Daily Brief

Total articles found: 11763

2025-10-03 13:06:39 theregister MISCELLANEOUS Drone Sightings Cause Overnight Shutdown at Munich Airport
Munich Airport experienced a temporary shutdown due to drone sightings, impacting operations and leaving nearly 3,000 passengers stranded overnight. German air traffic control suspended flight operations, affecting 17 departures and diverting 15 incoming flights to alternative airports. The incident coincided with Oktoberfest, adding to security concerns as the festival already faced overcrowding and a bomb scare earlier in the week. Federal Police arrived with drone defense equipment, but the drones had already left the area; reports suggest up to six drones were involved. Drone incidents are increasingly causing disruptions across Europe, with a similar situation recently affecting airports and airbases in Denmark. The potential threat of drones to aircraft safety is significant, prompting immediate grounding of flights to prevent possible collisions. The Munich incident may fuel calls for stricter drone regulations and improved detection technologies to prevent future disruptions. Past incidents, such as the 2018 Gatwick Airport shutdown, highlight the challenges and potential overreactions in managing drone-related threats.
2025-10-03 12:18:04 bleepingcomputer CYBERCRIME Clop Ransomware Exploits Oracle EBS Vulnerabilities in Extortion Campaign
Oracle has identified an extortion campaign linked to the Clop ransomware group that targets vulnerabilities in its E-Business Suite, vulnerabilities Oracle patched in July 2025. Oracle's Chief Security Officer confirmed that customers have received extortion emails and urged them to apply the latest Critical Patch Update for protection. The July 2025 update addressed nine security flaws, including three that are remotely exploitable without user credentials, which poses a significant risk. Mandiant and Google's Threat Intelligence Group reported that executives received ransom demands threatening to leak data allegedly taken from Oracle systems. Clop claims responsibility and asserts it exploited an Oracle bug, continuing its history of targeting zero-day vulnerabilities across various platforms. Despite Clop's claims, there is insufficient evidence of actual data theft, but the threat remains credible given the group's previous campaigns. The U.S. State Department offers a $10 million reward for information linking Clop attacks to foreign governments, reflecting the severity of the threat.
2025-10-03 12:10:20 theregister MISCELLANEOUS UK Government Faces Backlash Over Proposed Digital ID Initiative
The UK government is considering a digital ID system, sparking opposition from 2.76 million citizens who signed a petition against it. Prime Minister Keir Starmer announced the initiative, which was not part of his party's election manifesto, raising concerns about public support. Palantir, a tech company previously linked to government projects, has declined involvement due to the lack of electoral mandate. The digital ID aims to streamline access to public and private services, reducing bureaucracy and fraud, and aiding those without physical IDs. Privacy advocates warn that the system could threaten civil liberties by centralizing personal data and enabling extensive state surveillance. The government plans to consult with various stakeholders before legislating, emphasizing privacy and security as core components of the initiative. The digital ID system will be voluntary, and police will not have the authority to demand it during stop-and-search operations.
2025-10-03 12:10:20 thehackernews MALWARE SORVEPOTEL Malware Exploits WhatsApp for Rapid Self-Propagation
Trend Micro researchers identified SORVEPOTEL, a self-spreading malware targeting Brazilian users via WhatsApp, focusing on rapid propagation rather than data theft or ransomware. The campaign leverages phishing messages with malicious ZIP attachments, requiring users to open them on desktops, indicating a potential focus on enterprise targets. Upon execution, the malware uses WhatsApp Web to distribute itself to all contacts, leading to account suspensions due to excessive spam activity. The attack primarily affects sectors such as government, public service, and manufacturing, with 457 of 477 cases reported in Brazil. The malware employs a PowerShell script to retrieve its main payload, establishing persistence and connecting to a command-and-control server for further instructions. Initial phishing messages originate from compromised WhatsApp contacts, enhancing credibility, while distribution also occurs via seemingly legitimate emails. The SORVEPOTEL incident underscores the growing use of popular communication platforms for large-scale malware dissemination with minimal user interaction.
2025-10-03 11:47:43 theregister DATA BREACH Oracle Urges EBS Users to Patch Amid Clop Extortion Threats
Oracle has advised E-Business Suite (EBS) users to apply July patches following extortion emails from attackers linked to the Clop ransomware group. Cybercriminals claim to have accessed sensitive data, threatening to leak payroll and financial records unless ransoms are paid. Oracle's blog post reaffirms that previously identified vulnerabilities were addressed in the July 2025 Critical Patch Update. Security firms Mandiant and Google's Threat Intelligence Group report no direct compromise of Oracle's systems, despite ongoing extortion attempts. Halcyon suggests attackers exploit internet-facing Oracle EBS portals, bypassing enterprise SSO controls and exploiting default configurations. Attackers demand up to $50 million, using screenshots and file trees as evidence of their claims. Oracle has not disclosed the number of potentially affected customers, maintaining its standard guidance on the importance of timely patching.
