Daily Brief


Total articles found: 11545

Checks for new stories every ~15 minutes

2025-11-25 21:54:24 | bleepingcomputer | CYBERCRIME | Cyberattack on OnSolve CodeRED Disrupts U.S. Emergency Alert Systems
Crisis24 confirmed a cyberattack on its OnSolve CodeRED platform, disrupting emergency alert systems used by U.S. state and local governments, police, and fire agencies. The attack led to the decommissioning of the legacy CodeRED environment, affecting emergency notifications, weather alerts, and other critical warnings nationwide. Crisis24's investigation revealed that data, including names, addresses, and passwords, was stolen, though there is no evidence of it being publicly posted. The INC Ransomware gang claimed responsibility, publishing screenshots of customer data and offering stolen information for sale after a failed ransom demand. Crisis24 is rebuilding its service using backups from March 31, 2025, but this may result in missing accounts and further operational challenges. Impacted customers are advised to reset any reused passwords due to the exposure of clear-text credentials in the breach. The incident highlights the vulnerabilities in emergency notification systems and the need for robust cybersecurity measures to protect critical infrastructure.
2025-11-25 19:21:52 | bleepingcomputer | MISCELLANEOUS | Black Friday 2025: Major Discounts on Cybersecurity Tools and Courses
Black Friday 2025 offers significant discounts on cybersecurity software, VPNs, antivirus products, and online courses, providing cost-effective opportunities for enhancing security infrastructure. Password managers like Passwork, LastPass, and Dashlane offer up to 60% discounts, facilitating better password management at reduced costs. VPN services such as NordVPN, SurfShark, and ProtonVPN are available with discounts up to 88%, promoting enhanced privacy and secure internet access. Antivirus software from leading providers like Malwarebytes, Avast, and ESET is discounted up to 70%, allowing businesses to strengthen malware defenses affordably. Discounts on IT and security courses from platforms like Udemy and ISC2 provide a chance for professionals to upskill and prepare for certifications at lower prices. The deals are time-sensitive, with varying expiration dates, urging quick decision-making to capitalize on these offers. These promotions reflect a strategic opportunity for organizations to invest in cybersecurity tools and training, aligning with budget planning for 2026.
2025-11-25 18:02:29 | theregister | VULNERABILITIES | New HashJack Attack Exploits AI Browser Vulnerabilities via URL Fragments
Cato Networks discovered the "HashJack" attack, exploiting AI browser assistants by embedding malicious prompts in URL fragments, effectively bypassing traditional network and server defenses. The attack manipulates AI browsers like Copilot, Gemini, and Comet, turning legitimate websites into vectors for data exfiltration, phishing, and misinformation. HashJack's method involves adding a "#" to URLs, followed by malicious instructions, which AI browsers process without detection, increasing the risk of successful attacks. Cato's research indicates AI browsers are particularly susceptible to indirect prompt injections, as they misinterpret hidden commands as user inputs. Google classified the issue as low severity, while Microsoft and Perplexity AI have implemented fixes to counteract the vulnerability in their AI browsers. The discovery signals a shift in threat landscapes, emphasizing the need for layered defenses, AI governance, and client-side monitoring to protect against such attacks. Organizations are urged to reconsider security strategies, focusing on how AI browsers handle hidden context, as these tools become more mainstream.
2025-11-25 17:28:16 | bleepingcomputer | CYBERCRIME | FBI Alerts to $262 Million Stolen in Bank Impersonation Scams
The FBI reports cybercriminals have stolen over $262 million since January 2025 by impersonating bank support teams in account takeover fraud schemes. More than 5,100 complaints were filed with the FBI's Internet Crime Complaint Center, affecting individuals, businesses, and organizations across various sectors. Criminals use social engineering and fraudulent websites to access online bank, payroll, or health savings accounts, then transfer funds to cryptocurrency wallets. The FBI advises using unique passwords, enabling multi-factor authentication, and visiting banking sites via bookmarks to prevent unauthorized access. Victims should contact their financial institution immediately to request fund recalls and file complaints with detailed information at ic3.gov. Attackers often impersonate bank staff or law enforcement via texts, calls, or emails to obtain login credentials, including multi-factor authentication codes. Phishing websites mimic legitimate financial institutions, with some using SEO poisoning to appear in top search results, further complicating detection and prevention.
