Daily Brief
Total articles found: 12681
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-10-13 14:12:14 | bleepingcomputer | MALWARE | Varonis Launches AI-Powered Email Security to Combat Advanced Phishing | Varonis has introduced Interceptor, an AI-native email security solution designed to tackle sophisticated phishing and social engineering threats that evade traditional security measures. Interceptor employs a multimodal AI strategy, integrating visual, linguistic, and behavioral analysis to detect and block AI-generated threats with high accuracy. The solution outperforms existing security tools by addressing limitations in natural language processing and incorporating comprehensive threat detection capabilities. Interceptor's phishing sandbox proactively scans new domains and URLs, blocking malicious content 12-24 hours before other market solutions. The platform extends protection beyond email, offering browser security to shield users from phishing sites across various digital channels. By integrating with the Varonis Data Security Platform, Interceptor enhances end-to-end security, enabling early detection and mitigation of data breach attempts. Organizations benefit from reduced false positives and negatives, improving operational efficiency and enhancing user trust in email communications. |
| 2025-10-13 13:45:06 | theregister | DATA BREACH | Austrian Ruling Finds Microsoft Illegally Tracked Students via 365 Education | Austria's Data Protection Authority ruled that Microsoft illegally tracked students using its 365 Education platform, violating GDPR by failing to provide complete data access information. The ruling arose from a complaint during the pandemic, when schools rapidly adopted online learning solutions, spotlighting Microsoft's data handling practices. Microsoft attempted to shift GDPR compliance responsibility to schools and local authorities, which lacked control over student data processing. The authority mandated Microsoft to clarify data usage, including terms like "internal reporting" and "business modelling," and disclose any third-party data transfers. The decision challenges Microsoft's claim that its Irish subsidiary should handle GDPR jurisdiction, asserting instead that Microsoft US is responsible. Microsoft has stated its commitment to GDPR compliance and plans to review the ruling to determine further actions. This case underscores the ongoing tension between tech giants and European data privacy regulations, with potential implications for Microsoft's operations across Europe. |
| 2025-10-13 13:26:30 | thehackernews | VULNERABILITIES | Oracle E-Business Suite Zero-Day Exploitation Affects Multiple Organizations | A zero-day vulnerability in Oracle's E-Business Suite (CVE-2025-61882) has been actively exploited since August 9, 2025, impacting numerous organizations globally. The exploitation involves multiple vulnerabilities, with attack chains deploying malware such as GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE, suggesting sophisticated threat actor involvement. Google Threat Intelligence Group and Mandiant linked the activity to tactics associated with the Cl0p ransomware group, indicating potential data exfiltration risks. Oracle has issued updates to address another critical vulnerability (CVE-2025-61884) in the same product, though its active exploitation status remains unconfirmed. The rapid exploitation of these vulnerabilities underscores the critical need for timely patch management and proactive security measures. Organizations are advised to prioritize patching Oracle EBS vulnerabilities and review security protocols to prevent unauthorized access and data breaches. This incident illustrates the evolving threat landscape, where attackers increasingly leverage complex vulnerabilities to infiltrate and compromise systems. |
| 2025-10-13 12:28:44 | theregister | NATION STATE ACTIVITY | China Investigates Qualcomm's Autotalks Deal Amid US Trade Tensions | China's State Administration for Market Regulation (SAMR) has initiated an inquiry into Qualcomm's acquisition of Israeli firm Autotalks, citing potential anti-competitive effects. The investigation is part of a broader context of escalating tech trade tensions between the US and China, with recent moves affecting rare earth metal exports. Qualcomm's acquisition of Autotalks, focused on vehicle-to-everything communications, was previously abandoned due to regulatory concerns but resumed this summer. SAMR's probe questions whether Qualcomm failed to notify the regulator of crucial details, potentially leading to more stringent regulatory actions. The investigation coincides with US threats of increased tariffs on Chinese imports, further straining international trade relations. China's strategic use of rare earths in trade negotiations underscores its leverage in the ongoing tech rivalry with the US. Previous actions by SAMR include scrutiny of Nvidia's compliance with competition rules, reflecting China's assertive regulatory stance on foreign tech acquisitions. |
