Daily Brief

Generated summaries of each article are shown below.
2025-11-11 12:25:46 theregister DATA BREACH Clop Ransomware Exploits Oracle EBS, Compromises 10,000 GlobalLogic Staff Records
GlobalLogic, owned by Hitachi, reported a data breach affecting over 10,000 current and former employees, linked to Clop ransomware's exploitation of Oracle E-Business Suite vulnerabilities. Exposed data includes sensitive personal information such as Social Security numbers, passport details, and bank account information, raising significant privacy and security concerns. The breach is part of a broader campaign impacting high-profile entities like The Washington Post and Allianz UK, exploiting Oracle EBS vulnerabilities CVE-2025-61882 and CVE-2025-61884. GlobalLogic's investigation indicates unauthorized access began in July 2025, aligning with findings from Google Threat Intelligence Group and Mandiant on suspicious traffic targeting Oracle EBS servers. Oracle released emergency patches in September; however, many organizations were likely compromised before the updates were available, highlighting the need for timely patch management. Clop's strategy focuses on data theft and extortion rather than encryption, using leak sites to pressure victims, which has proven profitable in past incidents. The incident underscores the critical importance of securing enterprise resource planning systems, which are often deeply integrated into corporate operations.
2025-11-11 11:58:44 theregister VULNERABILITIES UK Investigates Remote Access Risks in Chinese-Made Electric Buses
The UK government is examining potential cybersecurity risks in Chinese-made Yutong electric buses, prompted by concerns from Norwegian operator Ruter about remote access vulnerabilities. Ruter's tests revealed that Yutong buses might be remotely accessed for software updates and diagnostics, raising fears of potential operational disruptions. The UK National Cyber Security Centre is collaborating with the Department for Transport to assess and mitigate any identified risks in the 700 Yutong buses operating in the UK. Pelican, the UK importer, asserts that Yutong vehicles comply with international cybersecurity standards, and updates are manually applied by engineers on-site. Yutong claims compliance with UN and ISO cybersecurity regulations, storing EU data in Frankfurt, but questions about remote power management access remain unanswered. The situation highlights the importance of robust cybersecurity measures in procurement processes for critical public infrastructure like electric buses. Industry leaders, including First Bus, emphasize the significance of cybersecurity in procurement, acknowledging the broader industry learning from Ruter's findings.
2025-11-11 11:58:43 thehackernews MALWARE Malicious npm Package Targets GitHub Repositories for Token Theft
A malicious npm package, "@acitons/artifact," was discovered targeting GitHub-owned repositories by mimicking the legitimate "@actions/artifact" package. The package aimed to execute scripts during GitHub repository builds to exfiltrate tokens and publish malicious artifacts. Six versions of the package included a post-install hook to download and execute malware, but these versions have been removed by the threat actor. The package, uploaded on October 29, 2025, achieved 47,405 downloads, indicating significant exposure before removal. Another similar package, "8jfiesaf83," was identified but is no longer available; it had been downloaded 1,016 times. The malware used an obfuscated shell script to exfiltrate data from GitHub Actions workflows to a specific subdomain. This attack specifically targeted GitHub's own repositories, suggesting a highly focused campaign against the organization.
2025-11-11 11:58:43 thehackernews VULNERABILITIES AI-Driven Supply Chain Attacks Demand New Defensive Strategies
AI-enabled supply chain attacks have surged by 156% in the past year, challenging traditional security measures and demanding innovative defensive strategies from organizations. Recent incidents include the NullBulge group's attacks on Hugging Face and GitHub, which leveraged open-source repositories to target AI tools and gaming software. The Solana Web3.js library was compromised through phishing, and backdoor code inserted into it led to the theft of up to $190,000 in cryptocurrency. Wondershare RepairIt vulnerabilities exposed sensitive data through hardcoded cloud credentials, opening the door to supply chain attacks on AI models. The 3CX attack of 2023, affecting 600,000 companies, showcased polymorphic traits of AI-assisted malware, complicating detection efforts. Traditional security approaches, such as signature-based detection, are increasingly ineffective against rapidly mutating AI-generated threats. Regulatory frameworks like the EU AI Act impose stringent requirements on AI supply chain security, with penalties reaching up to 7% of global turnover. Organizations are urged to adopt a new defensive framework, integrating AI-specific controls to gain a competitive advantage in cybersecurity resilience.
