Daily Brief
Total articles found: 12635
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-11-21 13:02:35 | thehackernews | VULNERABILITIES | Google Enhances Quick Share Security with Rust and AirDrop Compatibility | Google has updated Quick Share for Pixel 10 devices, enabling cross-platform file sharing with Apple's AirDrop and improving interoperability between Android and Apple devices. The feature requires iPhone users to adjust their discoverability settings for file transfers, while Android users must change Quick Share visibility or be in Receive mode. Quick Share's security is bolstered by Rust, a memory-safe programming language, which reduces memory-safety vulnerabilities and improves resilience against attacks. An independent assessment by NetSPI confirmed the security of Google's implementation, noting that it is stronger and does not leak information, unlike other manufacturers' versions. A low-severity vulnerability was identified that could allow access to image thumbnails and SHA256 hashes, but Google has addressed the issue. Google is also piloting features in India to combat app-related financial fraud, including alerts for screen sharing during calls. The company is developing Enhanced Phone Number Verification (ePNV) to replace SMS OTP with SIM-based verification, aiming to improve sign-in security on Android devices. |
| 2025-11-21 11:04:00 | thehackernews | MISCELLANEOUS | Samsung Knox Suite Enhances Mobile Security for Enterprises | Samsung Galaxy devices incorporate Samsung Knox at the manufacturing stage, providing a security foundation that integrates with existing enterprise security infrastructure. The Knox Suite supports Zero Trust principles, enforcing strict access controls to mitigate mobile threats without complicating device management for IT teams. IT administrators gain enhanced security, deeper insights, and improved control over devices while keeping existing workflows and minimizing operational disruption. Knox Suite is compatible with most enterprise mobility management (EMM) tools, extending their capabilities for device security and management. By using Knox Suite, enterprises can strengthen their mobility strategies, protecting sensitive data and maintaining productivity without added complexity. Samsung positions itself as a partner for IT teams, offering a solution that addresses both current security challenges and future threats. The integration of Knox Suite into Samsung devices lets enterprises adopt mobile technology while safeguarding critical data and their reputation. |
| 2025-11-21 10:46:39 | thehackernews | NATION STATE ACTIVITY | APT24's BADAUDIO Malware Campaign Targets Taiwan and Over 1,000 Domains | APT24, linked to China, has deployed BADAUDIO malware in a prolonged espionage campaign affecting over 1,000 domains, primarily targeting Taiwan's digital infrastructure. The campaign, active since November 2022, uses watering holes, supply chain compromises, and spear-phishing to infiltrate networks. BADAUDIO, a C++ malware, employs control flow flattening for obfuscation and acts as a downloader for AES-encrypted payloads from hard-coded command and control servers. Recent tactics involve injecting malicious JavaScript into a widely used library and compromising a regional digital marketing firm to hijack over 1,000 domains. The malware uses DLL Search Order Hijacking for execution, with encrypted archives containing DLL, VBS, BAT, and LNK files to evade detection. APT24's campaign also includes targeted phishing using social engineering lures such as animal rescue themes, delivering malware via cloud services like Google Drive and OneDrive. The operation demonstrates APT24's capabilities in persistent espionage and adaptive attack strategies, presenting significant risk to targeted sectors. |
| 2025-11-21 09:24:58 | theregister | VULNERABILITIES | ZTE Unveils ZXCSec MAF to Secure Large AI Models | At MWC Shanghai 2025, ZTE introduced the ZXCSec MAF security solution, designed to protect large AI models from a range of security threats. The solution addresses vulnerabilities such as adversarial threats, data leakage, API abuse, and content risks affecting large-model applications. ZXCSec MAF employs a multi-layered framework covering the model, data, application, and content domains. It supports both ZTE's Nebula models and third-party models such as Llama, Qwen, and DeepSeek, giving it broad applicability across industries. By mitigating risks associated with AI deployment, ZXCSec MAF aims to improve operational efficiency and safeguard AI systems in production environments. The launch underscores ZTE's stated commitment to technologies that tackle real-world security challenges faced by enterprises globally. |
