Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-12-24 09:25:58 | thehackernews | CYBERCRIME | SEC Charges Companies in $14 Million AI-Themed Crypto Fraud | The SEC has charged several companies for orchestrating a cryptocurrency scam that defrauded retail investors of over $14 million using fake AI-generated investment tips.
Companies involved include Morocoin Tech Corp., Berge Blockchain Technology Co., Ltd., and Cirkor Inc., alongside investment clubs such as AI Wealth Inc. and Lane Wealth Inc.
Fraudsters used social media ads and WhatsApp group chats to pose as financial professionals, promising returns from AI-generated signals to lure investors.
The scam involved fake cryptocurrency trading platforms and non-existent Security Token Offerings, falsely claiming government licenses and legitimate business backing.
Investors faced additional losses when attempting withdrawals, as platforms demanded advance fees before cutting off access entirely.
The ill-gotten gains were funneled overseas through a network of bank accounts and crypto wallets, with significant transfers to China, Hong Kong, and Indonesia.
The SEC seeks permanent injunctions, civil penalties, and repayment with interest, emphasizing the need for vigilance against investment scams targeting retail investors. | Details |
| 2025-12-24 06:23:37 | thehackernews | CYBERCRIME | Italy Fines Apple €98.6 Million for Restrictive ATT Practices | Italy's antitrust authority fined Apple €98.6 million, citing App Tracking Transparency (ATT) rules that limit App Store competition and impose burdens on third-party developers.
The investigation, initiated in May 2023, found that Apple's dominant market position allowed it to enforce ATT rules unilaterally, disadvantaging developers.
Developers must navigate both ATT and GDPR consent prompts, complicating data processing for personalized ads, while Apple's apps require only a single consent tap.
The Italian authority argues that the double consent requirement harms developers reliant on advertising revenue, suggesting a unified consent prompt could suffice.
Apple plans to appeal the decision, asserting that its privacy rules apply equally to all developers, including its own services.
This case is part of a broader trend, with Apple facing similar regulatory challenges in France, Poland, and Romania regarding its ATT framework.
Germany's antitrust body is evaluating Apple's proposed changes to ATT, aiming to simplify consent processes and ensure compliance with data protection laws. | Details |
| 2025-12-24 03:47:01 | theregister | VULNERABILITIES | Microsoft Aims to Transition Entire Codebase to Rust by 2030 | Microsoft plans to replace its entire C and C++ codebase with Rust by 2030, leveraging AI and algorithms to facilitate the transition.
The initiative is led by Galen Hunt, a distinguished engineer at Microsoft, who envisions translating millions of lines of code efficiently.
Rust, a memory-safe language, is favored for its ability to prevent vulnerabilities like out-of-bounds reads and use-after-free errors.
Microsoft has developed a robust code processing infrastructure to support this transition, utilizing scalable graphs and AI agents for code modifications.
The move aligns with global calls for adopting memory-safe languages to enhance software security, reflecting a significant shift in industry standards.
A new Principal Software Engineer role is open to drive this effort, focusing on evolving Microsoft's infrastructure to support the code translation.
This ambitious project underscores Microsoft's commitment to reducing technical debt and improving security across its extensive product portfolio. | Details |
| 2025-12-23 22:20:23 | theregister | VULNERABILITIES | ServiceNow Acquires Armis to Enhance Cybersecurity Capabilities and Data Integration | ServiceNow announced a $7.75 billion acquisition of cybersecurity firm Armis, aiming to integrate real-time security intelligence into its platform by 2026.
The acquisition will merge ServiceNow's Configuration Management Database with Armis’ data discovery tools, enabling customers to identify and prioritize vulnerabilities more effectively.
This strategic move is expected to triple ServiceNow’s current $1 billion annual security revenue by streamlining cybersecurity operations and reducing reliance on disparate software solutions.
Armis, recognized as a leader in the Gartner Magic Quadrant, brings substantial data capabilities that will significantly enhance ServiceNow’s IT asset management and security offerings.
The acquisition is part of a broader strategy, including recent purchases of Veza and Data.World, to bolster ServiceNow’s data management and AI capabilities.
Industry analysts view this as a major expansion of ServiceNow’s capabilities, positioning the company well ahead of competitors like Salesforce in IT service management.
