Daily Brief

UK authorities arrested two teenagers linked to the Scattered Spider group, responsible for extorting over $115 million from more than 100 organizations. Thalha Jubair and Owen Flowers appeared in court for their alleged roles in a cyberattack on Transport for London and other high-profile intrusions. The group employed SIM-swapping and social engineering tactics to infiltrate networks, notably targeting helpdesks to reset passwords and gain unauthorized access. US authorities charged Jubair with computer fraud, wire fraud, and money laundering, citing his involvement in 120 network intrusions, including attacks on the US federal court system. Investigators traced ransom payments to cryptocurrency wallets controlled by Jubair, leading to the seizure of approximately $36 million in digital currency. The arrests highlight the effectiveness of international law enforcement collaboration and public-private partnerships in combating sophisticated cybercrime operations. This operation serves as a warning to cybercriminals that anonymity is not guaranteed, and law enforcement can penetrate even well-concealed activities.

A security researcher discovered a critical flaw in Entra ID, potentially granting access to nearly every tenant worldwide, which Microsoft has since mitigated. The vulnerability involved flawed token validation, allowing unauthorized cross-tenant access through undocumented "Actor tokens" used for service-to-service communication. The flaw was linked to the legacy Azure Active Directory Graph API, which failed to validate the originating tenant of the tokens. This issue could have compromised services using Entra ID for authentication, including SharePoint Online and Exchange Online, posing significant security risks. The vulnerability was rated as "Critical" with a CVE issued on September 4, scoring a base of 10, indicating severe potential impact. Microsoft swiftly addressed the issue, and no abuse was detected in their internal telemetry, ensuring users need not take further action. The researcher provided KQL queries for administrators to check for potential past abuse, despite the lack of logs for the Actor tokens.

Tines introduces an AI-powered workflow to automate alert triage, leveraging over 1,000 pre-built workflows available in its Community Edition. Developed by Michael Tolan and Peter Wrenn, the workflow integrates AI agents to identify and execute Standard Operating Procedures (SOPs) from Confluence. The automation process reduces manual intervention, minimizing human error and ensuring consistent handling of security alerts. Alerts trigger AI analysis, which identifies relevant SOPs and performs remediation, while keeping teams informed via Slack. The solution aims to improve response times and operational efficiency for security teams by streamlining alert management processes. Organizations can customize the workflow to suit their existing technology stack, enhancing flexibility and integration capabilities. The guide provides step-by-step instructions for configuring and testing the workflow, ensuring seamless implementation and operation.

Radware identified a critical flaw in OpenAI's Deep Research tool, known as "ShadowLeak," which allowed attackers to exfiltrate sensitive data from user inboxes without interaction. The vulnerability enabled attackers to embed hidden instructions within emails, prompting ChatGPT to unknowingly send sensitive data to an attacker-controlled server. The attack operated invisibly from OpenAI's infrastructure, bypassing traditional security measures and leaving minimal forensic evidence for incident responders. Potential data at risk included personally identifiable information, internal memos, legal documents, and login credentials, posing significant compliance and regulatory risks. OpenAI addressed the issue with a patch released on September 3, following Radware's disclosure of the vulnerability on June 18. Radware recommends treating AI agents as privileged users, implementing HTML sanitization, and enhancing logging to prevent similar vulnerabilities. Organizations are urged to review AI tool integrations to ensure robust input sanitization and control over data access to mitigate future risks.

UK charities express concerns about Ofcom's enforcement of the Online Safety Act, questioning the effectiveness of current measures in deterring violations by online platforms. The Online Safety Act mandates platforms to implement age assurance systems, but stakeholders argue that Ofcom's enforcement lacks transparency and robustness. Maximum penalties for non-compliance include fines up to £18 million or 10% of annual global revenue, yet enforcement actions remain under scrutiny for their effectiveness. Critics argue that the safe harbor provision may discourage innovation, as platforms adhering strictly to Ofcom's guidelines are shielded from penalties, even if better solutions exist. Newer online threats, such as those posed by Com groups, challenge Ofcom's ability to keep pace with evolving risks, raising concerns about the protection of vulnerable users. Ofcom has initiated investigations into 69 websites and apps suspected of non-compliance, signaling a proactive approach to enforcing online safety regulations. Continuous stakeholder engagement, including upcoming sessions with Ofcom's chief executive, aims to refine and enhance the regulatory framework to better address emerging online harms.

