Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11688
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-11-04 03:25:48 | theregister | CYBERCRIME | AN0M Messaging App Continues to Yield Arrests in Criminal Sting | Australian police arrested 55 individuals using evidence from the AN0M app, part of a long-term sting operation targeting organized crime. The AN0M app, developed by the FBI and Australian Federal Police, was designed to intercept criminal communications through a backdoor. Since its inception in 2018, AN0M has facilitated numerous arrests by providing authorities access to encrypted messages without users' knowledge. Australia's High Court recently upheld the legality of AN0M, ruling it a closed system exempt from telecommunications network regulations. Recent raids in South Australia led to the seizure of assets valued at AUD$25.8 million, including luxury items linked to organized crime. The operation, known as "Operation Ironside," continues to impact global criminal networks by leveraging intercepted communications. Despite AN0M's success, authorities emphasize the need for "accountable encryption" to manage the volume of evidence generated and enhance security efforts. | Details |
| 2025-11-03 22:37:01 | theregister | MISCELLANEOUS | MIT Sloan Withdraws AI Ransomware Study Amid Criticism | MIT Sloan retracted a working paper claiming 80% of ransomware attacks are AI-driven after significant criticism from cybersecurity experts. Security researchers, including Kevin Beaumont, challenged the paper's validity, citing lack of evidence and outdated references. The controversial paper, co-authored by MIT Sloan and Safe Security, was initially published in April and widely cited. Critics argue the paper misrepresents the role of AI in ransomware, potentially misleading industry professionals and stakeholders. MIT Sloan has acknowledged the feedback and is revising the paper, indicating an updated version will be released. The incident raises concerns about the integrity of cybersecurity research and the influence of corporate interests in academic publications. The broader cybersecurity community emphasizes the need for accurate, evidence-based research to inform effective defenses against evolving threats. | Details |
| 2025-11-03 22:09:31 | theregister | CYBERCRIME | Cybersecurity Professionals Indicted for Orchestrating Ransomware Attacks | Two cybersecurity professionals and an accomplice have been indicted for executing ransomware attacks against multiple U.S. companies between May and November 2023. The suspects, Ryan Clifford Goldberg and Kevin Tyler Martin, were employed by reputable cybersecurity firms, Sygnia Cybersecurity Services and DigitalMint, respectively. They allegedly used ALPHV/BlackCat ransomware to encrypt data and demanded multi-million dollar ransoms, targeting sectors including medical, pharmaceutical, and engineering. A Florida medical device company paid approximately $1.27 million in virtual currency to the attackers, fearing financial repercussions from data theft and encryption. DigitalMint and Sygnia have cooperated with law enforcement, clarifying that the criminal activities occurred outside their infrastructure and systems. The incident raises concerns about insider threats within cybersecurity firms and the potential misuse of privileged access by trusted employees. The investigation continues, with both firms distancing themselves from the accused individuals and maintaining no involvement in the criminal acts. | Details |
| 2025-11-03 20:54:08 | bleepingcomputer | MALWARE | SleepyDuck Trojan Targets Developers via Fake Solidity Extension | A malicious VSCode extension, SleepyDuck, masquerades as a Solidity tool on Open VSX, targeting developers with over 53,000 downloads. SleepyDuck employs an Ethereum smart contract to maintain communication with attackers, ensuring persistence even if primary servers are disabled. Initially harmless, the extension gained malicious capabilities a day after its release, exploiting its early download momentum. Upon activation, SleepyDuck collects system data and establishes a command execution sandbox, posing a significant threat to developers. Open VSX has implemented security measures like automated scans and credential revocation to counteract such threats. Developers are advised to download extensions only from trusted sources and remain vigilant against suspicious activities. This incident emphasizes the need for robust security practices within developer environments to prevent future compromises. | Details |
