Daily Brief

Total articles found: 11755

Checks for new stories every ~15 minutes

Title Summary
2025-10-03 15:52:43 bleepingcomputer DATA BREACH Renault and Dacia UK Customers Affected by Third-Party Data Breach
Renault and Dacia UK customers were informed of a data breach involving a third-party provider, compromising sensitive personal information. The breach did not involve banking or financial data, reducing potential direct financial impacts on customers. The affected third-party provider has isolated the incident and removed the threat from its systems, mitigating further risks. Renault has notified the UK Information Commissioner's Office, ensuring regulatory oversight and compliance with data protection laws. Customers are advised to be vigilant against phishing and social engineering attempts, as exposed data could be used in such attacks. The exact number of affected customers remains undisclosed due to contractual limitations with the third-party provider. This incident follows a significant cyberattack on Jaguar Land Rover, highlighting ongoing cybersecurity challenges in the automotive sector.
2025-10-03 14:54:29 theregister DATA BREACH Red Hat Confirms Data Breach in Consulting GitLab Environment
Red Hat disclosed a breach in its consulting GitLab system, confirming unauthorized access and data exfiltration by a group known as the Crimson Collective. The breach involved the theft of Customer Engagement Reports, potentially containing sensitive information like architecture diagrams and network maps. Red Hat has engaged top security experts and informed law enforcement, emphasizing that core products and services remain unaffected. The Crimson Collective claims to have compromised 28,000 repositories, with potential impacts on major sectors including banking, telecoms, and government. Belgium's national cybersecurity authority has issued a warning, advising organizations to revoke and rotate all tokens and credentials shared with Red Hat. Red Hat has not disclosed whether ransomware or extortion were involved, and the Crimson Collective's credibility remains uncertain. The incident coincides with a critical bug in OpenShift AI, presenting challenging optics for Red Hat as it manages multiple security concerns.
2025-10-03 14:54:28 bleepingcomputer CYBERCRIME Asahi Faces Operational Disruptions Following Ransomware Attack
Asahi Group Holdings, Japan's largest beer brewer, confirmed a ransomware attack affecting its IT systems, leading to factory shutdowns and operational disruptions in Japan. The attack forced Asahi to halt system-based order and shipment processes, compelling a switch to manual operations, impacting efficiency and potentially affecting revenue. Initial investigations revealed evidence of data theft, with the company working to determine the full scope of compromised information. No ransomware group has claimed responsibility, suggesting ongoing negotiations or potential ransom payment by Asahi. An Emergency Response Headquarters was established, collaborating with external cybersecurity experts to expedite system restoration. The incident has highlighted vulnerabilities in Asahi's cybersecurity infrastructure, emphasizing the need for enhanced protective measures. While efforts are underway to restore operations, the timeline for full recovery remains uncertain, with impacts currently confined to Japan.
2025-10-03 14:17:55 bleepingcomputer DATA BREACH ShinyHunters Exploits Salesforce Breaches to Extort Major Corporations
ShinyHunters has launched a data leak site targeting 39 companies, leveraging Salesforce breaches to extort victims by threatening public disclosure of sensitive data. Impacted organizations include high-profile names such as FedEx, Disney, Google, and Marriott, with threats to release stolen data if demands are not met by October 10. The group claims to possess approximately 1 billion records, urging Salesforce to pay a ransom to prevent further data exposure and legal repercussions under GDPR. Attackers used voice phishing to trick employees into linking malicious OAuth apps to Salesforce, facilitating unauthorized access and data theft. Mandiant tracks these incidents under the threat cluster "UNC6395," though formal attribution to ShinyHunters remains unconfirmed. ShinyHunters announced plans to target companies affected by Salesloft Drift attacks, impacting 760 companies and compromising 1.5 billion records. The breaches highlight vulnerabilities in OAuth integrations and the need for enhanced employee training to prevent social engineering attacks.
2025-10-03 14:08:32 bleepingcomputer VULNERABILITIES CometJacking Attack Exploits AI Browser for Data Exfiltration
Researchers from LayerX have identified a vulnerability in the Comet AI browser, termed "CometJacking," which allows malicious actors to exfiltrate sensitive data using crafted URLs. The attack leverages URL parameters to inject hidden instructions into the browser, enabling access to connected services such as email and calendar without user interaction. Tests demonstrated that the attack can encode sensitive data in base64 and transmit it to an external endpoint, bypassing existing security checks. CometJacking can also instruct the AI to perform unauthorized actions, including sending emails or accessing files, posing a significant threat to user data integrity. Despite the findings, Perplexity, the AI browser developer, has dismissed the vulnerability reports, citing no perceived security impact. The vulnerability highlights the need for enhanced security measures in AI-driven applications to prevent unauthorized data access and manipulation. Organizations using AI browsers should review their security protocols and consider additional safeguards to protect against similar vulnerabilities.
