Daily Brief
Total articles found: 11761
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-10-08 19:57:30 | bleepingcomputer | MALWARE | New FileFix Variant Uses Cache Smuggling to Evade Detection | A new FileFix attack variant employs cache smuggling to secretly download malicious files, bypassing security software and posing as a Fortinet VPN Compliance Checker. The attack was discovered by cybersecurity researcher P4nd3m1cb0y and detailed further by Expel's Marcus Hutchins, showcasing sophisticated social engineering tactics. The attack uses a padded network path to conceal a PowerShell command that extracts a malicious ZIP file from Chrome's cache, evading traditional security scans. Cache smuggling allows malware to be stored as a fake image in the browser cache, bypassing detection by security tools that scan for direct downloads or web requests. Ransomware gangs and other threat actors have quickly adopted this technique, integrating it into their campaigns to enhance stealth and effectiveness. Palo Alto Unit 42 identified a new ClickFix kit, IUAM ClickFix Generator, automating the creation of similar lures and expanding the attack ecosystem. The ClickFix Generator supports OS-specific payloads, increasing the threat's adaptability and reach across different operating systems. Organizations must prioritize employee education on avoiding execution of commands copied from websites to mitigate risks from such social engineering attacks. | Details |
| 2025-10-08 18:44:39 | bleepingcomputer | CYBERCRIME | Qilin Ransomware Group Targets Asahi Brewery, Leaks Sensitive Data | The Qilin ransomware group has claimed responsibility for a cyberattack on Asahi, Japan's largest brewing company, exfiltrating over 27GB of data. The breach led to the suspension of operations at six Asahi facilities, significantly impacting production and causing potential losses of up to $335 million. Hackers published 29 images as proof of the breach, including internal financial documents, employee IDs, and confidential contracts. Asahi confirmed the attack on October 3rd, following initial disruptions on September 29th, and has since resumed production using a temporary manual system. Qilin ransomware, linked to North Korean hackers, is known for exploiting critical network device vulnerabilities and deploying credential theft tools. Asahi's flagship product, "Super Dry," is back in production, with further shipping expected to resume by October 15th, although full operational capacity has not yet been restored. The company has postponed the launch of new products originally scheduled for October 2025 due to the attack's impact on business operations. | Details |
| 2025-10-08 17:38:15 | bleepingcomputer | CYBERCRIME | Crimson Collective Exploits AWS for Data Theft and Extortion | The Crimson Collective threat group has been targeting AWS cloud environments, stealing data and extorting companies, including a significant attack on Red Hat. They exfiltrated 570 GB of data from thousands of private GitLab repositories and demanded ransom from Red Hat, collaborating with Scattered Lapsus$ Hunters to increase pressure. The group compromises AWS environments by exploiting exposed credentials, using tools like TruffleHog, and escalating privileges through IAM accounts. Attackers gain full AWS control by attaching 'AdministratorAccess' policies to new IAM users, enabling extensive data enumeration and exfiltration. They modify RDS master passwords, create snapshots, and export data to S3 for exfiltration, leveraging permissive security groups for data transfer. Extortion notes are sent via AWS Simple Email Service within the compromised environment and externally, with multiple IP addresses used to facilitate operations. Rapid7's analysis suggests scanning environments for exposure using tools like S3crets Scanner to mitigate risks and prevent breaches from leaked AWS secrets. The size and composition of Crimson Collective remain unknown, but their tactics present a significant threat to cloud security. | Details |
| 2025-10-08 17:29:40 | theregister | DATA BREACH | Salesforce Stands Firm Against Ransom Demands Amid Data Breach Threat | Salesforce has refused to pay a ransom to cybercriminals threatening to leak nearly 1 billion customer records, maintaining a firm stance against extortion. The group, identified as Scattered Lapsus$ Hunters, claims to have accessed Salesforce customer data through prior breaches, not recent vulnerabilities. Salesforce has communicated with affected customers, assuring them that the platform itself remains uncompromised and secure. The attackers have set an October 10 deadline for ransom negotiations, threatening to publish the data if their demands are unmet. Google and Salesforce have alerted organizations potentially impacted by the breach, emphasizing that the data was stolen via SalesLoft's Drift application. The breach involved the theft of OAuth tokens, granting unauthorized access to multiple Salesforce environments through the compromised application. Salesforce's response includes collaboration with external experts and authorities to investigate and mitigate the impact of the extortion attempts. The incident underscores the importance of robust third-party application security and the risks associated with integration vulnerabilities. | Details |