2025-10-03 11:31:40 thehackernews MISCELLANEOUS Passwork 7 Enhances Enterprise Credential Management with New Features
Passwork 7 introduces a revamped interface focused on simplifying credential management, addressing the complexity of storing and sharing passwords and secrets within modern organizations. The platform's hierarchical structure allows businesses to align credential management with internal processes, supporting both departmental separation and cross-functional collaboration. New role-based access control features enable administrators to define granular permissions, ensuring only authorized users access sensitive information and simplifying compliance. Integration capabilities, including SSO and LDAP, streamline user onboarding and management, enhancing operational efficiency and reducing administrative overhead. Comprehensive logging and real-time alerts provide visibility into system changes, supporting rapid incident response and regulatory compliance. The platform supports secrets management alongside password management, offering tools for DevOps integration and reducing tool sprawl within IT environments. Passwork 7's zero-knowledge architecture and AES-256 encryption ensure data security, with options for client-side encryption to meet stricter security requirements. ISO 27001 certification affirms Passwork's commitment to international information security standards, making it a viable solution for regulated industries.
2025-10-03 11:19:05 bleepingcomputer VULNERABILITIES Google Expands End-to-End Encryption for Gmail Business Users
Google has introduced end-to-end encryption for Gmail enterprise users, allowing secure email communication across different email platforms without complex key exchanges. The feature, initially beta-tested in April 2025, is now rolling out to all Enterprise Plus subscribers with the Assured Controls add-on, expected to be fully available in two weeks. Gmail's encryption utilizes client-side encryption (CSE), enabling organizations to manage encryption keys outside Google's servers, enhancing data privacy and regulatory compliance. Non-Gmail recipients can access encrypted emails via a guest Google Workspace account, ensuring secure communication without additional software requirements. This development aims to simplify IT processes while maintaining robust data sovereignty, privacy, and security controls, addressing regulatory needs like HIPAA and data export controls. The CSE feature was previously introduced in other Google Workspace services, such as Google Drive and Google Docs, and reached general availability for enterprise customers in early 2023. By encrypting data on the client-side before transmission, Google ensures that sensitive information remains unreadable to its servers and third parties, bolstering security measures for business communications.
2025-10-03 10:31:49 thehackernews NATION STATE ACTIVITY Cavalry Werewolf Targets Russian Agencies with Advanced Malware Tools
The Cavalry Werewolf group, linked to YoroTrooper, has launched attacks on Russian state agencies using FoalShell and StallionRAT malware. The campaign primarily targeted sectors including energy, mining, and manufacturing, using phishing emails mimicking Kyrgyz government officials. FoalShell and StallionRAT, written in multiple programming languages, allow attackers to execute commands and exfiltrate data via a Telegram bot. BI.ZONE reports Cavalry Werewolf's ties to Kazakhstan, suggesting a nation-state affiliation, with significant overlaps with other threat clusters like Tomiris. The attacks involved compromised legitimate email addresses to distribute malicious RAR archives, enhancing their credibility and effectiveness. The group is expanding its toolkit, indicating a broader targeting scope and increasing sophistication in its attack methods. Analysis of underground forums revealed compromises in over 500 Russian companies, affecting commerce, finance, education, and entertainment sectors. Attackers often used legitimate tools for data extraction, highlighting the need for robust security measures and rapid threat intelligence updates.
2025-10-03 09:01:58 theregister DATA BREACH Renault UK Supplier Breach Exposes Customer Personal Information
Renault UK has alerted customers to a data breach involving a third-party supplier, compromising personal details such as names, contact information, and vehicle registration numbers. The breach did not involve financial data, as the affected supplier did not store banking information, according to Renault UK. Renault UK confirmed that its internal systems remain secure, with the breach isolated to the supplier's systems. Impacted customers, including those from Renault's sister brand Dacia, have been advised to be cautious of phishing attempts and unsolicited requests for personal data. The incident has been reported to regulatory authorities, and the supplier has taken steps to address and contain the breach. The automotive industry continues to face cybersecurity challenges, with recent attacks on other manufacturers like Jaguar Land Rover and Stellantis highlighting sector vulnerabilities. Renault has expressed regret over the incident, emphasizing its commitment to data privacy and directing concerned customers to its Data Protection Officer for further inquiries.
2025-10-03 08:26:09 thehackernews VULNERABILITIES CISA Identifies Active Exploitation of Meteobridge Command Injection Flaw
CISA has added CVE-2025-4008, a Meteobridge vulnerability, to its Known Exploited Vulnerabilities catalog, indicating active exploitation of this high-severity flaw. The vulnerability, with a CVSS score of 8.7, is a command injection in the Meteobridge web interface that can lead to remote code execution with root privileges. Discovered by ONEKEY, the flaw affects the web application that manages weather station data and stems from insecure eval calls in the CGI script "template.cgi". Attackers can exploit the vulnerability without authentication by sending specially crafted GET requests, making it possible to execute arbitrary code remotely. Meteobridge addressed the issue in version 6.2, released in May 2025; active exploitation makes immediate patching necessary. Federal Civilian Executive Branch agencies must apply updates by October 23, 2025, to mitigate the risks associated with this vulnerability. The inclusion of this flaw in the KEV catalog underscores the critical need for timely patch management to protect against emerging threats.
