Daily Brief


Total articles found: 11757


2025-09-30 07:52:50 | theregister | MISCELLANEOUS | EU Cyber Resilience Act Eases Concerns for Open Source Developers
The EU's Cyber Resilience Act (CRA) initially raised concerns among open source developers about potential liabilities and compliance burdens. Greg Kroah-Hartman, a Linux kernel maintainer, reassures that the CRA will have minimal impact on individual open source contributors. The CRA mandates companies to document and secure their software supply chains, including generating a Software Bill of Materials (SBOM). Non-commercial open source developers face minimal requirements, such as providing a security contact in a basic "readme" file. Commercial entities integrating open source code must comply with detailed documentation and incident response requirements. The CRA's scope extends globally, affecting any software accessible in the EU market, impacting U.S. and Japanese vendors. The Act is expected to increase demand for open source software as companies seek greater control over code compared to proprietary options. Foundations and large projects are collaborating with the EU to develop compliance resources, ensuring clarity between commercial and non-commercial obligations.
2025-09-30 05:44:38 | thehackernews | VULNERABILITIES | CISA Warns of Critical Sudo Vulnerability Exploited in Linux Systems
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a critical vulnerability in the Sudo utility, impacting Linux and Unix systems, now listed in the Known Exploited Vulnerabilities catalog. The flaw, CVE-2025-32463, carries a CVSS score of 9.3 and affects Sudo versions before 1.9.17p1, posing significant security risks. Discovered by Stratascale's Rich Mirch, the vulnerability allows local attackers to execute arbitrary commands as root, bypassing sudoers file restrictions. CISA advises Federal Civilian Executive Branch agencies to implement mitigations by October 20, 2025, to protect their systems from potential exploitation. While active exploitation is confirmed, details on attack methods and responsible parties remain unclear, necessitating heightened vigilance. This incident underscores the critical need for timely patching and system updates to mitigate vulnerabilities in widely used software components. Organizations using affected systems should prioritize patch deployment and review security protocols to prevent unauthorized access.
2025-09-30 00:21:16 | theregister | MISCELLANEOUS | CISA Ends Funding for Key Cybersecurity Support to Local Governments
The Cybersecurity and Infrastructure Security Agency (CISA) will terminate its funding agreement with the Center for Internet Security (CIS) on September 30, 2025, impacting local government cybersecurity support. CISA aims to transition to a new model providing grant funding, no-cost tools, and cybersecurity expertise to state, local, tribal, and territorial partners. The cessation of funding affects the Multi-State Information Sharing and Analysis Center (MS-ISAC), which has facilitated threat intelligence sharing since 2003, leading to a shift towards a fee-based model. Concerns have arisen regarding the ability of state and local governments to maintain cybersecurity resilience and effective threat information sharing without federal support. The Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) also faces challenges due to prior funding cuts, prompting exploration of alternative support mechanisms. The broader budget and staff reductions at CISA raise questions about the continuity of election security and rapid threat communication across states. The potential lapse of the 2015 Cybersecurity Information Sharing Act adds to the uncertainty surrounding federal support for local cybersecurity initiatives.
2025-09-29 22:22:32 | bleepingcomputer | CYBERCRIME | UK Secures Conviction in Largest Cryptocurrency Seizure Case
The Metropolitan Police achieved a conviction in the world's largest cryptocurrency seizure, valued at over £5.5 billion ($7.3 billion), involving Zhimin Qian, also known as "Bitcoin Queen." Qian orchestrated a fraudulent Bitcoin scheme, defrauding over 128,000 victims in China from 2014 to 2017, raising 40 billion yuan by promising high returns. Following the scheme's collapse, Qian fled to the UK, converting proceeds into Bitcoin and attempting to launder funds through property purchases. The Met's investigation began in 2018, leading to the seizure of 61,000 Bitcoin, initially worth hundreds of millions but now valued at £5.5 billion. The operation required extensive international cooperation, particularly with Chinese law enforcement, to gather evidence of the criminal origins of the assets. The case sets a new record in cryptocurrency seizures, surpassing the U.S. Justice Department's 2022 confiscation related to the Bitfinex hack. Jian Wen, an associate of Qian, was sentenced to over six years in prison for her involvement in the laundering scheme. This conviction underscores the effectiveness of cross-border collaboration in tackling complex financial cybercrimes.
2025-09-29 20:52:51 | theregister | DATA BREACH | Malicious npm Package Leads to Significant Postmark Email Theft
A fake npm package impersonating Postmark's MCP server secretly copied thousands of emails daily to an attacker-controlled address, affecting potentially numerous organizations. The malicious package, "postmark-mcp," was downloaded approximately 1,500 times in a week, integrating into hundreds of developer workflows before being removed. Sensitive information, including password resets, MFA codes, invoices, and confidential documents, was exposed, posing significant risks to affected entities. Postmark has advised users to remove the fake package, review email logs for suspicious activity, and rotate credentials sent via email to mitigate potential damage. The incident underscores vulnerabilities within the MCP ecosystem, highlighting the risks of granting extensive permissions to unverified tools. GitHub, which manages the npm registry, is enhancing security measures by reducing security token lifetimes and enforcing two-factor authentication for local publishing. This breach serves as a cautionary tale about the ease of poisoning open-source repositories, emphasizing the need for robust supply chain security practices.
