Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-10-04 20:46:48 | bleepingcomputer | DATA BREACH | Discord Data Breach Exposes User Information via Third-Party Provider | Discord experienced a data breach on September 20, affecting a limited number of users through a compromised third-party customer service provider. Hackers accessed personally identifiable information, including names, email addresses, government-issued IDs, and partial payment details. The breach was financially motivated, with hackers demanding a ransom to prevent the leak of stolen data. Discord promptly isolated the compromised support provider, revoked access, and initiated an investigation with a leading forensics firm and law enforcement. The Scattered Lapsus$ Hunters group claimed responsibility, exploiting a Zendesk instance used by Discord for customer support operations. The breach highlights vulnerabilities in third-party service integrations, emphasizing the need for robust security measures and regular audits. The incident could have broader implications, potentially aiding in solving crypto-related hacks and scams if the data is leaked. Discord's response includes ongoing investigations and collaboration with security experts to mitigate potential risks and prevent future breaches. |
| 2025-10-04 14:40:48 | thehackernews | VULNERABILITIES | CometJacking Attack Exploits AI Browser for Data Exfiltration | Cybersecurity researchers have identified a new attack, CometJacking, targeting Perplexity's Comet AI browser to extract sensitive data through malicious prompts embedded in URLs. The attack leverages a crafted URL to trigger unauthorized data access from connected services like email and calendar, bypassing traditional security measures. CometJacking operates without credential theft, exploiting the browser's existing authorized access to services, and uses Base64 encoding to obfuscate and transmit data. The attack is initiated when a user clicks a malicious link, redirecting the AI browser to execute hidden commands that capture and exfiltrate data. Perplexity has downplayed the security impact, but the incident reveals vulnerabilities in AI-native tools that can circumvent conventional defenses. The attack underscores the need for security-by-design in AI browsers, focusing on agent prompts and memory access rather than just page content. Organizations are urged to implement controls to detect and neutralize malicious agent prompts, as AI browsers become potential command-and-control points within enterprise environments. |
| 2025-10-04 14:21:15 | bleepingcomputer | VULNERABILITIES | Surge in Scans Targets Palo Alto Networks and Grafana Systems | GreyNoise reports a 500% rise in suspicious IPs scanning Palo Alto Networks login portals, peaking on October 3 with over 1,285 unique IPs involved. The scans primarily originated from the U.S., with additional clusters in the U.K., Netherlands, Canada, and Russia, suggesting a coordinated global reconnaissance effort. 91% of the IP addresses were deemed suspicious, while 7% were classified as malicious, indicating potential preparation for exploiting vulnerabilities. The targeted scans focused on Palo Alto GlobalProtect and PAN-OS profiles, likely sourced from public scanning tools or attacker-originated reconnaissance. GreyNoise previously linked similar scan activity to exploit preparation, though the correlation with Palo Alto products is currently weaker than in past incidents. An increase in exploitation attempts on Grafana's CVE-2021-43798 vulnerability was also noted, with 110 malicious IPs, mostly from Bangladesh, targeting systems. Administrators are advised to ensure Grafana systems are patched and to block identified malicious IPs, while monitoring logs for path traversal attempts. |
| 2025-10-04 11:17:58 | bleepingcomputer | DATA BREACH | Discord User Data Compromised in Third-Party Breach Incident | Hackers accessed Discord user data by compromising a third-party customer service provider on September 20, impacting users who interacted with Discord's support teams. The breach exposed personally identifiable information, including names, email addresses, and partial payment details, affecting a limited number of users. Attackers demanded a ransom from Discord, indicating a financially motivated breach, with threats to leak the stolen information. Discord responded by isolating the compromised provider, launching an internal investigation, and enlisting a forensic firm and law enforcement for remediation. Exposed data includes sensitive information such as government-issued ID photos and partial billing info, raising significant privacy concerns. The breach could aid in solving crypto-related hacks, as many scammers use Discord, according to Hudson Rock's CTO. The exact number of affected users remains undisclosed, and further details on the third-party provider and access vector are awaited. |
| 2025-10-04 10:42:33 | thehackernews | VULNERABILITIES | Surge in Scanning Activity Targets Palo Alto Networks Login Portals | GreyNoise reported a 500% increase in scanning activity targeting Palo Alto Networks login portals on October 3, 2025, marking the highest level in three months. Approximately 1,300 unique IP addresses participated in the scanning, with 93% classified as suspicious and 7% as malicious, predominantly geolocated in the U.S. The scanning activity shares characteristics with recent Cisco ASA scanning, including regional clustering and tooling overlap, suggesting a coordinated effort. GreyNoise's analysis indicates a dominant TLS fingerprint linked to infrastructure in the Netherlands, affecting both Palo Alto and Cisco ASA login portals. Past patterns suggest that such scanning surges often precede the disclosure of new CVEs, potentially indicating upcoming vulnerabilities in Palo Alto Networks technology. GreyNoise's Early Warning Signals report from July 2025 noted that malicious scanning often leads to new CVE disclosures within six weeks, as seen in recent Cisco ASA incidents. Organizations using Palo Alto Networks are advised to ensure their systems are updated to the latest software versions to mitigate potential threats. |
