Daily Brief

Total articles found: 11783

Checks for new stories every ~15 minutes

2025-09-18 14:04:58 bleepingcomputer VULNERABILITIES Microsoft 365 Faces Elevated Risks Amidst Growing Cyber Threat Landscape
Microsoft 365, with over 400 million users, is increasingly targeted by cybercriminals due to its widespread adoption in business environments, creating a significant risk landscape. The integration of services like Outlook, SharePoint, Teams, and OneDrive expands the attack surface, enabling attackers to exploit interconnected vulnerabilities for broader access. Recent zero-day vulnerabilities in SharePoint, such as CVE-2025-53770, were actively exploited, affecting over 75 servers, demonstrating the cascading risks within Microsoft 365. Backup and recovery systems within Microsoft 365 are often inadequate, potentially preserving malicious content, with 40% of scanned email backups containing phishing links. Organizations must implement robust security measures, including zero trust architecture and multifactor authentication, while maintaining productivity benefits. Regular assessments of Microsoft 365 configurations and third-party integrations are essential to mitigate persistent security gaps and protect against sophisticated threats. Proactive hardening of defenses tailored to cloud collaboration threats provides a competitive advantage and protects sensitive assets from potential cyberattacks.
2025-09-18 13:10:53 thehackernews MALWARE CountLoader Expands Russian Ransomware Capabilities with Advanced Malware Loader
Cybersecurity researchers have identified CountLoader, a new malware loader employed by Russian ransomware groups, facilitating the delivery of tools like Cobalt Strike and PureHVNC RAT. CountLoader is used by Initial Access Brokers or ransomware affiliates linked to LockBit, Black Basta, and Qilin, targeting Ukrainian individuals through PDF-based phishing attacks. The malware exists in .NET, PowerShell, and JavaScript versions, with the JavaScript variant offering extensive file downloading and execution methods. CountLoader's PowerShell version was previously distributed using DeepSeek-related decoys, tricking users into installation and enabling network traffic manipulation. The malware establishes persistence by creating a scheduled task mimicking a Google Chrome update, allowing for continuous exploitation and data collection. Infrastructure supporting CountLoader includes over 20 unique domains, acting as a conduit for various post-exploitation tools and remote access trojans. The interconnected nature of the Russian ransomware ecosystem reveals operational overlaps, with threat actors prioritizing human capital over specific malware strains.
2025-09-18 13:10:53 bleepingcomputer VULNERABILITIES PyPI Invalidates Tokens After GhostAction Supply Chain Attack
The Python Software Foundation invalidated PyPI tokens stolen in the GhostAction attack, preventing potential misuse for malware distribution. The attack involved malicious GitHub Actions workflows attempting to exfiltrate PyPI tokens to remote servers, impacting over 570 repositories. GitGuardian played a crucial role in identifying the attack, though initial response was delayed due to communication issues. Over 3,300 secrets, including API tokens and access keys, were stolen across multiple ecosystems such as npm, DockerHub, and Cloudflare. PyPI advised maintainers to switch to short-lived Trusted Publishers tokens and review security logs for suspicious activity. Despite the breach, no PyPI repositories were compromised, and project owners were contacted to secure their accounts. The incident underscores the importance of robust token management and timely communication in mitigating supply chain vulnerabilities.
2025-09-18 13:02:55 theregister CYBERCRIME Two Teens Charged in Cyberattack on London Transport Network
Two teenagers, Owen Flowers and Thalha Jubair, face charges for a cyberattack on Transport for London (TfL) in August 2024, causing significant disruption and financial losses. The National Crime Agency (NCA) and City of London Police led the investigation, resulting in charges under the Computer Misuse Act for conspiracy to commit unauthorized acts. The attack affected TfL's operations, disabling back-office functions and ticketing systems, and exposing sensitive customer data, including refund and bank information of 5,000 Oyster cardholders. Flowers is also charged with attacks on U.S. healthcare organizations, SSM Health Care Corporation and Sutter Health, indicating a broader pattern of cybercriminal activity. The NCA aims to disrupt the activities of the alleged cybercrime group, Scattered Spider, to which the teenagers are reportedly linked, reflecting a growing threat from UK-based cybercriminals. The incident underscores the importance of robust cybersecurity measures for critical infrastructure, with TfL committing to ongoing system monitoring and protective actions. The case illustrates the complexity of attributing cyberattacks to individuals and groups, highlighting the challenges faced by law enforcement in pursuing cybercriminals.
