Daily Brief
Find articles below; the summaries are automatically generated.
Total articles found: 11629
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-11-11 19:14:54 | bleepingcomputer | VULNERABILITIES | Microsoft Releases First Windows 10 Extended Security Update KB5068781 | Microsoft has issued KB5068781, the first extended security update for Windows 10, following the OS reaching its end of support last month. The update addresses a bug that incorrectly indicated Windows 10 LTSC devices had reached end of support, despite support continuing until January 2027. This update includes critical Patch Tuesday security updates, resolving 63 vulnerabilities, including one actively exploited elevation-of-privilege flaw. Consumers and businesses can enroll in the Extended Security Updates (ESU) program, with costs varying by region and account type, to continue receiving security updates. An emergency fix was released to address a bug preventing some devices from enrolling in the ESU program, ensuring continuity of security updates. Windows 10 ESU and Windows 10 Enterprise LTSC 2021 devices will be updated to builds 19045.6575 and 19044.6575, respectively, following this mandatory update. The update is set to install automatically, prompting users to restart their devices upon completion to ensure the latest security measures are applied. |
| 2025-11-11 18:51:54 | bleepingcomputer | VULNERABILITIES | Microsoft Addresses Zero-Day and 63 Vulnerabilities in November Patch Update | Microsoft released its November 2025 Patch Tuesday update, addressing 63 vulnerabilities, including one zero-day actively exploited in the Windows Kernel. The zero-day, CVE-2025-62215, involves a race condition in the Windows Kernel, allowing attackers to gain SYSTEM privileges through improper synchronization. Four vulnerabilities are classified as "Critical," with two enabling remote code execution, one allowing privilege escalation, and another causing information disclosure. This update marks the first extended security update for Windows 10, urging users to upgrade to Windows 11 or enroll in the ESU program. An out-of-band update was released to resolve enrollment issues in the ESU program, ensuring continued security support for Windows 10 users. Microsoft Threat Intelligence Center and Security Response Center were credited with identifying the zero-day, though exploitation details remain undisclosed. Organizations are encouraged to join webinars and adopt modern patch management strategies to enhance update deployment efficiency and minimize security risks. |
| 2025-11-11 18:41:49 | thehackernews | MALWARE | Maverick Malware Exploits WhatsApp to Target Brazilian Banks | A new malware named Maverick, linked to the Coyote banking trojan, has been identified targeting Brazilian banks via WhatsApp, exploiting its web version for propagation. CyberProof reports Maverick and Coyote share code similarities, both written in .NET, targeting specific banking URLs and monitoring applications to steal credentials. Maverick spreads through a self-propagating malware, SORVEPOTEL, which uses WhatsApp Web to deliver a ZIP archive containing the malicious payload. The malware monitors browser tabs for financial institution URLs, contacting a remote server to execute phishing attacks and gather system information. Advanced evasion techniques include disabling Microsoft Defender, using PowerShell scripts, and checking for reverse engineering tools before executing. Targeting is geographically restricted to Brazil, with the malware verifying the victim's location through time zone and language settings. The campaign suggests a significant shift in tactics, leveraging legitimate browser profiles and messaging platforms for stealthier, scalable attacks. The popularity of WhatsApp in Brazil, with over 148 million users, facilitates the widespread nature of this campaign, posing a significant threat to regional financial institutions. |
| 2025-11-11 17:09:23 | bleepingcomputer | CYBERCRIME | Bitcoin Queen Sentenced for $7.3 Billion Crypto Fraud Scheme | Zhimin Qian, known as the "Bitcoin Queen," received an 11-year prison sentence in London for orchestrating a massive cryptocurrency fraud. The scheme defrauded over 128,000 victims in China from 2014 to 2017, involving the laundering of £5.5 billion ($7.3 billion) in Bitcoin. The Metropolitan Police's Economic Crime team led a seven-year investigation, culminating in the largest cryptocurrency seizure in British history. Qian converted illicit funds into cash, jewelry, and Bitcoin, fleeing to the UK under a false identity before being apprehended. Seng Hok Ling, an accomplice, was sentenced to nearly five years for his role in transferring the fraudulent cryptocurrency. The operation involved collaboration between UK and Chinese law enforcement, highlighting the global nature of cryptocurrency-related crimes. This case demonstrates the challenges and capabilities of law enforcement in tracing and seizing digital assets linked to organized crime. |
