Daily Brief

2025-11-17 17:14:09 bleepingcomputer DDOS Azure Network Withstands Massive 15 Tbps DDoS Assault by Aisuru Botnet
Microsoft Azure faced a significant DDoS attack, reaching 15.72 terabits per second, originating from the Aisuru botnet, utilizing over 500,000 IP addresses. The attack targeted a specific public IP in Australia, employing high-rate UDP floods, and achieved nearly 3.64 billion packets per second. Aisuru is a Turbo Mirai-class IoT botnet, exploiting vulnerabilities in home routers and cameras, primarily affecting residential ISPs globally. Cloudflare linked Aisuru to a previous record-breaking 22.2 Tbps attack, demonstrating the botnet's capability to execute large-scale disruptions. The botnet expanded significantly in April 2025 after breaching a TotoLink router firmware server, infecting around 100,000 additional devices. Cloudflare has taken steps to mitigate the botnet's impact by removing related domains from its rankings to prevent manipulation and maintain trust. The incident underscores the growing threat of IoT-based botnets and the need for robust defenses against increasingly sophisticated DDoS attacks.
2025-11-17 16:54:09 thehackernews MALWARE EVALUSION Campaign Deploys Amatera Stealer and NetSupport RAT
eSentire has identified the EVALUSION campaign, leveraging ClickFix tactics to distribute Amatera Stealer and NetSupport RAT, posing significant risks to data security. Amatera Stealer, an evolution of the ACR Stealer, is available via subscription and targets crypto-wallets, browsers, and messaging applications, among others. The malware employs advanced evasion techniques, including WoW64 SysCalls, to bypass common security measures like sandboxes and anti-virus solutions. Attackers trick users into executing malicious commands through phishing pages, initiating a process that downloads and executes the malware via PowerShell scripts. The payload, Amatera Stealer DLL, is packed using PureCrypter and injected into the MSBuild.exe process to harvest sensitive data. NetSupport RAT is only downloaded if the victim's machine is part of a domain or contains files of potential value, such as crypto wallets. The campaign is part of a broader trend of phishing attacks using sophisticated obfuscation techniques to evade detection by security tools.
2025-11-17 16:36:22 bleepingcomputer VULNERABILITIES DoorDash Email Spoofing Flaw Sparks Disclosure Dispute with Researcher
A vulnerability in DoorDash's systems allowed unauthorized sending of branded emails, creating a potential phishing channel until recently patched by the company. The flaw was discovered by a security researcher, who reported it could be exploited for social engineering scams using DoorDash's official email templates. The vulnerability involved manipulating the DoorDash for Business platform to send emails with crafted HTML, bypassing spam filters and appearing legitimate. A dispute arose between the researcher and DoorDash over the handling of the disclosure, with accusations of unethical behavior from both parties. Despite the flaw being patched, the researcher claims it remained exploitable for over 15 months, criticizing DoorDash's delayed response. DoorDash asserts the issue was out of scope for their bug bounty program and accuses the researcher of attempting extortion. The incident highlights the challenges in vulnerability disclosure processes and the need for clear communication and ethical standards between researchers and companies.
2025-11-17 15:59:44 bleepingcomputer DATA BREACH Pennsylvania Attorney General Confirms Ransomware-Induced Data Breach
The Pennsylvania Attorney General's Office confirmed a data breach following an August 2025 ransomware attack by the INC Ransom group, affecting personal and medical information. The attack led to significant operational disruptions, taking down the office's website, email accounts, and phone lines, causing widespread impact. Personal data compromised includes names, Social Security numbers, and medical information, as per the Office's investigation. The breach exploited vulnerabilities in Citrix NetScaler appliances, specifically CVE-2025-5777, known as Citrix Bleed 2, affecting public-facing systems. INC Ransom claimed responsibility on their dark web site, alleging theft of 5.7TB of data and potential access to an FBI network. The Pennsylvania OAG chose not to pay the ransom, following a precedent set by previous breaches within the state. This incident marks the third ransomware attack on Pennsylvania state entities, highlighting ongoing cybersecurity challenges.
2025-11-17 15:39:38 theregister CYBERCRIME Europol Targets Extremist Content on Gaming Platforms in Major Sweep
Europol's Internet Referral Unit conducted a large-scale operation on November 13, targeting extremist content across gaming and related platforms. The operation identified thousands of URLs, including 5,408 links to jihadist content and 1,070 promoting violent right-wing extremism. This initiative marks Europol's first significant action focusing on gaming platforms, which are increasingly exploited for radicalization and extremist recruitment. Extremists use gaming spaces for strategic dissemination of propaganda, employing tactics like re-enacting violent scenes in games to attract young audiences. Europol's action forms part of a coordinated "Referral Action Day," involving multiple countries to combat the misuse of digital platforms. The IRU's efforts align with the EU's Radicalisation Awareness Network, which warns of the strategic use of gaming spaces by extremist groups. Gaming platform operators may face increased pressure to collaborate with law enforcement and swiftly address extremist content. This development serves as a caution to parents and young gamers about the evolving risks within gaming environments.
