Daily Brief


Total articles found: 11542

2025-11-28 13:33:31 | theregister | MISCELLANEOUS | TryHackMe Faces Backlash Over Lack of Gender Diversity in Event
TryHackMe is addressing criticism for an all-male lineup in its Advent of Cyber event, a 24-day beginner-level cyber training program. The company is collaborating with Eva Benn from Microsoft to recruit female cybersecurity professionals to join the event's helper list. The initial absence of women was attributed to scheduling conflicts and non-responses from female creators, not a lack of effort. Ethical hacker Katie Paxton-Fear confirmed she was approached but unable to participate due to prior commitments. The situation has sparked broader discussions about gender diversity and representation in the cybersecurity industry. Influencers like Caitlin Sarian and Lesley Carhart have criticized the event, pointing to deeper issues of sexism and influencer culture. TryHackMe is actively expanding its roster to include more women, acknowledging the need for better communication and representation.
2025-11-28 12:07:16 | theregister | DATA BREACH | OBR Enlists Former NCSC Chief After Premature Budget Leak
The Office for Budget Responsibility (OBR) inadvertently uploaded its Economic and Fiscal Outlook online before the official announcement, leading to an unintended early disclosure of budget details. Reporters accessed the document by guessing its URL, which closely resembled previous official document links, exposing significant procedural oversight. OBR Chair Richard Hughes expressed regret over the incident, labeling it a "serious error" and committing to prevent future occurrences. Former NCSC chief Ciaran Martin has been appointed to lead an investigation, supported by Treasury IT and security experts, to identify the breach's root cause. The investigation aims to establish how the early access occurred, evaluate the publication process, and propose corrective actions to safeguard future releases. The findings of the investigation are set for publication by December 1, with recommendations expected to enhance OBR's document management protocols. This incident underscores the importance of robust digital security practices, even in seemingly low-risk environments, to prevent unauthorized access and information leaks.
2025-11-28 11:21:28 | theregister | MISCELLANEOUS | UK Government Reveals £1.8 Billion Digital ID Scheme Cost
The UK government has announced a £1.8 billion cost for its digital ID initiative, aimed at providing digital identities to all legal residents by August 2029. The Office for Budget Responsibility (OBR) reports an annual cost of £600 million for the scheme, with no identified savings to offset expenses. Funding for the digital ID project will be sourced from existing departmental expenditure limits, divided between capital and resource spending. The digital IDs are initially intended to verify eligibility to work, with potential expansion to streamline access to key services for citizens. Concerns arise regarding the lack of specific funding, as the scheme's costs may impact other departmental priorities and obligations. The initiative is a priority for the UK government, with the Government Digital Service tasked with system development under Cabinet Office oversight. The project reflects ongoing debates over budget allocations and departmental negotiations, as highlighted by discussions in the House of Commons.
2025-11-28 11:14:08 | thehackernews | MISCELLANEOUS | Rise of Remote Privileged Access Management in Modern IT Environments
Organizations are increasingly adopting Remote Privileged Access Management (RPAM) to secure critical systems in distributed and hybrid work environments, addressing the limitations of traditional Privileged Access Management (PAM) solutions. RPAM provides secure access for IT administrators, contractors, and third-party vendors from any location, supporting zero-trust principles and eliminating reliance on VPNs. Unlike traditional PAM, RPAM extends granular access controls beyond corporate perimeters, ensuring least-privilege access and detailed session monitoring without exposing credentials. The shift to remote work has amplified the need for robust access controls, with RPAM offering Just-in-Time access to mitigate risks associated with standing privileges. Cybercriminals frequently exploit weak remote access points; RPAM counters this by enforcing Multi-Factor Authentication and eliminating shared credentials, reducing potential attack surfaces. Compliance with regulatory frameworks like ISO 27001 and HIPAA is enhanced through RPAM's automated session logging and detailed audit trails, streamlining audits and ensuring transparency. As IT environments evolve, RPAM solutions are positioned as the future of privileged access management, offering AI-driven threat detection and zero-trust architectures to preemptively address potential breaches.
