Daily Brief

Articles are listed below, each with a generated summary

Total articles found: 11755

Checks for new stories every ~15 minutes

2025-11-11 14:34:07 theregister MISCELLANEOUS EU's Proposed GDPR Reforms Spark Privacy Concerns Among Activists
Privacy advocates criticize the European Commission's proposed reforms to GDPR and AI regulations, alleging favoritism towards Big Tech and potential weakening of privacy protections. The proposed "Digital Omnibus" package aims to amend regulations on AI, cybersecurity, data protection, and privacy, potentially impacting businesses and individuals across Europe. Critics argue that the reforms could introduce loopholes allowing companies more freedom to use personal data commercially, undermining existing GDPR protections. Changes could limit individuals' rights to access, correct, or delete their data, affecting employees, journalists, and researchers' ability to leverage data access in disputes. Proposals may weaken protections for sensitive data, allowing companies to infer personal information without triggering existing safeguards, raising concerns about discrimination risks. The reforms are presented as reducing administrative burdens for small businesses, but privacy groups view this as a strategy to garner public support for the changes. The outcome of these proposals could influence global policymaking, as past EU regulations have inspired similar laws in other regions, including the United States.
2025-11-11 13:30:45 theregister VULNERABILITIES OWASP 2025 Report: Broken Access Control Tops Security Risks
The OWASP 2025 report identifies broken access control as the leading application security risk, affecting 3.73% of tested applications, emphasizing its prevalence across web apps, APIs, and digital systems. Security misconfiguration ranks second, driven by a trend towards configuration-based security, particularly impacting cloud and infrastructure environments. Software supply chain failures debut in the top three, attributed to their high exploit potential and impact, despite fewer occurrences. The report introduces a new category, mishandling of exceptional conditions, addressing vulnerabilities from improper error handling and race conditions. Prompt injection is flagged as the top risk for AI applications, where input manipulation can bypass security checks in large language models. OWASP's list, based on extensive data and community feedback, aims to guide organizations in prioritizing security efforts effectively. Developers express concern that despite increased identification of issues, secure coding remains a low priority until incidents occur.
2025-11-11 13:14:09 bleepingcomputer VULNERABILITIES Webinar Explores Modern Strategies for Effective Patch Management
BleepingComputer and SC Media will host a webinar on December 2nd, focusing on modern patch management strategies to address persistent challenges in vulnerability remediation. Gene Moody, Field CTO at Action1, will discuss innovative approaches to overcome delays and risks associated with outdated patching processes. The session will highlight how automation and continuous visibility can help prioritize risks, maintain compliance, and accelerate patching in dynamic IT environments. Action1's cloud-native platform offers a real-time solution, addressing the limitations of legacy tools like Microsoft WSUS, which struggled with scalability and maintenance. Practical advice and real-world examples will be shared, illustrating how organizations can align remediation efforts with business impact, freeing resources through automation. The webinar aims to equip IT and security teams with strategies to bridge the gap between detection and remediation, reducing exposure to breaches from known vulnerabilities. Participants will learn to prioritize patches based on business impact, improve visibility, and implement policy-driven, compliance-aware patching practices.
2025-11-11 12:25:46 theregister DATA BREACH Clop Ransomware Exploits Oracle EBS, Compromises 10,000 GlobalLogic Staff Records
GlobalLogic, owned by Hitachi, reported a data breach affecting over 10,000 current and former employees, linked to Clop ransomware's exploitation of Oracle E-Business Suite vulnerabilities. Exposed data includes sensitive personal information such as Social Security numbers, passport details, and bank account information, raising significant privacy and security concerns. The breach is part of a broader campaign impacting high-profile entities like The Washington Post and Allianz UK, exploiting Oracle EBS vulnerabilities CVE-2025-61882 and CVE-2025-61884. GlobalLogic's investigation indicates unauthorized access began in July 2025, aligning with findings from Google Threat Intelligence Group and Mandiant on suspicious traffic targeting Oracle EBS servers. Oracle released emergency patches in September; however, many organizations were likely compromised before the updates were available, highlighting the need for timely patch management. Clop's strategy focuses on data theft and extortion rather than encryption, using leak sites to pressure victims, which has proven profitable in past incidents. The incident underscores the critical importance of securing enterprise resource planning systems, which are often deeply integrated into corporate operations.