| 2025-11-03 20:21:42 | theregister | MISCELLANEOUS | AWS, Nvidia, and CrowdStrike Launch Global Cybersecurity Startup Accelerator | AWS, Nvidia, and CrowdStrike are spearheading a Cybersecurity Startup Accelerator, inviting early-stage firms to apply by November 15 for the 2023–2024 cohort. The program offers startups access to resources from AWS, Nvidia, and CrowdStrike, including cloud, compute, and threat intelligence capabilities. This year's focus is on cloud and application security, identity, agentic security, and data security, particularly in the context of AI integration. Participants gain mentorship and the opportunity to pitch to investors at AWS' Demo Day during the RSA Conference in San Francisco. Successful startups may receive funding from CrowdStrike's Falcon Fund, with past graduates collectively raising over $730 million. The accelerator has expanded globally, aiming to attract innovative cybersecurity solutions from around the world to address evolving industry challenges. Notable past participants include Remedio, which secured a $65 million funding round and counts AWS and Check Point among its clients. | Details |
| 2025-11-03 18:36:21 | bleepingcomputer | MALWARE | Microsoft Identifies SesameOp Malware Leveraging OpenAI API for Espionage | Microsoft security researchers have uncovered a new backdoor malware, named SesameOp, which exploits the OpenAI Assistants API for covert command-and-control operations. The malware was discovered during a July 2025 cyberattack investigation, revealing its capability to provide attackers with persistent access to compromised environments. SesameOp employs the OpenAI Assistants API to relay encrypted commands, allowing threat actors to manage backdoored devices without dedicated malicious infrastructure. The attack chain utilizes a heavily obfuscated loader and a .NET-based backdoor, injected into Microsoft Visual Studio utilities for long-term espionage. Microsoft confirmed that SesameOp does not exploit any vulnerabilities in OpenAI's platform but misuses its built-in capabilities, with the API scheduled for deprecation in August 2026. Collaboration between Microsoft and OpenAI led to the identification and disabling of the malicious account and API key used in the attacks. To counteract SesameOp, Microsoft advises auditing firewall logs, enabling tamper protection, and monitoring unauthorized connections to external services. | Details |
| 2025-11-03 18:12:58 | thehackernews | MALWARE | Malicious VSX Extension "SleepyDuck" Targets Solidity Developers | Secure Annex researchers identified a malicious VSX extension, "SleepyDuck," harboring a remote access trojan, targeting Solidity developers with over 14,000 downloads. The extension exploits Ethereum contracts to maintain its command server, updating server details dynamically to evade takedowns. SleepyDuck activates upon opening a code editor window or selecting a .sol file, connecting to "sleepyduck[.]xyz" for command execution. It gathers and exfiltrates system information, including hostname and MAC address, and can execute emergency commands if necessary. The extension's download counts may have been artificially inflated to increase visibility and deceive developers into installation. Microsoft is enhancing marketplace security by conducting periodic scans to detect and remove malicious extensions. Developers are advised to download extensions only from trusted publishers to avoid potential security threats. | Details |
| 2025-11-03 17:44:48 | theregister | CYBERCRIME | Cybercriminals Exploit Logistics Sector for Lucrative Cargo Thefts | Cybercriminals, in collaboration with organized crime groups, target U.S. logistics firms to orchestrate cargo thefts, causing significant supply chain disruptions and financial losses. Proofpoint researchers identified nearly two dozen campaigns leveraging remote monitoring tools to infiltrate logistics companies, facilitating the theft of goods in transit. Attacks begin at broker load boards, where cybercriminals post fake loads to lure logistics companies, embedding malicious links to install legitimate remote management apps. Once access is gained, attackers impersonate brokers to redirect shipments to locations under their control, collaborating with on-ground organized crime groups for theft execution. The stolen goods, ranging from electronics to energy drinks, are sold for profit, with losses reaching millions of dollars and impacting businesses of all sizes. CargoNet reports a significant increase in cargo thefts, with Q3 2025 losses totaling $111.88 million, driven by organized crime targeting high-value items like computer hardware. The National Insurance Crime Bureau estimates annual cargo theft losses at $35 billion, with hotspots in key U.S. states, highlighting the need for enhanced security measures. As cybercriminals refine their tactics, the logistics sector faces growing threats, necessitating vigilance and improved security protocols to safeguard against these sophisticated schemes. | Details |
