Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11755
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-11-05 14:06:26 | thehackernews | VULNERABILITIES | Researchers Identify Vulnerabilities in OpenAI's ChatGPT Models | Security researchers have disclosed seven vulnerabilities in OpenAI's ChatGPT (GPT-4o and GPT-5) that could be chained to extract personal data from users.
Most of them are indirect prompt injection vectors: instructions hidden in web pages, search results or tool output that the model then carries out on the user's behalf.
OpenAI has fixed some of the issues, but there is still no systemic fix for prompt injection, so the risk is ongoing.
The research shows how much the attack surface grows once a chatbot is wired to browsing, search and other external tools.
Related studies cited in the report find that training on "junk data" degrades model quality, and that poisoning a training set is more practical than previously assumed.
The findings underline the need for safety mechanisms that both block prompt injection and limit the damage when it succeeds.
The report also raises concerns that market-driven optimization of models trades safety for competitive advantage and can reward deceptive behaviour. | Details |
| 2025-11-05 12:35:28 | bleepingcomputer | CYBERCRIME | Global Operation Chargeback Dismantles Major Credit Card Fraud Rings | International authorities have dismantled three credit card fraud networks that defrauded more than 4.3 million cardholders in 193 countries, with losses above €300 million.
The coordinated effort, named "Operation Chargeback," involved law enforcement from Germany, the USA, Canada and several European countries and led to 18 arrests.
In Germany, authorities executed 29 searches across eight states and seized assets worth more than €35 million, including luxury vehicles, cryptocurrency and electronic devices.
The networks abused the infrastructure of four major German payment service providers to process and launder the proceeds of more than 19 million fake online subscriptions.
Suspects allegedly used shell companies registered in the UK and Cyprus to process the fraudulent transactions while keeping chargebacks and scrutiny low.
Europol credits the result to cross-border coordination and shared analytical capabilities, calling it a significant step against global card fraud and money laundering. | Details |
| 2025-11-05 12:01:37 | theregister | CYBERCRIME | Marks & Spencer Faces £136M Cyberattack Cleanup Amid Profit Decline | Marks & Spencer put the cost of April's cyberattack at £136 million in its half-year report.
That includes £83 million of immediate system recovery costs plus legal and professional fees, partly offset by a £100 million cyber insurance claim.
The attack drove a 55.4% drop in profits; a new packaging levy added a further £50 million of costs.
Online sales fell 42.9% because the company had to disconnect its warehouse management systems and fall back to manual processes.
Despite a 22.1% rise in overall revenues to £7.96 billion, operational challenges led to a reduction in operating profit margin from 12% to 2.7%.
The retailer's fashion, home, and beauty sales dropped 16.4%, while food sales increased 7.8%, yet profits were impacted by increased markdowns and waste.
CEO Stuart Machin noted the challenges faced but expressed confidence in the company's recovery and future trajectory. | Details |
| 2025-11-05 11:55:57 | thehackernews | MISCELLANEOUS | Samsung Knox Enhances Android Security for Enterprise Resilience | Samsung Knox is a security platform for Samsung Galaxy devices that combines hardware and software protections to protect enterprise data.
The article (a sponsored piece) sets out to dispel common myths about Android security and argues for proactive, layered defences.
Knox's enterprise controls let IT administrators approve apps and block sideloading, reducing the risk from third-party applications.
AI-powered malware defences add a further layer of protection for enterprise devices.
Outdated devices and weak IT policies are called out as the biggest risks; Knox addresses them with enforceable policies and visibility into device behaviour.
The Knox E-FOTA tool lets administrators schedule and stage Android updates, turning patching into a managed process.
The piece's conclusion is that Android, managed through Knox, is an enterprise-grade platform with government-grade protection and centralized management rather than a security liability. | Details |
| 2025-11-05 11:22:38 | thehackernews | NATION STATE ACTIVITY | SmudgedSerpent Hackers Exploit Geopolitical Tensions in Cyber Espionage Campaign | A new threat cluster tracked by Proofpoint as UNK_SmudgedSerpent targeted U.S. policy experts during the Iran-Israel tensions, focusing on academics and foreign policy professionals between June and August 2025.
The tradecraft overlaps with Iranian groups TA455, TA453 and TA450: political lures to start a conversation, followed by credential harvesting.
Phishing emails impersonated U.S. foreign policy figures and led victims to malicious URLs disguised as Microsoft Teams or OnlyOffice login pages.
More than 20 experts from U.S. think tanks, including the Brookings Institution and the Washington Institute, were targeted, all working on Iran-related policy.
Some of the URLs delivered MSI installers that deployed legitimate RMM software such as PDQ Connect, followed in some cases by hands-on-keyboard activity to install additional tools.
The operation reflects Iran's strategic interest in Western policy analysis and suggests evolving cooperation between Iranian intelligence and its cyber units.
The campaign's sophistication and its timing against geopolitical events underline the persistent threat of state-sponsored espionage. | Details |
| 2025-11-05 11:00:53 | thehackernews | NATION STATE ACTIVITY | U.S. Sanctions North Korean Entities for Crypto Laundering and IT Fraud | The U.S. Treasury has sanctioned eight individuals and two entities linked to North Korea for laundering $12.7 million from cybercrime and IT worker fraud schemes.
The sanctioned actors are accused of generating revenue for North Korea's nuclear weapons programme, a threat to U.S. and global security.
Of the laundered funds, $5.3 million is tied to a North Korean ransomware actor that previously targeted U.S. victims and to revenue from IT worker operations.
North Korean cyber actors are estimated to have stolen more than $3 billion in digital assets over three years using advanced malware and social engineering.
The regime places IT workers around the world who hide their identities to win employment and funnel their income back to North Korea.
Some DPRK IT workers partner with foreign freelancers to deliver projects and split the revenue, which helps them evade sanctions.
TRM Labs identified cryptocurrency wallet addresses linked to First Credit Bank with steady inbound flows that resemble salary payments.
These schemes are a central part of North Korea's sanctions-evasion strategy, moving millions through both traditional and digital channels. | Details |
| 2025-11-05 10:34:54 | thehackernews | MISCELLANEOUS | Strategies to Mitigate SOC Analyst Burnout and Boost Efficiency | Security Operations Centers (SOCs) suffer from analyst burnout driven by alert fatigue and repetitive tasks, which drags down team performance and security posture.
Alert overload is the main problem, with analysts spending too much time triaging alerts that lack context; the article (a sponsored piece) presents ANY.RUN's sandbox as a source of real-time context for prioritization.
Interactive sandboxes show the full attack chain as it unfolds, so analysts can confirm threats such as phishing quickly and with more certainty.
Automating routine tasks such as log collection and report generation frees analysts for high-value work, reducing burnout and improving response times.
Integrating real-time threat intelligence cuts context-switching and checks against stale data, so analysts act on current, verified information.
SOCs that adopt these practices report higher efficiency and less burnout.
The piece closes by inviting readers to engage ANY.RUN's experts for tailored solutions. | Details |
| 2025-11-05 10:34:54 | bleepingcomputer | NATION STATE ACTIVITY | U.S. Sanctions North Korean Entities for Cybercrime and IT Fraud | The U.S. Treasury Department has sanctioned two North Korean entities and eight individuals for laundering cryptocurrency linked to cybercrime and fraudulent IT worker schemes.
The entities are Ryujong Credit Bank and Korea Mangyongdae Computer Technology Company, designated for facilitating sanctions evasion and fraudulent IT operations.
The individuals include North Korean bankers who managed funds tied to ransomware attacks on U.S. victims, exposing financial networks that extend into Russia and China.
Over the past three years North Korean actors have stolen more than $3 billion in cryptocurrency using advanced malware and social engineering.
North Korean IT workers abroad disguise their identities to earn millions through development contracts, a persistent international security problem.
The sanctions freeze assets under U.S. jurisdiction, and financial institutions that transact with the designated parties risk secondary sanctions.
The action follows a report documenting North Korea's cyber capabilities, their threat to digital economies and their violation of UN sanctions. | Details |
| 2025-11-05 10:03:37 | theregister | VULNERABILITIES | Daniel J. Bernstein Endorses Fil-C for Enhanced Memory Safety in C/C++ | Cryptographer Daniel J. Bernstein has endorsed Fil-C, a memory-safe implementation of C and C++, praising its compatibility with existing code and its memory safety guarantees.
Fil-C, built on Clang and LLVM, targets the memory safety bugs in C and C++ that account for a large share of software vulnerabilities.
In Bernstein's testing, many libraries and applications compiled and ran under Fil-C without modification, which makes it attractive to developers who want safer code without a rewrite.
The safety comes at a price: Fil-C code runs slower than conventional C and is not ABI compatible with it, so everything in a process has to be rebuilt with Fil-C.
Fil-C is part of a broader industry push for memory safety alongside efforts such as CHERI and OMA.
Because it traps common C errors such as out-of-bounds accesses and use-after-free at run time, Fil-C is a compelling option for hardening individual components of large systems.
The endorsement carries weight given Bernstein's reputation for writing secure C, and adds credibility to Fil-C as a practical mitigation. | Details |
| 2025-11-05 09:26:45 | theregister | VULNERABILITIES | Defra's Costly IT Upgrade Faces Challenges with Obsolete Systems | The UK's Defra spent £312 million upgrading its IT estate, replacing 31,500 Windows 7 laptops with Windows 10 devices; Windows 10 itself reached end of support in October 2025.
Despite the spend, more than 40% of Defra's devices still run Windows 10, raising questions about future security and operational efficiency.
The programme remediated 49,000 critical vulnerabilities, migrated 137 legacy applications and closed one datacenter, with three more closures planned.
Defra's modernization aims to improve efficiency, make critical systems more reliable and reduce cyber risk, but 24,000 devices still need replacing.
The strategy relies on cloud migration and automation to lift productivity, a transition that may prove more complex and costly than anticipated.
It is unclear whether the Windows 10 deployment was ever more than a stopgap ahead of a broader move to cloud-based systems.
Whether Defra avoids repeating its technical debt depends on executing its cloud migration and decommissioning plans. | Details |
| 2025-11-05 06:12:35 | thehackernews | VULNERABILITIES | CISA Identifies Active Exploitation of Gladinet and CWP Flaws | CISA has added vulnerabilities in Gladinet products and Control Web Panel (CWP) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Huntress has observed exploitation attempts against CVE-2025-11371 (Gladinet CentreStack and Triofox) in which attackers ran Base64-encoded reconnaissance commands such as ipconfig /all.
CVE-2025-48703 lets an unauthenticated remote attacker execute arbitrary commands on a CWP instance, provided they know a valid username.
Federal Civilian Executive Branch agencies must apply the patches by November 25, 2025.
The KEV additions follow reports of critical flaws in WordPress plugins and themes, with the same advice to update promptly.
Organizations are advised to update affected software immediately, strengthen password policies and audit their systems for signs of compromise.
CISA's goal is to reduce risk and improve the security posture of both federal and private sector networks. | Details |
| 2025-11-04 22:21:32 | theregister | MISCELLANEOUS | DHS Proposes Extensive Expansion of Biometric Data Collection for Immigration | The Department of Homeland Security (DHS) has proposed a rule that would greatly expand biometric data collection in immigration processes, reaching immigrants and some U.S. citizens involved in their cases.
The proposed rule would require biometrics from a broad range of people connected to an immigration application, including U.S. citizens, nationals and lawful permanent residents.
DHS wants to redefine "biometrics" to cover newer modalities such as ocular imagery, voice prints and DNA, widening what can be collected for identity verification and security checks.
The rule would let DHS collect raw DNA or test results to verify family relationships or biological sex, which could affect eligibility for benefits.
Critics raise privacy and misuse concerns and point to error rates in biometric technology, particularly facial recognition, as well as voice records that AI tools can now spoof.
Public feedback so far is overwhelmingly negative, citing government overreach and possible constitutional violations.
DHS is accepting comments until January 2, 2026; many submissions compare the proposal to practices in authoritarian regimes. | Details |
| 2025-11-04 21:50:53 | bleepingcomputer | VULNERABILITIES | Critical Vulnerability in Post SMTP Plugin Threatens WordPress Sites | A critical flaw in the Post SMTP plugin, installed on more than 400,000 WordPress sites, lets attackers hijack administrator accounts and take over sites.
The vulnerability, tracked as CVE-2025-11833, has a CVSS score of 9.8 and affects all plugin versions up to and including 3.6.0.
The root cause is a missing authorization check in the plugin's email log feature: unauthenticated visitors can read logged emails, including password reset messages, and use them to reset the admin password.
Wordfence validated the exploit and reported it to the vendor on October 15; a fix shipped on October 29 as version 3.6.1.
Roughly half of the install base has updated, leaving around 210,000 sites exposed.
Active exploitation began on November 1; Wordfence has blocked more than 4,500 attempts and urges users to update or disable the plugin.
A similar flaw, CVE-2025-24000, was found in July, so this is the second authorization bug in the plugin this year. | Details |
| 2025-11-04 21:19:39 | bleepingcomputer | DATA BREACH | Apache OpenOffice Denies Alleged Data Breach by Akira Ransomware | The Akira ransomware group claims to have breached Apache OpenOffice and stolen 23 GB of data, including employee and financial records.
The Apache Software Foundation disputes the claim: OpenOffice is a volunteer-run open source project with no paid employees, so it holds no employee or payroll data of the kind described.
The Foundation is investigating but has found no evidence of a breach and has received no ransom demand against its infrastructure.
Akira's listing describes sensitive employee data and internal documents, but nothing has been leaked or verified by third parties.
The project's development happens in the open, with discussions on public mailing lists, so there is little "internal" material of the kind the listing claims.
The episode is a reminder to verify breach claims before reacting, and that open source projects need sound security practices too.
Apache has not involved law enforcement or outside security firms, given the absence of evidence for the group's claims. | Details |
| 2025-11-04 20:32:51 | bleepingcomputer | MALWARE | Malicious Android Apps on Google Play Downloaded 42 Million Times | Zscaler reports that malicious Android apps on Google Play were downloaded more than 42 million times between June 2024 and May 2025.
The report notes a 67% year-over-year rise in mobile malware, with spyware and banking trojans the most common threats.
Criminals increasingly target mobile payments through phishing, smishing and SIM swapping, leaning on social engineering as traditional card fraud becomes less profitable.
Zscaler found 239 malicious apps on Google Play, up from 200 the previous year, with adware now making up 69% of detections.
The Anatsa banking trojan and the Vo1d (Android Void) backdoor are among the top threats, hitting users in Germany, South Korea, India and Brazil among other countries.
Users are advised to install security updates, stick to reputable publishers, revoke unnecessary permissions and run Play Protect scans regularly.
Organizations are encouraged to adopt zero-trust controls and to harden IoT devices by monitoring for anomalies and securing firmware. | Details |
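The CISA/KEV item above notes that Huntress saw Base64-encoded reconnaissance commands such as `ipconfig /all` during exploitation of CVE-2025-11371. The following is an added example, not code from the article, Huntress or Gladinet: a small detector that pulls Base64-looking tokens out of process command lines, decodes them as either UTF-8 or UTF-16LE (the encoding PowerShell's `-EncodedCommand` uses), and flags known reconnaissance commands. The `host|parent|cmdline` log format, the sample lines and the recon command list are constructed assumptions for the demonstration.

```python
import base64
import binascii
import re
from typing import Optional

# Recon commands worth alerting on when they follow web-app exploitation (assumed list).
RECON_COMMANDS = (
    "ipconfig", "whoami", "systeminfo", "hostname", "tasklist", "netstat",
    "net user", "net group", "net localgroup", "nltest", "quser", "arp -a",
)

# A standalone run of 12+ Base64 alphabet characters with optional padding.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")

# Constructed sample log lines ("host|parent process|command line"); not a real log format.
SAMPLE_LOGS = [
    "web01|w3wp.exe|cmd.exe /c aXBjb25maWcgL2FsbA==",           # "ipconfig /all" as UTF-8 Base64
    "web01|w3wp.exe|powershell.exe -NoP -enc dwBoAG8AYQBtAGkA",  # "whoami" as UTF-16LE Base64
    "web02|explorer.exe|notepad.exe C:\\temp\\notes.txt",         # benign, no Base64
    "web01|w3wp.exe|cmd.exe /c echo SGVsbG8gd29ybGQ=",            # Base64 but benign ("Hello world")
]


def _decode_bytes(raw: bytes) -> Optional[str]:
    """Turn decoded Base64 bytes into printable text, or None if they are not text."""
    # ASCII text in UTF-16LE shows up as char/NUL byte pairs; prefer that decoding when it fits.
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    return text if text.isprintable() else None


def decode_base64_tokens(cmdline: str) -> list:
    """Return (token, decoded_text) pairs for every Base64-looking token that decodes to text."""
    found = []
    for match in B64_TOKEN.finditer(cmdline):
        token = match.group(0)
        padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
        try:
            raw = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue
        text = _decode_bytes(raw)
        if text:
            found.append((token, text))
    return found


def find_recon(cmdline: str) -> list:
    """List recon commands present in clear text or inside decoded Base64 tokens."""
    texts = [cmdline] + [decoded for _, decoded in decode_base64_tokens(cmdline)]
    hits = []
    for text in texts:
        lowered = text.lower()
        for cmd in RECON_COMMANDS:
            if cmd in lowered and cmd not in hits:
                hits.append(cmd)
    return hits


def scan(lines: list) -> list:
    """Parse 'host|parent|cmdline' lines and return one alert dict per line with recon activity."""
    alerts = []
    for line in lines:
        host, parent, cmdline = line.split("|", 2)
        hits = find_recon(cmdline)
        if hits:
            alerts.append({
                "host": host,
                "parent": parent,
                "recon": hits,
                "decoded": [decoded for _, decoded in decode_base64_tokens(cmdline)],
                # An IIS worker spawning a shell is the telltale parent/child pair for
                # web-app exploitation on Windows (assumption about the deployment).
                "from_web_worker": parent.lower() == "w3wp.exe",
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Matching on the decoded text rather than on the raw token is the point: the same `ipconfig /all` looks completely different once encoded, and different again in UTF-16LE, so a signature on the encoded string would miss trivial variants. In a real pipeline the parent-process check would feed the severity, since a web server worker launching `cmd.exe` or `powershell.exe` is suspicious on its own.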