Daily Brief
Total articles found: 12656
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-10-31 11:31:09 | theregister | MISCELLANEOUS | OpenStack Emphasizes Resilience Amid Geopolitical and Market Shifts | The OpenInfra Foundation is focusing on resilience, driven by geopolitical tensions and market dynamics, to ensure independence and control over infrastructure. Thierry Carrez, OpenInfra's general manager, cited the impact of VMware's price hikes under Broadcom and geopolitical uncertainties as catalysts for renewed interest in OpenStack. The OpenInfra Summit in Paris showcased VMware migration strategies, emphasizing the need for independence from major hyperscale providers, particularly in Europe. Open source licensing changes, like Redis's shift to a less permissive license, have prompted organizations to reassess their infrastructure dependencies. Jonathan Bryce, OpenInfra's executive director, highlighted AI as a key theme, noting the strategic interest from CEOs and boards in AI infrastructure development. Concerns about a potential AI bubble were discussed, with industry leaders advocating a cautious approach to avoid oversupply issues in the cloud market. OpenStack's history of adapting to changing contributor landscapes was presented as evidence of its resilience and ability to navigate industry challenges. |
| 2025-10-31 11:31:08 | thehackernews | MISCELLANEOUS | MSPs Advised to Leverage Cybersecurity for Business Growth Opportunities | Managed Service Providers (MSPs) face increasing client demands for robust cybersecurity and compliance, presenting a significant opportunity for growth in the market. Clients are seeking comprehensive security solutions without managing the complexities themselves, driving MSPs to enhance their service offerings. Transitioning from basic IT services to strategic cybersecurity requires a clear service strategy and the ability to articulate security value in business terms. The guide "Turn Security Into Growth: Is Your MSP Ready to Expand?" provides a checklist for MSPs to evaluate strategic mindset and operational readiness. A security-first mindset is crucial, focusing on risk management, compliance, and resilience as part of the client's business strategy. Operational readiness involves assessing capabilities to scale security services effectively, identifying strengths, and addressing gaps. MSPs with strong foundations in mindset and operations can scale services confidently, delivering measurable value and unlocking new revenue streams. The guide aims to help MSPs avoid reactive service pitfalls and gain a competitive advantage by strategically expanding their cybersecurity offerings. |
| 2025-10-31 11:31:08 | bleepingcomputer | NATION STATE ACTIVITY | China-Linked Group Exploits Windows Zero-Day Targeting European Diplomats | A Chinese state-backed group, UNC6384 (Mustang Panda), is exploiting a Windows zero-day to target European diplomats, focusing initially on Hungary and Belgium. The attack begins with spearphishing emails containing malicious LNK files themed around diplomatic events, exploiting a Windows LNK vulnerability (CVE-2025-9491). The campaign deploys the PlugX remote access trojan, enabling persistent access to compromised systems for espionage activities. The scope of attacks has expanded to include Serbian, Italian, and Dutch diplomatic entities, indicating a broadening of targets. Researchers from Arctic Wolf Labs and StrikeReady have confirmed attribution to UNC6384 based on malware analysis and infrastructure overlaps. CVE-2025-9491 allows remote code execution via LNK files, requiring user interaction to exploit, and remains unpatched by Microsoft. Network defenders are advised to restrict or block Windows .LNK files and monitor for connections to identified command-and-control infrastructure. |
| 2025-10-31 09:42:28 | bleepingcomputer | CYBERCRIME | Ukrainian Extradited to U.S. for Conti Ransomware Involvement | Oleksii Oleksiyovych Lytvynenko, a Ukrainian national, has been extradited to the U.S. from Ireland on charges related to the Conti ransomware operation. Lytvynenko is accused of managing stolen data and sending ransom notes in double extortion attacks from 2020 to June 2022. Arrested in July 2023 by Irish authorities, Lytvynenko faces up to 25 years in prison if convicted on charges of wire fraud and computer fraud conspiracy. The Conti ransomware group, originating in Russia, is linked to over 1,000 global victims and has extorted more than $150 million in ransom payments. Conti's operations have targeted critical infrastructure more than any other ransomware, posing significant threats to global security. The U.S. and U.K. have sanctioned multiple Russian nationals associated with Conti and TrickBot, highlighting international efforts to dismantle these cybercrime networks. The extradition and legal actions underscore ongoing international collaboration to combat ransomware and cybercrime syndicates. |
