Daily Brief

AMD is addressing a high-severity vulnerability, CVE-2025-62626, affecting cryptographic security in Zen 5 Ryzen and Epyc CPUs, potentially compromising data encryption. The flaw involves the RDSEED function, which may return zero instead of random numbers, weakening cryptographic keys and allowing potential data decryption. Exploiting this vulnerability requires local privileges, indicating attackers would need significant system access to leverage the flaw. AMD has released patches for Epyc 9005 series chips, with additional updates for other affected processors expected by January. Users can mitigate risks by using the unaffected 64-bit RDSEED version or disabling the function in system configurations. The issue was initially identified by Gregory Price, a Linux kernel engineer at Meta, and communicated via the Linux kernel mailing list. AMD's proactive patching efforts aim to maintain trust and security for users relying on their processor architectures.

Google's Threat Intelligence Group identified a shift towards AI-driven malware, with adversaries using large language models for dynamic malware execution and adaptation. The PromptFlux malware dropper and PromptSteal data miner exemplify this trend, utilizing AI for script generation and obfuscation to evade detection. PromptFlux uses Google's LLM Gemini to periodically update its code, aiming to create a constantly evolving "metamorphic script" for antivirus evasion. Google has disabled PromptFlux's access to the Gemini API and removed associated assets, although attribution to a specific threat actor remains unclear. Other AI-powered threats include FruitShell, a PowerShell reverse shell, and QuietVault, a JavaScript credential stealer targeting GitHub/NPM tokens. AI-powered cybercrime tools are gaining traction on underground forums, lowering the technical barrier for sophisticated attacks and offering multifunctional capabilities. Google emphasizes the need for responsible AI development with robust safety measures to prevent misuse and bolster security against AI-enhanced threats.

Organizations face challenges in maintaining real-time cybersecurity due to rapid changes and manual update lags, leading to potential vulnerabilities. Common security gaps include undocumented cloud instances, interrupted vulnerability scans, overwhelming threat intelligence, and endpoint coverage gaps. Point solutions often increase complexity, as analysts manage multiple tools and data formats, leading to inefficiencies and alert fatigue. Outpost24 introduces CompassDRP, combining External Attack Surface Management (EASM) with Digital Risk Protection (DRP) to provide a comprehensive view of digital risk. EASM offers visibility into internet-facing assets, while DRP monitors for leaked credentials and sensitive data exposures across various web layers. The integrated solution allows security teams to prioritize fixes based on real-world threat potential, reducing risk efficiently. By consolidating EASM and DRP, organizations can transition from reactive measures to proactive risk management, enhancing overall cybersecurity posture.

Google Threat Intelligence Group reports nation-state actors leveraging Gemini AI to develop innovative malware and data processing agents for espionage and cyber operations. APT42, linked to Iran's IRGC, experimented with AI to convert natural language requests into SQL queries, analyzing personal data for insights on asset ownership and behavior. New malware, PromptFlux, utilizes large language models (LLMs) to generate malicious scripts dynamically, enhancing obfuscation and evasion capabilities against traditional detection tools. While PromptFlux is not yet operational, its development indicates a shift towards AI-driven malware, with potential future impacts on network security. APT28, associated with Russia's GRU, deployed PromptSteal malware in Ukraine, using LLMs for real-time command generation, marking a novel application in live cyber operations. Google's intervention has disabled accounts linked to these AI-driven malware activities, mitigating immediate threats while highlighting the evolving landscape of AI in cyber warfare. The report underscores the need for enhanced defenses against AI-enabled threats, as adversaries continue to innovate and integrate AI into cyber strategies.

Cybersecurity researchers have discovered seven vulnerabilities in OpenAI's ChatGPT models, GPT-4o and GPT-5, which could be exploited to extract personal data from users. These vulnerabilities enable indirect prompt injection attacks, allowing attackers to manipulate large language models into performing unintended actions. Some vulnerabilities have been addressed by OpenAI, but systemic fixes for prompt injection issues remain elusive, posing ongoing risks. The research highlights the expanded attack surface when AI chatbots interact with external tools, increasing opportunities for threat actors. Studies suggest that training AI models on "junk data" can lead to degradation, while poisoning attacks on training data are more feasible than previously assumed. The findings emphasize the need for robust safety mechanisms to prevent prompt injection and mitigate potential damage. Concerns arise over market-driven optimization of AI models, which may compromise safety for competitive advantage, risking deceptive practices.

