Daily Brief

2025-11-04 22:21:32 theregister MISCELLANEOUS DHS Proposes Extensive Expansion of Biometric Data Collection for Immigration
The Department of Homeland Security (DHS) has proposed a rule to significantly expand biometric data collection for immigration processes, affecting immigrants and some U.S. citizens involved in these cases. The proposed rule mandates biometric data submission from a broad range of individuals linked to immigration applications, including U.S. citizens, nationals, and lawful permanent residents. DHS aims to redefine biometrics to include new technologies like ocular imagery, voice prints, and DNA, broadening the scope of data collected for identity verification and security checks. The rule would allow DHS to collect raw DNA or test results to verify familial relationships or biological sex, potentially impacting benefit eligibility. Critics express concerns over privacy, potential misuse, and errors associated with biometric technologies, particularly regarding facial recognition and AI-spoofable voice records. Public feedback on the proposal is overwhelmingly negative, with concerns about government overreach and potential violations of constitutional rights. DHS is accepting comments on the proposal until January 2, with many submissions likening the initiative to practices in authoritarian regimes.
2025-11-04 21:50:53 bleepingcomputer VULNERABILITIES Critical Vulnerability in Post SMTP Plugin Threatens WordPress Sites
A critical flaw in the Post SMTP plugin affects over 400,000 WordPress sites, allowing attackers to hijack admin accounts and take control of websites. The vulnerability, identified as CVE-2025-11833, has a severity score of 9.8 and impacts all plugin versions up to 3.6.0. Exploitation is possible due to missing authorization checks in the plugin's email log function, enabling unauthorized access to sensitive information. Wordfence validated the exploit and disclosed it to the vendor on October 15; a patch was released on October 29 as version 3.6.1. Despite the patch, around 210,000 sites remain at risk, as only half of the users have updated their plugins. Active exploitation began on November 1, with Wordfence blocking over 4,500 attempts, emphasizing the urgency for users to update or disable the plugin. A similar flaw, CVE-2025-24000, was identified in July, highlighting ongoing security challenges with the Post SMTP plugin.
2025-11-04 21:19:39 bleepingcomputer DATA BREACH Apache OpenOffice Denies Alleged Data Breach by Akira Ransomware
The Akira ransomware group claims to have breached Apache OpenOffice, alleging theft of 23 GB of sensitive data, including employee and financial information. Apache Software Foundation disputes the claims, stating they do not possess the types of data allegedly stolen, as OpenOffice is an open-source project with no paid employees. The Foundation is actively investigating the claims but has found no evidence of a breach or any ransom demand directed at their infrastructure. Akira's claims include sensitive employee data and internal documents, yet no such data has been leaked or verified by third parties. Apache OpenOffice operates transparently, with all development discussions public, reducing the likelihood of undisclosed vulnerabilities or data theft. The incident highlights the importance of verifying breach claims and maintaining robust security protocols, even for open-source projects. No law enforcement or cybersecurity experts have been engaged by Apache, given the lack of evidence supporting the ransomware group's assertions.
2025-11-04 20:32:51 bleepingcomputer MALWARE Malicious Android Apps on Google Play Downloaded 42 Million Times
Zscaler reports over 42 million downloads of malicious Android apps from Google Play between June 2024 and May 2025, indicating a significant threat to mobile security. The report notes a 67% year-over-year increase in mobile malware, with spyware and banking trojans being the most prevalent threats. Cybercriminals are increasingly targeting mobile payments through phishing, smishing, and SIM-swapping, exploiting social engineering tactics as traditional card fraud becomes less effective. Zscaler identified 239 malicious apps on Google Play, a rise from 200 the previous year, with adware now accounting for 69% of all detections. Anatsa, a banking trojan, and Android Void, a backdoor malware, are among the top threats, affecting users in regions including Germany, South Korea, India, and Brazil. The report advises users to apply security updates, trust only reputable publishers, disable unnecessary permissions, and perform regular Play Protect scans to mitigate risks. Organizations are encouraged to adopt zero-trust technology and enhance IoT security by monitoring for anomalies and securing firmware to protect against expanding threats.
