Daily Brief
Total articles found: 12631
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-12-03 06:47:37 | theregister | CYBERCRIME | Askul Resumes Partial Operations After Prolonged Ransomware Disruption | Japanese e-tailer Askul resumed partial online sales 45 days after a ransomware attack that disrupted its e-commerce and logistics services, including brands like Muji and Lohaco. The ransomware incident led to a significant data breach, with customer names and contact details leaked, some of which appeared online. Askul implemented a temporary fax ordering system, initially offering limited products to specific sectors such as medical institutions. The company refrained from disclosing detailed information about the ransomware, focusing on log analysis and monitoring for anomalies. Restoration of the Warehouse Management System with enhanced security measures allowed Askul to restart its B2B services, albeit with longer delivery times. Askul's inability to compile quarterly results on schedule reflects the severe operational and financial impact of the attack. The incident draws parallels to the costly ransomware attack on British retailer Marks & Spencer, suggesting a potentially significant financial toll for Askul. | Details |
| 2025-12-03 03:02:34 | theregister | VULNERABILITIES | GPS Spoofing Detected at Eight Major Indian Airports | India's Civil Aviation Minister reported GPS spoofing incidents at eight major airports, including Delhi, Mumbai, and Bangalore, impacting aviation navigation systems. Spoofing and jamming disrupt GPS signals, forcing pilots to rely on manual navigation, which poses significant safety risks. The Airports Authority of India is collaborating with the Wireless Monitoring Organization to trace the source of these interferences. The reported incidents have not resulted in any harm, but they underscore the critical need for enhanced cybersecurity measures in aviation. Advanced cybersecurity solutions are being implemented to protect IT networks and infrastructure against evolving threats like ransomware and malware. Continuous upgrades to cybersecurity protocols are essential as the aviation sector faces increasing global threats. The incidents highlight the vulnerabilities in aviation navigation systems and the importance of robust cybersecurity defenses. | Details |
| 2025-12-02 21:47:22 | bleepingcomputer | CYBERCRIME | Korean Authorities Arrest Hackers Exploiting IP Cameras for Illicit Content | The Korean National Police arrested four individuals for hacking over 120,000 IP cameras, selling footage to a foreign adult website, and compromising user privacy. The suspects targeted cameras in private homes and commercial facilities, highlighting significant privacy and security vulnerabilities in IP camera systems. Authorities are collaborating internationally to pursue the operators of the illegal website and have already arrested three individuals who purchased the illicit content. Investigations revealed that 62% of the website's uploads last year originated from two of the suspects, indicating a substantial contribution to the site's illegal content. Victims have been notified, with 58 affected locations identified, and advised to reset passwords and submit takedown requests to mitigate further exposure. The police emphasize the seriousness of viewing or possessing illegal content, promising active investigations and aggressive responses to secondary harm. Users are advised to enhance IP camera security by changing default passwords, disabling unnecessary remote access, and keeping firmware updated. | Details |
| 2025-12-02 20:55:41 | bleepingcomputer | DATA BREACH | FTC Mandates Illuminate Education to Strengthen Data Security Measures | The FTC has ordered Illuminate Education to delete unnecessary student data and enhance security to resolve a 2021 incident exposing 10 million students' information. Illuminate, a cloud-based provider for K-12 schools, faced allegations of inadequate security, including poor access controls and plain-text data storage. The breach occurred when a hacker accessed systems using credentials from a former employee, compromising databases hosted on a third-party cloud provider. Illuminate failed to act on warnings about security flaws and continued to misrepresent its data protection measures to schools. The company delayed notifying affected school districts for two years, increasing the risk of phishing attacks on exposed users. As part of the settlement, Illuminate must improve its data security program, adhere to a public data-retention schedule, and notify the FTC of future breaches. Violations of the settlement terms could result in civil penalties of up to $51,744 per case. | Details |
| 2025-12-02 19:12:19 | bleepingcomputer | MALWARE | Shai-Hulud 2.0 Malware Exposes 400,000 Developer Secrets | The Shai-Hulud 2.0 malware attack compromised over 800 NPM packages, exposing approximately 400,000 developer secrets across 30,000 GitHub repositories. While only about 10,000 secrets were confirmed as valid, over 60% of NPM tokens remain active, posing a significant risk for further supply chain attacks. The malware utilized TruffleHog to identify account tokens, embedding malicious scripts into packages and publishing them on the NPM platform. A destructive mechanism was included, potentially wiping victims' home directories under specific conditions, increasing the attack's severity. Analysis revealed most infections occurred on Linux systems, with 76% impacting container environments, primarily via GitHub Actions. Key infected packages, such as @postman/tunnel-agent and @asyncapi/specs, accounted for over 60% of infections, suggesting targeted mitigation could have reduced impact. The ongoing validity of many credentials indicates a continued threat, with expectations of future attack waves leveraging the stolen data. | Details |
