Daily Brief

Each article below is listed with its timestamp, source, category and title, followed by a generated summary.

Total articles found: 11762

Checks for new stories every ~15 minutes

2025-10-07 11:04:08 | thehackernews | DATA BREACH | AI Emerges as Leading Channel for Corporate Data Exfiltration
LayerX's report identifies AI as the primary channel for data exfiltration, surpassing shadow SaaS and unmanaged file sharing in enterprise environments. Generative AI tools like ChatGPT, Claude, and Copilot are being used by 45% of employees, with 67% of this usage occurring through unmanaged personal accounts. Sensitive data, including PII and PCI, is frequently uploaded to AI platforms, with 40% of files containing such information and 77% of data pasted into AI tools from unmanaged accounts. Traditional data loss prevention tools fail to address this risk, as they are designed for sanctioned, file-based environments rather than browser-based AI interactions. The report emphasizes the need for CISOs to shift focus from traditional security perimeters to browser-based data flows to mitigate AI-driven data breaches. Instant messaging also poses a significant risk, with 87% of enterprise chat usage occurring through unmanaged accounts and 62% of users pasting sensitive data. The findings suggest a governance collapse, urging security leaders to treat AI as a current, critical threat rather than an emerging technology.
2025-10-07 10:42:15 | thehackernews | MALWARE | XWorm 6.0 Emerges with Enhanced Capabilities and New Threats
Trellix researchers reported the resurgence of XWorm malware, now featuring over 35 plugins, enhancing its ability to conduct a wide range of malicious activities. XWorm, initially linked to the threat actor EvilCoder, is known for data theft, keylogging, screen capture, and ransomware operations, primarily spread through phishing emails. The malware's modular design allows it to execute commands from an external server, including system shutdowns, file downloads, and even DDoS attacks. Recent campaigns distributing XWorm 6.0 utilize malicious JavaScript in phishing emails, injecting malware into legitimate Windows processes like RegSvcs.exe to avoid detection. A significant development is the discovery of a remote code execution vulnerability in XWorm, allowing attackers to execute arbitrary code with the C2 encryption key. Despite the original developer's apparent departure, XWorm 6.0 is being sold on cybercrime forums, raising concerns about its ongoing evolution and potential impact. The malware's ability to host other malicious software, such as DarkCloud Stealer and Remcos RAT, underscores its threat to global cybersecurity. Organizations are reminded to strengthen their defenses against phishing and to monitor for signs of XWorm infections to mitigate potential breaches.
2025-10-07 09:18:36 | theregister | NATION STATE ACTIVITY | UK Develops Satellite Laser Detection and Carrier-Based Drone Projects
The UK Ministry of Defence is advancing projects to protect satellites from laser attacks and develop carrier-launched drones, emphasizing strategic defense capabilities in space and naval operations. Collaboration with the UK Space Agency aims to create sensors that detect laser threats to satellites, safeguarding vital communication and observation systems critical to national infrastructure. The satellite industry significantly contributes to the UK economy, with nearly 20% of GDP reliant on spaceborne services, highlighting the importance of protecting these assets. Concerns over adversaries like China using lasers to disrupt satellite operations drive the development of these protective technologies, ensuring resilience in contested space environments. Project VANQUISH seeks to demonstrate a jet-powered drone capable of operating from Royal Navy carriers, enhancing the fleet's operational flexibility without traditional launch and recovery systems. The Royal Navy's initiative to integrate drones with F-35B aircraft aims to expand mission capabilities, including strike missions and mid-air refueling, by 2026. An estimated £10 million contract will fund the technical demonstration, with successful outcomes informing future procurement decisions for production aircraft in the 2030s.
