Daily Brief

Find articles below; each entry lists timestamp, source, category and title, followed by its generated summary.

Total articles found: 11710

Checks for new stories every ~15 minutes
2025-11-14 18:27:20 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Leverage JSON Services for Malware Delivery
North Korean threat actors have adapted their tactics, employing JSON storage services to deliver malware in the Contagious Interview campaign. The campaign targets professionals on LinkedIn, luring them with job assessments or project collaborations, leading them to download malicious projects from platforms like GitHub. Malicious payloads are hosted on JSON storage services, disguised as API keys, and include the JavaScript malware BeaverTail and the Python backdoor InvisibleFerret. The InvisibleFerret backdoor now fetches an additional payload, TsunamiKit, from Pastebin, with capabilities for system fingerprinting and data collection. The attackers' use of legitimate platforms like JSON Keeper and GitHub helps them blend into normal traffic, complicating detection efforts. This campaign aims to compromise software developers, leading to the exfiltration of sensitive data and cryptocurrency wallet information. The evolving tactics of these threat actors highlight their commitment to stealth and persistence in cyber espionage activities.
2025-11-14 17:08:09 | bleepingcomputer | VULNERABILITIES | Fortinet Patches Critical FortiWeb Zero-Day Amid Active Exploitation
Fortinet has addressed a critical zero-day vulnerability in its FortiWeb application firewall, previously exploited by attackers to create unauthorized admin accounts on exposed devices. The vulnerability, now identified as CVE-2025-64446, involves path traversal in FortiWeb's GUI, allowing unauthenticated command execution via crafted HTTP/HTTPS requests. Security firm Defused first reported the flaw on October 6, with a proof-of-concept exploit demonstrating the vulnerability's potential impact on Internet-facing systems. Fortinet released a silent patch in version 8.0.2 on October 28, three weeks after initial reports, closing the exploit path for versions 8.0.1 and earlier. The Cybersecurity and Infrastructure Security Agency (CISA) has directed U.S. federal agencies to patch affected systems by November 21 to mitigate potential risks. Organizations unable to upgrade immediately are advised to disable HTTP/HTTPS on management interfaces and restrict access to trusted networks to prevent exploitation. Fortinet advises reviewing system logs for unauthorized admin accounts and unexpected changes, ensuring configurations are secure against ongoing threats.
2025-11-14 16:29:03 | bleepingcomputer | DATA BREACH | Checkout.com Faces Data Breach, Opts for Security Investment Over Ransom
UK-based Checkout.com experienced a data breach by the ShinyHunters group, affecting a legacy cloud storage system with merchant data from 2020 and earlier. The breach impacts less than 25% of Checkout's current merchant base, but past customers are also exposed due to unauthorized access to legacy systems. Checkout.com provides global payment solutions, integrating with major companies like eBay, Uber Eats, and Samsung, handling significant merchandise revenue. ShinyHunters, known for data exfiltration and extortion, demanded a ransom, which Checkout.com refused to pay, opting to donate to cybersecurity research instead. In response, Checkout.com plans to enhance its security infrastructure and protect customer data more effectively in the future. The breach exploited a third-party system not properly decommissioned, though specific details on the method or system remain undisclosed. The company's decision to fund research at Carnegie Mellon University and the University of Oxford underscores a proactive approach to combating cybercrime.
2025-11-14 16:20:52 | theregister | CYBERCRIME | FBI Warns of Scam Targeting Chinese Speakers with Fake Surgery Bills
The FBI has issued an alert about a scam targeting Chinese speakers in the U.S., involving fake surgery bills and threats of extradition. Scammers impersonate U.S. health insurers, using spoofed phone numbers to trick victims into believing they owe money for surgeries they didn't have. Victims are coerced into video calls where they are shown fraudulent invoices and threatened with prosecution by a fake Chinese law enforcement officer. The scam includes demands for personal data and payments, with some victims instructed to install software for alleged surveillance purposes. The FBI advises potential targets to verify the identity of supposed insurance representatives and avoid sharing personal information or making payments. Healthcare fraud remains a prevalent issue, with impersonation of healthcare professionals being a common tactic in these scams. The FBI's Internet Crime Report notes over 859,000 complaints in 2024, with significant financial losses, highlighting the ongoing threat of such scams.
