Daily Brief
Total articles found: 12610
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2026-01-06 15:33:29 | bleepingcomputer | DATA BREACH | Sedgwick Government Solutions Suffers Security Breach by Ransomware Group | Sedgwick's subsidiary, Sedgwick Government Solutions, experienced a security breach that affected its isolated file transfer system but not the parent company's network or broader operations. The subsidiary serves over 20 U.S. government agencies, including DHS, CISA, and USCIS, raising concerns about potential exposure of sensitive information. Sedgwick has engaged external cybersecurity experts and notified law enforcement to investigate the breach and assess its impact on the subsidiary's operations. The TridentLocker ransomware group claimed responsibility, alleging theft of 3.39 GB of documents, some of which were reportedly published on its Tor leak site. Despite the breach, Sedgwick Government Solutions remains operational, with no evidence of compromised claims management servers or client service disruptions. The incident underscores the importance of robust cybersecurity measures and incident response protocols, especially for contractors handling sensitive government data. |
| 2026-01-06 14:51:39 | bleepingcomputer | VULNERABILITIES | Generative AI Revolutionizes Password Attacks on Active Directory Systems | Generative AI has significantly increased the speed and efficiency of password attacks on Active Directory, making them accessible to less-skilled attackers. Tools like PassGAN use AI to predict passwords by learning patterns, cracking 51% of common passwords in under a minute. The availability of powerful consumer hardware has lowered the cost and increased the speed of password cracking, challenging traditional security measures. Traditional password policies are inadequate against AI-driven attacks, which exploit the predictable patterns that complexity requirements produce. Organizations are advised to adopt longer passphrases and monitor for compromised passwords to mitigate AI-enhanced attack risks. Specops Password Policy offers solutions by blocking over 4 billion compromised passwords and updating protections based on real-world attack data. Understanding current password vulnerabilities is crucial; tools like Specops Password Auditor can help identify weaknesses without altering existing environments. |
| 2026-01-06 14:20:46 | theregister | CYBERCRIME | Russian Hackers Use Fake BSODs to Target European Hotels | Securonix researchers identified a cyber campaign, PHALT#BLYX, targeting European hotels with fake Windows BSODs to deploy malware. Attackers impersonate Booking.com, sending phishing emails about reservation cancellations with fraudulent euro charges to lure victims. The phishing link leads to a fake verification screen that prompts users to execute a malicious PowerShell command, bypassing security controls. Once executed, the malware installs a remote access trojan, granting attackers ongoing control of compromised systems for espionage and further attacks. The campaign has evolved to use MSBuild-based execution, complicating detection by traditional antivirus solutions. Indicators suggest Russian involvement, including Russian-language artifacts and the DCRat malware commonly found on Russian forums. The timing targets the hospitality sector during the busy holiday season, indicating a strategic focus on European businesses. |
| 2026-01-06 12:54:33 | theregister | DATA BREACH | Ledger's Ecommerce Partner Breach Exposes Customer Data to Phishing Risks | Ledger confirmed a data breach at its ecommerce partner Global-e that exposed customer names, contact information, and order details, increasing the risk of phishing attacks. No financial data, cryptocurrencies, passwords, or Ledger recovery phrases were compromised, so funds remain secure as long as recovery phrases are not shared. Global-e has begun notifying affected customers, advising vigilance against phishing attempts via emails, phone calls, and text messages impersonating trusted brands. Cybercriminals have already exploited the breach, sending phishing emails under the guise of "E-Global" to Ledger users, who are urged to treat unsolicited communications with caution. Ledger emphasized that it will never send unsolicited physical items or request recovery phrases, advising customers to verify devices with the Ledger Genuine Check. The breach potentially affects other brands using Global-e's services, which include high-profile clients like Burberry, Hugo Boss, and Netflix, though none have confirmed impact. Ledger and Global-e are collaborating to notify impacted users, underscoring the importance of remaining vigilant against phishing and verifying the authenticity of communications. |