| 2025-11-21 08:11:56 | thehackernews | DATA BREACH | SEC Dismisses SolarWinds Case Amid Cybersecurity Allegations | The SEC has dropped its lawsuit against SolarWinds and its CISO, Timothy G. Brown, over allegations of misleading investors about cybersecurity practices linked to the 2020 supply chain attack. The joint motion for dismissal was filed on November 20, 2025, with the SEC clarifying that the decision does not indicate its stance on other cases. Initially accused in October 2023, SolarWinds faced claims of fraud and internal control failures, including overstating cybersecurity measures and ignoring known risks. The 2020 supply chain attack, attributed to Russian APT29, revealed significant weaknesses in SolarWinds' cybersecurity framework and affected numerous organizations globally. In July 2024, the U.S. District Court for the Southern District of New York dismissed several of the allegations, citing a lack of actionable deficiencies and reliance on hindsight. The SEC has also charged other companies, including Avaya and Check Point, over misleading disclosures related to the SolarWinds incident. SolarWinds CEO Sudhakar Ramakrishna stated that the resolution marks a significant turning point, with the company now more secure and better prepared for future challenges. |
| 2025-11-21 06:30:10 | bleepingcomputer | DATA BREACH | Italian Rail Group's Data Breach Exposes 2.3TB of Sensitive Information | A hacker breached Almaviva, an IT services provider for FS Italiane Group, and leaked 2.3 terabytes of sensitive data on a dark web forum. The compromised data includes confidential documents, technical documentation, HR archives, and contracts, indicating significant exposure of internal operations. Almaviva, a global IT services firm with a $1.4 billion turnover, confirmed the breach and activated security protocols to mitigate further risk. FS Italiane Group, a state-owned entity with $18 billion in annual revenue, is among those affected, though the full impact on passenger data remains unclear. The incident is under investigation by Italian authorities, including the national cybersecurity agency, with Almaviva pledging transparent updates. The breach's structure aligns with tactics used by ransomware groups, underlining the need for robust cybersecurity measures in critical infrastructure sectors. The situation highlights exposure through third-party IT service providers and the need for businesses to reassess their cybersecurity strategies and vendor management practices. |
| 2025-11-21 05:38:10 | thehackernews | DATA BREACH | Salesforce Investigates Unauthorized Data Access via Gainsight OAuth Activity | Salesforce detected unusual activity linked to Gainsight applications, potentially allowing unauthorized access to some customers' data through OAuth connections. In response, Salesforce revoked all active access and refresh tokens associated with Gainsight apps and temporarily removed them from the AppExchange. The issue appears unrelated to any Salesforce platform vulnerability and instead concerns external app connections. Gainsight apps have also been pulled from the HubSpot Marketplace as a precaution, though no suspicious activity has been noted there. Threat actors from the ShinyHunters group are believed to be behind the campaign, following similar attacks on Salesloft Drift instances. Nearly 1,000 organizations reportedly had data accessed, including business contact details and product licensing information. Organizations are advised to audit third-party apps connected to Salesforce, revoke unused tokens, and rotate credentials if anomalies are detected. |
| 2025-11-21 04:02:56 | theregister | VULNERABILITIES | Google Integrates Quick Share with AirDrop, Raises Security Concerns | Google has enabled file sharing between Android's Quick Share and Apple's AirDrop, initially limited to its Pixel 10 smartphones, to improve cross-platform connectivity. The integration allows Android users to share files with iOS devices but requires iOS users to activate the "Everyone for 10 minutes" mode, potentially exposing them to unsolicited file transfers. Security experts have raised concerns about malicious files being sent during this open sharing window. Google implemented the feature in Rust, a language known for reducing memory-safety vulnerabilities, and engaged independent security experts for assessment. Despite Google's security measures, businesses remain cautious and often use mobile device management tools to disable such features because of potential security threats. The initiative underscores the ongoing challenge of balancing user convenience with security, especially in cross-platform environments. Apple's non-involvement in the integration reflects its history of prioritizing user privacy, as seen in past decisions that affected third-party data tracking. |