2025-10-07 08:39:10 | theregister | MISCELLANEOUS | UK Home Office Invests £60M in ANPR Data Integration Project
The UK Home Office announces a £60 million initiative to develop an application for integrating automated number plate recognition (ANPR) data into live reporting systems. This project aims to enhance law enforcement capabilities by providing real-time alerts and search functionalities using ANPR data from police forces and law enforcement agencies. The National Strategic ANPR Platform will serve as the central hub, compiling live data streams for use in investigations and intelligence operations. Despite the controversial nature of ANPR systems, the Home Office emphasizes their role in detecting criminal activity and supporting national security. The National Infrastructure and Service Transformation Authority reported a 30% budget variation due to a year-long delay in the central database project. The total projected cost for the ANPR data integration initiative is estimated at £538.9 million over its lifespan. The procurement does not include hardware components like cameras or servers, focusing solely on software and data integration capabilities.
2025-10-07 08:39:10 | thehackernews | VULNERABILITIES | Critical Redis Flaw Enables Remote Code Execution Across All Versions
Redis has disclosed a critical vulnerability, CVE-2025-49844, affecting all versions of its in-memory database software, allowing potential remote code execution. The flaw, known as RediShell, has been given a maximum CVSS score of 10.0, underscoring its severity and potential impact on systems. Exploitation requires authenticated access, emphasizing the importance of securing Redis instances with strong authentication and avoiding exposure to the internet. Redis has released patches for versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2 to address this vulnerability, with temporary workarounds available for immediate mitigation. Discovered by Wiz, the flaw involves a use-after-free memory corruption bug, existing in the Redis codebase for approximately 13 years. Potential attack scenarios include credential theft, malware deployment, data exfiltration, and lateral movement within cloud environments. Approximately 330,000 Redis instances are exposed online, with 60,000 lacking authentication, presenting a significant risk for exploitation. Organizations are urged to apply patches promptly and implement strict access controls to mitigate the threat effectively.
2025-10-07 08:21:44 | thehackernews | CYBERCRIME | Storm-1175 Exploits GoAnywhere Flaw to Deploy Medusa Ransomware
Microsoft has linked the cybercriminal group Storm-1175 to the exploitation of a critical flaw in Fortra's GoAnywhere software, facilitating the deployment of Medusa ransomware. The vulnerability, CVE-2025-10035, is a critical deserialization bug with a CVSS score of 10.0, allowing command injection without authentication. Successful exploitation enables attackers to perform system discovery, maintain access, and deploy additional tools for lateral movement and malware distribution. Attackers use remote monitoring and management tools like SimpleHelp and MeshAgent to maintain persistence, with .jsp files created within GoAnywhere directories. Lateral movement is achieved using Windows Remote Desktop Connection, while Rclone is used for data exfiltration in some environments. Organizations using GoAnywhere MFT have been vulnerable since September 11, with attackers having a month-long head start before public disclosure. Questions remain about how threat actors obtained the necessary private keys and why affected organizations were not informed sooner, raising concerns over transparency.
2025-10-07 08:03:29 | theregister | CYBERCRIME | Credential Stuffing Costs 23andMe £2.31 Million in Regulatory Fines
23andMe faced a £2.31 million fine from the UK's Information Commissioner's Office following a credential stuffing attack affecting 6.9 million users. Attackers exploited recycled passwords and poor security practices, gaining unauthorized access to sensitive genetic data through interconnected accounts. The breach highlighted the absence of rate limiting in 23andMe's login API, allowing unlimited login attempts without triggering security alerts. Approximately 14,000 accounts were directly compromised, with the exposure extending to 5.5 million DNA Relatives and 1.4 million Family Tree profiles. Credential stuffing leverages stolen credentials from past breaches, testing them across various platforms to exploit password reuse. Automated tools facilitate these attacks, testing millions of combinations per minute, challenging traditional detection and prevention methods. Organizations are urged to enforce strong password policies, monitor for suspicious activities, and deploy sophisticated bot defenses to mitigate such risks. Passwork offers a solution by generating complex, unique passwords, reducing the likelihood of credential stuffing attacks through improved password hygiene.
