Daily Brief

Summaries below are generated automatically.

2025-09-17 04:36:37 thehackernews CYBERCRIME Microsoft and Cloudflare Dismantle RaccoonO365 Phishing Network
Microsoft and Cloudflare collaborated to dismantle RaccoonO365, a phishing network responsible for stealing over 5,000 Microsoft 365 credentials across 94 countries since July 2024. The operation involved seizing 338 domains through a court order from the Southern District of New York, effectively disrupting the network's technical infrastructure. RaccoonO365, marketed as a phishing-as-a-service toolkit, allowed cybercriminals to conduct large-scale credential harvesting with minimal technical expertise, offering subscription plans starting at $355. The takedown, initiated on September 2, 2025, included banning domains, deploying warning pages, and suspending user accounts, with actions completed by September 8. The phishing campaigns targeted over 2,300 U.S. organizations, including healthcare entities, often bypassing multi-factor authentication to gain persistent access to systems. The network's operators, led by Joshua Ogundipe from Nigeria, are believed to have received over $100,000 in cryptocurrency payments, with law enforcement referrals initiated. Cloudflare's strategy marks a shift towards proactive, large-scale disruptions to deter future abuse of its infrastructure by malicious actors. The group behind RaccoonO365 announced plans to scrap legacy links and compensate affected customers, indicating continued attempts to adapt and persist.
2025-09-17 02:35:42 theregister MISCELLANEOUS Australia Mandates Social Media Age Restrictions with Flexible Enforcement
Australia's eSafety commissioner mandates social media platforms implement age assurance techniques to prevent under-16s from accessing their services starting December 10th. Platforms such as Facebook, Instagram, and TikTok must employ multiple overlapping age verification methods, despite the technology's current imperfections. The policy aims to protect children from potential harm, though it has faced criticism due to the lack of a comprehensive assessment of age assurance technologies. Social media companies must avoid relying solely on user-provided age data and instead use a "waterfall approach" with various independent verification methods. Failure to comply with these regulations could result in substantial fines for social media platforms not taking reasonable steps to restrict access. The Australian government acknowledges the limitations of this approach, emphasizing the importance of kindness and communication when managing underage accounts. Companies are encouraged to offer options for underage users to suspend accounts and preserve data until they reach the age of 16.
2025-09-16 21:45:49 bleepingcomputer CYBERCRIME BreachForums Administrator Resentenced to Three Years in Prison
Conor Brian Fitzpatrick, known as "Pompompurin," was resentenced to three years in prison for operating the BreachForums hacking platform. The U.S. Court of Appeals for the Fourth Circuit found his initial sentence of time served and 20 years of supervised release insufficient. Fitzpatrick pleaded guilty to conspiracy to commit access device fraud, solicitation for offering access devices, and possession of child pornography. BreachForums was a major hub for trading stolen data, with over 330,000 members, impacting sectors like telecom, healthcare, and government. Despite restrictions, Fitzpatrick violated pretrial conditions by using unmonitored devices and VPN services to conceal internet activities. The FBI seized BreachForums following a significant breach involving D.C. Health Link, leading to Fitzpatrick's arrest. This case underscores the ongoing challenges in curbing cybercrime forums and the legal system's role in addressing such threats.
2025-09-16 21:37:04 theregister CYBERCRIME Microsoft and Cloudflare Dismantle RaccoonO365 Phishing Network
Microsoft and Cloudflare collaborated to seize 338 domains linked to RaccoonO365, a major phishing operation targeting Microsoft 365 credentials worldwide. The operation, led by Joshua Ogundipe, sold phishing kits via a private Telegram channel, amassing over $100,000 in cryptocurrency from stolen credentials. RaccoonO365 allowed cybercriminals to bypass multi-factor authentication and input up to 9,000 target emails daily, posing significant risks to global organizations. Microsoft filed a lawsuit against Ogundipe and associates, securing a court order to dismantle the phishing infrastructure and impose restraining orders. Despite legal actions, Ogundipe remains at large in Nigeria, with international law enforcement notified for potential further action. Cloudflare's takedown included banning domains, placing warning pages, and suspending accounts to prevent re-registration and further criminal activity. The phishing kits targeted over 2,300 US organizations, including healthcare entities, prompting involvement from the Health-ISAC in legal proceedings. An operational security lapse by the threat actors revealed a secret cryptocurrency wallet, aiding Microsoft's attribution and understanding of the criminal network.
