Daily Brief

Article summaries below are automatically generated

Total articles found: 11546

Checks for new stories every ~15 minutes

2025-11-23 17:04:38 bleepingcomputer MISCELLANEOUS Security Best Practices for Safeguarding Model Context Protocol (MCP)
As MCP becomes the standard for linking LLMs to tools and data, security teams are prioritizing robust protection measures to safeguard these integrations. The cheat sheet provides seven actionable security best practices designed to enhance the security posture of organizations implementing MCP. Key recommendations include regular security audits, implementing access controls, and ensuring encrypted data transmissions to prevent unauthorized access and data breaches. Organizations are advised to maintain a proactive approach in monitoring and updating MCP-related systems to address emerging threats and vulnerabilities. The guidance aims to assist security teams in mitigating risks associated with the rapid adoption of MCP, ensuring secure and efficient operations. Adoption of these practices is crucial for organizations to protect sensitive data and maintain trust while leveraging the capabilities of LLMs.
2025-11-23 15:34:36 bleepingcomputer MISCELLANEOUS Google Introduces Cross-Platform File Sharing Between Pixel and iPhone
Google has launched interoperability between Android Quick Share and Apple AirDrop, initially supporting Pixel 10-series devices, allowing seamless file sharing with iPhones. This development marks a significant step in bridging the gap between Android and iOS ecosystems, enhancing user convenience and flexibility in file sharing. The new feature supports secure file sharing through Bluetooth and Wi-Fi Direct, adhering to stringent security protocols, including threat modeling and penetration testing. An independent audit by NetSPI confirmed the robustness of the system, ensuring no data leakages and reinforcing user trust in the new feature. Google's implementation leverages Rust programming language to eliminate memory-safety vulnerabilities, enhancing the security of wireless data parsing. The current mode allows direct device-to-device connections without server intermediaries, requiring users to manually verify device authenticity to prevent accidental data sharing. Future updates, in collaboration with Apple, aim to introduce a "Contacts Only" mode, further enhancing interoperability between Android and iOS devices.
2025-11-23 14:46:07 bleepingcomputer MISCELLANEOUS Passwork 7 Enhances Enterprise Credential and Secrets Management
Passwork 7 introduces a unified platform for managing both human and machine credentials, addressing operational complexities in enterprise environments. The update focuses on usability and security enhancements, offering improved workflow efficiency and feature accessibility based on real-world feedback. Key features include a flexible vault architecture, granular access control with RBAC, and secure credential sharing for internal and external users. Passwork's zero-knowledge encryption and self-hosted deployment ensure maximum security and compliance with data residency regulations. The platform supports seamless migration from other password managers, offering a 10% discount for transitioning organizations. Automation capabilities through API, Python connector, CLI, and Docker integration streamline DevOps workflows and credential management. A Black Friday promotion offers up to 50% discounts, encouraging organizations to test and adopt the platform during the trial period.
2025-11-23 13:55:00 bleepingcomputer DATA BREACH Iberia Alerts Customers Following Supplier Data Breach Incident
Iberia, Spain's largest airline, has informed customers of a data breach linked to a third-party supplier, potentially exposing certain customer information. The breach did not compromise Iberia account credentials, passwords, or financial details, according to the airline's security notice. Iberia has implemented enhanced security protocols, including verification codes for email changes, and is monitoring systems for unusual activity. Authorities have been notified, and an ongoing investigation is underway in coordination with the affected supplier. A threat actor claimed online to possess 77 GB of Iberia data and attempted to sell it for $150,000, though its connection to the breach remains unverified. Customers are advised to remain vigilant against potential phishing attempts and report any suspicious communications to Iberia's call center. The incident underscores the importance of robust vendor management and security protocols to protect sensitive data.
2025-11-23 13:10:17 bleepingcomputer MISCELLANEOUS Costco Membership Promotion Offers Digital Shop Card Incentive
Costco introduces a promotion offering a $40 Digital Shop Card with the purchase of a 1-Year Gold Star Membership, priced at $65, targeting new or lapsed members. The offer aims to attract new customers and those whose memberships have been inactive for at least 18 months, enhancing holiday shopping convenience. To qualify, participants must provide a valid email and enroll in auto-renewal using a Visa or Mastercard debit card at sign-up. The Digital Shop Card, redeemable online or in-store, will be emailed within two weeks of successful membership registration and auto-renewal enrollment. This initiative excludes existing members seeking upgrades or renewals, as well as Costco employees, ensuring focus on expanding the member base. The promotion, valid until December 31, 2025, is part of a StackCommerce deal, with BleepingComputer.com earning a commission on sales through their platform. Participants are advised to enter accurate email information to avoid issues with receiving the Digital Shop Card, which cannot be used at Costco Food Courts.