| 2025-11-03 17:19:33 | bleepingcomputer | CYBERCRIME | Former Cybersecurity Experts Indicted for BlackCat Ransomware Attacks | Three former cybersecurity professionals have been indicted for orchestrating BlackCat ransomware attacks on five U.S. companies, including a medical device manufacturer and a pharmaceutical firm. The accused, linked to DigitalMint and Sygnia, allegedly accessed networks, stole data, and deployed encryption malware, demanding ransoms between $300,000 and $10 million. A Tampa medical device company paid $1.27 million after a $10 million ransom demand, highlighting the financial impact and risk associated with such attacks. Charges include conspiracy to interfere with interstate commerce by extortion and intentional damage to protected computers, carrying potential sentences of up to 20 years. The indictment suggests the defendants operated as ALPHV BlackCat affiliates, a group connected to over 60 breaches and $300 million in ransoms until September 2023. This case raises concerns about insider threats within cybersecurity firms and the potential for misuse of expertise in criminal activities. The Department of Justice and FBI have not commented on the connection to previous investigations into ransomware negotiators' involvement with criminal groups. | Details |
| 2025-11-03 16:50:20 | bleepingcomputer | CYBERCRIME | Cybercriminals Exploit RMM Tools for Cargo Theft in Freight Industry | Cybercriminals are targeting freight brokers and trucking carriers using remote monitoring and management tools (RMMs) to hijack cargo shipments and steal goods. Proofpoint identified nearly two dozen campaigns since August, with attacks primarily affecting North American entities and extending to Brazil, Mexico, India, Germany, Chile, and South Africa. Attackers use compromised accounts to post fraudulent freight listings or breach email accounts, employing social engineering tactics to deceive victims into installing RMM tools. Tools like ScreenConnect, SimpleHelp, and PDQ Connect are used to gain remote control, conduct reconnaissance, and harvest credentials, facilitating cargo rerouting and impersonation of legitimate carriers. The National Insurance Crime Bureau estimates U.S. cargo theft losses at $35 billion annually, with cybercriminals exploiting digital supply chain vulnerabilities. Recommendations for defense include restricting unapproved RMM installations, monitoring network activity, and blocking executable file attachments at email gateways. The attacks suggest potential collaboration with organized crime groups, leveraging insider knowledge of routes and high-value cargo to maximize theft profitability. | Details |
| 2025-11-03 15:32:03 | bleepingcomputer | CYBERCRIME | Comparing OAuth Device Code Phishing in Azure and Google | The article examines how OAuth 2.0's device code flow can be exploited for phishing attacks, focusing on differences between Microsoft's Azure and Google's implementations. Device code phishing exploits legitimate authentication flows, tricking users into providing access tokens, which attackers use to access resources as the victim. In Azure, attackers can exploit device code phishing to gain powerful access tokens, allowing actions like reading emails and joining rogue devices to a tenant. Google's implementation limits the attack's impact by restricting available scopes, significantly reducing the potential damage compared to Azure. The analysis reveals that while both platforms use the same OAuth feature, Google's approach to limiting scope results in a safer environment against device code phishing. Organizations using Azure should be aware of the potential risks and consider additional safeguards to mitigate phishing threats targeting device code flows. | Details |