2025-11-04 19:02:39 bleepingcomputer VULNERABILITIES Microsoft to Phase Out Defender Application Guard for Office by 2027
Microsoft will remove Microsoft Defender Application Guard (MDAG) from Office by December 2027, with the process starting in February 2026 for Office version 2602. Defender Application Guard isolates untrusted Office files in a Hyper-V-enabled container, protecting the host system from potential threats. Microsoft suggests alternatives like Defender for Endpoint attack surface reduction rules and Protected View to maintain security after MDAG's removal. Office files will default to Protected View, a read-only mode, to ensure continued protection against malicious documents. The removal aligns with the end of support for Windows 11 version 23H2 and aims to simplify the security experience for users. The phased removal will affect different Office channels, concluding with the Semi-Annual Enterprise Channel by July 2027. IT administrators are advised to implement the recommended security measures to maintain robust defenses against threats.
2025-11-04 18:55:10 theregister NATION STATE ACTIVITY Curly COMrades Employ Hidden VMs for Stealthy Cyber Espionage
Bitdefender and the Georgian CERT uncovered a new campaign by Curly COMrades, leveraging Microsoft's Hyper-V to create hidden VMs on compromised Windows systems. The attackers deploy a lightweight Alpine Linux-based VM, bypassing traditional endpoint detection and response tools, allowing for prolonged network access. The VM hosts custom malware, CurlyShell and CurlCat, facilitating reverse shell access and reverse proxy tunneling, masking malicious activities as legitimate network traffic. The campaign targets judicial and government entities in Georgia and an energy company in Moldova, indicating a focus on geopolitical interests. Curly COMrades exploit legitimate virtualization technology to evade detection, demonstrating advanced tactics in bypassing conventional security measures. Security experts stress the importance of a multi-layered defense strategy, as reliance solely on endpoint detection proves insufficient against such sophisticated threats. Bitdefender has released indicators of compromise on GitHub, aiding organizations in identifying and mitigating potential threats from this group.
2025-11-04 17:54:34 theregister DATA BREACH Audit Reveals Security Lapses at Consumer Financial Protection Bureau
The Office of the Inspector General's audit found the Consumer Financial Protection Bureau's cybersecurity program has regressed from level-4 to level-2 maturity, indicating significant security challenges. Key issues identified include inadequate system authorizations and the absence of effective cybersecurity risk profiles, affecting the bureau's ability to manage and communicate security objectives. The audit revealed 35 systems operating without proper authorizations, with 21 relying solely on risk acceptance memorandums, lacking comprehensive security assessments. Outdated software still in use at the CFPB poses additional risks, with some programs nearing end-of-life, increasing vulnerability to exploitation. The CFPB acknowledged the findings and agreed to implement six recommendations, although it contested some claims regarding risk management practices. Resource constraints, including a significant reduction in contractor support and staff departures, have hampered the bureau's ability to maintain robust cybersecurity operations. The audit underscores the broader impact of federal workforce reductions on cybersecurity capabilities, reflecting similar challenges faced by other agencies.
2025-11-04 17:33:16 thehackernews CYBERCRIME Scattered LAPSUS$ Hunters: A New Cybercrime Alliance Emerges
A new cybercrime collective, Scattered LAPSUS$ Hunters, has formed, merging Scattered Spider, LAPSUS$, and ShinyHunters, creating 16 Telegram channels since August 2025. The group employs an extortion-as-a-service model, allowing affiliates to leverage its brand for financial gain, targeting organizations including Salesforce users. Trustwave reports that the collective operates under a federated structure, collaborating with other clusters like CryptoChameleon and Crimson Collective. Telegram serves as the primary coordination platform, facilitating both internal communication and public dissemination of the group's activities. Members have accused Chinese state actors of exploiting their vulnerabilities and engaged in campaigns against U.S. and U.K. law enforcement. The group hints at developing a custom ransomware, Sh1nySp1d3r, suggesting potential future operations rivaling established threats like LockBit. DragonForce, aligned with Scattered Spider, uses BYOVD attacks to disable security software, partnering with Qilin and LockBit to enhance capabilities. This alliance reflects a sophisticated blend of social engineering, exploit development, and narrative warfare, indicating a mature cybercriminal operation.