| 2025-12-02 18:50:54 | theregister | VULNERABILITIES | Google Patches Two Android Zero-Day Bugs Amidst Security Update | Google released patches for two high-severity Android zero-day vulnerabilities, CVE-2025-48633 and CVE-2025-48572, both affecting the framework component and potentially under targeted exploitation. These vulnerabilities could lead to information disclosure and privilege escalation, posing significant risks to Android users if left unpatched. In total, 107 security issues were addressed in Google's December Android security bulletin, including seven critical-severity vulnerabilities. The most severe vulnerability, CVE-2025-48631, could enable remote denial of service without requiring additional execution privileges. Four critical escalation-of-privilege bugs in the kernel and two critical vulnerabilities in Qualcomm components were also patched, addressing serious security concerns. Users are advised to update their Android devices promptly to mitigate potential exploitation risks from these vulnerabilities. The rapid patching of these vulnerabilities reflects ongoing efforts to protect against commercial spyware and government-sponsored attacks targeting mobile devices. | Details |
| 2025-12-02 17:53:41 | theregister | DATA BREACH | University of Pennsylvania Hit by Clop's Oracle EBS Data Breach | The University of Pennsylvania reported a data breach involving Clop's exploitation of a zero-day in Oracle's E-Business Suite, affecting over 1,400 individuals. Attackers accessed data related to supplier payments, reimbursements, and other business processes, leveraging a vulnerability identified as CVE-2025-61882. The breach was discovered on November 11, with a notification filed on December 1, impacting 1,488 Maine residents, though the total number of victims remains unspecified. The university has patched its systems following Oracle's release of fixes and is collaborating with federal law enforcement and cybersecurity experts to prevent future incidents. Individuals affected by the breach have been offered two years of Experian credit monitoring services as a precautionary measure. The breach follows a similar incident at Dartmouth College, indicating a pattern of attacks on Oracle EBS customers by the Russia-linked Clop group. There is no current evidence of misuse of the stolen data, but affected parties are advised to monitor financial statements and government correspondence for any suspicious activity. | Details |
| 2025-12-02 17:53:40 | thehackernews | CYBERCRIME | India Mandates SIM Card Verification for Messaging Apps to Combat Fraud | India's Department of Telecommunications has directed messaging apps to ensure accounts are linked to active SIM cards to prevent scams and cyber fraud. The new rule applies to apps like WhatsApp, Telegram, and Signal, requiring compliance within 90 days to enhance telecom cybersecurity. The directive aims to close security gaps exploited for cross-border fraud, including scams using deactivated or foreign-located SIMs. Mandatory periodic re-authentication will reduce account takeover risks and complicate remote misuse by requiring continuous control verification. Linking accounts to KYC-verified SIMs will aid in tracing numbers involved in phishing, investment, and digital fraud schemes. The policy extends existing banking app security measures to messaging platforms, enhancing digital transaction trust. The move follows plans to establish a Mobile Number Validation platform to curb identity fraud and unverified mobile number linkages. | Details |
| 2025-12-02 16:30:27 | theregister | CYBERCRIME | Europol Dismantles Cryptomixer, Seizes €25M in Bitcoin Assets | Europol, in collaboration with German and Swiss authorities, dismantled the Cryptomixer platform, seizing €25 million in Bitcoin and 12TB of data during Operation Olympia. The operation, conducted from November 24-28, targeted the infrastructure supporting cryptocurrency laundering, taking three Swiss servers offline and capturing the cryptomixer.io domain. Cryptomixer facilitated the laundering of over €1.3 billion since 2016, offering services that obscure the origins of cryptocurrency, complicating law enforcement tracking efforts. Cryptocurrency mixing services are often exploited by cybercriminals, including ransomware operators and dark web vendors, to conceal illicit financial activities. The takedown aligns with broader efforts to dismantle cybercrime infrastructure, following similar actions against malware and bulletproof hosting services. Authorities increasingly employ sanctions against entities providing infrastructure support to cybercriminals, targeting those in jurisdictions beyond direct law enforcement reach. Recent sanctions include actions against Media Land, Zservers, and Aeza Group, aiming to disrupt support networks for ransomware and other cybercriminal activities. | Details |
| 2025-12-02 16:14:07 | bleepingcomputer | MISCELLANEOUS | Microsoft Defender Portal Outage Affects Threat Hunting Capabilities | Microsoft Defender XDR portal experienced a significant outage, impacting threat hunting alerts and device visibility for several customers over a 10-hour period. The disruption was attributed to a spike in traffic leading to high CPU utilization on critical components of the Defender portal. Microsoft designated the incident as critical, indicating substantial user impact, and initiated mitigation measures to restore service functionality. As of the latest update, telemetry data shows recovery for some users, though a few organizations continue to face issues. Microsoft is collaborating with affected customers to gather diagnostics and HTTP Archive traces to address ongoing challenges. The incident underscores the importance of robust infrastructure management to maintain continuity in cybersecurity operations. | Details |
