Daily Brief

Total articles found: 12615

2025-12-15 16:49:25 | bleepingcomputer | DATA BREACH | 700Credit Data Breach Exposes Information of 5.8 Million Customers
700Credit, a major U.S. financial services provider, is notifying 5.8 million individuals of a data breach involving personal information exposure. The breach originated from a compromised integration partner's API, which was exploited by a threat actor from May to October. The breach went unnoticed by the partner, leading to unauthorized copying of dealership customer data until 700Credit detected suspicious activity in October. Approximately 20% of consumer data was stolen due to a security flaw in the API, which failed to validate consumer reference IDs properly. 700Credit is handling regulatory notifications on behalf of affected clients and has informed the National Automobile Dealers Association to increase awareness. Impacted individuals are offered a year of free identity protection and credit monitoring through TransUnion to mitigate potential risks. No ransomware group has claimed responsibility, and further details are awaited from 700Credit regarding the incident.

2025-12-15 15:25:35 | bleepingcomputer | CYBERCRIME | Phishing Attacks in 2025: Emerging Trends and Security Challenges
Phishing attacks in 2025 have evolved to include omni-channel strategies, with one-third of attacks occurring outside traditional email, leveraging platforms like LinkedIn and Google Search. Attackers are utilizing Phishing-as-a-Service (PhaaS) kits, such as Tycoon and Evilginx, to bypass multi-factor authentication and enhance attack sophistication. Non-email phishing vectors are less protected, allowing attackers to bypass traditional security measures, increasing the likelihood of successful credential harvesting. Techniques such as consent phishing and device code phishing are being used to circumvent phishing-resistant authentication methods, posing new challenges for security teams. Detection evasion tactics, including bot protection and multi-stage page loading, are prolonging the undetected lifespan of phishing sites, complicating traditional URL blocking efforts. Security teams are urged to enhance browser-based detection and response capabilities to address modern phishing threats, as browser activity remains a significant blind spot. Push Security emphasizes the need for proactive vulnerability management and comprehensive browser security to mitigate identity-based threats effectively.

2025-12-15 14:35:23 | thehackernews | VULNERABILITIES | Critical Authentication Bypass Flaw Discovered in FreePBX Platform
Horizon3.ai identified multiple vulnerabilities in FreePBX, including a critical flaw allowing authentication bypass under specific configurations, posing significant security risks to affected systems. The vulnerabilities are not present in FreePBX's default setup but can be exploited when certain advanced settings are enabled, allowing remote code execution. Attackers can craft HTTP requests to bypass authentication and insert malicious users into the "ampusers" database, mirroring tactics seen in CVE-2025-57819. FreePBX has released patches addressing these issues, removing the option to choose an authentication provider from Advanced Settings; it now requires manual configuration via the command line. Users are advised to set "Authorization Type" to "usermanager" and disable "Override Readonly Settings" to mitigate risks, alongside system reboots to terminate rogue sessions. A warning on the dashboard cautions against using the "webserver" authentication type, which offers reduced security compared to "usermanager." Organizations should conduct thorough system analyses for potential compromises if the vulnerable AUTHTYPE was inadvertently enabled.

2025-12-15 12:53:17 | theregister | MISCELLANEOUS | ECB Delay Costs Bank of England £23M in RTGS Project Adjustments
The European Central Bank's delay in adopting a new messaging standard led to a £23 million increase in costs for the Bank of England's RTGS system overhaul. The Bank of England's project, initially budgeted at £431 million, faced a total cost increase of £56 million due to multiple replanning phases. The delay in the ECB's ISO 20022 migration forced the Bank of England to reschedule its own system launch to manage user change safely. The RTGS system provides settlement services for sterling payments in the UK, handling transactions worth approximately £790 billion daily. The National Audit Office acknowledged the cost increase as reasonable, citing the program's complexity and the external "shock" from the ECB's schedule change. The project, executed with Accenture as the technical partner, transitioned from mainframe technology to cloud-native solutions for improved flexibility. Despite cost overruns, the project's expenses were deemed lower than industry standards for similar financial system upgrades.

2025-12-15 12:47:00 | bleepingcomputer | NATION STATE ACTIVITY | Google Identifies Chinese Groups Exploiting React2Shell Vulnerability
Google's threat intelligence team has connected five additional Chinese hacking groups to React2Shell attacks, exploiting a critical remote code execution flaw in React and Next.js applications. The vulnerability, CVE-2025-55182, impacts recent versions of React and allows attackers to execute arbitrary code with a single HTTP request. Palo Alto Networks reported breaches in dozens of organizations, with attackers stealing AWS credentials and sensitive data, linked to Chinese state-backed actors. Amazon Web Services warned of Chinese groups Earth Lamia and Jackpot Panda exploiting the flaw soon after its disclosure. Google identified new groups UNC6600, UNC6586, UNC6588, UNC6603, and UNC6595 using various malware, including tunneling software and backdoors. Discussions in underground forums reveal threat actors sharing tools and experiences related to the vulnerability, indicating widespread interest. Over 116,000 IP addresses remain vulnerable, with significant exposure in the United States, and active exploitation attempts observed globally. Cloudflare linked a global website outage to emergency measures taken against the React2Shell vulnerability, highlighting the flaw's widespread impact.