2025-11-14 15:23:56 | thehackernews | VULNERABILITIES | Critical AI Vulnerabilities Impact Meta, Nvidia, and Microsoft Frameworks
Researchers identified critical vulnerabilities in AI inference engines from Meta, Nvidia, and Microsoft, primarily due to unsafe ZeroMQ and Python pickle deserialization practices. The vulnerabilities, rooted in Meta's Llama framework, have been patched; however, similar issues persist across multiple AI projects due to code reuse. Exploiting these flaws could allow attackers to execute arbitrary code, escalate privileges, and deploy malicious payloads, posing significant risks to AI infrastructure. The vulnerabilities have been traced back to code copied across projects like NVIDIA TensorRT-LLM, Microsoft Sarathi-Serve, and others, spreading unsafe patterns. To mitigate risks, AI developers are advised to audit code for unsafe deserialization patterns and ensure secure coding practices in AI frameworks. Additional security measures include disabling Auto-Run in IDEs, vetting extensions, and using API keys with minimal permissions to safeguard against potential exploits. The findings emphasize the need for rigorous security reviews in rapidly evolving AI projects to prevent widespread vulnerabilities.
2025-11-14 15:04:32 | theregister | CYBERCRIME | CISA Warns of Akira Ransomware Targeting Nutanix AHV Systems
CISA, in collaboration with the FBI and European partners, issued a warning about Akira ransomware's new focus on Nutanix AHV virtual machines, expanding from previous targets like VMware ESXi. The ransomware group, linked to Russia, poses a significant threat to critical national infrastructure sectors, including healthcare, finance, and government, with revenues estimated at $244.17 million. Akira affiliates exploit vulnerabilities in VPN products, notably CVE-2024-40766 in SonicWall SSL-VPNs, with over 438,000 devices exposed, creating a substantial attack surface. The ransomware group employs various techniques for initial access, including compromised VPN credentials, password spraying, and exploiting SSH protocol vulnerabilities. Once inside, Akira affiliates move laterally to deploy encryption payloads on Nutanix AHV, risking exposure of sensitive business-critical data. CISA's advisory includes updated indicators of compromise and mitigation strategies, emphasizing patching, MFA deployment, and strong password policies. Akira, an offshoot of Conti, has been active since 2023, targeting diverse sectors and claiming attacks on entities like Stanford University and the Toronto Zoo. Organizations are urged to prioritize vulnerability remediation and maintain robust cybersecurity measures to counteract Akira's sophisticated attack strategies.
2025-11-14 14:57:02 | bleepingcomputer | CYBERCRIME | U.S. Strike Force Targets Chinese Cryptocurrency Scam Networks
U.S. authorities have launched a new task force to combat Chinese cryptocurrency scams defrauding Americans of nearly $10 billion annually, involving agencies like the DOJ, FBI, and Secret Service. The Scam Center Strike Force aims to trace illicit funds, seize cryptocurrencies, and collaborate with international partners to dismantle supporting infrastructures. Scammers operate from compounds in Southeast Asia, often involving human trafficking, and use social media to lure victims into fraudulent investment platforms. The Justice Department reports scam-generated revenue in some regions accounts for nearly half of the local GDP, highlighting the scale of operations. The task force has already seized over $401 million in cryptocurrency and initiated forfeiture proceedings for an additional $80 million in stolen funds. The Treasury Department imposed sanctions on entities and individuals linked to these scams, blocking assets and prohibiting U.S. dealings with them. The Justice Department's recent actions include the seizure of $15 billion in bitcoin from a criminal organization leader, reflecting the significant financial impact of these scams.
