Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11806
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-08-15 10:28:27 | theregister | CYBERCRIME | Colt Technology Services Faces Cyber Incident, Disrupts Key Systems | Colt Technology Services experienced a cyber incident impacting its customer portal and Voice API platform, leading to a temporary shutdown of these services as a protective measure. The attack targeted internal systems, reportedly separate from customer-supporting infrastructure, with no evidence of unauthorized access to customer or employee data. In response, Colt proactively took systems offline and notified authorities, while engaging third-party cybersecurity experts to assist in restoration efforts. The disruption began on August 12, with services like Colt Online remaining unavailable, prompting customers to seek support through alternative communication channels. Technical investigations suggest potential cybercriminal activity, with Shodan scans revealing interactions with Colt's SharePoint servers, which were subsequently secured with enhanced firewall protections. The incident underscores the importance of robust cybersecurity measures, especially for multinational firms with extensive global operations and customer bases. As restoration efforts continue, Colt emphasizes customer patience and commitment to resolving the issue swiftly, while maintaining transparency through regular status updates. | Details |
| 2025-08-15 08:52:05 | bleepingcomputer | CYBERCRIME | U.S. Sanctions Grinex Crypto-Exchange for Links to Cybercrime | The U.S. Department of the Treasury has sanctioned Grinex, a successor to the Russian crypto-exchange Garantex, for facilitating money laundering for ransomware groups. Grinex was promoted on Telegram channels associated with Garantex after U.S. authorities seized Garantex's domains for processing $100 million in illicit transactions. Two Garantex administrators were charged, with one arrested in India, as part of the ongoing crackdown on cybercriminal networks. Garantex had ties to major cybercrime groups, including Hydra, Conti RaaS, and several ransomware gangs such as LockBit and Ryuk. Grinex's creation was reportedly a direct response to sanctions and asset freezes impacting Garantex, continuing its operations under a new name. The Treasury's Office of Foreign Assets Control renewed sanctions against Garantex and its associates, including six partner companies in Russia and Kyrgyzstan. The Department of State announced a $6 million reward for information leading to the arrests or convictions of Garantex executives, emphasizing the threat to national security. Grinex has processed billions in cryptocurrency transactions, raising concerns about the integrity of virtual asset service providers. | Details |
| 2025-08-15 08:36:37 | theregister | VULNERABILITIES | AI Chatbots Pose Privacy Risks Through System Prompt Engineering | Researchers from King's College London have demonstrated that AI chatbots can be manipulated to harvest personal data by using system prompt engineering techniques. The study involved 502 participants and utilized popular large language models, revealing that manipulated chatbots elicited significantly more personal information than their benign counterparts. Models such as Meta's Llama and Mistral's Mistral were used without retraining, showing that simple prompt adjustments can bypass existing privacy guardrails. The research warns of the ease with which individuals with minimal technical skills can deploy malicious AI chatbots, raising concerns that privacy invasion is being democratized. OpenAI's GPT Store is identified as a potential platform for abuse, where custom GPTs can be pre-prompted to collect data under the guise of investigative roles. Participants were most likely to disclose basic personal details, with some sharing sensitive information, indicating a gap in user awareness of privacy risks. The study suggests the need for enhanced protective mechanisms and regulatory measures to mitigate privacy threats posed by AI chatbots. The findings were presented at the 34th USENIX Security Symposium, emphasizing the importance of transparency and early audits by platform providers. | Details |
