Daily Brief


Total articles found: 11710

Checks for new stories every ~15 minutes

2025-10-15 11:39:09 | thehackernews | VULNERABILITIES | Risks Associated with Synced Passkeys in Enterprise Environments
Synced passkeys, while enhancing usability, pose significant security risks for enterprises, according to recent advisories from the FIDO Alliance and Yubico. These vulnerabilities are primarily due to the reliance on cloud accounts and recovery workflows, which expand the attack surface. Proofpoint researchers identified a downgrade attack on Microsoft Entra ID, exploiting browser and OS compatibility issues to bypass WebAuthn security. Attackers can leverage compromised browser environments to hijack WebAuthn calls, using malicious extensions or XSS bugs to manipulate passkey processes. Device-bound passkeys are recommended for enterprises, as they are tied to specific devices with secure hardware components, offering better security assurances. Enterprises are advised to implement robust identity security systems focusing on policy, browser and extension posture, and device hygiene. Upcoming webinars will further explore these vulnerabilities and provide insights on mitigating risks, featuring case studies from Snowflake and Cornell University.
2025-10-15 11:07:10 | theregister | DATA BREACH | Capita Fined £14M for Delayed Response to Massive Data Breach
Capita faced a £14 million penalty from the UK's ICO after a cyberattack exposed 6.6 million individuals' data, impacting 325 organizations relying on Capita's services. The breach, to which Capita took 58 hours to respond, involved sensitive data including bank details, biometrics, and passport information. Attackers exploited a malicious JavaScript download, installing Qakbot malware and Cobalt Strike, leading to significant network infiltration and data exfiltration. Capita's security operations center failed to act on alerts promptly, allowing attackers to establish a foothold and move laterally across networks. Despite prior penetration tests identifying vulnerabilities, Capita did not address these issues, contributing to the breach's severity. Following the incident, Capita implemented security improvements and cooperated with authorities, which reduced the initial proposed fine from £45 million. The breach underscores the critical need for timely incident response and robust security measures to protect sensitive data and maintain public trust.
2025-10-15 09:28:19 | thehackernews | VULNERABILITIES | Microsoft Patches Critical Zero-Day Flaws Amidst Windows 10 Support End
Microsoft addressed 183 security flaws, including two critical zero-days, as part of its latest patch release, coinciding with the end of support for Windows 10 devices not enrolled in Extended Security Updates. The two actively exploited zero-days, CVE-2025-24990 and CVE-2025-59230, are elevation of privilege vulnerabilities affecting all Windows versions, potentially allowing attackers to gain administrator access. CVE-2025-24990 is rooted in a legacy driver present in all Windows systems, and Microsoft plans to remove the driver entirely to mitigate the risk. CVE-2025-59230 represents the first zero-day exploitation in the RasMan component, highlighting ongoing vulnerabilities despite numerous patches since 2022. A Secure Boot bypass vulnerability in IGEL OS (CVE-2025-47827) could enable kernel-level rootkit deployment, posing significant risks to virtual desktops, especially in physical access attacks. All three vulnerabilities have been added to CISA's Known Exploited Vulnerabilities catalog, mandating that federal agencies apply patches by November 4, 2025. Other critical vulnerabilities include a remote code execution flaw in Windows Server Update Service (CVE-2025-59287) and a privilege escalation issue in Microsoft Graphics Component (CVE-2025-49708). Organizations are urged to prioritize patching these vulnerabilities to maintain system integrity and prevent potential exploitation, particularly in virtualized environments.
2025-10-15 06:56:52 | thehackernews | VULNERABILITIES | Critical Flaws in Red Lion RTUs Threaten Industrial Control Systems
Two critical vulnerabilities, CVE-2023-40151 and CVE-2023-42770, in Red Lion Sixnet RTUs could allow attackers to execute commands with root privileges. These flaws are rated 10.0 on the CVSS scale, indicating the highest level of severity and potential impact. Affected devices include SixTRAK and VersaTRAK RTUs, widely used in energy, water treatment, transportation, and manufacturing sectors. Exploiting these vulnerabilities could enable attackers to bypass authentication and achieve remote code execution, risking significant operational disruption. Red Lion has advised users to apply patches immediately and enable user authentication to mitigate these risks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert, emphasizing the critical nature of these vulnerabilities. Organizations are urged to block TCP access to the affected RTUs to prevent unauthorized command execution and potential system compromise.