Successful integration of Armis and other acquisitions will be crucial for ServiceNow to deliver seamless and enhanced cybersecurity solutions to its customers. | Details |
| 2025-12-23 20:05:57 | bleepingcomputer | VULNERABILITIES | Microsoft Enhances BitLocker with Hardware Acceleration in Windows 11 | Microsoft introduces hardware-accelerated BitLocker in Windows 11, leveraging system-on-a-chip (SoC) capabilities to address performance and security concerns in data encryption processes.
This update targets performance impacts on gaming and video editing, where BitLocker's cryptographic operations previously slowed down system performance.
By offloading cryptographic tasks to SoC components with hardware security modules, the new BitLocker reduces CPU usage and enhances system efficiency.
The hardware-accelerated BitLocker employs the XTS-AES-256 algorithm, providing automatic device encryption and improved security through hardware-protected keys.
Initial support is available on Intel vPro systems with Intel Core Ultra Series 3 processors, with plans to expand to other SoC vendors.
Users can verify the mode of BitLocker operation by using the command 'manage-bde -status' to check for hardware acceleration.
Microsoft’s enhancement aims to eliminate BitLocker keys from CPU and memory, reducing exposure to cyberattacks and bolstering security. | Details |
| 2025-12-23 19:33:24 | bleepingcomputer | MALWARE | WebRAT Malware Exploits Fake GitHub Repositories for Distribution | WebRAT, an info-stealing backdoor, is now distributed via GitHub repositories posing as proof-of-concept exploits for recent vulnerabilities.
Previously spread through pirated software and game cheats, WebRAT targets Steam, Discord, Telegram credentials, and cryptocurrency wallets.
Kaspersky identified 15 GitHub repositories distributing WebRAT, using AI-generated text to mimic legitimate vulnerability exploit documentation.
The malware achieves persistence through Windows Registry changes, Task Scheduler entries, and system directory injections.
Delivered via password-protected ZIP files, WebRAT disables Windows Defender and executes from a hardcoded URL after privilege escalation.
Despite the removal of malicious repositories, developers are advised to verify sources and use isolated environments for testing untrusted code.
This incident underscores the ongoing threat of using GitHub as a vector for malware distribution, demanding heightened vigilance from the cybersecurity community. | Details |
| 2025-12-23 17:28:53 | theregister | DATA BREACH | Nissan Data Breach Exposes Personal Information of 21,000 Customers | Nissan disclosed a data breach affecting 21,000 customers after unauthorized access to a Red Hat-managed server, marking its third major security incident in three years.
Compromised data includes customer names, addresses, phone numbers, partial email addresses, and other sales-related information, though no credit card details were stolen.
The breach was detected by Red Hat on September 26 and reported to Nissan on October 3, with potential links to the Crimson Collective and Scattered Lapsus$ Hunters groups.
Nissan has advised customers to remain vigilant against potential phishing attacks or fraudulent communications using the stolen data.
The automaker plans to enhance monitoring of its subcontractors and strengthen overall information security measures in response to the incident.
Previous breaches in 2023 and 2024 involved significant data theft, including employee information and customer data from different global divisions.
This incident underscores the ongoing challenges in securing supply chain and third-party vendor environments against sophisticated cyber threats. | Details |
| 2025-12-23 16:43:45 | theregister | VULNERABILITIES | Microsoft Releases Urgent Fix for Message Queuing Bug in Windows | Microsoft issued an out-of-band update to fix a Message Queuing bug affecting Windows 10 and Windows Server versions, following issues introduced by the December 2025 update.
The bug primarily impacted enterprise environments, disrupting services like Internet Information Services (IIS) and applications reliant on message queues.
The issue arose from a change requiring Message Queuing to have write access in areas with administrative restrictions, causing service failures and misleading error logs.
Administrators faced challenges as they implemented workarounds, such as modifying permissions or rolling back updates, before the patch was released.
Microsoft's swift release of the patch resolved the issue, but the incident raises concerns about the company's quality control and validation processes.
The problem affected legacy systems that rely on Message Queuing for communication, highlighting the importance of robust testing for longstanding components.
