Daily Brief
Total articles found: 12611
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-12-19 10:32:06 | theregister | MISCELLANEOUS | Ofcom Report Reveals Young Brits' Growing Discontent with Internet | Ofcom's 2025 survey reveals a decline in young Brits' perception of the internet, with only a third believing it benefits society, down from 42% in 2024. The survey indicates a shift in mental health perceptions, as 35% of young adults now disagree that the internet positively affects their emotional wellbeing, reversing last year's sentiment. Despite negative views, young adults spend over six hours daily online, surpassing older age groups, who average four and a half hours. Potentially harmful online encounters are more frequent among young adults, particularly on platforms like Instagram and TikTok, compared to older users. The survey coincides with increased scrutiny on internet safety, following the UK's Online Safety Act and global efforts to protect younger users. Young adults are more proactive in managing their online presence, yet less likely to report harmful content, citing a lack of perceived severity. The findings suggest a growing concern among young people about the internet's impact, despite their continued high engagement levels. |
| 2025-12-19 10:32:06 | thehackernews | CYBERCRIME | Nigerian Authorities Arrest Developer Behind RaccoonO365 Phishing Scheme | Nigerian police, in collaboration with Microsoft and the FBI, arrested three suspects linked to the RaccoonO365 phishing operation targeting Microsoft 365 users. Okitipi Samuel, identified as the main developer, allegedly sold phishing links via Telegram, accepting cryptocurrency for fraudulent login portals hosted on Cloudflare. The operation led to the theft of over 5,000 Microsoft credentials across 94 countries since July 2024, affecting corporate, financial, and educational sectors. Microsoft, tracking the group as Storm-2246, previously seized 338 domains used by the phishing scheme in partnership with Cloudflare. The phishing attacks resulted in business email compromise, data breaches, and financial losses, with unauthorized access incidents reported from January to September 2025. A civil lawsuit by Microsoft and Health-ISAC accuses multiple defendants of distributing the phishing kit, facilitating further cybercrimes like financial fraud and ransomware. The arrests and ongoing legal actions reflect increased efforts to dismantle global phishing-as-a-service operations impacting major organizations. |
| 2025-12-19 10:32:06 | bleepingcomputer | VULNERABILITIES | Critical RCE Vulnerability in WatchGuard Firebox Firewalls Actively Exploited | WatchGuard has identified a critical remote code execution vulnerability, CVE-2025-14733, in its Firebox firewalls, actively exploited in the wild, necessitating immediate patching by users. The flaw affects Fireware OS versions 11.x and later, allowing unauthenticated attackers to execute malicious code if devices are configured with IKEv2 VPN. Even after removing vulnerable configurations, devices may remain at risk if branch office VPNs to static gateway peers are still active. WatchGuard has released a temporary workaround for organizations unable to patch immediately, involving disabling dynamic peer BOVPNs and modifying firewall policies. Indicators of compromise have been shared to help users detect potential breaches, with recommendations to rotate locally stored secrets if malicious activity is found. A similar vulnerability, CVE-2025-9242, was patched in September, with over 75,000 devices found vulnerable soon after, prompting action from CISA. WatchGuard's extensive network of over 17,000 partners underscores the widespread impact, affecting more than 250,000 small and mid-sized businesses globally. |
| 2025-12-19 09:05:51 | theregister | MISCELLANEOUS | AI Integration in Cybersecurity: Balancing Innovation and Protection | A recent webinar hosted by The Register explored the dual role of AI in enhancing cybersecurity and the need to secure AI technologies within enterprises. Panelists from Google Cloud, Deloitte, and IDC discussed the evolving security landscape as AI shifts from experimental to mainstream enterprise use. The integration of AI in cybersecurity is driving organizations to reevaluate operations amid increasing ransomware threats and nation-state-sponsored activities. AI tools are being leveraged to reduce analyst fatigue by summarizing alerts and prioritizing critical threats, enhancing operational efficiency. The discussion addressed the challenges of securing AI assets, including models and sensitive data, emphasizing the importance of robust access control and governance. The concept of "shadow AI" was identified as both a cultural and technological challenge, requiring attention from security leaders. The session provided practical insights for aligning security strategies with AI adoption, focusing on risk management and operational resilience. Executives are encouraged to view the on-demand webinar to gain actionable strategies for integrating AI into their cybersecurity frameworks. |