| 2025-10-31 08:50:31 | thehackernews | VULNERABILITIES | CISA and NSA Release Critical Guidance for Securing Microsoft Servers | CISA and NSA, with partners from Australia and Canada, issued guidance to secure Microsoft Exchange Servers against ongoing cyber threats, emphasizing administrative access restrictions and multi-factor authentication. The advisory stresses transitioning from end-of-life on-premises Exchange servers to Microsoft 365 to maintain communication integrity and confidentiality. CISA updated its alert on CVE-2025-59287, a security flaw in WSUS, following reports of exploitation by threat actors to exfiltrate sensitive data from U.S. organizations. Exploitation of CVE-2025-59287 involves running Base64-encoded PowerShell commands on vulnerable WSUS servers, with data exfiltration observed to a specific endpoint. Organizations are urged to apply Microsoft's out-of-band security update and investigate potential threat activity to mitigate risks associated with this vulnerability. Sophos identified initial exploitation attempts as reconnaissance, with at least 50 potential victims, indicating attackers' swift adaptation to exploit this flaw. Security experts discovered an alternate attack chain using Microsoft's Management Console, highlighting the complexity and depth of CVE-2025-59287. Organizations must ensure their systems are patched and WSUS servers securely configured to prevent further exploitation and safeguard sensitive data. |
| 2025-10-31 08:07:32 | thehackernews | VULNERABILITIES | Eclipse Foundation Revokes Leaked Tokens to Secure Open VSX Project | The Eclipse Foundation revoked several leaked tokens from Visual Studio Code extensions, following a report by cloud security firm Wiz. The leaked tokens, found in public repositories, could have allowed attackers to distribute malware and compromise the extension supply chain. Investigations confirmed the leaks resulted from developer errors, not a breach of the Open VSX infrastructure. A new token prefix format, "ovsxp_", has been introduced to facilitate easier detection of exposed tokens. The foundation removed flagged extensions linked to the "GlassWorm" campaign, which required stolen developer credentials for malware distribution. Download counts of affected extensions were inflated by bots, overstating the number of impacted users. Enhanced security measures are being enforced to strengthen the ecosystem's resilience against supply chain attacks. The incident underscores the importance of shared responsibility in maintaining supply chain security among publishers and registry maintainers. |
| 2025-10-31 07:38:17 | theregister | VULNERABILITIES | NHS Faces Challenges Upgrading Medical Devices to Windows 11 | NHS hospitals encounter obstacles upgrading to Windows 11 due to some suppliers not updating medical devices for compatibility, affecting about 2% of their systems. The Rotherham NHS Foundation Trust reported a £25,000 upgrade cost for a three-year-old device, highlighting financial and operational challenges. Microsoft's support for Windows 10 ended on October 14, leaving non-upgraded devices without critical security patches, raising cybersecurity concerns. NHS England mandates upgrades to Windows 11 to safeguard patient data and maintain system security, despite the option for Extended Security Updates. Outdated devices have been quarantined to mitigate cyber risks, but this action could disrupt patient care, such as hindering pacemaker communications. Historical delays in upgrading systems exposed the NHS to attacks like WannaCry in 2017, emphasizing the importance of timely system updates. The situation reflects broader challenges in healthcare IT, where outdated technology can pose significant risks to patient safety and operational continuity. |