| 2025-10-08 16:49:20 | thehackernews | MALWARE | WordPress Sites Exploited for Advanced ClickFix Phishing Attacks | Cybercriminals are targeting WordPress sites with malicious JavaScript injections, redirecting users to deceptive sites through compromised theme files like "functions.php". Attackers use Google Ads references to evade detection, while the "brazilc[.]com" domain serves as a remote loader for dynamic payloads. The infection chain leverages the "porsasystem[.]com" domain, leading victims to ClickFix-style pages for malware distribution, including information stealers. The IUAM ClickFix Generator phishing kit enables attackers to create customizable phishing pages mimicking browser verification challenges, enhancing the lure's effectiveness. These phishing kits facilitate sophisticated, multi-platform attacks, lowering entry barriers for cybercriminals by promising antivirus and web protection bypass. A new ClickFix variant employs cache smuggling, storing data in the browser's cache to evade detection, without downloading explicit malicious files. The campaign uses a Fortinet VPN Compliance Checker guise, executing an obfuscated payload via PowerShell, masked as a cached JPEG image. | Details |
| 2025-10-08 16:03:51 | bleepingcomputer | VULNERABILITIES | Critical Authentication Bypass Found in Service Finder WordPress Theme | A critical vulnerability, CVE-2025-5947, in the Service Finder WordPress theme allows attackers to bypass authentication and gain administrator access. The flaw affects versions 6.0 and older, with a severity score of 9.8, due to improper validation of the original_user_id cookie. Over 13,800 exploitation attempts have been recorded since August 1, with a significant surge of 1,500 daily attacks observed recently. Attackers use an HTTP GET request with a specific query parameter to impersonate users, primarily originating from five IP addresses. Aonetheme, the theme's vendor, released a patch in version 6.1 on July 17, but exploitation began shortly after public disclosure. Website administrators are advised to apply the security update immediately or discontinue use to mitigate potential risks. Wordfence recommends reviewing logs for suspicious activities, as attackers can erase evidence of compromise with administrator access. The vulnerability's active exploitation status necessitates urgent attention to prevent unauthorized access and potential data breaches. | Details |
| 2025-10-08 14:56:54 | bleepingcomputer | CYBERCRIME | London Police Arrest Teens in Nursery Ransomware and Doxing Case | Two 17-year-olds were arrested in Bishop's Stortford for their involvement in a ransomware attack on Kido nurseries, targeting sensitive data of over 1,000 children. The cybercrime group, Radiant Group, leaked children's photos and addresses on the dark web after breaching Kido's systems, seeking to extort the nursery chain. The attack exploited a software service, Famly, although no breach of Famly's security infrastructure was confirmed, according to its CEO. The Metropolitan Police and UK NCSC have been actively investigating, with significant progress marked by these arrests. This incident is part of a broader trend of teenagers in the UK being linked to high-profile cyberattacks, raising concerns about youth involvement in cybercrime. The breach has raised alarms about data security in educational institutions, emphasizing the need for robust cybersecurity measures. Authorities continue efforts to bring all responsible parties to justice, ensuring community reassurance and enhanced cyber resilience. | Details |