2025-11-28 08:38:22 | thehackernews | VULNERABILITIES | Microsoft Teams Guest Access Exposes Critical Security Gaps in Defender
Cybersecurity researchers identified a vulnerability in Microsoft Teams where guest access can bypass Microsoft Defender protections, posing a significant security risk for organizations. When users join external tenants as guests, they are subject to the host tenant's security policies, potentially leaving them unprotected. The new Teams feature allows users to chat with anyone via email, increasing collaboration but also expanding potential security threats. Attackers can exploit this by creating tenants without Defender protections, allowing them to send phishing links or malware to unsuspecting guests. Security controls such as SPF, DKIM, and DMARC checks are bypassed since emails originate from Microsoft's infrastructure, reducing detection chances. Organizations are advised to restrict B2B collaboration to trusted domains and educate users on identifying unsolicited Teams invitations. Microsoft has been approached for comments regarding this vulnerability, with updates pending.
2025-11-28 00:44:56 | theregister | CYBERCRIME | Naver's Upbit Acquisition Marred by $30 Million Cryptocurrency Heist
South Korean web giant Naver acquired cryptocurrency exchange Upbit just before it suffered a $30 million cyber theft, raising immediate concerns over the investment's security. Upbit temporarily suspended Solana cryptocurrency withdrawals and deposits, initially citing maintenance, before revealing an abnormal withdrawal incident. The heist involved ₩44.5 billion ($30 million) being illicitly withdrawn, prompting Upbit to enhance security measures and assure customers of loss coverage from its assets. Upbit has been previously targeted by cyber attackers allegedly linked to North Korea, known for targeting cryptocurrency exchanges to fund governmental and military activities. The incident adds to South Korea's history of significant cryptocurrency breaches, spotlighting the ongoing vulnerability of digital asset platforms in the region. Naver's acquisition, valued at $10.27 billion, now faces scrutiny as the company navigates the immediate financial and reputational impacts of the breach. The situation underscores the critical need for robust cybersecurity protocols in cryptocurrency exchanges to prevent similar incidents in the future.
2025-11-27 18:18:06 | thehackernews | CYBERCRIME | Bloody Wolf Expands Cyber Attacks with NetSupport RAT in Central Asia
Bloody Wolf, an unidentified cyber group, has expanded its malicious campaign from Kyrgyzstan to Uzbekistan, targeting finance, government, and IT sectors with NetSupport RAT since June 2025. The attackers impersonate Kyrgyzstan's Ministry of Justice using deceptive PDF documents and domain names to distribute malicious Java Archive (JAR) files. The operation employs social engineering tactics, tricking recipients into downloading JAR files that deploy the NetSupport RAT, maintaining a low operational profile. The campaign's Uzbekistan phase introduces geofencing, redirecting non-local requests while delivering malicious payloads to local users through embedded links. The JAR loaders are created using Java 8, and the NetSupport RAT payload is an older version from 2013, showcasing the use of low-cost, accessible tools in cyber operations. This campaign highlights the persistent threat of cybercriminals exploiting trust in government institutions to conduct regionally targeted attacks in Central Asia. Group-IB's collaboration with Kyrgyz authorities underscores the need for regional cooperation in addressing these sophisticated cyber threats.
