Daily Brief

2025-11-28 00:44:56 theregister CYBERCRIME Naver's Upbit Acquisition Marred by $30 Million Cryptocurrency Heist
South Korean web giant Naver acquired cryptocurrency exchange Upbit just before it suffered a $30 million cyber theft, raising immediate concerns over the investment's security. Upbit temporarily suspended Solana cryptocurrency withdrawals and deposits, initially citing maintenance, before revealing an abnormal withdrawal incident. The heist involved ₩44.5 billion ($30 million) being illicitly withdrawn, prompting Upbit to enhance security measures and assure customers of loss coverage from its assets. Upbit has been previously targeted by cyber attackers allegedly linked to North Korea, known for targeting cryptocurrency exchanges to fund governmental and military activities. The incident adds to South Korea's history of significant cryptocurrency breaches, spotlighting the ongoing vulnerability of digital asset platforms in the region. Naver's acquisition, valued at $10.27 billion, now faces scrutiny as the company navigates the immediate financial and reputational impacts of the breach. The situation underscores the critical need for robust cybersecurity protocols in cryptocurrency exchanges to prevent similar incidents in the future.
2025-11-27 18:18:06 thehackernews CYBERCRIME Bloody Wolf Expands Cyber Attacks with NetSupport RAT in Central Asia
Bloody Wolf, an unidentified cyber group, has expanded its malicious campaign from Kyrgyzstan to Uzbekistan, targeting finance, government, and IT sectors with NetSupport RAT since June 2025. The attackers impersonate Kyrgyzstan's Ministry of Justice using deceptive PDF documents and domain names to distribute malicious Java Archive (JAR) files. The operation employs social engineering tactics, tricking recipients into downloading JAR files that deploy the NetSupport RAT, maintaining a low operational profile. The campaign's Uzbekistan phase introduces geofencing, redirecting non-local requests while delivering malicious payloads to local users through embedded links. The JAR loaders are created using Java 8, and the NetSupport RAT payload is an older version from 2013, showcasing the use of low-cost, accessible tools in cyber operations. This campaign highlights the persistent threat of cybercriminals exploiting trust in government institutions to conduct regionally targeted attacks in Central Asia. Group-IB's collaboration with Kyrgyz authorities underscores the need for regional cooperation in addressing these sophisticated cyber threats.
2025-11-27 17:19:43 bleepingcomputer MALWARE Malicious Language Models Lower Barriers for Cybercriminal Activities
Palo Alto Networks Unit42 examined WormGPT 4 and KawaiiGPT, large language models (LLMs) designed to facilitate cybercrime, offering tools for ransomware and phishing attacks. WormGPT 4, available for a subscription fee, can generate ransomware scripts using AES-256 encryption, enabling low-skilled attackers to execute complex cyber operations. KawaiiGPT, a community-driven alternative, can automate lateral movement and privilege escalation, though it lacks WormGPT 4's encryption capabilities. Both LLMs are gaining traction in cybercriminal circles, with hundreds of users exchanging tips on dedicated Telegram channels. The models produce sophisticated phishing lures, eliminating common grammatical errors, making them more convincing to potential victims. These tools allow inexperienced hackers to conduct advanced attacks at scale, reducing the time needed for attack preparation and execution. As LLMs become more integrated into cyber operations, security teams are urged to adopt best practices to mitigate emerging threats.
2025-11-27 16:37:37 theregister CYBERCRIME Scattered Lapsus$ Hunters Exploit Zendesk in New Phishing Campaign
ReliaQuest has identified over 40 phishing domains mimicking Zendesk, part of a campaign by Scattered Lapsus$ Hunters targeting Zendesk users for extortion. The campaign involves typosquatted domains and fake single sign-on pages to harvest credentials and submit fraudulent helpdesk tickets. Attackers are using these tactics to drop remote-access trojans on helpdesk agents' machines, potentially accessing sensitive corporate data. Similarities with a previous campaign against Salesforce suggest the same criminal group is responsible, leveraging identity and trust in SaaS platforms. The group, a coalition of cybercrime specialists, has claimed responsibility for other high-profile breaches, including Salesforce and Gainsight. Zendesk's widespread use in over 100,000 companies makes its compromise particularly concerning, posing a significant risk to enterprise IT infrastructure. The attackers have publicly warned of ongoing campaigns, indicating a strategic focus on support platforms for future operations.