2025-10-15 06:17:08 | thehackernews | VULNERABILITIES | ICTBroadcast Servers Exploited via Critical Cookie Vulnerability
A critical vulnerability, CVE-2025-2611, in ICTBroadcast software allows unauthenticated remote code execution, impacting versions 7.4 and below. The flaw arises from improper input validation, enabling attackers to inject shell commands via session cookies. Approximately 200 online instances of ICTBroadcast are exposed to this vulnerability, with active exploitation detected since October 11. Attackers use a two-phase approach: initial time-based exploit checks followed by reverse shell setup attempts. Overlaps with known malicious infrastructure suggest possible shared tooling with previous email campaigns in Europe. The vulnerability's patch status remains unknown, raising concerns over continued exploitation risks. Organizations using ICTBroadcast should urgently review security measures and monitor for suspicious activity.
2025-10-15 05:43:21 | thehackernews | VULNERABILITIES | Critical SAP NetWeaver Bug Allows Server Takeover Without Login
SAP has released security updates addressing 13 vulnerabilities, including a critical flaw in SAP NetWeaver AS Java with a CVSS score of 10.0, enabling arbitrary command execution. The vulnerability, CVE-2025-42944, involves insecure deserialization, allowing unauthenticated attackers to exploit the system via the RMI-P4 module. Additional security measures include a JVM-wide filter to prevent deserialization of untrusted Java objects, enhancing application confidentiality, integrity, and availability. Another significant flaw, CVE-2025-42937, involves directory traversal in SAP Print Service, allowing unauthorized file overwriting, with a CVSS score of 9.8. SAP also addressed an unrestricted file upload vulnerability in SAP Supplier Relationship Management, CVE-2025-42910, which could lead to malicious file execution. No active exploitation of these vulnerabilities has been reported, but immediate application of patches and mitigations is strongly advised to prevent potential threats. Security experts emphasize the ongoing risk of deserialization vulnerabilities, urging organizations to implement SAP's fixes and enhanced JVM configurations.
2025-10-14 21:41:21 | bleepingcomputer | MALWARE | Malicious Crypto-Stealing Extensions Target VSCode and OpenVSX Users
A threat actor known as TigerJack targets developers with malicious Visual Studio Code (VSCode) extensions, aiming to steal cryptocurrency and install backdoors. Two compromised extensions, with 17,000 downloads, were removed from VSCode but remain available on OpenVSX, a community-maintained marketplace. TigerJack republished the malicious code under new names, exploiting the open-source nature of these platforms to reach unsuspecting users. Extensions like C++ Playground and HTTP Format can exfiltrate source code and run crypto miners, significantly impacting the host's processing power. Another variant fetches and executes JavaScript from a remote server, allowing dynamic payload deployment, including credential theft and ransomware. Koi Security researchers identified this campaign, noting the sophisticated use of multiple accounts and credible developer personas to evade detection. Despite being reported, OpenVSX has yet to respond, leaving developers vulnerable; caution is advised when downloading extensions from unverified sources.