2025-09-29 20:52:51 | bleepingcomputer | CYBERCRIME | Cyberattack Halts Operations at Japan's Leading Brewer Asahi Group
Asahi Group Holdings, Japan's largest brewer, has suspended operations due to a cyberattack impacting ordering and shipping activities. The attack has disrupted call center operations and customer service desks, affecting Asahi's ability to serve its clients. Asahi holds a significant share of the Japanese market and generates nearly $20 billion in annual revenue, highlighting the potential economic impact. The cyberattack is currently limited to Japan-based operations, with no confirmed data breaches or personal information leaks reported. Asahi is actively investigating the source of the attack and working to restore affected systems, though no timeline for recovery has been provided. The identity of the threat actor and the method of initial access remain unknown, with no ransom demands reported at this time. The incident underscores the vulnerability of critical business operations to cyber threats, emphasizing the need for robust cybersecurity measures.
2025-09-29 20:44:24 | theregister | CYBERCRIME | Cyberattack Disrupts Asahi's Distribution, Halting Japanese Operations
Asahi Group Holdings, Japan's largest brewery, faced a cyberattack disrupting its distribution systems, affecting operations solely within Japan. The attack led to the shutdown of Asahi's shipping and call center systems, impacting domestic market operations, which account for half of its profits. No personal or commercial data theft has been reported, and Asahi is actively investigating the incident while working to restore operations. The company has not provided a timeline for recovery, raising concerns about prolonged operational disruptions and financial impacts. European and other international operations remain unaffected, isolating the issue to Japanese facilities. The attack reflects a growing trend of cybercriminals targeting prominent food and beverage companies, with past incidents costing firms millions in lost business. Industry estimates suggest that while some companies pay ransoms, many do not regain access, highlighting the risks of negotiating with cybercriminals.
2025-09-29 17:40:20 | bleepingcomputer | CYBERCRIME | Medusa Ransomware Gang Attempts Insider Recruitment at BBC
The Medusa ransomware group approached BBC cybersecurity correspondent Joe Tidy, offering him financial incentives to facilitate a breach of the broadcaster's network. The group proposed using Tidy's laptop to gain access, promising 15% of any ransom paid, with a potential increase to 25% if successful. Medusa, known for double-extortion tactics, has been linked to over 300 attacks on U.S. critical infrastructure, as reported by CISA. The group employs initial access brokers and targets organizations through cybercrime forums and darknet marketplaces. Tidy was targeted with MFA bombing, a tactic to overwhelm users with authentication requests to gain unauthorized access. Upon realizing the threat, Tidy alerted the BBC's information security team, leading to his disconnection from the network as a precaution. The incident highlights the persistent risk of insider threats and the need for robust internal security protocols to counteract such recruitment attempts.
2025-09-29 16:37:06 | thehackernews | MALWARE | EvilAI Campaign Exploits AI Tools for Global Malware Distribution
Trend Micro reports the EvilAI campaign uses AI-themed tools to distribute malware across sectors such as manufacturing, government, healthcare, and retail, affecting regions globally including the U.S., Europe, and AMEA. Attackers employ deceptive software that mimics legitimate applications, leveraging valid digital signatures to evade detection by users and security systems. The campaign's primary aim is to conduct reconnaissance, exfiltrate sensitive data, and maintain encrypted communications with command-and-control servers using AES-encrypted channels. Techniques include using newly registered websites, malicious ads, SEO manipulation, and promoted download links to propagate malware. EvilAI acts as a stager, gaining initial access and establishing persistence while evading analysis by mimicking real software and using code-signing certificates. Expel and other cybersecurity firms have identified shared infrastructure and multiple code-signing certificates, indicating a sophisticated operation possibly involving a malware-as-a-service provider. The campaign's evolution includes weaponizing seemingly benign applications and abusing digital code signing, challenging traditional endpoint defenses and exploiting user trust.
2025-09-29 16:37:05 | bleepingcomputer | CYBERCRIME | UK Government Supports JLR with Loan Guarantee After Cyberattack
Jaguar Land Rover (JLR) suffered a severe cyberattack, disrupting IT systems and halting production across multiple plants, with data reportedly stolen by attackers. The UK Government is providing a £1.5 billion loan guarantee through the Export Development Guarantee program to help JLR restore its supply chain and stabilize operations. The loan guarantee facilitates JLR in securing a substantial commercial bank loan, offering better terms than possible independently, to aid in supply chain recovery. The attack was claimed by a group linked to Scattered Spider, Lapsus$, and ShinyHunters, who allegedly deployed ransomware and leaked internal data. JLR has begun a phased restart of operations, working with cybersecurity experts, the UK’s NCSC, and law enforcement to ensure secure resumption. The incident underscores the vulnerability of critical sectors and the importance of robust cyber insurance, which JLR reportedly lacked at the time of the attack. This event highlights the strategic importance of government support in protecting national industries and safeguarding jobs during cybersecurity crises.