2025-11-04 16:58:34 bleepingcomputer DATA BREACH Swedish IT Supplier Miljödata Breach Exposes 1.5 Million Records
Miljödata, a key IT supplier for Swedish municipalities, faced a significant data breach affecting 1.5 million individuals, with attackers demanding a Bitcoin ransom. The breach led to operational disruptions across several Swedish regions, impacting local government services and citizen data security. The Swedish Authority for Privacy Protection (IMY) is investigating potential GDPR violations, focusing on security measures and data handling practices. The stolen data, including sensitive personal information, was published on the dark web by the threat group Datacarry, raising privacy and security concerns. CERT-SE and Swedish police are actively investigating the breach, with an emphasis on preventing future incidents and enhancing cybersecurity measures. The breach has prompted a review of data protection practices in municipalities, particularly concerning vulnerable groups such as children and protected identity subjects. Have I Been Pwned has included the breach in its database, confirming exposure of data for approximately 870,000 individuals, highlighting discrepancies in reported figures.
2025-11-04 16:34:58 bleepingcomputer DATA BREACH Nikkei Data Breach Exposes Personal Details of 17,000 Individuals
Nikkei, a major Japanese media corporation, reported a data breach affecting over 17,000 employees and business partners via compromised Slack accounts. The breach was traced back to stolen authentication credentials following malware infection on an employee's computer, leading to unauthorized access. Exposed information includes names, email addresses, and chat histories, though no sensitive journalistic data or confidential sources were compromised. Nikkei implemented immediate security measures, such as mandatory password changes, upon discovering the breach in September. Despite the breach not falling under Japan's Personal Information Protection Law, Nikkei notified the Personal Information Protection Commission, demonstrating a commitment to transparency. The incident stresses the importance of robust cybersecurity practices, particularly in safeguarding communication platforms like Slack. Nikkei's history of cybersecurity incidents, including a 2022 ransomware attack and a 2019 business email compromise, highlights ongoing vulnerabilities.
2025-11-04 15:58:54 thehackernews CYBERCRIME Europol and Eurojust Dismantle €600 Million Crypto Fraud Network
Europol and Eurojust coordinated a global operation arresting nine individuals involved in a €600 million cryptocurrency fraud network across Cyprus, Spain, and Germany. The operation, conducted between October 27 and 29, included searches leading to the seizure of €800,000 in bank accounts, €415,000 in cryptocurrencies, and €300,000 in cash. The fraudulent network operated dozens of fake cryptocurrency investment platforms, luring victims with promises of high returns through social media ads and fake testimonials. Victims reported being unable to recover their investments, prompting the investigation and subsequent raids that dismantled the network. The operation involved agencies from France, Belgium, Cyprus, Germany, and Spain, showcasing effective international collaboration in tackling transnational cybercrime. Europol noted the increasing sophistication of crypto-related crimes, emphasizing the need for advanced tools and cross-border cooperation to counter these threats. The success of this operation reflects the growing capability of law enforcement and private sector partners in addressing complex cyber fraud and money laundering activities.
