monitored. The concept of "Excessive Agency" emerges when AI agents have more power than necessary, posing unintended risks to organizational security. Security leaders are urged to implement scalable guardrails that empower innovation while maintaining rigorous oversight of AI activities. CISOs are called to expand identity strategies to include AI agents, ensuring secure and accountable AI integration into business processes.
2025-11-12 14:11:31 bleepingcomputer VULNERABILITIES UK Introduces Cybersecurity Bill to Protect Critical Infrastructure
The UK government has proposed the Cyber Security and Resilience Bill to enhance defenses for critical infrastructure, addressing vulnerabilities in hospitals, energy, water, and transport sectors. This legislation builds on the NIS Regulations 2018, aiming to mitigate cyber threats that have previously disrupted NHS operations and compromised the Ministry of Defence's payroll systems. Managed service providers must now adhere to mandatory security standards, implement effective response plans, and report significant cyber incidents to the NCSC and regulators within strict timelines. Regulators can mandate critical suppliers to meet minimum security standards, tackling supply chain vulnerabilities and ensuring robust protection of essential services. The bill introduces turnover-based penalties for serious breaches, incentivizing compliance over cost-cutting, and extends protections to data centers and smart energy infrastructure. Recent research indicates that significant cyberattacks cost the UK economy approximately £14.7 billion annually, highlighting the financial impact of inadequate cybersecurity measures. The new legislation follows broader UK efforts, including banning ransom payments by critical infrastructure and public sector organizations, to bolster national cybersecurity resilience.
2025-11-12 14:04:36 thehackernews VULNERABILITIES Amazon Identifies Zero-Day Exploits in Cisco and Citrix Systems
Amazon's threat intelligence team discovered advanced threat actors exploiting zero-day vulnerabilities in Cisco ISE and Citrix NetScaler ADC to deploy custom malware. The vulnerabilities, identified as CVE-2025-5777 and CVE-2025-20337, were actively exploited to deliver a custom web shell disguised as a legitimate Cisco ISE component. The malware operates entirely in memory, using Java reflection for stealth, and employs DES encryption with non-standard Base64 encoding to avoid detection. The attacks were detected through Amazon's MadPot honeypot network, revealing the sophistication and resourcefulness of the threat actor involved. These findings stress the need for organizations to implement defense-in-depth strategies and robust detection mechanisms to identify unusual behavior patterns. The campaign targets critical identity and network access control infrastructure, emphasizing the vulnerability of even well-maintained systems to pre-authentication exploits. Organizations are urged to limit access to management portals through firewalls or layered access to mitigate risks associated with such vulnerabilities.
2025-11-12 14:04:35 bleepingcomputer VULNERABILITIES Zero-Day Exploits in Citrix and Cisco ISE Targeted by Advanced Hackers
An advanced threat actor exploited zero-day vulnerabilities in Citrix NetScaler ADC and Cisco Identity Services Engine (ISE) before public disclosure and patch availability. Amazon's MadPot honeypot detected exploitation attempts for Citrix Bleed 2 (CVE-2025-5777), indicating pre-disclosure attacks. The Cisco ISE vulnerability (CVE-2025-20337) allows unauthenticated attackers to execute arbitrary code or gain root access, with active exploitation confirmed shortly after disclosure. Hackers deployed a custom web shell, 'IdentityAuditAction,' on Cisco ISE, using advanced techniques to evade detection and maintain persistence. Despite the sophistication of the attack, the targeting was indiscriminate, which is unusual for advanced persistent threat (APT) operations. Amazon shared its findings with Cisco, leading to heightened awareness and reissued warnings about active exploitation. Organizations are urged to apply security updates for the identified vulnerabilities and enhance network device security through firewalls and layered defenses.