2025-10-14 18:52:04 | bleepingcomputer | VULNERABILITIES | New Android Pixnapping Attack Threatens MFA Code Security
Researchers unveiled Pixnapping, a side-channel attack on Android devices, enabling unauthorized pixel extraction to steal sensitive data, including two-factor authentication codes, from apps like Signal and Google Authenticator. The attack exploits Android’s intents system and SurfaceFlinger composition process, allowing a malicious app to isolate and reconstruct pixels, effectively capturing screen content without permissions. Demonstrated on Google Pixel and Samsung Galaxy devices, Pixnapping affects Android versions 13 to 16, suggesting widespread vulnerability across older devices and operating systems. Google and Samsung plan to address the flaw by year-end, with a comprehensive patch expected in the December Android security update, following a bypass of the initial September fix. The attack relies on the GPU.zip side-channel, leveraging graphical data compression in GPUs, although no GPU vendors have announced patching plans for this specific vulnerability. Despite the potential for data theft, current checks show no malicious apps exploiting Pixnapping on Google Play, and the attack requires specific device data, resulting in a low success rate. Organizations should remain vigilant, ensuring devices are updated promptly and monitoring for any emerging threats exploiting this vulnerability.
2025-10-14 18:07:28 | bleepingcomputer | VULNERABILITIES | Microsoft October 2025 Patch Tuesday Addresses Six Zero-Day Vulnerabilities
Microsoft released security updates for 172 vulnerabilities, including six zero-day flaws, during October 2025's Patch Tuesday, enhancing defenses across multiple platforms. Critical vulnerabilities addressed involve remote code execution and privilege elevation, affecting systems such as Windows SMB Server and Microsoft SQL Server. Windows 10 reaches the end of free security support, prompting enterprises to consider Extended Security Updates for continued protection. Key zero-day fixes include vulnerabilities in Windows Agere Modem Driver and Windows Remote Access Connection Manager, which allowed unauthorized privilege escalation. A Secure Boot bypass in IGEL OS and a memory integrity issue in AMD EPYC processors were also addressed, improving system security. Microsoft's proactive measures include removing vulnerable drivers and enhancing security protocols in Azure Confidential Computing environments. Organizations are advised to promptly apply these updates to mitigate potential exploitation risks and safeguard their systems.
2025-10-14 17:44:37 | bleepingcomputer | CYBERCRIME | U.S. DOJ Seizes $15 Billion in Crypto from Scam Syndicate
The U.S. Department of Justice seized $15 billion in bitcoin from the Prince Group, a criminal syndicate involved in cryptocurrency investment scams targeting U.S. victims. The Prince Group, operating since 2015, used social media, dating sites, and messaging apps to lure victims into fraudulent investment schemes, stealing billions in the process. The organization managed over 100 shell companies in more than 30 countries, employing forced labor in Cambodian compounds to execute scams under threats of violence. Chen Zhi, the leader of the Prince Group, remains at large, having orchestrated the scams and bribed officials to evade law enforcement. Advanced money laundering techniques were employed to obscure the origins of the stolen funds, which were spent on luxury items and investments. In collaboration with the UK, the U.S. Treasury sanctioned Chen Zhi and 146 associates, highlighting the international effort to curb such scams. The rise in online investment scams has resulted in significant financial losses, with U.S. victims losing over $16.6 billion in recent years.
2025-10-14 17:01:55 | thehackernews | NATION STATE ACTIVITY | Chinese State-Sponsored Group Exploits ArcGIS for Prolonged Backdoor Access
Chinese state-affiliated group Flax Typhoon exploited an ArcGIS server, transforming it into a backdoor for over a year, leveraging sophisticated techniques to evade detection. The attack involved modifying a geo-mapping application's Java server object extension (SOE) into a web shell, ensuring deep persistence even through system recoveries. Flax Typhoon employed living-off-the-land strategies, using trusted software components to bypass security and blend in with normal server traffic. The group targeted a public-facing ArcGIS server by compromising an administrator account, deploying a malicious SOE to execute commands via a public portal. They established a covert VPN channel using a renamed SoftEther VPN executable, enabling lateral movement and data exfiltration while appearing as part of the internal network. IT personnel workstations were specifically targeted to obtain credentials, facilitating deeper network infiltration and administrative account control. This incident underscores the need for heightened vigilance against the manipulation of legitimate tools and processes, as attackers increasingly weaponize trusted system functionalities.
