Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12634
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-11-24 12:28:27 | theregister | VULNERABILITIES | CISA Mandates Urgent Patch for Oracle Identity Manager Flaw | CISA has directed U.S. federal agencies to patch a critical Oracle Identity Manager vulnerability, CVE-2025-61757, by December 12, following signs of active exploitation.
The flaw allows unauthenticated attackers with network access to completely compromise Oracle Identity Manager, posing significant security risks.
Searchlight Cyber researchers have detailed the vulnerability, describing it as "trivial" to exploit, involving a single HTTP request to bypass authentication.
Evidence suggests the vulnerability was exploited as a zero-day, with attack logs indicating activity from August 30 to September 9, prior to Oracle's patch release.
Oracle's October advisory rated the issue as critical but did not confirm zero-day exploitation, raising concerns over the transparency of their vulnerability disclosures.
The urgency of the patch is compounded by Oracle's previous security challenges, including a major breach by the Clop ransomware group earlier this year.
Federal agencies face compliance consequences if the patch is not applied by the deadline, emphasizing the critical need for timely updates and robust security practices. | Details |
| 2025-11-24 11:47:57 | bleepingcomputer | VULNERABILITIES | Microsoft to Remove WINS Support from Windows Server Post-2025 | Microsoft announced the removal of Windows Internet Name Service (WINS) from Windows Server releases following the 2025 version, urging IT administrators to plan for this change.
WINS, deprecated since Windows Server 2022, will no longer be supported after November 2034, marking a shift towards modern Domain Name System (DNS)-based solutions.
The decision is driven by DNS's superior scalability and security features, including DNSSEC, which protects against cache poisoning and spoofing attacks.
Organizations relying on WINS are advised to audit their systems and transition to DNS, using conditional forwarders or split-brain DNS to ensure continuity.
Microsoft cautions against using static host files as a workaround, citing scalability and sustainability issues in enterprise environments.
The removal of WINS affects the server role, management console, automation APIs, and related interfaces, necessitating a comprehensive migration strategy.
Businesses are encouraged to begin migration planning immediately to prevent operational disruptions and align with modern internet standards. | Details |
| 2025-11-24 11:10:56 | thehackernews | VULNERABILITIES | DeepSeek-R1 AI Model Generates Insecure Code on Sensitive Topics | CrowdStrike research reveals DeepSeek-R1 AI model generates insecure code when prompts include politically sensitive topics like Tibet and Uyghurs, increasing security vulnerability likelihood by up to 50%.
The model's coding flaws include hard-coded secrets, insecure data handling, and invalid code, posing significant cybersecurity risks for businesses using this AI technology.
Taiwan's National Security Bureau warns against Chinese-made generative AI models, citing potential pro-China biases, historical narrative distortion, and disinformation risks.
DeepSeek-R1's vulnerability issues arise from geopolitical modifiers in prompts, with significant deviations observed in code security for politically sensitive topics.
CrowdStrike discovered an "intrinsic kill switch" in DeepSeek-R1, preventing code generation on banned topics like Falun Gong, indicating possible compliance with Chinese regulations.
The findings stress the need for caution when using AI models in sensitive contexts, highlighting the importance of robust security measures and thorough testing.
Broader implications include potential regulatory challenges and the necessity for international standards to govern AI model training and deployment to prevent misuse. | Details |
| 2025-11-24 09:01:47 | theregister | MISCELLANEOUS | UK Cyber Team Showcases Talent at European Cyber Security Challenge | The UK cyber team participated in the European Cyber Security Challenge 2025 in Poland, securing a commendable 22nd place among Europe's top young cyber talents.
The team, selected from 30 of the UK's brightest cyber enthusiasts, demonstrated exceptional skills, collaboration, and resilience throughout the competition.
The ECSC, known as the Olympics of cyber security, featured events like Jeopardy and Attack and Defend, testing participants' technical skills and strategic thinking.
Despite initial training hurdles, the team excelled under pressure, showcasing remarkable teamwork and problem-solving abilities during the competition.
Coaching focused on instilling core values such as teamwork, resilience, and empowerment, drawing inspiration from sports leadership philosophies.
The experience fostered international collaboration and networking, with team members forming connections across borders, enhancing future cyber defense capabilities.
The event highlighted the importance of nurturing young talent and the need for ongoing support and sponsorship to advance the UK's cyber security expertise. | Details |
| 2025-11-24 07:23:34 | thehackernews | VULNERABILITIES | ShadowPad Malware Exploits WSUS Flaw for System Access | A critical vulnerability, CVE-2025-59287, in Microsoft Windows Server Update Services (WSUS) is being actively exploited by attackers to distribute ShadowPad malware.
The flaw allows remote code execution as SYSTEM on exposed WSUS servers, posing significant risk to organizations that use WSUS to distribute updates.
Threat actors have utilized PowerCat to gain system shell access and employed tools like certutil and curl to download ShadowPad.
ShadowPad, a modular backdoor linked to Chinese state-sponsored groups, is known for its sophisticated anti-detection and persistence capabilities.
