Daily Brief
Total articles found: 12632
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-11-30 09:29:07 | thehackernews | VULNERABILITIES | CISA Flags Active Exploitation of XSS Flaw in OpenPLC ScadaBR | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-26829 to its Known Exploited Vulnerabilities catalog, indicating active exploitation of this cross-site scripting flaw. Affecting OpenPLC ScadaBR on Windows and Linux, the vulnerability allows attackers to manipulate system settings and deface interfaces, posing risks to industrial control systems. A pro-Russian hacktivist group, TwoNet, exploited the flaw in a honeypot simulating a water treatment facility, demonstrating the potential for rapid operational disruption. Federal Civilian Executive Branch agencies must implement necessary patches by December 19, 2025, to mitigate risks associated with this vulnerability. TwoNet, initially known for DDoS attacks, has expanded its activities to include industrial system targeting, doxxing, and ransomware services, raising the threat profile. VulnCheck reported a long-running OAST endpoint on Google Cloud, indicating a sustained exploit operation with significant activity focused on Brazil. The use of legitimate internet services like Google Cloud by attackers complicates detection efforts, as they blend malicious activity with normal network traffic. This incident underscores the importance of timely patch management and monitoring of industrial control systems to prevent exploitation of known vulnerabilities. | Details |
| 2025-11-29 15:20:33 | bleepingcomputer | DATA BREACH | Asahi Group Data Breach Impacts 1.9 Million Individuals Globally | Asahi Group Holdings, Japan's leading beer producer, confirmed a data breach affecting up to 1.9 million individuals, compromising personal information like names, addresses, and emails. The breach, initially disclosed in September, forced Asahi to halt production and shipping operations due to a ransomware attack by the Qilin group. Qilin ransomware operators claimed responsibility, alleging possession of 27GB of Asahi's data, with proof shared on their data leak site. Affected data varies by category, with customer data including contact details and employee data also containing birth dates; no payment card information was compromised. Asahi has established a dedicated contact line for affected individuals and is actively restoring systems while resuming shipments in stages. CEO Atsushi Katsuki announced ongoing efforts to enhance security measures, including network control improvements, threat detection upgrades, and revised business continuity plans. The breach underscores the critical need for robust cybersecurity frameworks in protecting sensitive data and ensuring operational resilience. | Details |
| 2025-11-28 18:30:22 | bleepingcomputer | CYBERCRIME | Australian Man Sentenced for In-Flight Evil Twin WiFi Attacks | A 44-year-old Australian was sentenced to over seven years for operating an "evil twin" WiFi network to steal data from travelers during flights and at airports. The individual used a WiFi Pineapple device to mimic legitimate airport networks, directing users to phishing pages to capture social media credentials. Thousands of intimate images and personal credentials were found on seized devices, highlighting the extensive nature of the data theft. After authorities confiscated his equipment, the man attempted to delete evidence and accessed confidential information from his employer's laptop. The Australian Federal Police warned the public about the dangers of free WiFi, recommending VPNs and caution with captive portals. This case underscores the potential risks of public WiFi networks and the importance of cybersecurity awareness among travelers. Despite their rarity, "evil twin" attacks pose significant privacy threats, necessitating vigilance in public spaces. | Details |
| 2025-11-28 17:46:38 | bleepingcomputer | DATA BREACH | Over 17,000 Secrets Exposed in Public GitLab Repositories | A security engineer discovered over 17,000 exposed secrets across 5.6 million public GitLab repositories, affecting more than 2,800 unique domains. The engineer employed TruffleHog, an open-source tool, to identify sensitive credentials like API keys, passwords, and tokens within the repositories. The scan revealed a significant presence of Google Cloud Platform credentials, followed by MongoDB keys, Telegram bot tokens, and OpenAI keys. The process utilized GitLab's public API and AWS services, completing the scan in just over 24 hours at a cost of $770. The researcher responsibly disclosed the findings to affected parties using automated notifications, resulting in multiple bug bounties totaling $9,000. Despite many organizations revoking their exposed secrets, some remain vulnerable, underscoring ongoing risks in secrets management. Historical data from the scan indicates that most leaked secrets are from post-2018, though some date back to 2009 and are still valid. This incident highlights the critical need for robust secrets management practices and proactive security measures in software development environments. | Details |
| 2025-11-28 16:29:12 | theregister | MALWARE | Shai-Hulud 2.0 Worm Exploits CI/CD Flaw in PostHog SDK | PostHog experienced its largest security incident with the Shai-Hulud 2.0 worm, impacting its JavaScript SDKs and developer credentials. The worm exploited an automation flaw in the CI/CD workflow, allowing malicious pull requests to execute with elevated privileges. Affected packages, including those from Zapier and Postman, led to the compromise of over 25,000 developers' secrets in three days. The malware leveraged a pre-install script to exfiltrate credentials to public GitHub repositories, facilitating further malicious package releases. PostHog responded by revoking compromised tokens, removing malicious packages, and implementing a "trusted publisher" model for npm releases. The incident highlights the critical need for secure CI/CD configurations and cautious privilege management in automated workflows. Organizations are urged to review their CI/CD practices to prevent similar vulnerabilities from being exploited by malware campaigns. | Details |