2025-09-29 14:51:16 | theregister | NATION STATE ACTIVITY | Former MI5 Chief Warns of Unofficial Cyber Conflict with Russia
Baroness Manningham-Buller, ex-MI5 head, suggests the UK is in an undeclared conflict with Russia, citing cyberattacks and intelligence operations as key indicators. Russian cyber activities, including sabotage and espionage, have intensified post-Ukraine invasion, targeting UK infrastructure and allies. The National Cyber Security Centre recently identified a Russian-linked malware campaign aimed at stealing Microsoft credentials, attributed to APT28. APT28, associated with Russia's GRU, has been active against governments and firms supporting Ukraine, reflecting broader geopolitical tensions. Historical tensions between the UK and Russia are underscored by past incidents, including the assassination of Alexander Litvinenko in London. The Baroness dismisses the notion of rivalry between MI5 and MI6, emphasizing a collaborative relationship in addressing these threats. The ongoing cyber hostilities suggest a need for heightened vigilance and strategic cybersecurity measures to protect national interests.
2025-09-29 14:27:28 | bleepingcomputer | DATA BREACH | Harrods Data Breach Exposes 430,000 Customer Records via Third-Party
Harrods, a UK luxury retail giant, reported a data breach affecting 430,000 e-commerce customers due to a compromised third-party supplier. The breach exposed names, contact details, and internal marketing tags, but did not include passwords, payment information, or order histories. Harrods proactively notified affected customers and is working with authorities to manage the breach's impact. The incident is separate from a previous attack in May linked to the Scattered Spider group. The threat actor attempted to extort Harrods, but the company refused to engage with them. Customers are advised to be cautious of phishing and social engineering attempts following the breach. Harrods continues to support affected customers and coordinate with relevant authorities to mitigate risks.
2025-09-29 14:11:18 | bleepingcomputer | VULNERABILITIES | Intruder Explores AI for Enhanced Vulnerability Management Efficiency
Intruder's security team initiated research to determine if AI could expedite the creation of vulnerability checks without compromising quality, addressing the challenge of keeping pace with attackers. Initial tests using large language models to generate Nuclei templates proved inadequate, producing outputs with invalid syntax and weak matchers. Transitioning to an agentic AI approach, which utilizes tools and reference materials, resulted in significantly improved template quality, resembling manual engineer outputs. The AI agent, named GregAI, assists in prioritizing vulnerabilities and generating reports, reducing backlog and freeing engineers for more in-depth research. Successful applications include creating checks for exposed admin panels and unsecured Elasticsearch instances, filling gaps left by major scanners. Challenges persist, such as the agent's occasional need for manual corrections and limitations in output efficiency, necessitating ongoing human oversight. Intruder remains cautious about claims of full automation, viewing AI as a productivity tool that requires expert supervision to ensure high-quality, reliable vulnerability checks.
2025-09-29 12:37:17 | thehackernews | VULNERABILITIES | Cisco Firewalls Targeted by Zero-Day Exploits in New Campaign
Cybersecurity agencies have identified active exploitation of two zero-day vulnerabilities affecting Cisco firewalls, enabling attackers to deploy new malware families, RayInitiator and LINE VIPER. The vulnerabilities, CVE-2025-20362 and CVE-2025-20333, allow threat actors to bypass authentication and execute malicious code, posing a critical risk to affected systems. The attack campaign is linked to the ArcaneDoor threat cluster, attributed to a suspected China-linked group, UAT4356, indicating potential nation-state involvement. Organizations using Cisco firewalls are urged to prioritize patching these vulnerabilities to mitigate risks and prevent unauthorized access or data breaches. The sophistication of the new malware families suggests an evolution in tactics, emphasizing the need for enhanced detection and response capabilities. Security teams should review their current defenses, focusing on authentication and access controls, to bolster resilience against similar exploit attempts. This incident illustrates the rapid exploitation of disclosed vulnerabilities, highlighting the importance of timely patch management and proactive threat intelligence.
2025-09-29 11:36:28 | thehackernews | MISCELLANEOUS | AI Adoption in SOCs Becomes Essential Amid Alert Overload
A recent survey of 282 security leaders reveals that AI adoption in Security Operations Centers (SOCs) has transitioned from experimental to essential due to overwhelming alert volumes. Organizations are processing an average of 960 alerts daily, with large enterprises facing over 3,000, creating an operational crisis where critical threats may go uninvestigated. The survey indicates that 40% of security alerts remain uninvestigated, and 61% of teams have ignored alerts that later became critical incidents, highlighting a significant operational breakdown. AI solutions are increasingly prioritized, with 55% of security teams already using AI for triage and investigation, and 60% planning to evaluate AI-powered SOC solutions within the year. AI is expected to handle 60% of SOC workloads in the next three years, focusing on triage, detection tuning, and threat hunting to enhance operational efficiency and reduce analyst burnout. Barriers to AI implementation include data privacy concerns, integration complexity, and the need for explainability, but momentum towards AI-driven SOCs is evident. The future SOC model envisions AI managing routine tasks, allowing human analysts to concentrate on complex investigations, thereby improving security posture and operational outcomes.