The attack involves DLL side-loading, using legitimate binaries to execute malicious payloads, enhancing stealth and effectiveness.
Microsoft has patched the vulnerability, yet the release of proof-of-concept exploit code has spurred widespread exploitation efforts.
Organizations are urged to apply the latest security updates and monitor WSUS configurations to mitigate potential threats. | Details |
| 2025-11-24 05:45:53 | theregister | MISCELLANEOUS | Cryptology Association to Re-run Election After Key Loss Incident | The International Association for Cryptologic Research (IACR) will re-run its board election after losing a critical encryption key needed to count votes.
The initial election, conducted via the Helios electronic voting system, faced a technical issue when a trustee lost their portion of the cryptographic key.
IACR's bylaws require three trustees to hold parts of the key to ensure election integrity, preventing any two from colluding.
The key loss incident led to the resignation of the responsible trustee and the decision to void the election and start anew.
The association plans to implement a two-out-of-three threshold for key management to prevent future issues, alongside clear procedural guidelines.
The re-run election will occur from November 21 to December 20, with the same candidates and electoral roll.
This incident highlights the importance of robust key management practices in maintaining the integrity of electronic voting systems. | Details |
| 2025-11-24 01:19:11 | theregister | NATION STATE ACTIVITY | Chinese APT 31 Targets Russian IT Sector Amid Diplomatic Tensions | Researchers from PT Security identified China-linked APT 31, also known as Violet Typhoon, targeting Russian IT companies and government contractors in 2024 and 2025.
The attacks were strategically timed to coincide with weekends and holidays, indicating a deep understanding of the targets' operational processes.
APT 31 utilized a combination of common malware and proprietary tools to maintain persistent access to Russian networks, focusing on credential theft.
The attackers used legitimate cloud services, including Yandex Cloud and Microsoft OneDrive, for command and control, complicating attribution and response efforts.
This activity raises questions about the sincerity of the declared "limitless" partnership between China and Russia, as other reports also indicate ongoing cyber operations by China against Russian interests.
The persistence of APT 31 in targeting Russian assets suggests continued geopolitical tensions and the need for robust cybersecurity measures to protect critical infrastructure. | Details |
| 2025-11-23 22:55:20 | theregister | VULNERABILITIES | Critical Remote Code Execution Flaw Found in Glob CLI Tool | Security researchers identified a significant remote code execution vulnerability in the Glob CLI tool, affecting versions v10.2.0 through v11.0.3.
The flaw resides in the tool's –c flag, which executes commands on matching files, posing risks when filenames contain shell metacharacters.
This vulnerability impacts systems using POSIX, including Linux and macOS, where malicious filenames can execute arbitrary code.
Despite over ten million weekly downloads, the CLI tool's infrequent use contributed to the flaw's prolonged existence.
Users operating in environments processing untrusted files are urged to update to Glob versions v10.5.0, v11.1.0, or v12.0.0 immediately.
The discovery emphasizes the need for rigorous security assessments of widely used libraries and tools in software development environments. | Details |
| 2025-11-23 17:04:38 | bleepingcomputer | MISCELLANEOUS | Security Best Practices for Safeguarding Model Context Protocol (MCP) | As MCP becomes the standard for linking LLMs to tools and data, security teams are prioritizing robust protection measures to safeguard these integrations.
The cheat sheet provides seven actionable security best practices designed to enhance the security posture of organizations implementing MCP.
Key recommendations include regular security audits, implementing access controls, and ensuring encrypted data transmissions to prevent unauthorized access and data breaches.
Organizations are advised to maintain a proactive approach in monitoring and updating MCP-related systems to address emerging threats and vulnerabilities.
The guidance aims to assist security teams in mitigating risks associated with the rapid adoption of MCP, ensuring secure and efficient operations.
Adoption of these practices is crucial for organizations to protect sensitive data and maintain trust while leveraging the capabilities of LLMs. | Details |
| 2025-11-23 15:34:36 | bleepingcomputer | MISCELLANEOUS | Google Introduces Cross-Platform File Sharing Between Pixel and iPhone | Google has launched interoperability between Android Quick Share and Apple AirDrop, initially supporting Pixel 10-series devices, allowing seamless file sharing with iPhones.
This development marks a significant step in bridging the gap between Android and iOS ecosystems, enhancing user convenience and flexibility in file sharing.
The new feature supports secure file sharing through Bluetooth and Wi-Fi Direct, adhering to stringent security protocols, including threat modeling and penetration testing.
An independent audit by NetSPI confirmed the robustness of the system, ensuring no data leakages and reinforcing user trust in the new feature.
Google's implementation leverages Rust programming language to eliminate memory-safety vulnerabilities, enhancing the security of wireless data parsing.
The current mode allows direct device-to-device connections without server intermediaries, requiring users to manually verify device authenticity to prevent accidental data sharing.