2025-11-17 15:06:13 theregister MISCELLANEOUS Cybersecurity Teams Struggle with Real-World Preparedness Despite Confidence
Immersive's Cyber Workforce Benchmark reveals a gap between confidence and capability, with teams scoring only 22% accuracy in cyber simulations and taking over a day to contain threats. Despite 94% of organizations believing they can effectively handle major incidents, resilience metrics have stagnated since 2023, highlighting a disconnect between perception and actual performance. The report identifies outdated threat scenarios as a key issue, with 60% of training focused on vulnerabilities over two years old, leaving teams unprepared for evolving attacker techniques. Only 41% of organizations involve non-technical roles in simulations, undermining cross-functional communication and collaboration during incidents, despite 90% believing their communication is effective. Organizations frequently use training completion rates as a preparedness measure, which the report criticizes as "false metrics" that obscure real capability gaps. Participation in AI-scenario labs by senior staff has decreased, while non-technical manager involvement has increased, indicating a shift in focus that may impact readiness for novel threats. The report calls for a shift from confidence based on assumptions to evidence-backed readiness, emphasizing continuous improvement across all business levels to ensure true resilience.
2025-11-17 12:47:38 theregister DATA BREACH Eurofiber Cyberattack Compromises French Unit Data, Operational Impact Limited
Eurofiber confirmed a cyberattack on November 13 compromised data from its French operations, affecting internal systems and regional brands like Eurafibre, FullSave, Netiwan, and Avelia. The attack exploited a vulnerability in Eurofiber's ticket management platform, which has since been patched; no banking or critical data was compromised. Although the attack had a limited business impact, some systems used by indirect sales and wholesale partners were operationally affected. Eurofiber's customer-facing services remained fully operational during the incident, and enhanced security measures were promptly implemented. The company reported the incident to French cybersecurity agencies CNIL and ANSSI, indicating an extortion-related attack but did not confirm if a ransom was paid. Eurofiber's response included notifying affected customers and collaborating with cybersecurity experts to manage the incident's impact. This incident is part of a broader trend of cyberattacks on B2B telcos, with recent attacks also affecting companies like Colt and ICUK.
2025-11-17 12:39:18 thehackernews VULNERABILITIES Fortinet FortiWeb Flaw Exploited, Urgent Patch Required by CISA
A vulnerability in Fortinet's FortiWeb WAF, identified as CVE-2025-64446, has been actively exploited since early October 2025, allowing attackers to create malicious administrative accounts. This flaw, with a CVSS score of 9.1, combines path traversal and authentication bypass vulnerabilities, enabling attackers to perform privileged actions without detection. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated Federal Civilian Executive Branch agencies to apply patches by November 21, 2025, to mitigate the risk. The exploitation's origin remains unknown, but the flaw's addition to CISA's Known Exploited Vulnerabilities catalog signals its criticality and widespread threat potential. Organizations using FortiWeb should prioritize patching and review administrative account activities to detect any unauthorized access or changes. This incident emphasizes the importance of timely patch management and continuous monitoring of security advisories to prevent exploitation of known vulnerabilities.
2025-11-17 11:59:17 theregister CYBERCRIME UK Seizes £4.11 Million in Crypto from Twitter Hack Convict
UK prosecutors have seized £4.11 million in cryptocurrency from Joseph James O'Connor, involved in the 2020 Twitter hack targeting high-profile accounts. O'Connor, also known as "PlugwalkJoe," is serving a five-year sentence in the US for conspiracy, wire fraud, and money laundering. The Twitter breach utilized SIM-swapping and social engineering to access accounts of figures like Barack Obama and Bill Gates, netting over $100,000 in Bitcoin. The UK Crown Prosecution Service leveraged civil proceeds-of-crime legislation to seize assets, including Bitcoin and Ethereum, despite O'Connor's conviction occurring abroad. This action underscores the UK's commitment to recovering illicit gains from cybercriminals, regardless of where the crime occurred. O'Connor's activities included accessing private messages and extorting victims, showcasing a broader pattern of cybercriminal behavior. The CPS has recovered nearly £478 million in proceeds-of-crime actions over the past five years, emphasizing its dedication to combating cybercrime.
2025-11-17 11:59:17 thehackernews MISCELLANEOUS LinkedIn Phishing Attacks Exploit Security Gaps in Corporate Networks
Phishing attacks are increasingly targeting LinkedIn, with one-third of such attacks now occurring outside traditional email channels, impacting enterprises in financial and technology sectors. Attackers leverage LinkedIn's messaging system, bypassing traditional email security tools, making detection and prevention more challenging for security teams. The lack of multi-factor authentication on social media accounts facilitates account takeovers, providing attackers with credible platforms for launching phishing campaigns. LinkedIn's professional networking environment allows attackers easy access to high-value targets, enhancing the effectiveness of spear-phishing tactics. Phishing on LinkedIn can lead to significant breaches, allowing attackers access to core business functions and datasets through compromised accounts. Organizations are urged to adopt comprehensive solutions that detect and block phishing across all communication channels, beyond just email. The 2023 Okta breach exemplifies the risks of personal device compromise leading to corporate account vulnerabilities, emphasizing the need for robust security measures.
