Daily Brief

Find articles below, see 'DETAILS' for generated summaries

2025-09-16 12:10:46 theregister MALWARE FileFix Campaign Exploits Fake Facebook Alerts to Deploy Infostealers
The FileFix attack masquerades as a Facebook security alert to distribute the StealC infostealer, evolving from a proof-of-concept to a global threat in under two months. Victims are tricked into executing the malware by copying and pasting commands into Windows, exploiting user trust in familiar interfaces like File Explorer. Researchers observed a 517% surge in these social-engineering attacks, now the second most common vector after phishing, indicating a growing threat landscape. Attackers use AI-generated images and BitBucket-hosted payloads to evade detection, embedding PowerShell scripts and encrypted executables within benign-looking files. The final payload, a Go-written loader, checks for virtual environments before deploying StealC, which targets browsers, cryptocurrency wallets, and various applications. The campaign's rapid evolution stresses the need for enhanced anti-phishing training, as traditional methods may not adequately address these sophisticated social-engineering tactics. The widespread geographical impact, with incidents reported across multiple countries, suggests a coordinated effort to exploit global user bases. Security teams are urged to update training programs and detection mechanisms to counteract the innovative techniques employed by such campaigns.
2025-09-16 12:02:32 bleepingcomputer MALWARE FileFix Attack Uses Steganography to Deploy StealC Infostealer
A new FileFix social engineering campaign impersonates Meta account warnings to trick users into installing StealC malware, evolving from the ClickFix family of attacks. The attack involves users pasting malicious PowerShell commands into File Explorer's address bar, disguised as file paths to an "incident report" from Meta. Acronis discovered the campaign's use of steganography to hide malicious scripts within a JPG image, hosted on Bitbucket, to bypass detection. The initial PowerShell command downloads the image, extracts and executes a secondary script, ultimately deploying the StealC infostealer malware. Multiple campaign variants were observed over two weeks, suggesting attackers are refining their techniques and testing infrastructure for future use. Organizations are advised to educate employees on the risks of copying data from websites into system dialogs, as these tactics remain relatively unfamiliar. The campaign's evolution highlights the importance of continuous adaptation in cybersecurity defenses to counter emerging social engineering threats.
2025-09-16 11:14:28 thehackernews VULNERABILITIES Apple Releases Critical Security Patches for Exploited ImageIO Flaw
Apple has issued backported fixes for CVE-2025-43300, an out-of-bounds write vulnerability in the ImageIO component, actively exploited in sophisticated spyware attacks. This vulnerability, with a CVSS score of 8.8, can lead to memory corruption when processing malicious image files, posing significant security risks. The flaw was part of a targeted attack chain with CVE-2025-55177, impacting fewer than 200 individuals via WhatsApp on iOS and macOS platforms. Apple initially addressed the issue with updates to iOS 18.6.2, iPadOS 18.6.2, and various macOS versions, and has now extended patches to older systems. The updates also cover additional security vulnerabilities across multiple Apple platforms, including iOS, iPadOS, macOS, tvOS, visionOS, watchOS, Safari, and Xcode. While no other flaws have been exploited in real-world attacks, keeping systems up to date remains crucial for protection. This incident emphasizes the importance of timely patching and vigilance against potential exploitation in targeted cyber threats.
2025-09-16 11:05:49 theregister CYBERCRIME Jaguar Land Rover's Global Operations Halted by Cyberattack Fallout
Jaguar Land Rover (JLR) extends its global production shutdown to nearly four weeks due to ongoing cyberattack remediation efforts, impacting operations in multiple countries. The cyber incident has caused significant disruption, with JLR's UK and international sites in China, India, and Slovakia all ceasing operations temporarily. Suppliers to JLR, including those in the West Midlands, France, and Germany, report temporary layoffs affecting around 6,000 jobs, exacerbating financial strain. The Unite trade union urges the UK government to implement a COVID-style furlough scheme to support workers affected by the supply chain disruptions. JLR faces estimated daily revenue losses between £5-10 million ($6-13 million), with potential total losses reaching £240 million ($327 million) since the shutdown began. The attack, claimed by Scattered Lapsus$ Hunters, follows similar incidents targeting major retailers, raising concerns about the group's ongoing threat to the industry. JLR's incident response includes a forensic investigation and a phased approach to resuming global operations, though recovery timelines remain uncertain.
