Daily Brief

ESET researchers identified two Android spyware campaigns, ProSpy and ToSpy, targeting users in the U.A.E. by impersonating Signal and ToTok apps through fake websites. The spyware apps are not available on official app stores, requiring users to manually install them from third-party sites posing as legitimate services. Once installed, the malware gains persistent access to devices, exfiltrating sensitive data such as contacts, SMS messages, files, and device information. The ProSpy campaign, active since 2024, uses deceptive websites to distribute malicious APKs claiming to be upgrades for Signal Encryption Plugin and ToTok Pro. ToSpy, ongoing since June 2022, mimics the Samsung Galaxy Store to lure users into downloading a compromised version of the ToTok app, exploiting its past removal from official stores. Both spyware families employ tactics to maintain persistence, including foreground services and Android's AlarmManager, while disguising their presence by redirecting users to legitimate app sites. ESET advises caution against downloading apps from unofficial sources and warns against enabling installations from unknown origins to prevent such malware infections.

Red Hat experienced a security incident with unauthorized access to its private GitHub repositories, involving nearly 570GB of data across 28,000 projects. The Crimson Collective, an extortion group, claims responsibility and alleges the theft includes 800 Customer Engagement Reports (CERs) containing sensitive client information. CERs may hold critical infrastructure details, configuration data, and authentication tokens, posing a risk to customer network security if exploited. Red Hat has initiated remediation steps, asserting no impact on other services or products and confidence in its software supply chain integrity. The hacking group published a directory listing of the stolen data and CERs on Telegram, implicating major organizations like Bank of America, T-Mobile, and the U.S. Navy. The attackers attempted extortion, but Red Hat's response was limited to standard communication channels, involving legal and security teams. This incident underscores the importance of securing code repositories and sensitive client data to prevent unauthorized access and potential exploitation.

Mandiant and Google are tracking extortion emails sent to executives, claiming theft of data from Oracle E-Business Suite systems. The campaign began in late September 2025, with emails sent from numerous compromised accounts, some linked to the FIN11 threat group. While emails contain addresses associated with the Clop ransomware gang, there is no confirmed evidence of actual data theft. Organizations receiving these emails are advised to investigate their Oracle systems for any signs of unusual access or compromise. Clop, also known as TA505 and FIN11, has a history of exploiting zero-day vulnerabilities and engaging in ransomware and extortion activities. The U.S. State Department offers a $10 million reward for information connecting Clop's activities to a foreign government. This incident underscores the importance of vigilant monitoring and response strategies to mitigate potential threats from extortion campaigns.

A new extortion campaign has surfaced, with emails claiming data theft from Oracle E-Business Suite systems sent to multiple company executives. Mandiant and Google are actively investigating these claims, which began on or before September 29, 2025, but have yet to verify the data theft. The emails originate from numerous compromised accounts, with at least one linked to the FIN11 group, known for ransomware and extortion activities. Contact addresses in the emails match those on Clop ransomware's data leak site, suggesting a potential connection to the extortion group. Organizations receiving these emails are advised to check for unusual access or compromises within their Oracle systems to mitigate potential threats. The Clop group, active since 2019, has shifted focus from ransomware to exploiting zero-day vulnerabilities for data theft and extortion. The U.S. State Department offers a $10 million reward for information linking Clop's activities to any foreign government involvement.

Motility Software Solutions, a dealer management software provider, faced a ransomware attack affecting 766,000 customers across various dealership sectors in the U.S. The attack on August 19, 2025, resulted in the encryption of systems and potential theft of personal data, impacting business operations significantly. Exposed data varies per individual and could include sensitive personal information; however, the company has no evidence of misuse at this time. Motility responded by conducting a thorough investigation, enhancing security measures, and restoring systems from backups to mitigate the impact. To detect any misuse of stolen data, Motility has implemented dark web monitoring systems and is actively watching underground forums. Affected individuals are offered a year of free identity monitoring services through LifeLock, with recommendations to monitor credit reports and consider fraud alerts. No ransomware group has claimed responsibility for the attack, leaving the identity of the perpetrators unknown.