Affected businesses experienced operational disruptions and customer complaints, underscoring the critical nature of timely and effective patch management. | Details |
| 2025-12-23 14:49:20 | thehackernews | MALWARE | Malicious Chrome Extensions Secretly Steal Credentials from 170+ Sites | Cybersecurity researchers identified two malicious Chrome extensions masquerading as network speed test tools, designed to intercept traffic and capture user credentials from over 170 websites.
Users are misled into subscribing to a seemingly legitimate VPN service, paying between ¥9.9 and ¥95.9 CNY ($1.40 to $13.50 USD), while the extensions perform malicious operations.
The extensions employ man-in-the-middle proxy techniques, using hardcoded credentials to intercept and exfiltrate user data to a command-and-control server.
Targeted domains include major developer platforms, cloud services, enterprise solutions, social media, and adult content sites, raising potential risks of blackmail and supply chain attacks.
The extensions maintain continuous data theft capabilities, capturing sensitive information such as passwords, credit card numbers, and API keys through a 60-second heartbeat to the C2 server.
Indicators suggest a China-based operation, with Chinese language descriptions and integration of Alipay/WeChat Pay for payments, alongside Alibaba Cloud hosting.
Users are urged to uninstall the extensions immediately, while security teams should implement extension allowlisting and monitor for suspicious proxy activities. | Details |
| 2025-12-23 13:32:29 | bleepingcomputer | MALWARE | Malicious Chrome Extensions Steal User Data via Proxy Manipulation | Two Chrome extensions, named 'Phantom Shuttle', are actively stealing user credentials by hijacking web traffic under the guise of proxy services.
These extensions have been available on the Chrome Web Store since 2017, targeting users in China, particularly those involved in foreign trade.
The extensions reroute user traffic through proxies controlled by attackers, utilizing hardcoded credentials concealed with a custom encoding scheme.
By dynamically reconfiguring Chrome’s proxy settings, the extensions intercept data from over 170 high-value domains, including developer platforms and social media sites.
Sensitive information such as credentials, session cookies, and API tokens can be captured, posing significant risks to users' privacy and security.
Google has been contacted regarding the extensions, but they remain available for download, highlighting ongoing security challenges in app marketplaces.
Users are advised to install extensions from reputable sources, scrutinize user reviews, and carefully consider permissions requested during installation. | Details |
| 2025-12-23 12:30:50 | bleepingcomputer | DDOS | DDoS Attack Disrupts France's Postal and Banking Services Nationwide | La Poste, France's national postal service, experienced a major network incident, affecting digital banking and online services for millions of customers across the country.
The disruption impacted La Poste's main website, mobile app, digital identity service, and Digiposte platform, though in-person transactions at service counters remained operational.
La Banque Postale confirmed its online and mobile services were down; however, essential banking operations, including ATM withdrawals and in-store card payments, continued to function.
Reports indicate a distributed denial-of-service (DDoS) attack caused the outage, severely affecting La Poste's operations and service delivery nationwide.
La Poste has not provided a timeline for full service restoration or detailed the incident's nature, leaving customers uncertain about the resolution.
This incident follows the recent arrest of a suspect linked to a separate cyberattack on France's Ministry of the Interior, highlighting ongoing cybersecurity challenges.
The attack underscores the vulnerability of critical national infrastructure to cyber threats, emphasizing the need for robust security measures and incident response plans. | Details |
| 2025-12-23 11:43:19 | thehackernews | CYBERCRIME | INTERPOL Operation Sentinel Yields 574 Arrests Across Africa | INTERPOL's Operation Sentinel led to the arrest of 574 suspects across 19 African countries, targeting cybercrime activities such as business email compromise and ransomware.
The operation, conducted over a month, resulted in the recovery of $3 million and dismantling of cyber fraud networks impacting critical sectors like finance and energy.
Authorities decrypted six ransomware variants and took down over 6,000 malicious links, though specific ransomware family names remain undisclosed.
A significant ransomware attack on a Ghanaian financial institution was thwarted, with suspects arrested for encrypting 100 terabytes of data and stealing $120,000.
Ghanaian and Nigerian cyber fraud networks, impersonating fast-food brands, defrauded over 200 victims of $400,000, leading to 10 arrests and seizure of 100 digital devices.