2025-11-17 11:22:35 thehackernews MALWARE Dragon Breath Campaign Uses RONINGLOADER to Deploy Gh0st RAT
Dragon Breath, also known as APT-Q-27, is targeting Chinese-speaking users with a multi-stage malware campaign using RONINGLOADER to deploy a modified Gh0st RAT. The campaign uses trojanized NSIS installers disguised as legitimate software like Google Chrome and Microsoft Teams to initiate the infection chain. RONINGLOADER employs sophisticated evasion techniques, including tampering with Microsoft Defender and using Protected Process Light (PPL) abuse to disable endpoint security tools. The loader attempts to elevate privileges and terminate processes related to popular Chinese security solutions, such as Qihoo 360 Total Security and Tencent PC Manager. The final payload, Gh0st RAT, allows remote control of infected systems, including keystroke logging, clipboard monitoring, and executing commands via cmd.exe. Parallel campaigns identified by Palo Alto Networks Unit 42 involve large-scale brand impersonation to distribute Gh0st RAT, targeting over 2,000 domains and using complex infection chains. These campaigns demonstrate a strategic use of both old and new infrastructures, suggesting ongoing A/B testing of tactics, techniques, and procedures (TTPs) for effective targeting.
2025-11-17 06:04:19 thehackernews VULNERABILITIES Google Reports Significant Drop in Android Memory Safety Flaws with Rust
Google announced a reduction in Android memory safety vulnerabilities to below 20% due to adopting the Rust programming language, enhancing security and efficiency. Adopting Rust resulted in a 1000x reduction in memory safety vulnerability density compared to Android's previous C and C++ codebases. The transition to Rust has improved software delivery, with changes experiencing a 4x lower rollback rate and 25% less time in code review. Google plans to extend Rust's security benefits to other Android components, including kernel, firmware, and critical apps like Nearby Presence and Chromium. A memory safety vulnerability (CVE-2025-48530) in unsafe Rust code was patched before public release, demonstrating Rust's robust safety features. The incident underscores the importance of layered defense strategies, combining Rust's built-in safety with other security mechanisms like Scudo. Despite Rust's advantages, Google acknowledges that C and C++ will continue to play roles in Android's development, emphasizing a balanced approach to security.
2025-11-17 01:44:02 theregister CYBERCRIME Cyberattack on Jaguar Land Rover Costs Tata Motors $2.4 Billion
Tata Motors, owner of Jaguar Land Rover, reported a cyberattack that significantly disrupted UK production, resulting in a financial impact of approximately $2.4 billion. The cyber incident led to exceptional costs of $258 million, with a notable revenue decline from $8.5 billion to $6.4 billion year-over-year. Despite the setback, Tata Motors experienced sales growth in India, which partially mitigated the financial damage from the cyberattack. CFO Richard Molyneux acknowledged the growing prevalence of such cyber incidents affecting businesses globally, emphasizing the need for enhanced cybersecurity measures. The attack serves as a reminder of the vulnerability of manufacturing operations to cyber threats, highlighting the importance of robust incident response strategies. The incident underscores the potential for significant operational and financial disruption due to cybersecurity breaches, urging companies to prioritize resilience planning.
2025-11-16 23:10:13 theregister DATA BREACH Logitech and DoorDash Disclose Data Breaches Amid Security Concerns
Logitech reported a zero-day attack leading to data exfiltration, affecting both employee and customer information, though sensitive personal data was not compromised. The zero-day vulnerability was patched by Logitech after the software platform vendor released a fix, demonstrating swift response to the breach. DoorDash experienced its third data breach, attributed to a social engineering scam targeting an employee, compromising user information like names and contact details. DoorDash has not found evidence of fraud or identity theft from the breach but advises customers to remain vigilant against phishing attempts. The repeated breaches at DoorDash raise concerns about the company's cybersecurity measures and highlight the ongoing threat of social engineering tactics. These incidents emphasize the need for robust cybersecurity strategies and employee training to mitigate risks from zero-day vulnerabilities and social engineering attacks.
2025-11-16 15:24:18 bleepingcomputer VULNERABILITIES Google to Flag Android Apps Draining Excessive Battery Power
Google announced plans to flag Android apps on the Play Store that excessively drain battery life, impacting their visibility and user experience. The new policy, effective March 2026, introduces a core metric called "excessive partial wake locks" to monitor app performance. Apps exceeding a "bad behavior threshold" of 5% in user sessions over 28 days may be flagged, prompting developers to optimize resource usage. The system tracks non-exempt wake locks, focusing on background activity that prevents devices from entering sleep mode, across a 28-day window. Developers are encouraged to minimize unnecessary wake locks and monitor external libraries and SDKs to enhance app efficiency. This initiative aims to improve battery performance and technical quality rather than targeting malicious apps like spyware or adware. Google's collaboration with Samsung in developing this metric signifies a strategic effort to enhance user experience across the Android ecosystem.