Daily Brief

2025-10-23 16:28:32 bleepingcomputer VULNERABILITIES CISA Alerts on Critical Lanscope Endpoint Manager Vulnerability Exploitation
The Cybersecurity & Infrastructure Security Agency (CISA) warns of active exploitation of a critical flaw in Motex Lanscope Endpoint Manager, identified as CVE-2025-61932, with a severity score of 9.3. The vulnerability arises from improper verification of incoming request origins, allowing unauthenticated attackers to execute arbitrary code via crafted packets. Lanscope Endpoint Manager, developed by Motex, is widely used across Japan and Asia, primarily through AWS, for endpoint management and security. Motex confirmed that some environments have already been targeted with malicious packets, indicating zero-day exploitation of the vulnerability. The flaw impacts versions 9.4.7.2 and earlier, with updates available to address the security issue; no workarounds exist, making patching essential. Japan's CERT Coordination Center also issued warnings about the exploitation, noting increased attack activity on domestic organizations. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, mandating a patch deadline of November 12 for federal agencies. Organizations are urged to apply the latest updates promptly to mitigate potential risks from this critical vulnerability.
2025-10-23 16:03:06 theregister MISCELLANEOUS US Cybersecurity Progress Reverses Amid Workforce and Budget Cuts
The US Cyberspace Solarium Commission's 2025 report reveals a decline in implementing cybersecurity reforms, with only 35% of recommendations fully realized, down from 48% last year. Workforce and budget cuts during the Trump administration are cited as primary factors hindering progress, particularly affecting the Cybersecurity and Infrastructure Security Agency (CISA). CISA's ability to scale early-warning systems and maintain industry partnerships has been compromised, weakening its critical infrastructure protection mandate. Diplomatic cyber capacity has diminished due to cuts in the State Department's programs, impacting US cyber power projection and coordination with allies. The report stresses the need for renewed investment to prevent adversaries from surpassing US capabilities, urging restoration of CISA funding and staffing. Concerns are raised over the narrowing federal cyber talent pipeline, exacerbated by previous administration policies on diversity and hiring practices. The commission warns that adversaries like China, Russia, and Iran continue to innovate rapidly, posing ongoing threats that require sustained US cyber defense efforts.
2025-10-23 16:03:05 bleepingcomputer VULNERABILITIES Microsoft Enhances Security by Disabling File Explorer Previews
Microsoft has updated File Explorer to automatically disable previews for files downloaded from the Internet, aiming to prevent credential theft attacks via malicious documents. This security enhancement is active for users who have installed the latest Patch Tuesday updates on Windows 11 and Windows Server systems. The update targets files marked with the Mark of the Web (MotW), indicating they were downloaded from a web browser or received as email attachments. The change blocks threat actors from exploiting vulnerabilities that leak NTLM hashes when users preview files with HTML tags referencing attacker-controlled servers. This vulnerability was particularly concerning as it required no user interaction beyond selecting a file to preview, simplifying exploitation for attackers. Users are automatically protected with the October 2025 security update, though manual unblocking is possible for trusted files from known sources. Organizations can adjust settings for Internet Zone file shares by adding addresses to Trusted sites or Local intranet security zones through the Internet Options control panel.
2025-10-23 15:34:14 thehackernews NATION STATE ACTIVITY North Korean Group Targets European Defense Firms for Drone Secrets
North Korean hackers, linked to the Lazarus Group, are targeting European defense companies to steal drone technology, as part of the ongoing Operation Dream Job campaign. The campaign, active since March 2025, involves social engineering tactics, offering fake job opportunities to defense engineers to install malware on their systems. Targeted firms include a metal engineering company in Southeastern Europe and a Central European aircraft component manufacturer, focusing on unmanned aerial vehicle (UAV) technology. The malware families ScoringMathTea and MISTPEN are used to extract proprietary information, with ScoringMathTea previously linked to attacks in India and Poland. Attackers use trojanized PDF readers and decoy documents to deliver malware, employing techniques that evade detection while maintaining consistent attack patterns. The operation's persistence since 2020 highlights the strategic importance of drone technology to North Korea's military ambitions and the ongoing threat posed by state-sponsored cyber activities. Companies in the defense sector are urged to enhance their cybersecurity measures, particularly against social engineering threats, to safeguard sensitive technological information.