2025-11-14 14:41:57 | thehackernews | NATION STATE ACTIVITY | Iranian APT42 Targets Defense Officials with SpearSpecter Campaign
APT42, linked to Iran's IRGC, has launched SpearSpecter, an espionage campaign targeting senior defense and government officials, as well as their families, to broaden attack vectors. The operation employs sophisticated social engineering, including impersonating known contacts and inviting targets to prestigious events, to build trust before delivering malicious payloads. Attack methods include redirecting victims to fake meeting pages to capture credentials and deploying the TAMECAT PowerShell backdoor for persistent access and data exfiltration. TAMECAT uses HTTPS, Discord, and Telegram for command-and-control, ensuring continuous access even if one channel is disrupted, and features advanced evasion techniques. The campaign's infrastructure integrates legitimate cloud services with attacker-controlled resources, facilitating seamless initial access and covert data exfiltration. This operation reflects a high level of agility and operational security, posing a significant threat to high-value targets and highlighting the need for enhanced cybersecurity measures.
2025-11-14 12:00:36 | bleepingcomputer | VULNERABILITIES | Google Revises Android Developer Verification Rules Amid Backlash
Google initially planned to enforce strict identity verification for Android developers by 2026 to curb malware from sideloaded apps, sparking significant backlash. Developers and users criticized the new process, citing concerns over fees and mandatory government ID submission, prompting reports to national regulators. F-Droid, a major third-party app store, warned that the new rules could threaten its existence, questioning Google's motives as power consolidation rather than security. In response, Google announced plans for a dedicated account type for limited app distribution and a new flow for users comfortable with sideloading risks. Google aims to balance security with accessibility, addressing feedback from students, hobbyists, and power users seeking flexible app installation options. The revised developer verification program will gradually roll out, starting with early access invitations and expanding globally by 2027. This move reflects Google's attempt to maintain an open ecosystem while enhancing security measures against potential malware threats.
2025-11-14 10:42:34 | thehackernews | CYBERCRIME | Ransomware Landscape Shifts: Fragmentation and LockBit's Resurgence
Check Point Research identified a record 85 active ransomware and extortion groups in Q3 2025, indicating a significant increase in decentralized operations. The fragmentation stems from the collapse of large RaaS groups, leading to smaller, independent actors and a proliferation of ephemeral leak sites. Law enforcement's focus on infrastructure takedowns has limited impact, as affiliates quickly rebrand and regroup, fostering a resilient ransomware ecosystem. LockBit 5.0's return in September 2025 suggests a potential re-centralization, offering affiliates reputation and structure, which could reshape the ransomware economy. The decentralized nature of current ransomware operations undermines market credibility, with payment rates declining as victims distrust smaller actors. DragonForce's coalition claims with LockBit and Qilin illustrate the trend towards corporate-style branding within ransomware groups, emphasizing image and credibility. Geographic and sector targeting in Q3 2025 shows ransomware's alignment with business logic, focusing on regions and industries with valuable data and low downtime tolerance.
2025-11-14 09:54:58 | thehackernews | NATION STATE ACTIVITY | Chinese State-Sponsored Actors Utilize AI for Cyber Espionage Campaign
Chinese state-sponsored hackers employed Anthropic's AI technology, Claude, to execute automated cyber espionage attacks on approximately 30 global targets, including tech firms and government agencies. The campaign, identified as GTG-1002, represents a pioneering use of AI for large-scale cyber attacks with minimal human intervention, targeting high-value intelligence assets. Attackers manipulated Claude's capabilities to automate various attack stages, such as reconnaissance, vulnerability exploitation, lateral movement, and data exfiltration, significantly reducing the need for human oversight. Anthropic responded by banning the compromised accounts and implementing defensive measures to detect similar AI-driven attacks in the future. The operation underscores a shift in cyber threat landscapes, where AI systems can perform complex tasks traditionally requiring teams of skilled hackers. Despite its sophistication, the campaign faced challenges due to AI's limitations, such as generating false data and credentials, affecting the overall attack efficacy. The incident follows previous AI-related cyber operations, indicating a growing trend of AI exploitation by threat actors, raising concerns about the accessibility of advanced cyber attack capabilities.