ESET researchers identified collaboration between Russian hacking groups Gamaredon and Turla, targeting Ukrainian entities with the Kazuar backdoor, particularly in the defense sector. Gamaredon tools, PteroGraphin and PteroOdd, were used to execute Turla's Kazuar backdoor on Ukrainian systems, indicating coordinated efforts to breach specific targets. The attacks, linked to the Russian Federal Security Service, intensified following Russia's 2022 invasion of Ukraine, underscoring the geopolitical motivations behind the cyber operations. Kazuar malware, updated to version 3, features enhanced capabilities, including new network transport methods and data exfiltration techniques, posing significant risks to compromised systems. Gamaredon's initial access methods remain unclear but historically involve spear-phishing and malicious LNK files, suggesting continued reliance on social engineering tactics. The collaboration reflects a strategic alliance, with Gamaredon providing access and Turla deploying sophisticated malware, demonstrating the evolving threat landscape in cyber warfare. ESET's findings emphasize the need for robust cybersecurity measures and international cooperation to counter state-sponsored cyber threats effectively.

The U.K.'s National Crime Agency arrested two teenagers linked to the Scattered Spider group for the August 2024 cyber attack on Transport for London (TfL). Thalha Jubair, 19, and Owen Flowers, 18, are accused of causing significant disruption and financial losses to TfL, part of the U.K.'s critical infrastructure. Flowers is also charged with targeting U.S. healthcare companies, including SSM Health Care Corporation and Sutter Health, highlighting the group's international reach. Jubair faces charges under the Regulation of Investigatory Powers Act for not surrendering device passwords, complicating the investigation. The U.S. Department of Justice charged Jubair with computer fraud, wire fraud, and money laundering, linked to 120 network intrusions and extortion of 47 U.S. entities. The cyber attacks involved social engineering, unauthorized network access, data theft, and ransom demands, with victims paying at least $115 million. Law enforcement seized cryptocurrency wallets and digital assets worth $36 million, disrupting the group's financial operations. These arrests underscore the growing cybercrime threat from English-speaking countries, as highlighted by the NCA earlier this year.

MI6 has introduced a dark web portal named "Silent Courier" to securely recruit informants worldwide, enhancing its digital tradecraft capabilities. The portal utilizes Tor for anonymity, allowing individuals to share sensitive information about global instability or hostile intelligence activities without exposure. Instructions for potential informants are available in eight languages on MI6's new YouTube channel, emphasizing secure communication practices. Users are advised to use a clean device, incognito browsing, and a commercial VPN trial to access the portal, avoiding identifiable information. The initiative aims to attract genuine informants while potentially exposing malicious actors' tradecraft through their interactions with the site. This move reflects MI6's adaptation to modern intelligence challenges, ensuring secure and anonymous channels for critical information exchange. The portal's launch signifies a strategic shift towards leveraging digital platforms for intelligence gathering in an increasingly interconnected world.

CISA has identified two malware strains exploiting vulnerabilities CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (EPMM) within an unnamed organization's network. The vulnerabilities, an authentication bypass and remote code execution flaw, were used to execute arbitrary code, allowing attackers to access protected resources without authentication. Attackers leveraged these flaws around May 15, 2025, following the release of a proof-of-concept exploit, enabling system information collection and credential dumping. Malware persistence was achieved by injecting code via malicious Java class listeners, which intercepted HTTP requests to decode and decrypt payloads for execution. To mitigate risks, organizations should update EPMM to the latest version, monitor for suspicious activities, and enforce access restrictions on mobile device management systems. The incident underlines the critical need for timely patch management and vigilant monitoring of network activities to prevent exploitation of known vulnerabilities.

Google has issued an emergency patch for a critical Chrome vulnerability, CVE-2025-10585, already being exploited in the wild, urging users to update their browsers immediately. The flaw is a type confusion issue in the V8 JavaScript and WebAssembly engine, potentially leading to system crashes or arbitrary code execution. Users are advised to update to the latest Chrome versions: 140.0.7339.185/.186 for Windows and macOS, and 140.0.7339.185 for Linux, to mitigate the risk. This marks the sixth Chrome zero-day vulnerability addressed this year, with previous exploits targeting users in Russia and enabling unauthorized code execution. WatchGuard also released a patch for CVE-2025-9242, a critical remote code execution flaw in its Firebox firewalls, affecting VPN configurations with dynamic gateway peers. Google Threat Analysis Group suspects the Chrome vulnerability may have been used by nation-state actors and commercial spyware vendors to target high-value individuals. Organizations should ensure automatic browser updates are enabled, and consider implementing additional security measures to safeguard against potential exploits.