Future updates, in collaboration with Apple, aim to introduce a "Contacts Only" mode, further enhancing interoperability between Android and iOS devices. | Details |
| 2025-11-23 14:46:07 | bleepingcomputer | MISCELLANEOUS | Passwork 7 Enhances Enterprise Credential and Secrets Management | Passwork 7 introduces a unified platform for managing both human and machine credentials, addressing operational complexities in enterprise environments.
The update focuses on usability and security enhancements, offering improved workflow efficiency and feature accessibility based on real-world feedback.
Key features include a flexible vault architecture, granular access control with RBAC, and secure credential sharing for internal and external users.
Passwork's zero-knowledge encryption and self-hosted deployment ensure maximum security and compliance with data residency regulations.
The platform supports seamless migration from other password managers, offering a 10% discount for transitioning organizations.
Automation capabilities through API, Python connector, CLI, and Docker integration streamline DevOps workflows and credential management.
A Black Friday promotion offers up to 50% discounts, encouraging organizations to test and adopt the platform during the trial period. | Details |
| 2025-11-23 13:55:00 | bleepingcomputer | DATA BREACH | Iberia Alerts Customers Following Supplier Data Breach Incident | Iberia, Spain's largest airline, has informed customers of a data breach linked to a third-party supplier, potentially exposing certain customer information.
The breach did not compromise Iberia account credentials, passwords, or financial details, according to the airline's security notice.
Iberia has implemented enhanced security protocols, including verification codes for email changes, and is monitoring systems for unusual activity.
Authorities have been notified, and an ongoing investigation is underway in coordination with the affected supplier.
A threat actor claimed online possession of 77 GB of Iberia data, attempting to sell it for $150,000, though its connection to the breach remains unverified.
Customers are advised to remain vigilant against potential phishing attempts and report any suspicious communications to Iberia's call center.
The incident underscores the importance of robust vendor management and security protocols to protect sensitive data. | Details |
| 2025-11-23 13:10:17 | bleepingcomputer | MISCELLANEOUS | Costco Membership Promotion Offers Digital Shop Card Incentive | Costco introduces a promotion offering a $40 Digital Shop Card with the purchase of a 1-Year Gold Star Membership, priced at $65, targeting new or lapsed members.
The offer aims to attract new customers and those whose memberships have been inactive for at least 18 months, enhancing holiday shopping convenience.
To qualify, participants must provide a valid email and enroll in auto-renewal using a Visa or Mastercard debit card at sign-up.
The Digital Shop Card, redeemable online or in-store, will be emailed within two weeks of successful membership registration and auto-renewal enrollment.
This initiative excludes existing members seeking upgrades or renewals, as well as Costco employees, ensuring focus on expanding the member base.
The promotion, valid until December 31, 2025, is part of a StackCommerce deal, with BleepingComputer.com earning a commission on sales through their platform.
Participants are advised to enter accurate email information to avoid issues with receiving the Digital Shop Card, which cannot be used at Costco Food Courts. | Details |
| 2025-11-22 18:59:22 | bleepingcomputer | DATA BREACH | Researchers Expose WhatsApp API Flaw Affecting 3.5 Billion Accounts | Researchers from the University of Vienna and SBA Research identified a vulnerability in WhatsApp's contact-discovery API, enabling the extraction of 3.5 billion user accounts without rate limiting.
The flaw allowed researchers to compile a global list of active WhatsApp accounts, revealing usage patterns even in countries with bans, such as China and Iran.
The team used a single server and five sessions to query WhatsApp's servers at a rate of over 100 million numbers per hour, highlighting the lack of adequate safeguards.
Additional API endpoints provided access to user profile photos, "about" text, and device information, raising significant privacy concerns.
WhatsApp has since implemented rate-limiting measures to prevent future abuse, following the researchers' responsible disclosure of the vulnerability.
This incident emphasizes the critical need for robust API security measures, as similar vulnerabilities have led to large-scale data breaches on platforms like Facebook and Twitter.
The findings are a stark reminder that a missing rate limit on a lookup endpoint can expose user data at global scale, regardless of how well the rest of the platform is secured. | Details |
| 2025-11-22 15:19:52 | thehackernews | NATION STATE ACTIVITY | APT31 Targets Russian IT Sector Using Cloud Services for Stealth | APT31, a China-linked cyber espionage group, targeted the Russian IT sector, focusing on contractors for government agencies, from 2024 to 2025.
The group utilized legitimate cloud services like Yandex Cloud for command-and-control operations, aiming to blend in with normal traffic and evade detection.
Attacks included spear-phishing emails with RAR archives, deploying the Cobalt Strike loader "CloudyLoader" via DLL side-loading.
APT31 employed both publicly available and custom tools, maintaining persistence through scheduled tasks mimicking applications like Yandex Disk and Google Chrome.
The group exfiltrated data using cloud storage services, collecting sensitive information such as passwords from victim devices.
Russian cybersecurity firms identified overlaps with the EastWind threat cluster and documented these activities, highlighting the group's sophisticated methods.
The use of cloud services and social media profiles for staging encrypted commands allowed APT31 to remain undetected for extended periods, posing significant challenges for cybersecurity defenses. | Details |