Adobe Analytics experienced a data ingestion issue, causing customer data to appear in other organizations' reports, impacting services globally for approximately one day. The issue originated from a performance optimization change on September 17, 2025, which inadvertently introduced a bug affecting data integrity. Approximately 3–5% of collected data was corrupted, with fields overwritten by data from other customers, affecting Data Feeds, Live Stream, and reporting applications. Adobe's advisory recommends immediate deletion of impacted data from systems, backups, and downstream environments to prevent further data retention or misuse. Although not a malicious attack, the incident raises potential compliance concerns under regulations such as VPPA, CPPA, and GDPR due to the exposure of sensitive data. Adobe has reverted the change and is actively cleansing affected datasets, with notifications to be sent to customers once the platform is stable for accurate reporting. The incident highlights the importance of rigorous testing and monitoring of system changes to prevent unintended data exposure and compliance risks.

Red Hat OpenShift AI is affected by a critical vulnerability (CVE-2025-10725) with a CVSS score of 9.9, allowing potential full cluster control. The flaw permits a low-privileged attacker with minimal authentication to escalate privileges and compromise the platform's integrity, confidentiality, and availability. Exploitation involves abusing the ClusterRoleBinding linked to the system:authenticated group, enabling unauthorized job creation in any namespace. Red Hat advises removing the ClusterRoleBinding and adhering to the principle of least privilege to mitigate the risk. Security teams are urged to patch systems urgently and investigate potential breaches to ensure environments remain secure. OpenShift AI's vulnerability could lead to data theft, service disruption, and control over infrastructure if not addressed promptly. The vulnerability's discovery emphasizes the need for robust access controls and regular security audits in hybrid cloud environments.

Klopatra, a new Android banking trojan, has infected over 3,000 devices across Europe, disguising itself as an IPTV and VPN app. Developed by a Turkish-speaking cybercrime group, Klopatra steals banking credentials through overlay attacks and exfiltrates sensitive data. The malware features a hidden VNC mode, allowing attackers to perform actions on devices while appearing idle to the victim. Klopatra evades detection by using commercial-grade code protection, anti-debugging mechanisms, and attempts to uninstall popular antivirus apps. Researchers identified multiple command and control points linked to two campaigns, despite operators using Cloudflare to obscure their tracks. Since its emergence in March 2025, Klopatra has undergone 40 builds, indicating rapid development and adaptation by its operators. Android users are advised to avoid installing APKs from untrusted sources, deny Accessibility Service permissions, and keep Play Protect active.

The US Air Force is investigating a potential privacy breach involving Microsoft SharePoint, which may have exposed Personally Identifiable Information (PII) and Protected Health Information (PHI). A breach notification suggests a service-wide shutdown of SharePoint, affecting mission files and critical tools for service members, with potential impacts on operational readiness. The Air Force is assessing the scope of the breach and exploring technical remediation solutions to ensure compliance with the Privacy Act and maintain operational capabilities. Reports indicate that SharePoint, along with Microsoft Teams and Power BI dashboards, could be blocked Air Force-wide, with restoration efforts possibly extending up to two weeks. The incident follows previous security vulnerabilities in SharePoint exploited by foreign entities, raising concerns about the integrity of US government systems. Microsoft has not confirmed any connection to prior SharePoint vulnerabilities exploited by foreign adversaries, leaving questions about the breach's origins and impact. The breach underscores ongoing challenges in securing military and government digital infrastructure, emphasizing the need for robust cybersecurity measures and vendor accountability.

Researchers from Georgia Tech and Purdue University have demonstrated a new attack, WireTap, that bypasses Intel's SGX security on DDR4 systems, exposing sensitive data. The WireTap attack uses a memory-bus interposer to extract an SGX secret attestation key, compromising the confidentiality of SGX-protected data. This method allows attackers to masquerade as legitimate SGX hardware, potentially exposing sensitive information and undermining SGX's security assurances. The attack requires physical access to install an interposer, with costs around $1,000, making it a feasible threat under specific conditions. Intel has acknowledged the vulnerability but stated it falls outside their threat model, as it assumes physical access, and does not plan to issue a CVE. Organizations using SGX-backed systems are advised to ensure secure physical environments and consider cloud providers with robust physical security measures. The findings stress the importance of evaluating physical security in environments relying on hardware-based encryption protections like SGX.