| 2025-10-03 18:12:16 | thehackernews | MALWARE | Detour Dog Utilizes DNS for Advanced Strela Stealer Malware Campaigns | Infoblox has identified Detour Dog as the operator behind campaigns distributing the Strela Stealer malware, utilizing DNS TXT records for command-and-control communications. The threat actor has been active since at least February 2020, initially focusing on redirecting traffic to scams before evolving to malware distribution. Detour Dog's infrastructure hosts the first stage of the attack using StarFish, a reverse shell that facilitates the deployment of Strela Stealer. The malware is distributed via spam emails originating from botnets like REM Proxy and Tofsee, with Detour Dog's infrastructure playing a key role. DNS-based communications allow the malware to persist undetected by executing remote code on compromised sites, which appear normal 90% of the time. Infoblox, in collaboration with the Shadowserver Foundation, has taken action to sinkhole two of Detour Dog's command-and-control domains, disrupting their operations. The shift to malware distribution suggests financial motivations, with Detour Dog functioning as a distribution-as-a-service provider, complicating threat detection efforts. |
| 2025-10-03 17:16:59 | bleepingcomputer | VULNERABILITIES | Signal Introduces SPQR to Combat Quantum Computing Threats | Signal has launched the Sparse Post-Quantum Ratchet (SPQR) to protect against future quantum computing threats, enhancing its encryption capabilities for up to 100 million users. SPQR ensures forward secrecy and post-compromise security, safeguarding future messages even if current encryption keys are compromised. The new system integrates post-quantum Key-Encapsulation Mechanisms (ML-KEM) and efficient chunking to manage large key sizes without increasing bandwidth. SPQR forms part of Signal's Triple Ratchet system, creating a "mixed key" for heightened security through a Key Derivation Function. Developed with PQShield, AIST, and NYU, SPQR's design is based on research from USENIX 2025 and Eurocrypt 2025, and has been formally verified. Signal's rollout of SPQR will be gradual, requiring users to update their clients, while ensuring backward compatibility during the transition phase. Once fully deployed, SPQR will be enforced across all Signal sessions, marking a significant advancement in protecting communications against quantum threats. |
| 2025-10-03 15:58:50 | thehackernews | MALWARE | Rhadamanthys Stealer Expands Capabilities with Device Fingerprinting and Steganography | Rhadamanthys Stealer, a prominent information-stealing malware, now includes device and browser fingerprinting, enhancing its threat to both personal and corporate data security. The malware is marketed under a malware-as-a-service (MaaS) model, with tiered pricing from $299 to $499 per month, indicating a professional business approach. Recent updates feature steganographic techniques to conceal payloads within PNG files, complicating detection and analysis efforts for cybersecurity teams. The stealer's infrastructure includes sophisticated checks to evade sandbox environments, ensuring its execution only on legitimate targets. Rhadamanthys' evolution includes a Lua runner for additional plugins, allowing for extensive data theft and advanced customization options. The threat actor behind Rhadamanthys has rebranded as "RHAD security" and "Mythical Origin Labs," signaling long-term business intentions. Security analysts are advised to monitor changes in payload delivery methods and update detection tools to address the stealer's evolving obfuscation techniques. |
| 2025-10-03 15:52:43 | bleepingcomputer | DATA BREACH | Renault and Dacia UK Customers Affected by Third-Party Data Breach | Renault and Dacia UK customers were informed of a data breach involving a third-party provider, compromising sensitive personal information. The breach did not involve banking or financial data, reducing potential direct financial impacts on customers. The affected third-party provider has isolated the incident and removed the threat from its systems, mitigating further risks. Renault has notified the UK Information Commissioner's Office, ensuring regulatory oversight and compliance with data protection laws. Customers are advised to be vigilant against phishing and social engineering attempts, as exposed data could be used in such attacks. The exact number of affected customers remains undisclosed due to contractual limitations with the third-party provider. This incident follows a significant cyberattack on Jaguar Land Rover, highlighting ongoing cybersecurity challenges in the automotive sector. |
| 2025-10-03 14:54:29 | theregister | DATA BREACH | Red Hat Confirms Data Breach in Consulting GitLab Environment | Red Hat disclosed a breach in its consulting GitLab system, confirming unauthorized access and data exfiltration by a group known as the Crimson Collective. The breach involved the theft of Customer Engagement Reports, potentially containing sensitive information like architecture diagrams and network maps. Red Hat has engaged top security experts and informed law enforcement, emphasizing that core products and services remain unaffected. The Crimson Collective claims to have compromised 28,000 repositories, with potential impacts on major sectors including banking, telecoms, and government. Belgium's national cybersecurity authority has issued a warning, advising organizations to revoke and rotate all tokens and credentials shared with Red Hat. Red Hat has not disclosed whether ransomware or extortion were involved, and the Crimson Collective's credibility remains uncertain. The incident coincides with a critical bug in OpenShift AI, presenting challenging optics for Red Hat as it manages multiple security concerns. |