2025-10-03 13:59:48 theregister MISCELLANEOUS Apple Removes ICE Tracking App Amid Government Safety Concerns
Apple has removed the ICEBlock app from its App Store, responding to safety concerns raised by the U.S. Attorney General and law enforcement agencies. ICEBlock was designed to notify users about the presence of ICE agents, potentially increasing risks to law enforcement personnel. The app's removal follows an incident in Dallas where it was reportedly used by a suspect involved in a shooting at an ICE center. The Justice Department expressed that such apps could endanger ICE agents, prompting Apple's decision to act on safety grounds. This action aligns with Apple's commitment to maintaining a safe and trusted App Store environment, as stated by the company. The decision comes shortly after a meeting between tech leaders and President Trump, emphasizing infrastructure growth and innovation. Apple's CEO acknowledged the Administration's support for American companies, highlighting a significant investment in U.S. manufacturing.
2025-10-03 13:51:56 bleepingcomputer MISCELLANEOUS New Template Assists CISOs in Presenting AI Risks to Boards
Keep Aware has launched a template to aid CISOs in presenting AI-related risks and governance strategies to boards of directors and AI committees. The resource aims to bridge the gap between technical details and business priorities, fostering clearer communication with leadership. Generative AI's rapid adoption introduces challenges such as data leakage and compliance risks, which the template addresses through structured agenda items. Keep Aware's platform offers full visibility into AI usage, enforcing policies and blocking sensitive data inputs to tools like ChatGPT. By integrating AI monitoring directly into browsers, organizations can prevent data breaches and maintain compliance with governance policies. The template supports CISOs in developing a narrative around risk management and governance, enhancing trust and confidence in AI oversight. Security leaders are encouraged to utilize this tool to ensure responsible and secure AI deployment within their organizations.
2025-10-03 13:06:39 theregister MISCELLANEOUS Drone Sightings Cause Overnight Shutdown at Munich Airport
Munich Airport experienced a temporary shutdown due to drone sightings, impacting operations and leaving nearly 3,000 passengers stranded overnight. German air traffic control suspended flight operations, affecting 17 departures and diverting 15 incoming flights to alternative airports. The incident coincided with Oktoberfest, adding to security concerns as the festival already faced overcrowding and a bomb scare earlier in the week. Federal Police arrived with drone defense equipment, but the drones had already left the area; reports suggest up to six drones were involved. Drone incidents are increasingly causing disruptions across Europe, with a similar situation recently affecting airports and airbases in Denmark. The potential threat of drones to aircraft safety is significant, prompting immediate grounding of flights to prevent possible collisions. The Munich incident may fuel calls for stricter drone regulations and improved detection technologies to prevent future disruptions. Past incidents, such as the 2018 Gatwick Airport shutdown, highlight the challenges and potential overreactions in managing drone-related threats.
2025-10-03 12:18:04 bleepingcomputer CYBERCRIME Clop Ransomware Exploits Oracle EBS Vulnerabilities in Extortion Campaign
Oracle has identified an extortion campaign linked to Clop ransomware, targeting vulnerabilities in its E-Business Suite, patched in July 2025. Oracle's Chief Security Officer confirmed customers received extortion emails, urging them to apply the latest Critical Patch Updates for protection. The July 2025 update addressed nine security flaws, including three remotely exploitable vulnerabilities without user credentials, posing significant risk. Mandiant and Google's Threat Intelligence Group reported executives received ransom demands to prevent alleged data leaks from Oracle systems. Clop claims responsibility, asserting exploitation of an Oracle bug, continuing their history of targeting zero-day vulnerabilities across various platforms. Despite Clop's claims, there is insufficient evidence of actual data theft, but the threat remains credible given their previous campaigns. The U.S. State Department offers a $10 million reward for information linking Clop attacks to foreign governments, reflecting the severity of the threat.
2025-10-03 12:10:20 theregister MISCELLANEOUS UK Government Faces Backlash Over Proposed Digital ID Initiative
The UK government is considering a digital ID system, sparking opposition from 2.76 million citizens who signed a petition against it. Prime Minister Keir Starmer announced the initiative, which was not part of his party's election manifesto, raising concerns about public support. Palantir, a tech company previously linked to government projects, has declined involvement due to the lack of electoral mandate. The digital ID aims to streamline access to public and private services, reducing bureaucracy and fraud, and aiding those without physical IDs. Privacy advocates warn that the system could threaten civil liberties by centralizing personal data and enabling extensive state surveillance. The government plans to consult with various stakeholders before legislating, emphasizing privacy and security as core components of the initiative. The digital ID system will be voluntary, and police will not have the authority to demand it during stop-and-search operations.
