Daily Brief

Articles are listed below, each followed by a generated summary.

Total articles found: 11755

Checks for new stories every ~15 minutes

2025-10-01 09:21:50 theregister MISCELLANEOUS UK PM Faces Pressure Over Digital ID Plans Amid AI Focus
UK Prime Minister Keir Starmer avoided discussing the mandatory digital ID scheme during his Labour Party conference speech, despite calls to clarify the policy's details and objectives. The digital ID initiative aims to combat illegal working through mandatory right-to-work checks, but its absence in the speech has led to criticism and concerns about its viability. Campaigners and former advisers warn that without clear communication, opposition to the digital ID scheme is gaining momentum, risking the plan's failure within six months. A petition against the digital ID has garnered over 2.6 million signatures, reflecting significant public opposition and potential challenges for the government. Starmer shifted focus to the benefits of artificial intelligence in healthcare, highlighting AI's role in transforming patient care and improving access to medical services. He emphasized the potential of AI-driven remote consultations to enhance healthcare delivery, particularly for underserved populations such as rural residents and busy parents. The speech also portrayed the UK as a key destination for tech investment, citing interest from global tech companies in contributing to the UK's AI future.
2025-10-01 08:55:59 theregister CYBERCRIME Cyberattacks Disrupt UK Schools, Affecting Student Coursework and Operations
Recent data from Ofqual reveals a rise in cyberattacks on UK schools, with 10% experiencing critical damage, impacting student coursework and operational continuity. Despite increased cybersecurity training for teachers, recovery times have worsened, with only 55% of schools recovering immediately after an incident, down from 63% the previous year. A ransomware attack forced one British high school to temporarily close, highlighting the severe operational impact such attacks can have on educational institutions. Ofqual emphasizes the importance of malware protection and regular data backups to mitigate these threats and ensure faster recovery times. The Information Commissioner's Office reports that over half of school cyberattacks are initiated by students, often using stolen login credentials. Staff practices, such as sending work data to personal devices, contribute to vulnerabilities, indicating a need for enhanced cybersecurity awareness training. As schools increasingly rely on digital platforms, robust cybersecurity measures are crucial to safeguarding educational continuity and students' academic futures.
2025-10-01 07:17:45 thehackernews CYBERCRIME CABINETRAT Backdoor Targets Ukraine via Signal-Distributed XLL Files
CERT-UA has identified a cyber attack using the CABINETRAT backdoor, targeting Ukrainian entities through XLL files distributed over Signal. The activity, attributed to the threat cluster UAC-0245, was detected in September 2025 and abuses Excel add-ins (XLL files) as the delivery format. Attackers sent ZIP archives over Signal, disguised as documents about border detentions, containing the XLL files. Once Excel loads an XLL, it drops executables and modifies the Windows Registry for persistence, running Excel in hidden mode. The CABINETRAT backdoor, written in C, gathers system data, captures screenshots, and allows file manipulation and command execution. Anti-detection measures include checks for virtual environments and system specifications, which improve evasion. The attack follows recent warnings from Fortinet about phishing campaigns impersonating Ukrainian authorities to deploy malware.
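The summary above describes persistence through an Excel add-in (XLL) and the Windows Registry. The Python check below, added here and not taken from CERT-UA's report, parses an exported registry key and lists the OPEN/OPENn values under Excel\Options that point at .xll files, which is how Excel is told to load an add-in at start-up. The hive path, user name and file names in the sample export are constructed, and the exact registry key used by UAC-0245 is not given in the summary, so treat this as a general hunt for XLL auto-load entries rather than a signature for this campaign.

```python
import re

# Constructed sample of what `reg export` of the per-user Excel Options key produces.
# User name, add-in file names and the Temp-resident entry are invented for this example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options]
"DefaultPath"="C:\\Users\\alice\\Documents"
"OPEN"="/R \"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\AddIns\\Analysis32.xll\""
"OPEN1"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\report.xll\""
"OPEN2"="/R \"C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\SOLVER\\SOLVER.XLAM\""
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')
OPEN_NAME_RE = re.compile(r"^OPEN\d*$", re.IGNORECASE)
# Excel accepts switches such as /R (open read-only) in front of the quoted add-in path
OPEN_DATA_RE = re.compile(r'^(?:/[A-Za-z]\s+)*"?(?P<path>[^"]+)"?\s*$')

# Locations a legitimately installed add-in rarely lives in but a dropped one often does
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")


def unescape_reg_string(s: str) -> str:
    """Undo .reg escaping: a backslash escapes the following backslash or quote."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def find_xll_addins(reg_text: str) -> list[dict]:
    """Return every OPEN/OPENn value under an Excel\\Options key whose target is an .xll file."""
    findings, current_key = [], None
    for line in reg_text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        if not current_key or "\\excel\\options" not in current_key.lower():
            continue
        value = VALUE_RE.match(line)
        if not value or not OPEN_NAME_RE.match(value.group("name")):
            continue
        data = unescape_reg_string(value.group("data"))
        path_match = OPEN_DATA_RE.match(data)
        if not path_match:
            continue
        path = path_match.group("path")
        if not path.lower().endswith(".xll"):
            continue  # .xlam/.xla entries are macro add-ins, a different hunt
        severity = "high" if any(m in path.lower() for m in USER_WRITABLE_MARKERS) else "medium"
        findings.append({"key": current_key, "value": value.group("name"), "path": path, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_xll_addins(SAMPLE_REG_EXPORT):
        print(f"{f['severity']:<6} {f['value']:<6} {f['path']}")
```

Run it over exports collected from endpoints (one per Office version under HKCU and, for machine-wide add-ins, the corresponding HKLM key) and review every .xll it lists; an add-in under a Temp or Downloads folder, or one that appeared at the same time as a suspicious archive, deserves the closest look.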
2025-10-01 03:06:13 theregister NATION STATE ACTIVITY Phantom Taurus Group Uses .NET Malware to Target Government Servers
Palo Alto Networks' Unit 42 identified Phantom Taurus, a China-backed group, using custom malware to target government servers across Asia, Africa, and the Middle East. Phantom Taurus, active since 2022, focuses on diplomatic communications and defense intelligence, aligning with China's strategic interests. The group employs the NET-STAR malware suite, a .NET-based tool targeting Internet Information Services (IIS) web servers, demonstrating advanced evasion techniques. Initially leveraging infrastructure from other China-linked groups, Phantom Taurus now uses its own, indicating increased operational independence. The malware suite includes three backdoors, designed to evade detection, with minimal antivirus flagging, complicating threat detection efforts. Indicators of compromise, such as SHA256 hashes, have been shared to aid in identifying and mitigating threats posed by Phantom Taurus. China's government denies involvement, attributing such accusations to geopolitical tensions and disinformation campaigns.
2025-09-30 22:25:07 theregister NATION STATE ACTIVITY North Korean IT Workers Infiltrate Diverse Sectors Beyond Big Tech
Okta Threat Intelligence reports North Korean IT workers are increasingly targeting non-tech sectors, with 48% of scams affecting finance, healthcare, and public administration. Over 5,000 companies globally have been targeted since 2021, with 130 identities linked to more than 6,500 job interviews. The scam involves obtaining remote jobs, primarily in software development, to funnel money back to North Korea. Recent trends show a marked increase in interviews within AI-related organizations, posing risks to sensitive intellectual property and proprietary algorithms. Healthcare and medical-tech sectors are also being targeted, with potential access to sensitive personal and clinical data. The scheme's primary goal is financial gain, but it also leads to data theft, extortion, and ransomware activities. The threat is expanding globally, with 27% of targeted companies located outside the United States, including Europe. Organizations must enhance verification processes to mitigate risks from state-sponsored employment scams.
2025-09-30 21:39:10 theregister VULNERABILITIES Georgia Tech Uncovers Security Flaws in Tile Bluetooth Trackers
Researchers from Georgia Tech identified several security flaws in Tile Bluetooth trackers, challenging Life360's privacy assurances and revealing potential risks for users concerned about stalking. The study found that Tile trackers transmit identifying data in plaintext, with static MAC addresses and semi-randomized IDs, facilitating unauthorized tracking of individuals. Tile's anti-stalking features are reportedly ineffective, as they require manual scans and do not operate at the OS level, creating detection gaps for users. Life360's partnership with Amazon's Sidewalk network has raised additional concerns about privacy risks, as it may enhance tracking capabilities. Despite researchers offering mitigation strategies, such as MAC address randomization and end-to-end encryption, communication with Life360 ceased without confirmed implementation. Life360 claims to have made unspecified improvements, including transitioning to rotating MAC addresses, but has not provided detailed responses to the vulnerabilities reported. The research suggests users should consider alternative Bluetooth trackers if privacy is a primary concern, given the unresolved security issues with Tile products.
2025-09-30 20:16:15 theregister MALWARE Google Integrates AI in Drive to Mitigate Ransomware Threats
Google introduced an AI-based detection in Drive for desktop that pauses file syncing when it sees signs of ransomware, such as files being encrypted or corrupted in bulk, to limit the damage. The model is trained on millions of ransomware samples and aims to spot suspicious activity early and stop encrypted files from syncing onward to the cloud copy and other devices. Users receive email or desktop notifications and can restore affected files easily; the feature is on by default in most Workspace commercial plans at no extra cost. The system continuously analyzes file changes and incorporates threat intelligence from VirusTotal to detect new and evolving malware variants. Administrators can manage detection and restoration settings and receive alerts for detected ransomware activity through the Admin console. While this adds a useful defense layer, it does not prevent the ransomware infection itself, and such attacks continue to cause significant financial damage. Google acknowledges that ransomware remains a significant threat to organizations globally.
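The summary above describes detecting encryption or corruption in file changes and pausing sync in response. The Python sketch below, added here and not Google's code or model, shows the shape of a simple version of that signal: a change is suspicious when the new content is near-random (high Shannon entropy) and much more random than the old content, and sync pauses when enough suspicious rewrites land inside a short window. The sync log, the thresholds and the SHA-256 chain used as stand-in ciphertext are constructed for the example; a legitimately re-saved compressed image is included to show why the jump in entropy, not the entropy level alone, is what matters.

```python
import hashlib
import math
from collections import Counter, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileChange:
    ts: float      # seconds on a constructed clock
    path: str
    before: bytes  # content before the change
    after: bytes   # content after the change


ENTROPY_THRESHOLD = 7.2   # bits/byte: text and office documents sit far below, ciphertext near 8.0
ENTROPY_JUMP = 2.0        # the rewrite must also raise entropy sharply (already-compressed files stay high)
WINDOW_SECONDS = 60.0
BURST_THRESHOLD = 10      # suspicious rewrites inside one window before sync is paused


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspicious(change: FileChange) -> bool:
    """Looks like encryption when the new content is near-random and far more random than the old."""
    after_h = shannon_entropy(change.after)
    return after_h >= ENTROPY_THRESHOLD and after_h - shannon_entropy(change.before) >= ENTROPY_JUMP


def detect_burst(changes):
    """Sliding window over suspicious changes. Returns (time at which sync should pause or None,
    paths of all suspicious changes seen)."""
    suspicious = [c for c in sorted(changes, key=lambda c: c.ts) if is_suspicious(c)]
    window = deque()
    for change in suspicious:
        window.append(change)
        while change.ts - window[0].ts > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= BURST_THRESHOLD:
            return change.ts, [c.path for c in suspicious]
    return None, [c.path for c in suspicious]


def pseudo_ciphertext(seed: str, size: int = 4096) -> bytes:
    """Deterministic stand-in for encrypted output (SHA-256 chain), so the sample needs no RNG or cipher."""
    out, block = bytearray(), seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


def build_sample_changes():
    """Constructed sync log: two ordinary edits, a compressed image replaced, then 12 files rewritten as ciphertext."""
    doc = ("Quarterly report draft. Revenue grew in all regions; see appendix tables.\n" * 40).encode()
    changes = [
        FileChange(0.0, "finance/q3_report.docx", doc, doc + b"Added a note on FX exposure.\n"),
        FileChange(15.0, "hr/handbook.txt", doc, doc[:-200]),
        # high entropy before and after: a re-exported PNG, not encryption
        FileChange(30.0, "marketing/logo.png", pseudo_ciphertext("png-v1"), pseudo_ciphertext("png-v2")),
    ]
    for i in range(12):
        changes.append(FileChange(100.0 + i, f"shared/file_{i:02d}.xlsx", doc, pseudo_ciphertext(f"enc-{i}")))
    return changes


if __name__ == "__main__":
    pause_at, paths = detect_burst(build_sample_changes())
    print("pause sync at", pause_at, "after", len(paths), "suspicious rewrites")
```

In the constructed log the tenth encrypted rewrite arrives at t=109, so sync pauses there; the two text edits and the image replacement never count. A production detector would add the other signals the summary mentions (known extensions and ransom notes, rename patterns, VirusTotal intelligence), but the entropy-jump rule alone already separates "many files suddenly became ciphertext" from normal work on compressed media.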
2025-09-30 19:00:58 bleepingcomputer MALWARE MatrixPDF Toolkit Converts PDFs into Phishing and Malware Lures
Varonis researchers identified MatrixPDF, a toolkit that transforms PDFs into phishing and malware distribution tools, bypassing email security measures to redirect victims to credential theft or malware sites. MatrixPDF is marketed on cybercrime forums and Telegram, offering features like drag-and-drop PDF import, customizable security overlays, and JavaScript actions for phishing simulations. The toolkit allows attackers to embed malicious features, such as blurred content and fake prompts, enabling phishing attacks by redirecting users to external malicious sites. MatrixPDF's design cleverly bypasses Gmail's phishing filters by excluding malicious binaries and relying on user-initiated actions to trigger external site connections. Despite security alerts from modern PDF viewers, the tool exploits the common use of PDFs in email to deceive users into clicking malicious links. Varonis suggests AI-driven email security solutions to detect and block these sophisticated phishing attempts by analyzing PDF structures and detonating embedded URLs in sandboxes. The toolkit is available in various pricing plans, ranging from $400 monthly to $1,500 annually, indicating its accessibility to cybercriminals.
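Varonis' recommendation above is to detect these lures by analyzing the PDF structure and the URLs it carries. The scanner below, added here and not Varonis' or MatrixPDF's code, looks for the object names that give a PDF active behaviour (/JavaScript, /OpenAction, /Launch, /EmbeddedFile, /SubmitForm), inflates /FlateDecode streams and undoes #xx name escaping so that hiding the script inside a compressed object does not defeat the check, and pulls out every URL it can find. Both sample PDFs are constructed inside the code (minimal, with no cross-reference table), the URL uses the reserved .invalid domain, and the verdict strings are this example's own.

```python
import re
import zlib

LURE_URL = b"https://example.invalid/secure-view"  # constructed; .invalid never resolves

NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")     # /Java#53cript -> /JavaScript
STREAM_START_RE = re.compile(rb"(?<!end)stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
JS_URL_RE = re.compile(rb"""launchURL\(\s*["']([^"']+)["']""")
ACTIVE_NAMES = {
    "javascript": rb"/JavaScript\b|/JS\b",
    "auto_action": rb"/OpenAction\b|/AA\b",   # fires without a click
    "launch": rb"/Launch\b",                  # runs an external program
    "embedded_file": rb"/EmbeddedFile\b",     # payload carried inside the PDF
    "form_submit": rb"/SubmitForm\b",
}


def normalize_names(data: bytes) -> bytes:
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list:
    """Decompress /FlateDecode streams so names and URLs hidden inside them are visible to the scan."""
    inflated = []
    for m in STREAM_START_RE.finditer(data):
        header = data[max(0, m.start() - 256):m.start()]  # the stream dictionary sits just before the keyword
        if b"/FlateDecode" not in header:
            continue
        lengths = LENGTH_RE.findall(header)
        start = m.end()
        if lengths:
            body = data[start:start + int(lengths[-1])]
        else:
            end = data.find(b"endstream", start)
            body = data[start:end] if end != -1 else data[start:]
        try:
            inflated.append(zlib.decompress(body))
        except zlib.error:
            continue  # indirect /Length or a deliberately damaged stream: skip rather than crash
    return inflated


def verdict(report: dict) -> str:
    if report["javascript"] and report["auto_action"] and report["uris"]:
        return "lure: script runs on open and sends the reader off-document"
    if report["uris"] and not report["embedded_file"]:
        return "outbound links only, no payload inside the file"
    if any(report[k] for k in ACTIVE_NAMES):
        return "active content present, review manually"
    return "no active content found"


def scan_pdf(data: bytes, inflate: bool = True) -> dict:
    views = [normalize_names(data)]
    if inflate:
        views.extend(normalize_names(s) for s in inflate_streams(data))
    blob = b"\n".join(views)
    report = {name: bool(re.search(pattern, blob)) for name, pattern in ACTIVE_NAMES.items()}
    uris = []
    for raw in URI_RE.findall(blob) + JS_URL_RE.findall(blob):
        uri = raw.decode("latin-1")
        if uri not in uris:
            uris.append(uri)
    report["uris"] = uris
    report["verdict"] = verdict(report)
    return report


def build_plain_lure() -> bytes:
    """Constructed PDF whose open action launches a URL and whose single page is one big link."""
    return b"\n".join([
        b"%PDF-1.7",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [5 0 R] >> endobj",
        b'4 0 obj << /S /JavaScript /JS (app.launchURL("' + LURE_URL + b'", true);) >> endobj',
        b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /A << /S /URI /URI (" + LURE_URL + b") >> >> endobj",
        b"trailer << /Root 1 0 R >>",
        b"%%EOF",
    ])


def build_compressed_lure() -> bytes:
    """Same lure with the script in a Flate stream and a hex-escaped action name, as an evasion attempt."""
    body = zlib.compress(b'app.launchURL("' + LURE_URL + b'", true);')
    return b"\n".join([
        b"%PDF-1.7",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj",
        b"4 0 obj << /S /Java#53cript /JS 6 0 R >> endobj",
        b"6 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>",
        b"stream", body, b"endstream", b"endobj",
        b"trailer << /Root 1 0 R >>",
        b"%%EOF",
    ])


if __name__ == "__main__":
    for name, pdf in (("plain", build_plain_lure()), ("compressed", build_compressed_lure())):
        print(name, scan_pdf(pdf))
```

Without stream inflation the compressed sample still shows JavaScript and an open action but yields no URL, which is exactly the gap a filter that only pattern-matches the raw bytes falls into; with inflation both samples produce the same verdict and the same URL, which can then be detonated or reputation-checked as the summary suggests. Object streams (/ObjStm) and other filters such as /ASCIIHexDecode are further hiding places a production scanner has to handle.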
2025-09-30 18:43:26 thehackernews VULNERABILITIES Battering RAM Attack Exposes Limits in Intel and AMD Security
Researchers from KU Leuven and the University of Birmingham unveiled Battering RAM, an attack that bypasses key security features of Intel and AMD cloud processors. It uses a low-cost, $50 hardware interposer on the memory bus to manipulate how addresses map to physical memory, compromising Software Guard Extensions (SGX) and Secure Encrypted Virtualization (SEV-SNP). Battering RAM targets DDR4 systems in public cloud environments and can expose data these features are meant to keep encrypted. By redirecting protected memory addresses, an attacker can corrupt protected data or gain access to it. Intel, AMD, and Arm acknowledged the findings but noted that physical attacks are currently outside their threat model. Mitigating Battering RAM would require a fundamental redesign of current memory encryption, as existing designs lack cryptographic freshness (anti-replay) checks. The disclosure follows other recent vulnerabilities affecting AMD's SEV-SNP and underscores the ongoing challenge of protecting sensitive data in cloud hardware.
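The summary above says current memory-encryption designs lack cryptographic freshness checks. The Python model below, added here and not from the Battering RAM paper or the vendors, shows why that matters: with deterministic, address-tweaked encryption, a ciphertext captured from DRAM earlier decrypts to a valid but stale value when written back later and nothing notices; binding each memory line to a write counter held in trusted state, with a MAC over address, counter and ciphertext, rejects the replay. The Feistel cipher, key, address and the "ATTEMPTS" value are constructed stand-ins, and the model covers only the missing property, not the interposer hardware or the address aliasing the attack itself relies on.

```python
import hashlib
import hmac

BLOCK = 16           # bytes per memory line in this model
KEY = b"\x11" * 32   # constructed memory-encryption key (hardware-internal in the real designs)


class IntegrityError(Exception):
    pass


def _prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, tweak: bytes, plaintext: bytes) -> bytes:
    """Toy tweakable block cipher: 4-round Feistel over 16-byte blocks, HMAC as round function.
    Deterministic for a given (key, tweak), the property that makes replay possible."""
    left, right = plaintext[:8], plaintext[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _prf(key, tweak, bytes([rnd]), right)[:8])
    return left + right


def block_decrypt(key: bytes, tweak: bytes, ciphertext: bytes) -> bytes:
    left, right = ciphertext[:8], ciphertext[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _prf(key, tweak, bytes([rnd]), left)[:8]), left
    return left + right


def pad(value: bytes) -> bytes:
    return value.ljust(BLOCK, b"\0")


class EncryptedDram:
    """Address-tweaked encryption only, no integrity or freshness. The attacker on the far side of the
    interposer can read and overwrite every cell but never sees the key."""

    def __init__(self, key: bytes):
        self.key = key
        self.cells = {}  # physical address -> bytes as stored in DRAM

    def store(self, addr: int, plaintext: bytes) -> None:
        self.cells[addr] = block_encrypt(self.key, addr.to_bytes(8, "big"), plaintext)

    def load(self, addr: int) -> bytes:
        return block_decrypt(self.key, addr.to_bytes(8, "big"), self.cells[addr])


class FreshEncryptedDram(EncryptedDram):
    """Adds a per-line write counter kept in trusted (on-die) state plus a MAC binding address, counter
    and ciphertext. The tag lives in DRAM next to the data, so the attacker can replay it too; the
    counter is what cannot be rolled back."""

    def __init__(self, key: bytes):
        super().__init__(key)
        self.counters = {}  # trusted state the attacker cannot touch

    @staticmethod
    def _fresh_tweak(addr: int, ctr: int) -> bytes:
        return addr.to_bytes(8, "big") + ctr.to_bytes(8, "big")

    def store(self, addr: int, plaintext: bytes) -> None:
        ctr = self.counters.get(addr, 0) + 1
        tweak = self._fresh_tweak(addr, ctr)
        ct = block_encrypt(self.key, tweak, plaintext)
        self.cells[addr] = ct + _prf(self.key, b"mac", tweak, ct)
        self.counters[addr] = ctr

    def load(self, addr: int) -> bytes:
        tweak = self._fresh_tweak(addr, self.counters[addr])
        ct, tag = self.cells[addr][:BLOCK], self.cells[addr][BLOCK:]
        if not hmac.compare_digest(tag, _prf(self.key, b"mac", tweak, ct)):
            raise IntegrityError(f"stale or forged line at {addr:#x}")
        return block_decrypt(self.key, tweak, ct)


def replay_demo(mem: EncryptedDram) -> str:
    """Capture the ciphertext of a favourable value, let software update it, then write the old bytes back."""
    addr = 0x7F00
    mem.store(addr, pad(b"ATTEMPTS=0"))
    captured = mem.cells[addr]              # attacker snapshots the line from the bus
    mem.store(addr, pad(b"ATTEMPTS=3"))     # legitimate update: lockout reached
    mem.cells[addr] = captured              # attacker writes the stale line back
    try:
        return mem.load(addr).rstrip(b"\0").decode()
    except IntegrityError:
        return "rejected"


if __name__ == "__main__":
    print("encryption only :", replay_demo(EncryptedDram(KEY)))       # ATTEMPTS=0
    print("with freshness  :", replay_demo(FreshEncryptedDram(KEY)))  # rejected
```

The same check also catches the corruption case, since a ciphertext the attacker invents or moves from another address fails the MAC. Real designs keep the counters in an integrity tree rooted on-die rather than a flat table, but the cost the summary alludes to is visible even in the model: every line needs a counter and a tag, and every read needs an extra verification.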
2025-09-30 18:43:25 bleepingcomputer DATA BREACH WestJet Data Breach Exposes Customer Passports and IDs
WestJet confirmed a breach compromising customer data, including passports and ID documents, following a cyberattack disclosed in June. The breach affected internal systems and disrupted the WestJet app, impacting customer access and operations. No financial data, such as credit card details or passwords, were compromised during the incident. WestJet is still assessing the full scope of the breach, with initial notifications sent to confirmed affected individuals. The airline is collaborating with the FBI and implementing measures to prevent future incidents. Customers have been offered a free two-year identity theft protection and monitoring service to mitigate potential risks. The breach coincided with a period of increased cyber activity in the aviation sector, linked to the Scattered Spider threat group.
2025-09-30 17:00:50 bleepingcomputer VULNERABILITIES Cisco Firewalls Exposed to Critical Vulnerabilities, Urgent Action Required
Approximately 48,800 Cisco ASA and FTD devices are exposed to two critical flaws: CVE-2025-20333, which allows remote code execution, and CVE-2025-20362, which allows unauthenticated access to restricted VPN web server endpoints. Both are being actively exploited and have no workarounds, so Cisco recommends patching together with hardening measures such as restricting VPN exposure and enhancing monitoring. The Shadowserver Foundation's scans show significant exposure, with over 19,200 vulnerable endpoints in the United States alone. The U.S. CISA issued an emergency directive requiring federal agencies to identify affected devices and update or disconnect them within 24 hours, reflecting the severity of the threat. The U.K.'s NCSC reported that attackers are deploying malware tracked as 'Line Viper' and 'RayInitiator', indicating a sophisticated operation. Organizations are urged to apply Cisco's patches and follow its detection guidance without delay.
2025-09-30 16:13:51 theregister VULNERABILITIES Critical Cisco Firewall Vulnerabilities Demand Immediate Patching Action
Nearly 50,000 Cisco ASA/FTD devices are vulnerable to actively exploited flaws, with over 19,000 located in the United States, as reported by Shadowserver. The vulnerabilities, CVE-2025-20333 and CVE-2025-20362, affect a range of Cisco ASA and FTD software versions and pose significant security risks. National security agencies from the UK, Canada, France, and the Netherlands have issued advisories emphasizing the threat. CISA mandated that all federal civilian executive branch agencies patch the vulnerabilities within 24 hours, reflecting confirmed exploitation in the wild. The exploitation has been linked to the ArcaneDoor campaign, which deploys malware such as RayInitiator and Line Viper to maintain persistent access. The affected devices include 5500-X-series firewalls, many of which are nearing or have reached end-of-life, necessitating urgent upgrades or replacements. Organizations are urged to follow Cisco's detection and remediation guidelines and consult the NCSC's malware analysis for further insights. End-of-life technology poses a critical risk; timely migration to supported systems is essential to mitigate vulnerabilities and improve resilience.
2025-09-30 16:13:51 thehackernews NATION STATE ACTIVITY Phantom Taurus Targets Governments with Advanced Stealth Malware
Phantom Taurus, a newly identified China-aligned threat actor, has targeted government and telecom sectors across Africa, the Middle East, and Asia over the past two-and-a-half years. The group focuses on espionage, targeting ministries of foreign affairs, embassies, and military operations, with operations often coinciding with major geopolitical events. Phantom Taurus employs custom-developed malware, including the NET-STAR suite, targeting Internet Information Services (IIS) web servers, showcasing advanced evasion techniques. The group uses shared infrastructure with other known Chinese threat actors but maintains operational compartmentalization, indicating sophisticated coordination. Initial access vectors remain unclear, but past intrusions exploited vulnerabilities in IIS and Microsoft Exchange servers, such as ProxyLogon and ProxyShell. Recent attacks show a shift from email collection to direct database targeting, using batch scripts to extract data from SQL Server databases. The malware's capabilities, including timestomping, complicate forensic analysis, posing a significant threat to internet-facing servers and highlighting the need for enhanced cybersecurity measures.
2025-09-30 15:16:10 bleepingcomputer VULNERABILITIES Critical Vulnerability in WD My Cloud NAS Requires Urgent Patching
Western Digital has issued firmware updates for My Cloud NAS models to address CVE-2025-30247, a critical OS command injection vulnerability. The flaw lets a remote attacker execute arbitrary commands on the device via crafted HTTP POST requests. My Cloud devices, popular with small businesses and individuals, face unauthorized access, file manipulation and potential ransomware if left unpatched. Firmware version 5.31.108 fixes the issue, though updates for end-of-support models such as the My Cloud DL4100 and DL2100 may not be available. Users are advised to update immediately or, where that is not possible, to disconnect the device from the internet and use it only on the local network. Devices with automatic updates enabled should have received the patch by September 23, 2025, but owners should verify their firmware version and update manually if needed. The case again shows the need for regular updates and security vigilance for consumer-grade network-attached storage.
2025-09-30 15:06:56 theregister VULNERABILITIES Unmanaged Cloud Access in Microsoft 365 Poses Significant Security Risks
Cloud collaboration platforms like Microsoft 365 have transformed workplace productivity but introduced challenges in managing document access and sharing permissions effectively. Oversharing within Microsoft 365 often results in prolonged access beyond business needs, increasing the risk of data exposure and potential security breaches. Uncontrolled access can lead to accidental leaks or intentional data sabotage, especially when former employees retain access to sensitive information. The principle of least privilege is crucial; access should be limited to necessary personnel and for the required duration only to mitigate risks. Built-in Microsoft 365 security features offer limited visibility into unstructured data access, leaving organizations vulnerable to unmanaged sharing. Enhanced cloud governance solutions are needed to provide comprehensive visibility into shared content, ensuring security teams can monitor and control access effectively. Organizations are encouraged to adopt tools that offer detailed insights into access rights, helping prevent unauthorized data exposure and safeguarding sensitive information.