| 2025-11-03 15:22:32 | bleepingcomputer | VULNERABILITIES | Microsoft Emergency Patch Disrupts Hotpatching on Windows Server 2025 | An out-of-band update, KB5070881, addressing a critical WSUS vulnerability, disrupted hotpatching on Windows Server 2025, affecting systems enrolled for automatic updates. The CVE-2025-59287 remote code execution flaw was actively exploited, prompting urgent patching efforts by Microsoft and cybersecurity agencies. The Netherlands National Cyber Security Centre and CISA highlighted the vulnerability's risk, leading to heightened security measures across U.S. government systems. Microsoft halted the problematic update for hotpatch-enrolled systems, offering a revised patch, KB5070893, to maintain hotpatching functionality without requiring reboots. Over 2,600 WSUS instances were identified with exposed default ports, raising concerns about the vulnerability's potential exploitation scope. Administrators are advised to pause and update their systems with KB5070893 to ensure continued hotpatching and security compliance. Microsoft also addressed other issues, including synchronization error displays and Windows 11 update-related bugs, to improve system stability. | Details |
| 2025-11-03 13:18:47 | thehackernews | CYBERCRIME | Cybercriminals Exploit RMM Tools to Target Logistics Networks | Cybercriminals are targeting logistics companies using remote monitoring and management (RMM) software to infiltrate networks and steal cargo freight, particularly food and beverage products. Proofpoint reports that the threat cluster, active since June 2025, collaborates with organized crime groups to exploit the surface transportation industry for financial gain. Attackers use compromised email accounts to hijack conversations and post fraudulent freight listings, leveraging malicious URLs to deploy RMM tools like ScreenConnect and SimpleHelp. These campaigns resemble previous attacks involving information stealers and remote access trojans but lack evidence of the same threat actor involvement. Once access is gained, attackers perform network reconnaissance and deploy credential harvesting tools, potentially deleting bookings and blocking dispatcher notifications. The use of legitimate RMM software helps attackers evade detection, as these tools are common in enterprise environments and often not flagged by security solutions. The ongoing threat highlights the need for enhanced security measures in logistics and freight operations to protect against cyber-enabled thefts. | Details |
| 2025-11-03 13:04:50 | theregister | MISCELLANEOUS | Metropolitan Police Reports Record Arrests Using Facial Recognition Technology | London's Metropolitan Police Service reported 962 arrests from 203 live facial recognition deployments between September 2024 and September 2025, citing significant success in identifying offenders. The technology generated 2,077 alerts with 10 false positives, primarily due to image quality issues. None of the false positives resulted in arrests. Concerns persist regarding ethnic biases, with 80% of false positives involving Black individuals, sparking criticism from privacy and human rights groups. The Metropolitan Police maintains that demographic imbalances are not statistically significant and are influenced by deployment locations in crime hotspots. Public support for facial recognition technology is high, with 85% approval among Londoners, though opposition exists among certain demographics, including younger and minority communities. The UK government is considering broader implementation of facial recognition technology, informed by Croydon's permanent camera installations and upcoming guidance literature. The Metropolitan Police emphasizes transparency and community engagement to address concerns and build trust in the technology's use. | Details |
| 2025-11-03 13:04:50 | thehackernews | VULNERABILITIES | Critical Lanscope Flaw Exploited by Tick Group for Espionage | A critical vulnerability in Motex Lanscope Endpoint Manager (CVE-2025-61932) has been exploited by the Tick group, a suspected Chinese cyber espionage actor, to deploy the Gokcpdoor backdoor. The flaw, with a CVSS score of 9.3, was quickly leveraged to infiltrate networks, targeting sectors aligned with the group's intelligence objectives, according to Sophos. The exploitation of this vulnerability demonstrates the rapid pace at which attackers can weaponize newly discovered security flaws. Traditional security measures like firewalls and VPNs are increasingly inadequate against AI-powered attacks, prompting a shift towards Zero Trust models. Organizations are urged to prioritize patch management and adopt proactive measures to mitigate risks associated with emerging vulnerabilities. The incident underscores the necessity for continuous monitoring and swift response strategies to protect sensitive data and infrastructure. The cybersecurity landscape is evolving, with attackers using advanced tools and tactics, emphasizing the need for adaptive and resilient defense mechanisms. | Details |