2025-10-07 05:20:47 | thehackernews | VULNERABILITIES | Cl0p Exploits Critical Oracle EBS Flaw for Data Exfiltration
CrowdStrike attributes the exploitation of Oracle E-Business Suite's CVE-2025-61882 to the threat actor Graceful Spider, known as Cl0p, with moderate confidence. The vulnerability, scoring 9.8 on the CVSS scale, allows remote code execution without authentication, posing significant risks to affected systems. An observed attack sequence involves exploiting Oracle's XML Publisher Template Manager to upload and execute malicious templates, leading to persistent access. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-61882 to its Known Exploited Vulnerabilities catalog, urging immediate patching by October 27, 2025. Cl0p has been actively exploiting this flaw since August 2025, leading to data theft and extortion attempts against multiple Oracle EBS users. A Telegram channel has shared the exploit while criticizing Graceful Spider, indicating potential collaboration or competition among threat actors. Security experts recommend urgent patching, aggressive threat hunting, and enhanced security controls to mitigate risks associated with this vulnerability.
2025-10-06 21:16:20 | bleepingcomputer | DATA BREACH | Red Hat Faces Extortion Threat After Major Data Breach
Red Hat has been targeted by the ShinyHunters group, which is extorting the company following a significant data breach involving customer engagement reports (CERs). The breach, initially claimed by the Crimson Collective, resulted in the theft of nearly 570GB of data from Red Hat's internal development repositories, including sensitive customer information. Red Hat confirmed that the breach affected its GitLab instance, which was used for consulting engagements, but has not responded to extortion demands. ShinyHunters, operating as an extortion-as-a-service, is threatening to publicly release the stolen data unless Red Hat negotiates a ransom by October 10th. The leaked data includes CERs from major organizations such as Walmart, HSBC, and the Department of Defence, raising concerns about potential operational impacts. This incident underscores the growing trend of extortion-as-a-service operations, where groups like ShinyHunters facilitate data leaks for a share of the ransom. Companies are advised to strengthen their cybersecurity posture and prepare for potential extortion attempts, focusing on robust incident response and communication strategies.
2025-10-06 18:16:59 | bleepingcomputer | VULNERABILITIES | GoAnywhere MFT Vulnerability Exploited in Medusa Ransomware Attacks
A critical vulnerability in Fortra's GoAnywhere MFT tool, tracked as CVE-2025-10035, has been exploited by the Storm-1175 group in Medusa ransomware attacks. The flaw, caused by deserialization of untrusted data, allows remote exploitation without user interaction, posing significant risks to affected organizations. Microsoft confirmed that Storm-1175 has been leveraging this vulnerability since September 11, 2025, utilizing tactics aligned with known Medusa ransomware operations. Attackers maintained persistence using remote monitoring tools like SimpleHelp and MeshAgent, conducting network reconnaissance and lateral movement across compromised systems. The Medusa ransomware payloads were deployed to encrypt files, and Rclone was used for data exfiltration, impacting multiple organizations. Fortra patched the vulnerability on September 18, but the flaw was already exploited as a zero-day, prompting urgent patching and log inspections for affected users. Microsoft and Fortra recommend updating to the latest software versions and reviewing logs for specific error strings to assess potential impacts. The Medusa ransomware operation has previously affected over 300 critical infrastructure organizations, highlighting the ongoing threat posed by such vulnerabilities.
2025-10-06 17:15:24 | bleepingcomputer | VULNERABILITIES | Zeroday Cloud Contest Offers $4.5 Million for Exploit Discoveries
Zeroday Cloud, a new hacking contest, offers $4.5 million for exploits targeting open-source cloud and AI tools, hosted by Wiz with Google Cloud, AWS, and Microsoft. The competition will take place at the Black Hat Europe conference in London on December 10 and 11, featuring six categories with bounties ranging from $10,000 to $300,000. Researchers must achieve full target compromise, such as Container/VM Escape or 0-click RCE, with submissions to be demonstrated live at the event. Participants must register via HackerOne, complete ID verification, and submit tax forms by November 20 to compete. Entrants from embargoed or sanctioned regions, including Russia and China, are barred from participation. Trend Micro's Pwn2Own organizers accused Wiz of copying their contest rules, but Wiz acknowledged using Pwn2Own's framework as inspiration. This contest aims to advance cloud security by incentivizing researchers to uncover critical vulnerabilities in widely-used technologies.
