Daily Brief

Find articles below; each entry is followed by its generated summary.

Total articles found: 12633

Checks for new stories every ~15 minutes

2025-11-25 14:45:54 bleepingcomputer DATA BREACH Public Code Tools Expose Sensitive Data from Key Sectors
Researchers identified over 80,000 user pastes exposing credentials and sensitive data from sectors like government, banking, and healthcare via JSONFormatter and CodeBeautify platforms. The data, totaling over 5GB, was accessible through the platforms' Recent Links feature, which lacks proper security measures, allowing public access to sensitive information. Exposed data included encrypted credentials, SSL certificate passwords, and sensitive configuration files from major companies and government entities. A technology company inadvertently leaked a cloud infrastructure configuration file, revealing domain names, email addresses, and credentials for various services. A financial exchange's production AWS credentials were found, posing a significant risk if exploited by threat actors. WatchTowr's honeypot experiment confirmed that threat actors are actively scanning these platforms, with fake AWS keys accessed even after link expiration. Despite notifications, many affected organizations have not addressed the vulnerabilities, leaving their data at risk. Organizations are urged to review their data handling practices on public platforms and implement stronger access controls to prevent similar exposures.
2025-11-25 14:22:24 thehackernews MALWARE Fake Windows Updates on Adult Sites Deploy Stealer Malware
A new cyber campaign named JackFix uses fake Windows update pop-ups on adult sites to deploy stealer malware, targeting unsuspecting users with deceptive security update prompts. The campaign employs ClickFix lures, leveraging malvertising to redirect users to fake adult websites, pressuring them into executing malicious commands disguised as critical updates. Attackers utilize HTML and JavaScript to create convincing Windows Update screens, which hijack the victim's screen and prompt them to execute commands that initiate the malware infection. The malware employs obfuscation techniques, using MSHTA and PowerShell scripts to download and execute multiple payloads, including Rhadamanthys, Vidar Stealer 2.0, and RedLine Stealer. These payloads aim to steal sensitive information such as passwords and crypto wallets, with potential for further escalation by introducing additional malware. The campaign's infrastructure involves domain redirection and steganography to conceal payloads, complicating detection and analysis efforts by cybersecurity teams. Organizations are advised to enhance employee awareness and consider disabling the Windows Run box to mitigate the risk of such social engineering attacks.
2025-11-25 14:06:57 bleepingcomputer MISCELLANEOUS Strategic Year-End Cybersecurity Investments to Mitigate Business Risks
As the fiscal year ends, organizations face pressure to allocate remaining cybersecurity budgets effectively to address real risks and support future funding requests. Prioritizing security gaps that pose the highest business risks, such as vulnerabilities in customer-facing systems, is crucial for operational integrity and compliance. Strengthening identity controls, such as implementing robust password policies, can significantly reduce risks associated with weak credentials and excessive access rights. Consolidating overlapping security tools can streamline operations, cut costs, and enhance user experience, while freeing resources for critical incident response and automation. Investing in low-friction continuity controls, like incident response retainers and cloud surge capacity, ensures resilience against DDoS attacks and infrastructure failures during peak periods. Documenting year-end spending decisions can bolster future budget requests by demonstrating measurable security improvements and strategic risk reduction. Organizations are advised to focus on outcome-driven security engagements over unused tools to maximize the impact of their cybersecurity investments.
2025-11-25 13:44:06 theregister DATA BREACH Dartmouth College Data Breach Part of Clop's Oracle EBS Campaign
Dartmouth College reported a data breach involving Clop's exploitation of a zero-day vulnerability in Oracle E-Business Suite, affecting at least 1,494 Maine residents. The breach, occurring between August 9 and August 12, resulted in the theft of names, Social Security Numbers, and financial information. Dartmouth promptly secured its systems, notified law enforcement, and offered one year of credit monitoring to affected individuals. Clop's campaign has targeted widely used enterprise platforms, focusing on data theft rather than encryption, impacting numerous organizations globally. The breach is part of a larger wave affecting nearly 10,000 employees and contractors, including victims like GlobalLogic, Allianz UK, and Cox Enterprises. Oracle users face ongoing threats, with another zero-day vulnerability in Oracle Identity Manager being actively exploited and requiring urgent patching. Dartmouth plans to enhance vendor security oversight and has applied all available Oracle patches, though the full extent of the breach remains uncertain.