2025-11-27 15:51:40 theregister DATA BREACH OpenAI Discontinues Mixpanel After Data Breach Affects API Users
OpenAI's former data analytics provider, Mixpanel, experienced a data breach affecting API users, with no impact on regular ChatGPT users unless they also use the API. The breach involved profile data such as names, email addresses, locations, operating systems, and browser details linked to OpenAI platform accounts. Mixpanel detected the breach on November 9, sharing the affected dataset with OpenAI by November 25, prompting OpenAI to sever ties with the provider. OpenAI is conducting a comprehensive security review of its vendor ecosystem, raising security standards and notifying impacted organizations, administrators, and users directly. The breach has led OpenAI to stress vigilance against phishing attempts, advising users to be cautious of suspicious emails but not requiring password resets. OpenAI remains committed to transparency and has publicly shared its notification details, emphasizing the importance of trust, security, and privacy in its operations. The incident underscores the need for robust vendor management and security practices to safeguard sensitive data and maintain customer trust.
2025-11-27 15:43:48 thehackernews VULNERABILITIES Microsoft Enhances Entra ID Security Against Script Injection Threats
Microsoft plans to block unauthorized script injections in Entra ID logins, aiming for a global rollout by October 2026, enhancing security against cross-site scripting (XSS) attacks. The update to Content Security Policy (CSP) will allow only scripts from trusted Microsoft domains, safeguarding the login.microsoftonline.com experience from malicious code. This proactive measure is part of Microsoft's Secure Future Initiative, which focuses on strengthening security in response to increasing cyber threats. Organizations are advised to test their sign-in flows early to ensure seamless transitions and avoid disruptions when the new policy is enforced. Microsoft cautions against using browser extensions that inject scripts into Entra sign-ins, recommending alternative tools that comply with the new security standards. The Secure Future Initiative, launched in 2023, has already introduced over 50 new detections and achieved 99.6% adoption of phishing-resistant multi-factor authentication. The initiative aligns with Zero Trust principles, advocating for automated vulnerability management and real-time security incident visibility across hybrid and cloud environments.
2025-11-27 15:13:28 bleepingcomputer MALWARE GreyNoise Launches Free Tool to Detect Botnet Involvement
GreyNoise Labs introduced GreyNoise IP Check, a free tool to identify if an IP address is involved in malicious scanning or botnet activities. The tool addresses the growing issue of residential proxy networks turning home connections into exit points for unauthorized traffic. Users can receive a 90-day historical timeline of IP activity, aiding in pinpointing potential infection sources. The tool offers a non-intrusive method to check for malicious activity, supplementing traditional methods like examining device logs and network traffic. GreyNoise also provides a JSON API for more technical users, allowing integration into scripts for automated checks. Users with suspicious results are advised to perform malware scans, update firmware, change admin credentials, and disable unnecessary remote access on devices. This initiative aims to empower users to proactively secure their networks against covert malware installations.