2025-11-27 17:19:43 | bleepingcomputer | MALWARE | Malicious Language Models Lower Barriers for Cybercriminal Activities
Palo Alto Networks Unit42 examined WormGPT 4 and KawaiiGPT, large language models (LLMs) designed to facilitate cybercrime, offering tools for ransomware and phishing attacks. WormGPT 4, available for a subscription fee, can generate ransomware scripts using AES-256 encryption, enabling low-skilled attackers to execute complex cyber operations. KawaiiGPT, a community-driven alternative, can automate lateral movement and privilege escalation, though it lacks WormGPT 4's encryption capabilities. Both LLMs are gaining traction in cybercriminal circles, with hundreds of users exchanging tips on dedicated Telegram channels. The models produce sophisticated phishing lures, eliminating common grammatical errors, making them more convincing to potential victims. These tools allow inexperienced hackers to conduct advanced attacks at scale, reducing the time needed for attack preparation and execution. As LLMs become more integrated into cyber operations, security teams are urged to adopt best practices to mitigate emerging threats.
2025-11-27 16:37:37 | theregister | CYBERCRIME | Scattered Lapsus$ Hunters Exploit Zendesk in New Phishing Campaign
ReliaQuest has identified over 40 phishing domains mimicking Zendesk, part of a campaign by Scattered Lapsus$ Hunters targeting Zendesk users for extortion. The campaign involves typosquatted domains and fake single sign-on pages to harvest credentials and submit fraudulent helpdesk tickets. Attackers are using these tactics to drop remote-access trojans on helpdesk agents' machines, potentially accessing sensitive corporate data. Similarities with a previous campaign against Salesforce suggest the same criminal group is responsible, leveraging identity and trust in SaaS platforms. The group, a coalition of cybercrime specialists, has claimed responsibility for other high-profile breaches, including Salesforce and Gainsight. Zendesk's widespread use in over 100,000 companies makes its compromise particularly concerning, posing a significant risk to enterprise IT infrastructure. The attackers have publicly warned of ongoing campaigns, indicating a strategic focus on support platforms for future operations.
2025-11-27 15:51:40 | theregister | DATA BREACH | OpenAI Discontinues Mixpanel After Data Breach Affects API Users
OpenAI's former data analytics provider, Mixpanel, experienced a data breach affecting API users, with no impact on regular ChatGPT users unless they also use the API. The breach involved profile data such as names, email addresses, locations, operating systems, and browser details linked to OpenAI platform accounts. Mixpanel detected the breach on November 9, sharing the affected dataset with OpenAI by November 25, prompting OpenAI to sever ties with the provider. OpenAI is conducting a comprehensive security review of its vendor ecosystem, raising security standards and notifying impacted organizations, administrators, and users directly. The breach has led OpenAI to stress vigilance against phishing attempts, advising users to be cautious of suspicious emails but not requiring password resets. OpenAI remains committed to transparency and has publicly shared its notification details, emphasizing the importance of trust, security, and privacy in its operations. The incident underscores the need for robust vendor management and security practices to safeguard sensitive data and maintain customer trust.
2025-11-27 15:43:48 | thehackernews | VULNERABILITIES | Microsoft Enhances Entra ID Security Against Script Injection Threats
Microsoft plans to block unauthorized script injections in Entra ID logins, aiming for a global rollout by October 2026, enhancing security against cross-site scripting (XSS) attacks. The update to Content Security Policy (CSP) will allow only scripts from trusted Microsoft domains, safeguarding the login.microsoftonline.com experience from malicious code. This proactive measure is part of Microsoft's Secure Future Initiative, which focuses on strengthening security in response to increasing cyber threats. Organizations are advised to test their sign-in flows early to ensure seamless transitions and avoid disruptions when the new policy is enforced. Microsoft cautions against using browser extensions that inject scripts into Entra sign-ins, recommending alternative tools that comply with the new security standards. The Secure Future Initiative, launched in 2023, has already introduced over 50 new detections and achieved 99.6% adoption of phishing-resistant multi-factor authentication. The initiative aligns with Zero Trust principles, advocating for automated vulnerability management and real-time security incident visibility across hybrid and cloud environments.