2025-09-16 11:05:48 bleepingcomputer VULNERABILITIES Webinar Reveals Modern Web Browsers as Primary Attack Surface
A webinar hosted by BleepingComputer and SC Media will address the critical security challenges posed by modern web browsers, now a major attack vector for identity and session threats. Browser security experts from Push Security will discuss how attackers exploit browsers to compromise accounts, steal data, and bypass traditional security measures. The session will highlight threats such as malicious extensions, session token theft, OAuth abuse, and emerging dangers like ClickFix and FileFix attacks. Push Security offers a real-time detection and response platform specifically designed to address browser-based identity attacks, providing vital visibility and control. The increasing complexity of browser functions, from authentication to SaaS data handling, has attracted cybercriminals, necessitating advanced security strategies. Traditional endpoint and identity tools often fail to detect these sophisticated browser threats, creating significant vulnerabilities in enterprise defenses. The webinar aims to equip security teams with actionable insights and strategies to mitigate risks and secure the modern web edge effectively.
2025-09-16 11:00:11 thehackernews MISCELLANEOUS Astrix Launches AI Agent Control Plane for Enhanced Enterprise Security
Astrix introduces the AI Agent Control Plane (ACP) to secure AI agents, addressing risks from autonomous operations and unauthorized system access within enterprises. Recent studies indicate 80% of companies have faced unintended AI agent actions, causing unauthorized access and data leaks, highlighting the need for specialized security solutions. Traditional Identity and Access Management (IAM) systems struggle with AI agents due to their speed and reliance on non-human identities, necessitating new security approaches. ACP provides AI agents with short-lived, precisely scoped credentials and just-in-time access, adhering to least privilege principles to mitigate access chaos and compliance risks. The Discover–Secure–Deploy framework within ACP offers comprehensive visibility and security guardrails, enabling safe deployment of AI agents at scale. By implementing ACP, organizations can fully leverage AI agents' capabilities without introducing uncontrolled risks, enhancing operational efficiency and security. Astrix's solution addresses the growing blind spot of AI agents and non-human identities, which significantly outnumber employees and evade traditional IAM systems.
2025-09-16 07:32:29 thehackernews VULNERABILITIES Phoenix RowHammer Attack Compromises DDR5 Memory Protections in Seconds
Researchers from ETH Zürich and Google unveiled a new RowHammer attack variant, named Phoenix, targeting DDR5 memory chips from SK Hynix, bypassing advanced protection mechanisms. The Phoenix attack exploits a hardware vulnerability in DRAM chips, causing bit flips in adjacent rows, potentially leading to unauthorized data access or privilege escalation. Despite advanced defenses like Error Correction Code (ECC) and Target Row Refresh (TRR), the attack achieves privilege escalation on DDR5 systems in just 109 seconds. The vulnerability affects all 15 DDR5 memory chips tested, produced between 2021 and 2024, allowing attackers to target RSA-2048 keys and escalate privileges to root. Researchers advise increasing the refresh rate to 3x to prevent the Phoenix attack from triggering bit flips on affected systems. The findings highlight ongoing challenges in DRAM security, as newer chips become more susceptible to RowHammer due to density scaling and reduced activation requirements. The disclosure follows recent reports of other RowHammer attacks, including OneFlip and ECC.fail, which target different DRAM configurations and protections.