| 2025-10-08 14:04:41 | bleepingcomputer | DATA BREACH | OAuth Token Misuse Exposes Google Workspace Vulnerabilities in Drift Incident | Attackers exploited stolen OAuth tokens to access Google Workspace mailboxes via Drift integrations, bypassing traditional security measures and highlighting the risks of delegated access. Google responded swiftly by revoking the compromised tokens and disabling the affected integration, demonstrating the importance of rapid incident response capabilities. The incident reflects a broader trend where attackers prioritize token theft over endpoint breaches, leveraging legitimate access to conduct high-volume data exfiltration. Material Security emphasizes a shift towards resilience and containment, advocating for robust detection and response strategies across cloud environments. The event underscores the need for comprehensive OAuth governance, including inventory management, scope tightening, and proactive revocation of risky app permissions. Organizations are advised to enhance identity security beyond MFA, focusing on phishing-resistant authentication and monitoring for suspicious account behaviors. The incident serves as a reminder that securing the perimeter is insufficient; protecting the content and assuming breaches will occur are critical to minimizing impact. | Details |
| 2025-10-08 13:57:55 | thehackernews | NATION STATE ACTIVITY | Chinese Hackers Exploit Nezha Tool in Sophisticated Cyber Attacks | Cybersecurity firm Huntress identified a campaign by suspected Chinese hackers using the Nezha tool to deploy Gh0st RAT malware, targeting over 100 machines primarily in Taiwan, Japan, South Korea, and Hong Kong. The attackers utilized a technique known as log poisoning to plant a web shell on vulnerable web servers, gaining control through the ANTSWORD tool. Initial access was achieved via a publicly exposed phpMyAdmin panel, where attackers executed SQL commands to drop a PHP web shell, exploiting general query logging features. The Nezha agent facilitated remote command execution, allowing the deployment of PowerShell scripts to bypass Microsoft Defender Antivirus and launch Gh0st RAT. The operation's dashboard, intriguingly run in Russian, listed victims globally, including in the U.S., U.K., and several Asian and European countries. This incident illustrates the increasing abuse of publicly available tools by threat actors, leveraging them for low-cost, deniable, and often undetected attacks. Organizations are reminded to secure publicly exposed interfaces and monitor for unusual activities, particularly those involving open-source tools. | Details |
| 2025-10-08 13:00:32 | theregister | MISCELLANEOUS | Germany Blocks EU's Proposed Chat Control Regulations on Privacy Grounds | Germany has announced its opposition to the EU's proposed "Chat Control" regulations, which would mandate scanning of private communications for child sexual abuse material. The regulations would require communication platforms to implement AI-powered content filters, potentially compromising end-to-end encryption and user privacy. Germany's stance is pivotal, as its population size significantly influences the EU's legislative process, likely preventing the regulations from passing. Privacy-focused organizations, including Signal and Tuta Mail, have threatened to exit the EU market if the regulations are enacted, citing privacy and security concerns. Critics argue that the regulations could lead to mass surveillance, undermining digital privacy and security, and posing risks to activists, journalists, and other vulnerable groups. The opposition from Germany and other countries forms a blocking minority, crucial for halting the legislation, which requires a qualified majority to pass. The debate emphasizes the ongoing tension between privacy rights and regulatory efforts to combat illegal content online. | Details |
| 2025-10-08 12:07:23 | thehackernews | CYBERCRIME | LockBit, Qilin, and DragonForce Form Strategic Ransomware Alliance | LockBit, Qilin, and DragonForce have announced a strategic alliance to enhance their ransomware capabilities, potentially increasing the frequency and sophistication of attacks. This coalition aims to share techniques, resources, and infrastructure, bolstering each group's operational strength and expanding their reach. The resurgence of LockBit, following its previous takedown, is marked by the release of LockBit 5.0, targeting Windows, Linux, and ESXi systems. Qilin, a leading ransomware group, has been particularly active, with over 200 victims in Q3 2025, predominantly targeting North American organizations. The alliance may lead to a surge in attacks on critical infrastructure and sectors previously deemed low risk, posing significant threats to global cybersecurity. A notable trend is the expansion of ransomware attacks to countries like Egypt, Thailand, and Colombia, as threat actors seek to evade law enforcement in traditional hotspots. The professional, scientific, and technical services sectors have been heavily impacted, with over 375 victims, highlighting the broadening scope of ransomware activities. | Details |