2025-11-11 11:58:44 theregister VULNERABILITIES UK Investigates Remote Access Risks in Chinese-Made Electric Buses
The UK government is examining potential cybersecurity risks in Chinese-made Yutong electric buses, prompted by concerns from Norwegian operator Ruter about remote access vulnerabilities. Ruter's tests revealed that Yutong buses might be remotely accessed for software updates and diagnostics, raising fears of potential operational disruptions. The UK National Cyber Security Centre is collaborating with the Department for Transport to assess and mitigate any identified risks in the 700 Yutong buses operating in the UK. Pelican, the UK importer, asserts that Yutong vehicles comply with international cybersecurity standards, and updates are manually applied by engineers on-site. Yutong claims compliance with UN and ISO cybersecurity regulations, storing EU data in Frankfurt, but questions about remote power management access remain unanswered. The situation highlights the importance of robust cybersecurity measures in procurement processes for critical public infrastructure like electric buses. Industry leaders, including First Bus, emphasize the significance of cybersecurity in procurement, acknowledging the broader industry learning from Ruter's findings.
2025-11-11 11:58:43 thehackernews MALWARE Malicious npm Package Targets GitHub Repositories for Token Theft
A malicious npm package, "@acitons/artifact," was discovered targeting GitHub-owned repositories by mimicking the legitimate "@actions/artifact" package. The package aimed to execute scripts during GitHub repository builds to exfiltrate tokens and publish malicious artifacts. Six versions of the package included a post-install hook to download and execute malware, but these versions have been removed by the threat actor. The package, uploaded on October 29, 2025, achieved 47,405 downloads, indicating significant exposure before removal. Another similar package, "8jfiesaf83," was identified but is no longer available; it had been downloaded 1,016 times. The malware used an obfuscated shell script to exfiltrate data from GitHub Actions workflows to a specific subdomain. This attack specifically targeted GitHub's own repositories, suggesting a highly focused campaign against the organization.
2025-11-11 11:58:43 thehackernews VULNERABILITIES AI-Driven Supply Chain Attacks Demand New Defensive Strategies
AI-enabled supply chain attacks have surged by 156% in the past year, challenging traditional security measures and demanding innovative defensive strategies from organizations. Recent incidents include the NullBulge group's attacks on Hugging Face and GitHub, which leveraged open-source repositories to target AI tools and gaming software. The Solana Web3.js library was compromised through phishing, leading to the theft of up to $190,000 in cryptocurrency by exploiting backdoor code. Wondershare RepairIt vulnerabilities exposed sensitive data through hardcoded cloud credentials, allowing potential supply chain attacks on AI models. The 3CX attack of 2023, affecting 600,000 companies, showcased polymorphic traits of AI-assisted malware, complicating detection efforts. Traditional security approaches, such as signature-based detection, are increasingly ineffective against rapidly mutating AI-generated threats. Regulatory frameworks like the EU AI Act impose stringent requirements on AI supply chain security, with penalties reaching up to 7% of global turnover. Organizations are urged to adopt a new defensive framework, integrating AI-specific controls to gain a competitive advantage in cybersecurity resilience.
2025-11-11 11:49:30 thehackernews MALWARE Fantasy Hub Android Trojan Transforms Telegram into Cybercrime Marketplace
Fantasy Hub, a new Android remote access trojan, is marketed on Russian-speaking Telegram channels as a Malware-as-a-Service (MaaS) offering, targeting financial and enterprise mobile users. The malware enables extensive espionage capabilities, including SMS interception, contact extraction, and banking credential theft, posing significant risks to businesses using BYOD policies. Fantasy Hub users can create fake Google Play Store pages to distribute the malware, which masquerades as legitimate apps, enhancing its reach and effectiveness. The service includes a bot-driven subscription model, allowing attackers to customize and deploy trojanized APKs, with prices ranging from $200 weekly to $4,500 annually. The malware abuses default SMS handler roles to gain permissions, using fake overlays to capture banking credentials from Russian institutions like Alfa and Sberbank. Zscaler ThreatLabz reports a 67% increase in Android malware transactions, highlighting the growing threat of sophisticated spyware and banking trojans. CERT Polska warns of Android malware, NGate, targeting Polish banks via NFC relay attacks, emphasizing the need for robust mobile security measures.