2025-11-22 18:59:22 bleepingcomputer DATA BREACH Researchers Expose WhatsApp API Flaw Affecting 3.5 Billion Accounts
Researchers from the University of Vienna and SBA Research identified a vulnerability in WhatsApp's contact-discovery API, enabling the extraction of 3.5 billion user accounts without rate limiting. The flaw allowed researchers to compile a global list of active WhatsApp accounts, revealing usage patterns even in countries with bans, such as China and Iran. The team used a single server and five sessions to query WhatsApp's servers at a rate of over 100 million numbers per hour, highlighting the lack of adequate safeguards. Additional API endpoints provided access to user profile photos, "about" text, and device information, raising significant privacy concerns. WhatsApp has since implemented rate-limiting measures to prevent future abuse, following the researchers' responsible disclosure of the vulnerability. This incident emphasizes the critical need for robust API security measures, as similar vulnerabilities have led to large-scale data breaches on platforms like Facebook and Twitter. The findings serve as a stark reminder of the potential impact of API misconfigurations on user privacy and data security.
2025-11-22 15:19:52 thehackernews NATION STATE ACTIVITY APT31 Targets Russian IT Sector Using Cloud Services for Stealth
APT31, a China-linked cyber espionage group, targeted the Russian IT sector, focusing on contractors for government agencies, from 2024 to 2025. The group utilized legitimate cloud services like Yandex Cloud for command-and-control operations, aiming to blend in with normal traffic and evade detection. Attacks included spear-phishing emails with RAR archives, deploying the Cobalt Strike loader "CloudyLoader" via DLL side-loading. APT31 employed both publicly available and custom tools, maintaining persistence through scheduled tasks mimicking applications like Yandex Disk and Google Chrome. The group exfiltrated data using cloud storage services, collecting sensitive information such as passwords from victim devices. Russian cybersecurity firms identified overlaps with the EastWind threat cluster and documented these activities, highlighting the group's sophisticated methods. The use of cloud services and social media profiles for staging encrypted commands allowed APT31 to remain undetected for extended periods, posing significant challenges for cybersecurity defenses.
2025-11-22 15:19:51 bleepingcomputer DATA BREACH Cox Enterprises Faces Data Breach via Oracle Zero-Day Exploit
Cox Enterprises disclosed a data breach affecting personal data after cybercriminals exploited a zero-day vulnerability in Oracle's E-Business Suite in August 2025. The breach was not detected until late September, prompting an internal investigation and notification to affected individuals. The Cl0p ransomware group claimed responsibility, leveraging CVE-2025-61882 before Oracle released a patch on October 5, 2025. The breach impacted various sectors, with companies like Logitech and Harvard University also affected by similar Oracle E-Business Suite vulnerabilities. Cox Enterprises is offering 12 months of free identity theft protection and credit monitoring services to 9,479 impacted individuals. The incident adds to Cox's history of breaches, including a 2024 attack on Cox Communications and a 2021 ransomware incident at Cox Media Group. Cl0p continues to target high-profile organizations, recently listing 29 new companies as victims, signaling ongoing risks from zero-day exploits.
2025-11-22 13:49:26 bleepingcomputer CYBERCRIME Huntress Labs Analyzes Qilin Ransomware Incident with Limited Visibility
Huntress Labs investigated a Qilin ransomware attack where the agent was installed post-incident, limiting initial visibility to a single endpoint. The incident involved the installation of rogue software, including ScreenConnect, used to transfer malicious files to the compromised endpoint. Analysts utilized Windows Event Logs and other data sources to piece together the attack timeline and identify attempted actions by the threat actor. The threat actor disabled Windows Defender, attempting to execute infostealer malware, which ultimately failed due to system defenses. The investigation revealed the use of ransomware-as-a-service (RaaS) tactics, with the threat actor leveraging Remote Desktop Protocol (RDP) for access. Despite initial data limitations, the use of multiple data sources enabled a comprehensive understanding of the attack and informed remediation efforts. The case emphasizes the importance of deploying security tools pre-incident and utilizing diverse data sources for accurate threat analysis and response.
2025-11-22 06:48:13 thehackernews VULNERABILITIES CISA Alerts on Critical Oracle Identity Manager Zero-Day Exploitation
CISA has added a critical Oracle Identity Manager vulnerability, CVE-2025-61757, to its Known Exploited Vulnerabilities catalog due to active exploitation evidence. The flaw allows unauthenticated remote code execution, impacting versions 12.2.1.4.0 and 14.1.2.1.0, with a CVSS score of 9.8, indicating severe risk. Researchers identified the vulnerability as a bypass of a security filter, allowing attackers to manipulate authentication flows and escalate privileges. Exploitation involves tricking protected endpoints into public access by appending "?WSDL" or ";.wadl" to URIs, exploiting a flawed allow-list mechanism. The vulnerability was addressed in Oracle's recent quarterly updates, yet exploitation attempts were detected before the patch release, suggesting zero-day activity. Federal agencies are mandated to apply the necessary patches by December 12, 2025, to mitigate potential threats to their networks. Analysis of honeypot logs revealed multiple IP addresses scanning for the vulnerability, indicating coordinated attack efforts potentially from a single actor.