Google's new developer verification rules, set for 2026, may threaten the future of F-Droid, a third-party app store for open-source Android apps. The new policy mandates that all apps on certified Android devices come from developers who have verified their identity with Google, potentially blocking unregistered apps. F-Droid argues that this requirement is not a genuine security measure but a move to consolidate control over the Android ecosystem. The policy could prevent users from accessing and updating a wide range of trustworthy open-source apps, impacting software freedom. F-Droid is unable to compel developers to register with Google, nor can it assume control of app identifiers without seizing distribution rights. Google claims sideloading will remain possible for verified developers, with some exemptions for hobbyists, but F-Droid warns of broader implications for digital rights. F-Droid urges regulators to scrutinize this policy under competition and digital rights frameworks, encouraging advocacy for software freedom.

WestJet confirmed a data breach affecting 1.2 million customers, exposing personal information such as passports and ID documents. The breach, disclosed in June, disrupted internal systems and made the WestJet app unavailable, impacting customer service operations. Attackers used social engineering to reset an employee's password, gaining access through Citrix to compromise Windows and Microsoft cloud networks. WestJet has assured customers that no credit card details or passwords were compromised in the breach. The airline is working with the FBI and technical experts to assess the full scope of the incident and prevent future occurrences. Affected customers are offered a free 2-year identity theft protection and monitoring service, with instructions included in the notification. WestJet continues to update customers and authorities, emphasizing ongoing efforts to secure their systems and data.

Google has launched an AI-driven ransomware detection feature for Google Drive desktop, aiming to minimize the impact of ransomware attacks by pausing file syncing when threats are detected. The feature uses a specialized AI model trained on millions of ransomware samples to identify malicious file alterations, protecting documents stored in Google Drive. Upon detecting unusual activity, Drive halts file syncing to prevent widespread data corruption, alerting users to restore files via a simple web interface. The solution is automatically enabled for Google Workspace users across various subscription tiers, with options for IT administrators to disable it if necessary. Users must have Google Drive version 114 or later to receive ransomware detection alerts, ensuring compatibility with the latest security features. Google's approach contrasts with traditional methods by offering a user-friendly restoration process without needing complex re-imaging or third-party tools. This development aligns with similar offerings from Microsoft and Dropbox, enhancing competitive positioning in cloud storage security solutions.

Allianz Life's investigation revealed a data breach affecting 1.5 million individuals, compromising names, addresses, dates of birth, and social security numbers. The breach involved unauthorized access to a third-party cloud-based CRM system, potentially linked to the ShinyHunters extortion group. Impacted parties include Allianz Life customers, financial professionals, and employees, though Allianz SE's global operations remain unaffected. Allianz Life is offering a two-year identity theft monitoring service through Kroll to help mitigate potential risks for affected individuals. The company has communicated the breach details to U.S. authorities and established a dedicated support team to assist customers. Affected individuals are advised to remain vigilant for phishing attempts, enable credit monitoring, and consider implementing a credit freeze. This incident underscores the ongoing risks associated with third-party cloud services and the importance of robust security measures.

CISA's recent guidance positions microsegmentation as a core component of Zero Trust, shifting from its previous view as an advanced, optional strategy. The global microsegmentation market is projected to reach $41.24 billion by 2034, driven by the demand for enhanced cyber defenses. Despite its recognized value, only 5% of organizations currently implement microsegmentation due to perceived complexity and cost. CISA's roadmap advises a phased approach to microsegmentation, though traditional methods may still present operational challenges. Modern solutions, such as those offered by Zero Networks, promise streamlined deployment through automation and identity-aware policies. The emphasis is shifting from detection to containment, with microsegmentation seen as vital for limiting attack impact and enhancing incident response. Organizations are encouraged to adopt modern microsegmentation techniques to achieve comprehensive security more efficiently.