Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-10-15 15:21:55 | bleepingcomputer | DATA BREACH | MANGO Data Breach Exposes Customer Information via Marketing Vendor | Spanish fashion retailer MANGO disclosed a data breach affecting customer information due to a compromise at an external marketing vendor. The breach exposed customer first names, countries, postal codes, email addresses, and phone numbers, but sensitive financial and identification data remained secure. MANGO's corporate infrastructure and IT systems were not compromised, ensuring uninterrupted business operations across its global network. The company activated all security protocols upon discovering the breach and informed the Spanish Data Protection Agency and other relevant authorities. A dedicated support line and email address have been established for customer inquiries about potential data exposure. The identity of the attackers remains unknown, and no ransomware group has claimed responsibility for the incident. The breach highlights the risks associated with third-party vendors and the importance of robust security measures in protecting customer data. |
| 2025-10-15 14:20:42 | thehackernews | VULNERABILITIES | Over 100 VS Code Extensions Leak Access Tokens, Risking Supply Chain | Research revealed that over 100 Visual Studio Code extensions leaked access tokens, posing a significant supply chain risk by enabling potential malicious updates across an install base of 150,000. Wiz Security identified 550 secrets across more than 500 extensions, with 67 distinct types of secrets, potentially compromising both public and internal extensions. The leaked tokens could facilitate unauthorized updates, including malware distribution, affecting large organizations such as a $30 billion Chinese corporation. Microsoft responded by revoking leaked tokens and plans to enhance secret scanning to prevent future leaks and notify developers of detected secrets. Users are advised to limit extensions, scrutinize them before downloading, and consider centralized allowlists to mitigate risks. The TigerJack threat actor has exploited these vulnerabilities, publishing malicious extensions that steal code, mine cryptocurrency, and establish backdoors. Microsoft's security measures currently cover only the VS Code Marketplace, leaving other platforms such as Open VSX vulnerable to similar threats. The incident underscores the ongoing challenges in securing software supply chains and the necessity for comprehensive security strategies across all platforms. |
| 2025-10-15 14:14:08 | bleepingcomputer | VULNERABILITIES | Enhancing Network Security: Leveraging NDR to Detect Dark Web Threats | Cybersecurity experts emphasize the importance of Network Detection and Response (NDR) for identifying dark web threats, including ransomware and data exfiltration, hidden within regular network traffic. Dark web activities often use anonymizing tools such as Tor, I2P, and Freenet, which can be detected through unusual port usage and encrypted traffic patterns. NDR systems use AI and machine learning to monitor network traffic in real time, improving detection and response times for dark web-related threats. Strategic placement of NDR sensors across network segments is recommended to identify command-and-control activity and data exfiltration attempts. Initial network baselining is crucial for NDR platforms to distinguish normal from suspicious activity and avoid false positives in threat detection. Corelight's NDR platform offers advanced detection capabilities, including monitoring of Tor activity, I2P connections, and suspicious DNS queries. Integrating threat intelligence feeds with NDR enhances the detection of Indicators of Compromise (IOCs) and strengthens overall cybersecurity posture. |
| 2025-10-15 13:42:53 | bleepingcomputer | NATION STATE ACTIVITY | F5 Systems Breached by Suspected Nation-State Hackers in August 2025 | F5, a leading cybersecurity firm, reported a breach by suspected nation-state hackers in August 2025 that compromised its BIG-IP product development systems. Attackers accessed F5's systems and stole source code and undisclosed security vulnerabilities related to the BIG-IP product, which is used globally for application delivery networking. Despite the breach, F5 confirms no evidence of the stolen information being used in attacks or of any compromise of its software supply chain. The U.S. government requested a delay in public disclosure to secure critical systems, with F5 filing a report in compliance with regulatory requirements. F5 is conducting a thorough review to identify affected customers and will provide guidance to those impacted by the theft of configuration details. Independent cybersecurity firms have validated the safety of BIG-IP releases, confirming that no suspicious code modifications occurred. The incident is reported to have no material impact on F5's operations, with all services remaining fully operational and secure. |