| 2025-11-11 16:32:16 | theregister | NATION STATE ACTIVITY | North Korean KONNI Group Exploits Google Find My Device for Espionage | North Korea's KONNI group misused Google's Find My Device feature to remotely wipe Android devices of South Korean targets, erasing data and evidence of cyber intrusions. This campaign involved stealing Google account credentials via spear-phishing, allowing unauthorized access to the Find My Device platform for executing factory resets. Victims were approached through the KakaoTalk app, with malicious files leading to the installation of Remote Access Trojans (RATs) like RemcosRAT and QuasarRAT. Attackers utilized GPS data to time device wipes when victims were less likely to respond, ensuring prolonged disruption and data loss. The operation signifies an escalation in mobile-focused tactics by North Korean cyber operators, leveraging legitimate cloud services for covert activities. The incident emphasizes the vulnerabilities in "lost device" features, which can be exploited for malicious purposes if account credentials are compromised. Genians advises enabling multifactor or biometric authentication for Find My Device users to mitigate risks from similar threats. |
| 2025-11-11 15:46:53 | thehackernews | MALWARE | GootLoader Malware Resurfaces with New Obfuscation Techniques | GootLoader, a JavaScript-based malware loader, has re-emerged, targeting WordPress sites with advanced obfuscation techniques to evade detection and deliver malicious payloads. Recent attacks have leveraged custom WOFF2 fonts to disguise filenames, complicating static analysis and making malware detection more challenging for cybersecurity tools. Huntress reported three GootLoader infections since late October 2025, with two incidents escalating to domain controller compromises within 17 hours of initial infection. The malware exploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads, each with unique decryption keys, enhancing its evasive capabilities. GootLoader is linked to Hive0127 and utilizes SEO poisoning and Google Ads to redirect victims to compromised sites, often deploying ransomware and backdoors like Supper. The Supper backdoor, embedded in ZIP archives, facilitates remote control and SOCKS5 proxying, often bypassing automated analysis tools by appearing as harmless files. Cybersecurity teams are advised to enhance monitoring of WordPress sites and employ advanced detection methods to counteract these sophisticated obfuscation strategies. |
| 2025-11-11 15:46:53 | bleepingcomputer | VULNERABILITIES | SAP Releases Critical Patches for SQL Anywhere and Solution Manager | SAP's November updates address critical vulnerabilities in SQL Anywhere Monitor and Solution Manager, including a maximum severity flaw with a score of 10.0. CVE-2025-42890 involves hardcoded credentials in SQL Anywhere Monitor, posing risks of unauthorized access and arbitrary code execution. The non-GUI version of SQL Anywhere Monitor is often used on unattended systems, increasing potential exposure to attackers. CVE-2025-42887 affects SAP Solution Manager, allowing code injection due to inadequate input validation, risking full system compromise. SAP also patched 15 other vulnerabilities, including a critical flaw in NetWeaver, emphasizing the need for immediate update application. No active exploitation of these vulnerabilities has been reported, but SAP advises prompt patching and adherence to mitigation guidelines. SAP's widespread use in large enterprises makes it a prime target for attackers, underscoring the importance of maintaining updated security measures. |
| 2025-11-11 15:29:00 | bleepingcomputer | DATA BREACH | GlobalLogic Employee Data Compromised in Oracle EBS Breach | GlobalLogic, a Hitachi group company, notified over 10,000 employees of a data breach involving their personal information stolen via an Oracle E-Business Suite vulnerability. The breach exploited a zero-day flaw, CVE-2025-61882, allowing attackers to access and exfiltrate sensitive HR data including names, addresses, and Social Security Numbers. Initial unauthorized access was detected in July 2025, with exfiltration confirmed by October 9, 2025; the breach was limited to the Oracle platform, sparing other systems. The attack aligns with the Clop ransomware gang's extortion campaign, which has targeted multiple organizations using the same Oracle EBS vulnerability. Clop has not yet listed GlobalLogic on its leak site, indicating potential ongoing negotiations or a possible ransom payment. The U.S. State Department is offering a $10 million reward for information linking Clop's activities to any foreign government, reflecting the severity of these attacks. Organizations using Oracle EBS are advised to apply security patches promptly and review access controls to mitigate similar threats. |