| 2025-12-19 08:32:54 | thehackernews | VULNERABILITIES | UEFI Flaw Exposes Major Motherboards to Early-Boot DMA Attacks | A new vulnerability affects ASRock, ASUS, GIGABYTE, and MSI motherboards, enabling early-boot DMA attacks due to improper UEFI and IOMMU configurations. The flaw lets an attacker with physical access use a malicious PCIe device to manipulate or inspect system memory before operating-system safeguards activate. Discovered by researchers from Riot Games, the issue involves a failure to enable the IOMMU during the critical boot phase, despite firmware indicating active DMA protection. Attackers could exploit this to access sensitive data or modify system memory, compromising system integrity before the operating system loads. Impacted vendors are releasing firmware updates to correct the IOMMU initialization sequence, emphasizing the need for prompt patch application. CERT Coordination Center advises immediate patching and adherence to security best practices, especially in environments where physical access cannot be controlled. The flaw's implications extend to virtualized and cloud environments, underscoring the necessity for correct firmware configurations to maintain security integrity. |
| 2025-12-19 03:04:11 | theregister | NATION STATE ACTIVITY | China Launches CENI to Lead Global Networking Research and Innovation | China has activated the China Environment for Network Innovation (CENI), a vast research network aimed at advancing the nation's position in global networking research. CENI successfully transferred 72 terabytes of data in 1.6 hours over a 1,000 km distance, demonstrating near 100 Gbit/s speeds. The network connects 40 Chinese cities with over 55,000 kilometers of optic fiber, supporting 128 heterogeneous networks and 4,096 parallel service tests. CENI's objectives include enhancing national cybersecurity capabilities and fostering networking innovations 5-10 years ahead of industry standards. Chinese tech giants Huawei and Baidu have utilized CENI for testing, significantly boosting AI data processing efficiency. The network aims to position China as a leader in cyberspace competition, akin to historical U.S. research networks like ARPANET and GENI. CENI's capabilities offer China a strategic advantage in developing a domestic AI stack and advancing cybersecurity technologies. |
| 2025-12-18 23:45:25 | theregister | NATION STATE ACTIVITY | Amazon Blocks 1,800 North Korean Scammers in Employment Fraud Scheme | Amazon has thwarted over 1,800 suspected North Korean job applicants since April 2024, aiming to prevent funds from reaching the DPRK regime. The scheme involves North Korean operatives using fake or stolen identities to secure remote jobs at major tech firms, funneling wages back to North Korea. Advanced techniques such as AI-generated résumés, deepfakes, and stolen LinkedIn profiles are employed to enhance credibility during the hiring process. The Lazarus Group has introduced an updated version of BeaverTail malware, featuring sophisticated obfuscation and signature evasion capabilities. BeaverTail targets multiple operating systems and is linked to subgroups like Famous Chollima and Tenacious Pungsan, facilitating data theft and extortion. Amazon employs a combination of AI screening and human verification to detect fraudulent applications, but challenges persist due to increasingly sophisticated tactics. Companies are advised to implement multi-stage identity verification and monitor for unusual technical behavior to mitigate risks from such employment scams. |
