Daily Brief

Total articles found: 11542

2025-11-27 11:30:30 bleepingcomputer DATA BREACH OpenAI Reports Limited Data Exposure from Mixpanel Vendor Breach
OpenAI disclosed a data breach affecting some ChatGPT API customers due to a security incident at Mixpanel, its third-party analytics provider. The breach involved limited analytics data, impacting only API users, with no compromise of chat logs, credentials, or sensitive user information. Mixpanel's breach resulted from a smishing attack detected on November 8, affecting a small subset of its customers, including OpenAI. OpenAI has removed Mixpanel from its production services and is notifying affected users, advising vigilance against potential phishing attempts. The company recommends enabling two-factor authentication and cautions against sharing sensitive information via unsecured channels. Mixpanel has contacted affected customers, secured accounts, and implemented new security measures to mitigate future risks. OpenAI's proactive response includes an internal investigation to assess the incident's full impact and ongoing communication with stakeholders.
2025-11-27 10:06:23 thehackernews DDOS ShadowV2 Botnet Exploits IoT Vulnerabilities During AWS Outage
The ShadowV2 botnet, based on Mirai, targeted IoT devices globally during an AWS outage in October 2025, exploiting multiple vulnerabilities to expand its network. Fortinet suggests this campaign was likely a test for future attacks, highlighting the ongoing threat posed by IoT device vulnerabilities. The botnet exploited several CVEs, including those affecting D-Link, DigiEver, and TP-Link devices, to recruit compromised devices into a DDoS-capable network. Following successful exploitation, a downloader shell script installs ShadowV2 malware, preparing devices for potential DDoS attacks. The incident underscores the critical need for improved IoT security measures to prevent such devices from being used in large-scale cyber attacks. Another botnet, RondoDox, also based on Mirai, has been observed using similar tactics, indicating a broader trend of targeting IoT environments. Organizations are advised to patch known vulnerabilities and enhance monitoring of IoT devices to mitigate risks associated with these evolving threats.
2025-11-27 07:07:05 thehackernews DATA BREACH Gainsight Data Breach Expands Amid Salesforce Security Concerns
Gainsight has expanded the list of customers impacted by a security incident linked to its Salesforce applications, following initial reports of suspicious activity. The breach has been associated with the cybercrime group ShinyHunters, prompting Gainsight to revoke access and refresh tokens for affected applications. Companies like Zendesk, Gong.io, and HubSpot have temporarily suspended Gainsight integrations, while Google has disabled certain OAuth clients to mitigate risks. Salesforce and Gainsight have released indicators of compromise, including specific user agent strings and IP addresses, to aid in identifying unauthorized access. The incident coincides with the emergence of ShinySp1d3r, a new ransomware-as-a-service platform developed by ShinyHunters and associated groups. ShinySp1d3r features advanced capabilities, such as disabling Windows Event Viewer logging and encrypting open network shares, posing significant threats to organizations. Gainsight and affected partners are actively investigating the breach, while urging customers to implement recommended security measures to protect their environments.
2025-11-26 22:28:21 bleepingcomputer MALWARE ShadowV2 Botnet Exploits IoT Vulnerabilities During AWS Outage
Fortinet's FortiGuard Labs identified ShadowV2, a Mirai-based botnet that targeted IoT devices during an AWS outage, potentially as a test run. ShadowV2 exploits at least eight known vulnerabilities in IoT products, including a critical command injection flaw in end-of-life D-Link devices. The botnet targeted routers, NAS devices, and DVRs across seven sectors globally, affecting regions such as North and South America, Europe, Africa, Asia, and Australia. ShadowV2 supports DDoS attacks over UDP, TCP, and HTTP, with its command-and-control infrastructure triggering these attacks. Fortinet researchers provided technical details and indicators of compromise (IoCs) to aid in identifying and mitigating the threat. D-Link issued advisories warning users that outdated devices will not receive security updates, stressing the importance of keeping firmware current. The exact operators and monetization strategy behind ShadowV2 remain unknown, but typical DDoS botnets monetize through extortion or by renting out attack capabilities.
2025-11-26 20:43:51 theregister DATA BREACH Gainsight Data Breach Affects Over 200 Salesforce Instances
Gainsight's CEO downplayed the breach's impact, claiming only a few customers were affected, contradicting reports of over 200 impacted Salesforce instances. Google's Threat Intelligence Group linked the breach to ShinyHunters, a known extortion group, which later confirmed its involvement. Salesforce discovered suspicious activity on November 19, leading to the revocation of all access and refresh tokens for Gainsight applications. Gainsight's forensic investigation is ongoing, with the Salesforce integration still disabled and no timeline for restoration provided. Gainsight is addressing login issues for some customers using GSuite for SSO, indicating broader operational disruptions. Other CRM platforms, including Zendesk and HubSpot, have also revoked access to Gainsight, reflecting the breach's wider impact. Salesforce issued a security advisory listing indicators of compromise related to ShinyHunters, urging network defenders to review them. Gainsight is actively communicating with affected customers through town halls and support teams to manage the situation.