| 2025-10-13 11:52:25 | thehackernews | VULNERABILITIES | Unmonitored JavaScript Poses Significant Holiday Security Threats | The upcoming 2025 holiday season faces risks from unmonitored JavaScript, which can bypass traditional security measures like WAFs and intrusion detection systems. The 2024 attacks on Polyfill.io and Cisco Magecart exploited third-party code vulnerabilities, affecting over 500,000 websites and targeting holiday shoppers. Client-side vulnerabilities, such as e-skimming and shadow scripts, operate within users' browsers, making detection difficult without specialized monitoring tools. Increased transaction volumes and code freeze periods during holidays elevate the risk, with 5% of Cyber Monday 2024 requests flagged as potential attacks. Effective client-side security requires deploying Content Security Policies, Subresource Integrity tags, and real-time monitoring tools to detect malicious JavaScript activity. Organizations need to develop specific incident response procedures for client-side threats, ensuring rapid action during high-traffic periods. Transitioning to comprehensive client-side security strategies is critical for protecting customer data and establishing a resilient security posture beyond the holiday season. |
| 2025-10-13 11:19:59 | theregister | DATA BREACH | Ofcom Fines 4chan for Non-Compliance with Online Safety Act | Ofcom fined 4chan £20,000 for failing to protect children from harmful content, marking the first penalty under the UK's Online Safety Act. Additional fines of up to £6,000 may accrue if 4chan does not submit required risk assessments and revenue information to Ofcom. The Online Safety Act mandates platforms to remove illegal content and protect users, with penalties reaching £18 million or 10% of global revenue. Ofcom has initiated 21 investigations since March 2025, targeting platforms failing to comply with content safety regulations. Some platforms, like Krakenfiles and Nippydrive, avoided penalties by geo-blocking UK users, reducing exposure to harmful content. Ofcom's enforcement includes promoting hash-matching technology to prevent the spread of illegal content, with some platforms already adopting these measures. The UK government maintains a stance against banning VPNs, despite their use in bypassing geo-blocks, focusing on platforms that promote such workarounds. |
| 2025-10-13 11:19:59 | bleepingcomputer | DATA BREACH | Harvard Data Breach Tied to Oracle Zero-Day Exploit by Clop Gang | Harvard University is investigating a data breach linked to a zero-day vulnerability in Oracle's E-Business Suite, exploited by the Clop ransomware group. The breach affects a limited number of parties within a small administrative unit, according to Harvard's IT department. Oracle's zero-day flaw, tracked as CVE-2025-61882, has been patched following its exploitation in these attacks. Clop has threatened to release Harvard's data publicly unless a ransom is paid, continuing its pattern of extortion tactics. Mandiant and Google have identified a broader extortion campaign targeting Oracle E-Business Suite customers. The incident highlights the ongoing risk of zero-day vulnerabilities and the importance of timely patch management. Organizations using Oracle's software are advised to apply the latest security updates and monitor for suspicious activity. |
| 2025-10-13 11:04:42 | theregister | NATION STATE ACTIVITY | Dutch Government Restricts Nexperia Over Security Concerns with China | The Dutch government imposed special administrative measures on Nexperia, a Chinese-owned semiconductor firm, citing governance failures that threaten European technological security. The Ministry of Economic Affairs invoked the Goods Availability Act to prevent potential transfer of sensitive chip technology to Nexperia's Chinese parent company, Wingtech Technology. Under these measures, Nexperia's corporate decisions can be blocked or reversed if they harm Dutch operations or critical supply chains. Wingtech criticized the Dutch intervention as politically motivated and claimed it freezes Nexperia's global operations for a year. This action is part of broader Western efforts to limit Chinese access to strategic semiconductor assets amid rising technological competition. Nexperia previously faced scrutiny in the UK, resulting in the forced sale of Newport Wafer Fab following a national security review. The situation reflects ongoing geopolitical tensions affecting the global semiconductor industry, with significant implications for supply chain security. |