2025-11-11 11:49:30 thehackernews MALWARE Fantasy Hub Android Trojan Transforms Telegram into Cybercrime Marketplace
Fantasy Hub, a new Android remote access trojan, is marketed on Russian-speaking Telegram channels as a Malware-as-a-Service (MaaS) offering, targeting financial and enterprise mobile users. The malware enables extensive espionage capabilities, including SMS interception, contact extraction, and banking credential theft, posing significant risks to businesses with BYOD policies. Fantasy Hub users can create fake Google Play Store pages to distribute the malware, which masquerades as legitimate apps, enhancing its reach and effectiveness. The service includes a bot-driven subscription model, allowing attackers to customize and deploy trojanized APKs, with prices ranging from $200 weekly to $4,500 annually. The malware abuses the default SMS handler role to gain permissions, using fake overlays to capture banking credentials from Russian institutions like Alfa and Sberbank. Zscaler ThreatLabz reports a 67% increase in Android malware transactions, highlighting the growing threat of sophisticated spyware and banking trojans. CERT Polska warns of Android malware, NGate, targeting Polish banks via NFC relay attacks, emphasizing the need for robust mobile security measures.
2025-11-11 11:08:59 theregister CYBERCRIME UK Cyber Insurance Payouts Surge Amid Rising Ransomware Attacks
The Association of British Insurers reported a significant increase in cyber insurance payouts in the UK, totaling £197 million ($259 million) in 2024, up from £59 million ($77 million) in 2023. Ransomware and malware incidents accounted for 51% of claims in 2024, a notable rise from 32% in 2023, reflecting growing attack sophistication and impact. Cyber insurance is seen as a critical risk management tool, offering financial support and access to expert advice, threat monitoring, and incident response planning. High-profile companies like Marks & Spencer and Jaguar Land Rover faced substantial financial impacts from cyberattacks, with varying levels of insurance coverage affecting their recovery strategies. The debate continues over whether cyber insurance encourages ransom payments, with some experts advocating for policy changes to prevent incentivizing criminal activities. Industry leaders argue that cyber insurance can drive improved security standards by enforcing minimum requirements on policyholders. The UK's National Cyber Security Centre supports the role of cyber insurance in enhancing organizational security, despite ongoing discussions about its influence on ransom payments.
2025-11-11 10:14:46 theregister MISCELLANEOUS UK's Ajax Fighting Vehicle Faces Operational and Safety Challenges
The UK's Ministry of Defence has declared initial operating capability for the Ajax armored fighting vehicle, despite significant delays and ongoing safety concerns affecting crew health. Originally planned for delivery in 2017, the Ajax program is at least five years behind schedule, with only 165 of the 589 vehicles delivered to date. Technical issues, including excessive noise and vibration, have led to crew injuries, prompting hospital visits and raising questions about the vehicle's fitness for purpose. A House of Commons report criticized the Ministry of Defence and General Dynamics for underestimating the complexity of developing Ajax, which required meeting 1,200 capability requirements. Despite the challenges, the British Army values the advanced situational awareness and control features of Ajax, which represent a significant upgrade over previous armored vehicles. Concerns persist about Ajax's vulnerability to modern drone warfare, as it lacks airburst ammunition, which could enhance its defense against aerial threats. The program's cost has escalated to an estimated £6.3 billion ($8.3 billion), exceeding the initial budget, with further financial implications anticipated.