International authorities dismantled three credit card fraud networks, affecting over 4.3 million cardholders and resulting in losses exceeding €300 million across 193 countries. The coordinated effort, named "Operation Chargeback," involved law enforcement from Germany, the USA, Canada, and several European nations, leading to 18 arrests. In Germany, authorities executed 29 searches across eight states, seizing assets worth more than €35 million, including luxury vehicles, cryptocurrency, and electronic devices. The fraud networks exploited the infrastructure of four major German payment service providers to process and launder illicit transactions, involving over 19 million fake online subscriptions. Suspects allegedly used shell companies registered in the UK and Cyprus to facilitate fraudulent transactions, minimizing detection risks and chargebacks. The operation underscores the effectiveness of international cooperation in tackling complex financial crimes, leveraging analytical capabilities and cross-border coordination. Europol highlights the success of the operation as a significant step in combating global credit card fraud and money laundering activities.

Marks & Spencer reported a £136 million cost from an April cyberattack, impacting its financial results significantly, as detailed in their recent half-year report. The British retailer incurred £83 million in immediate system recovery expenses, with additional costs for legal and professional services, partially offset by a £100 million cyber insurance claim. The attack contributed to a 55.4% drop in profits, with the company also facing a packaging disposal levy, adding £50 million in expenses. Online sales were severely disrupted, declining by 42.9%, as the company had to disconnect warehouse management systems and resort to manual processes. Despite a 22.1% rise in overall revenues to £7.96 billion, operational challenges led to a reduction in operating profit margin from 12% to 2.7%. The retailer's fashion, home, and beauty sales dropped 16.4%, while food sales increased 7.8%, yet profits were impacted by increased markdowns and waste. CEO Stuart Machin noted the challenges faced but expressed confidence in the company's recovery and future trajectory.

Samsung Knox offers a comprehensive security platform for Samsung Galaxy devices, combining hardware and software protections to enhance data security for enterprises. The platform addresses common security myths about Android, emphasizing proactive, layered defense mechanisms to protect against evolving threats. Samsung Knox's enterprise controls allow IT administrators to manage app approvals and prevent sideloading, reducing risks associated with third-party applications. AI-powered malware defenses are integrated to fortify the Android ecosystem, providing an additional layer of protection for enterprise devices. Human vulnerabilities, such as outdated devices and inadequate IT policies, are identified as significant risks; Samsung Knox helps mitigate these through strong policies and device behavior visibility. The Knox E-FOTA tool enables detailed scheduling and stable deployment of Android updates, transforming mobile updates into a strategic, manageable process. Samsung Knox shifts the perception of Android from a security risk to a robust, enterprise-grade solution, offering government-level protection and centralized management capabilities.

A new threat cluster, UNK_SmudgedSerpent, targeted U.S. policy experts amid Iran-Israel tensions, focusing on academics and foreign policy professionals from June to August 2025. The campaign employed tactics similar to Iranian groups like TA455, TA453, and TA450, using political themes to engage targets and extract credentials. Attackers used phishing emails impersonating U.S. foreign policy figures, leading victims to malicious URLs disguised as Microsoft Teams or OnlyOffice login pages. Over 20 experts from U.S. think tanks, including Brookings Institution and Washington Institute, were targeted, focusing on Iran-related policy issues. Malicious URLs often led to MSI installers deploying legitimate RMM software like PDQ Connect, with potential hands-on-keyboard activity to install additional tools. The operation reflects Iran's strategic focus on Western policy analysis and suggests evolving cooperation between Iranian intelligence and cyber units. The campaign's sophistication and alignment with geopolitical events underscore the persistent threat of state-sponsored cyber espionage.

The U.S. Treasury sanctioned eight individuals and two entities linked to North Korea for laundering $12.7 million via cybercrime and IT worker fraud schemes. Sanctioned actors are accused of generating revenue for North Korea's nuclear weapons program, posing a threat to U.S. and global security. A portion of $5.3 million is tied to a North Korean ransomware actor previously targeting U.S. victims and handling IT worker operation revenues. North Korean cyber actors are reported to have stolen over $3 billion in digital assets over three years using advanced malware and social engineering. The regime employs IT workers globally, who obscure their identities to gain employment and funnel income back to North Korea. Some DPRK IT workers partner with foreign freelancers to execute projects, splitting revenues to evade sanctions. TRM Labs identified cryptocurrency wallet addresses linked to First Credit Bank, showing consistent inbound flows resembling salary payments. These actions form a critical part of North Korea's sanctions-evasion strategy, facilitating the movement of millions through traditional and digital means.