| 2025-08-15 06:55:57 | thehackernews | VULNERABILITIES | Cisco Patches Critical RADIUS Flaw Allowing Remote Code Execution | Cisco has addressed a critical vulnerability in its Secure Firewall Management Center (FMC) Software, identified as CVE-2025-20265, with a maximum CVSS score of 10.0. The flaw permits unauthenticated remote attackers to execute arbitrary shell commands due to improper input handling during the RADIUS authentication phase. Affected versions include Cisco Secure FMC Software releases 7.0.7 and 7.7.0, specifically when RADIUS authentication is enabled for web-based or SSH management interfaces. The vulnerability requires immediate patching, as no workarounds exist, to prevent potential exploitation that could lead to high-privilege command execution. Discovered by Brandon Sakai during internal testing, the flaw has not yet been exploited in the wild, but swift action is advised due to the high-risk nature of network appliance vulnerabilities. Cisco's advisory emphasizes the importance of updating to the latest software version to mitigate this and other high-severity vulnerabilities. | Details |
| 2025-08-15 06:50:17 | theregister | MISCELLANEOUS | UK Government Faces Debate Over £9 Billion Microsoft Spending | The UK government plans to allocate £9 billion over five years on Microsoft products, sparking a debate on fiscal responsibility and potential open-source alternatives. The Strategic Partnership Arrangement 2024 aims to deliver enhanced value through Microsoft's product portfolio, yet critics question the cost-effectiveness compared to free and open-source software (FOSS). Microsoft's financial performance remains robust, with recent quarterly revenue increasing by 18% to $76.4 billion and maintaining high net margins, raising concerns about negotiation leverage. Comparisons reveal the spending commitment rivals significant public sector expenditures, such as school building programs and winter fuel allowance adjustments, highlighting the scale of investment. Advocates for FOSS suggest potential savings and flexibility, while others argue for maintaining Microsoft's established infrastructure to ensure continuity and reliability in public services. The discussion reflects broader considerations of technology procurement strategies, balancing innovation, cost, and operational efficiency in government IT investments. | Details |
| 2025-08-14 22:42:42 | theregister | CYBERCRIME | Ransomware Gangs Employ Advanced Tactics to Bypass Endpoint Security | At least a dozen ransomware groups now use kernel-level EDR killers, bypassing major endpoint security tools to escalate privileges and encrypt data, prompting ransom demands. Crypto24, a new ransomware variant, has targeted nearly two dozen companies across the US, Europe, and Asia since April, affecting sectors like financial services and technology. These attacks utilize a customized version of RealBlindingEDR, disabling endpoint detection by targeting kernel-level hooks from 28 security vendors, including Sophos and Kaspersky. Sophos researchers identified that multiple ransomware families, such as Blacksuit and Medusa, employ updated EDRKillShifter tools to disable endpoint defenses before launching attacks. RansomHub's EDR killer leverages a "Bring Your Own Vulnerable Driver" method, exploiting signed but vulnerable drivers to gain kernel-level access and disable security functions. The ability to move laterally across cloud-connected networks after disabling endpoint defenses poses a significant risk, as attackers exploit unmonitored communication paths. Legitimate software tools like HRSword are being repurposed by threat actors to disable endpoint protections, complicating detection and response efforts for cybersecurity teams. | Details |
| 2025-08-14 20:18:56 | bleepingcomputer | CYBERCRIME | Global Efforts Freeze Over $300 Million in Cybercrime Cryptocurrency | Over $300 million in cryptocurrency linked to cybercrime has been frozen through collaborative efforts involving law enforcement and private sector entities. The T3+ Global Collaborator Program, initiated by TRM Labs, TRON, Tether, and Binance, has frozen over $250 million in criminal assets since September 2024. This initiative has aided global law enforcement in tackling money laundering, investment fraud, and other financial crimes by analyzing billions in transactions worldwide. A separate joint operation by the U.S. and Canada, supported by Chainalysis, has identified over $74.3 million in fraud losses, leading to significant asset freezes. Project Atlas and Operation Avalanche, led by Canadian authorities, have uncovered over 2,000 crypto wallets linked to fraud across 14 countries. Collaboration with Tether has resulted in the blacklisting of over $50 million in USDT, preventing further movement of stolen assets. These initiatives demonstrate the effectiveness of global partnerships in disrupting cybercriminal activities at the blockchain level. | Details |