| 2026-01-06 12:14:43 | thehackernews | MALWARE | PHALT#BLYX Campaign Targets European Hotels with DCRat Malware | A new campaign, PHALT#BLYX, has been identified targeting the European hospitality sector, using fake Booking.com emails to deliver the DCRat remote access trojan. Attackers initiate the campaign with phishing emails mimicking Booking.com, leading victims to a fake website that impersonates the legitimate service. Victims are tricked into executing malicious PowerShell commands, which download and execute a payload that deploys the DCRat malware. The attack uses living-off-the-land techniques, leveraging trusted system binaries like MSBuild.exe to evade detection and maintain persistence. DCRat, also known as Dark Crystal RAT, is capable of data theft, keystroke logging, and executing arbitrary commands, posing significant risks to targeted organizations. The campaign includes sophisticated evasion tactics, such as modifying Microsoft Defender Antivirus settings and exploiting User Account Control prompts. Evidence of Russian language in the attack's MSBuild file suggests potential links to Russian threat actors. The campaign's focus on European targets, indicated by the use of euros in phishing emails, underscores the need for heightened vigilance in the region. |
| 2026-01-06 12:03:37 | thehackernews | VULNERABILITIES | VS Code Forks Pose Supply Chain Risks Via Missing Extensions | Popular AI-powered VS Code forks, including Cursor and Google Antigravity, recommended non-existent extensions, posing potential supply chain risks in the Open VSX registry. These IDEs inherit extension recommendations from Microsoft's marketplace that are absent in Open VSX, allowing attackers to publish malicious packages under those names. Attackers could exploit this gap by uploading rogue extensions, leading to potential data theft, including credentials and source code, when developers install the suggested extensions. Koi's placeholder PostgreSQL extension saw 500 installs, demonstrating developers' reliance on IDE recommendations without verifying the source. In response to the disclosure, Cursor and Google implemented fixes, while the Eclipse Foundation strengthened registry safeguards by removing non-official contributors. The incident underscores the need for developers to verify the authenticity of extensions before installation to prevent security breaches. The situation highlights the increasing focus of threat actors on exploiting weaknesses in extension marketplaces and open-source repositories. |
| 2026-01-06 11:38:14 | thehackernews | VULNERABILITIES | Addressing Identity Dark Matter: A Growing Security Challenge | Identity management has evolved beyond traditional systems and is now fragmented across SaaS, IaaS, PaaS, and shadow applications, creating significant security challenges. This fragmented landscape includes unmanaged identities and permissions, often operating outside corporate governance, which pose substantial risks. Non-human identities such as APIs, bots, and service accounts are frequently untraceable, lacking ownership and lifecycle controls. In 2024, 27% of cloud breaches were linked to the misuse of dormant credentials, highlighting the critical need for improved identity governance. Organizations are urged to adopt Identity Observability, shifting from configuration-based IAM to evidence-based governance for continuous visibility. Orchid Security advocates a unified approach to telemetry, audit, and orchestration, transforming identity dark matter into actionable insights. The Orchid Perspective emphasizes an identity infrastructure that enhances compliance and security through comprehensive observability. |
| 2026-01-06 11:20:31 | bleepingcomputer | VULNERABILITIES | Debate Arises Over AI Prompt Injection in Microsoft Copilot | Microsoft has rejected claims that prompt injection issues in its Copilot AI assistant constitute security vulnerabilities, sparking debate within the cybersecurity community. Security engineer John Russell identified four potential vulnerabilities, including a file upload restriction bypass, which Microsoft dismissed as not meeting its criteria for servicing. The bypass allows users to encode restricted file formats as base64 text strings, circumventing Copilot's upload policy controls and raising concerns about input validation. The security community is divided, with some experts arguing these issues are inherent limitations of large language models, not vulnerabilities. Microsoft maintains its stance, assessing AI flaws against its bug bar and treating prompt injection issues as expected limitations unless they breach a security boundary. The ongoing discussion reflects differing perspectives on AI risk definitions, which may continue as AI tools become more prevalent in enterprise settings. The OWASP GenAI project suggests system prompt leakage is a risk only when it involves sensitive data or security controls, not as a standalone vulnerability. |