| 2025-10-13 10:19:51 | thehackernews | MALWARE | RondoDox Botnet Exploits Over 50 Vulnerabilities Across Global Vendors | The RondoDox botnet is actively exploiting more than 50 vulnerabilities across over 30 vendors, targeting internet-exposed infrastructure such as routers, DVRs, and CCTV systems. Trend Micro detected a RondoDox intrusion attempt in June 2025, exploiting a known flaw in TP-Link Archer routers, highlighting the ongoing risk from previously disclosed vulnerabilities. RondoDox has evolved to use a "loader-as-a-service" model, distributed alongside Mirai/Morte payloads, complicating detection and increasing the urgency for remediation. The botnet's arsenal includes nearly five dozen security flaws, 18 of which lack CVE identifiers, affecting vendors like D-Link, NETGEAR, Cisco, and Apache. The campaign signifies a shift from single-device attacks to a multivector loader operation, indicating a sophisticated evolution in automated network exploitation. Recent findings indicate the AISURU botnet, built on Mirai, is leveraging compromised IoT devices in the U.S. for large-scale DDoS attacks, involving 300,000 hosts globally. Security efforts must focus on patching vulnerabilities, strengthening credentials, and monitoring for unsanitized inputs to mitigate the growing threat from such botnets. |
| 2025-10-13 09:54:48 | thehackernews | VULNERABILITIES | Microsoft Tightens Edge IE Mode After Exploitation Reports Surface | Microsoft revamped the Internet Explorer mode in Edge following reports that threat actors exploited it to access user devices without authorization. Attackers used social engineering and zero-day exploits in IE's JavaScript engine, Chakra, to gain remote code execution on victim devices. The exploitation involved tricking users into reloading pages in IE mode, bypassing modern security measures in Chromium and Edge. Once inside, attackers could perform post-exploitation activities, including malware deployment and data exfiltration. Microsoft has removed easy access to IE mode by eliminating related toolbar and menu options, enhancing security. Users must now enable IE mode manually, adding a layer of protection against potential attacks. This incident underscores the ongoing challenge of balancing legacy support with modern security needs. |
| 2025-10-13 06:52:20 | thehackernews | MALWARE | Astaroth Trojan Exploits GitHub for Resilient Operations in Latin America | The Astaroth banking trojan employs GitHub to maintain operations despite infrastructure takedowns, complicating efforts to neutralize its impact. The malware primarily targets Brazil, with additional focus on several Latin American countries, including Mexico and Argentina. Attackers initiate the infection chain through DocuSign-themed phishing emails, leading to the download of malicious files. Astaroth uses obfuscated JavaScript and AutoIt scripts to install and execute its payload, which includes keylogging capabilities. The trojan monitors browser activities, capturing credentials from banking and cryptocurrency sites, and transmits data via Ngrok. Astaroth incorporates anti-analysis features, shutting down if detection tools are present, and ensures persistence through Windows Startup folder modifications. GitHub-hosted configurations use steganography for resilience, prompting collaboration with Microsoft to remove malicious repositories. The use of legitimate platforms like GitHub for malicious purposes presents ongoing challenges in cybersecurity defense strategies. |
