Daily Brief

Articles are listed below, each followed by a generated summary.

Total articles found: 12611

Checks for new stories every ~15 minutes
2025-12-22 14:03:31 | bleepingcomputer | DATA BREACH | Coupang Data Breach Exposes 33.7 Million Accounts, Triggers Security Concerns
Coupang, South Korea's leading e-commerce platform, reported a data breach affecting 33.7 million customer accounts, marking the largest e-commerce security incident in the country's history. The breach involved unauthorized access to user names, phone numbers, email addresses, delivery addresses, and purchase details, and went undetected for nearly five months. A former Coupang employee is suspected of exploiting retained access keys to facilitate the breach, highlighting insider threat risks. The incident may result in fines up to $900 million, as South Korea's data protection laws allow penalties up to 3% of annual revenue. The breach underscores the need for robust encryption practices, even for data not legally required to be encrypted under current regulations. Penta Security's D.AMO platform offers comprehensive encryption solutions, demonstrating the importance of proactive data protection measures. The event has sparked public outcry and class action movements, with over 200,000 individuals joining related forums within days of the breach disclosure. Companies are urged to adopt advanced encryption and key management systems to safeguard sensitive information and maintain customer trust.
2025-12-22 12:20:04 | theregister | CYBERCRIME | Ransomware Attack Disrupts Romanian Water Agency's IT Systems
A ransomware attack compromised around 1,000 systems at Romania's water management agency, affecting servers, workstations, and communication platforms. Despite the attack, Romanian Waters maintained operational capabilities, with on-site staff ensuring hydrotechnical operations continued unaffected. The attack spread to ten of Romania's 11 river basin management organizations, impacting regional IT infrastructure. Attackers exploited Windows BitLocker to encrypt files, leaving ransom notes demanding negotiations within seven days. Romanian cybersecurity authorities advised against negotiating with attackers, focusing on restoring IT services instead. Romanian Waters' network was not part of the country's critical infrastructure protection system, but integration efforts are now underway. The incident highlights the vulnerability of water management systems to cyber threats, echoing similar attacks in Canada, the UK, and the US.
2025-12-22 12:06:21 | thehackernews | VULNERABILITIES | Critical Network Security Flaws Exploited by Advanced Persistent Threats
Recent attacks have targeted vulnerabilities in network security products from Fortinet, SonicWall, Cisco, and WatchGuard, affecting a wide range of organizations globally. Cisco reported a critical flaw, CVE-2025-20393, in AsyncOS exploited by a China-linked APT group, UAT-9686, to deploy various malware strains. SonicWall's Secure Mobile Access appliances were compromised using CVE-2025-40602, allowing attackers to execute remote code with root privileges. These vulnerabilities provide attackers with deep access into network traffic and connected systems, posing significant risks to data integrity and confidentiality. The vulnerabilities remain unpatched, emphasizing the urgent need for organizations to monitor and mitigate potential threats proactively. The ongoing exploitation of these flaws underscores the importance of maintaining up-to-date security protocols and swift patch management. Organizations are advised to enhance their security posture by implementing robust monitoring and incident response strategies to counteract such threats.
2025-12-22 12:00:04 | thehackernews | MISCELLANEOUS | Wave Browser Promotes Eco-Friendly Browsing for Environmental Impact
As internet usage rises, its environmental impact grows, driven by data centers and resource-heavy browsing, prompting the need for sustainable digital practices. Wave Browser offers an eco-friendly browsing experience, integrating efficient technology with environmental initiatives to reduce digital waste and energy consumption. Key features include built-in ad blocking and memory-saving tools, minimizing the need for multiple extensions and reducing system strain. Users can contribute to ocean cleanup efforts through a partnership with 4ocean, supporting trash removal simply by using Wave Browser. The browser maintains a user-friendly interface, ensuring that eco-conscious browsing does not disrupt the typical online experience. Wave Browser aims to remove 300,000 pounds of ocean trash by 2028, linking everyday browsing to measurable environmental action. This approach highlights the potential for digital tools to foster sustainability without requiring significant changes in user behavior.