| 2026-01-06 10:59:44 | theregister | CYBERCRIME | Cyberattack Forces School Closure, Extends Student Break in England | Higham Lane School in Warwickshire, England, closed due to a cyberattack that disrupted IT systems, phones, and email, extending the holiday break for students. The school engaged a Cyber Incident Response Team from the Department for Education and IT experts from the Central England Academy Trust to investigate and resolve the issue. Students and staff have been advised to avoid using school systems, including Google Classroom and SharePoint, until further notice to ensure safety during the ongoing investigation. In the meantime, students are directed to external educational resources like BBC Bitesize and Oak National Academy for exam preparation. The school reported the incident to the Information Commissioner's Office, indicating potential concerns over data access and compliance with GDPR regulations. A risk assessment was conducted, prioritizing the safeguarding and wellbeing of students and staff, with plans to reopen depending on recovery progress. The incident highlights the vulnerability of educational institutions to cyber threats and the importance of robust cybersecurity measures. |
| 2026-01-06 10:46:46 | theregister | VULNERABILITIES | UK Invests £210M to Fortify Government Cybersecurity Standards | The UK government has launched a £210 million cyber action plan to enhance cybersecurity across digital public services, aligning them with critical infrastructure standards. A new Government Cyber Unit will be established, led by the UK's Chief Information Security Officer, to improve risk identification and incident response capabilities. The initiative introduces a dedicated Government Cyber Profession, elevating cybersecurity to a standalone discipline within the public sector. The plan follows recent security breaches, including incidents involving Chinese state-sponsored actors and vulnerabilities identified in critical IT systems. The UK aims to save up to £45 billion annually by strengthening public sector cybersecurity and mitigating the risk of service disruptions. The Software Security Ambassador Scheme, launched alongside the plan, enlists major tech companies to promote secure development practices and contribute to policy development. The initiative mirrors international efforts like CISA's Secure by Design pledge, focusing on secure code and supply chain security. |
| 2026-01-06 07:04:12 | theregister | DATA BREACH | Infostealer Campaign Exposes Sensitive Data from 50 Global Enterprises | A cybercriminal named Zestix used infostealer malware to obtain cloud credentials, affecting approximately 50 global organizations across critical sectors including utilities, aviation, and government infrastructure. Victims include major firms like Pickett and Associates, Sekisui House, and Iberia Airlines, with data sold on the dark web, raising significant security and privacy concerns. The breaches occurred because multi-factor authentication (MFA) was not in place, allowing unauthorized access through compromised credentials without exploiting any platform vulnerability. Stolen data includes sensitive engineering, military, and personal information, with some datasets being sold for substantial amounts, such as 6.5 bitcoin for utility engineering data. The incident underscores the critical need for robust credential hygiene, including enforcing MFA and regularly rotating passwords, to prevent unauthorized access. Hudson Rock's investigation revealed that some credentials had been exposed for years, highlighting systemic issues in corporate security protocols. The breaches demonstrate a shift in threat tactics, where attackers use legitimate credentials instead of exploiting technical vulnerabilities, emphasizing the importance of comprehensive security measures. |