2025-09-18 12:48:06 theregister DDOS Cloudflare's React Hook Error Causes API Overload and Outage
Cloudflare experienced an API outage on September 12 due to a coding error involving a React useEffect hook, impacting the platform's dashboard and multiple APIs for over an hour. The outage stemmed from repeated, unnecessary calls to the Tenant Service API, which is integral to API request authorization, resulting in an overload. Troubleshooting was challenging as the problem appeared to be with API availability, masking the dashboard's role in causing the overload. The core issue was a React useEffect hook with a problematic object in its dependency array, leading to excessive API calls during a single dashboard render. Community discussions emerged about the useEffect hook, with opinions varying on its necessity and potential for misuse in React applications. Cloudflare has increased the Tenant Service's capacity and enhanced monitoring to better handle similar load spikes in the future. Additional information has been added to API calls to help distinguish retries from new requests, aiding in quicker issue identification.
2025-09-18 11:43:15 thehackernews MALWARE SilentSync RAT Targets Python Developers via Malicious PyPI Packages
Cybersecurity researchers identified two malicious PyPI packages, sisaws and secmeasure, designed to deliver the SilentSync RAT to Windows systems, targeting Python developers. SilentSync enables remote command execution, file exfiltration, and screen capturing, while also extracting web browser data, including credentials and cookies. The packages mimicked legitimate libraries, with sisaws impersonating Argentina's SISA health system package, using a function to download additional malware. Both packages have been removed from PyPI, but they demonstrated the potential for supply chain attacks through typosquatting and impersonation tactics. SilentSync is primarily aimed at Windows but includes capabilities for Linux and macOS, such as modifying system settings to ensure persistence. The malware communicates with a hard-coded endpoint to execute Python code directly in memory, enabling data theft and evasion of detection. This incident underscores the importance of vigilance in monitoring software repositories and implementing robust security measures to protect against supply chain threats.
2025-09-18 11:36:26 thehackernews MISCELLANEOUS Effective AI Governance Strategies for CISOs in Enterprise Environments
CISOs face the challenge of balancing AI innovation with security, requiring dynamic governance systems that adapt to rapid technological changes and organizational needs. Rigid AI policies often fail; a flexible, real-world approach is necessary to manage risks like data leaks and shadow AI without stifling innovation. AI governance should include comprehensive inventories, model registries, and cross-functional committees to ensure transparency and shared responsibility across the organization. Policies must evolve with business dynamics, aligning with actual use cases and measurable outcomes to remain relevant and enforceable. Sustainable AI governance involves equipping employees with secure AI tools and promoting positive usage behaviors to prevent reliance on unapproved alternatives. The SANS Institute emphasizes the importance of utilizing AI for cyber defense and protecting AI systems from adversarial threats, as outlined in their Secure AI Blueprint. SANS Cyber Defense Initiative 2025 offers strategic courses for leaders to integrate AI governance with business strategy, enhancing security culture and enabling safe AI adoption.