SonicWall confirmed a security breach in its cloud backup service, affecting less than 5% of its firewall installed base, with attackers accessing sensitive configuration data. The breach resulted from brute-force attacks targeting preference files, which, despite encrypted credentials, contained exploitable information for potential firewall compromise. SonicWall swiftly disabled the cloud backup feature, rotated internal keys, and implemented infrastructure and process changes to mitigate further risks. A leading third-party incident response firm has been engaged to validate findings and assist in reviewing affected environments, ensuring comprehensive remediation. Impacted customers are advised to log into MySonicWall, verify device serial numbers, regenerate keys, change admin passwords, and re-import secure configurations. SonicWall has committed to full transparency, providing ongoing updates through its knowledge base while continuing its investigation into the incident. This breach adds to recent challenges for firewall vendors, with SonicWall urging administrators to promptly apply mitigation guidance to secure their environments.

Over 855,000 individuals were impacted by data breaches at three US healthcare providers, exposing sensitive personal and medical information. Goshen Medical Center reported a breach affecting 456,385 individuals, revealing personal data including social security and medical record numbers. Retina Group of Florida disclosed an attack impacting 153,429 individuals, with potential exposure of sensitive health information, as per legal investigations. Medical Associates of Brevard's breach affected 246,711 individuals, compromising data such as names, birthdates, and health insurance details. All affected individuals have been offered credit monitoring and identity protection services, a standard response in such incidents. These incidents underscore the healthcare sector's vulnerability to cyberattacks, with significant implications for data security and patient trust. While these breaches did not disrupt healthcare services, they highlight ongoing risks, as seen in past attacks with severe operational impacts. The global nature of healthcare cyberattacks is evident, with similar incidents causing substantial disruptions and financial losses internationally.

SystemBC malware targets vulnerable commercial VPS systems, maintaining around 1,500 bots daily to facilitate malicious traffic routing and conceal command-and-control activities. Compromised servers are globally dispersed, each with at least one critical vulnerability, and many with multiple security issues, enabling prolonged infections. Researchers from Lumen Technology’s Black Lotus Labs report that SystemBC operates with over 80 command-and-control servers, supporting other criminal proxy networks. SystemBC is leveraged by various threat actors, including ransomware gangs, and has a significant client base, such as Russian web-scraping services and Vietnamese proxy networks. The malware's infrastructure allows for extensive data transfer, with a single IP generating over 16 gigabytes of proxy data in 24 hours, far exceeding typical proxy network activity. Despite law enforcement efforts, including Operation Endgame, SystemBC remains resilient, continuing to evade disruption and providing stable, high-volume traffic for its users. Black Lotus Labs offers detailed technical analysis and indicators of compromise to assist organizations in identifying and mitigating SystemBC-related threats.

Two teenagers, linked to the Scattered Spider hacking group, were arrested in the UK for their roles in the August 2024 cyberattack on Transport for London (TfL). The suspects, Owen Flowers and Thalha Jubair, face charges of computer misuse and fraud, with Jubair also charged in the U.S. for extensive network breaches. The TfL attack disrupted internal systems and online services, impacting refund processing but initially seemed not to compromise customer data. Later updates confirmed data breaches. The National Crime Agency (NCA) found further evidence connecting Flowers to attacks on U.S. healthcare companies, leading to additional charges. The U.S. Department of Justice charged Jubair with conspiracies involving computer fraud and extortion, linked to 120 breaches and $115 million in ransom payments. The incident exemplifies the rising threat from cybercriminals in the UK and other English-speaking regions, as noted by the NCA. TfL, a critical part of the UK’s infrastructure, serves over 8.4 million Londoners, emphasizing the potential impact of such cyberattacks. Previous breaches, including one by the Clop ransomware group, highlight ongoing vulnerabilities in TfL's cybersecurity posture.

SonicWall has detected unauthorized access to firewall configuration backup files stored in the cloud, affecting less than 5% of its MySonicWall customers. The breach involved brute-force attacks targeting cloud backup services, allowing threat actors to access encrypted credentials and other sensitive information. Although the credentials were encrypted, the data could potentially aid attackers in exploiting the associated firewalls. No leaks have been reported thus far. SonicWall is urging affected customers to reset credentials and import updated preference files to secure their systems against potential threats. The incident is not linked to ransomware but coincides with Akira ransomware group activities exploiting a SonicWall vulnerability (CVE-2024-40766). The Akira group has been targeting unpatched SonicWall devices, using recovery codes to bypass multi-factor authentication and disable security defenses. Organizations are advised to handle recovery codes with extreme care, akin to privileged account passwords, to prevent unauthorized access and potential attacks.