| 2025-10-31 07:16:53 | thehackernews | VULNERABILITIES | CISA Alerts on VMware Zero-Day Exploited by China-Linked Hackers | CISA added a critical VMware vulnerability, CVE-2025-41244, to its Known Exploited Vulnerabilities catalog due to active exploitation by China-linked threat actors. The flaw, with a CVSS score of 7.8, allows attackers to gain root-level privileges on affected systems, posing significant security risks. Exploitation involves local privilege escalation, enabling unprivileged users to execute code in privileged contexts, such as root access. Broadcom-owned VMware addressed the vulnerability, but it had already been exploited as a zero-day by threat group UNC5174 since October 2024. NVISO Labs discovered the vulnerability during an incident response, describing it as easy to exploit, though details of the payload remain undisclosed. Federal agencies must implement mitigations by November 20, 2025, to protect against potential threats exploiting this and other vulnerabilities. The inclusion of a critical XWiki vulnerability in the KEV catalog indicates ongoing efforts to secure networks from diverse attack vectors. |
| 2025-10-31 05:26:12 | theregister | MISCELLANEOUS | European Central Bank Advances Digital Euro Initiative for 2029 Launch | The European Central Bank (ECB) announced plans to introduce a Digital Euro by 2029, aiming to modernize currency and enhance payment sovereignty within the Eurozone. ECB President Christine Lagarde emphasized the importance of digital currency as a public good, aligning with the evolving financial landscape where physical banknotes are less favored. Currently, two-thirds of digital payments in the Euro area are processed by non-European companies, highlighting a dependency the ECB seeks to reduce through this initiative. The Digital Euro will provide a standardized infrastructure, enabling European banks to compete more effectively across the continent and potentially increase their market share in digital payments. A pilot program is scheduled for 2027, with the ECB investing €1.3 billion in development and projecting annual operating costs of €320 million. Concerns about privacy and security are prevalent, as critics warn that digital currencies could lead to increased surveillance and potential restrictions on consumer freedoms. The ECB aims to address these challenges by ensuring robust security measures and transparent policies to protect user data and maintain public trust. |
| 2025-10-31 03:38:21 | thehackernews | VULNERABILITIES | ThreatLocker Launches macOS Tool to Address Configuration Weaknesses | ThreatLocker has introduced Defense Against Configurations (DAC) for macOS, aimed at identifying and mitigating configuration vulnerabilities that often go unnoticed. The tool scans macOS devices up to four times daily, identifying risky settings and providing remediation guidance aligned with frameworks like CIS, NIST, and ISO 27001. Configuration oversights, such as outdated protocols and permissive settings, pose significant risks, especially in creative industries heavily reliant on Mac devices. The DAC tool extends the security visibility that Windows users enjoy to macOS, helping organizations close security gaps before they are exploited. By integrating with existing ThreatLocker policies, DAC aids in aligning security practices with compliance requirements and insurance standards. The Beta version focuses on high-value controls, ensuring a streamlined path from discovery to remediation without overwhelming IT teams with alerts. This initiative underscores the importance of configuration management as a critical component of cybersecurity posture, particularly for organizations using diverse operating systems. |
| 2025-10-30 20:19:54 | bleepingcomputer | MALWARE | Surge in NFC Relay Malware Targets European Android Users | Researchers identified over 760 malicious Android apps using NFC relay techniques to steal payment card information across Eastern Europe, with significant activity noted in Poland, the Czech Republic, and Russia. This malware exploits Android's Host Card Emulation (HCE) to emulate or capture contactless credit card data, enabling unauthorized transactions without the physical cardholder's presence. Zimperium, a mobile security firm, reported the malware's rapid expansion, supported by over 70 command-and-control servers and distribution hubs, as well as Telegram channels for data exfiltration. The malware often disguises itself as legitimate apps, such as Google Pay or various financial institutions, increasing the risk of unsuspecting users downloading harmful software. Android users are advised to download apps only from trusted sources, regularly use Play Protect for scanning, and disable NFC when not in use to mitigate risks. The ongoing proliferation of NFC relay malware signals a growing threat landscape, necessitating heightened vigilance and robust security measures for mobile users in affected regions. |