| 2025-10-15 13:35:20 | bleepingcomputer | NATION STATE ACTIVITY | F5 Discloses Breach by Suspected Nation-State Hackers in August | F5, a major U.S. cybersecurity firm, experienced a breach in August 2025 in which suspected nation-state actors accessed its systems and stole sensitive data. The attackers gained long-term access to F5's BIG-IP product development environment, stealing source code and undisclosed vulnerabilities. Despite the breach, F5 reports no evidence of the stolen information being used in attacks or disclosed publicly. The breach did not compromise F5's software supply chain or result in suspicious code modifications, maintaining the integrity of its platforms. F5 is actively reviewing which customers might have had their configuration details stolen and will provide guidance to affected parties. The U.S. government requested a delay in public disclosure to secure critical systems, reflecting the breach's potential national security implications. F5 assures that its operations remain unaffected, with all services deemed safe following independent cybersecurity reviews. |
| 2025-10-15 11:39:09 | thehackernews | VULNERABILITIES | Risks Associated with Synced Passkeys in Enterprise Environments | Synced passkeys, while enhancing usability, pose significant security risks for enterprises, according to recent advisories from the FIDO Alliance and Yubico. These vulnerabilities stem primarily from the reliance on cloud accounts and recovery workflows, which expand the attack surface. Proofpoint researchers identified a downgrade attack on Microsoft Entra ID that exploits browser and OS compatibility issues to bypass WebAuthn security. Attackers can leverage compromised browser environments to hijack WebAuthn calls, using malicious extensions or XSS bugs to manipulate passkey processes. Device-bound passkeys are recommended for enterprises, as they are tied to specific devices with secure hardware components and offer better security assurances. Enterprises are advised to implement robust identity security systems focusing on policy, browser and extension posture, and device hygiene. Upcoming webinars will further explore these vulnerabilities and provide insights on mitigating risks, featuring case studies from Snowflake and Cornell University. |
| 2025-10-15 11:07:10 | theregister | DATA BREACH | Capita Fined £14M for Delayed Response to Massive Data Breach | Capita faced a £14 million penalty from the UK's ICO after a cyberattack exposed 6.6 million individuals' data, impacting 325 organizations relying on Capita's services. The breach involved sensitive data, including bank details, biometrics, and passport information, resulting from a 58-hour delay in response to the attack. Attackers exploited a malicious JavaScript download, installing Qakbot malware and Cobalt Strike, leading to significant network infiltration and data exfiltration. Capita's security operations center failed to act on alerts promptly, allowing attackers to establish a foothold and move laterally across networks. Despite prior penetration tests identifying vulnerabilities, Capita did not address these issues, contributing to the breach's severity. Following the incident, Capita implemented security improvements and cooperated with authorities, which reduced the initially proposed fine from £45 million. The breach underscores the critical need for timely incident response and robust security measures to protect sensitive data and maintain public trust. |
| 2025-10-15 09:28:19 | thehackernews | VULNERABILITIES | Microsoft Patches Critical Zero-Day Flaws Amidst Windows 10 Support End | Microsoft addressed 183 security flaws, including two critical zero-days, as part of its latest patch release, coinciding with the end of support for Windows 10 without Extended Security Updates. The two actively exploited zero-days, CVE-2025-24990 and CVE-2025-59230, are elevation of privilege vulnerabilities affecting all Windows versions and potentially allowing attackers to gain administrator access. CVE-2025-24990 is rooted in a legacy driver present in all Windows systems, and Microsoft plans to remove the driver entirely to mitigate the risk. CVE-2025-59230 represents