2025-11-25 17:15:26 | bleepingcomputer | VULNERABILITIES | Tor Network Enhances Security with New Encryption Algorithm CGO
Tor has introduced the Counter Galois Onion (CGO) algorithm to replace the outdated tor1 encryption, improving resilience against traffic-interception attacks and enhancing user anonymity. The Tor network, crucial for privacy-conscious users, relies on onion routing through multiple relays, with each hop adding a layer of encryption to protect data. The previous tor1 algorithm had vulnerabilities, including malleable relay encryption and partial forward secrecy, which could be exploited by adversaries for traffic modification. CGO addresses these issues with modern cryptographic standards, offering tagging resistance, immediate forward secrecy, and longer authentication tags without significant bandwidth impact. The new system is based on the UIV+ construction, verified for security requirements, and aims to ensure robust encryption and authentication for Tor users. Implementation of CGO in the C Tor and Rust-based Arti clients is underway, with users benefiting automatically once fully deployed, although a timeline for default adoption is not yet specified. This upgrade reflects Tor's commitment to maintaining a secure platform for users, including activists, journalists, and others requiring privacy and anonymity online.
2025-11-25 17:02:31 | theregister | CYBERCRIME | Trend Micro Warns of AI-Driven Ransomware Surge in 2026
Trend Micro anticipates a significant rise in AI-aided ransomware in 2026, driven by both state-sponsored and cybercriminal groups leveraging agentic AI technologies. Agentic AI, a step beyond generative AI, allows systems to perform actions autonomously, potentially automating cyberattack processes without human intervention. While state-backed groups are early adopters, the technology's success and scalability could soon attract broader cybercriminal use, simplifying complex attacks. The democratization of AI-powered ransomware-as-a-service (RaaS) is expected to lower the skill barrier for launching sophisticated attacks, expanding the threat landscape. The emergence of agentic AI services may create a new underground market, offering these capabilities to less experienced cybercriminals. Security measures must evolve to protect AI agents from compromise, employing least privilege and access management controls akin to human users. Attackers could exploit AI agents indirectly by manipulating surrounding infrastructure, highlighting the need for robust defenses against subtle, sophisticated threats.
2025-11-25 16:53:28 | thehackernews | DATA BREACH | Online Code Tools Leak Thousands of Sensitive Credentials Globally
Research by watchTowr Labs identified over 80,000 files containing sensitive credentials leaked via JSONFormatter and CodeBeautify, impacting sectors like government, telecoms, and critical infrastructure. The dataset includes usernames, passwords, API keys, and other sensitive information, with five years of historical JSONFormatter data and one year from CodeBeautify. Organizations affected span critical infrastructure, finance, healthcare, and even cybersecurity, revealing widespread reliance on these online tools for code formatting. The tools' functionality allowed saving formatted code as shareable links, which could be easily accessed by bad actors using predictable URL patterns. Examples of leaked data include AWS credentials, Active Directory credentials, and encrypted configuration files from cybersecurity firms, posing significant security risks. JSONFormatter and CodeBeautify have disabled their save functionality, likely in response to the breaches, aiming to improve security measures. The incident underscores the importance of secure handling of sensitive information and the risks of using public online tools for storing credentials.
2025-11-25 14:45:54 | bleepingcomputer | DATA BREACH | Public Code Tools Expose Sensitive Data from Key Sectors
Researchers identified over 80,000 user pastes exposing credentials and sensitive data from sectors like government, banking, and healthcare via JSONFormatter and CodeBeautify platforms. The data, totaling over 5GB, was accessible through the platforms' Recent Links feature, which lacks proper security measures, allowing public access to sensitive information. Exposed data included encrypted credentials, SSL certificate passwords, and sensitive configuration files from major companies and government entities. A technology company inadvertently leaked a cloud infrastructure configuration file, revealing domain names, email addresses, and credentials for various services. A financial exchange's production AWS credentials were found, posing a significant risk if exploited by threat actors. WatchTowr's honeypot experiment confirmed that threat actors are actively scanning these platforms, with fake AWS keys accessed even after link expiration. Despite notifications, many affected organizations have not addressed the vulnerabilities, leaving their data at risk. Organizations are urged to review their data handling practices on public platforms and implement stronger access controls to prevent similar exposures.