2025-11-11 00:53:19 bleepingcomputer NATION STATE ACTIVITY North Korean APT37 Exploits Google Find Hub in Targeted Attacks
North Korean group APT37 leverages Google Find Hub to track and reset Android devices, primarily targeting South Korean individuals through KakaoTalk messenger. The campaign, linked to KONNI activity, involves spear-phishing attacks spoofing South Korean agencies, leading to device compromise and data exfiltration. Attackers use remote access trojans, including RemcosRAT and QuasarRAT, to harvest credentials and manipulate security settings on victim devices. The use of Google Find Hub allows attackers to remotely wipe devices, isolating victims and erasing traces of the attack to hinder recovery efforts. Genians' analysis reveals attackers timed GPS tracking and device resets to coincide with victims being less responsive, enhancing attack effectiveness. Recommendations include enabling multi-factor authentication for Google accounts and verifying sender identity before opening files in messaging apps. Genians provides technical analysis and indicators of compromise to assist organizations in identifying and mitigating related threats.
2025-11-11 00:18:34 theregister VULNERABILITIES Microsoft Researchers Identify Side-Channel Vulnerability in LLMs
Microsoft researchers discovered a side-channel attack, Whisper Leak, targeting large language models (LLMs) by analyzing packet size and timing patterns to infer encrypted prompt topics. This vulnerability affects models from providers such as Anthropic, AWS, DeepSeek, and Google, posing risks to both personal and enterprise communications. The attack exploits streaming models, which send responses incrementally, making them susceptible to interception and analysis by attackers monitoring encrypted traffic. Microsoft disclosed the flaw to affected vendors, with Mistral, Microsoft, OpenAI, and xAI implementing mitigations, while others remain unresponsive or declined to act. The attack's probabilistic nature means different vendors experience varying impacts, with proof-of-concept tests showing high precision in identifying sensitive topics. Mitigation strategies include adding random text sequences to responses and grouping tokens to obscure size and timing patterns, reducing attack effectiveness. Despite no known active attacks, the potential for offline exploitation remains, emphasizing the need for vigilant monitoring and proactive defenses against such vulnerabilities.
2025-11-10 22:30:10 bleepingcomputer VULNERABILITIES Firefox 145 Introduces Enhanced Anti-Fingerprinting Privacy Features
Mozilla has announced Firefox 145 with advanced anti-fingerprinting features aimed at reducing user tracking across web sessions, initially available in Private Browsing and ETP Strict modes. Fingerprinting allows tracking of users through unique digital signatures derived from subtle identifiers like timezone and hardware details, even when cookies are blocked. The new Phase 2 protections reduce the proportion of users who can be uniquely fingerprinted to 20%, down from 35%, by blocking requests for hardware and software details. Mozilla balances privacy with usability, allowing users to disable protections on specific sites to prevent disruption of legitimate website functionality. Firefox 145 is available for download, marking the first release without a 32-bit Linux version due to decreased demand. These privacy enhancements reflect Mozilla's ongoing commitment to user privacy while maintaining essential web functionality.
2025-11-10 21:30:02 bleepingcomputer CYBERCRIME Quantum Route Redirect PhaaS Targets Microsoft 365 Credentials Globally
Quantum Route Redirect, a phishing automation platform, is exploiting around 1,000 domains to steal Microsoft 365 credentials, impacting users worldwide, with 76% of attacks targeting the U.S. The platform enables less skilled cybercriminals to execute sophisticated phishing attacks by automating traffic rerouting and victim tracking, increasing the threat landscape. Phishing emails mimic legitimate communications like DocuSign requests or payment notifications, directing victims to credential harvesting sites with URLs following a specific pattern. The platform's built-in filtering mechanism can differentiate between bots and human visitors, redirecting victims to phishing pages while sending automated systems to benign sites. KnowBe4 researchers have identified the platform's extensive use across 90 countries, predicting its growth due to its ability to evade URL scanning technologies. Similar phishing services such as VoidProxy and Darcula have gained traction, but robust URL filtering and account monitoring tools are recommended to mitigate these threats. Organizations are advised to enhance their cybersecurity measures to detect and prevent phishing attempts, safeguarding sensitive user credentials from compromise.