| 2025-11-20 23:23:39 | theregister | MISCELLANEOUS | SEC Drops Lawsuit Against SolarWinds and CISO After SUNBURST Attack | The SEC has decided to dismiss its lawsuit against SolarWinds and its Chief Information Security Officer over the alleged misleading of investors about security practices. The lawsuit stemmed from the 2020 SUNBURST attack, in which Russian hackers compromised SolarWinds' Orion software, affecting major corporations and U.S. government departments. SolarWinds expressed satisfaction with the SEC's decision, viewing it as a vindication of its security team's actions during the incident. The SEC clarified that the dismissal is discretionary and does not set a precedent for other cases, preserving flexibility for future actions. The SUNBURST attack led SolarWinds to launch its "Secure by Design" initiative, aimed at improving software security industry-wide. The case has been a focal point for CISOs concerned about regulatory pressure and the potential impact on their roles following cyber incidents. A judge had previously dismissed most of the SEC's allegations, which may have influenced the decision to drop the case entirely. |
| 2025-11-20 22:15:59 | bleepingcomputer | NATION STATE ACTIVITY | Google Uncovers APT24's Use of BadAudio Malware in Espionage | Google Threat Intelligence Group (GTIG) exposed APT24's use of the BadAudio malware in a three-year campaign targeting Windows systems. The malware was delivered via spearphishing, supply-chain compromises, and watering hole attacks, affecting over 1,000 domains through the compromise of a digital marketing firm in Taiwan. APT24 injected malicious JavaScript into legitimate websites and libraries and used techniques such as DLL search order hijacking and control flow flattening to evade detection. BadAudio collects and encrypts system details, sends them to a command-and-control server, and can execute further payloads in memory, including the Cobalt Strike Beacon. Despite its long-term use, BadAudio remained largely undetected, with only two of eight samples flagged as malicious by more than 25 antivirus engines. Google notes APT24's shift toward stealthier tactics, demonstrating persistent and adaptive espionage capabilities. The campaign's evolution underlines the importance of robust cybersecurity measures and continuous monitoring to detect and mitigate advanced persistent threats. |
| 2025-11-20 20:37:49 | theregister | DATA BREACH | Salesforce Experiences Another Data Breach Linked to ShinyHunters | Salesforce disclosed a breach involving Gainsight-published applications, potentially compromising customer data through unauthorized access; the breach was linked to third-party app connections rather than Salesforce platform vulnerabilities. The incident is attributed to ShinyHunters, a group previously involved in similar breaches, including an attack on SalesLoft's Drift application that exploited OAuth tokens for unauthorized access. In response, Salesforce revoked all active and refresh tokens for Gainsight applications and temporarily removed them from the AppExchange to prevent further unauthorized access. Google's Mandiant incident response team is working with Salesforce to alert affected organizations and recommends auditing SaaS environments for potential exposure. Organizations are advised to review third-party applications connected to Salesforce, revoke tokens for unused or suspicious apps, and rotate credentials upon detecting unusual activity. The breach underscores the importance of robust security practices for managing third-party application connections to prevent unauthorized data access. |