2025-10-06 16:02:44 | bleepingcomputer | VULNERABILITIES | Critical Redis Vulnerability Threatens Thousands of Cloud Instances
Redis has released patches for CVE-2025-49844, a critical vulnerability allowing remote code execution on thousands of instances, impacting approximately 75% of cloud environments. The flaw stems from a 13-year-old use-after-free weakness in the Redis source code, exploitable via a crafted Lua script by authenticated users. Successful exploitation enables attackers to gain persistent access, steal credentials, deploy malware, and move laterally within victim networks. Wiz researchers identified around 330,000 Redis instances exposed online, with at least 60,000 lacking authentication, significantly increasing the risk of exploitation. Redis and Wiz recommend immediate patching, enabling authentication, disabling Lua scripting, and implementing strict network access controls to mitigate risks. The vulnerability poses a severe threat due to Redis's widespread deployment, default insecure configurations, and the potential for significant data exfiltration and resource hijacking. Historical attacks on Redis servers have included malware and cryptominer deployments, emphasizing the need for robust security measures.
2025-10-06 15:48:47 | theregister | CYBERCRIME | Scattered Lapsus$ Hunters Launch Crowdsourced Extortion Scheme Targeting Executives
Scattered Lapsus$ Hunters has initiated a crowdsourced extortion campaign, offering $10 in Bitcoin to individuals who pressure executives into paying ransoms. The group claims to have distributed $1,000 to participants, incentivizing harassment of executives via personal email accounts for higher rewards. Communications from the group, marked by poor grammar, suggest non-native English speakers, raising questions about their origins and capabilities. The extortion scheme targets organizations allegedly breached through a Salesforce integration, with a data leak site listing victims and setting a ransom deadline. Salesforce, in response, stated no compromise of its platform has been identified, attributing the claims to past or unverified incidents. The attack exploited OAuth tokens from Salesloft Drift, a Salesforce integration, allowing unauthorized access to CRM systems. Google and Salesforce preemptively informed potentially affected organizations before the data leak site was launched. Despite recent law enforcement actions against its members, the group continues its activities, maintaining its presence through revived Telegram channels.
2025-10-06 14:35:54 | bleepingcomputer | MISCELLANEOUS | Wazuh Integrates AI for Enhanced Cybersecurity and Threat Detection
The cybersecurity landscape is evolving with attackers using AI-driven tactics, requiring organizations to adopt advanced technologies for defense. Wazuh, an open-source security platform, integrates AI to enhance detection, investigation, and situational awareness across various environments. AI capabilities in Wazuh include anomaly detection, log correlation, and threat intelligence, offering speed and scalability beyond traditional methods. The platform's AI assistant feature, powered by Claude 3.5 Haiku, provides contextual insights, bridging the gap between alerts and actionable responses. AI-driven threat hunting in Wazuh employs semantic search capabilities, allowing analysts to uncover hidden threats through natural language queries. Wazuh's AI analyst service aims to augment security teams by providing automated alerts summaries, contextual enrichment, and next-step guidance. By embedding AI into its cloud platform, Wazuh offers a scalable security solution that adapts to the growing complexity of cyber threats.
2025-10-06 14:00:01 | thehackernews | NATION STATE ACTIVITY | Chinese Research Firms Linked to Ministry of State Security Operations
Recorded Future's report connects BIETA and CIII to China's Ministry of State Security, suggesting these firms support intelligence and counterintelligence missions. Evidence includes affiliations of at least four BIETA personnel with MSS officers and ties to the University of International Relations. BIETA and CIII are involved in developing technologies for steganography, malware deployment, and military communications, enhancing China's national security capabilities. CIII has developed applications for network simulations, penetration testing, and covert communications, indicating a focus on advanced cyber capabilities. The report suggests these organizations act as fronts for cyber-enabled intelligence operations, supporting Beijing's strategic objectives. The disclosure follows a recent finding of a Chinese proxy service used in North Korean cyber campaigns, highlighting the complexities of APT infrastructure. This development emphasizes the ongoing challenge of distinguishing between commercial and state-sponsored cyber activities.