Daily Brief


Total articles found: 11804

Checks for new stories every ~15 minutes

2025-08-18 16:47:44 bleepingcomputer CYBERCRIME UK Hacker Sentenced for Compromising Thousands of Websites
Al-Tahery Al-Mashriky, a 26-year-old from Rotherham, UK, received a 20-month prison sentence for hacking activities affecting thousands of websites globally. Arrested in 2022, Al-Mashriky was charged with stealing login details of millions of Facebook users and hacking sites in Yemen, Israel, the U.S., and Canada. He pleaded guilty to nine offenses under the Computer Misuse Act, avoiding a trial originally scheduled for March. Al-Mashriky was linked to extremist groups, using his hacks to deface sites with political and religious messages, causing significant operational disruptions. The National Cyber Crime Unit emphasized the potential for widespread fraud due to the stolen personal data. This case highlights the ongoing threat posed by individual hackers with ideological motivations, impacting both public and private sectors. Collaboration between U.S. and UK law enforcement was crucial in apprehending and prosecuting Al-Mashriky.
2025-08-18 16:06:57 theregister DATA BREACH Nuance Settles $8.5M Lawsuit Over MOVEit Data Breach Incident
Microsoft-owned Nuance agreed to an $8.5 million settlement to resolve a class action lawsuit related to the MOVEit Transfer data breach, affecting over 1.225 million individuals. The breach, part of the Clop ransomware gang's mass exploitation of MOVEit, compromised sensitive data, raising significant concerns given Nuance's role in the healthcare sector. Plaintiffs alleged negligence, claiming Nuance failed to secure data properly and that Progress Software did not adequately inform users about MOVEit's security requirements. Nuance denied liability, arguing it acted swiftly by taking its MOVEit system offline, applying necessary patches, and conducting an internal investigation. Despite denying fault, Nuance chose to settle to avoid prolonged litigation, offering affected individuals financial compensation and credit-monitoring services. The settlement is relatively modest compared to other MOVEit-related cases, reflecting the ongoing legal complexities surrounding supply chain cybersecurity breaches. This case underscores the heightened scrutiny on healthcare data breaches and the legal challenges organizations face in securing third-party software.
2025-08-18 16:06:56 thehackernews MALWARE PipeMagic Malware Exploits Windows Vulnerability in RansomExx Attacks
Cybersecurity researchers revealed the exploitation of a patched Windows vulnerability, CVE-2025-29824, to deploy PipeMagic malware in RansomExx ransomware attacks. The vulnerability affects the Windows Common Log File System (CLFS) and was patched by Microsoft in April 2025. PipeMagic acts as a backdoor, providing remote access and command execution capabilities, targeting industrial firms in Southeast Asia, Saudi Arabia, and Brazil. The malware leverages a fake OpenAI ChatGPT app as bait, using DLL hijacking techniques to mimic legitimate software. PipeMagic's modular design includes a loader that unpacks and executes encrypted shellcode, with components hosted on Microsoft Azure. Recent attacks show advancements in malware functionality, improving persistence and lateral movement within networks. The use of renamed ProcDump tools to extract memory from the LSASS process indicates sophisticated tactics for data extraction.
2025-08-18 16:06:56 bleepingcomputer VULNERABILITIES Over 800 N-able Servers at Risk from Critical Security Flaws
Over 800 N-able N-central servers remain unpatched, exposing them to critical vulnerabilities CVE-2025-8875 and CVE-2025-8876, which are actively being exploited. These flaws allow authenticated attackers to execute commands on unpatched devices due to improper input sanitization and insecure deserialization. N-able has released patches in version 2025.3.1 and urges immediate updates to prevent further exploitation, especially in on-premises environments. Shadowserver Foundation reports 880 vulnerable servers, predominantly in the U.S., Canada, and the Netherlands, highlighting the widespread nature of the threat. CISA has added these vulnerabilities to its Known Exploited Vulnerabilities Catalog, requiring U.S. federal agencies to patch their systems by August 20. Non-government organizations are strongly advised to secure their systems as well, as these vulnerabilities are common targets for cyberattacks. The situation emphasizes the critical need for timely patch management and adherence to security advisories to mitigate risks.
2025-08-18 14:37:51 theregister CYBERCRIME Workday Faces CRM Breach; Core Systems Remain Secure
Workday disclosed a breach involving a third-party CRM platform, accessed through social engineering tactics, but confirmed its core systems and customer data remain unaffected. Attackers obtained business contact information, including names, emails, and phone numbers, which could facilitate future phishing or vishing attacks. Workday acted swiftly to cut off the unauthorized access and implemented additional security measures, although specific details on these measures were not disclosed. The breach has been linked to the ShinyHunters group, known for social engineering attacks and selling stolen data on underground forums. Workday has notified affected customers and partners, advising them to bolster defenses against potential phishing campaigns. The incident is part of a broader pattern of collaboration among cybercrime groups, including ShinyHunters, Scattered Spider, and Lapsus$, which exchange tactics and possibly targets. The breach was discovered on August 6, with Workday alerting impacted parties, though the exact number of affected customers remains unspecified.
