Daily Brief
Total articles found: 11632
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-11-10 19:13:08 | bleepingcomputer | CYBERCRIME | Russian National to Plead Guilty in Yanluowang Ransomware Case | Aleksey Olegovich Volkov, a Russian national, will plead guilty to facilitating Yanluowang ransomware attacks on eight U.S. companies between July 2021 and November 2022. Volkov acted as an initial access broker, breaching networks and selling access to the ransomware group, which demanded ransoms between $300,000 and $15 million. FBI investigations revealed Volkov's identity through iCloud data, cryptocurrency exchanges, and social media, linking him to multiple network breaches across the U.S. Evidence from chat logs showed Volkov negotiating with a co-conspirator and receiving a share of the $1.5 million in ransom payments from victims. Volkov faces up to 53 years in prison and must pay over $9.1 million in restitution to the victims of the attacks. The Yanluowang ransomware was first identified in October 2021 and has been involved in targeted attacks globally, including a failed attempt on Cisco's systems. Volkov's arrest in Italy and subsequent extradition to the U.S. highlight international cooperation in combating cybercrime. |
| 2025-11-10 19:05:08 | theregister | MISCELLANEOUS | Federal Cybersecurity Funding Resumes Amidst Government Shutdown Resolution | The U.S. Senate advanced a short-term funding bill to end the longest federal government shutdown, restoring critical cybersecurity programs that had lapsed. The bill extends the expiration of the Cybersecurity Information Sharing Act and Federal Cybersecurity Enhancement Act, crucial for federal and private sector security. The lapse in these cybersecurity measures was seen as a significant risk, potentially exposing sensitive information to hostile foreign entities. The resolution includes reinstating federal employees affected by the shutdown, including those at the Cybersecurity and Infrastructure Security Agency. Contractors, such as ServiceNow, expressed relief, as the shutdown had stalled procurement and modernization projects and impacted their operations. The current resolution only funds these measures until November 21, requiring further congressional action to avoid another shutdown. The political landscape remains unstable, with potential for another shutdown if agreements on healthcare subsidies are not honored by Republicans. |
| 2025-11-10 18:38:02 | theregister | CYBERCRIME | Phishing Campaign Targets Over 5,000 Facebook Advertisers Globally | A large-scale phishing campaign targeted over 5,000 businesses using Facebook for advertising, with attackers sending approximately 40,000 emails from the legitimate facebookmail.com domain. Attackers created fake Facebook Business pages and used the Business invitation feature to send deceptive emails, making them appear as legitimate Meta notifications. The phishing emails aimed to steal credentials and sensitive information by redirecting users to fraudulent websites, exploiting trust in Meta's communication channels. Targeted sectors included automotive, education, real estate, hospitality, and finance, with both small and large companies affected, particularly those relying on Meta for customer engagement. Check Point researchers noted the campaign's global reach, affecting businesses in the US, Europe, Canada, and Australia, and emphasized the need for heightened vigilance beyond their customer base. The campaign demonstrates a growing trend of cybercriminals exploiting legitimate services to bypass security controls, posing a significant threat to businesses worldwide. Meta has not yet responded to inquiries about the phishing operation, while Check Point continues to investigate the extent of compromised credentials and data theft. |
| 2025-11-10 18:38:01 | bleepingcomputer | VULNERABILITIES | Critical RCE Vulnerability Found in Popular JavaScript Library | A critical remote code execution vulnerability, CVE-2025-12735, was identified in the expr-eval JavaScript library, which sees over 800,000 weekly downloads. The flaw allows attackers to execute arbitrary code because the library fails to validate inputs passed to the Parser.evaluate() function. This vulnerability affects both the original expr-eval library and its active fork, expr-eval-fork, used in over 250 projects. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) rated the severity as critical, with a score of 9.8. A security patch is available in expr-eval-fork version 3.0.0, which includes an allowlist of safe functions and improved test coverage. Developers are urged to migrate to the patched version immediately to mitigate potential exploitation risks. The original expr-eval project remains unresponsive, delaying the integration of the fix into a new release. This incident underscores the importance of regular security audits and timely patching in software development practices. |