2025-11-10 20:52:13 thehackernews VULNERABILITIES Triofox Vulnerability Exploited to Deploy Remote Access Tools
Mandiant Threat Defense identified active exploitation of a critical vulnerability in Triofox, tracked as CVE-2025-12480, allowing unauthorized access and execution of arbitrary payloads. The flaw, with a CVSS score of 9.1, enables attackers to bypass authentication and access Triofox configuration pages, facilitating the upload of malicious files. Threat actor UNC6485 has been exploiting this vulnerability since August 2025, despite a patch released by Gladinet in July 2025. Attackers created a new admin account and used it to execute malicious scripts via Triofox's antivirus feature, which runs them with SYSTEM account privileges. Malicious scripts downloaded Zoho UEMS to deploy remote access tools like Zoho Assist and AnyDesk, enabling reconnaissance and privilege escalation. To evade detection, attackers used tools like Plink and PuTTY to establish encrypted tunnels for inbound RDP traffic to a command-and-control server. Triofox users are urged to update to the latest software version, audit admin accounts, and ensure antivirus configurations do not allow unauthorized script execution.
2025-11-10 20:35:28 thehackernews NATION STATE ACTIVITY Konni APT Exploits Google's Find Hub for Remote Data Wiping
North Korea-affiliated Konni group has launched attacks on Android and Windows devices, targeting data theft and remote control, employing innovative tactics to evade detection. Attackers impersonated psychological counselors and North Korean human rights activists, distributing malware as stress-relief programs, deceiving victims into installing malicious software. The group exploited Google's Find Hub to remotely reset Android devices, leading to unauthorized data deletion, marking a novel use of legitimate management functions for malicious purposes. Initial access was gained through spear-phishing emails mimicking legitimate entities, distributing malware like Lilith RAT and EndRAT to compromise systems and exfiltrate sensitive credentials. The attackers maintained long-term presence on compromised systems, using evasion tactics, and leveraged stolen credentials to initiate remote wipes and conceal activities. The operation included the use of various RATs such as Remcos, Quasar, and RftRAT, indicating a focus on Korea-related targets and a sophisticated approach to cyber espionage. This incident underscores the need for enhanced vigilance and robust cybersecurity measures to protect against evolving tactics of state-sponsored threat actors.
2025-11-10 20:25:08 bleepingcomputer CYBERCRIME Russian National Pleads Guilty in Yanluowang Ransomware Case
Aleksey Olegovich Volkov, a Russian national, admitted to acting as an initial access broker for Yanluowang ransomware, targeting at least eight U.S. companies from July 2021 to November 2022. Volkov breached corporate networks, selling access to the Yanluowang group, which demanded ransoms between $300,000 and $15 million, payable in Bitcoin. The FBI's investigation involved search warrants, revealing chat logs, stolen data, and network credentials, tracing Volkov's identity through digital footprints including iCloud and cryptocurrency records. Evidence indicated Volkov negotiated with a co-conspirator, receiving a portion of the $1.5 million in ransom payments from victims, with blockchain analysis confirming payment routes. Volkov is linked to breaches affecting various U.S. companies, including engineering firms and banks, with two victims paying significant ransoms. Arrested in Italy and extradited to the U.S., Volkov faces up to 53 years in prison and must pay over $9.1 million in restitution. This case underscores the persistent threat of ransomware and the importance of robust cybersecurity measures to protect corporate networks.
2025-11-10 20:00:37 bleepingcomputer VULNERABILITIES CISA Mandates Urgent Patch for Samsung Zero-Day Exploited in Spyware Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has directed U.S. federal agencies to patch a critical Samsung vulnerability exploited in zero-day attacks. Tracked as CVE-2025-21042, this flaw in Samsung's libimagecodec.quram.so library allows remote code execution on Android 13 and later devices. The vulnerability has been used to deploy LandFall spyware via malicious DNG images sent through WhatsApp, affecting Samsung Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 models. Unit 42's analysis reveals potential targets in Iraq, Iran, Turkey, and Morocco, with infrastructure patterns similar to UAE-originated Stealth Falcon operations. CISA has added the flaw to its Known Exploited Vulnerabilities catalog, requiring federal agencies to secure devices by December 1 under Binding Operational Directive 22-01. While the directive specifically targets federal agencies, CISA advises all organizations to prioritize patching to mitigate significant risks posed by this vulnerability. Samsung previously addressed another similar vulnerability in September, emphasizing the need for ongoing vigilance against zero-day threats.