2025-12-22 11:11:10 | bleepingcomputer | VULNERABILITIES | ASUS Live Update CVE-2025-59374: Historical Supply Chain Attack Revisited
CVE-2025-59374 concerns a past supply-chain attack on ASUS Live Update, not a new threat, despite its recent addition to CISA's Known Exploited Vulnerabilities catalog. The vulnerability relates to the 2018-2019 "ShadowHammer" attack, where compromised ASUS binaries were delivered to select systems under specific conditions. The affected ASUS Live Update software reached End-of-Support in October 2021, and no current devices are impacted by this vulnerability. Recent updates to ASUS's FAQ page are for documentation purposes, not indicative of a new risk or exploitation of the vulnerability. CISA's inclusion of the CVE in the KEV catalog is part of a retrospective effort to document historical vulnerabilities, not due to active exploitation. Security teams should critically assess CISA-linked CVEs, especially for unsupported software, to avoid unnecessary urgency in response efforts. Organizations are advised to maintain updated software versions to mitigate risks, though this specific CVE does not necessitate immediate action.
2025-12-22 09:50:18 | bleepingcomputer | CYBERCRIME | Ukrainian Hacker Admits Role in Nefilim Ransomware Attacks
Artem Aleksandrovych Stryzhak, a Ukrainian national, pleaded guilty to conducting Nefilim ransomware attacks targeting high-revenue businesses across multiple countries, including the U.S. and Europe. Arrested in Spain and extradited to the U.S., Stryzhak faces up to 10 years in prison for computer fraud conspiracy, with sentencing scheduled for May 2026. Stryzhak joined the Nefilim operation in 2021, receiving 20% of ransom payments in exchange for access to the ransomware code, targeting companies with revenues over $100 million. The group used customized malware and threatened to leak stolen data on "Corporate Leaks" websites to pressure victims into paying ransoms. U.S. authorities offer up to $11 million for information leading to the arrest of co-conspirator Volodymyr Tymoshchuk, who remains at large and is involved in multiple ransomware operations. Tymoshchuk is charged with administering LockerGoga, MegaCortex, and Nefilim ransomware, linked to breaches of hundreds of companies worldwide, causing significant financial damages. The case underscores the ongoing threat of ransomware and the importance of international cooperation in apprehending cybercriminals.
2025-12-22 09:04:30 | bleepingcomputer | VULNERABILITIES | Critical RCE Vulnerability Threatens Over 115,000 WatchGuard Firewalls
Over 115,000 WatchGuard Firebox devices are exposed online with an unpatched RCE vulnerability, CVE-2025-14733, which is actively exploited in the wild. This flaw affects Firebox firewalls running Fireware OS versions 11.x, 12.x, and 2025.1, allowing unauthenticated attackers to execute arbitrary code remotely. Devices configured for IKEv2 VPN are particularly vulnerable, even if certain configurations are removed, due to the risk from Branch Office VPNs. WatchGuard advises customers to identify compromised devices using shared indicators of compromise and to rotate all locally stored secrets on vulnerable firewalls. A temporary workaround involves disabling dynamic peer BOVPNs and modifying firewall policies for those unable to patch immediately. The Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to patch affected Firebox firewalls by December 26th under BOD 22-01. Shadowserver reported over 124,658 unpatched Firebox instances online, emphasizing the widespread nature of the vulnerability. This vulnerability follows a similar RCE flaw patched in September, with past incidents showing a pattern of exploitation in North America and Europe.
