Daily Brief

2026-01-17 16:22:46 bleepingcomputer MALWARE Malicious Chrome Extensions Compromise Enterprise HR Platform Credentials
Cybersecurity firm Socket discovered five malicious Chrome extensions targeting enterprise HR and ERP platforms, including Workday, NetSuite, and SAP SuccessFactors, affecting over 2,300 installations. The extensions masqueraded as productivity and security tools, stealing authentication credentials and blocking access to security administration pages critical for incident response. Attackers used cookie exfiltration, DOM manipulation, and bidirectional cookie injection to hijack sessions, maintain access, and potentially facilitate large-scale ransomware or data theft attacks. Extensions shared identical infrastructure and code patterns, indicating a coordinated operation despite being listed under different publisher names. Two extensions, Tool Access 11 and Data By Cloud 2, specifically blocked access to security pages, preventing administrators from managing authentication policies and responding to incidents. The Software Access extension enabled bidirectional cookie manipulation, allowing attackers to take over authenticated sessions without user credentials or multi-factor authentication. Socket reported the malicious extensions to Google, resulting in their removal from the Chrome Web Store; affected users are advised to report incidents and change passwords.
2026-01-17 15:27:52 bleepingcomputer MALWARE GhostPoster Browser Extensions Removed After 840,000 Installs
Researchers discovered 17 malicious browser extensions linked to the GhostPoster campaign, collectively installed 840,000 times across Chrome, Firefox, and Edge. These extensions concealed malicious JavaScript in logo images, enabling browser activity monitoring and backdoor installation. The campaign originated on Microsoft Edge, later expanding to Firefox and Chrome, with some extensions active since 2020. Advanced variants, such as the 'Instagram Downloader,' employ sophisticated techniques to evade detection and execute malicious code. The malicious extensions have been removed from Mozilla and Microsoft's stores, but users with prior installations remain at risk. Google confirmed the removal of these extensions from the Chrome Web Store following exposure by security researchers. The ongoing campaign illustrates the evolving threat landscape of browser-based malware and the need for vigilant security practices.
2026-01-17 12:31:29 theregister VULNERABILITIES Fast Pair Flaw Exposes Millions of Bluetooth Devices to Hijacking
Researchers at KU Leuven identified a flaw in Google's Fast Pair system, affecting hundreds of millions of Bluetooth accessories like earbuds and speakers, allowing unauthorized control. The vulnerability, named "WhisperPair," arises from inadequate enforcement of pairing protocols, enabling attackers to pair devices without user consent. Attackers within Bluetooth range can hijack devices, potentially injecting audio, manipulating volume, or activating microphones, using just a phone or laptop. The issue stems from poor implementation of Fast Pair specifications by device manufacturers, not inherent flaws in Bluetooth technology itself. Google has been informed and is collaborating with manufacturers to issue firmware updates, though many cheaper devices may remain unpatched. The flaw also poses risks to Google's Find My Device network, as attackers could register stolen accessories to their accounts for location tracking. This incident underscores the ongoing challenge of ensuring security in smart devices, where rapid production often compromises robust implementation of security protocols.
2026-01-17 08:42:31 thehackernews MISCELLANEOUS OpenAI Introduces Ads in ChatGPT for U.S. Free and Go Users
OpenAI will begin displaying ads to logged-in U.S. adults using ChatGPT's free and Go plans, expanding its revenue model beyond subscriptions. Ads will be clearly labeled and appear at the bottom of user conversations, with an emphasis on user privacy and control over ad personalization. The initiative aims to make artificial general intelligence more accessible and support small businesses and emerging brands by offering a new advertising platform. OpenAI assures that user data and conversations remain private from advertisers, and ads will not influence chatbot responses. Ads will not be shown to users under 18 or near sensitive topics such as health and politics, ensuring compliance with ethical advertising standards. Users on Plus, Pro, Business, and Enterprise plans will not see ads, maintaining a premium, ad-free experience for higher-tier subscribers. CEO Sam Altman describes the decision as a strategic move to sustain OpenAI's operations, acknowledging the challenge of balancing AI development costs with user affordability.
2026-01-16 21:06:26 bleepingcomputer MALWARE Researchers Exploit Flaw to Disrupt StealC Malware Operations
CyberArk researchers identified a cross-site scripting (XSS) flaw in the StealC malware control panel, allowing them to gather intelligence on the operators' hardware and active sessions. StealC, an info-stealing malware, gained popularity in early 2023 for its evasion capabilities and data theft features, with enhancements like Telegram bot alerts introduced in version 2.0. The XSS vulnerability enabled researchers to hijack sessions, collect browser and hardware fingerprints, and observe threat actor characteristics, including their location and computer details. A StealC customer, dubbed 'YouTubeTA', hijacked legitimate YouTube channels to distribute malware, resulting in the theft of over 390,000 passwords and 30 million cookies by 2025. Researchers determined the attacker used an Apple M3-based system and operated from Ukraine, revealing their real IP address due to a VPN oversight. CyberArk disclosed the XSS flaw to disrupt StealC operations and impact the malware-as-a-service market, amid a rise in StealC operators following recent industry events. The incident underscores the risks associated with malware-as-a-service platforms, which facilitate rapid scaling but also expose threat actors to vulnerabilities.