| 2025-11-11 15:02:20 | bleepingcomputer | CYBERCRIME | Varonis Thwarts RansomHub Ransomware Attack, Prevents Business Disruption | Varonis detected a CPU spike on a customer's server, leading to the discovery of a RansomHub ransomware affiliate attack in progress. The attack began with a user executing a malicious JavaScript file disguised as a browser update, initiating automated reconnaissance and command-and-control activities. Advanced threat actors deployed a SOCKS proxy using multi-layer encrypted scripts, enabling direct communication between attacker endpoints and the corporate network. Attackers gained Domain Admin privileges within four hours by exploiting misconfigured Active Directory Certificate Services, highlighting critical security gaps. Varonis intervened, severing malicious access and preventing potential ransomware deployment, ensuring zero business downtime for the customer. The incident underscores the importance of proactive monitoring and swift response to anomalies to prevent severe operational impacts. Organizations are reminded of the necessity to regularly audit and secure Active Directory configurations to mitigate privilege escalation risks. |
| 2025-11-11 14:34:07 | theregister | MISCELLANEOUS | EU's Proposed GDPR Reforms Spark Privacy Concerns Among Activists | Privacy advocates criticize the European Commission's proposed reforms to GDPR and AI regulations, alleging favoritism towards Big Tech and potential weakening of privacy protections. The proposed "Digital Omnibus" package aims to amend regulations on AI, cybersecurity, data protection, and privacy, potentially impacting businesses and individuals across Europe. Critics argue that the reforms could introduce loopholes allowing companies more freedom to use personal data commercially, undermining existing GDPR protections. Changes could limit individuals' rights to access, correct, or delete their data, affecting employees, journalists, and researchers' ability to leverage data access in disputes. Proposals may weaken protections for sensitive data, allowing companies to infer personal information without triggering existing safeguards, raising concerns about discrimination risks. The reforms are presented as reducing administrative burdens for small businesses, but privacy groups view this as a strategy to garner public support for the changes. The outcome of these proposals could influence global policymaking, as past EU regulations have inspired similar laws in other regions, including the United States. |
| 2025-11-11 13:30:45 | theregister | VULNERABILITIES | OWASP 2025 Report: Broken Access Control Tops Security Risks | The OWASP 2025 report identifies broken access control as the leading application security risk, affecting 3.73% of tested applications, emphasizing its prevalence across web apps, APIs, and digital systems. Security misconfiguration ranks second, driven by a trend towards configuration-based security, particularly impacting cloud and infrastructure environments. Software supply chain failures debut in the top three, attributed to their high exploit potential and impact, despite fewer occurrences. The report introduces a new category, mishandling of exceptional conditions, addressing vulnerabilities from improper error handling and race conditions. Prompt injection is flagged as the top risk for AI applications, where input manipulation can bypass security checks in large language models. OWASP's list, based on extensive data and community feedback, aims to guide organizations in prioritizing security efforts effectively. Developers express concern that despite increased identification of issues, secure coding remains a low priority until incidents occur. |