| 2026-01-06 06:11:18 | thehackernews | VULNERABILITIES | Critical AdonisJS Bodyparser Flaw Allows Arbitrary File Write on Servers | A critical vulnerability in the `@adonisjs/bodyparser` npm package, tracked as CVE-2026-21440, allows remote attackers to write arbitrary files on servers, posing significant security risks. The flaw, with a CVSS score of 9.2, is a path traversal issue affecting the multipart file handling mechanism in AdonisJS, a Node.js framework for building web apps and API servers. Exploitation requires a reachable upload endpoint and involves the `MultipartFile.move()` function, which can be manipulated to write files outside the intended directory. If exploited, attackers could overwrite sensitive files, potentially leading to remote code execution depending on filesystem permissions and application behavior. Developers are urged to update the package to the latest version and ensure proper sanitization of filenames to mitigate the risk. The vulnerability was discovered by Hunter Wodzenski and adds to recent concerns about npm packages, including a similar flaw in the jsPDF library. The jsPDF vulnerability, CVE-2025-68428, also a path traversal issue, has been patched, highlighting the need for vigilant security practices in npm package management. |
| 2026-01-06 05:10:54 | thehackernews | VULNERABILITIES | Critical n8n Vulnerability Allows Command Execution on Host Systems | A critical vulnerability in n8n, tracked as CVE-2025-68668 and rated 9.9 on the CVSS scale, allows authenticated users to execute arbitrary system commands on the host. The flaw affects n8n versions from 1.0.0 up to, but not including, 2.0.0, posing significant security risks for organizations running these versions. The vulnerability arises from a sandbox bypass in the Python Code Node, allowing command execution with the same privileges as the n8n process. Version 2.0.0 of n8n addresses the issue by making the task runner-based native Python feature the default for enhanced security. Users are advised to upgrade to version 2.0.0 or, as a workaround, configure environment variables to enable the task runner feature. This disclosure follows another critical vulnerability in n8n, CVE-2025-68613, also rated 9.9, emphasizing the need for prompt security updates. Organizations using n8n should review their security protocols and ensure systems are updated to mitigate potential exploitation risks. |
| 2026-01-05 23:00:34 | bleepingcomputer | DATA BREACH | Zestix Threat Actor Exploits Cloud Platforms for Corporate Data Theft | Zestix, a cybercriminal group, is selling corporate data stolen from breached ShareFile, Nextcloud, and OwnCloud instances, affecting companies in sectors such as aviation, defense, and healthcare. Hudson Rock reports initial access was likely obtained using credentials harvested by info-stealing malware such as RedLine, Lumma, and Vidar, often spread through malvertising and ClickFix attacks. The absence of multi-factor authentication (MFA) on the cloud platforms allowed unauthorized access, highlighting a critical security gap in protecting sensitive corporate data. Stolen data includes sensitive documents such as aircraft maintenance manuals, customer databases, and government contracts, posing significant security and privacy risks. Hudson Rock's analysis indicates systemic security failures, with thousands of infected devices identified at major corporations like Deloitte and Samsung, suggesting widespread exposure. The cybersecurity firm has alerted ShareFile and plans to notify Nextcloud and OwnCloud to address the verified exposures and mitigate further risks. The situation emphasizes the need for organizations to enforce robust security practices, including regular credential rotation and MFA implementation, to safeguard against similar threats. |
| 2026-01-05 21:24:05 | bleepingcomputer | MALWARE | ClickFix Campaign Targets European Hospitality Sector with BSOD Scam | A new ClickFix campaign is deceiving European hospitality firms with fake Windows Blue Screen of Death (BSOD) screens in order to deploy malware. Attackers impersonate Booking.com in phishing emails, luring victims to a fake website that mimics the legitimate platform's branding. The attack prompts users to execute malicious PowerShell commands, relying on social engineering and the urgency created by fake reservation cancellations. Once executed, the malware disables Windows Defender, gains admin rights, and establishes persistence, allowing attackers to control infected systems remotely. The deployed malware, DCRat, is a remote access trojan that enables keylogging, remote desktop access, and further payload execution. Securonix researchers observed the attackers using the malware to deploy a cryptocurrency miner, indicating financial motives. The campaign highlights the need for enhanced cybersecurity awareness and training within targeted sectors to prevent such social engineering attacks. |