| 2025-12-18 20:23:47 | bleepingcomputer | CYBERCRIME | Clop Ransomware Targets Gladinet CentreStack in Data Theft Campaign | The Clop ransomware group is targeting Gladinet CentreStack file servers in a new data theft extortion campaign, affecting businesses worldwide. Gladinet CentreStack allows secure file sharing without VPNs and is used by thousands of businesses across 49 countries. Since April, Gladinet has issued security updates to address several vulnerabilities, some exploited as zero-days, but the specific flaw Clop is using remains unidentified. Clop is scanning for Internet-exposed CentreStack servers, leaving ransom notes on compromised systems, with at least 200 potential targets identified. The group has a history of attacking secure file transfer products, previously impacting thousands of organizations globally, including high-profile entities. Clop's recent attacks involved exploiting an Oracle EBS zero-day, affecting multiple organizations and resulting in data leaks on the dark web. The U.S. Department of State offers a $10 million reward for information linking Clop's activities to a foreign government. |
| 2025-12-18 20:23:47 | bleepingcomputer | DATA BREACH | University of Sydney Data Breach Exposes Sensitive Staff and Student Information | The University of Sydney experienced a data breach affecting personal information of over 27,000 staff and students, accessed via an online coding repository. Compromised data includes names, dates of birth, phone numbers, home addresses, and job details, though no misuse or online publication has been confirmed. The breach was confined to a single system, detected last week, and promptly mitigated by blocking unauthorized access and securing the environment. Notifications have been sent to affected individuals, with a dedicated support service established to offer counseling and guidance. The university informed the New South Wales Privacy Commissioner, Australian Cyber Security Centre, and education regulators, ensuring compliance with legal protocols. Affected parties are advised to monitor for suspicious communications, update passwords, and enable multi-factor authentication to enhance security. This incident follows a previous breach in September 2023 involving a third-party service provider, highlighting ongoing challenges in data protection. |
| 2025-12-18 20:16:42 | theregister | VULNERABILITIES | Study Reveals Security Risks in Outdated Embedded Device Browsers | Researchers from KU Leuven found that many new devices, including smart TVs and e-readers, ship with outdated embedded browsers, posing significant security risks. The study, conducted between February 2024 and February 2025, evaluated 53 unique products and identified browsers up to three years behind current versions. Devices like the Boox Note Air 3 tablet were found with browsers based on Chromium 85, released in 2020, lacking essential security updates. Embedded browsers in gaming platforms like Steam and AMD Adrenalin showed vulnerabilities, including address bar spoofing and privilege escalation risks. The EU Cyber Resilience Act, effective December 2024, aims to enforce security obligations on vendors by December 2027, but many devices remain non-compliant. Development frameworks like Electron contribute to update challenges, as they require entire framework updates, increasing development costs and complexity. Researchers recommend regulatory measures to ensure vendors maintain security updates for embedded browsers, as voluntary compliance appears insufficient. |
| 2025-12-18 18:54:20 | theregister | CYBERCRIME | Stolen AWS Credentials Exploited for Illicit Cryptocurrency Mining | Cryptocurrency thieves are utilizing compromised AWS credentials to mine digital coins, impacting AWS customers by abusing Elastic Container Service and Elastic Compute Cloud resources. The operation, which began on November 2, involves using IAM credentials with admin-like privileges to deploy mining tools swiftly, within 10 minutes of access. Amazon's GuardDuty detected the cryptomining activity, alerting affected customers, though the exact number of impacted accounts remains undisclosed. Attackers exploited EC2 service quotas and used auto-scaling groups to maximize resource consumption, creating dozens of ECS clusters, sometimes exceeding 50 in a single attack. Persistence was achieved by disabling API termination on AWS instances, complicating the removal process for victims and prolonging unauthorized resource use. To maintain access, attackers deployed an AWS Lambda function with no authentication, exposing it via a public URL. Amazon advises implementing strong identity and access management controls, temporary credentials, and multi-factor authentication to mitigate such threats. |