2026-01-16 19:04:13 bleepingcomputer CYBERCRIME Black Basta Ransomware Leader Added to Interpol's Red Notice List
Law enforcement in Ukraine and Germany identified Oleg Evgenievich Nefedov as the leader of the Black Basta ransomware gang, adding him to Europol and Interpol’s wanted lists. Investigations led to the identification of two additional individuals involved in the gang, specializing in breaching protected systems and facilitating ransomware attacks. Raids in Ukraine resulted in the seizure of digital storage devices and cryptocurrency assets, disrupting the gang's operational capabilities. Black Basta, emerging in April 2022, is linked to over 600 ransomware incidents, impacting major organizations like Rheinmetall, Hyundai, and the American Dental Association. The gang is considered a rebranding of the now-defunct Conti group, with Nefedov allegedly connected to both operations. Security researchers analyzed leaked chat messages, confirming Nefedov's leadership role and potential ties to a $10 million bounty related to the Conti gang. This development underscores the ongoing threat posed by ransomware groups and the importance of international collaboration in combating cybercrime.
2026-01-16 18:06:26 thehackernews MALWARE GootLoader Malware Adopts Advanced Evasion Techniques to Bypass Detection
GootLoader, a JavaScript-based malware loader, uses malformed ZIP archives with 500-1,000 concatenated files to evade detection by common unarchiving tools. The default Windows unarchiver can process these archives, enabling victims to extract and execute the malicious JavaScript payload. GootLoader is distributed through SEO poisoning and malvertising, targeting users seeking legal templates, redirecting them to compromised WordPress sites. Recent campaigns use custom WOFF2 fonts and WordPress comment endpoints to obfuscate filenames and deliver payloads, complicating detection efforts. The malware employs hashbusting, creating unique ZIP files for each user, rendering hash-based detection ineffective. Once executed, the JavaScript payload establishes persistence by creating a Windows shortcut in the Startup folder and executing further commands via PowerShell. Organizations are advised to block "wscript.exe" and "cscript.exe" for downloaded content and configure JavaScript files to open in Notepad by default to mitigate risks.
2026-01-16 17:14:04 bleepingcomputer NATION STATE ACTIVITY Chinese Hackers Exploit Sitecore Zero-Day Targeting North American Infrastructure
Cisco Talos researchers identified a China-linked group, UAT-8837, exploiting Sitecore zero-day vulnerabilities to target North American critical infrastructure, aiming for initial access into organizations. The group has been active since at least 2025, employing compromised credentials and server vulnerabilities to breach networks, indicating a focus on espionage. A recent attack involved CVE-2025-53690, a ViewState Deserialization flaw, leading to the deployment of a reconnaissance backdoor named 'WeepSteel'. Post-exploitation tactics include using Windows native commands for reconnaissance and disabling RDP RestrictedAdmin to harvest credentials. UAT-8837 relies on open-source and living-off-the-land utilities, adapting tools to avoid detection, and has exfiltrated DLLs for potential supply-chain attacks. Cisco Talos provides a detailed report including attack commands, tools, and indicators of compromise to assist organizations in identifying and mitigating threats. The group's activities suggest a persistent threat to critical infrastructure, emphasizing the need for robust security measures and vigilance against zero-day exploits.
2026-01-16 16:47:39 theregister VULNERABILITIES Microsoft Patch Causes Shutdown Issues on Windows 11 Devices
Microsoft's latest security update for Windows 11 23H2 has led to shutdown and hibernation failures on some PCs, affecting system power management. The issue is linked to the Secure Launch feature, which uses virtualization-based protections to ensure trusted components load during boot. Users report that affected systems remain operational despite shutdown commands, leading to potential battery drain and operational disruptions. Microsoft advises using the command "shutdown /s /t 0" as a temporary workaround to force shutdown on impacted devices. The company has not provided specific details on the number of affected devices or a timeline for a permanent fix, leaving users in a state of uncertainty. Additional issues have been identified with Outlook POP account profiles freezing post-update, adding to user frustration. While updates aim to address security vulnerabilities, they occasionally introduce new challenges, emphasizing the need for thorough testing before deployment.
2026-01-16 15:20:41 theregister CYBERCRIME Black Basta Ransomware Leader Added to EU Most-Wanted List
German authorities have placed Oleg Evgenievich Nefedov, leader of the Black Basta ransomware group, on the EU's most-wanted list, seeking information on his whereabouts. Nefedov, a Russian national, is accused of orchestrating attacks that targeted approximately 700 organizations globally, generating over $100 million in extortion payments. Black Basta emerged as a dominant force in ransomware following the decline of LockBit, leveraging sophisticated tactics to infiltrate, encrypt, and demand ransoms from victim organizations. As the group's managing director, Nefedov was responsible for target selection, recruitment, ransom negotiations, and distribution of illicit proceeds among group members. Following a major leak in 2025, Black Basta's operations ceased, yet Nefedov remains at large, believed to be residing in Russia, with his exact location unknown. German police urge the public to provide information on Nefedov's location, travel plans, or online activities, ensuring anonymity for informants. Security researchers at Trellix linked Nefedov to various online aliases and suggested potential assistance from the Russian state in his 2024 escape from Armenian custody.
