Daily Brief
Total articles found: 11758
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-10-29 11:54:57 | thehackernews | NATION STATE ACTIVITY | Russian Hackers Exploit LotL Tactics Against Ukrainian Entities | Russian-origin threat actors targeted Ukrainian business and government entities, employing advanced living-off-the-land (LotL) tactics to access sensitive data and maintain network persistence. The attacks leveraged minimal malware and dual-use tools, reducing digital footprints and enhancing stealth, with web shells like LocalOlive facilitating next-stage payload delivery. Initial access was gained through unpatched vulnerabilities in public-facing servers, allowing attackers to execute PowerShell commands and perform regular memory dumps. Despite the use of tools linked to the Sandworm group, no direct evidence connects these intrusions to Sandworm, though the activity appears Russian in origin. The campaign reflects a broader trend of Russian cybercriminals decentralizing operations, pressured by state control and international law enforcement efforts. Recorded Future's analysis reveals Russian cybercriminals' evolving relationships with intelligence services, including data sharing and leveraging political connections for impunity. The Russian cybercriminal ecosystem is adapting to increased scrutiny, with operations fracturing under state influence and internal mistrust, impacting their operational dynamics. | Details |
| 2025-10-29 11:48:32 | theregister | CYBERCRIME | UK Trader Fined £200,000 for Sending Nearly 1M Spam Texts | The Information Commissioner's Office (ICO) fined Bharat Singh Chand £200,000 for sending 966,449 spam texts targeting financially vulnerable individuals in the UK. The messages, sent between December 2023 and July 2024, promoted debt solutions and energy-saving grants without proper sender identification. Chand's activities came under scrutiny during a separate investigation, revealing his involvement in a potential SIM farm operation. Despite denying involvement, evidence such as call scripts and WhatsApp messages linked Chand to the spam operation. The ICO received 19,138 complaints through the 7726 spam reporting service, leading to the significant penalty. Chand's appeal against the fine voided a potential 20% discount for early payment, increasing his financial liability. This case underscores the ICO's commitment to protecting consumers from unlawful marketing practices, particularly those exploiting vulnerable groups. | Details |
| 2025-10-29 10:18:27 | thehackernews | MISCELLANEOUS | AI Transforming Governance, Risk, and Compliance: Opportunities and Challenges | AI is revolutionizing Governance, Risk, and Compliance (GRC) by accelerating audits, identifying risks quicker, and reducing manual workload, enhancing efficiency and accuracy across operations. Despite its benefits, AI introduces challenges such as potential biases, blind spots, and regulatory gaps that are not yet fully addressed by governing bodies. The rapid pace of AI innovation is creating a gap between technological capabilities and the existing legal frameworks, posing immediate risk exposure for organizations. A free expert webinar titled "The Future of AI in GRC: Opportunities, Risks, and Practical Insights" aims to provide clarity and direction for organizations at various stages of AI adoption. The session promises actionable insights and practical advice to help organizations proactively integrate AI into their compliance strategies, turning potential risks into competitive advantages. Participants will gain a deeper understanding of AI's impact on GRC, preparing them to lead with confidence in an evolving regulatory landscape. | Details |
| 2025-10-29 09:31:34 | theregister | MISCELLANEOUS | UK Government Seeks New CTO to Overhaul Digital Strategy | The UK government is recruiting a new Chief Technology Officer (CTO) to address a £23 billion technology overhaul, following the departure of David Knott for family reasons. The role offers a starting salary between £100,000 and £162,500, with external candidates expected to start at the lower end, despite competitive market rates. The CTO position is part of the Government Digital Service within the Department for Science, Innovation and Technology, tasked with modernizing the digital landscape. A recent report indicates that digital, data, and technology professionals constitute only 4.5% of the UK civil service, highlighting a significant talent gap. The Public Accounts Committee noted that pay constraints hinder government departments from competing with the private sector for top digital talent. The new CTO will play a pivotal role in aligning digital strategies across government departments to achieve a cohesive digital transformation. The National Audit Office reported a £3 billion increase in costs due to delays in digital transformation, emphasizing the need for effective leadership in this role. | Details |