| 2025-12-02 15:35:16 | bleepingcomputer | CYBERCRIME | Cybercrime Adopts SaaS Model, Expanding Access to Advanced Tools | Cybercrime is increasingly adopting a subscription-based model, offering tools and services akin to legitimate SaaS platforms, making sophisticated attacks accessible to less-skilled individuals. Phishing-as-a-service (PhaaS) platforms now offer comprehensive kits, including AI-enhanced tools like SpamGPT, enabling seamless execution of phishing campaigns with minimal technical expertise. Telegram bots are transforming social engineering into a rentable service, providing capabilities like OTP scams and spoofed calls, with pricing tiers resembling traditional SaaS offerings. Infostealer logs are now aggregated and sold as subscription-based data feeds, allowing criminals to access fresh stolen credentials through user-friendly web interfaces. Initial access brokers commoditize network breaches, selling access to compromised systems, which are validated and categorized, offering a scalable entry point for other cybercriminals. Advanced malware and hacking tools, such as the Atroposia RAT, are available for rent at low monthly fees, reducing the barrier to entry for complex cyberattacks. The evolution of cybercrime into a subscription economy challenges cybersecurity defenses, necessitating scalable and adaptive security measures to counteract these on-demand threats. | Details |
| 2025-12-02 15:25:22 | theregister | DATA BREACH | Kensington and Chelsea Council Confirms Data Breach Amid IT Outage | Kensington and Chelsea Council confirmed a data breach occurred during a recent IT outage, affecting historical information, though specific data types and quantities remain undisclosed. The breach impacted a shared IT environment with Hammersmith & Fulham and Westminster councils, causing significant service disruptions and a shift to manual processes. External investigators, including the National Cyber Security Centre and the Metropolitan Police, are involved in probing the incident, with no current claims from major ransomware groups. The council advises residents to remain vigilant for potential scams, especially those who purchased services like parking permits, and to monitor financial statements closely. The interconnected IT systems among the councils have complicated recovery efforts, with ongoing delays expected for at least two weeks as services are gradually restored. The breach raises concerns about the security of sensitive data held by councils, including tenancy records and social care notes, which are attractive targets for cybercriminals. Hammersmith & Fulham Council reported no evidence of compromise but has implemented enhanced security measures as a precaution. | Details |
| 2025-12-02 15:10:30 | thehackernews | MALWARE | GlassWorm Campaign Resurfaces with Malicious Developer Tool Extensions | GlassWorm has re-emerged, infiltrating Microsoft Visual Studio Marketplace and Open VSX with 24 malicious extensions mimicking popular developer tools such as Flutter and React. The campaign exploits stolen credentials to compromise additional packages, effectively spreading malware and turning developer machines into nodes for further criminal activities. Attackers artificially inflate download counts, making the malicious extensions appear legitimate and deceiving developers into installing them. The latest iteration includes Rust-based implants targeting Windows and macOS, using Solana blockchain and Google Calendar events for command-and-control operations. Despite efforts by Microsoft and Open VSX, the malware continues to evade detection, updating malicious code post-approval and exploiting activation contexts. The campaign's rapid deployment across major repositories poses a significant threat to developers, risking widespread compromise through seemingly trustworthy extensions. Organizations should enhance scrutiny of third-party extensions and implement robust security measures to mitigate risks associated with supply chain attacks. | Details |
| 2025-12-02 15:02:05 | thehackernews | NATION STATE ACTIVITY | North Korean Lazarus Group's Remote Worker Scheme Exposed in Real-Time | A joint investigation by BCA LTD, NorthScan, and ANY.RUN revealed a North Korean infiltration scheme involving remote IT workers linked to Lazarus Group's Chollima division. Researchers captured live activity of operators using sandbox environments that mimicked real developer laptops, providing unprecedented insight into their operations. The operation involved impersonating a U.S. developer to engage with a recruiter, "Aaron," who sought full access to sensitive personal information and continuous laptop availability. The ANY.RUN Sandbox created virtual machines with U.S. residential proxy routing, allowing researchers to monitor activities without detection. The scheme focused on identity takeover and remote access, bypassing traditional malware deployment methods, highlighting a shift in tactics. Companies are advised to enhance awareness of remote hiring threats, as attackers can gain access to sensitive data and critical accounts through seemingly legitimate job offers. Proactive internal measures and suspicious activity reporting are crucial to prevent potential compromises from escalating within organizations. | Details |
| 2025-12-02 15:02:05 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Scheme Exploits Engineers for Illicit Fundraising Operations | Security researchers uncovered a North Korean operation targeting engineers to rent identities for espionage and fundraising, linked to the Lazarus group's Famous Chollima unit. The scheme involved tricking recruiters to secure jobs at major corporations using stolen identities, deepfake videos, and AI tools to avoid detection. Legitimate engineers were recruited to act as figureheads, receiving a percentage of salaries while DPRK agents used their identities and devices for cover. Researchers Eldritch and García set up a honeypot to study the operation, revealing tactics such as the use of Astrill VPN and AI-powered tools for job applications. The operation involved multiple North Korean agents and highlighted the use of sophisticated techniques to infiltrate companies, posing significant risks to corporate security. Insights from the investigation provide valuable intelligence for organizations to anticipate and defend against similar infiltration attempts. The findings underscore the ongoing threat posed by North Korean cyber activities, emphasizing the need for robust identity and access management strategies. | Details |