2025-12-22 06:15:02 | thehackernews | MALWARE | Advanced Android Malware Campaigns Target Users with Sophisticated Techniques
Cybercriminals are deploying Android malware in Uzbekistan, leveraging dropper apps disguised as legitimate applications to deliver the SMS stealer Wonderland, targeting financial data and communications. Wonderland enables real-time command-and-control communication, allowing attackers to intercept SMS messages and one-time passwords, facilitating unauthorized financial transactions. The malware is distributed via fake Google Play Store pages, social media ads, and messaging apps, exploiting stolen Telegram sessions for further propagation. Users are tricked into enabling installations from unknown sources, which allows the malware to gain access to SMS and contacts, and send messages from infected devices. The operation involves a hierarchical structure with roles including developers and card validators, indicating a mature financial fraud enterprise. Other emerging malware like Cellik and Frogblight demonstrate similar advanced capabilities, targeting users in different regions, including Turkey and India, through phishing and app overlays. These campaigns reflect a trend towards more sophisticated Android malware, with tools available for purchase on dark web markets, enabling large-scale attacks with minimal technical expertise. The use of dynamic infrastructure and obfuscation techniques complicates detection and takedown efforts, posing significant challenges for cybersecurity defenses.
2025-12-22 04:16:02 | theregister | DATA BREACH | South Korea Implements Facial Scans to Combat SIM Fraud
South Korea mandates facial recognition for SIM purchases to curb mobile phone scams, following significant data breaches affecting millions. SK Telecom, LG Uplus, and Korea Telecom will use the "PASS" app to store and verify facial biometric data for new customers. The policy aims to prevent criminals from using stolen data to register fraudulent mobile accounts, addressing a prevalent issue in the country. SK Telecom faced a $1.55 billion penalty for inadequate security practices, including unencrypted storage of user credentials. Recent data breaches impacted over half of South Korea's population, with SK Telecom and Coupang being major contributors. The Consumer Dispute Mediation Commission ordered SK Telecom to compensate affected customers, highlighting the financial repercussions of poor cybersecurity. Mobile Virtual Network Operators were responsible for 92% of counterfeit phone registrations, prompting stricter identity verification measures.
2025-12-22 00:25:00 | theregister | DATA BREACH | Asahi Cyberattack Reveals Management-Level Security Oversight Failures
Asahi's President admitted a cyberattack and data leak in October were due to management's lack of focus on security measures, highlighting governance issues in information security. The company utilized the NIST Cybersecurity Framework and engaged third-party experts for attack simulations, yet still faced vulnerabilities due to incomplete implementation. Asahi's leadership acknowledged that establishing a zero-trust environment earlier might have mitigated the attack's impact, indicating a need for proactive security strategies. The incident serves as a reminder for businesses to prioritize cybersecurity at the executive level to prevent similar breaches. The breach has prompted Asahi to reassess its security posture and governance structures, reflecting on the importance of comprehensive security frameworks. This case underscores the critical role of executive oversight in cybersecurity and the potential consequences of neglecting such responsibilities.
2025-12-21 22:36:00 | theregister | DATA BREACH | UK Hospital Accidentally Exposes Staff Data in FOI Response
The Royal Cornwall Hospitals Trust inadvertently exposed personal data of thousands of current and former staff through a Freedom of Information Act response. The breach involved electronic records containing "hidden data" related to employee sickness absence, affecting staff from April 2020 to May 2023. The hospital acknowledged the incident and emphasized its commitment to improving data protection processes and maintaining high security standards. This incident adds to the ongoing challenges faced by healthcare institutions in safeguarding sensitive information amidst increasing cyber threats. The breach serves as a reminder of the importance of thorough data review processes before releasing information under FOI requests. Affected individuals have been informed, and the hospital is likely to undertake measures to prevent similar occurrences in the future.