2025-11-25 12:02:20 bleepingcomputer DATA BREACH Code-Formatting Tools Leak Sensitive Data from Various Sectors
Researchers found over 80,000 exposed JSON pastes containing sensitive data from sectors like government, banking, and healthcare on JSONFormatter and CodeBeautify platforms. The data breach involves credentials, authentication keys, and configuration data accessible through the platforms' Recent Links feature, lacking adequate protection. Affected organizations include a cybersecurity firm, government entity, financial exchange, and a managed security service provider, exposing critical infrastructure details. WatchTowr researchers used a honeypot strategy, revealing that attackers accessed fake AWS keys even after link expiration, indicating ongoing threat actor activity. Despite notifications, many affected organizations have yet to remediate the exposure, leaving sensitive data vulnerable on these platforms. The incident stresses the importance of secure data handling practices and the risks associated with using online code-formatting tools without proper security measures. Organizations are advised to review their data-sharing practices and implement stricter controls to safeguard sensitive information from unauthorized access.
2025-11-25 11:41:58 theregister NATION STATE ACTIVITY CISA Warns of State-Backed Spyware Targeting Signal and WhatsApp Users
CISA has issued an alert regarding state-sponsored actors and cyber-mercenaries exploiting commercial spyware to infiltrate Signal and WhatsApp accounts of "high-value" individuals. Attackers bypass encryption by using phishing, spoofed apps, malicious QR codes, and zero-click exploits, compromising devices and accessing sensitive communications. Targeted individuals include senior government officials, military personnel, and civil society groups across the US, Middle East, and Europe, highlighting a broad geopolitical focus. Google's Threat Intelligence Group reported Russia-aligned groups exploiting Signal's "linked devices" feature, allowing them to eavesdrop on communications by adding attacker-controlled devices. Palo Alto Networks' Unit 42 identified the delivery of LANDFALL spyware to Samsung devices, exploiting a vulnerability and a zero-click WhatsApp exploit to compromise targets. Campaigns such as ProSpy and ToSpy impersonate popular apps to collect chat data and media files, while Zimperium uncovered ClayRat spyware targeting Russian users via counterfeit channels. The US has responded by barring NSO Group from targeting WhatsApp users and banning the app from House staff devices, reflecting increased scrutiny of commercial spyware vendors. These incidents demonstrate the evolving threat landscape, where attackers focus on exploiting app features and device vulnerabilities rather than breaking encryption directly.
2025-11-25 11:41:57 thehackernews NATION STATE ACTIVITY ToddyCat APT Group Expands Arsenal for Email and Token Theft
ToddyCat, active since 2020, targets organizations in Europe and Asia, employing new tools to access corporate email data and Microsoft 365 tokens. The group uses TCSectorCopy to extract Outlook OST files, bypassing application restrictions by copying files sector by sector. A new PowerShell variant of TomBerBil targets domain controllers, extracting browser data over SMB, and decrypts data using captured encryption keys. ToddyCat exploits OAuth 2.0 tokens via user browsers, enabling access to corporate email beyond compromised networks. The group faced a setback when security software blocked SharpTokenFinder, prompting the use of ProcDump to bypass restrictions and dump Outlook memory. ToddyCat's evolving tactics highlight the persistent threat posed by advanced persistent threat (APT) groups targeting sensitive corporate communications. Organizations are advised to strengthen defenses against such sophisticated attacks, focusing on endpoint security and monitoring for unusual network activities.