2025-08-18 12:49:16 thehackernews MALWARE PhantomCard Trojan Exploits NFC for Fraudulent Banking Transactions
A new Android malware, PhantomCard, is exploiting NFC technology to conduct relay attacks, primarily targeting banking customers in Brazil. Victims are deceived into installing malicious apps that misuse NFC to capture credit and debit card data during a fake verification process. Stolen card information is transmitted to attackers' NFC relay servers, enabling fraudulent transactions via contactless payment systems. The compromised card details are further used by money mules to purchase physical goods using platforms like Apple Pay and Google Pay. This attack vector showcases the evolving tactics of cybercriminals leveraging everyday technologies for sophisticated financial fraud. Organizations should enhance mobile app security and educate users on the risks of installing unverified applications to prevent such threats. This incident emphasizes the need for robust NFC security protocols and user awareness to mitigate potential financial losses.
2025-08-18 11:00:12 thehackernews VULNERABILITIES Malicious Packages Exploit Dependency Chains in Supply Chain Attacks
Cybersecurity researchers identified malicious packages in the PyPI and npm repositories that abuse dependency relationships to establish persistence and execute remote code, affecting both the Python and JavaScript ecosystems. The PyPI package "termncolor" and its dependency "colorinal" were downloaded hundreds of times before removal, utilizing DLL side-loading for persistence and C2 communication via Zulip. The npm ecosystem faced similar threats, with packages designed to harvest sensitive data such as iCloud Keychain contents and cryptocurrency wallets, employing tactics such as job assessment scams. Threat actors leveraged legitimate services like Dropbox for data exfiltration, targeting developers with malicious code disguised as proof-of-concept exploits and kernel patches. Automated dependency management tools, such as Dependabot, inadvertently amplified the risk by merging updates without scrutiny, as seen in the eslint-config-prettier compromise. The incidents underscore the critical need for vigilant monitoring of open-source ecosystems and careful management of automated dependency updates to mitigate supply chain risks. Organizations are advised to enhance their supply chain security measures, including rigorous validation of dependencies and cautious use of automated tools.
2025-08-18 10:49:57 theregister VULNERABILITIES New Tool Exposes Critical Flaws in 5G Network Security
Researchers from the Singapore University of Technology and Design introduced Sni5Gect, a tool exploiting vulnerabilities in 5G networks, at the 34th USENIX security conference. Sni5Gect can sniff 5G traffic and perform connection downgrade attacks without rogue base stations, targeting the handshake phase between devices and networks. The tool exploits unencrypted messaging during pre-authentication, enabling attackers to inject messages and perform surveillance with high accuracy. Testing demonstrated over 80% accuracy in traffic sniffing and 70-90% success in packet injection, including downgrading connections from 5G to 4G. The GSMA has acknowledged the discovery, assigning it CVD-2024-0096, and is working on addressing these vulnerabilities within the 5G standard. Some advanced exploits remain undisclosed to prevent misuse, available only to verified institutions for research purposes. The Sni5Gect framework is open-source under the GNU Affero General Public Licence 3, with usage restricted to research and educational purposes.
2025-08-18 10:19:32 thehackernews MISCELLANEOUS Wazuh Platform Enhances Regulatory Compliance and Security Posture
Wazuh, an open-source security platform, integrates XDR and SIEM capabilities to aid organizations in meeting regulatory compliance standards across various sectors, including healthcare, finance, and government contracting. The platform offers out-of-the-box modules and dashboards for compliance with PCI DSS, GDPR, HIPAA, and other frameworks, providing real-time visibility into compliance status and alert management. Wazuh's File Integrity Monitoring and log analysis modules enable organizations to detect and manage sensitive information, enhancing their overall security posture and compliance efforts. The Active Response module automates incident responses, allowing custom scripts to address specific threats, such as disabling user accounts after multiple failed login attempts. Compliance events are visualized through dedicated dashboards, offering insights into alert timelines, agent-specific alerts, and compliance requirement classifications for targeted auditing and monitoring. Regular updates to regulatory compliance documentation within Wazuh ensure that organizations stay informed of the latest standards, aiding compliance specialists and auditors in maintaining adherence. By centralizing threat detection and compliance monitoring, Wazuh supports organizations in protecting sensitive data and meeting evolving regulatory requirements efficiently.
2025-08-18 10:04:30 theregister DATA BREACH OpenAI Faces Scrutiny Over Data Retention and Privacy Concerns
OpenAI users found their queries unexpectedly appearing in Google searches, raising significant privacy concerns about data retention and visibility. OpenAI had previously allowed users to make chats discoverable, potentially exposing sensitive information to public searches. A federal court order mandates OpenAI to retain all user interactions, including those marked as deleted, due to an ongoing copyright lawsuit. OpenAI has removed the option to make chats publicly searchable and is working to de-index existing content from search engines. The incident emphasizes the need for users to understand data-sharing implications and the permanence of digital interactions. Similar concerns extend to other AI platforms like Google's Gemini and Anthropic's Claude, which retain conversation data for personalization and analytics. The situation highlights the broader risks of AI data retention policies, especially regarding sensitive and potentially damaging information.