2025-11-11 11:08:59 theregister CYBERCRIME UK Cyber Insurance Payouts Surge Amid Rising Ransomware Attacks
The Association of British Insurers reported a significant increase in cyber insurance payouts in the UK, totaling £197 million ($259 million) in 2024, up from £59 million ($77 million) in 2023. Ransomware and malware incidents accounted for 51% of claims in 2024, a notable rise from 32% in 2023, reflecting growing attack sophistication and impact. Cyber insurance is seen as a critical risk management tool, offering financial support and access to expert advice, threat monitoring, and incident response planning. High-profile companies like Marks & Spencer and Jaguar Land Rover faced substantial financial impacts from cyberattacks, with varying levels of insurance coverage affecting their recovery strategies. The debate continues over whether cyber insurance encourages ransom payments, with some experts advocating for policy changes to prevent incentivizing criminal activities. Industry leaders argue that cyber insurance can drive improved security standards by enforcing minimum requirements on policyholders. The UK's National Cyber Security Centre supports the role of cyber insurance in enhancing organizational security, despite ongoing discussions about its influence on ransom payments.
2025-11-11 10:14:46 theregister MISCELLANEOUS UK's Ajax Fighting Vehicle Faces Operational and Safety Challenges
The UK's Ministry of Defence has declared initial operating capability for the Ajax armored fighting vehicle, despite significant delays and ongoing safety concerns affecting crew health. Originally planned for delivery in 2017, the Ajax program is at least five years behind schedule, with only 165 of the 589 vehicles delivered to date. Technical issues, including excessive noise and vibration, have led to crew injuries, prompting hospital visits and raising questions about the vehicle's fitness for purpose. A House of Commons report criticized the Ministry of Defence and General Dynamics for underestimating the complexity of developing Ajax, which required meeting 1,200 capability requirements. Despite the challenges, the British Army values the advanced situational awareness and control features of Ajax, which represent a significant upgrade over previous armored vehicles. Concerns persist about Ajax's vulnerability to modern drone warfare, as it lacks airburst ammunition, which could enhance its defense against aerial threats. The program's cost has escalated to an estimated £6.3 billion ($8.3 billion), exceeding the initial budget, with further financial implications anticipated.
2025-11-11 00:53:19 bleepingcomputer NATION STATE ACTIVITY North Korean APT37 Exploits Google Find Hub in Targeted Attacks
North Korean group APT37 leverages Google Find Hub to track and reset Android devices, primarily targeting South Korean individuals through KakaoTalk messenger. The campaign, linked to KONNI activity, involves spear-phishing attacks spoofing South Korean agencies, leading to device compromise and data exfiltration. Attackers use remote access trojans, including RemcosRAT and QuasarRAT, to harvest credentials and manipulate security settings on victim devices. The use of Google Find Hub allows attackers to remotely wipe devices, isolating victims and erasing traces of the attack to hinder recovery efforts. Genians' analysis reveals attackers timed GPS tracking and device resets to coincide with victims being less responsive, enhancing attack effectiveness. Recommendations include enabling multi-factor authentication for Google accounts and verifying sender identity before opening files in messaging apps. Genians provides technical analysis and indicators of compromise to assist organizations in identifying and mitigating related threats.