2025-10-14 17:01:55 | bleepingcomputer | VULNERABILITIES | Dispute Arises Over Credit for Vulnerability Disclosures Between Startups
FuzzingLabs accuses Gecko Security of replicating its vulnerability disclosures and backdating blog posts to claim credit for CVEs, sparking a public dispute. FuzzingLabs asserts that Gecko copied proofs of concept (PoCs) and resubmitted them, leading to duplicate CVE IDs and questions about research integrity. Gecko Security denies plagiarism, attributing the situation to a misunderstanding over disclosure processes and emphasizing direct coordination with project maintainers. GitHub has updated some advisories to credit FuzzingLabs for original reports, while Gecko has amended blog posts to acknowledge FuzzingLabs' contributions. The incident raises broader concerns about the complexities of credit and coordination in vulnerability disclosure, particularly with potential overlaps in findings. The security community remains divided, with some questioning Gecko's explanation and others noting challenges in managing duplicate vulnerability reports. The situation underscores the importance of clear communication and transparency in the vulnerability disclosure process to maintain trust and integrity.
2025-10-14 16:42:58 | bleepingcomputer | VULNERABILITIES | Oracle Patches Critical Zero-Day Vulnerability in E-Business Suite
Oracle addressed a critical zero-day vulnerability (CVE-2025-61884) in its E-Business Suite, exploited by ShinyHunters, with an out-of-band security update over the weekend. The vulnerability allowed unauthenticated remote access to sensitive resources, posing significant risks to affected systems. Despite the active exploitation, Oracle did not publicly disclose the issue's severity or the existence of a publicly leaked exploit. Researchers confirmed the fix addressed a pre-authentication Server-Side Request Forgery (SSRF) flaw, enhancing security against the leaked exploit. Oracle E-Business Suite users are urged to apply the latest patches to mitigate risks from known exploit chains and enhance system security. The Clop ransomware group and ShinyHunters have been linked to exploiting similar vulnerabilities, emphasizing the need for vigilance and timely patching. Security experts recommend implementing additional security measures, such as mod_security rules, to further protect vulnerable endpoints until patches are fully deployed.
2025-10-14 14:58:01 | bleepingcomputer | VULNERABILITIES | Dispute Over CVE Credit Raises Concerns in Vulnerability Reporting
FuzzingLabs accuses Gecko Security of replicating its vulnerability disclosures and claiming CVE credits, sparking a public dispute between the two cybersecurity firms. FuzzingLabs alleges Gecko copied proof-of-concepts and backdated blog posts to appear as the original discoverer of vulnerabilities. Gecko Security denies the allegations, attributing the situation to an unfortunate overlap and emphasizing direct coordination with project maintainers. FuzzingLabs claims to possess evidence of plagiarism, including unique identifiers in their exploits, and notes that multiple vulnerabilities on Gecko's site seem copied from other researchers. Gecko has since updated its blog posts to credit FuzzingLabs and adjusted publishing dates, while maintaining that some CVEs were marked as duplicates or invalid. The incident underscores challenges in managing duplicate vulnerability reports and the complexities of crediting in responsible disclosure practices. The broader security community remains divided, with some questioning Gecko's explanation and others highlighting the need for improved coordination in vulnerability reporting.
2025-10-14 14:19:13 | theregister | DATA BREACH | Asahi Brewer Faces Data Breach After Ransomware Attack Disrupts Operations
Asahi Brewer, a major Japanese beer producer, experienced a ransomware attack in September, causing significant operational disruptions and a potential data breach. The Qilin ransomware group claimed responsibility, alleging the theft of 27 GB of sensitive data, including contracts, employee records, and financial information. Initial reports suggested system failures, but further investigation revealed traces of unauthorized data transfers, raising concerns about personal data exposure. The attack severely impacted Asahi's logistics, delaying shipments and forcing a temporary return to manual processing methods such as pen and paper. Asahi postponed its quarterly financial results due to ongoing system outages and challenges in accessing accounting data, with no clear recovery timeline. The company is investigating the extent of the data breach and plans to notify affected individuals in compliance with data protection laws. A National Cyber Security Centre report indicates a 50% rise in ransomware attacks, suggesting a broader trend impacting businesses globally.