| 2025-11-11 13:14:09 | bleepingcomputer | VULNERABILITIES | Webinar Explores Modern Strategies for Effective Patch Management | BleepingComputer and SC Media will host a webinar on December 2nd, focusing on modern patch management strategies to address persistent challenges in vulnerability remediation. Gene Moody, Field CTO at Action1, will discuss innovative approaches to overcome delays and risks associated with outdated patching processes. The session will highlight how automation and continuous visibility can help prioritize risks, maintain compliance, and accelerate patching in dynamic IT environments. Action1's cloud-native platform offers a real-time solution, addressing the limitations of legacy tools like Microsoft WSUS, which struggled with scalability and maintenance. Practical advice and real-world examples will be shared, illustrating how organizations can align remediation efforts with business impact, freeing resources through automation. The webinar aims to equip IT and security teams with strategies to bridge the gap between detection and remediation, reducing exposure to breaches from known vulnerabilities. Participants will learn to prioritize patches based on business impact, improve visibility, and implement policy-driven, compliance-aware patching practices. |
| 2025-11-11 12:25:46 | theregister | DATA BREACH | Clop Ransomware Exploits Oracle EBS, Compromises 10,000 GlobalLogic Staff Records | GlobalLogic, owned by Hitachi, reported a data breach affecting over 10,000 current and former employees, linked to Clop ransomware's exploitation of Oracle E-Business Suite vulnerabilities. Exposed data includes sensitive personal information such as Social Security numbers, passport details, and bank account information, raising significant privacy and security concerns. The breach is part of a broader campaign impacting high-profile entities like The Washington Post and Allianz UK, exploiting Oracle EBS vulnerabilities CVE-2025-61882 and CVE-2025-61884. GlobalLogic's investigation indicates unauthorized access began in July 2025, aligning with findings from Google Threat Intelligence Group and Mandiant on suspicious traffic targeting Oracle EBS servers. Oracle released emergency patches in September; however, many organizations were likely compromised before the updates were available, highlighting the need for timely patch management. Clop's strategy focuses on data theft and extortion rather than encryption, using leak sites to pressure victims, which has proven profitable in past incidents. The incident underscores the critical importance of securing enterprise resource planning systems, which are often deeply integrated into corporate operations. |
| 2025-11-11 11:58:44 | theregister | VULNERABILITIES | UK Investigates Remote Access Risks in Chinese-Made Electric Buses | The UK government is examining potential cybersecurity risks in Chinese-made Yutong electric buses, prompted by concerns from Norwegian operator Ruter about remote access vulnerabilities. Ruter's tests revealed that Yutong buses might be remotely accessed for software updates and diagnostics, raising fears of potential operational disruptions. The UK National Cyber Security Centre is collaborating with the Department for Transport to assess and mitigate any identified risks in the 700 Yutong buses operating in the UK. Pelican, the UK importer, asserts that Yutong vehicles comply with international cybersecurity standards, and updates are manually applied by engineers on-site. Yutong claims compliance with UN and ISO cybersecurity regulations, storing EU data in Frankfurt, but questions about remote power management access remain unanswered. The situation highlights the importance of robust cybersecurity measures in procurement processes for critical public infrastructure like electric buses. Industry leaders, including First Bus, emphasize the significance of cybersecurity in procurement, acknowledging the broader industry learning from Ruter's findings. |
| 2025-11-11 11:58:43 | thehackernews | MALWARE | Malicious npm Package Targets GitHub Repositories for Token Theft | A malicious npm package, "@acitons/artifact," was discovered targeting GitHub-owned repositories by mimicking the legitimate "@actions/artifact" package. The package aimed to execute scripts during GitHub repository builds to exfiltrate tokens and publish malicious artifacts. Six versions of the package included a post-install hook to download and execute malware, but these versions have been removed by the threat actor. The package, uploaded on October 29, 2025, achieved 47,405 downloads, indicating significant exposure before removal. Another similar package, "8jfiesaf83," was identified but is no longer available; it had been downloaded 1,016 times. The malware used an obfuscated shell script to exfiltrate data from GitHub Actions workflows to a specific subdomain. This attack specifically targeted GitHub's own repositories, suggesting a highly focused campaign against the organization. |