| 2025-11-10 15:07:47 | theregister | CYBERCRIME | Russian Broker Admits Role in Yanluowang Ransomware Attacks | Aleksei Volkov, a Russian national, pleaded guilty to charges linked to his role as an initial access broker for Yanluowang ransomware attacks on U.S. organizations. Volkov facilitated at least seven ransomware incidents, selling access to business networks using employee credentials and profiting from ransom payments. He received significant cuts from ransom payments, including $94,259 from a Philadelphia business and $162,220 from a Michigan company. Volkov was ordered to pay $9.1 million in restitution to six victims, with the Michigan company owed over $7.2 million after negotiating a ransom down from $15 million. Court documents revealed Volkov's collaboration with a co-conspirator, discussing ransomware operations and negotiating his compensation. Investigations suggest Volkov may have been involved in additional attacks, including one targeting a foreign company with a U.S. subsidiary. The FBI's analysis of Volkov's accounts indicates potential connections with other cybercriminal entities, such as LockBit. Volkov faces multiple charges, including access device fraud and money laundering conspiracy, with sentencing pending. |
| 2025-11-10 15:07:46 | bleepingcomputer | CYBERCRIME | LinkedIn Emerges as Prime Platform for Sophisticated Phishing Attacks | Phishing attacks are increasingly targeting LinkedIn, with 34% of such attacks now occurring outside traditional email channels, affecting the financial services and technology sectors. Attackers exploit the fact that email security tools do not cover LinkedIn messages, making it difficult for organizations to detect and intercept malicious communications on corporate devices. Phishing campaigns leverage hijacked legitimate accounts and AI-generated messages, allowing attackers to scale operations and enhance the credibility of their outreach. LinkedIn's professional networking nature facilitates easy mapping of organizational structures, enabling attackers to identify high-value targets for spear-phishing. The absence of message screening on LinkedIn increases the likelihood of successful attacks, as users often trust and engage with messages from known contacts. Compromised accounts can lead to broader breaches, granting attackers access to enterprise cloud platforms and potentially resulting in significant financial and data losses. Security solutions must evolve to detect and block phishing across all communication channels, including social media, to effectively combat these sophisticated threats. |
| 2025-11-10 12:58:05 | thehackernews | MALWARE | Curly COMrades Exploit Hyper-V to Conceal Malware in Linux VMs | Curly COMrades, a group linked to Russian interests, used Microsoft's Hyper-V to hide malware in Alpine Linux virtual machines on compromised Windows systems. This technique allows malicious activities to bypass traditional endpoint security tools by running outside the host operating system's visibility. The operation involved deploying CurlyShell and CurlyCat malware, with the campaign observed in July 2025, although specific victims remain unidentified. Attackers leveraged the Windows Deployment Image Servicing and Management tool to enable Hyper-V, while disguising their actions by disabling the graphical interface. The group used PowerShell cmdlets to import and start the virtual machine, which was designed to mimic the Windows Subsystem for Linux, enhancing deception. By using Hyper-V's internal NAT service, malicious communications appeared as legitimate host machine traffic, complicating detection efforts. This case illustrates the increasing sophistication of threat actors in evading detection, emphasizing the need for advanced security measures beyond traditional EDR/XDR solutions. |
| 2025-11-10 11:59:33 | thehackernews | VULNERABILITIES | Browser Security Report 2025 Identifies Critical Enterprise Threats | The Browser Security Report 2025 reveals that browsers have become a central threat surface, with unmanaged extensions and GenAI tools posing significant risks. Traditional security controls like DLP, EDR, and SSE operate below the browser layer, missing critical threats such as data exfiltration via copy/paste activities. GenAI tools are now the leading channel for data exfiltration, with nearly half of employees using them through unmanaged accounts, outside IT oversight. AI browsers, integrating large language models, create new attack surfaces by merging search, chat, and browsing, often bypassing existing enterprise security measures. The report indicates that 99% of enterprise users have at least one browser extension, many with high permissions, forming an unmanaged software supply chain. Over two-thirds of logins occur outside of SSO, with personal credentials often used, complicating identity governance and increasing risks of unauthorized access. Security teams are advised to adopt browser-native controls to regain visibility and manage session-level activities without disrupting user experience. The report emphasizes the need for modern browser security platforms to address these emerging vulnerabilities and prevent future data leaks and identity compromises. |