| 2025-11-28 16:29:11 | thehackernews | VULNERABILITIES | Legacy Python Scripts Pose Domain-Takeover Risk in PyPI Packages | ReversingLabs identified vulnerabilities in legacy Python packages, risking supply chain attacks via domain takeover on the Python Package Index (PyPI). The vulnerability stems from outdated bootstrap scripts in packages like tornado, pypiserver, and slapos.core, accessing a domain now available for sale. The scripts automate library downloads and installations, fetching from python-distribute[.]org, a domain that could be weaponized by attackers. Despite some packages removing the risky scripts, slapos.core and Tornado still include the vulnerable code, posing ongoing risks. The scripts, written in Python 2, are not automatically executed, but their presence creates an exploitable attack surface. Historical context shows similar domain takeover incidents, such as the npm package fsevents, emphasizing the need for vigilant package management. HelixGuard's recent discovery of a malicious PyPI package further underscores the critical nature of securing software supply chains. | Details |
| 2025-11-28 16:22:11 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Exploit npm Registry with OtterCookie Malware | North Korean threat actors have deployed 197 malicious npm packages, spreading an updated OtterCookie malware variant, downloaded over 31,000 times, targeting JavaScript and crypto-centric workflows. The malware, combining features of BeaverTail and previous OtterCookie versions, evades detection, profiles systems, and establishes a command-and-control channel for remote access and data theft. Attackers use fake job interviews to deceive victims into running Node.js applications, leading to malware infections, as documented by Cisco Talos in a case involving a Sri Lanka-based organization. The campaign leverages a hard-coded Vercel URL to fetch the OtterCookie payload from a GitHub repository, with the GitHub account now inaccessible. Fake assessment-themed websites deliver GolangGhost malware under the guise of fixing technical issues, employing ClickFix-style instructions for distribution. GolangGhost achieves persistence on macOS via LaunchAgent scripts, capturing sensitive information through decoy applications mimicking Chrome prompts. This campaign diverges from other DPRK schemes by targeting individuals through fraudulent recruiting processes, highlighting a sophisticated approach to cyber espionage. | Details |
| 2025-11-28 16:12:27 | bleepingcomputer | DATA BREACH | French Football Federation Reports Data Breach Affecting Club Members | The French Football Federation (FFF) experienced a data breach via a compromised account accessing administrative management software used by football clubs. Attackers stole personal information, including names, birth details, and contact information of French football club members. In response, the FFF disabled the compromised account, reset all user passwords, and secured the affected systems. The FFF has filed a criminal complaint and notified France's National Cybersecurity Agency (ANSSI) and the National Commission on Informatics and Liberty (CNIL). Members are advised to be cautious of communications requesting sensitive information, as attackers may attempt phishing scams. The FFF is enhancing its security measures to address the growing threat landscape and protect entrusted data. This incident follows another recent breach affecting the French social security service, highlighting a trend of increasing cyberattacks in France. | Details |
| 2025-11-28 15:55:58 | theregister | DATA BREACH | Brsk Data Breach Exposes 230,000 Customer Records to Cybercriminals | British telecommunications company Brsk confirmed a data breach affecting over 230,000 customer records, with data being auctioned on a cybercrime forum. The compromised data includes full names, email and home addresses, phone numbers, and indicators of vulnerability status, although no financial or login credentials were accessed. Brsk is providing affected customers with 12 months of free personal, financial, and web-monitoring services through Experian as a precautionary measure. The breach has been reported to the Information Commissioner's Office, police, and relevant regulatory bodies, with specialist security partners engaged for investigation. The incident did not impact Brsk's core network or broadband services, ensuring continuity of operations for its 140,000 registered customers. This breach places Brsk alongside other UK telcos like Colt and ICUK, which have faced cybersecurity challenges this year, highlighting the sector's ongoing vulnerabilities. The company's swift response and transparency aim to mitigate customer concerns and reinforce trust in their security measures. | Details |
| 2025-11-28 15:46:58 | theregister | DATA BREACH | GrapheneOS Abandons OVHcloud Amid Concerns Over French Privacy Laws | GrapheneOS, a mobile operating system, has ceased using OVHcloud servers due to concerns about France's digital privacy stance and potential state access to data. The decision reflects apprehension over France's support for EU legislation potentially mandating backdoors in encryption for state surveillance purposes. OVHcloud's reputation is further challenged by ongoing legal battles in Canada regarding data sovereignty, raising industry-wide concerns. The move by GrapheneOS underscores a broader industry trend of privacy-focused companies reassessing their data hosting strategies in light of national privacy laws. France's position on privacy and data sovereignty is prompting companies to reconsider their operations within the country, impacting business and operational decisions. The situation highlights the complex balance between legal compliance, data sovereignty, and customer trust in the cloud services sector. As privacy debates continue, cloud providers face increasing pressure to ensure data protection aligns with client expectations and legal frameworks. | Details |