| 2025-10-29 08:37:26 | thehackernews | MALWARE | Malicious npm Packages Target Developer Credentials Across Multiple Platforms | Ten malicious npm packages were discovered, targeting developer credentials on Windows, macOS, and Linux systems, with over 9,900 downloads since their upload on July 4, 2025. The packages impersonate popular libraries such as TypeScript and discord.js, using typosquatting to deceive developers into downloading them. Upon installation, a postinstall hook triggers a script that executes an obfuscated payload, launching the malware in a new terminal window to avoid detection. The malware uses four layers of obfuscation, including XOR cipher and URL encoding, to conceal its operations and resist analysis. It captures the victim's IP address and downloads a 24MB PyInstaller-packaged information stealer that harvests credentials from system keyrings and browsers. The stolen credentials, including those from email clients, cloud storage, and VPN connections, are compressed and sent to an external server, risking unauthorized access to sensitive corporate resources. Developers are advised to scrutinize npm package sources and monitor for unusual terminal activity during installations to mitigate such threats. | Details |
| 2025-10-29 08:05:53 | theregister | VULNERABILITIES | German Exchange Servers at Risk Due to Outdated Software Usage | Germany's cybersecurity agency (BSI) reports that 92% of Exchange servers are running unsupported software, risking network security and operational integrity. Microsoft's support for Exchange Server 2016 and 2019 ended on October 14, leaving many organizations vulnerable to unpatched security flaws. Affected entities include critical sectors such as hospitals, schools, social services, and local authorities, potentially impacting essential services. The BSI warns that outdated servers could lead to severe network compromises, data leaks, ransomware attacks, and extended operational downtime. Microsoft offers a six-month Extended Update Program, but post-April 2024, organizations must upgrade or secure their systems independently. The BSI advises restricting Exchange Server access to trusted IPs or using VPNs to mitigate exposure to potential threats. Historical vulnerabilities like ProxyShell and ProxyLogon serve as reminders of the consequences of unpatched Exchange systems. | Details |
| 2025-10-29 07:49:55 | thehackernews | VULNERABILITIES | CISA Alerts on Critical Flaws in Dassault and XWiki Under Attack | CISA and VulnCheck report active exploitation of critical vulnerabilities in Dassault Systèmes DELMIA Apriso and XWiki, urging immediate attention to patching these flaws. The vulnerabilities, CVE-2025-6204 and CVE-2025-6205, affect DELMIA Apriso versions from 2020 to 2025, with patches released in early August. A previous flaw in the same product, CVE-2025-5086, was flagged for exploitation shortly after detection by the SANS Internet Storm Center. VulnCheck identifies a two-stage attack chain using CVE-2025-24893 to deploy a cryptocurrency miner, with initial exploitation attempts traced back to March 2025. Attack traffic originates from a Vietnamese IP, previously flagged for malicious activity, emphasizing the need for robust network monitoring. Users are advised to apply updates promptly, with FCEB agencies mandated to remediate DELMIA Apriso vulnerabilities by November 18, 2025. This incident underscores the critical importance of timely patch management and continuous threat monitoring to mitigate exploitation risks. | Details |
| 2025-10-29 03:51:29 | theregister | CYBERCRIME | Australian Police Develop AI to Combat Online Crime Influencers | Australia's Federal Police (AFP) is creating an AI tool to decode emojis and slang used by Gen Z and Gen Alpha in criminal communications, aiming to tackle decentralized online crime networks. These networks, termed "crimefluencers," are involved in violent extremism and sadistic online exploitation, often targeting pre-teen and teenage girls. The AFP identified 59 alleged offenders, leading to nine international and three domestic arrests, with those arrested in Australia aged between 17 and 20. A Five Eyes Law Enforcement Group sub-team, including Australia, the UK, USA, Canada, and New Zealand, has been formed to address these criminal activities. The AFP's anti-terrorism efforts have investigated 48 youths since 2020, charging 25 with terrorism-related offenses, highlighting the role of social media in radicalization. In a separate operation, the AFP recovered $9 million in cryptocurrency by deciphering a crypto wallet's recovery seed phrase, showcasing innovative forensic capabilities. The AFP collaborates with Sydney's University of Technology to study how smart devices can determine the time of death, enhancing forensic investigations in natural disasters or foul play cases. | Details |
