Daily Brief

2026-01-07 11:58:41 thehackernews MISCELLANEOUS Webinar Explores AI-Powered Zero Trust Against Fileless Cyber Threats
Zscaler Internet Access team presents a webinar addressing the challenges posed by attacks that bypass traditional file-based detection methods, focusing on fileless threats. The session emphasizes the need for cloud-native inspection and behavior analysis to identify threats hidden within scripts, remote access tools, and developer workflows. Traditional defenses often miss these threats as they don't involve binaries or trigger conventional alerts, creating significant security blind spots. The webinar aims to equip SOC teams, IT leaders, and security architects with strategies to detect and mitigate these modern attack vectors effectively. Attendees will gain insights into zero-trust design principles that enhance visibility and protection without hindering business operations. This educational session is tailored for professionals seeking actionable solutions to close security gaps in their organizations.
2026-01-07 11:27:39 thehackernews VULNERABILITIES Critical RCE Vulnerability in n8n Platform Demands Urgent Attention
n8n has issued a warning about a critical remote code execution vulnerability, CVE-2026-21877, affecting both self-hosted and cloud versions of its platform. The flaw, with a CVSS score of 10.0, allows authenticated users to execute untrusted code, potentially compromising the entire instance. Security researcher Théo Lelasseux identified the vulnerability, prompting n8n to release a patch in version 1.121.3 in November 2025. Users are strongly advised to upgrade to version 1.121.3 or later to mitigate this severe security risk. For those unable to patch immediately, n8n recommends disabling the Git node and restricting access for untrusted users as interim measures. This disclosure follows previous critical vulnerabilities in n8n, CVE-2025-68613 and CVE-2025-68668, with CVSS scores of 9.9, emphasizing the need for robust security practices. Organizations using n8n should prioritize patch management and review access controls to prevent potential exploitation.
2026-01-07 11:04:10 thehackernews MISCELLANEOUS Non-Human Identities Pose Emerging Cybersecurity Challenges for Enterprises
The rise of Artificial Intelligence and cloud automation has led to an increase in Non-Human Identities (NHIs) like bots and AI agents within organizations. According to ConductorOne's 2025 report, 51% of respondents equate the security importance of NHIs to that of human accounts. NHIs often operate outside traditional Identity and Access Management systems, creating new attack surfaces and security risks. Over-permissioned access and static credentials make NHIs attractive targets for cybercriminals, necessitating modern security strategies. Organizations are encouraged to implement zero-trust security, least-privilege access, and automated credential management to mitigate NHI-related risks. Effective governance of NHIs involves treating them as first-class identities, ensuring they are monitored and granted appropriate access. Solutions like KeeperPAM® offer integrated management of secrets and privileged access, enhancing security for both human and non-human users. As automation grows, securing NHIs with zero-trust principles is crucial to prevent them from becoming a major cybersecurity blind spot.
2026-01-07 10:43:22 thehackernews VULNERABILITIES Veeam Releases Critical Security Patch for Backup & Replication Software
Veeam has issued patches for multiple vulnerabilities in its Backup & Replication software, including a critical remote code execution flaw, tracked as CVE-2025-59470, with a CVSS score of 9.0. The critical flaw allows Backup or Tape Operators to execute remote code as the postgres user by manipulating specific parameters, posing significant security risks. Veeam's security update addresses four vulnerabilities affecting version 13.0.1.180 and earlier, urging users to upgrade to version 13.0.1.1071 to mitigate potential threats. Despite the high CVSS score, Veeam states the exploitation risk is reduced if customers adhere to its Security Guidelines, emphasizing the importance of following best practices. No active exploitation of these vulnerabilities has been reported, but the history of past threats exploiting similar flaws necessitates prompt action from users. Organizations are advised to review their access controls, particularly for highly privileged roles like Backup and Tape Operators, to prevent misuse. The update underscores the critical need for timely patch management to safeguard against potential exploitation by threat actors.
2026-01-07 10:15:03 theregister VULNERABILITIES HSBC App Blocks Access Over Sideloaded Bitwarden Installations
HSBC UK mobile banking app users report being locked out after installing the Bitwarden password manager via F-Droid, an open-source app catalog. The bank's app security measures flagged the sideloaded Bitwarden installation as a potential risk, preventing access to the banking app. Bitwarden is available through official channels like Google Play, but HSBC's app appears to restrict installations from non-official sources. HSBC has not provided a detailed explanation for this restriction, raising concerns among affected customers and cybersecurity experts. Technical workarounds suggested include using banking apps in a separate device profile or reverting to web-based banking solutions. Bitwarden and F-Droid are open to discussions with HSBC to resolve the issue, although no meetings have been arranged. This incident highlights the challenges of balancing app security with user flexibility in managing third-party applications.