2025-12-15 12:24:51 | thehackernews | VULNERABILITIES | Apple and Google Release Urgent Patches for Zero-Day Exploits
Apple and Google have issued security updates to address two zero-day vulnerabilities actively exploited in targeted attacks, affecting multiple platforms including iOS, macOS, and Chrome. The vulnerabilities, CVE-2025-14174 and CVE-2025-43529, involve memory corruption and use-after-free issues, allowing arbitrary code execution via malicious web content. Google's Chrome browser update includes a fix for CVE-2025-14174, which is linked to the ANGLE library, used across various platforms. Commercial spyware vendors are suspected of exploiting these vulnerabilities, although specific exploitation methods remain undisclosed. Organizations are urged to apply these patches immediately to mitigate potential security risks from these vulnerabilities. The rapid exploitation of these flaws underscores the critical need for timely updates and robust vulnerability management practices. Failure to update systems promptly could result in significant security breaches, emphasizing the importance of proactive cybersecurity measures.

2025-12-15 12:11:01 | theregister | CYBERCRIME | Cyberattack on JLR Results in Significant Payroll Data Theft
Jaguar Land Rover (JLR) suffered a cyberattack in August, leading to the theft of sensitive payroll data affecting thousands of employees and former staff. The breach halted JLR's manufacturing operations for over a month, causing a £1.5 billion sales drop and £196 million in related losses. Stolen data includes bank account details, tax codes, and other personal information critical to payroll and employee benefits. JLR has advised employees to remain vigilant against potential fraud and phishing attempts, although no misuse of data has been confirmed yet. The attack, attributed to the hacker group Scattered Lapsus Hunters, also reportedly involved customer data, though JLR has not confirmed this. The incident is classified as a systemic event, potentially costing the UK economy up to £2.1 billion, impacting GDP and highlighting corporate vulnerabilities. JLR is working with regulators and contacting affected employees as part of its response strategy, emphasizing the need for robust cybersecurity measures.

2025-12-15 12:02:52 | thehackernews | CYBERCRIME | ShadyPanda Campaign Exposes Browser Extension Supply Chain Vulnerabilities
ShadyPanda, a cybercrime group, compromised popular Chrome and Edge extensions, affecting 4.3 million users by turning trusted add-ons into spyware and backdoors. The campaign involved a long-term strategy of gaining user trust before deploying malicious updates via automatic extension updates. Compromised extensions enabled remote code execution, allowing attackers to exfiltrate browsing data, credentials, and even impersonate SaaS accounts. Traditional identity defenses like MFA were ineffective, as the attack leveraged authenticated browser sessions to bypass security measures. Organizations are advised to enforce extension allow lists, audit permissions, and monitor extension behavior to mitigate such risks. Security teams should treat browser extensions as part of the SaaS attack surface and integrate their oversight into identity and access management processes. The incident underscores the importance of bridging endpoint and SaaS security to protect against similar threats in the future.

2025-12-15 11:11:13 | bleepingcomputer | DATA BREACH | French Interior Ministry's Email Servers Breached in Cyberattack
The French Interior Ministry experienced a cyberattack on its email servers, potentially compromising document files, though data theft remains unconfirmed. The breach was detected between December 11 and December 12, prompting immediate security enhancements and access control measures. French authorities have launched an investigation to identify the attack's origin, considering possibilities such as foreign interference, activist actions, or cybercrime. Interior Minister Laurent Nuñez emphasized the need for vigilance, noting the ministry's role in overseeing police forces and internal security. The attack highlights the ministry as a high-value target, similar to previous incidents linked to the Russian APT28 hacking group. The French National Agency for the Security of Information Systems (ANSSI) has previously reported APT28's focus on strategic intelligence theft from governmental and diplomatic entities. This incident serves as a reminder of the persistent threat state-sponsored hackers and cybercriminals pose to national security infrastructure.

2025-12-15 11:04:38 | theregister | VULNERABILITIES | Apple and Google Release Emergency Patches for Zero-Day Exploits
Apple and Google issued emergency patches to address zero-day vulnerabilities actively exploited in sophisticated attacks, impacting iPhones, iPads, Macs, and Chrome browsers. Apple's security updates targeted WebKit bugs, which were part of a highly sophisticated attack against specific individuals, though technical details remain sparse. Google addressed multiple Chrome security flaws, including CVE-2025-14174, an out-of-bounds memory access vulnerability already exploited in the wild. The discovery of the Chrome vulnerability was credited to Apple's security team and Google's Threat Analysis Group, indicating potential spyware-grade exploitation. Both companies' rapid response highlights the ongoing threat posed by zero-day vulnerabilities, with Apple addressing nine and Google eight in 2025 alone. The patching efforts underscore the critical need for users to promptly update devices to mitigate risks from these high-priority vulnerabilities. These incidents reflect the persistent targeting of browsers and mobile platforms, emphasizing their value to attackers seeking lucrative opportunities.