2025-10-23 14:16:14 bleepingcomputer VULNERABILITIES AI Sidebar Spoofing Poses Security Risks for Atlas and Comet Browsers
Researchers at SquareX identified a vulnerability in the AI sidebars of OpenAI's Atlas and Perplexity's Comet browsers, allowing threat actors to execute spoofing attacks. The attack involves injecting a fake sidebar via a malicious browser extension, indistinguishable from the real AI sidebar, potentially leading users to follow harmful instructions. Scenarios tested include cryptocurrency theft, unauthorized access to Gmail and Google Drive, and device hijacking, highlighting the potential severity of these spoofing attacks. The spoofing technique requires only common browser permissions, making it feasible for attackers to exploit without raising immediate suspicion. SquareX has reached out to both Perplexity and OpenAI regarding the vulnerability, but no response has been received from either company. Users are advised to limit the use of these AI browsers to non-sensitive tasks, as they are not yet secure enough for handling private or financial information. The findings emphasize the need for enhanced security measures in agentic AI browsers to protect users from emerging threats.
2025-10-23 14:16:14 bleepingcomputer VULNERABILITIES Addressing Identity Risks in AI with Zero Trust Framework
The rise of AI agents in enterprises introduces significant security challenges, particularly around identity governance and trust, posing risks to traditional Zero Trust architectures. AI agents often inherit credentials without clear ownership or identity governance, leading to potential security vulnerabilities and unauthorized access within enterprise systems. The NIST AI Risk Management Framework (AI RMF) offers guidance to manage AI risks, emphasizing the importance of identity as the root of trust for AI agents. Organizations are encouraged to inventory AI agents, assess their access permissions, and ensure continuous monitoring to detect anomalous behavior and potential security breaches. Implementing identity-driven Zero Trust principles involves right-sizing permissions, revoking stale credentials, and enforcing lifecycle policies for AI agents. Orphaned AI agents can act as backdoors for attackers, and over-permissioned agents pose risks of data exfiltration, highlighting the need for stringent identity controls. By embedding identity governance into AI deployment, businesses can enhance their security posture and ensure compliance, transforming AI agents into governed entities.
2025-10-23 14:09:55 theregister MALWARE Google and Check Point Dismantle Extensive YouTube Malware Network
Google removed over 3,000 YouTube videos spreading malware disguised as cracked software and game cheats, significantly impacting the "YouTube Ghost Network." Check Point identified the network's use of hijacked YouTube accounts to post tutorials promising free software, which instead installed infostealers like Rhadamanthys and Lumma. The operation surged in 2025, tripling the number of malicious videos compared to previous years, highlighting a shift in malware distribution tactics. The Ghost Network leveraged fake accounts to simulate trust through views, likes, and comments, making malicious content appear legitimate to unsuspecting users. Victims were misled into disabling antivirus software and downloading malware from platforms like Dropbox and Google Drive, compromising credentials and crypto wallets. Despite takedowns, the network's modular design allowed it to quickly regenerate, using rotating payloads and updated links to maintain resilience. The campaign's success with gaming cheats, particularly for Roblox, underscores the evolving threat landscape where social credibility on mainstream platforms is exploited. Check Point warns that while current operators are profit-driven cybercriminals, similar tactics could be adopted by nation-state actors targeting high-value individuals.