2026-01-07 09:42:24 thehackernews CYBERCRIME Misconfigured Email Routing Fuels Surge in Phishing Attacks
Microsoft reports an increase in phishing attacks exploiting misconfigured email routing and spoof protections, targeting organizations across various industries since May 2025. Threat actors use phishing-as-a-service (PhaaS) platforms, such as Tycoon 2FA, to impersonate internal domains and distribute deceptive emails. Phishing lures include themes like voicemails, HR communications, and password resets, aiming to steal credentials and facilitate business email compromise (BEC). Attackers exploit complex routing configurations, such as MX records pointing to on-premises or third-party services, creating vulnerabilities for spoofed emails. Microsoft blocked over 13 million malicious emails linked to the Tycoon 2FA PhaaS kit in October 2025, highlighting the scale of the threat. Organizations are advised to implement strict DMARC and SPF policies, configure third-party connectors correctly, and disable unnecessary Direct Send functions. The financial impact includes potential scams involving fake invoices and impersonation of services like DocuSign, posing significant risks to businesses.
2026-01-07 04:32:08 thehackernews VULNERABILITIES Critical Flaw in Legacy D-Link Routers Enables Remote Code Execution
A critical vulnerability, CVE-2026-0625, in legacy D-Link DSL routers is actively exploited, allowing remote code execution via command injection in the dnscfg.cgi endpoint. The flaw affects models DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B, with exploitation attempts recorded by the Shadowserver Foundation. D-Link has launched an internal investigation to assess the vulnerability's impact and plans to release a comprehensive list of affected models following a firmware review. The vulnerability results from improper sanitization of DNS configuration parameters, enabling attackers to alter DNS settings without authentication. Impacted routers, now end-of-life, pose significant operational risks due to their inability to receive security updates, necessitating urgent device retirement and upgrades. The flaw mirrors mechanisms used in past DNS hijacking campaigns, potentially allowing attackers to redirect or intercept network traffic. Organizations using these legacy devices are advised to transition to supported models to mitigate security risks and ensure regular updates.
2026-01-07 00:24:59 theregister VULNERABILITIES Researcher Faces Delays in Bug Bounty Payout from HackerOne
Jakub Ciolek reported two denial-of-service vulnerabilities in Argo CD through HackerOne's Internet Bug Bounty program, expecting an $8,500 reward. Despite the vulnerabilities being assigned CVEs and fixed, Ciolek experienced months of silence from HackerOne regarding his reward. The vulnerabilities, CVE-2025-59538 and CVE-2025-59531, could allow unauthenticated remote attackers to crash vulnerable Argo CD instances. HackerOne eventually communicated that the delay was due to a temporary operational backlog, with payouts expected to resume by the end of Q1. The incident raises concerns about trust and transparency in bug bounty programs, which rely heavily on clear communication with researchers. Ciolek emphasizes the importance of bounties in supporting researchers' efforts, especially in open-source projects lacking direct funding. The situation suggests potential challenges in managing increased noise from low-quality or AI-generated submissions on bug bounty platforms.
2026-01-06 22:33:03 bleepingcomputer NATION STATE ACTIVITY Taiwan Reports Tenfold Surge in Chinese Cyberattacks on Energy Sector
Taiwan's National Security Bureau reported a dramatic 1,000% increase in cyberattacks on its energy sector by Chinese actors in 2025 compared to the previous year. The report indicates a broader 6% rise in cyber incidents linked to China, with critical infrastructure across nine sectors being targeted. Notable increases were observed in emergency rescue and hospitals (54%) and communications (6.7%), while finance and water resources saw reductions. Attack methods included exploiting hardware and software vulnerabilities, DDoS, social engineering, and supply-chain incidents, with significant focus on industrial control systems. Energy sector attacks involved malware injections during software upgrades, targeting petroleum, electricity, and natural gas companies. Chinese hacker groups such as BlackTech, Flax Typhoon, and APT41 were identified as key perpetrators, with activities often coinciding with political events. Taiwan is collaborating with over 30 countries for intelligence sharing and joint investigations to counter these cyber threats.
2026-01-06 20:56:39 theregister DATA BREACH Brightspeed Probes Massive Data Breach Affecting Over One Million Users
Brightspeed is investigating claims of a data breach involving over one million customers' records, allegedly stolen by the cybercrime group Crimson Collective. The stolen data reportedly includes sensitive information such as names, emails, phone numbers, billing addresses, and partial credit card details. Crimson Collective has set a price of three bitcoin for the data, threatening to release it publicly if unsold within a week. The attackers claim the breach allowed them to potentially disrupt mobile services, though this has not been independently verified. Brightspeed is actively working to assess the breach's impact and is communicating with customers, employees, and authorities as more details emerge. The breach highlights the ongoing threat of extortion-focused cybercrime groups and the critical need for robust security measures and incident response plans. Crimson Collective has previously been linked to high-profile breaches, including an incident involving Red Hat, indicating a pattern of targeting large organizations.