2025-11-27 14:02:15 theregister CYBERCRIME FCC Warns of Cyber Intrusions Hijacking Emergency Broadcast Systems
The Federal Communications Commission (FCC) has issued a warning following cyber intrusions that hijacked US radio broadcast systems to transmit fake emergency alerts and offensive content. Attackers exploited unsecured studio-to-transmitter links (STLs), notably targeting devices from Swiss manufacturer Barix, to stream unauthorized audio over legitimate programming. Incidents have been reported in Texas and Virginia, affecting stations like ESPN Houston, which confirmed its broadcast was overtaken with explicit content. The FCC has provided broadcasters with a checklist of best practices, including updating firmware, using strong passwords, and securing equipment behind firewalls or VPNs. Broadcasters are advised to report suspicious activities to the FCC and the FBI's Internet Crime Complaint Center (IC3) to mitigate future risks. The recent incidents echo past compromises of the Emergency Alert System, such as the 2013 "zombie apocalypse" hoax, highlighting ongoing vulnerabilities in broadcast security. The FCC emphasizes the necessity for broadcasters to implement overdue security measures to prevent similar hijacks and protect public trust.
2025-11-27 13:22:33 theregister CYBERCRIME Asahi Ransomware Attack Exposes Data of Nearly 2 Million Individuals
Asahi has confirmed a ransomware attack in September affected nearly 2 million individuals, compromising personal data such as names, addresses, and contact information. The Qilin ransomware group claimed responsibility, reportedly stealing 27 GB of sensitive internal files, including employee records and financial documents. The attack disrupted Asahi's operations, halting order processing, shipments, and customer service, and delaying the company's annual earnings report by over 50 days. Entry was gained through compromised network equipment at a Japanese datacenter, with ransomware deployed on live servers and connected PCs, causing widespread operational suspension. Asahi is notifying affected individuals and restoring systems cautiously, with product shipments resuming in phases as systems are validated for security. The breach has significant implications for Asahi's business continuity, with logistics potentially not fully restored until February, affecting investor and distributor confidence. This incident underscores the critical need for robust cybersecurity measures to protect sensitive data and maintain operational resilience in the face of cyber threats.
2025-11-27 12:16:57 theregister CYBERCRIME Scottish Council Struggles with Long-Term Ransomware Recovery Challenges
Comhairle nan Eilean Siar in Scotland has been rebuilding systems for two years following a ransomware attack in November 2023, with key financial systems still not fully restored. The attack significantly impacted the council's finance department, delaying the publication of 2024 annual accounts and increasing operational workloads across departments. An audit by Scotland's Accounts Commission praised the council's immediate response but noted ongoing cybersecurity gaps, including unimplemented improvements and insufficient staff training. The council's IT infrastructure, primarily locally hosted, was vulnerable, with inadequate backups exacerbating the attack's impact, highlighting the need for robust cybersecurity measures. Direct costs of the attack are estimated at £950,000 ($1.25 million), with the council seeking insurance and government support to cover expenses related to consultancy and cloud services. Staffing shortages and increased workloads have strained council operations and morale, with five of 17 IT positions vacant at the time of the attack. The Accounts Commission urges the council to set realistic timelines for implementing cybersecurity recommendations and to test business continuity plans against severe attack scenarios.
2025-11-27 11:30:30 bleepingcomputer DATA BREACH OpenAI Reports Limited Data Exposure from Mixpanel Vendor Breach
OpenAI disclosed a data breach affecting some ChatGPT API customers due to a security incident at Mixpanel, its third-party analytics provider. The breach involved limited analytics data, impacting only API users, with no compromise of chat logs, credentials, or sensitive user information. Mixpanel's breach resulted from a smishing attack detected on November 8, affecting a small subset of its customers, including OpenAI. OpenAI has removed Mixpanel from its production services and is notifying affected users, advising vigilance against potential phishing attempts. The company recommends enabling two-factor authentication and cautions against sharing sensitive information via unsecured channels. Mixpanel has contacted affected customers, secured accounts, and implemented new security measures to mitigate future risks. OpenAI's proactive response includes an internal investigation to assess the incident's full impact and ongoing communication with stakeholders.