| 2025-10-28 23:36:59 | bleepingcomputer | VULNERABILITIES | Microsoft Releases Windows 11 Update with Enhanced Administrator Protection | Microsoft has rolled out the KB5067036 update for Windows 11, introducing the Administrator Protection feature to enhance system security by requiring identity verification for administrative actions. This optional update, part of the non-security preview schedule, allows users to test new features before the official Patch Tuesday release, impacting Windows 11 24H2 and 25H2 versions. Administrator Protection aims to mitigate risks from malicious software by demanding Windows Hello authentication for actions needing administrative privileges, such as software installation and system settings changes. The update also addresses several technical issues, including bugs affecting the Media Creation Tool, HTTP/2 connections, and Kerberos Key Distribution Center service on server domain controllers. A redesigned Start Menu is being gradually introduced, offering new categories, grid views, and a responsive layout to improve user experience and accessibility. Organizations are encouraged to consider enabling the Administrator Protection feature to bolster defenses against unauthorized system changes and potential malware threats. The update is available for manual installation via Windows Update settings or the Microsoft Update Catalog, with no known issues reported at this time. | Details |
| 2025-10-28 21:17:09 | bleepingcomputer | DATA BREACH | Dentsu's Merkle Subsidiary Experiences Significant Data Breach Incident | Dentsu's U.S.-based subsidiary, Merkle, experienced a cybersecurity breach affecting staff and client data, prompting immediate system shutdowns as a precautionary measure. The breach led to the exposure of sensitive information, including bank details, payroll data, and personal contact information of employees and clients. Dentsu has engaged third-party incident response services to assess the breach's scale and impact, with ongoing investigations to determine the full extent of data compromised. The company has informed relevant authorities in affected countries in compliance with legal requirements and is notifying impacted individuals. Despite the breach, Dentsu's Japan-based network systems remain unaffected; however, the incident is anticipated to have some financial repercussions. No ransomware group has claimed responsibility for the attack, and the investigation continues to identify the perpetrators. The incident underscores the importance of robust cybersecurity measures and proactive incident response strategies to mitigate potential damages. | Details |
| 2025-10-28 19:19:44 | thehackernews | VULNERABILITIES | Researchers Unveil TEE.Fail Attack Targeting Intel and AMD Secure Enclaves | Academic researchers have developed TEE.Fail, a side-channel attack capable of extracting secrets from Intel and AMD's trusted execution environments, affecting DDR5 memory systems. The attack utilizes an interposition device costing under $1,000 to inspect memory traffic, enabling the extraction of cryptographic keys from Intel TDX and AMD SEV-SNP. TEE.Fail can compromise Nvidia's GPU Confidential Computing by using extracted attestation keys, allowing unauthorized AI workload execution without TEE protections. The attack reveals vulnerabilities in the AES-XTS encryption mode, which fails to prevent physical memory interposition attacks, affecting the security of confidential virtual machines. Researchers recommend software countermeasures to address deterministic encryption risks, though these are potentially costly and complex to implement. Intel and AMD have acknowledged the attack but maintain that physical vector attacks remain outside the scope of their current mitigation strategies. The study raises concerns over the adequacy of current hardware security measures, prompting a re-evaluation of encryption and attestation protocols. | Details |