| 2025-11-28 13:33:31 | theregister | MISCELLANEOUS | TryHackMe Faces Backlash Over Lack of Gender Diversity in Event | TryHackMe is addressing criticism for an all-male lineup in its Advent of Cyber event, a 24-day beginner-level cyber training program. The company is collaborating with Eva Benn from Microsoft to recruit female cybersecurity professionals to join the event's helper list. The initial absence of women was attributed to scheduling conflicts and non-responses from female creators, not a lack of effort. Ethical hacker Katie Paxton-Fear confirmed she was approached but unable to participate due to prior commitments. The situation has sparked broader discussions about gender diversity and representation in the cybersecurity industry. Influencers like Caitlin Sarian and Lesley Carhart have criticized the event, pointing to deeper issues of sexism and influencer culture. TryHackMe is actively expanding its roster to include more women, acknowledging the need for better communication and representation. | Details |
| 2025-11-28 12:07:16 | theregister | DATA BREACH | OBR Enlists Former NCSC Chief After Premature Budget Leak | The Office for Budget Responsibility (OBR) inadvertently uploaded its Economic and Fiscal Outlook online before the official announcement, leading to an unintended early disclosure of budget details. Reporters accessed the document by guessing its URL, which closely resembled previous official document links, exposing significant procedural oversight. OBR Chair Richard Hughes expressed regret over the incident, labeling it a "serious error" and committing to prevent future occurrences. Former NCSC chief Ciaran Martin has been appointed to lead an investigation, supported by Treasury IT and security experts, to identify the breach's root cause. The investigation aims to establish how the early access occurred, evaluate the publication process, and propose corrective actions to safeguard future releases. The findings of the investigation are set for publication by December 1, with recommendations expected to enhance OBR's document management protocols. This incident underscores the importance of robust digital security practices, even in seemingly low-risk environments, to prevent unauthorized access and information leaks. | Details |
| 2025-11-28 11:21:28 | theregister | MISCELLANEOUS | UK Government Reveals £1.8 Billion Digital ID Scheme Cost | The UK government has announced a £1.8 billion cost for its digital ID initiative, aimed at providing digital identities to all legal residents by August 2029. The Office for Budget Responsibility (OBR) reports an annual cost of £600 million for the scheme, with no identified savings to offset expenses. Funding for the digital ID project will be sourced from existing departmental expenditure limits, divided between capital and resource spending. The digital IDs are initially intended to verify eligibility to work, with potential expansion to streamline access to key services for citizens. Concerns arise regarding the lack of specific funding, as the scheme's costs may impact other departmental priorities and obligations. The initiative is a priority for the UK government, with the Government Digital Service tasked with system development under Cabinet Office oversight. The project reflects ongoing debates over budget allocations and departmental negotiations, as highlighted by discussions in the House of Commons. | Details |
| 2025-11-28 11:14:08 | thehackernews | MISCELLANEOUS | Rise of Remote Privileged Access Management in Modern IT Environments | Organizations are increasingly adopting Remote Privileged Access Management (RPAM) to secure critical systems in distributed and hybrid work environments, addressing the limitations of traditional Privileged Access Management (PAM) solutions. RPAM provides secure access for IT administrators, contractors, and third-party vendors from any location, supporting zero-trust principles and eliminating reliance on VPNs. Unlike traditional PAM, RPAM extends granular access controls beyond corporate perimeters, ensuring least-privilege access and detailed session monitoring without exposing credentials. The shift to remote work has amplified the need for robust access controls, with RPAM offering Just-in-Time access to mitigate risks associated with standing privileges. Cybercriminals frequently exploit weak remote access points; RPAM counters this by enforcing Multi-Factor Authentication and eliminating shared credentials, reducing potential attack surfaces. Compliance with regulatory frameworks like ISO 27001 and HIPAA is enhanced through RPAM's automated session logging and detailed audit trails, streamlining audits and ensuring transparency. As IT environments evolve, RPAM solutions are positioned as the future of privileged access management, offering AI-driven threat detection and zero-trust architectures to preemptively address potential breaches. | Details |
| 2025-11-28 08:38:22 | thehackernews | VULNERABILITIES | Microsoft Teams Guest Access Exposes Critical Security Gaps in Defender | Cybersecurity researchers identified a vulnerability in Microsoft Teams where guest access can bypass Microsoft Defender protections, posing a significant security risk for organizations. When users join external tenants as guests, they are subject to the host tenant's security policies, potentially leaving them unprotected. The new Teams feature allows users to chat with anyone via email, increasing collaboration but also expanding potential security threats. Attackers can exploit this by creating tenants without Defender protections, allowing them to send phishing links or malware to unsuspecting guests. Security controls such as SPF, DKIM, and DMARC checks are bypassed since emails originate from Microsoft's infrastructure, reducing detection chances. Organizations are advised to restrict B2B collaboration to trusted domains and educate users on identifying unsolicited Teams invitations. Microsoft has been approached for comments regarding this vulnerability, with updates pending. | Details |