the first zero-day exploitation in the RasMan component, highlighting ongoing vulnerabilities despite numerous patches since 2022. A Secure Boot bypass vulnerability in IGEL OS (CVE-2025-47827) could enable kernel-level rootkit deployment, posing significant risks to virtual desktops, especially in physical access attacks. All three vulnerabilities have been added to CISA's Known Exploited Vulnerabilities catalog, requiring federal agencies to apply patches by November 4, 2025. Other critical vulnerabilities include a remote code execution flaw in Windows Server Update Service (CVE-2025-59287) and a privilege escalation issue in the Microsoft Graphics Component (CVE-2025-49708). Organizations are urged to prioritize patching these vulnerabilities to maintain system integrity and prevent potential exploitation, particularly in virtualized environments. |
| 2025-10-15 06:56:52 | thehackernews | VULNERABILITIES | Critical Flaws in Red Lion RTUs Threaten Industrial Control Systems | Two critical vulnerabilities, CVE-2023-40151 and CVE-2023-42770, in Red Lion Sixnet RTUs could allow attackers to execute commands with root privileges. These flaws are rated 10.0 on the CVSS scale, indicating the highest level of severity and potential impact. Affected devices include SixTRAK and VersaTRAK RTUs, widely used in the energy, water treatment, transportation, and manufacturing sectors. Exploiting these vulnerabilities could enable attackers to bypass authentication and achieve remote code execution, risking significant operational disruption. Red Lion has advised users to apply patches immediately and enable user authentication to mitigate these risks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert emphasizing the critical nature of these vulnerabilities. Organizations are urged to block TCP access to the affected RTUs to prevent unauthorized command execution and potential system compromise. |
| 2025-10-15 06:17:08 | thehackernews | VULNERABILITIES | ICTBroadcast Servers Exploited via Critical Cookie Vulnerability | A critical vulnerability, CVE-2025-2611, in ICTBroadcast software allows unauthenticated remote code execution, impacting versions 7.4 and below. The flaw arises from improper input validation, enabling attackers to inject shell commands via session cookies. Approximately 200 online instances of ICTBroadcast are exposed to this vulnerability, with active exploitation detected since October 11. Attackers use a two-phase approach: initial time-based exploit checks followed by reverse shell setup attempts. Overlaps with known malicious infrastructure suggest possible shared tooling with previous email campaigns in Europe. The vulnerability's patch status remains unknown, raising concerns over continued exploitation risks. Organizations using ICTBroadcast should urgently review their security measures and monitor for suspicious activity. |
| 2025-10-15 05:43:21 | thehackernews | VULNERABILITIES | Critical SAP NetWeaver Bug Allows Server Takeover Without Login | SAP has released security updates addressing 13 vulnerabilities, including a critical flaw in SAP NetWeaver AS Java with a CVSS score of 10.0 that enables arbitrary command execution. The vulnerability, CVE-2025-42944, involves insecure deserialization, allowing unauthenticated attackers to exploit the system via the RMI-P4 module. Additional security measures include a JVM-wide filter to prevent deserialization of untrusted Java objects, enhancing application confidentiality, integrity, and availability. Another significant flaw, CVE-2025-42937, involves directory traversal in SAP Print Service, allowing unauthorized file overwriting, with a CVSS score of 9.8. SAP also addressed an unrestricted file upload vulnerability in SAP Supplier Relationship Management, CVE-2025-42910, which could lead to malicious file execution. No active exploitation of these vulnerabilities has been reported, but immediate application of patches and mitigations is strongly advised to prevent potential threats. Security experts emphasize the ongoing risk of deserialization vulnerabilities, urging organizations to implement SAP's fixes and enhanced JVM configurations. |