2025-11-25 11:31:56 thehackernews MALWARE Blender 3D Assets Exploited to Deploy StealC V2 Malware
Cybersecurity researchers identified a campaign using Blender Foundation files to distribute the StealC V2 information stealer, active for over six months. Attackers embed malicious Python scripts in .blend files on platforms like CGTrader, executing upon file opening when the Auto Run feature is enabled. The campaign shares tactical similarities with previous attacks linked to Russian-speaking threat actors, targeting online gaming communities. The malicious files download a PowerShell script to deploy StealC V2 and a secondary Python-based stealer, compromising host systems. StealC V2 is capable of extracting data from 23 browsers, 100 web plugins, cryptocurrency wallets, messaging services, and more. Blender's documentation warns of the security risks associated with Auto Run, advising users to disable it unless the file source is trusted. The attack leverages Blender's capability to run on physical machines with GPUs, evading sandbox and virtual environment defenses.
2025-11-25 11:31:56 thehackernews MISCELLANEOUS Preparing SOCs for AI-Driven Cyber Threats by 2026
By 2026, AI will become a primary tool for cybercriminals, enhancing their ability to scale attacks and automate reconnaissance, posing significant challenges for Security Operations Centers (SOCs). SOCs currently face overwhelming alert volumes, averaging 11,000 daily, with only a fraction warranting investigation, leading to analyst burnout and increased turnover. Attackers employ advanced evasion techniques, such as ClickFix campaigns and multi-stage phishing, which traditional sandboxes struggle to detect. ANY.RUN's Interactive Sandbox offers a solution by using machine learning to actively engage with malware, revealing complete attack chains in real time. The platform's threat intelligence capabilities enhance alert triage, providing analysts with deep context and reducing the time to detect and respond to threats. Demonstrating the return on investment for cybersecurity spending remains a challenge, but effective threat intelligence can transform SOCs from cost centers to value-generating assets. As AI reshapes cyber defense, SOCs must adapt by integrating interactive analysis and real-time intelligence to maintain operational efficiency and security effectiveness.
2025-11-25 11:13:40 bleepingcomputer DATA BREACH Dartmouth College Suffers Data Breach in Clop Extortion Attack
Dartmouth College has confirmed a data breach following an extortion attack by the Clop ransomware gang, affecting its Oracle E-Business Suite servers. The breach involved the exploitation of a zero-day vulnerability, CVE-2025-61882, leading to the theft of personal data from 1,494 individuals. Stolen data includes names, Social Security numbers, and financial account information, with potential broader impacts yet to be fully disclosed. Dartmouth has notified affected individuals and filed a breach notification with Maine's Attorney General but not yet with New Hampshire's authorities. The Clop gang's campaign has targeted multiple high-profile organizations, including Harvard University and The Washington Post, using the same Oracle vulnerability. The breach is part of a larger trend of attacks on Ivy League institutions, which have also faced recent voice phishing attempts targeting sensitive internal systems. Organizations must prioritize patch management and vulnerability assessments to safeguard against similar zero-day exploits in widely used platforms like Oracle EBS.
2025-11-25 11:06:11 theregister MISCELLANEOUS Orkney Power Outage Linked to Wind Farm Fault, Not Espionage
A two-hour power outage affected Orkney and parts of Caithness, initially sparking theories of Russian espionage due to the presence of a Russian spy ship. The outage coincided with the visit of the Russian vessel Yantar, suspected of mapping subsea cables, which fueled local speculation about sabotage. The Ministry of Defence had recently warned about the ship's activities, heightening local security concerns and prompting inquiries from local officials. Scottish and Southern Electricity Networks (SSEN) identified the actual cause as a malfunction in a network protection system at a Caithness wind farm. SSEN assured the public that corrective measures are in place to prevent future incidents, stating there are no ongoing concerns about network security. The incident underscores the importance of robust infrastructure security and clear communication to prevent misinformation during unexpected outages.