| 2025-11-10 09:52:36 | theregister | DATA BREACH | Allianz UK Affected by Clop's Oracle E-Business Suite Data Breach | Allianz UK confirmed a data breach affecting 80 current and 670 former customers due to a Clop gang attack on its Oracle E-Business Suite. The breach did not impact Liverpool Victoria (LV) or its systems, despite initial claims by the attackers. Allianz UK has notified affected customers and reported the incident to the Information Commissioner's Office for further investigation. The breach exploited a zero-day vulnerability in Oracle EBS, which is used for managing personal insurance lines like home and car insurance. This incident is part of a broader campaign by Clop, which has targeted multiple organizations using the same vulnerability, including the Washington Post and Envoy Air. Google Threat Intelligence Group suggests the attacks exploiting CVE-2025-61882 began as early as July, affecting potentially dozens of organizations. Clop's previous exploits include the MOVEit MFT software attack, impacting millions and highlighting the growing threat of large-scale zero-day campaigns. |
| 2025-11-10 09:17:57 | thehackernews | CYBERCRIME | Large-Scale Phishing Campaign Targets Hotels with PureRAT Malware | A significant phishing campaign is targeting the hospitality sector, using ClickFix-style pages to deploy PureRAT malware and harvest credentials from hotel management systems. Attackers employ compromised email accounts to send spear-phishing emails impersonating Booking.com, redirecting victims to malicious websites designed to steal credentials. The campaign, active since April 2025, aims to gain unauthorized access to booking platforms like Booking.com and Expedia, selling credentials on cybercrime forums. PureRAT malware, delivered via DLL side-loading, supports remote access, data exfiltration, and persistence mechanisms, complicating detection and removal efforts. Threat actors utilize social engineering tactics, including fake security checks and payment verification requests, to deceive hotel customers into providing sensitive information. Cybercriminals procure administrator information from forums like LolzTeam, outsourcing malware distribution to specialists known as traffers, enhancing the campaign's reach. The campaign's sophistication is increasing, with ClickFix pages incorporating video, countdown timers, and operating system-specific instructions to enhance credibility. The rise of cybercrime services supporting these attacks reflects a professionalization of fraud models, leveraging an "as-a-service" approach to maximize profits and lower entry barriers. |
| 2025-11-10 09:09:13 | theregister | VULNERABILITIES | 2025 Exposure Management Index Reveals Rising Vulnerability Challenges | Intruder's 2025 Exposure Management Index analyzes data from over 3,000 small to mid-sized businesses, highlighting significant trends in vulnerability management and response effectiveness. High-severity vulnerabilities have surged by 20 percent, driven by AI-assisted exploit development, increasing the pressure on security teams without additional resources. Despite the rise in vulnerabilities, 89 percent of critical issues are now resolved within 30 days, a notable improvement attributed to heightened boardroom awareness and streamlined processes. Smaller companies continue to address critical vulnerabilities faster than midsize firms, though the gap is narrowing due to improved workflows and ownership in larger organizations. The report underscores the growing complexity of managing diverse systems and legacy applications, yet shows progress in reducing delays in larger enterprises. The index also provides insights into sector-specific differences, regulatory impacts, and the re-weaponization of older CVEs, shaping remediation strategies across industries. As exposure volumes increase, the need for efficient vulnerability management and rapid response remains critical to mitigate potential exploitation by attackers. |