2025-09-16 19:29:14 theregister CYBERCRIME Google Thwarts Fraudulent Access Attempt on Law Enforcement Portal
Google identified and disabled a fraudulent account in its Law Enforcement Request System (LERS), preventing unauthorized access to user data by cybercriminals. The breach attempt is linked to the Scattered Lapsus$ Hunters, a group comprising members from Scattered Spider, ShinyHunters, and Lapsus$. No data requests were made using the fraudulent account, so no user information was compromised during the incident. The group also claimed access to the FBI's National Instant Criminal Background Check System, though the FBI has not commented on these assertions. Scattered Lapsus$ Hunters announced their supposed retirement, yet experts suggest this may be a tactic to evade law enforcement scrutiny. The group's history includes high-profile attacks on companies such as Jaguar Land Rover, M&S, Co-op, and Harrods, indicating a pattern of targeting major organizations. Security experts believe the group might be restructuring rather than disbanding, adapting to increased pressure from global law enforcement agencies. The incident underscores the necessity for robust security measures in systems handling sensitive law enforcement and government data requests.
2025-09-16 17:28:09 theregister VULNERABILITIES Apple and Meta Address Zero-Day Exploits in Targeted Spy Attacks
Apple released a security update for older devices to fix CVE-2025-43300, an out-of-bounds write issue in the ImageIO framework, affecting devices as old as the iPhone 8. The vulnerability could lead to memory corruption when processing malicious image files, potentially exploited in sophisticated attacks against specific targets. Meta also issued a security advisory, indicating that attackers may have combined a WhatsApp bug with Apple's OS-level flaw for targeted surveillance. Amnesty International's Security Lab is investigating a zero-click exploit impacting both iPhone and Android users, including civil society members. Samsung addressed a similar vulnerability in Android devices, CVE-2025-21043, which allowed remote code execution via a parsing library flaw. The incidents suggest involvement of commercial surveillanceware vendors, often used by governments and law enforcement for espionage on adversaries and activists. This wave of vulnerabilities underscores the need for timely patching and vigilance against sophisticated cyber threats targeting specific individuals.
2025-09-16 17:28:09 bleepingcomputer MALWARE Google Removes 224 Malicious Apps in Major Ad Fraud Disruption
Google eliminated 224 Android apps involved in a global ad fraud operation named "SlopAds," generating 2.3 billion ad requests daily. HUMAN's Satori Threat Intelligence team discovered the operation, revealing the apps were downloaded over 38 million times across 228 countries. The campaign primarily targeted the United States, India, and Brazil, with the U.S. accounting for 30% of ad impressions. SlopAds used advanced evasion techniques, including obfuscation and steganography, to bypass Google's app review and security processes. Malicious apps employed Firebase Remote Config to download encrypted configurations, enabling ad fraud through concealed WebViews and fraudulent domains. Google has removed the apps from the Play Store, and Google Play Protect now alerts users to uninstall any remaining SlopAds apps. Despite the takedown, the campaign's sophistication suggests threat actors may attempt similar operations in the future.
2025-09-16 16:55:45 bleepingcomputer VULNERABILITIES Self-Propagating Malware Hits 187 npm Packages in Supply Chain Attack
Security researchers identified a significant supply chain attack affecting 187 npm packages, employing a self-propagating payload to compromise additional packages. The attack, named 'Shai-Hulud,' began with the @ctrl/tinycolor package, which has over 2 million weekly downloads, and extended to include packages under CrowdStrike's npm namespace. The malware uses a script to modify package files, enabling automatic trojanization of downstream packages, and leverages TruffleHog to harvest secrets such as API keys and tokens for exfiltration. CrowdStrike responded by removing the malicious packages from the npm registry and rotating keys, and stated that its Falcon sensor platform is unaffected. The incident is part of a broader trend of supply chain compromises, following recent attacks like 's1ngularity,' highlighting the fragility of modern software ecosystems. Affected organizations are advised to audit their environments for signs of compromise, rotate secrets, and review dependency trees to mitigate risks. This event emphasizes the critical need for developers to enhance security measures in software builds and pipelines, including pinning dependencies to trusted releases.