2025-11-25 09:57:30 theregister MISCELLANEOUS ZTE and Partners Launch 5G-A ISAC Network for Airport Security
ZTE, China Unicom Liaoning, and Dalian Changhai Airport have launched a 5G-A ISAC private network to enhance low-altitude security and safety at the airport. The network integrates intelligent computing, sensing, and communication to address challenges in managing low-altitude airspace, particularly against drones and bird flocks. Utilizing millimeter-wave ISAC base stations, the network achieves radar-like precision without separate hardware, reconstructing target data with sub-meter accuracy. Intelligent edge computing boards run AI models for real-time classification, distinguishing between various targets such as birds and drones. The private network ensures security through hard isolation, strong authentication, and encrypted transport, with 24/7 governance and rapid response processes. The architecture supports future integration for broader applications, including drone scheduling and data traceability, and offers significant cost and efficiency benefits. Plans are underway to replicate this model in other regional airports and closed-campus environments, enhancing scalability and reducing investment payback periods.
2025-11-25 06:51:26 thehackernews CYBERCRIME CISA Alerts on Spyware Targeting Signal and WhatsApp Users
CISA has issued an alert regarding active campaigns using commercial spyware and remote access trojans targeting users of popular messaging apps like Signal and WhatsApp. These campaigns employ advanced targeting and social engineering to infiltrate messaging apps, allowing further malicious payloads to compromise mobile devices. Threat actors utilize various tactics such as device-linking QR codes, zero-click exploits, and fake app versions to achieve unauthorized access. The primary targets include high-value individuals such as government officials, military personnel, and political figures across the U.S., Middle East, and Europe. CISA advises potential targets to implement best practices to mitigate risks, emphasizing the importance of vigilance and adherence to security protocols. The alert serves as a reminder of the persistent threat posed by sophisticated cybercriminals exploiting popular communication platforms.
2025-11-24 22:56:16 theregister MALWARE ClickFix Attacks Exploit Fake Windows Updates to Deploy Infostealers
A surge in ClickFix attacks leverages fake Windows update screens to deceive users into downloading infostealer malware, primarily targeting login credentials. This social engineering tactic has become the most prevalent initial access method for both state-sponsored and criminal cyber actors. Attackers employ steganographic loaders, embedding malicious code in PNG images to evade signature-based detection, complicating traditional defense mechanisms. Recent campaigns use a multi-stage execution chain initiated by deceptive prompts, leading to the deployment of Rhadamanthys malware. Huntress analysts identified ongoing activity with domains hosting these lures, despite recent law enforcement actions targeting associated infrastructure. Organizations are advised to block the Windows Run box, educate employees on ClickFix tactics, and utilize endpoint detection tools to identify suspicious activity. The presence of Russian-language comments in the lure site code hints at potential origins, though the attackers remain unidentified.
2025-11-24 22:02:09 theregister MISCELLANEOUS AWS Reinstates CodeCommit, Acknowledges Customer Feedback and Needs
AWS has reversed its decision to deprecate Amazon CodeCommit, a service initially launched in 2014, following customer feedback and enterprise needs. CodeCommit was initially met with lukewarm reception due to its less favorable user interface compared to GitHub and GitLab. AWS's revival of CodeCommit includes enhancements such as git-lfs support and regional expansions, addressing enterprise requirements for large file support and compliance. The decision to reinstate CodeCommit reflects AWS's commitment to listening to customer feedback and adapting services to meet enterprise demands. AWS's apology to customers who planned migrations away from CodeCommit marks a rare corporate acknowledgment of missteps outside of service outages. By investing in CodeCommit, AWS aims to provide a native git repository option that integrates deeply with its ecosystem, reducing the auditable surface area for enterprises. The move is seen as a positive step towards maintaining customer trust and adapting to evolving enterprise IT landscapes.