2025-11-26 20:03:25 bleepingcomputer MISCELLANEOUS NordVPN Offers Significant Discounts During 2025 Black Friday Event
NordVPN has launched its 2025 Black Friday promotion, offering up to 77% off on VPN plans, appealing to both individual and corporate users seeking enhanced online security. The promotion includes discounts on NordVPN's Basic, Plus, and Ultimate plans, with additional features such as Threat Protection Pro and identity theft insurance for U.S. residents. This deal positions NordVPN as a cost-effective choice for comprehensive online security, including VPN services, password management, and encrypted cloud storage. NordVPN's infrastructure supports fast connection speeds and access to global streaming services, making it ideal for users prioritizing privacy and entertainment needs. The company emphasizes the importance of online security during the holiday shopping season, a period of heightened cybercriminal activity. NordVPN's headquarters in Panama allows it to maintain a strict no-logs policy, enhancing user privacy by avoiding data retention laws. This promotion runs from October 16 through December 10, 2025, providing an extended window for securing these significant savings.
2025-11-26 19:37:34 bleepingcomputer VULNERABILITIES Critical Signature Verification Flaw Patched in Node-Forge Library
A high-severity vulnerability, CVE-2025-12816, in the node-forge JavaScript library allowed signature verification to be bypassed with crafted data. The flaw originated in the ASN.1 validation mechanism, which permitted malformed data to pass as valid, undermining the integrity of cryptographic protocols built on the library. Discovered by Hunter Wodzenski of Palo Alto Networks, the vulnerability was responsibly reported and demonstrated with a proof-of-concept. Carnegie Mellon CERT-CC warns of potential impacts such as authentication bypass and tampering with signed data, especially in trust-critical environments. Node-forge, with nearly 26 million weekly downloads, is essential for projects needing cryptographic functions, amplifying the flaw's potential reach. A fix has been issued in version 1.3.2, and developers are urged to update immediately to mitigate risks associated with the vulnerability. Flaws in open-source projects can persist after disclosure because of complex deployment environments and testing requirements, making prompt patch adoption necessary.
2025-11-26 18:48:15 theregister DDOS ShadowV2 Botnet Exploits AWS Outage for Global DDoS Test Run
The ShadowV2 botnet, a Mirai variant, emerged during an AWS outage, infecting IoT devices across 28 countries, indicating a potential test for future large-scale attacks. Fortinet's FortiGuard Labs reported that ShadowV2 exploited vulnerabilities in devices from multiple vendors, including D-Link and TP-Link, to form a network capable of DDoS attacks. The botnet's activity coincided with the AWS outage, affecting sectors such as technology, retail, government, and education, but ceased once the outage ended. Attackers used a downloader script to deploy ShadowV2, connecting to a command-and-control server to execute DDoS operations, similar to the LZRD Mirai variant. The incident underscores the critical need for securing IoT devices, updating firmware, and monitoring network traffic to prevent exploitation by malicious actors. Fortinet provided a list of indicators of compromise to aid in threat detection and mitigation efforts for organizations potentially impacted by ShadowV2. Shortly after ShadowV2's activity, Microsoft's Azure faced a record-breaking DDoS attack from the Aisuru botnet, which was successfully mitigated without service disruptions.
2025-11-26 18:32:12 bleepingcomputer DATA BREACH Comcast Fined $1.5M for Data Breach Affecting 275,000 Customers
Comcast agreed to a $1.5 million settlement with the FCC over a vendor data breach that compromised personal information of nearly 275,000 customers. The breach originated from Financial Business and Consumer Solutions (FBCS), a former debt collector for Comcast, impacting 4.2 million individuals overall. Attackers accessed sensitive data including names, addresses, Social Security numbers, and Comcast account details between February 14 and February 26, 2024. Comcast's compliance plan includes enhanced vendor oversight, regular risk assessments, and mandatory reporting of any security violations to the FCC. Despite the settlement, Comcast maintains it was not responsible for the breach, as its network was not directly compromised. The incident underscores the critical need for robust vendor management and security compliance to protect customer data. Comcast, a leading telecommunications firm, continues to focus on safeguarding customer privacy while navigating complex vendor relationships.
2025-11-26 18:13:32 thehackernews VULNERABILITIES Shai-Hulud v2 Attack Expands, Threatens Global Software Supply Chains
The Shai-Hulud v2 campaign has expanded from npm to Maven, compromising over 830 npm packages and affecting thousands of developers worldwide. Attackers targeted Maven Central with compromised packages, embedding malicious components that exfiltrate sensitive data like API keys and cloud credentials. The campaign leverages CI misconfigurations in GitHub Actions, exploiting vulnerabilities in workflows to execute malicious code and compromise projects. Over 28,000 repositories have been impacted, with attackers using stealthy techniques to hide core logic and increase infection scale. The attack's self-replicating nature allows a single infected account to escalate the threat quickly, affecting multiple downstream applications. Security firms advise rotating tokens, auditing dependencies, and enhancing CI/CD environment security to mitigate future risks. The incident highlights vulnerabilities in software distribution pathways, emphasizing the need for improved security measures in open-source ecosystems.