2025-09-16 16:30:50 thehackernews VULNERABILITIES Critical Chaos Mesh Flaws Could Lead to Kubernetes Cluster Takeover
Researchers identified multiple critical vulnerabilities in Chaos Mesh, posing a risk of full Kubernetes cluster takeover if exploited by attackers with minimal in-cluster access. The vulnerabilities, collectively known as Chaotic Deputy, are CVE-2025-59358, CVE-2025-59359, CVE-2025-59360, and CVE-2025-59361, and together they allow remote code execution within the cluster. Missing authentication on the Chaos Controller Manager's GraphQL debugging server lets an unauthenticated in-cluster caller reach functionality that ends up executing commands on the Chaos Daemon. Exploitation could lead to data exfiltration, service disruption, and lateral movement within the cluster, escalating potential damage. Chaos Mesh addressed these vulnerabilities with the release of version 2.7.3 on August 21, following responsible disclosure in May 2025. Users are urged to update to the latest version promptly; if that is not feasible, restrict network traffic to the Chaos Mesh daemon and API server. Organizations should avoid deploying Chaos Mesh in open or poorly secured environments to mitigate risks.
2025-09-16 15:03:50 theregister CYBERCRIME Self-Propagating Worm Escalates npm Supply Chain Attack Impact
A new supply chain attack on the npm platform has compromised 187 packages, with attackers embedding a self-propagating worm to steal sensitive information. The attack mirrors a previous campaign targeting Nx, in which developers' credentials were exposed in public GitHub repositories, indicating a likely connection between the incidents. Attackers have enhanced their tactics, using a worm to automate the spread of malicious payloads, affecting packages from major entities like CrowdStrike. The malware scans for sensitive data such as AWS keys, cloud service credentials, and GitHub tokens, then uses those credentials to publish trojanized versions of further packages and compromise additional systems. The stolen data is pushed to a public GitHub repository named "Shai-Hulud" under the victim's account, a reference to the sandworms of the Dune series and a deliberate thematic choice by the attackers. Affected npm packages include high-profile ones like @ctrl/tinycolor, with significant download volumes, amplifying the potential impact across numerous projects. Security experts recommend uninstalling compromised packages, pinning known-good versions, rotating tokens, and monitoring logs to mitigate further risk. The number of affected packages is expected to rise, necessitating ongoing vigilance and swift response actions from developers and security teams.
2025-09-16 14:22:06 thehackernews CYBERCRIME SlopAds Fraud Ring Exploits 224 Apps for Massive Ad Fraud Scheme
The SlopAds operation involved 224 Android apps, achieving 38 million downloads across 228 countries, generating 2.3 billion daily ad bid requests at its peak. Utilizing steganography, the apps created hidden WebViews to navigate to threat actor-owned sites, producing fraudulent ad impressions and clicks. The apps only activated fraudulent behavior when downloaded via ad clicks, using a mobile marketing attribution SDK to determine download origin. Google's removal of the apps from the Play Store has disrupted the fraudulent operation, significantly reducing its impact. The campaign's sophistication included conditional fraud execution and obfuscation, complicating detection and blending malicious traffic with legitimate data. The FatModule, delivered through concealed PNG files, gathered device information and executed ad fraud, demonstrating advanced threat tactics. HUMAN researchers identified 300 domains associated with SlopAds, with links to a Tier-2 C2 server, revealing the operation's extensive infrastructure. The SlopAds case emphasizes the growing complexity of digital advertising threats, necessitating enhanced detection and prevention measures.