| 2025-08-14 19:10:00 | theregister | CYBERCRIME | Criminals Exploit Government Email Accounts for Fraudulent Activities | Cybercriminals are selling access to active FBI and other global law enforcement email accounts on dark web forums for as little as $40. Abnormal AI researchers confirmed these accounts are live, allowing criminals to impersonate government officials and manipulate investigations. Compromised accounts are used to send fraudulent subpoenas and emergency data requests, exploiting legal mechanisms like CALEA and EDRs. Criminals leverage these accounts to access law enforcement portals on platforms such as Meta, TikTok, and Twitter, extracting private user data. Common attack vectors include credential stuffing, weak passwords, phishing, and info-stealing malware, leading to a surge in compromised credentials. The FBI has warned about the misuse of government email addresses to submit fraudulent requests, posing significant risks to personal data security. This situation highlights the critical need for stronger authentication measures and cybersecurity awareness among government employees. | Details |
| 2025-08-14 17:57:03 | bleepingcomputer | CYBERCRIME | Crypto24 Ransomware Targets Global Firms with Advanced Evasion Techniques | The Crypto24 ransomware group has targeted large organizations across the U.S., Europe, and Asia, focusing on sectors like finance, manufacturing, entertainment, and technology. Trend Micro researchers suggest that Crypto24 may include former members of defunct ransomware groups, indicating a high level of expertise and operational knowledge. After initial access, the group uses administrative accounts on Windows systems to maintain persistent access, employing custom batch files for reconnaissance. Crypto24 deploys a customized RealBlindingEDR tool to disable security solutions by targeting kernel drivers, effectively evading detection by multiple vendors. The group exploits legitimate tools like Trend Micro's XBCUninstaller.exe to remove security agents, facilitating the deployment of keyloggers and ransomware payloads. Data exfiltration is conducted via Google Drive using a custom tool, while ransomware execution follows the deletion of volume shadow copies to hinder recovery efforts. Trend Micro has released indicators of compromise to assist cybersecurity teams in detecting and mitigating Crypto24 attacks at early stages. | Details |
| 2025-08-14 17:47:48 | theregister | VULNERABILITIES | New HTTP/2 Flaw 'MadeYouReset' Enables Large-Scale DoS Attacks | Researchers discovered a design flaw in HTTP/2, named 'MadeYouReset', allowing attackers to execute massive Denial of Service (DoS) attacks by bypassing built-in concurrency limits. Over 100 vendors, including major names like Google, Microsoft, and IBM, were notified due to the widespread implementation of HTTP/2 across the web. The vulnerability, identified as CVE-2025-8671, builds on the previous CVE-2023-44487 'Rapid Reset' flaw, which remains partially unresolved. Attackers can exploit this flaw to create unbounded concurrent requests, potentially causing servers to crash due to out-of-memory errors. Vendors and projects such as Apache Tomcat, Fastly, and Varnish Software have released patches, while other organizations are investigating potential impacts and remediation strategies. Mitigation strategies include stricter protocol validation, enhanced stream state tracking, and deploying anomaly detection systems to prevent exploitation. Organizations using HTTP/2 should verify with vendors about patch availability and implement recommended security measures to protect their infrastructure. | Details |
| 2025-08-14 17:17:55 | theregister | VULNERABILITIES | CISA Urges Enhanced Cybersecurity for Operational Technology Systems | CISA has issued new guidance urging organizations to strengthen cybersecurity measures for operational technology (OT) environments, which are increasingly targeted by cyberattacks. OT systems, integral to industries like manufacturing, energy, and transportation, face rising threats due to their growing connectivity to the internet. Security firm Dragos reported an 87% increase in cyberattacks on industrial companies in the US in 2024, highlighting the vulnerability of OT systems. CISA's foundational guidance recommends creating a comprehensive OT asset inventory using a taxonomy-based approach to improve risk management and incident response. The joint effort includes contributions from global cybersecurity agencies, emphasizing the critical role of OT systems in national security and daily life. The guidance provides industry-specific examples and suggests maintaining detailed records of OT assets, including communication protocols and system updates. Organizations are encouraged to adopt these practices to mitigate risks and ensure the continuity of essential services. | Details |