| 2025-11-20 19:19:51 | theregister | MALWARE | Researchers Explore LLMs' Potential in Generating Malicious Code | Netskope Threat Labs investigated whether large language models (LLMs) such as GPT-3.5-Turbo and GPT-4 could generate operationally reliable malware, finding current capabilities insufficient for autonomous attacks. Researchers managed to get the LLMs to produce Python scripts for malicious purposes, but the scripts proved unreliable in practical deployment scenarios. Tests showed moderate success in virtualized environments, with a 50-60% reliability rate, but significant failures in AWS environments, indicating the limits of current LLM-generated code. Preliminary tests with GPT-5 showed improved code quality, reaching a 90% success rate in AWS VDI environments, though bypassing its stronger guardrails remains difficult. Despite these advances, LLMs still require human intervention for effective cyber operations, as recent attempts by Chinese cyber spies using AI tools demonstrated. Google disclosed criminals' experimental use of Gemini to develop self-rewriting malware, but these efforts remain theoretical and cannot currently compromise networks. Continuous monitoring of LLM advances is important for network defenders so they can address potential threats as AI capabilities evolve. |
| 2025-11-20 19:05:10 | bleepingcomputer | DATA BREACH | Hacker Claims Massive Data Theft from Italian Rail Group Almaviva | A threat actor breached Almaviva, an IT services provider for FS Italiane Group, stole 2.3TB of data, and leaked it on a dark web forum. The compromised data reportedly includes sensitive documents, technical documentation, HR archives, and accounting data relating to FS Italiane Group's operations. FS Italiane Group, a state-owned railway operator, manages critical infrastructure and transport services and has annual revenues exceeding $18 billion. Almaviva confirmed the breach, stating that security monitoring identified and isolated the attack and that counter-response procedures were initiated to protect critical services. Authorities, including the police and the national cybersecurity agency, have been informed, and an investigation is underway with government assistance. The breach's full impact remains uncertain, particularly regarding passenger information and the potential effect on other clients. Almaviva has committed to providing transparent updates as the investigation progresses, highlighting the importance of robust incident response procedures. |
| 2025-11-20 17:27:44 | thehackernews | MALWARE | ShadowRay 2.0 Transforms Ray Clusters into Self-Spreading Cryptomining Botnet | Oligo Security reports ongoing exploitation of a critical flaw in the Ray AI framework, leading to a self-replicating cryptomining botnet running on NVIDIA GPUs. The attack exploits CVE-2023-48022, a vulnerability with a CVSS score of 9.8, abusing Ray's unauthenticated Job Submission API to hijack computing resources. ShadowRay 2.0 uses GitLab and GitHub for malware distribution, with the operators adapting quickly to takedown efforts by creating new accounts. The campaign employs detection-evasion tactics such as disguising processes and limiting CPU usage, while removing rival miners to maximize gains. Anyscale, Ray's developer, has released tools such as the "Ray Open Ports Checker" to help secure clusters, alongside recommendations for firewall configuration and dashboard access controls. The botnet's capabilities extend beyond cryptojacking: compromised clusters may be used for DDoS attacks against rival mining infrastructure, adding a further monetization avenue. More than 230,500 Ray servers are exposed to the internet, a significant attack surface resulting from improper network configuration and missing authentication. |
| 2025-11-20 17:12:31 | bleepingcomputer | VULNERABILITIES | Significant Surge in Scans Targeting Palo Alto GlobalProtect VPN Portals | Malicious scanning of Palo Alto Networks GlobalProtect VPN portals surged 40-fold within 24 hours, the highest activity in 90 days, as reported by GreyNoise. The spike began on November 14, 2025, and aligns with previous campaigns, suggesting a coordinated effort with recurring TCP/JA4t fingerprints and ASNs. GreyNoise identified 2.3 million scan sessions targeting the */global-protect/login.esp URI, with login attempts focused on the United States, Mexico, and Pakistan. The primary ASN involved is AS200373 (3xK Tech GmbH), with most IP addresses geolocated in Germany and Canada. Historical data suggests that such scanning spikes often precede the disclosure of new vulnerabilities, with a strong correlation noted for Palo Alto Networks' products. Previous incidents in 2025 included exploitation of CVE-2025-0108, CVE-2025-0111, and CVE-2024-9474, highlighting ongoing security challenges for Palo Alto Networks. Organizations are advised to actively monitor and block these attempts, treating them as malicious probes rather than dismissing them as failed exploit attempts. |