2025-09-18 11:27:20 theregister DATA BREACH Insight Partners Confirms Ransomware Breach Affecting 12,000 Individuals
Insight Partners revealed that a ransomware attack in January compromised personal data of over 12,000 individuals, including employees and limited partners. The breach involved data-encrypting malware, initially described as a "sophisticated social engineering attack," targeting HR and finance servers. Attackers exfiltrated sensitive data before encryption began on January 16, 2025, when the breach was detected and halted by Insight's IT team. Stolen data encompassed banking and tax records, information on Insight funds, and personal details of employees and limited partners. Insight Partners, managing over $90 billion in assets, supports major tech and cybersecurity firms like Twitter and SentinelOne. The firm has notified affected parties and offers complimentary credit or identity monitoring services as part of its response. Security measures have been enhanced, including system rebuilds and patching vulnerabilities, to prevent future incidents. Details on the perpetrators, ransom demands, or payments remain undisclosed, with Insight Partners declining further comment.
2025-09-18 10:38:34 theregister NATION STATE ACTIVITY Chinese APT41 Targets US Trade Policy Experts Amid Economic Tensions
Proofpoint identified Chinese state-sponsored group TA415, known as APT41, targeting US government, think tanks, and academic institutions with phishing campaigns. The phishing emails impersonated Congressman John Moolenaar, leveraging US-China trade policy themes to entice recipients. Attackers used password-protected archives with a Python loader named WhirlCoil, avoiding traditional malware to maintain stealth. Legitimate cloud services like Google Sheets and Zoho WorkDrive were employed for command-and-control operations, complicating detection efforts. The campaign coincided with critical US-China trade negotiations, aiming to gather intelligence on policy directions and legislative responses. A US indictment links TA415 to Chengdu 404 Network Technology, a contractor for China's cyber-operations apparatus. This activity reflects Beijing's strategic interest in acquiring sensitive economic intelligence as US-China trade discussions intensify.
2025-09-18 08:25:44 bleepingcomputer VULNERABILITIES WatchGuard Releases Patches for Critical Firebox Firewall Vulnerability
WatchGuard identified a critical remote code execution flaw, CVE-2025-9242, in its Firebox firewalls, posing a significant risk to affected systems. The vulnerability stems from an out-of-bounds write issue, allowing attackers to execute arbitrary code on compromised devices. Affected systems include Fireware OS versions 11.x, 12.x, and 2025.1, with fixes available in newer updates such as 12.3.1_Update3 and 12.11.4. Firebox devices using IKEv2 VPN configurations are particularly vulnerable, even if previous configurations have been deleted but static gateway peers remain. WatchGuard advises immediate patching and provides a workaround for administrators unable to update, involving firewall policy adjustments and disabling dynamic peer BOVPNs. Although no exploitation has been reported, threat actors are known to target firewalls, emphasizing the urgency for administrators to secure their systems. WatchGuard's network protection spans over 250,000 small and mid-sized businesses globally, underscoring the potential impact of this vulnerability.
2025-09-18 07:24:00 bleepingcomputer VULNERABILITIES Google Releases Patch for Sixth Chrome Zero-Day Vulnerability in 2025
Google has issued emergency updates for a critical zero-day vulnerability in Chrome, marking the sixth such incident in 2025 and highlighting ongoing security challenges. The vulnerability, identified as CVE-2025-10585, stems from a type confusion flaw in the V8 JavaScript engine, posing significant security risks. Google's Threat Analysis Group, which tracks flaws of this kind that are often exploited by state-sponsored actors against high-risk individuals such as dissidents and journalists, reported the bug. The security update, version 140.0.7339.185/.186, is being rolled out for Windows, Mac, and Linux users to mitigate potential exploitation. Users are advised to manually update Chrome via the browser's settings to ensure immediate protection against possible threats. Google maintains restricted access to detailed bug information until the majority of users have implemented the fix, ensuring broader security. This patch follows several others earlier this year, addressing vulnerabilities used in espionage and account hijacking attacks.