2025-11-27 10:06:23 thehackernews DDOS ShadowV2 Botnet Exploits IoT Vulnerabilities During AWS Outage
The ShadowV2 botnet, based on Mirai, targeted IoT devices globally during an AWS outage in October 2025, exploiting multiple vulnerabilities to expand its network. Fortinet suggests this campaign was likely a test for future attacks, highlighting the ongoing threat posed by IoT device vulnerabilities. The botnet exploited several CVEs, including those affecting D-Link, DigiEver, and TP-Link devices, to recruit compromised devices into a DDoS-capable network. Following successful exploitation, a downloader shell script installs ShadowV2 malware, preparing devices for potential DDoS attacks. The incident underscores the critical need for improved IoT security measures to prevent such devices from being used in large-scale cyber attacks. Another botnet, RondoDox, also based on Mirai, has been observed using similar tactics, indicating a broader trend of targeting IoT environments. Organizations are advised to patch known vulnerabilities and enhance monitoring of IoT devices to mitigate risks associated with these evolving threats.
2025-11-27 07:07:05 thehackernews DATA BREACH Gainsight Data Breach Expands Amid Salesforce Security Concerns
Gainsight has expanded the list of customers impacted by a security incident linked to its Salesforce applications, following initial reports of suspicious activity. The breach has been associated with the cybercrime group ShinyHunters, prompting Gainsight to revoke access and refresh tokens for affected applications. Companies like Zendesk, Gong.io, and HubSpot have temporarily suspended Gainsight integrations, while Google has disabled certain OAuth clients to mitigate risks. Salesforce and Gainsight have released indicators of compromise, including specific user agent strings and IP addresses, to aid in identifying unauthorized access. The incident coincides with the emergence of ShinySp1d3r, a new ransomware-as-a-service platform developed by ShinyHunters and associated groups. ShinySp1d3r features advanced capabilities, such as disabling Windows Event Viewer logging and encrypting open network shares, posing significant threats to organizations. Gainsight and affected partners are actively investigating the breach, while urging customers to implement recommended security measures to protect their environments.
2025-11-26 22:28:21 bleepingcomputer MALWARE ShadowV2 Botnet Exploits IoT Vulnerabilities During AWS Outage
Fortinet's FortiGuard Labs identified the ShadowV2 botnet, leveraging Mirai-based malware, targeting IoT devices during an AWS outage, potentially as a test run. ShadowV2 exploits at least eight known vulnerabilities in IoT products, including a critical command injection flaw in end-of-life D-Link devices. The botnet targeted routers, NAS devices, and DVRs across seven sectors globally, affecting regions such as North and South America, Europe, Africa, Asia, and Australia. ShadowV2 supports DDoS attacks using UDP, TCP, and HTTP protocols, with its command-and-control infrastructure triggering these attacks. Fortinet researchers provided technical details and indicators of compromise (IoCs) to aid in identifying and mitigating the threat. D-Link issued advisories warning users that outdated devices will not receive security updates, stressing the importance of maintaining firmware currency. The exact operators and monetization strategy behind ShadowV2 remain unknown, but typical DDoS botnets monetize through extortion or renting attack capabilities.
2025-11-26 20:43:51 theregister DATA BREACH Gainsight Data Breach Affects Over 200 Salesforce Instances
Gainsight's CEO minimized the breach impact, claiming only a few customers were affected, contradicting reports of over 200 impacted Salesforce instances. Google's Threat Intelligence Group linked the breach to ShinyHunters, a known extortion group, which later confirmed involvement. Salesforce discovered suspicious activity on November 19, leading to the revocation of all access and refresh tokens for Gainsight applications. Gainsight's forensic investigation is ongoing, with Salesforce integration still disabled and no timeline for restoration provided. Gainsight is addressing login issues for some customers using GSuite for SSO, indicating broader operational disruptions. Other CRM platforms, including Zendesk and HubSpot, have also revoked access to Gainsight, reflecting the breach's wider impact. Salesforce issued a security advisory listing indicators of compromise related to ShinyHunters, urging network defenders to review them. Gainsight is actively communicating with affected customers through town halls and support teams to manage the situation.