2025-10-23 12:42:54 bleepingcomputer NATION STATE ACTIVITY North Korean Lazarus Group Targets European Defense Firms with Job Lures
North Korean Lazarus hackers targeted three European defense companies in a campaign called Operation DreamJob, focusing on unmanned aerial vehicle (UAV) technology. The campaign used fake recruitment offers to trick employees into downloading malicious files, granting hackers access to company systems. ESET researchers noted the campaign aligns with North Korea's efforts to enhance its drone capabilities, inspired by Western designs. The attack chain involved trojanized applications and DLL sideloading to deploy the ScoringMathTea RAT, enabling remote access and control. The RAT supports 40 commands, allowing attackers to manipulate files, execute commands, and download additional malware. Despite previous exposure, Operation DreamJob remains effective, highlighting the ongoing threat posed by North Korean cyber activities. ESET provided indicators of compromise (IoCs) to help organizations detect and mitigate the threat from Lazarus hackers.
2025-10-23 11:55:21 thehackernews MISCELLANEOUS Addressing the Growing Security Risks of Unmanaged AI Agents
A recent webinar addresses the security challenges posed by the rapid adoption of AI agents, which are proliferating at an unprecedented rate in organizations. Companies now deploy approximately 100 AI agents for every human employee, with 99% lacking proper management and oversight, creating potential security vulnerabilities. Traditional security tools are inadequate for managing the lifecycle and oversight of AI identities, leading to increased risk exposure. The webinar, "Turning Controls into Accelerators of AI Adoption," offers strategies to integrate security measures without hindering business agility. Participants will learn how to transform security controls into enablers for safe and accelerated AI adoption, moving from a reactive to a proactive security posture. The session is designed for engineers, architects, and CISOs who are grappling with the challenges of AI security management. By implementing the strategies discussed, organizations can enhance their security frameworks while continuing to innovate with AI technologies.
2025-10-23 11:31:28 thehackernews CYBERCRIME Lumma Stealer Group Doxxed, Operations Severely Disrupted
The Lumma Stealer group has faced significant operational disruption following a doxxing campaign exposing five core members' identities, including their PII and financial records. The exposure campaign, driven by internal rivalries, has led to a decline in Lumma Stealer's activity and customer trust, pushing clients towards alternatives like Vidar and StealC. Lumma Stealer's communication channels, particularly Telegram accounts, were compromised, further hindering their ability to coordinate operations. The doxxing campaign suggests insider access to compromised accounts and databases, indicating deep infiltration within the group. Despite previous law enforcement actions against Lumma Stealer, the group had resumed operations, but current developments threaten its future viability. The emergence of Vidar Stealer 2.0, with advanced evasion capabilities and credential extraction methods, poses a new threat in the information stealer landscape. Organizations are advised to remain vigilant and update security measures to mitigate risks associated with evolving information stealer threats.
2025-10-23 11:01:27 thehackernews VULNERABILITIES Transition to Managed Identities Boosts Security and Efficiency
Organizations are moving from static secrets to managed identities, achieving significant productivity gains and reducing credential management complexities in cloud environments. Traditional static secrets, such as API keys and passwords, pose risks due to manual lifecycle management and potential credential leaks. Managed identities offer a shift to short-lived, automatically rotated credentials, enhancing security and reducing management time by up to 95% per application component. Despite the benefits, managed identities don't address all authentication challenges, particularly with third-party APIs and legacy systems that still require static credentials. Organizations are adopting a hybrid approach, reducing reliance on static secrets by 70-80% while maintaining robust secret management for necessary use cases. Comprehensive visibility into existing credential landscapes is crucial; platforms like GitGuardian's NHI Security help identify and manage hidden API keys and passwords. Strategic reduction of static secrets creates resilient architectures that leverage both managed identities and effective secret management solutions.