2025-11-25 14:22:24 | thehackernews | MALWARE | Fake Windows Updates on Adult Sites Deploy Stealer Malware
A new cyber campaign named JackFix uses fake Windows update pop-ups on adult sites to deploy stealer malware, targeting unsuspecting users with deceptive security update prompts. The campaign employs ClickFix lures, leveraging malvertising to redirect users to fake adult websites, pressuring them into executing malicious commands disguised as critical updates. Attackers utilize HTML and JavaScript to create convincing Windows Update screens, which hijack the victim's screen and prompt them to execute commands that initiate the malware infection. The malware employs obfuscation techniques, using MSHTA and PowerShell scripts to download and execute multiple payloads, including Rhadamanthys, Vidar Stealer 2.0, and RedLine Stealer. These payloads aim to steal sensitive information such as passwords and crypto wallets, with potential for further escalation by introducing additional malware. The campaign's infrastructure involves domain redirection and steganography to conceal payloads, complicating detection and analysis efforts by cybersecurity teams. Organizations are advised to enhance employee awareness and consider disabling the Windows Run box to mitigate the risk of such social engineering attacks.
2025-11-25 14:06:57 | bleepingcomputer | MISCELLANEOUS | Strategic Year-End Cybersecurity Investments to Mitigate Business Risks
As the fiscal year ends, organizations face pressure to allocate remaining cybersecurity budgets effectively to address real risks and support future funding requests. Prioritizing security gaps that pose the highest business risks, such as vulnerabilities in customer-facing systems, is crucial for operational integrity and compliance. Strengthening identity controls, such as implementing robust password policies, can significantly reduce risks associated with weak credentials and excessive access rights. Consolidating overlapping security tools can streamline operations, cut costs, and enhance user experience, while freeing resources for critical incident response and automation. Investing in low-friction continuity controls, like incident response retainers and cloud surge capacity, ensures resilience against DDoS attacks and infrastructure failures during peak periods. Documenting year-end spending decisions can bolster future budget requests by demonstrating measurable security improvements and strategic risk reduction. Organizations are advised to focus on outcome-driven security engagements over unused tools to maximize the impact of their cybersecurity investments.
2025-11-25 13:44:06 | theregister | DATA BREACH | Dartmouth College Data Breach Part of Clop's Oracle EBS Campaign
Dartmouth College reported a data breach involving Clop's exploitation of a zero-day vulnerability in Oracle E-Business Suite, affecting at least 1,494 Maine residents. The breach, occurring between August 9 and August 12, resulted in the theft of names, Social Security Numbers, and financial information. Dartmouth promptly secured its systems, notified law enforcement, and offered one year of credit monitoring to affected individuals. Clop's campaign has targeted widely used enterprise platforms, focusing on data theft rather than encryption, impacting numerous organizations globally. The breach is part of a larger wave affecting nearly 10,000 employees and contractors, including victims like GlobalLogic, Allianz UK, and Cox Enterprises. Oracle users face ongoing threats, with another zero-day vulnerability in Oracle Identity Manager being actively exploited and requiring urgent patching. Dartmouth plans to enhance vendor security oversight and has applied all available Oracle patches, though the full extent of the breach remains uncertain.