2025-09-16 07:16:44 theregister DATA BREACH China Enforces Strict One-Hour Cyber Incident Reporting Rule
From November 1, China's Cyberspace Administration mandates that network operators report serious cyber incidents within one hour, with penalties for non-compliance. The new regulations apply to any entity managing or providing network services, covering a broad spectrum of operators. Especially serious incidents, such as data breaches affecting over 100 million citizens or significant economic losses, require reporting within 30 minutes. Initial reports must include comprehensive details such as systems affected, attack timeline, damage assessment, and potential future harm. Failure to report promptly or accurately can lead to severe penalties for both network operators and responsible individuals. The rapid reporting requirement aims to enhance real-time monitoring capabilities and necessitates investment in compliance and response teams. This move follows recent penalties against companies like Dior for data mishandling, signaling China's stringent approach to cybersecurity governance.
2025-09-16 05:06:13 thehackernews VULNERABILITIES Supply Chain Attack Compromises Over 40 npm Packages for Credential Theft
A recent supply chain attack targeted the npm registry, affecting over 40 packages maintained by various developers, aiming to steal sensitive credentials from developers' machines. The attack leverages a function to inject malicious JavaScript code, "bundle.js," into packages, which downloads and runs TruffleHog to scan for secrets like GitHub and AWS credentials. Both Windows and Linux systems are vulnerable, with the script exploiting GitHub personal access tokens to create workflows that exfiltrate data to an external server. Developers are advised to audit their environments, rotate exposed tokens, and remove compromised packages to mitigate potential damage. The Rust Security Response Working Group has also identified a phishing campaign targeting crates.io users, using a typosquatted domain to steal GitHub credentials. The phishing emails falsely claim a compromise of crates.io infrastructure, directing users to a fake GitHub login page to capture credentials. Rust's security team is actively monitoring for suspicious activities and working to disable the malicious domain to protect users.
2025-09-15 23:19:21 bleepingcomputer CYBERCRIME Hackers Exploit Law Enforcement Portal, Prompting Security Concerns
Google confirmed a fraudulent account was created in its Law Enforcement Request System (LERS), used for official data requests, though no data was accessed. The threat actors, known as "Scattered Lapsus$ Hunters," claimed access to both Google's LERS and the FBI's eCheck system, raising significant security concerns. The group, linked to Shiny Hunters, Scattered Spider, and Lapsus$, has been involved in extensive data theft, targeting high-profile companies like Google and Salesforce. Attackers initially used social engineering to exploit Salesforce's Data Loader tool, leading to data theft and extortion of multiple corporations. Further breaches involved accessing Salesloft's GitHub repository, using TruffleHog to find authentication tokens, and conducting additional data theft attacks. Companies impacted by these attacks include major brands such as Adidas, Cisco, and Louis Vuitton, among others. Despite claims of going dark, cybersecurity experts suspect the group will continue its activities discreetly, posing ongoing threats to corporate and governmental entities.
2025-09-15 20:15:33 bleepingcomputer DATA BREACH Hackers Exploit Google Law Enforcement Portal, No Data Compromised
Google confirmed a fraudulent account was created in its Law Enforcement Request System (LERS), used for official data requests, but no data was accessed or requests made. The group "Scattered Lapsus$ Hunters" claimed access to Google's LERS and the FBI's eCheck system, raising concerns about potential impersonation of law enforcement. This group, linked to Shiny Hunters and Lapsus$, has been involved in extensive data theft attacks, notably targeting Salesforce data through social engineering. Their tactics included breaching Salesloft's GitHub repository to extract secrets, enabling further data theft from companies like Google, Cisco, and Qantas. Google Threat Intelligence (Mandiant) has been actively countering these threat actors, initially disclosing their attacks and advising companies to enhance security measures. Despite claims of going silent, cybersecurity experts suspect the group will persist with covert operations, posing ongoing risks to both corporate and governmental entities.