Benin law enforcement dismantled 43 malicious domains and over 4,000 social media accounts used for scams, resulting in 106 arrests.
The operation is part of the African Joint Operation against Cybercrime, aiming to enhance national law enforcement capabilities and disrupt cybercriminal activities in Africa.
Artem Aleksandrovych Stryzhak, a Ukrainian national, pleaded guilty in the U.S. to Nefilim ransomware attacks, targeting companies globally as an affiliate.
Stryzhak was extradited from Spain to the U.S. and faces up to 10 years in prison, with sentencing scheduled for May 2026.
The Justice Department revealed Stryzhak received access to Nefilim ransomware code in exchange for 20% of ransom proceeds, targeting high-revenue companies.
Nefilim operated under a double extortion model, threatening to publish stolen data on a site called Corporate Leaks if victims did not pay.
Another Ukrainian, Volodymyr Viktorovich Tymoshchuk, remains at large with an $11 million reward for information leading to his arrest, linked to multiple ransomware operations.
Nefilim's victims included entities in the U.S., Germany, and other European nations, showcasing the international reach of the ransomware group.
The case underscores ongoing international efforts to combat cybercrime and hold perpetrators accountable across borders. | Details |
| 2025-12-23 11:33:15 | thehackernews | MISCELLANEOUS | Google Workspace's Passwd Enhances Secure Credential Management for Enterprises | Passwd is a password management tool designed specifically for Google Workspace, focusing on secure credential storage, controlled sharing, and seamless integration with existing Google tools.
The platform employs AES-256 encryption and a zero-knowledge architecture, ensuring only users can access decrypted data, supporting robust data protection.
Passwd's compliance with SOC 2 and GDPR standards provides additional security assurance, making it suitable for businesses with regulatory requirements.
Audit logs and access tracking features offer visibility into credential usage, aiding compliance efforts and internal security audits.
The tool integrates directly with Google Workspace for identity management, simplifying onboarding and administration without the need for new credentials.
Passwd's pricing model is attractive for larger teams, eliminating additional fees beyond 301 users, making it cost-effective for enterprise adoption.
The platform is highly rated on review platforms, with users appreciating its functionality for both small and large teams within Google Workspace environments. | Details |
| 2025-12-23 11:13:39 | bleepingcomputer | DATA BREACH | Italy Fines Apple $116 Million Over App Store Privacy Practices | Italy's competition authority fined Apple €98.6 million for allegedly abusing its market position through the App Tracking Transparency (ATT) framework.
The ATT framework, introduced in 2020, requires developers to seek user consent for data tracking, but Apple's own apps are reportedly exempt.
The Italian regulator claims Apple's implementation creates a burdensome double-consent process for developers, conflicting with EU privacy laws.
Apple plans to appeal the decision, emphasizing its commitment to user privacy and arguing that ATT rules apply equally to all developers.
Similar regulatory actions against Apple's ATT practices have emerged in France, with ongoing investigations in Poland and adjustments in Germany.
The case underscores the tension between privacy measures and competitive practices in the tech industry, impacting advertising and data tracking norms. | Details |
| 2025-12-23 09:54:12 | bleepingcomputer | DATA BREACH | Baker University Data Breach Exposes Sensitive Information of 53,000 Individuals | Baker University experienced a data breach affecting over 53,000 individuals, with attackers accessing personal, financial, and health information over a 17-day period in December 2024.
The breach involved sensitive data such as names, Social Security numbers, financial and health information, impacting students, staff, and affiliates of the university.
Following detection of the breach, Baker University engaged an external cybersecurity firm to assist in response efforts and has since rebuilt compromised platforms.
The university is offering free credit monitoring services to those affected and advises vigilance in monitoring financial and credit activities for potential misuse.
The breach is part of a wider trend of attacks on U.S. universities, with similar incidents reported at Harvard, Princeton, and the University of Pennsylvania.
The Clop ransomware group exploited a zero-day vulnerability in Oracle systems at other universities, highlighting the need for robust security measures in educational institutions.
While no fraudulent activity has been confirmed, the breach underscores the ongoing risk to personal data security in higher education environments. | Details |