2025-09-18 05:57:00 thehackernews VULNERABILITIES Google Addresses Critical Chrome Zero-Day Vulnerability CVE-2025-10585
Google released security updates for Chrome to fix four vulnerabilities, including CVE-2025-10585, a zero-day actively exploited in the wild. CVE-2025-10585 is a type confusion issue in the V8 JavaScript and WebAssembly engine, potentially allowing arbitrary code execution and program crashes. Google's Threat Analysis Group (TAG) discovered the flaw on September 16, 2025, and promptly reported it to initiate a swift response. Details on the exploitation methods or perpetrators remain undisclosed to prevent further abuse before users can apply the necessary updates. Users are advised to update Chrome to versions 140.0.7339.185/.186 on Windows and macOS, and 140.0.7339.185 on Linux to mitigate the threat. Other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, should also implement the fixes as they become available. This marks the sixth zero-day vulnerability in Chrome exploited or demonstrated as a proof-of-concept in 2025, indicating persistent security challenges.
2025-09-18 00:05:58 theregister NATION STATE ACTIVITY Russian Disinformation Network Expands with Over 200 New Fake News Sites
Recorded Future's Insikt Group identified over 200 new fake news sites linked to Russian disinformation efforts, targeting political landscapes in the US, France, Canada, and Norway. The network, known as CopyCop or Storm-1516, reportedly uses AI models based on Meta's Llama 3 to generate misleading political content, aiming to influence public opinion globally. John Mark Dougan, a former Florida deputy sheriff with asylum in Moscow, is alleged to operate these sites with Kremlin support, including funding from the GRU for server infrastructure. The disinformation campaign includes deepfakes and fabricated stories, such as false claims about Ukrainian President Zelensky, designed to manipulate political narratives in various countries. The Insikt Group's findings coincide with reduced US efforts to counter election disinformation, raising concerns about the potential impact on upcoming elections in 2026. US lawmakers have called for intelligence briefings on foreign election threats, amid fears that information on interference may be withheld from the public and policymakers. The expanded network includes sites impersonating local media and fact-checking organizations, with a strategic focus on polarizing political issues and exploiting regional sentiments.
2025-09-17 21:14:26 bleepingcomputer DATA BREACH ShinyHunters Steal 1.5 Billion Salesforce Records in Major Breach
ShinyHunters claimed responsibility for stealing 1.5 billion Salesforce records from 760 companies using compromised OAuth tokens from Salesloft Drift. The breach involved data from Salesforce object tables, including Account, Contact, Case, Opportunity, and User, affecting sensitive customer information. Attackers exploited OAuth tokens found in Salesloft's GitHub repository, utilizing the TruffleHog tool to locate secrets within the source code. Google Threat Intelligence reported that attackers searched the exfiltrated data for secrets like AWS access keys and passwords to facilitate further intrusions. The FBI issued an advisory on this threat, with indicators of compromise to help organizations defend against similar attacks. Despite claims of ceasing operations, the threat group has shifted focus to targeting financial institutions, indicating ongoing risk. Salesforce advises customers to implement multi-factor authentication, least privilege principles, and strict management of connected applications to mitigate such threats.
2025-09-17 18:41:12 theregister CYBERCRIME Scattered Spider Resurfaces, Targets US Bank with Sophisticated Intrusion
Scattered Spider, previously thought to have ceased operations, has re-emerged with a cyberattack on a US banking institution, shifting its focus to the financial sector. The group gained initial access by exploiting social engineering tactics to reset an executive's Microsoft Entra ID password, allowing them to infiltrate sensitive areas. Once inside, attackers navigated the bank's Citrix environment and VPN, compromising VMware ESXi infrastructure to extract employee credentials and escalate their network presence. The cybercriminals attempted data exfiltration from platforms like Snowflake and AWS, indicating their intent to steal sensitive information. Despite prior claims of retirement, Scattered Spider's tactics, techniques, and procedures (TTPs) remain active, posing ongoing threats to targeted sectors. The incident underscores the need for robust cybersecurity measures, emphasizing prevention over reliance on the cessation of criminal groups. This attack follows previous high-profile heists, highlighting the persistent threat landscape and the necessity for vigilance in financial cybersecurity defenses.