2025-11-22 06:48:12 thehackernews MALWARE Matrix Push C2 Leverages Browser Notifications for Phishing Attacks
Cybercriminals are using Matrix Push C2, a new command-and-control platform, to execute phishing attacks through browser notifications across various operating systems. The attack method involves social engineering tactics to trick users into permitting browser notifications, which are then used to distribute malicious links. The platform operates as a malware-as-a-service (MaaS), available for purchase via crimeware channels, with subscriptions ranging from $150 to $1,500. Matrix Push C2 enables attackers to impersonate well-known brands, using templates to craft convincing phishing messages and landing pages. The service includes a web-based dashboard for tracking victim interactions, creating shortened URLs, and recording browser extensions, including cryptocurrency wallets. This technique bypasses traditional security measures by operating entirely within the browser, posing a cross-platform threat. The ultimate objective often involves data theft or financial gain, such as draining cryptocurrency wallets or exfiltrating personal information. The emergence of Matrix Push C2 indicates a shift in initial access strategies, highlighting the evolving nature of cyber threats.
2025-11-21 23:57:21 bleepingcomputer VULNERABILITIES CISA Warns of Active Exploitation of Oracle Identity Manager Flaw
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) alerts agencies to patch Oracle Identity Manager vulnerability CVE-2025-61757, actively exploited since August 2025. The flaw, identified as a pre-authentication remote code execution vulnerability, allows attackers to bypass Oracle Identity Manager's REST API security filters. Exploitation involves appending parameters to URL paths, enabling unauthorized access to a Groovy script endpoint for malicious code execution. Oracle addressed the vulnerability in its October 2025 security updates, released on October 21, urging immediate action to mitigate risks. Searchlight Cyber's technical report provides detailed exploitation methods, raising concerns about the vulnerability's ease of use by threat actors. CISA mandates Federal Civilian Executive Branch agencies to patch the flaw by December 12, citing significant risks to federal systems. Evidence suggests the vulnerability was exploited as a zero-day, with multiple IP addresses scanning for the flaw before Oracle's patch release.
2025-11-21 19:29:35 theregister DATA BREACH ShinyHunters Exploit OAuth Tokens to Breach Salesforce Integrations
ShinyHunters claimed responsibility for a breach affecting Gainsight and hundreds of Salesforce customers, exploiting OAuth tokens from a Salesloft GitHub account compromise. The breach allowed unauthorized access to Salesforce customer data through compromised OAuth tokens, affecting integrations with third-party applications like Gainsight and Drift. Salesforce swiftly revoked access and refresh tokens for Gainsight applications and temporarily removed them from the AppExchange to mitigate further unauthorized access. Gainsight enlisted Google's Mandiant for incident response, emphasizing the breach originated from external application connections rather than Salesforce platform vulnerabilities. Zendesk and HubSpot also took precautionary measures by revoking connector access and pulling Gainsight apps from their marketplaces during the investigation. Google Threat Intelligence Group linked the breach to UNC6240, with over 200 Salesforce instances potentially affected, highlighting the widespread impact of the OAuth token compromise. Salesforce maintained its stance against paying ransom demands, reinforcing its policy of not engaging with extortionists.
2025-11-21 18:00:18 bleepingcomputer VULNERABILITIES Grafana Enterprise Vulnerability Allows Potential Admin Privilege Escalation
Grafana Labs identified a critical vulnerability (CVE-2025-41115) in its Enterprise product, enabling potential admin privilege escalation when SCIM provisioning is enabled. The flaw is exploitable if both 'enableSCIM' and 'user_sync_enabled' options are true, allowing compromised SCIM clients to provision users with admin rights. Grafana's internal audit discovered the issue, and a security update was released within 24 hours, with no exploitation detected in Grafana Cloud services. The vulnerability affects Grafana Enterprise versions 12.0.0 to 12.2.1, while Grafana OSS users remain unaffected. Grafana Cloud services have already been patched. Administrators of self-managed installations are urged to apply the patches or disable SCIM to mitigate the risk of exploitation. The vulnerability's discovery comes amid increased scanning activity for older flaws, suggesting potential preparatory actions for exploiting new vulnerabilities. Grafana's swift response highlights the importance of proactive internal audits and timely patch management to safeguard against privilege escalation threats.
2025-11-21 16:52:33 bleepingcomputer CYBERCRIME CrowdStrike Insider Leaks Screenshots to Cybercriminal Groups
CrowdStrike confirmed an insider leaked internal system screenshots to unknown threat actors, but no breach of their systems or customer data occurred. The insider was identified and terminated following an internal investigation, with the case now in the hands of law enforcement. Screenshots appeared on Telegram, linked to groups like ShinyHunters and Scattered Spider, now operating as "Scattered Lapsus$ Hunters." These groups have a history of targeting major companies through voice phishing and extortion, impacting brands like Google, Cisco, and LVMH subsidiaries. The cybercriminal collective claimed responsibility for a significant breach at Jaguar Land Rover, causing over £196 million in damages. ShinyHunters and Scattered Spider are transitioning to a new ransomware platform, ShinySp1d3r, after using various other ransomware tools. The incident underscores the ongoing threat of insider risks and the importance of robust internal security measures.