2025-11-26 17:26:31 bleepingcomputer CYBERCRIME Cyberattack Disrupts IT Systems of Multiple London Councils
A cyberattack has disrupted IT systems of the Royal Borough of Kensington and Chelsea and Westminster City Council, affecting critical services and communication channels. The attack impacted shared IT infrastructure, prompting activation of emergency plans to maintain essential services for 360,000 residents. The London Borough of Hammersmith and Fulham implemented enhanced security measures, resulting in additional business disruptions to safeguard networks. The councils are collaborating with the National Cyber Security Centre and cyber incident experts to protect systems, restore operations, and investigate the attack. Investigations into the perpetrators and potential data compromise are ongoing, with updates to be provided to the public as more information becomes available. The UK Information Commissioner’s Office has been notified, aligning with established protocols for handling such incidents. Security experts suggest a ransomware attack at a shared services provider, though no group has claimed responsibility yet.
2025-11-26 17:18:16 theregister MISCELLANEOUS GSMA Calls for Harmonized Cybersecurity Regulations to Reduce Costs
The GSMA report indicates fragmented cybersecurity regulations are inflating costs for mobile operators without enhancing network safety. Mobile operators' cybersecurity spending is expected to more than double by 2030 due to evolving threats and complex regulatory demands. The report highlights that operators face overlapping laws and sector-specific policies, leading to increased compliance expenses and resource diversion. Current regulations often require operators to implement additional activities or invest in mandated technologies, increasing operational costs. GSMA advocates for aligning cybersecurity policies with international standards like ISO 27001 and the NIST Cybersecurity Framework. The organization suggests a shift from punitive enforcement to collaborative approaches, emphasizing prevention and long-term investment. Harmonized, risk-based cybersecurity frameworks are recommended to enhance safety across the digital ecosystem while reducing compliance burdens.
2025-11-26 14:46:54 bleepingcomputer MISCELLANEOUS Passwork 7 Revolutionizes Enterprise Credential and Secrets Management
Passwork 7 introduces a unified platform for managing both human and machine credentials, enhancing security and operational efficiency for enterprise teams. The new release offers improved usability, security refinements, and workflow efficiency, addressing the complex needs of distributed teams and infrastructure. Passwork 7's flexible vault architecture supports granular access control, allowing organizations to mirror internal structures and maintain compliance. The platform's zero-knowledge encryption ensures maximum security by encrypting data client-side, protecting sensitive credentials from server compromises. Self-hosted deployment options provide complete control over credential data, meeting data residency and regulatory requirements, and eliminating vendor dependency. Integration with existing corporate identity infrastructure through SSO and LDAP simplifies user management and enhances security posture. Automation tools, including a Python connector and CLI, enable seamless integration into DevOps workflows, supporting programmatic credential management. A 50% Black Friday discount and free trial offer provide organizations an opportunity to evaluate and adopt Passwork 7 with financial incentives.
2025-11-26 14:37:14 theregister CYBERCRIME CodeRED Emergency Alert System Hit by INC Ransomware Attack
Crisis24's CodeRED emergency alert system was compromised by the INC ransomware group, affecting municipalities across the United States. The attack resulted in the theft of sensitive data, including names, addresses, email addresses, phone numbers, and passwords of CodeRED users. Douglas County, Colorado, terminated its contract with CodeRED, while other regions are transitioning to a new, secure platform. Crisis24 assured customers that the new platform is hosted in a separate, uncompromised environment with enhanced security measures. In the meantime, affected areas are using alternative communication methods, such as social media and door-to-door notifications, to disseminate emergency alerts. The INC ransomware group initially demanded a $950,000 ransom, later reducing it to $450,000, but Crisis24's counteroffers were rejected. The group has threatened to sell the stolen data after releasing a snippet online, increasing pressure on Crisis24 to meet its demands. Crisis24 has not confirmed any online data leaks but warns customers to change passwords and remain vigilant against potential misuse.
2025-11-26 14:37:14 thehackernews CYBERCRIME Qilin Ransomware Exploits South Korean MSP in Major Data Heist
Qilin ransomware targeted South Korea's financial sector via a sophisticated supply chain attack, compromising a Managed Service Provider (MSP) to access multiple victims. The attack, dubbed "Korean Leaks," affected 28 victims, resulting in the theft of over 1 million files and 2 TB of data. The campaign unfolded in three waves, initially framing the leaks as a public service exposing corruption, later shifting to financial extortion. Qilin's Ransomware-as-a-Service model involves recruiting affiliates, including North Korean actor Moonstone Sleet, to execute attacks. The breach of GJTec led to ransomware infections across more than 20 asset management companies, highlighting vulnerabilities in MSP security. The Qilin group, likely of Russian origin, claims to be politically motivated, using propaganda to pressure victims and influence public perception. Organizations are urged to adopt Multi-Factor Authentication, apply the Principle of Least Privilege, and segment critical systems to mitigate similar risks. The attack underscores the importance of securing supply chains, as exploiting MSPs offers ransomware groups a practical means to target clustered victims.