| 2025-11-10 09:01:15 | thehackernews | MALWARE | GlassWorm Malware Targets VS Code Extensions, Compromises GitHub Credentials | Cybersecurity experts have identified GlassWorm malware in three Visual Studio Code extensions, impacting thousands of users by harvesting credentials and targeting cryptocurrency wallets. GlassWorm employs invisible Unicode characters to conceal malicious code, allowing it to self-replicate and spread across the VS Code ecosystem. Despite efforts to remove malicious extensions, the threat has resurfaced, using blockchain-based command-and-control infrastructure to evade detection and maintain persistence. The malware's reach extends globally, affecting victims in the U.S., South America, Europe, and Asia, including a significant government entity in the Middle East. Researchers traced the malware's origin to a Russian-speaking threat actor utilizing the RedExt framework, with evidence suggesting compromised internal networks and proxy infrastructure. Koi Security's findings indicate GlassWorm has expanded its scope to include GitHub, using stolen credentials to inject malicious commits into repositories. Organizations are urged to review their security protocols, rotate credentials, and monitor for unusual activity to mitigate potential impacts from this ongoing threat. |
| 2025-11-10 07:00:22 | theregister | MISCELLANEOUS | Cisco Develops Advanced AI Model to Enhance Cybersecurity Threat Detection | Cisco is developing a new AI model with over 17 billion parameters, doubling its current model's capacity, to enhance threat detection and response recommendations. The new model will incorporate 30 years of data from Cisco's Talos threat intelligence team, aiming to improve both detection and advisory capabilities. This initiative is not a replacement for the existing Foundation-Sec-8B model but a separate effort to advance AI-driven security solutions. Cisco's senior VP, Raj Chopra, announced the model's expected release shortly after the holiday season, alongside other AI initiatives. The model will utilize threat information, incident summaries, and red team playbooks to train its advanced capabilities. Cisco's SecureBERT model has also been updated to enhance its performance, aiding security professionals in their tasks. The development aligns with Cisco's strategy to integrate both generic and organization-specific data for robust AI-driven security defenses. Cisco's AI models are integral to its product offerings, with Splunk tools recommended for optimal data analysis. |
| 2025-11-10 02:37:33 | theregister | MISCELLANEOUS | Microsoft Introduces AI Agents with Autonomous Enterprise Capabilities | Microsoft plans to launch AI agents, termed "agentic users," capable of operating autonomously within enterprise environments, performing tasks like attending meetings and editing documents. These AI agents will be available through the "M365 Agent Store" and integrated with Microsoft Teams, enhancing collaboration capabilities within organizations. Each agent will possess its own identity, including an email address and Teams account, and will be listed in enterprise directories such as Entra ID or Azure AD. The introduction of these agents raises concerns about management, especially regarding potential misuse, data security, and the accuracy of information shared autonomously. Microsoft will introduce these agents with a targeted release, potentially announced at the upcoming Ignite conference, aiming to boost productivity and efficiency. Licensing expert Rich Gibbons expressed concerns about the consumption-based pricing model, which could complicate cost forecasting for organizations. The potential for AI agents to operate independently poses significant challenges in monitoring, preventing misuse, and ensuring compliance with organizational policies. |
| 2025-11-10 00:01:34 | theregister | DATA BREACH | Major Data Breach at Chinese Infosec Firm Exposes Cyber-Weapons | A significant data breach at Knownsec, a Chinese infosec firm linked to the military, exposed over 12,000 classified documents, including cyber-weapons and global target lists. The breach revealed details on Remote Access Trojans capable of compromising multiple operating systems, including Linux, Windows, macOS, iOS, and Android. Sensitive data extracted includes 95GB of immigration records from India and 3TB of call logs from South Korean telecom LG U Plus. A spreadsheet listing 80 overseas targets successfully attacked by Knownsec was also part of the leaked information. Some of the leaked documents were briefly posted on GitHub before being removed, indicating a rapid response to contain the breach. This incident raises concerns about the security of state-linked cyber operations and the potential misuse of exposed cyber tools. Organizations worldwide should reassess their cybersecurity measures to protect against similar breaches and unauthorized data exposures. |