2025-12-21 15:12:15 | bleepingcomputer | VULNERABILITIES | Docker Releases Over 1,000 Hardened Images as Open Source
Docker has made over 1,000 Hardened Images available as open source under the Apache 2.0 license, enhancing security for developers. These images are designed to minimize attack surfaces and supply-chain risks: they are rootless and stripped of unnecessary components. Docker's commitment includes patching new vulnerabilities in DHI components within seven days of disclosure for its commercial tier. The open-source release aims to establish a new industry standard, offering a secure, production-ready foundation for over 26 million developers. While the free tier does not guarantee a patching timeline, the commercial DHI Enterprise tier promises faster fixes, potentially within a day. DHI images maintain high security standards, including SBOM verification and SLSA Build Level 3 provenance, ensuring authenticity and reliability. This strategic move by Docker could significantly impact the container ecosystem by providing accessible and secure development resources.
2025-12-21 07:43:58 | theregister | MISCELLANEOUS | NIST Faces NTP Service Disruption Due to Power Outage in Boulder
A power outage in Boulder, Colorado, disrupted NIST's atomic clock operations, affecting its Network Time Protocol (NTP) services crucial for system synchronization. The outage led to a clock drift, causing potential authentication issues and application instability for systems relying on NIST's time services. NIST personnel attempted to disable backup generators to prevent dissemination of incorrect time, but severe weather restricted site access. Xcel Energy attributed the outage to strong winds, with most power expected to be restored within hours, though NIST's Boulder site remained affected. NIST advised users, including telecommunications and aerospace sectors, to utilize alternative time sources to mitigate impact. This incident underscores the importance of specifying multiple NTP servers and having failover mechanisms in place for critical time-dependent operations. Organizations relying solely on NIST's Boulder facility may face challenges, highlighting the need for diversified time synchronization strategies.
2025-12-21 04:30:44 | thehackernews | NATION STATE ACTIVITY | Infy APT Resurfaces with Enhanced Malware Targeting Global Entities
The Iranian APT group Infy, also known as Prince of Persia, has re-emerged after nearly five years of inactivity, targeting countries including Iran, Iraq, Turkey, India, Canada, and parts of Europe. Infy employs two primary malware strains: Foudre, a downloader and victim profiler, and Tonnerre, a data extraction implant, both distributed via phishing emails. Recent campaigns have seen a shift from using macro-laced Excel files to embedding executables within documents to install Foudre, enhancing the group's attack methodology. The group's command-and-control infrastructure utilizes a domain generation algorithm and RSA signature verification to ensure domain authenticity, increasing operational resilience. The latest version of Tonnerre includes functionality to connect with a Telegram group for command issuance and data collection, demonstrating advanced communication tactics. SafeBreach's investigation has revealed detailed insights into Infy's C2 infrastructure, including directories for validation, communication logs, and exfiltrated data storage. Despite past perceptions of inactivity, Infy's continued evolution and sophisticated tactics indicate a persistent and adaptable threat presence in the cyber landscape.
2025-12-20 15:29:51 | bleepingcomputer | CYBERCRIME | RansomHouse Enhances Ransomware Capabilities with Advanced Encryption Techniques
RansomHouse, a ransomware-as-a-service group, has upgraded its encryption method, moving from a simple single-phase to a complex multi-layered approach, enhancing speed and reliability. The new encryptor variant, named 'Mario,' employs a two-stage transformation using two distinct keys, complicating data recovery and increasing encryption entropy. RansomHouse's latest strategy includes dynamic chunk sizing for files over 8GB, making static analysis challenging due to its non-linear processing and complex mathematical operations. The upgraded encryptor improves memory layout and buffer organization, employing multiple dedicated buffers for each encryption stage, increasing complexity and hindering reverse engineering efforts. The 'Mario' variant continues to target VMware ESXi hypervisors, renaming encrypted files with a '.emario' extension and deploying ransom notes across affected directories. Palo Alto Networks Unit 42 warns that these advancements indicate a troubling trend in ransomware evolution, focusing on efficiency and evasion over sheer attack volume. RansomHouse's sustained development of sophisticated tools suggests a strategic emphasis on enhancing negotiation leverage through stronger encryption capabilities.