| 2025-12-18 17:50:35 | theregister | CYBERCRIME | North Korean Crypto Heists Surge to $2 Billion in 2025 | Chainalysis reports North Korean cybercriminals stole over $2 billion in cryptocurrency in 2025, marking a 51% increase from the previous year. The Bybit attack in February alone accounted for $1.5 billion, significantly contributing to North Korea's record-breaking thefts. North Korea's focus shifted towards personal wallets, with 158,000 attacks affecting 80,000 individuals, reflecting a strategic pivot from DeFi protocols. The country executed 76% of attacks on centralized services, utilizing fake IT workers and recruiters to infiltrate and compromise cryptocurrency firms. North Korea's evolving tactics include posing as strategic investors to extract sensitive information from web3 companies, posing new security challenges. Despite fewer known attacks, the increased value stolen suggests North Korea's operations remain highly effective and potentially underestimated. The shift away from DeFi targets indicates improved security in decentralized finance, though challenges persist with ongoing attacks on protocols like Garden and Balancer. As North Korea's cyber capabilities advance, organizations must enhance detection and prevention measures to mitigate future high-impact incidents. |
| 2025-12-18 17:43:37 | thehackernews | NATION STATE ACTIVITY | LongNosedGoblin Targets Southeast Asian Governments with Espionage Malware | ESET reports LongNosedGoblin, a China-aligned threat cluster, has targeted Southeast Asian and Japanese governmental entities for cyber espionage since September 2023. The group exploits Windows Group Policy to deploy malware across networks, using cloud services like OneDrive and Google Drive for command and control. The attacks involve a custom toolset primarily composed of C#/.NET applications, with initial detection occurring in February 2024. NosyDoor malware, used selectively, suggests a targeted approach; execution guardrails limit its operation to specific machines. LongNosedGoblin employs additional tools, including a reverse SOCKS5 proxy and a Cobalt Strike loader, indicating sophisticated tradecraft. Similarities between NosyDoor and LuckyStrike Agent hint at potential malware licensing or sharing among China-aligned groups. A variant of NosyDoor was identified targeting an EU organization, using Yandex Disk as a command and control server, indicating broader reach. |
| 2025-12-18 17:34:04 | bleepingcomputer | VULNERABILITIES | Automated Credential Attacks Target Cisco and Palo Alto VPNs | An automated campaign is targeting VPN platforms, with attacks on Palo Alto Networks GlobalProtect and Cisco SSL VPN observed, focusing on credential-based access attempts. GreyNoise reported a peak of 1.7 million login attempts on GlobalProtect portals within 16 hours, originating from over 10,000 unique IP addresses. The attack traffic primarily came from the 3xK GmbH IP space in Germany, suggesting a centralized cloud infrastructure was used for these operations. Attackers reused common username and password combinations, with a consistent Firefox user agent, indicating scripted credential probing rather than interactive access. On December 12, similar attack patterns were observed against Cisco SSL VPN endpoints, marking the first large-scale use of 3xK-hosted IPs in 12 weeks. Despite the ongoing attacks, there is no evidence linking this activity to the recently disclosed zero-day vulnerability in Cisco AsyncOS. Palo Alto Networks and GreyNoise recommend using strong passwords, enabling multi-factor authentication, auditing network appliances, and blocking known malicious IPs. This incident highlights the need for robust authentication measures and vigilant monitoring of VPN endpoints to prevent unauthorized access. |
| 2025-12-18 16:19:28 | bleepingcomputer | CYBERCRIME | U.S. Seizes E-Note Crypto Exchange in Ransomware Laundering Crackdown | U.S. law enforcement, with international partners, dismantled E-Note, a cryptocurrency exchange implicated in laundering over $70 million from ransomware and account takeover attacks. The FBI identified E-Note as a key player in transferring illicit proceeds since 2017, involving a network of international "money mules." Authorities seized E-Note's servers, domains, and mobile apps, disrupting a major channel for cybercriminal financial operations. The U.S. Attorney's Office indicted Mykhalio Petrovich Chudnovets, a Russian national, on charges of money laundering conspiracy, potentially facing a 20-year prison sentence. The confiscation of customer databases and transaction records may aid in identifying additional cybercriminals and users of the E-Note service. This operation demonstrates the effectiveness of international collaboration in targeting and dismantling cybercriminal infrastructure. The case highlights the ongoing challenge of cryptocurrency exchanges being exploited for laundering illicit funds from cybercrime activities. |