2025-09-16 14:07:45 bleepingcomputer MISCELLANEOUS Team-Wide VMware Certification Enhances Security and Innovation
Organizations adopting team-wide VMware certification report improved security, innovation, and operational efficiency, creating a more collaborative and future-ready IT environment. Certified teams experience smoother rollouts, reduced errors, and faster incident response, enhancing overall business outcomes and security posture. VMware certifications cover essential infrastructure products like vSphere, NSX, and VMware Cloud Foundation, equipping teams to deploy securely and at scale. vSphere expertise is critical for virtualization and security, providing built-in tools and practices to strengthen infrastructure against threats. Certification is positioned as a strategic investment in leadership development, fostering confident and capable IT professionals who can build secure infrastructures. Offering VMware certification can be a key talent retention strategy, demonstrating organizational commitment to employee growth and development. VMUG Advantage facilitates affordable scaling of certifications across IT teams, offering group licensing and volume discounts to support widespread professional development.
2025-09-16 13:14:04 bleepingcomputer CYBERCRIME Jaguar Land Rover Extends Shutdown Amid Cyberattack Fallout
Jaguar Land Rover (JLR) has prolonged its production shutdown by another week due to a cyberattack that disrupted operations in late August. The attack has significantly impacted JLR's operations, halting production and affecting approximately 39,000 employees worldwide. JLR confirmed data theft during the breach but has not attributed the attack to a specific cybercrime group. A cybercriminal group, "Scattered Lapsus$ Hunters," claims responsibility, alleging ransomware deployment and sharing internal system screenshots. The group is reportedly linked to other extortion entities like Scattered Spider, Lapsus$, and ShinyHunters, known for high-profile data thefts. JLR is conducting a forensic investigation and planning a controlled restart of its global operations, aiming to resume by September 24, 2025. The incident underscores the vulnerability of large enterprises to sophisticated cyber threats and the operational challenges in recovery.
2025-09-16 12:35:11 thehackernews MALWARE New FileFix Variant Uses Phishing to Deploy StealC Malware
A new campaign employs a variant of the FileFix tactic to distribute StealC malware via a multilingual phishing site mimicking Facebook Security pages. Attackers use advanced obfuscation and anti-analysis methods to evade detection, leveraging Bitbucket to host malicious components disguised as innocuous images. The attack begins when a victim clicks a phishing link and is led through a fake policy violation appeal process that ends with a malicious PowerShell script being executed. The FileFix method abuses the browser's file upload dialog: the page copies a command to the clipboard and instructs the user to paste it into the File Explorer address bar as if it were a file path, so the command runs locally without the user downloading anything, sidestripping controls aimed at downloaded files. The campaign's infrastructure is meticulously crafted to enhance evasion and impact, showcasing significant investment in tradecraft by the adversaries. Doppel researchers identified similar campaigns using fake support portals and clipboard hijacking to deliver additional payloads, including TeamViewer and information stealers. AutoHotkey scripts, originally intended for automation, have been weaponized since 2019 as lightweight malware droppers, highlighting the evolving threat landscape.
2025-09-16 12:21:10 bleepingcomputer VULNERABILITIES Apple Releases Zero-Day Patches for Older iPhones and iPads
Apple issued security updates for older iPhones and iPads to address a zero-day vulnerability exploited in sophisticated attacks, tracked as CVE-2025-43300. The flaw, found in the Image I/O framework, is an out-of-bounds write that could lead to crashes, data corruption, or remote code execution when a crafted image is processed. The fixes ship in iOS 15.8.5, iOS 16.7.12, iPadOS 15.8.5, and iPadOS 16.7.12, and consist of improved bounds checking. The zero-day was part of a complex attack chain, also involving a WhatsApp vulnerability, targeting specific individuals with advanced spyware. Amnesty International's Security Lab indicated that WhatsApp warned users of targeted attacks, though detailed information on the attack chain remains undisclosed. This patch is part of Apple's ongoing efforts, having addressed six zero-days exploited in 2025, enhancing device security across multiple platforms. Organizations should prioritize updating affected devices to mitigate potential risks associated with these vulnerabilities and protect sensitive data.