2025-11-27 15:13:28 | bleepingcomputer | MALWARE | GreyNoise Launches Free Tool to Detect Botnet Involvement
GreyNoise Labs introduced GreyNoise IP Check, a free tool to identify if an IP address is involved in malicious scanning or botnet activities. The tool addresses the growing issue of residential proxy networks turning home connections into exit points for unauthorized traffic. Users can receive a 90-day historical timeline of IP activity, aiding in pinpointing potential infection sources. The tool offers a non-intrusive method to check for malicious activity, supplementing traditional methods like examining device logs and network traffic. GreyNoise also provides a JSON API for more technical users, allowing integration into scripts for automated checks. Users with suspicious results are advised to perform malware scans, update firmware, change admin credentials, and disable unnecessary remote access on devices. This initiative aims to empower users to proactively secure their networks against covert malware installations.
2025-11-27 14:02:15 | theregister | CYBERCRIME | FCC Warns of Cyber Intrusions Hijacking Emergency Broadcast Systems
The Federal Communications Commission (FCC) has issued a warning following cyber intrusions that hijacked US radio broadcast systems to transmit fake emergency alerts and offensive content. Attackers exploited unsecured studio-to-transmitter links (STLs), notably targeting devices from Swiss manufacturer Barix, to stream unauthorized audio over legitimate programming. Incidents have been reported in Texas and Virginia, affecting stations like ESPN Houston, which confirmed its broadcast was overtaken with explicit content. The FCC has provided broadcasters with a checklist of best practices, including updating firmware, using strong passwords, and securing equipment behind firewalls or VPNs. Broadcasters are advised to report suspicious activities to the FCC and the FBI's Internet Crime Complaint Center (IC3) to mitigate future risks. The recent incidents echo past compromises of the Emergency Alert System, such as the 2013 "zombie apocalypse" hoax, highlighting ongoing vulnerabilities in broadcast security. The FCC emphasizes the necessity for broadcasters to implement overdue security measures to prevent similar hijacks and protect public trust.
2025-11-27 13:22:33 | theregister | CYBERCRIME | Asahi Ransomware Attack Exposes Data of Nearly 2 Million Individuals
Asahi has confirmed a ransomware attack in September affected nearly 2 million individuals, compromising personal data such as names, addresses, and contact information. The Qilin ransomware group claimed responsibility, reportedly stealing 27 GB of sensitive internal files, including employee records and financial documents. The attack disrupted Asahi's operations, halting order processing, shipments, and customer service, and delaying the company's annual earnings report by over 50 days. Entry was gained through compromised network equipment at a Japanese datacenter, with ransomware deployed on live servers and connected PCs, causing widespread operational suspension. Asahi is notifying affected individuals and restoring systems cautiously, with product shipments resuming in phases as systems are validated for security. The breach has significant implications for Asahi's business continuity, with logistics potentially not fully restored until February, affecting investor and distributor confidence. This incident underscores the critical need for robust cybersecurity measures to protect sensitive data and maintain operational resilience in the face of cyber threats.
2025-11-27 12:16:57 | theregister | CYBERCRIME | Scottish Council Struggles with Long-Term Ransomware Recovery Challenges
Comhairle nan Eilean Siar in Scotland has been rebuilding systems for two years following a ransomware attack in November 2023, with key financial systems still not fully restored. The attack significantly impacted the council's finance department, delaying the publication of 2024 annual accounts and increasing operational workloads across departments. An audit by Scotland's Accounts Commission praised the council's immediate response but noted ongoing cybersecurity gaps, including unimplemented improvements and insufficient staff training. The council's IT infrastructure, primarily locally hosted, was vulnerable, with inadequate backups exacerbating the attack's impact, highlighting the need for robust cybersecurity measures. Direct costs of the attack are estimated at £950,000 ($1.25 million), with the council seeking insurance and government support to cover expenses related to consultancy and cloud services. Staffing shortages and increased workloads have strained council operations and morale, with five of 17 IT positions vacant at the time of the attack. The Accounts Commission urges the council to set realistic timelines for implementing cybersecurity recommendations and to test business continuity plans against severe attack scenarios.