2025-11-25 12:02:20 | bleepingcomputer | DATA BREACH | Code-Formatting Tools Leak Sensitive Data from Various Sectors
Researchers found over 80,000 exposed JSON pastes containing sensitive data from sectors like government, banking, and healthcare on JSONFormatter and CodeBeautify platforms. The data breach involves credentials, authentication keys, and configuration data accessible through the platforms' Recent Links feature, lacking adequate protection. Affected organizations include a cybersecurity firm, government entity, financial exchange, and a managed security service provider, exposing critical infrastructure details. WatchTowr researchers used a honeypot strategy, revealing that attackers accessed fake AWS keys even after link expiration, indicating ongoing threat actor activity. Despite notifications, many affected organizations have yet to remediate the exposure, leaving sensitive data vulnerable on these platforms. The incident stresses the importance of secure data handling practices and the risks associated with using online code-formatting tools without proper security measures. Organizations are advised to review their data-sharing practices and implement stricter controls to safeguard sensitive information from unauthorized access.
2025-11-25 11:41:58 | theregister | NATION STATE ACTIVITY | CISA Warns of State-Backed Spyware Targeting Signal and WhatsApp Users
CISA has issued an alert regarding state-sponsored actors and cyber-mercenaries exploiting commercial spyware to infiltrate Signal and WhatsApp accounts of "high-value" individuals. Attackers bypass encryption by using phishing, spoofed apps, malicious QR codes, and zero-click exploits, compromising devices and accessing sensitive communications. Targeted individuals include senior government officials, military personnel, and civil society groups across the US, Middle East, and Europe, highlighting a broad geopolitical focus. Google's Threat Intelligence Group reported Russia-aligned groups exploiting Signal's "linked devices" feature, allowing them to eavesdrop on communications by adding attacker-controlled devices. Palo Alto Networks' Unit 42 identified the delivery of LANDFALL spyware to Samsung devices, exploiting a vulnerability and a zero-click WhatsApp exploit to compromise targets. Campaigns such as ProSpy and ToSpy impersonate popular apps to collect chat data and media files, while Zimperium uncovered ClayRat spyware targeting Russian users via counterfeit channels. The US has responded by barring NSO Group from targeting WhatsApp users and banning the app from House staff devices, reflecting increased scrutiny of commercial spyware vendors. These incidents demonstrate the evolving threat landscape, where attackers focus on exploiting app features and device vulnerabilities rather than breaking encryption directly.
2025-11-25 11:41:57 | thehackernews | NATION STATE ACTIVITY | ToddyCat APT Group Expands Arsenal for Email and Token Theft
ToddyCat, active since 2020, targets organizations in Europe and Asia, employing new tools to access corporate email data and Microsoft 365 tokens. The group uses TCSectorCopy to extract Outlook OST files, bypassing application restrictions by copying files sector by sector. A new PowerShell variant of TomBerBil targets domain controllers, extracting browser data over SMB, and decrypts data using captured encryption keys. ToddyCat exploits OAuth 2.0 tokens via user browsers, enabling access to corporate email beyond compromised networks. The group faced a setback when security software blocked SharpTokenFinder, prompting the use of ProcDump to bypass restrictions and dump Outlook memory. ToddyCat's evolving tactics highlight the persistent threat posed by advanced persistent threat (APT) groups targeting sensitive corporate communications. Organizations are advised to strengthen defenses against such sophisticated attacks, focusing on endpoint security and monitoring for unusual network activities.
2025-11-25 11:31:56 | thehackernews | MALWARE | Blender 3D Assets Exploited to Deploy StealC V2 Malware
Cybersecurity researchers identified a campaign using Blender Foundation files to distribute the StealC V2 information stealer, active for over six months. Attackers embed malicious Python scripts in .blend files on platforms like CGTrader, executing upon file opening when the Auto Run feature is enabled. The campaign shares tactical similarities with previous attacks linked to Russian-speaking threat actors, targeting online gaming communities. The malicious files download a PowerShell script to deploy StealC V2 and a secondary Python-based stealer, compromising host systems. StealC V2 is capable of extracting data from 23 browsers, 100 web plugins, cryptocurrency wallets, messaging services, and more. Blender's documentation warns of the security risks associated with Auto Run, advising users to disable it unless the file source is trusted. The attack leverages Blender's capability to run on physical machines with GPUs, evading sandbox and virtual environment defenses.