| 2025-10-03 14:54:28 | bleepingcomputer | CYBERCRIME | Asahi Faces Operational Disruptions Following Ransomware Attack | Asahi Group Holdings, Japan's largest beer brewer, confirmed a ransomware attack affecting its IT systems, leading to factory shutdowns and operational disruptions in Japan. The attack forced Asahi to halt system-based order and shipment processes, compelling a switch to manual operations, impacting efficiency and potentially affecting revenue. Initial investigations revealed evidence of data theft, with the company working to determine the full scope of compromised information. No ransomware group has claimed responsibility, suggesting ongoing negotiations or potential ransom payment by Asahi. An Emergency Response Headquarters was established, collaborating with external cybersecurity experts to expedite system restoration. The incident has highlighted vulnerabilities in Asahi's cybersecurity infrastructure, emphasizing the need for enhanced protective measures. While efforts are underway to restore operations, the timeline for full recovery remains uncertain, with impacts currently confined to Japan. |
| 2025-10-03 14:17:55 | bleepingcomputer | DATA BREACH | ShinyHunters Exploits Salesforce Breaches to Extort Major Corporations | ShinyHunters has launched a data leak site targeting 39 companies, leveraging Salesforce breaches to extort victims by threatening public disclosure of sensitive data. Impacted organizations include high-profile names such as FedEx, Disney, Google, and Marriott, with threats to release stolen data if demands are not met by October 10. The group claims to possess approximately 1 billion records, urging Salesforce to pay a ransom to prevent further data exposure and legal repercussions under GDPR. Attackers used voice phishing to trick employees into linking malicious OAuth apps to Salesforce, facilitating unauthorized access and data theft. Mandiant tracks these incidents under the threat cluster "UNC6395," though formal attribution to ShinyHunters remains unconfirmed. ShinyHunters announced plans to target companies affected by Salesloft Drift attacks, impacting 760 companies and compromising 1.5 billion records. The breaches highlight vulnerabilities in OAuth integrations and the need for enhanced employee training to prevent social engineering attacks. |
| 2025-10-03 14:08:32 | bleepingcomputer | VULNERABILITIES | CometJacking Attack Exploits AI Browser for Data Exfiltration | Researchers from LayerX have identified a vulnerability in the Comet AI browser, termed "CometJacking," which allows malicious actors to exfiltrate sensitive data using crafted URLs. The attack leverages URL parameters to inject hidden instructions into the browser, enabling access to connected services such as email and calendar without user interaction. Tests demonstrated that the attack can encode sensitive data in base64 and transmit it to an external endpoint, bypassing existing security checks. CometJacking can also instruct the AI to perform unauthorized actions, including sending emails or accessing files, posing a significant threat to user data integrity. Despite the findings, Perplexity, the AI browser developer, has dismissed the vulnerability reports, citing no perceived security impact. The vulnerability highlights the need for enhanced security measures in AI-driven applications to prevent unauthorized data access and manipulation. Organizations using AI browsers should review their security protocols and consider additional safeguards to protect against similar vulnerabilities. |
| 2025-10-03 13:59:48 | theregister | MISCELLANEOUS | Apple Removes ICE Tracking App Amid Government Safety Concerns | Apple has removed the ICEBlock app from its App Store, responding to safety concerns raised by the U.S. Attorney General and law enforcement agencies. ICEBlock was designed to notify users about the presence of ICE agents, potentially increasing risks to law enforcement personnel. The app's removal follows an incident in Dallas where it was reportedly used by a suspect involved in a shooting at an ICE center. The Justice Department expressed that such apps could endanger ICE agents, prompting Apple's decision to act on safety grounds. This action aligns with Apple's commitment to maintaining a safe and trusted App Store environment, as stated by the company. The decision comes shortly after a meeting between tech leaders and President Trump, emphasizing infrastructure growth and innovation. Apple's CEO acknowledged the Administration's support for American companies, highlighting a significant investment in U.S. manufacturing. |
| 2025-10-03 13:51:56 | bleepingcomputer | MISCELLANEOUS | New Template Assists CISOs in Presenting AI Risks to Boards | Keep Aware has launched a template to aid CISOs in presenting AI-related risks and governance strategies to boards of directors and AI committees. The resource aims to bridge the gap between technical details and business priorities, fostering clearer communication with leadership. Generative AI's rapid adoption introduces challenges such as data leakage and compliance risks, which the template addresses through structured agenda items. Keep Aware's platform offers full visibility into AI usage, enforcing policies and blocking sensitive data inputs to tools like ChatGPT. By integrating AI monitoring directly into browsers, organizations can prevent data breaches and maintain compliance with governance policies. The template supports CISOs in developing a narrative around risk management and governance, enhancing trust and confidence in AI oversight. Security leaders are encouraged to utilize this tool to ensure responsible and secure AI deployment within their organizations. |