| 2025-10-30 20:05:24 | bleepingcomputer | VULNERABILITIES | CISA Mandates Urgent Patching of VMware Tools Vulnerability | CISA has directed U.S. federal agencies to patch a critical VMware Tools flaw, CVE-2025-41244, exploited by Chinese hackers to escalate privileges on virtual machines. The vulnerability, affecting VMware Aria Operations and VMware Tools, allows attackers with local access to gain root-level control, posing significant risks to federal systems. Federal agencies have until November 20 to implement patches as per Binding Operational Directive 22-01, with CISA urging all organizations to prioritize remediation. The flaw has been actively exploited since mid-October 2024 by the Chinese state-sponsored group UNC5174, known for targeting U.S. defense contractors and other international entities. UNC5174, identified as a contractor for China's Ministry of State Security, has a history of exploiting various vulnerabilities to breach high-profile targets. Broadcom has released patches for several VMware zero-day vulnerabilities this year, emphasizing the need for timely updates to protect against sophisticated cyber threats. Organizations are advised to apply vendor-recommended mitigations or cease using affected products if solutions are unavailable, to safeguard against potential breaches. |
| 2025-10-30 19:27:48 | theregister | NATION STATE ACTIVITY | Chinese Cyber Espionage Targets European Diplomats with Windows Flaw | Chinese government-linked group UNC6384 exploited an unpatched Windows vulnerability to target European diplomats, aiming to steal defense and national security information. The espionage campaign utilized social engineering and a Windows shortcut flaw to deploy PlugX malware at diplomatic conferences in September and October 2025. Attackers used phishing emails with European defense-themed lures, delivering weaponized LNK files exploiting CVE-2025-9491, a Windows shortcut vulnerability. The attack chain involved DLL sideloading, leveraging an expired Canon printer utility with a valid digital signature to bypass security tools. PlugX malware, a Remote Access Trojan, enabled remote command execution, keylogging, file transfers, and persistent system access. Microsoft has yet to address the vulnerability, first reported in March, which has been exploited by multiple state-sponsored groups since 2017. This campaign indicates a strategic shift by UNC6384 from Southeast Asia to European targets, demonstrating rapid adoption of disclosed vulnerabilities. |
| 2025-10-30 19:06:20 | bleepingcomputer | NATION STATE ACTIVITY | Ribbon Communications Breach Linked to Nation-State Hackers | Ribbon Communications, a key telecom services provider, reported a breach by nation-state hackers, impacting its IT network since December 2024. The breach affects Ribbon's global operations, including services to critical infrastructure and government entities like the U.S. Department of Defense. Preliminary investigations indicate unauthorized access to customer files on two laptops, though no material information theft is confirmed. Ribbon is collaborating with cybersecurity experts and federal law enforcement to investigate and mitigate the breach. The company anticipates additional costs in Q4 2025 for breach investigation and network fortification, but these are not expected to be substantial. The attack shares characteristics with previous telecom breaches attributed to China's Salt Typhoon cyber-espionage group. This incident underscores the persistent threat of state-sponsored cyber activities targeting critical infrastructure sectors. |
| 2025-10-30 18:53:32 | theregister | DATA BREACH | Proton Launches Platform to Expose Unreported Data Breaches | Proton has introduced the Data Breach Observatory, a platform aimed at revealing data breaches that organizations have not publicly disclosed. This service focuses on breaches identified through dark web monitoring, bypassing traditional disclosure methods like GDPR notifications or journalistic investigations. The Observatory initially reports on 794 attacks in 2025, affecting 300 million records, excluding aggregated infostealer dumps to maintain accuracy. Proton's initiative seeks to enhance transparency and assist small and medium businesses in understanding and mitigating data breach risks. The platform employs cross-referencing and metadata analysis, partnering with Constella Intelligence to ensure data accuracy and reliability. By responsibly disclosing breaches, Proton aims to fill the gap left by organizations that delay or avoid breach announcements. The service distinguishes itself by providing near-real-time updates, offering a systematic approach to monitoring criminal sources directly. |