| 2025-10-13 05:17:23 | thehackernews | MALWARE | New Rust-Based ChaosBot Malware Exploits Discord for Command Control | eSentire researchers uncovered ChaosBot, a Rust-based backdoor malware, leveraging Discord channels for command-and-control, impacting financial services by executing arbitrary commands on compromised systems. Threat actors used compromised Cisco VPN and Active Directory credentials to deploy ChaosBot via WMI, facilitating remote command execution across networks. ChaosBot uses phishing emails with malicious LNK files, executing PowerShell commands to download malware, while displaying a decoy PDF from the State Bank of Vietnam. The malware sideloads a malicious DLL through Microsoft Edge's "identity_helper.exe," performing system reconnaissance and deploying a fast reverse proxy for persistent network access. ChaosBot employs evasion techniques, such as patching ntdll!EtwEventWrite and checking MAC addresses, to bypass Windows Event Tracing and avoid virtual machine environments. Fortinet reports a new Chaos ransomware variant in C++, introducing destructive file deletion and clipboard hijacking to redirect cryptocurrency transfers, marking a shift towards aggressive financial gain tactics. The Chaos-C++ ransomware masquerades as utilities like System Optimizer v2.1, using a combination of encryption methods to ensure robust execution and maximize impact. |
| 2025-10-12 17:27:31 | thehackernews | VULNERABILITIES | Oracle E-Business Suite Flaw Risks Unauthorized Data Access | Oracle has issued a security alert for a vulnerability in its E-Business Suite, tracked as CVE-2025-61884, which could allow unauthorized access to sensitive data. The flaw, with a CVSS score of 7.5, affects versions 12.2.3 through 12.2.14 and can be exploited remotely without authentication via HTTP. Successful exploitation may result in unauthorized access to critical data, posing significant risks to affected organizations. Oracle urges immediate application of the available update to mitigate potential exploitation, though no active exploitation has been reported. This vulnerability follows recent disclosures of zero-day exploits in Oracle's E-Business Suite impacting numerous organizations. The flaw could be leveraged by attackers, potentially linked to the Cl0p ransomware group, to deploy malware such as GOLDVEIN.JAVA and SAGEGIFT. Organizations using Oracle E-Business Suite should prioritize patching to protect sensitive resources and prevent potential data breaches. |
| 2025-10-12 14:25:12 | bleepingcomputer | CYBERCRIME | New York Residents Targeted by Fake Inflation Refund Text Scam | A smishing campaign is impersonating New York's Department of Taxation and Finance, falsely offering "Inflation Refunds" to steal personal and financial data from residents. The legitimate Inflation Refund initiative automatically sends checks to eligible New Yorkers, requiring no application or personal information submission. Scammers send texts urging recipients to click a link, leading to a fake website that requests sensitive information, potentially resulting in identity theft and financial fraud. Governor Kathy Hochul's office has issued a warning, emphasizing that the Tax Department and IRS do not solicit personal information via text or email. The New York Department of Taxation and Finance advises residents to be cautious of unsolicited communications and report any suspicious messages to authorities. Residents are encouraged to avoid clicking on links from unexpected messages and to report scams to the Tax Department or IRS to mitigate risks. This incident serves as a reminder of the importance of public awareness and vigilance against phishing and smishing attacks. |
| 2025-10-11 14:20:20 | bleepingcomputer | CYBERCRIME | Spanish Authorities Dismantle GXC Team Cybercrime Syndicate | The Spanish Guardia Civil dismantled the GXC Team, a cybercrime group, arresting its leader, a 25-year-old Brazilian known as "GoogleXcoder." The GXC Team operated a crime-as-a-service platform, offering AI-powered phishing kits, Android malware, and voice-scam tools via Telegram and hacker forums. Targeting banks, transport, and e-commerce sectors in Spain, Slovakia, the UK, the US, and Brazil, the group replicated websites of numerous institutions for phishing. The group developed nine Android malware strains to intercept SMS and one-time passwords, aiding in account hijacking and fraudulent transactions. Coordinated police raids across multiple Spanish cities led to the seizure of electronic devices, phishing kit source code, and stolen cryptocurrency. Authorities shut down Telegram channels used for scam promotion, including one provocatively named "Steal everything from grandmothers." Forensic analysis of seized devices and cryptocurrency transactions enabled the identification of six individuals linked to the criminal network. The investigation is ongoing, with potential for further arrests as Spanish authorities continue to dismantle the cybercrime ring. |