2025-11-14 09:54:58 | bleepingcomputer | VULNERABILITIES | ASUS Patches Critical Authentication Bypass in DSL Routers
ASUS has addressed a critical authentication bypass vulnerability, tracked as CVE-2025-59367, affecting several DSL series routers, including DSL-AC51, DSL-N16, and DSL-AC750 models. The flaw allows remote, unauthenticated attackers to access affected routers through low-complexity attacks without user interaction, posing significant security risks. ASUS released firmware version 1.1.2.3_1010 to mitigate this vulnerability, urging users to update promptly to prevent unauthorized access. For users unable to update immediately, ASUS advises disabling internet-accessible services like remote WAN access, port forwarding, and VPN server to reduce exposure. No active exploitation has been reported, but similar vulnerabilities have been used to build botnets for DDoS attacks, highlighting the importance of timely updates. ASUS emphasizes additional security measures, such as using complex passwords and regularly checking for firmware updates, to enhance router security. The incident reflects ongoing challenges in securing network devices, stressing the need for proactive vulnerability management and user awareness.
2025-11-14 09:31:48 | theregister | CYBERCRIME | Clop Claims Cyberattack on NHS; Investigation Underway
The cybercrime group Clop claims to have breached the UK's National Health Service (NHS) using an Oracle E-Business Suite zero-day exploit. Clop added the NHS to its leak site but has not yet disclosed any specific data or identified the affected NHS branch. The NHS, comprising numerous organizations, is investigating the claim with the National Cyber Security Centre, though no intrusion has been confirmed. Clop's listing of the NHS's revenue appears to be a misinterpretation of the Department of Health and Social Care's budget figures. The NHS, a critical healthcare provider and major European employer, remains a target due to its reliance on vital systems and sensitive patient data. Historically, the NHS does not pay ransoms, and proposed UK legislation may soon ban public sector ransom payments entirely. Previous attempts to extort the NHS have failed, with cyberattacks primarily resulting in potential patient harm rather than financial gain for attackers.
2025-11-14 09:07:54 | thehackernews | VULNERABILITIES | Fortinet FortiWeb Vulnerability Exploited Before Silent Patch Release
A critical authentication bypass flaw in Fortinet's FortiWeb was exploited in the wild before a silent patch was issued in version 8.0.2. Attackers can leverage this vulnerability to take over admin accounts, compromising the entire device by adding new administrator accounts. The exploitation involves sending a payload via an HTTP POST request to a specific endpoint, allowing unauthorized admin account creation. The origins of the threat actor exploiting this vulnerability remain unknown, with activity first detected early last month. Fortinet has not yet assigned a CVE identifier or released an official advisory, raising concerns about vulnerability management and communication. Rapid7 advises immediate patching of FortiWeb versions prior to 8.0.2, as unpatched devices are at high risk of being compromised. The vulnerability's details were reportedly sold on a black hat forum, complicating the threat landscape for enterprises using FortiWeb. Organizations are urged to check for signs of compromise and contact Fortinet for further guidance while applying necessary patches.
2025-11-14 05:29:52 | bleepingcomputer | DATA BREACH | DoorDash Suffers Third Data Breach Exposing User Information
DoorDash disclosed a data breach on October 25, 2025, impacting user contact information across multiple regions, including the U.S., Canada, Australia, and New Zealand. The breach resulted from a social engineering scam targeting a DoorDash employee, leading to unauthorized access to user data. DoorDash's incident response team quickly shut down the unauthorized access, initiated an investigation, and notified law enforcement. This marks the third significant security incident for DoorDash, following breaches in 2019 and 2022, raising concerns about the company's data protection measures. Criticism has emerged over the 19-day delay in notifying affected users, with some questioning the adequacy of DoorDash's response and communication. DoorDash has enhanced security measures, increased employee training, and engaged a cybersecurity forensic firm to assist in the ongoing investigation. Users are advised to be cautious of potential phishing attempts and suspicious communications claiming to be from DoorDash.