2025-12-15 10:46:56 | theregister | MISCELLANEOUS | Denmark's Proposed VPN Restrictions Stir Privacy Concerns
Denmark's government is proposing amendments to limit VPN use for accessing illegal streaming and blocked content, sparking privacy concerns among citizens and activists. The proposed law aims to update existing regulations to address modern piracy methods, focusing on illegal IPTV services and VPN misuse. The draft legislation intends to be tech-neutral, allowing future-proofing against emerging technologies that might bypass content restrictions. Privacy advocates argue the proposal could infringe on personal freedoms and privacy rights, viewing it as a potential overreach of government control. Danish Culture Minister Jakob Engel-Schmidt clarified that the bill is not a blanket ban on VPNs but targets illegal streaming activities. The proposal surfaces amid broader European debates on tech regulation, including the controversial EU Chat Control initiative, which Denmark initially supported. The public opposition to the VPN restrictions reflects wider concerns about governmental approaches to tech regulation and privacy in Europe.

2025-12-15 09:35:13 | theregister | MISCELLANEOUS | UK Advocates for Legal Protections and Growth in Ethical Hacking
The UK government is initiating changes to the Computer Misuse Act to support ethical hacking, recognizing its importance in combating cybercrime. Current laws do not adequately protect cybersecurity researchers, limiting their ability to test live infrastructure without legal risk. The initiative aims to transform ethical hacking into a high-status profession, encouraging more individuals to enter the field. Challenges include a shortage of cybersecurity researchers and the need for structured pathways to attract and train new talent. Proposed changes include creating accessible environments for ethical hacking, akin to a learner's driving license, to ensure responsible practice. The initiative seeks to increase collaboration between ethical hackers and organizations, enhancing security through proactive testing. This approach could significantly reduce cybercrime costs and improve overall cybersecurity resilience by fostering a culture of ethical hacking.

2025-12-15 09:25:00 | thehackernews | MALWARE | Phantom Stealer Targets Russian Finance Sector via ISO Phishing Emails
Seqrite Labs has identified Operation MoneyMount-ISO, a phishing campaign targeting Russian finance and accounting sectors, delivering Phantom Stealer malware via malicious ISO images. The campaign uses fake payment confirmation emails with ZIP attachments, which contain ISO files that mount as virtual CD drives to execute the malware. Phantom Stealer extracts sensitive data, including cryptocurrency wallet information, browser passwords, and credit card details, while evading detection in virtualized environments. Data is exfiltrated using Telegram bots or Discord webhooks, and files can be transferred to an FTP server, posing significant data security risks. Parallel campaigns, such as DupeHike, target Russian HR and payroll departments with DUPERUNNER malware, leveraging Adaptix C2 for command-and-control operations. The Russian aerospace sector has faced attacks attributed to Ukrainian-aligned hacktivists, using compromised email servers to distribute spear-phishing messages. These campaigns are part of broader efforts to exploit entities linked to Russia's military, reflecting geopolitical tensions and the impact of Western sanctions.

2025-12-15 05:39:12 | thehackernews | CYBERCRIME | VolkLocker Ransomware Flaw Allows Free Decryption for Victims
CyberVolk, a pro-Russian hacktivist group, launched VolkLocker, a ransomware-as-a-service targeting Windows and Linux systems, with a significant flaw enabling free decryption. SentinelOne discovered that VolkLocker's master keys are hard-coded and stored in plaintext, allowing victims to recover encrypted files without paying ransom. The ransomware uses AES-256 encryption and attempts privilege escalation, reconnaissance, and system enumeration, while also modifying the Windows Registry and deleting shadow copies. Despite its encryption capabilities, a design error in VolkLocker leaves the master key in a temporary folder, facilitating self-recovery by affected users. CyberVolk manages its RaaS operations via Telegram, charging between $800 and $2,200, and has expanded its offerings to include remote access trojans and keyloggers. The group has faced repeated bans on Telegram but continues to operate, reflecting a trend among politically motivated actors leveraging convenient platforms for cybercrime. Businesses should remain vigilant against ransomware threats and consider this case a reminder of the importance of robust cybersecurity measures and incident response plans.

2025-12-15 02:08:32 | theregister | DATA BREACH | Coupang CEO Resigns Following Massive Customer Data Breach
Coupang's CEO, Park Dae-joon, resigned after a significant data breach exposed information on over 30 million customers, impacting more than half of South Korea's population. The breach has raised serious concerns about data privacy and security practices within the company, prompting a leadership change to address the fallout. Coupang has appointed Harold Rogers, Chief Administrative Officer and General Counsel, as interim CEO to steer the company through the recovery phase. The company has publicly apologized and committed to enhancing its information security measures to prevent future incidents and regain customer trust. This incident underscores the critical need for robust cybersecurity frameworks in protecting sensitive customer data in the e-commerce sector. The breach serves as a stark reminder of the potential reputational and operational impacts of inadequate data protection strategies.