2025-10-02 18:15:43 bleepingcomputer VULNERABILITIES Microsoft Outlook Discontinues Inline SVG Images to Enhance Security
Microsoft has stopped displaying inline SVG images in Outlook for Web and Windows, a move to counter security threats such as cross-site scripting (XSS) attacks. This update commenced globally in early September 2025, with completion anticipated by mid-October 2025, affecting less than 0.1% of all images sent via Outlook. SVG images will now appear as blank spaces, while SVGs sent as classic attachments remain viewable, mitigating risks without significant user impact. SVG files have been used by threat actors to deploy malware and phishing forms, with a reported 1800% increase in phishing attacks using SVGs from early 2025 to April 2024. The change is part of Microsoft's broader strategy to eliminate or disable features in Office and Windows that have been exploited in attacks. Recent security measures include blocking .library-ms and .search-ms file types in Outlook, which have been used in attacks targeting government entities. Microsoft has expanded its Antimalware Scan Interface and blocked VBA Office macros by default, enhancing protection across Microsoft 365 applications.
2025-10-02 17:46:42 bleepingcomputer VULNERABILITIES DrayTek Vigor Routers Vulnerable to Remote Code Execution Flaw
DrayTek has issued a security advisory for a critical vulnerability in its Vigor routers, identified as CVE-2025-10547, that allows unauthenticated remote code execution. The flaw was discovered by ChapsVision researcher Pierre-Yves Maes and is triggered by sending crafted HTTP/HTTPS requests to the device's Web User Interface. Exploitation can cause memory corruption and system crashes, potentially enabling attackers to execute arbitrary code remotely. To mitigate the risk, DrayTek recommends disabling remote WebUI/SSL VPN access or using ACLs/VLANs to restrict access, although attackers on the LAN can still reach the WebUI. The root cause is an uninitialized stack value, which can be abused to perform arbitrary memory operations through the free() function. Affected models are prevalent in prosumer and SMB environments, so firmware updates should be applied urgently. DrayTek has not reported any active exploitation of this flaw but advises applying the recommended firmware updates immediately. The researcher is expected to publish full technical details of the vulnerability, which adds to the urgency of patching.
2025-10-02 17:08:18 theregister CYBERCRIME Social Engineering Attack Causes Kodex Platform Outage
Kodex Global experienced a service outage after attackers used social engineering to manipulate AWS into freezing its domain on October 1, affecting website, portal, API, and email services. The attack targeted Kodex's domain registrar through a fraudulent legal order, leading to a temporary freeze but no transfer of domain ownership occurred. No customer credentials or data were compromised during the incident, and Kodex's internal systems remained secure throughout the attack. AWS quickly addressed the issue upon notification and is implementing measures to prevent future occurrences of similar attacks. Kodex's platform, utilized by over 15,000 government agencies and major tech companies, faced potential risks of email interception and unauthorized account access. The attack coincided with a recent warning from Kodex about similar compromises affecting law enforcement and government domains globally. This incident underscores the growing threat of social engineering in cybercrime, emphasizing the need for robust verification processes.
2025-10-02 17:01:54 bleepingcomputer DATA BREACH Red Hat GitLab Breach Exposes Sensitive Customer Engagement Reports
Red Hat confirmed a breach of its GitLab repositories by the Crimson Collective, impacting 28,000 internal projects and approximately 570GB of data. The breach includes around 800 Customer Engagement Reports (CERs), containing sensitive client infrastructure details and authentication tokens. Potentially affected clients span various sectors, including major corporations and government entities like Bank of America, T-Mobile, and the U.S. Navy. Red Hat has initiated remediation efforts, asserting confidence in the security of other services and the integrity of its software supply chain. The Crimson Collective attempted extortion, claiming to have accessed downstream customer infrastructure using information from the CERs. The hacking group publicized directory listings of the stolen data on Telegram, raising concerns about further unauthorized access and exploitation. Red Hat's response to the extortion attempt was limited, directing the group to submit a vulnerability report, which was escalated internally. This incident underscores the critical need for robust security measures and response protocols to protect sensitive customer data and maintain trust.
2025-10-02 16:53:22 bleepingcomputer DATA BREACH Red Hat Confirms GitLab Breach, Sensitive Customer Data at Risk
Red Hat experienced a security incident involving its GitLab repositories, with hackers claiming to have stolen 570GB of data from 28,000 projects. The breach reportedly includes approximately 800 Customer Engagement Reports (CERs) containing sensitive customer network and platform information. CERs may include infrastructure details, configuration data, and authentication tokens, posing a risk to customer network security if exploited. Red Hat has initiated remediation steps and asserts that the breach does not impact other services or the integrity of its software supply chain. The Crimson Collective, the group behind the breach, attempted extortion, claiming to have used stolen data to access downstream customer infrastructure. Affected sectors include major organizations like Bank of America, T-Mobile, and the U.S. Navy, highlighting potential widespread impact. The hacking group released a directory listing of stolen data on Telegram, raising concerns over the exposure of sensitive information. Red Hat has not confirmed the extent of the data breach but remains focused on ensuring system security and data integrity.