2025-09-15 19:46:28 theregister CYBERCRIME SonicWall Attack Exploits Plaintext Recovery Codes, Compromises Security
A recent SonicWall breach involved attackers bypassing multi-factor authentication by exploiting recovery codes stored in plaintext on an engineer's desktop. The attackers deployed Akira ransomware, disabled endpoint security tools, and stole credentials to impersonate privileged users within the compromised networks. Huntress, a managed security service provider, identified the breach when suspicious activity was detected in a customer's environment, prompting an investigation. Attackers accessed the Huntress portal using compromised credentials, resolved incident reports, and de-isolated hosts, complicating detection and response efforts. The incident underscores the critical need for encrypting sensitive information and employing robust password management practices to prevent similar breaches. Huntress analysts recommend using encrypted password managers and regularly rotating recovery codes to enhance security posture. The breach highlights the importance of monitoring internal activity logs for unusual behavior, even if it appears to originate from legitimate accounts.
2025-09-15 18:49:30 thehackernews NATION STATE ACTIVITY Mustang Panda Targets Thailand with New SnakeDisk USB Worm
Mustang Panda, a China-aligned threat actor, has been deploying SnakeDisk, a new USB worm, to target devices with Thailand-based IP addresses, dropping the Yokai backdoor. IBM X-Force researchers identified this activity under the cluster name Hive0154, which is associated with several aliases, including Bronze President and RedDelta. The attack chain involves spear-phishing emails that deliver malware like TONESHELL, which downloads further payloads on compromised systems. SnakeDisk uses DLL side-loading to propagate via USB devices, tricking users into executing the malicious payload by disguising it as a file on the USB device. The Yokai backdoor, delivered by SnakeDisk, establishes a reverse shell for executing arbitrary commands, indicating a focus on Thai targets. TONESHELL variants, TONESHELL8 and TONESHELL9, include features to evade detection, such as junk code from OpenAI's ChatGPT, and support proxy-based C2 communication. Mustang Panda's continued evolution and targeting of Thailand suggest a strategic focus, with implications for regional cybersecurity defenses and threat monitoring.
2025-09-15 18:20:15 bleepingcomputer DATA BREACH FinWise Bank Data Breach Exposes 689,000 American First Finance Customers
FinWise Bank reported a data breach involving unauthorized access by a former employee, impacting 689,000 American First Finance customers. The breach involved sensitive customer information, including full names and other personal data, though specific details on the data types remain undisclosed. The incident occurred after the employee's termination, raising concerns about internal security measures and access controls. FinWise has initiated an investigation with external cybersecurity experts to determine the breach's scope and prevent future incidents. In response, the bank has enhanced internal controls and is offering affected individuals 12 months of free credit monitoring and identity theft protection. The breach has led to several class-action lawsuits, highlighting the legal and reputational risks associated with data security lapses. FinWise's recent SEC filing confirms the breach's impact, aligning with figures reported by American First Finance.
2025-09-15 18:09:06 bleepingcomputer VULNERABILITIES Phoenix Attack Bypasses DDR5 Rowhammer Defenses, Exposing Security Flaws
Researchers from ETH Zurich and Google have developed the Phoenix attack, a new Rowhammer variant, bypassing DDR5 memory protections from SK Hynix. The Phoenix attack exploits vulnerabilities in DDR5 memory chips, allowing attackers to flip bits and potentially escalate privileges or execute malicious code. By reverse-engineering Hynix's protections, researchers identified gaps in the Target Row Refresh (TRR) mechanism, enabling the Phoenix attack to succeed. Tests revealed that all 15 DDR5 memory chips tested were vulnerable, with attackers gaining root privileges in under two minutes on a standard system. The attack method was effective against page-table entries and RSA-2048 keys, with significant exposure across tested DIMMs, affecting 73% and 33% respectively. Phoenix is tracked as CVE-2025-6202, affecting DIMM RAM modules produced from January 2021 to December 2024, with a high-severity score. Mitigation involves tripling the DRAM refresh interval, though this may lead to system instability and data corruption. The research, including proof-of-concept exploits, will be presented at the IEEE Symposium on Security and Privacy, offering insights into future DDR5 security measures.