Security Operations Centers (SOCs) face significant analyst burnout due to alert fatigue and repetitive tasks, impacting overall team performance and security posture. Alert overload is a primary concern, with analysts spending excessive time on incomplete data. Real-time context solutions, like ANY.RUN's sandbox, enhance prioritization and decision-making. Advanced interactive sandboxes demonstrate the entire attack chain in real-time, allowing analysts to quickly identify threats, such as phishing attacks, with increased clarity and efficiency. Automation of routine tasks, such as log collection and report generation, frees analysts to focus on high-value activities, reducing burnout and improving response times. Integrating real-time threat intelligence minimizes outdated data checks and context-switching, allowing analysts to act on current, verified information, enhancing workflow efficiency. SOCs adopting these strategies report higher efficiency and reduced burnout, enabling teams to maintain focus and improve overall security operations. Engaging with experts, such as those from ANY.RUN, can provide tailored solutions to transform SOC operations from fatigue-prone to focused and high-performing.

The U.S. Treasury Department sanctioned two North Korean banks and eight individuals for laundering cryptocurrency linked to cybercrime and fraudulent IT worker schemes. Ryujong Credit Bank and Korea Mangyongdae Computer Technology Company were designated for facilitating sanctions-evasion activities and fraudulent IT operations. Sanctioned individuals include North Korean bankers managing funds tied to ransomware attacks on U.S. victims, revealing extensive financial networks in Russia and China. Over the past three years, North Korean cybercriminals have stolen over $3 billion in cryptocurrency using advanced malware and social engineering techniques. North Korean IT workers globally disguise their identities to earn millions through IT development contracts, posing significant challenges to international security. The sanctions freeze assets under U.S. jurisdiction and warn financial institutions against transacting with these entities, risking secondary sanctions. These measures follow a report identifying North Korea's sophisticated cyber capabilities, threatening global digital economies and violating UN sanctions.

Renowned cryptographer Daniel J. Bernstein has endorsed Fil-C, a new type-safe C/C++ compiler, praising its compatibility and memory safety features. Fil-C, based on Clang and LLVM, aims to address memory safety issues prevalent in C/C++ programming, which contribute to numerous software vulnerabilities. Bernstein's testing revealed that many libraries and applications work seamlessly with Fil-C, enhancing its appeal for developers seeking safer code. While Fil-C improves safety, it introduces performance trade-offs, running slower than traditional C code and lacking full ABI compatibility. The development of Fil-C reflects a broader industry trend towards improving memory safety, with similar efforts like CHERI and OMA gaining attention. Fil-C's ability to trap common C errors offers a compelling alternative for enhancing security in discrete components of large systems. Bernstein's endorsement is significant given his reputation for writing secure C code, adding credibility to Fil-C's potential in mitigating vulnerabilities.

The UK's Defra invested £312 million to upgrade IT infrastructure, replacing 31,500 Windows 7 laptops with Windows 10, which recently lost support. Despite the investment, over 40% of Defra's devices still run Windows 10, raising concerns about future security and operational efficiency. The upgrade addressed 49,000 critical vulnerabilities, migrated 137 legacy applications, and closed one datacenter, with plans for three more closures. Defra's modernization aims to improve efficiency, enhance critical systems' reliability, and reduce cyber risks, but challenges remain with 24,000 devices still needing replacement. The department's strategy includes cloud migration and automation to improve productivity, but the transition may be more complex and costly than anticipated. Questions arise regarding whether the Windows 10 deployment is a temporary solution before a broader shift to cloud-based systems. The success of Defra's future plans hinges on executing its cloud migration and decommissioning strategies to avoid repeating past technical debt issues.

CISA has added vulnerabilities in Gladinet and Control Web Panel (CWP) to its Known Exploited Vulnerabilities catalog, citing active exploitation evidence. Huntress detected exploitation attempts on CVE-2025-11371, with attackers using Base64-encoded payloads for reconnaissance commands like ipconfig /all. CVE-2025-48703 allows remote attackers to execute pre-authenticated arbitrary commands if they know a valid username on a CWP instance. Federal Civilian Executive Branch agencies must implement necessary patches by November 25, 2025, to protect their networks from these vulnerabilities. The vulnerabilities' inclusion in the KEV catalog follows similar reports of critical flaws in WordPress plugins and themes, urging users to update and secure their sites. Organizations are advised to update affected software immediately, strengthen password policies, and conduct thorough audits for signs of compromise. The proactive measures by CISA aim to mitigate risks and enhance the security posture of federal and private sector networks.