2025-11-04 15:14:03 bleepingcomputer CYBERCRIME European Authorities Dismantle €600 Million Cryptocurrency Fraud Network
European law enforcement arrested nine individuals involved in a €600 million cryptocurrency fraud across Cyprus, Spain, and Germany, targeting victims with fake investment platforms. The fraudsters created platforms mimicking legitimate investment sites, enticing victims with promises of high returns through social media and cold calling. Victims were unable to recover their funds after transferring cryptocurrency, while criminals laundered the stolen assets using sophisticated blockchain tools. Eurojust coordinated the operation, resulting in the seizure of €800,000 in bank accounts, €415,000 in cryptocurrencies, and €300,000 in cash. This operation follows recent arrests in Europe related to similar cryptocurrency fraud schemes, highlighting a growing trend in financial cybercrime. The U.S. Federal Trade Commission reported record losses of $12.5 billion to fraud in 2024, with investment scams being the most costly, emphasizing the need for enhanced security measures. The incidents underline the importance of vigilance and robust regulatory frameworks to combat evolving cryptocurrency fraud tactics.
2025-11-04 15:06:39 bleepingcomputer VULNERABILITIES Addressing Browser Sandbox Vulnerabilities in Modern Security Strategies
A recent webinar by Keep Aware addresses the growing vulnerabilities in browser sandboxes, emphasizing the need for enhanced security measures in enterprise environments. Browsers are now the primary tool for accessing sensitive SaaS applications, AI tools, and cloud systems, yet their built-in security measures struggle against sophisticated threats. Attackers exploit browser features like extensions and user inputs to bypass sandbox restrictions, leading to credential theft and lateral movement within networks. Traditional security tools such as CASBs, SWGs, and EDRs have limited visibility into browser-layer threats, creating a significant security blind spot. Keep Aware offers solutions that monitor real-time user behavior and extension activity, providing dynamic policy enforcement and instant threat response directly within the browser. The session is aimed at CISOs and IT security leaders, offering actionable insights to enhance security strategies for SaaS and browser-based environments. Emphasizing the importance of browser-level visibility and control, the webinar provides strategies to mitigate risks associated with modern browser use in the workplace.
2025-11-04 14:30:03 thehackernews VULNERABILITIES Critical React Native CLI Flaw Threatens Millions with Remote Exploits
A critical vulnerability in the "@react-native-community/cli" npm package, tracked as CVE-2025-11953, allowed remote command execution, posing a major threat to developers. The flaw, with a CVSS score of 9.8, affected package versions 4.8.0 to 20.0.0-alpha.2 and has been patched in version 20.0.0. The vulnerability stemmed from the Metro development server binding to external interfaces and exposing an "/open-url" endpoint vulnerable to OS command injection. Attackers could exploit the flaw by sending crafted POST requests, executing arbitrary OS commands on Windows and arbitrary binaries on Linux and macOS. The issue was particularly perilous due to its ease of exploitation, lack of authentication, and wide attack surface, with the package seeing up to 2 million downloads weekly. Developers using React Native without Metro were not impacted, highlighting the importance of understanding dependencies in development environments. The incident stresses the necessity for automated security scanning in software supply chains to identify and mitigate vulnerabilities swiftly.
2025-11-04 14:07:42 theregister VULNERABILITIES Check Point Identifies Critical Microsoft Teams Vulnerabilities Affecting Trust
Check Point discovered four critical vulnerabilities in Microsoft Teams, potentially allowing attackers to impersonate executives, alter messages, and forge caller identities without detection. These flaws, affecting over 320 million monthly users, could disrupt trust-based communication, vital for decision-making and financial transactions. The vulnerabilities lay in Teams' messaging architecture, enabling silent message overwrites, spoofed alerts, and manipulated caller IDs. Microsoft addressed these issues with patches issued throughout 2024, concluding with a fix for the caller identity flaw in October 2025. Check Point's proof of concept demonstrated how these vulnerabilities could be combined for financial fraud, credential theft, or malware delivery. The incident emphasizes the need for enhanced security measures, such as zero-trust access controls and anomaly detection, to protect collaboration platforms. This case illustrates a shift in attack strategies, focusing on manipulating digital trust within collaboration tools rather than traditional system breaches.