2025-08-18 07:58:58 bleepingcomputer DATA BREACH Workday Reports Data Breach via Compromised CRM Platform
Workday disclosed a data breach following a social engineering attack on a third-party CRM platform, affecting business contact information but not customer tenants. The breach exposed names, email addresses, and phone numbers, potentially aiding further social engineering scams targeting affected organizations. The incident was discovered on August 6, and Workday has notified potentially impacted customers, emphasizing no access to customer tenant data occurred. Attackers impersonated HR or IT staff to trick employees into revealing sensitive information, using text and phone communications. The breach is linked to a broader campaign by the ShinyHunters group, known for targeting Salesforce CRM instances through social engineering and voice phishing. Other high-profile companies, including Google and Louis Vuitton, have also been targeted in this wave of attacks, which began earlier this year. The attackers use malicious OAuth apps to access and steal company databases, subsequently demanding extortion payments from victims.
2025-08-18 06:41:02 theregister MALWARE Infostealing Malware Targets Russian Crypto Developers via NPM Packages
Researchers at Safety identified malicious npm packages targeting Russian cryptocurrency developers, potentially linked to state-sponsored ransomware groups. The malware, disguised as legitimate Solana SDK components, aims to steal cryptocurrency tokens and sensitive data from developers. The threat actor, operating under the name "cryptohan," abuses the trusted status of the npm Registry to distribute the infostealers. Data extracted by the malware is sent to command and control servers with IP addresses associated with the USA. Victims appear to be primarily located in Russia, raising suspicions of geopolitical motivations behind the attack. The incident underscores the need for developers to secure their software supply chains against such threats. Safety offers assistance to developers in sanitizing their software ecosystems to prevent further exploitation.
2025-08-17 23:07:23 theregister CYBERCRIME New York State Sues Zelle Over Rampant Payment Fraud Allegations
The New York Attorney General filed a lawsuit against Zelle's operator, Early Warning Services, accusing it of enabling widespread fraud affecting users between 2017 and 2023. Zelle, a peer-to-peer payment service, reportedly lacked critical security features, allowing scammers to exploit the platform and steal over $1 billion. The lawsuit claims Zelle's design flaws included inadequate verification steps, facilitating the creation of fraudulent accounts that mimicked legitimate brands. Victims of fraud on Zelle faced significant challenges in recovering stolen funds due to the platform's rapid payment processing and lack of effective restitution mechanisms. Despite developing safeguards, Zelle allegedly failed to implement them, resulting in continued exploitation by fraudsters. The lawsuit seeks monetary restitution for New York residents affected by the fraud, stressing the need for stronger security measures in financial platforms.
2025-08-17 14:45:21 bleepingcomputer CYBERCRIME U.S. DoJ Seizes $2.8 Million from Zeppelin Ransomware Operator
The U.S. Department of Justice seized over $2.8 million in cryptocurrency from Ianis Aleksandrovich Antropenko, linked to the Zeppelin ransomware operation. Antropenko, indicted for computer fraud and money laundering, targeted global entities, including U.S. businesses, with Zeppelin ransomware from 2019 to 2022. Alongside the digital assets, authorities confiscated $70,000 in cash and a luxury vehicle, showcasing the financial scale of the operation. Zeppelin ransomware, a VegaLocker/Buran variant, exploited MSP software flaws, particularly affecting the healthcare and IT sectors. Antropenko attempted to launder ransom proceeds through services like ChipMixer and crypto-to-cash exchanges, complicating tracking efforts. Although Zeppelin has been defunct since 2022, security researchers have had decryption keys since early 2020, aiding victims in data recovery. Recent seizures, including from the BlackSuit and Chaos ransomware operations, highlight ongoing efforts to disrupt the financial gains from cybercrime.
2025-08-16 16:25:18 theregister MISCELLANEOUS Concerns Rise Over Election Security Amid Federal Support Cuts
Election officials express rising concerns over threats and intimidation, fearing reduced federal support as the 2026 election approaches, potentially impacting both physical and digital security measures. Bill Gates, an Arizona election official, recounts past threats and harassment, emphasizing the importance of federal support from agencies like CISA in maintaining election security. The Brennan Center survey reveals 61% of election officials are worried about CISA budget cuts affecting election security, with 80% advocating for sustained federal support. Natalie Adona, a California election official, highlights the critical role CISA played in providing low-cost tools and support, which is now uncertain due to staffing and budget reductions. Tina Barton, a senior election expert, stresses the importance of collaborative planning and information sharing, which is jeopardized by the shutdown of key security centers like EI-ISAC. The potential lack of federal resources raises concerns about local election offices' ability to combat cyber threats from state actors, as smaller communities face challenges in defending against sophisticated attacks. Organizations like The Elections Group are stepping in to bridge the gap, aiming to ensure democracy is protected from misinformation and malicious activities in the upcoming election cycle.