| 2025-10-14 21:41:21 | bleepingcomputer | MALWARE | Malicious Crypto-Stealing Extensions Target VSCode and OpenVSX Users | A threat actor known as TigerJack targets developers with malicious Visual Studio Code (VSCode) extensions, aiming to steal cryptocurrency and install backdoors. Two compromised extensions, with 17,000 downloads, were removed from VSCode but remain available on OpenVSX, a community-maintained marketplace. TigerJack republished the malicious code under new names, exploiting the open-source nature of these platforms to reach unsuspecting users. Extensions such as C++ Playground and HTTP Format can exfiltrate source code and run crypto miners, significantly impacting the host's processing power. Another variant fetches and executes JavaScript from a remote server, allowing dynamic payload deployment, including credential theft and ransomware. Koi Security researchers identified this campaign, noting the sophisticated use of multiple accounts and credible developer personas to evade detection. Despite being notified, OpenVSX has yet to respond, leaving developers vulnerable; caution is advised when downloading extensions from unverified sources. |
| 2025-10-14 18:52:04 | bleepingcomputer | VULNERABILITIES | New Android Pixnapping Attack Threatens MFA Code Security | Researchers unveiled Pixnapping, a side-channel attack on Android devices that enables unauthorized pixel extraction to steal sensitive data, including two-factor authentication codes, from apps such as Signal and Google Authenticator. The attack exploits Android's intents system and the SurfaceFlinger composition process, allowing a malicious app to isolate and reconstruct pixels, effectively capturing screen content without permissions. Demonstrated on Google Pixel and Samsung Galaxy devices, Pixnapping affects Android versions 13 to 16, suggesting widespread vulnerability across older devices and operating systems. Google and Samsung plan to address the flaw by year-end, with a comprehensive patch expected in the December Android security update following a bypass of the initial September fix. The attack relies on the GPU.zip side channel, which leverages graphical data compression in GPUs, although no GPU vendors have announced patching plans for this specific vulnerability. Despite the potential for data theft, current checks show no malicious apps exploiting Pixnapping on Google Play, and the attack requires specific device data, resulting in a low success rate. Organizations should remain vigilant, ensuring devices are updated promptly and monitoring for any emerging threats exploiting this vulnerability. |
| 2025-10-14 18:07:28 | bleepingcomputer | VULNERABILITIES | Microsoft October 2025 Patch Tuesday Addresses Six Zero-Day Vulnerabilities | Microsoft released security updates for 172 vulnerabilities, including six zero-day flaws, during October 2025's Patch Tuesday, enhancing defenses across multiple platforms. Critical vulnerabilities addressed involve remote code execution and privilege elevation, affecting systems such as Windows SMB Server and Microsoft SQL Server. Windows 10 reaches the end of free security support, prompting enterprises to consider Extended Security Updates for continued protection. Key zero-day fixes include vulnerabilities in the Windows Agere Modem Driver and Windows Remote Access Connection Manager, which allowed unauthorized privilege escalation. A Secure Boot bypass in IGEL OS and a memory integrity issue in AMD EPYC processors were also addressed, improving system security. Microsoft's proactive measures include removing vulnerable drivers and enhancing security protocols in Azure Confidential Computing environments. Organizations are advised to promptly apply these updates to mitigate potential exploitation risks and safeguard their systems. |
| 2025-10-14 17:44:37 | bleepingcomputer | CYBERCRIME | U.S. DOJ Seizes $15 Billion in Crypto from Scam Syndicate | The U.S. Department of Justice seized $15 billion in bitcoin from the Prince Group, a criminal syndicate involved in cryptocurrency investment scams targeting U.S. victims. The Prince Group, operating since 2015, used social media, dating sites, and messaging apps to lure victims into fraudulent investment schemes, stealing billions in the process. The organization managed over 100 shell companies in more than 30 countries, employing forced labor in Cambodian compounds to execute scams under threats of violence. Chen Zhi, the leader of the Prince Group, remains at large, having orchestrated the scams and bribed officials to evade law enforcement. Advanced money laundering techniques were employed to obscure the origins of the stolen funds, which were spent on luxury items and investments. In collaboration with the UK, the U.S. Treasury sanctioned Chen Zhi and 146 associates, highlighting the international effort to curb such scams. The rise in online investment scams has resulted in significant financial losses, with U.S. victims losing over $16.6 billion in recent years. |