2026-01-16 14:12:46 thehackernews MALWARE Malicious Chrome Extensions Exploit HR Platforms for Account Takeover
Cybersecurity researchers identified five malicious Chrome extensions posing as HR and ERP tools, targeting platforms like Workday and NetSuite for account hijacking. These extensions steal authentication tokens, block incident response, and enable session hijacking, impacting enterprise security and operational integrity. Key technical tactics include cookie exfiltration, DOM manipulation to block security pages, and encrypted command-and-control traffic. The extensions have been removed from the Chrome Web Store but remain available on third-party sites, posing ongoing risks. Users are urged to uninstall these extensions, reset passwords, and check for unauthorized access from unfamiliar IP addresses. The campaign's sophistication suggests a coordinated operation, potentially involving a single threat actor or shared toolkit. Security teams face challenges in remediation due to blocked administrative interfaces and continuous credential theft.
2026-01-16 13:04:00 theregister VULNERABILITIES RondoDox Botnet Exploits Critical HPE OneView Vulnerability Globally
Check Point has identified the RondoDox botnet exploiting CVE-2025-37164, a critical flaw in HPE OneView, with over 40,000 attack attempts observed in just a few hours. The vulnerability, rated a perfect 10 on the CVSS scale, affects HPE's data center management platform, which controls servers, storage, and networking, posing significant risks to enterprise environments. RondoDox, a Linux-based botnet, uses an "exploit-shotgun" approach, targeting various devices to build networks for DDoS, cryptomining, and secondary payload delivery. The attacks have primarily targeted government organizations, financial services, and industrial manufacturers, with the United States experiencing the highest volume of activity. A single Dutch IP address, known in threat intelligence circles, was identified as the primary source of the attacks, indicating a particularly active operator. HPE has urged OneView users to apply the patch immediately, emphasizing the importance of timely updates to prevent exploitation. This incident serves as a reminder that management platforms require prompt patching, as adversaries exploit vulnerabilities swiftly and at scale.
2026-01-16 12:05:21 theregister VULNERABILITIES Default Key Flaw Exposes Vulnerability in Bankrupt Scooter Startup
An Estonian e-scooter owner discovered a master key flaw in Äike scooters after the company filed for bankruptcy, revealing a significant security oversight. The scooters relied on app-controlled authentication, which failed when the company's cloud services ceased, leaving owners unable to operate their devices. Security researcher Rasmus Moorats reverse-engineered the scooter's app, finding that all models shared the same default private key, compromising security. The authentication process involved a simple challenge-response mechanism over Bluetooth, which was ineffective due to the identical placeholder key across all scooters. The flaw allowed Moorats to unlock any Äike scooter within Bluetooth range, raising concerns about IoT security practices and key management. Despite the vulnerability, the risk of mass theft is low due to the limited scale of Äike's sales and different hardware used in shared scooters. Moorats reported the issue to the hardware supplier, but with the manufacturer bankrupt, there was no resolution, highlighting challenges in IoT security responsibility.
2026-01-16 11:03:05 theregister DATA BREACH Carlsberg Exhibition Visitor Data Vulnerable Due to Insecure Wristbands
A security flaw at Carlsberg's Copenhagen exhibition allows unauthorized access to visitor names, images, and videos via insecure wristband IDs. Ken Munro of Pen Test Partners discovered the vulnerability, which enables brute-force attacks on wristband IDs using nothing more than a laptop. The wristband IDs, which expire after 30 days, have 26 million possible combinations, yet valid IDs can be generated easily enough to reach visitors' personal data. Despite a vulnerability report submitted in August, Carlsberg delayed responding until November, and the issue remains unresolved. Carlsberg attempted to address the flaw by implementing rate limitations, but Munro found these measures ineffective. The breach potentially affects approximately 13,000 visitors monthly, raising concerns about GDPR compliance and data protection. The incident underscores the importance of timely and effective responses to vulnerability disclosures to protect customer data.
2026-01-16 10:48:38 thehackernews MISCELLANEOUS Protecting Personal Data Online: Reducing Exposure and Risks
The article discusses the widespread availability of personal information online, including names, addresses, and phone numbers, posing significant privacy and security risks. Data brokers and public websites often sell or expose personal details, making them accessible to anyone with internet access, increasing the risk of harassment or scams. Individuals are encouraged to manually remove their data from these sites, a process that can be time-consuming and complex without specialized tools. Incogni, a data removal service, offers a solution by tracking down and deleting personal information from various online platforms on behalf of users. The service provides an Unlimited plan, allowing users to request the removal of information from sites not automatically covered, enhancing personal security. Thousands of users trust Incogni to safeguard their online presence, emphasizing that privacy is an essential component of overall security. The article advocates for proactive measures to protect personal safety by ensuring sensitive information is not easily accessible online.