2025-10-23 09:33:46 theregister CYBERCRIME SpaceX Disables Starlink Terminals Linked to Myanmar Cybercrime Operations
SpaceX has deactivated over 2,500 Starlink terminals in Myanmar, which were used by criminal networks for cyber-fraud and human trafficking activities. These terminals supported operations in Myanmar's border zones, where traditional telecom services face restrictions or monitoring. The action follows a major raid by Myanmar's military on a compound near the Thai border, resulting in over 2,000 arrests and the seizure of Starlink equipment. Criminal syndicates, often linked to Chinese-speaking groups, exploited Starlink's global coverage for scams, including crypto fraud and fake romance schemes. Black market Starlink terminals have been entering Southeast Asia through Thailand and China, sold at high prices and activated with foreign accounts. SpaceX's senior vice president stated the company is committed to preventing misuse and ensuring compliance with local laws across its operational markets. This incident highlights the dual-use nature of satellite technology, underscoring the need for vigilant oversight to prevent exploitation by illicit actors.
2025-10-23 07:52:19 thehackernews CYBERCRIME Jingle Thief Hackers Exploit Cloud Systems for Gift Card Fraud
Cybercriminal group Jingle Thief targets retail and consumer services sectors, focusing on exploiting cloud environments for unauthorized gift card issuance. The group employs phishing and smishing tactics to steal credentials, gaining access to organizations' cloud infrastructure to issue and resell gift cards. Jingle Thief's operations coincide with festive seasons, leveraging the anonymity and traceability challenges associated with gift cards for financial gain. Researchers have linked Jingle Thief with moderate confidence to criminal groups Atlas Lion and Storm-0539, with origins traced to Morocco. The group maintains long-term access within compromised systems, conducting extensive reconnaissance and lateral movement to avoid detection. Recent attacks in April and May 2025 involved coordinated phishing campaigns, breaching 60 user accounts in a single organization over 10 months. Jingle Thief's tactics include creating inbox rules to forward emails, bypassing MFA with rogue apps, and enrolling devices to maintain persistent access. Organizations are advised to bolster cloud security measures and enhance phishing awareness to mitigate risks associated with such stealthy cybercriminal activities.
2025-10-23 05:55:36 thehackernews VULNERABILITIES Critical Flaw in Adobe Commerce Threatens Over 250 Magento Stores
Over 250 Magento stores were targeted within 24 hours due to a critical vulnerability in Adobe Commerce, identified as CVE-2025-54236, with a CVSS score of 9.1. The flaw, known as SessionReaper, involves improper input validation via the Commerce REST API, potentially allowing attackers to take over customer accounts. Despite Adobe releasing a patch last month, 62% of Magento stores remain unpatched, leaving them susceptible to exploitation; administrators are urged to take immediate action. Threat actors have been observed using the flaw to deploy PHP webshells and extract PHP configuration data, posing significant security risks to affected platforms. The vulnerability, a nested deserialization flaw, allows for remote code execution, similar to a previous Adobe Commerce vulnerability, CosmicSting, exploited in 2024. Security firms, including Sansec and Searchlight Cyber, emphasize the urgency of applying patches to prevent further exploitation as proof-of-concept exploits become publicly available. The ongoing threat highlights the critical importance of timely patch management in safeguarding e-commerce platforms from emerging vulnerabilities.
2025-10-23 05:39:43 thehackernews VULNERABILITIES Critical Lanscope Endpoint Manager Flaw Actively Exploited, CISA Warns
CISA has added CVE-2025-61932, a critical Lanscope Endpoint Manager flaw, to its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. The vulnerability affects on-premises Lanscope Endpoint Manager versions, allowing arbitrary code execution through specially crafted packets. Impacted versions include 9.4.7.1 and earlier, with the flaw stemming from improper verification of communication channels. Motex has confirmed at least one customer received a malicious packet targeting this vulnerability, though the attack's scale and perpetrators remain unknown. Federal Civilian Executive Branch agencies are advised to remediate the vulnerability by November 12, 2025, to protect their systems. The vulnerability's CVSS v4 score of 9.3 underscores its critical nature, necessitating immediate attention and patching from affected organizations. Organizations should prioritize updating to patched versions to mitigate potential risks associated with this security flaw.