| 2025-10-08 11:39:20 | thehackernews | MISCELLANEOUS | Webinar Explores Password Breaches and Modern Security Solutions | Weak passwords continue to cause significant financial losses annually, with many breaches preventable through better password management practices. Attackers often exploit simple login credentials, leading to increased security incidents and operational challenges for IT teams. The Hacker News and Specops Software are hosting a webinar titled "Cybersecurity Nightmares: Tales from the Password Graveyard" to address these issues. The session will cover real-world password breach examples and the shortcomings of traditional password policies. Attendees will learn about new tools designed to prevent attacks and enhance security without complicating the user experience. Specops Software aims to help IT teams improve security measures while maintaining productivity and reducing user friction. The webinar offers a strategic action plan for IT leaders to mitigate password-related risks effectively. | Details |
| 2025-10-08 11:01:36 | thehackernews | VULNERABILITIES | Critical Figma MCP Flaw Enables Remote Code Execution; Patch Released | A severe vulnerability in Figma's MCP server, CVE-2025-53967, allowed remote code execution through command injection, posing significant risks to developers. The flaw stemmed from unsanitized user input in command-line strings, enabling attackers to inject arbitrary system commands. Exploitation could occur via indirect prompt injection, especially impacting AI-driven coding tools like Cursor integrated with Figma. Imperva reported the vulnerability as a "design oversight," emphasizing the need for secure coding practices in AI development environments. The vulnerability was addressed in version 0.6.3 of figma-developer-mcp, released on September 29, 2025, with recommendations to avoid using child_process.exec with untrusted inputs. This incident serves as a reminder of the potential security pitfalls in AI development tools and the importance of keeping security measures aligned with technological advancements. Concurrently, FireTail disclosed a separate vulnerability in Google's Gemini AI, highlighting the ongoing challenges in securing AI-integrated enterprise platforms. | Details |
| 2025-10-08 07:22:50 | thehackernews | CYBERCRIME | OpenAI Disrupts Misuse of ChatGPT by Global Cybercriminals | OpenAI identified and disrupted three clusters of cybercriminals using ChatGPT for malware development, involving actors from Russia, North Korea, and China. Russian threat actors leveraged ChatGPT to refine a remote access trojan, employing multiple accounts to develop and troubleshoot components for credential theft. North Korean activities involved using ChatGPT for malware and command-and-control development, targeting South Korean diplomatic missions with spear-phishing campaigns. Chinese hackers utilized the AI tool to enhance phishing campaigns targeting investment firms, focusing on the Taiwanese semiconductor sector. OpenAI's intervention blocked accounts used for scam and influence operations, preventing misuse of AI for social media manipulation and phishing content generation. The findings reveal threat actors' adaptation to evade detection, such as altering text indicators that suggest AI-generated content. OpenAI's actions underscore the ongoing challenge of AI tools being exploited for malicious purposes, highlighting the need for continuous monitoring and response. | Details |
| 2025-10-08 00:21:42 | bleepingcomputer | DATA BREACH | Salesforce Rejects Ransom Demands After Data Theft Campaigns | Salesforce confirmed it will not pay ransom demands following extensive data theft attacks impacting its customers, warning of potential data leaks by threat actors. Threat actors, identified as "Scattered Lapsus$ Hunters," targeted 39 companies, including major brands like FedEx, Disney, and Google, threatening to release nearly 1 billion stolen records. The data was exfiltrated during two separate campaigns, initiated through social engineering and OAuth token exploitation, affecting Salesforce instances and customer environments. The first campaign involved impersonation tactics to connect malicious applications to Salesforce, enabling database theft and subsequent extortion attempts. The second campaign leveraged stolen OAuth tokens to access CRM environments, focusing on extracting sensitive information like credentials and API tokens. The data leak site used for extortion was reportedly seized by the FBI, with the domain now under its control, suggesting law enforcement intervention. Salesforce's stance against ransom payments underscores the importance of robust incident response and highlights the ongoing risk of supply chain vulnerabilities. | Details |