2025-10-03 12:10:20 thehackernews MALWARE SORVEPOTEL Malware Exploits WhatsApp for Rapid Self-Propagation
Trend Micro researchers identified SORVEPOTEL, a self-spreading malware targeting Brazilian users via WhatsApp, focusing on rapid propagation rather than data theft or ransomware. The campaign leverages phishing messages with malicious ZIP attachments, requiring users to open them on desktops, indicating a potential focus on enterprise targets. Upon execution, the malware uses WhatsApp Web to distribute itself to all contacts, leading to account suspensions due to excessive spam activity. The attack primarily affects sectors such as government, public service, and manufacturing, with 457 of 477 cases reported in Brazil. The malware employs a PowerShell script to retrieve its main payload, establishing persistence and connecting to a command-and-control server for further instructions. Initial phishing messages originate from compromised WhatsApp contacts, enhancing credibility, while distribution also occurs via seemingly legitimate emails. The SORVEPOTEL incident underscores the growing use of popular communication platforms for large-scale malware dissemination with minimal user interaction.
2025-10-03 11:47:43 theregister DATA BREACH Oracle Urges EBS Users to Patch Amid Clop Extortion Threats
Oracle has advised E-Business Suite (EBS) users to apply July patches following extortion emails from attackers linked to the Clop ransomware group. Cybercriminals claim to have accessed sensitive data, threatening to leak payroll and financial records unless ransoms are paid. Oracle's blog post reaffirms that previously identified vulnerabilities were addressed in the July 2025 Critical Patch Update. Security firms Mandiant and Google's Threat Intelligence Group report no direct compromise of Oracle's systems, despite ongoing extortion attempts. Halcyon suggests attackers exploit internet-facing Oracle EBS portals, bypassing enterprise SSO controls and exploiting default configurations. Attackers demand up to $50 million, using screenshots and file trees as evidence of their claims. Oracle has not disclosed the number of potentially affected customers, maintaining its standard guidance on the importance of timely patching.
2025-10-03 11:31:40 thehackernews MISCELLANEOUS Passwork 7 Enhances Enterprise Credential Management with New Features
Passwork 7 introduces a revamped interface focused on simplifying credential management, addressing the complexity of storing and sharing passwords and secrets within modern organizations. The platform's hierarchical structure allows businesses to align credential management with internal processes, supporting both departmental separation and cross-functional collaboration. New role-based access control features enable administrators to define granular permissions, ensuring only authorized users access sensitive information and simplifying compliance. Integration capabilities, including SSO and LDAP, streamline user onboarding and management, enhancing operational efficiency and reducing administrative overhead. Comprehensive logging and real-time alerts provide visibility into system changes, supporting rapid incident response and regulatory compliance. The platform supports secrets management alongside password management, offering tools for DevOps integration and reducing tool sprawl within IT environments. Passwork 7's zero-knowledge architecture and AES-256 encryption ensure data security, with options for client-side encryption to meet stricter security requirements. ISO 27001 certification affirms Passwork's commitment to international information security standards, making it a viable solution for regulated industries.
2025-10-03 11:19:05 bleepingcomputer VULNERABILITIES Google Expands End-to-End Encryption for Gmail Business Users
Google has introduced end-to-end encryption for Gmail enterprise users, allowing secure email communication across different email platforms without complex key exchanges. The feature, initially beta-tested in April 2025, is now rolling out to all Enterprise Plus subscribers with the Assured Controls add-on, expected to be fully available in two weeks. Gmail's encryption utilizes client-side encryption (CSE), enabling organizations to manage encryption keys outside Google's servers, enhancing data privacy and regulatory compliance. Non-Gmail recipients can access encrypted emails via a guest Google Workspace account, ensuring secure communication without additional software requirements. This development aims to simplify IT processes while maintaining robust data sovereignty, privacy, and security controls, addressing regulatory needs like HIPAA and data export controls. The CSE feature was previously introduced in other Google Workspace services, such as Google Drive and Google Docs, and reached general availability for enterprise customers in early 2023. By encrypting data on the client-side before transmission, Google ensures that sensitive information remains unreadable to its servers and third parties, bolstering security measures for business communications.
2025-10-03 10:31:49 thehackernews NATION STATE ACTIVITY Cavalry Werewolf Targets Russian Agencies with Advanced Malware Tools
The Cavalry Werewolf group, linked to YoroTrooper, has launched attacks on Russian state agencies using FoalShell and StallionRAT malware. The campaign primarily targeted sectors including energy, mining, and manufacturing, using phishing emails mimicking Kyrgyz government officials. FoalShell and StallionRAT, written in multiple programming languages, allow attackers to execute commands and exfiltrate data via a Telegram bot. BI.ZONE reports Cavalry Werewolf's ties to Kazakhstan, suggesting a nation-state affiliation, with significant overlaps with other threat clusters like Tomiris. The attacks involved compromised legitimate email addresses to distribute malicious RAR archives, enhancing their credibility and effectiveness. The group is expanding its toolkit, indicating a broader targeting scope and increasing sophistication in its attack methods. Analysis of underground forums revealed compromises in over 500 Russian companies, affecting commerce, finance, education, and entertainment sectors. Attackers often used legitimate tools for data extraction, highlighting the need for robust security measures and rapid threat intelligence updates.