2026-01-06 19:55:30 bleepingcomputer VULNERABILITIES Legacy D-Link Routers Face Exploitation from New Command Injection Flaw
A command injection vulnerability, CVE-2026-0625, is actively exploited in several outdated D-Link DSL routers, affecting the dnscfg.cgi endpoint due to improper input sanitization. The vulnerability allows unauthenticated attackers to execute remote commands, posing significant risks to affected systems, particularly those configured for remote administration. VulnCheck reported the flaw to D-Link after The Shadowserver Foundation detected exploitation attempts, though the technique remains undocumented publicly. D-Link confirmed the vulnerability affects models that reached end-of-life in 2020, advising users to replace these devices with supported models for continued security. Identifying all impacted models is challenging due to firmware variations; D-Link is conducting a comprehensive analysis of legacy and current firmware builds. Users are urged to replace end-of-life routers or use them in non-critical, segmented networks with the latest firmware and stringent security settings. The source and targets of current exploitation attempts remain unclear, emphasizing the need for proactive security measures in network management.
2026-01-06 19:21:01 bleepingcomputer MALWARE Kimwolf Botnet Exploits Android Devices via Residential Proxy Networks
The Kimwolf botnet, an Android variant of Aisuru malware, has infected nearly two million devices, primarily targeting internal networks through residential proxy vulnerabilities. Researchers report Kimwolf's increased activity since August, with a focus on exploiting exposed Android Debug Bridge (ADB) services on devices like TV boxes and streaming gadgets. Compromised devices are utilized for DDoS attacks, proxy resale, and monetizing app installations, with the largest attack peaking at 29.7 terabits per second. Synthient's analysis reveals that most affected devices are located in Vietnam, Brazil, India, and Saudi Arabia, with many pre-infected by proxy SDKs before purchase. The botnet's rapid growth is attributed to its abuse of proxy networks, allowing direct interaction with devices on the same internal network as the proxy client. In response, IPIDEA, a major proxy provider, has blocked access to local networks and ports, following Synthient's alerts about vulnerabilities. Synthient recommends using their online scanner tool to detect infections and advises replacing compromised devices with certified alternatives from reputable manufacturers.
2026-01-06 18:32:42 bleepingcomputer CYBERCRIME Cyberattack Causes 43% Decline in Jaguar Land Rover Sales
Jaguar Land Rover reported a 43% drop in third-quarter wholesale volumes due to a cyberattack in September 2025, severely impacting production and distribution. The attack forced a temporary shutdown of manufacturing operations, with normal production resuming only by mid-November, affecting global vehicle distribution. Financial losses from the cyberattack amounted to £196 million ($220 million) for the quarter, significantly impacting the company's financial health. The Scattered Lapsus$ Hunters, a cybercrime group, claimed responsibility for the attack, which included data theft, further complicating JLR's recovery efforts. The U.K. government approved a £1.5 billion loan guarantee to assist JLR in restoring its supply chain and resuming operations. The incident contributed to a weaker-than-expected U.K. GDP in Q3 2025, as noted by the Bank of England, highlighting the broader economic impact. JLR's market position and financial stability remain challenged, with significant declines in sales across major markets, including a 64% drop in North America.
2026-01-06 17:22:06 thehackernews MALWARE Malicious Chrome Extensions Target AI Chat Data of 900,000 Users
Cybersecurity researchers identified two malicious Chrome extensions exfiltrating ChatGPT and DeepSeek conversations, affecting over 900,000 users by capturing sensitive data and browsing activity. The extensions impersonate a legitimate tool, misleading users into granting permissions for "anonymous analytics," while secretly collecting complete conversation content and browser tab URLs. Data exfiltrated includes sensitive AI chatbot interactions and web browsing details, posing risks of corporate espionage, identity theft, and targeted phishing. The extensions remain available on the Chrome Web Store, although one has lost its "Featured" badge, highlighting potential gaps in Google's extension vetting process. Threat actors utilize AI-powered platforms to obscure their operations, complicating detection and removal efforts by leveraging legitimate-looking privacy policies and infrastructure. Legitimate extensions like Similarweb have also adopted similar data collection tactics, raising concerns about privacy and the potential misuse of AI tool interactions. Users are advised to uninstall suspicious extensions and avoid downloading from unverified sources, even if they appear to be endorsed by platform features.
2026-01-06 15:50:23 thehackernews VULNERABILITIES Unpatched Firmware Flaw in TOTOLINK EX200 Allows Remote Takeover
CERT Coordination Center disclosed a critical flaw in TOTOLINK EX200, enabling remote attackers to gain full control of the device through an unauthenticated root-level telnet service. The vulnerability, identified as CVE-2025-65606, stems from firmware-upload error-handling logic, inadvertently starting a telnet service that grants attackers root access. Exploitation requires prior authentication to the device's web management interface, where malformed firmware files trigger the vulnerability. TOTOLINK has not released a patch for this flaw, and the EX200 model is no longer actively maintained, with the last firmware update in February 2023. Users are advised to restrict administrative access to trusted networks and monitor for unusual activities to mitigate potential exploitation risks. The lack of ongoing support for the EX200 highlights the importance of upgrading to supported models to ensure device security. This incident emphasizes the critical need for timely patch management and proactive vulnerability assessments in network devices.