2025-11-11 00:18:34 theregister VULNERABILITIES Microsoft Researchers Identify Side-Channel Vulnerability in LLMs
Microsoft researchers discovered a side-channel attack, Whisper Leak, targeting large language models (LLMs) by analyzing packet size and timing patterns to infer encrypted prompt topics. This vulnerability affects models from providers such as Anthropic, AWS, DeepSeek, and Google, posing risks to both personal and enterprise communications. The attack exploits streaming models, which send responses incrementally, making them susceptible to interception and analysis by attackers monitoring encrypted traffic. Microsoft disclosed the flaw to affected vendors, with Mistral, Microsoft, OpenAI, and xAI implementing mitigations, while others remain unresponsive or declined to act. The attack's probabilistic nature means different vendors experience varying impacts, with proof-of-concept tests showing high precision in identifying sensitive topics. Mitigation strategies include adding random text sequences to responses and grouping tokens to obscure size and timing patterns, reducing attack effectiveness. Despite no known active attacks, the potential for offline exploitation remains, emphasizing the need for vigilant monitoring and proactive defenses against such vulnerabilities.
2025-11-10 22:30:10 bleepingcomputer VULNERABILITIES Firefox 145 Introduces Enhanced Anti-Fingerprinting Privacy Features
Mozilla has announced Firefox 145 with advanced anti-fingerprinting features aimed at reducing user tracking across web sessions, initially available in Private Browsing and ETP Strict modes. Fingerprinting allows tracking of users through unique digital signatures derived from subtle identifiers like timezone and hardware details, even when cookies are blocked. The new Phase 2 protections reduce unique fingerprinting capability to 20%, down from 35%, by blocking requests for hardware and software details. Mozilla balances privacy with usability, allowing users to disable protections on specific sites to prevent disruption of legitimate website functionalities. Firefox 145 is available for download, marking the first release without a 32-bit Linux version due to decreased demand. These privacy enhancements reflect Mozilla’s ongoing commitment to user privacy while maintaining essential web functionalities.
2025-11-10 21:30:02 bleepingcomputer CYBERCRIME Quantum Route Redirect PhaaS Targets Microsoft 365 Credentials Globally
Quantum Route Redirect, a phishing automation platform, is exploiting around 1,000 domains to steal Microsoft 365 credentials, impacting users worldwide, with 76% of attacks targeting the U.S. The platform enables less skilled cybercriminals to execute sophisticated phishing attacks by automating traffic rerouting and victim tracking, expanding the threat landscape. Phishing emails mimic legitimate communications like DocuSign requests or payment notifications, directing victims to credential harvesting sites with URLs following a specific pattern. The platform's built-in filtering mechanism can differentiate between bots and human visitors, redirecting victims to phishing pages while sending automated systems to benign sites. KnowBe4 researchers have identified the platform's extensive use across 90 countries, predicting its growth due to its ability to evade URL scanning technologies. Similar phishing services such as VoidProxy and Darcula have gained traction, but robust URL filtering and account monitoring tools are recommended to mitigate these threats. Organizations are advised to enhance their cybersecurity measures to detect and prevent phishing attempts, safeguarding sensitive user credentials from compromise.
2025-11-10 20:52:13 thehackernews VULNERABILITIES Triofox Vulnerability Exploited to Deploy Remote Access Tools
Mandiant Threat Defense identified active exploitation of a critical vulnerability in Triofox, tracked as CVE-2025-12480, allowing unauthorized access and execution of arbitrary payloads. The flaw, with a CVSS score of 9.1, enables attackers to bypass authentication and access Triofox configuration pages, facilitating the upload of malicious files. Threat actor UNC6485 has been exploiting this vulnerability since August 2025, despite a patch released by Gladinet in July 2025. Attackers created a new admin account, leveraging it to execute malicious scripts via Triofox's antivirus feature, inheriting SYSTEM account privileges. Malicious scripts downloaded Zoho UEMS to deploy remote access tools like Zoho Assist and AnyDesk, enabling reconnaissance and privilege escalation. To evade detection, attackers used tools like Plink and PuTTY to establish encrypted tunnels for inbound RDP traffic to a command-and-control server. Triofox users are urged to update to the latest software version, audit admin accounts, and ensure antivirus configurations do not allow unauthorized script execution.