| 2025-08-14 16:18:44 | theregister | CYBERCRIME | BtcTurk Halts Operations Following $49 Million Crypto Wallet Breach | Turkish cryptocurrency exchange BtcTurk suspended deposits and withdrawals after detecting unusual activity in its hot wallets on August 14, 2025. The exchange confirmed a significant compromise, with losses estimated at $49 million across various tokens, while trading activities remain unaffected. BtcTurk reassured users that most assets are stored securely in cold wallets, minimizing the impact on customer funds. Blockchain security firm PeckShield suspects a private key leak, complicating efforts to trace and recover the stolen assets. The attacker has reportedly begun converting stolen tokens to Ethereum, further hindering recovery efforts by obfuscating the transaction trail. BtcTurk, with over 6 million users, is working with experts to investigate and negotiate potential recovery, though chances are deemed low. The incident underscores ongoing vulnerabilities in crypto exchanges, with attackers frequently targeting hot wallets due to their internet connectivity. | Details |
| 2025-08-14 16:04:27 | bleepingcomputer | NATION STATE ACTIVITY | Pro-Russian Hackers Target Norwegian Dam in Cyber Sabotage | The Norwegian Police Security Service attributes a cyberattack on a dam's control systems to pro-Russian hackers, who manipulated outflow valves in April. The incident served as a demonstration of Russia's cyber capabilities rather than an attempt to cause physical damage, according to Norwegian authorities. Hackers managed to release over 7.2 million liters of water before dam operators corrected the system settings after four hours. Videos posted by Russian hacktivists on Telegram showcased the dam's control panel, confirming their involvement and linking the attack to a pro-Russian group. The attack is part of a broader pattern of hybrid operations aimed at creating fear and uncertainty in Western nations, as noted by Norway's Intelligence Chief. This marks the second cyber incident linked to Russia targeting Norway, following a previous DDoS attack on state services. Norway's intelligence highlights Russia as the most significant threat, utilizing cyber tactics to maintain geopolitical tension. | Details |
| 2025-08-14 15:23:46 | thehackernews | VULNERABILITIES | New HTTP/2 'MadeYouReset' Vulnerability Threatens Web Server Stability | Researchers have identified a new vulnerability, MadeYouReset, affecting multiple HTTP/2 implementations, potentially enabling large-scale denial-of-service (DoS) attacks. MadeYouReset allows attackers to bypass the server-imposed limit of concurrent HTTP/2 requests, leading to potential out-of-memory crashes in some systems. The vulnerability, assigned CVE-2025-8671, impacts several products, including Apache Tomcat, F5 BIG-IP, and Netty, posing a risk to web infrastructure. This flaw builds upon previous vulnerabilities like Rapid Reset, exploiting RST_STREAM frames to trigger protocol violations and induce server resets. CERT Coordination Center warns that MadeYouReset exploits mismatches between HTTP/2 specifications and server architectures, causing resource exhaustion. The discovery emphasizes the need for robust defenses against subtle, spec-compliant attacks on foundational web protocols. Organizations are advised to review and update their HTTP/2 implementations to mitigate potential exploitation and ensure server stability. | Details |
| 2025-08-14 14:24:25 | bleepingcomputer | CYBERCRIME | Phishing Campaigns Exploit Unicode Characters to Mimic Booking.com | Cybercriminals are using the Japanese hiragana character 'ん' to craft deceptive Booking.com phishing URLs that appear legitimate, tricking users into visiting malicious sites. The phishing links redirect victims to a lookalike domain, www-account-booking[.]com, where malware is delivered via a malicious MSI installer. This campaign leverages homoglyphs, characters that visually resemble others, to deceive users, a tactic increasingly used in phishing and homograph attacks. Security measures have been implemented to help users distinguish homoglyphs, but desktop environments remain vulnerable to such visual deceptions. Similar tactics are observed in an Intuit-themed phishing campaign, where 'Lntuit' is used to mimic 'Intuit', exploiting font similarities on mobile devices. Users are advised to verify URLs by hovering over links and checking the actual domain to mitigate risks of falling victim to these phishing strategies. Keeping endpoint security software updated is crucial, as modern phishing kits often deploy malware directly after a link is clicked. | Details |