| 2025-10-28 19:14:18 | bleepingcomputer | CYBERCRIME | Qilin Ransomware Exploits WSL for Cross-Platform Attacks on Windows | Qilin ransomware, previously known as Agenda, has targeted over 700 victims across 62 countries in 2025, marking it as a significant global threat. The ransomware exploits Windows Subsystem for Linux (WSL) to execute Linux encryptors on Windows systems, bypassing traditional security measures. Attackers utilize legitimate remote management tools and built-in Windows utilities to breach networks and extract sensitive data. The group employs Bring Your Own Vulnerable Driver (BYOVD) techniques to disable security software, leveraging signed but vulnerable drivers. Qilin affiliates use open-source tools like "dark-kill" and "HRSword" to deactivate endpoint detection and response (EDR) systems and erase attack traces. The ransomware's Linux encryptor is designed to target VMware ESXi virtual machines, utilizing command-line options for customized encryption. This strategy demonstrates the evolving threat landscape, as ransomware operators adapt to hybrid environments to enhance attack efficacy and evade defenses. | Details |
| 2025-10-28 19:05:20 | bleepingcomputer | VULNERABILITIES | CISA Alerts on Active Exploitation of Dassault DELMIA Apriso Flaws | CISA has issued a warning about active exploitation of two vulnerabilities in Dassault Systèmes' DELMIA Apriso, affecting manufacturing operations management systems. The critical vulnerability (CVE-2025-6205) allows unauthorized remote access, while the high-severity flaw (CVE-2025-6204) enables code injection by privileged users. Dassault Systèmes addressed these vulnerabilities in August 2025, affecting releases from 2020 to 2025, but exploitation continues in the wild. Federal Civilian Executive Branch agencies are mandated to secure their networks by November 18, per Binding Operational Directive 22-01. CISA advises all IT administrators to prioritize patching these vulnerabilities to mitigate risks to federal and enterprise systems. DELMIA Apriso is widely used in sectors such as automotive, electronics, and aerospace, where operational integrity and compliance are critical. The vulnerabilities pose significant risks, as these systems manage key functions like warehouse operations, production scheduling, and quality control. | Details |
| 2025-10-28 17:02:04 | bleepingcomputer | VULNERABILITIES | TEE.Fail Attack Exposes Weaknesses in Intel, AMD, NVIDIA Secure Environments | Researchers from Georgia Tech and Purdue University unveiled TEE.Fail, a side-channel attack compromising trusted execution environments (TEEs) in Intel, AMD, and NVIDIA CPUs. TEE.Fail exploits architectural weaknesses in DDR5 systems, allowing extraction of sensitive data from TEEs, such as cryptographic keys, at a cost below $1,000. The attack requires physical access and root-level privileges, targeting Intel's SGX, TDX, and AMD's SEV-SNP, leveraging deterministic AES-XTS memory encryption. Successful execution involves modifying kernel drivers and using a logic analyzer to capture ciphertexts from DRAM, enabling key extraction and attestation forgery. Intel, AMD, and NVIDIA have acknowledged the vulnerabilities and are developing mitigations, with plans to release official statements following the TEE.Fail paper's publication. While complex and requiring physical access, TEE.Fail poses significant implications for the security of confidential computing environments in server-grade hardware. The findings stress the need for enhanced security measures in TEEs, particularly in systems adopting newer memory technologies like DDR5. | Details |
| 2025-10-28 17:02:04 | bleepingcomputer | VULNERABILITIES | Google Chrome to Enforce HTTPS Connections by Default in 2026 | Starting October 2026, Google Chrome will default to "Always Use Secure Connections," warning users before accessing non-HTTPS sites. This change aims to protect users from man-in-the-middle attacks, which can compromise data exchanged over unencrypted HTTP connections. Chrome will initially enable this feature for over 1 billion users with Enhanced Safe Browsing in April 2026, ahead of the full rollout. Users will have the option to enable alerts for insecure connections on both public and private sites, though private sites are generally less risky. Google encourages website developers and IT professionals to adopt HTTPS now to mitigate potential disruptions when the feature becomes mandatory. The transition is expected to be smooth, as over 95% of websites have already adopted HTTPS, a significant increase from 45% in 2015. This initiative is part of Google's broader effort to enhance web security, including recent updates to automatically revoke unused notification permissions. | Details |