Daily Brief

Each article below is followed by a generated summary.

Total articles found: 12632

Checks for new stories every ~15 minutes

2025-11-26 20:03:25 bleepingcomputer MISCELLANEOUS NordVPN Offers Significant Discounts During 2025 Black Friday Event
NordVPN has launched its 2025 Black Friday promotion, offering up to 77% off on VPN plans, appealing to both individual and corporate users seeking enhanced online security. The promotion includes discounts on NordVPN's Basic, Plus, and Ultimate plans, with additional features such as Threat Protection Pro and identity theft insurance for U.S. residents. This deal positions NordVPN as a cost-effective choice for comprehensive online security, including VPN services, password management, and encrypted cloud storage. NordVPN's infrastructure supports fast connection speeds and access to global streaming services, making it ideal for users prioritizing privacy and entertainment needs. The company emphasizes the importance of online security during the holiday shopping season, a period of heightened cybercriminal activity. NordVPN's headquarters in Panama allows it to maintain a strict no-logs policy, enhancing user privacy by avoiding data retention laws. This promotion runs from October 16 through December 10, 2025, providing an extended window for securing these significant savings.
2025-11-26 19:37:34 bleepingcomputer VULNERABILITIES High-Severity Signature Verification Bypass Patched in node-forge Library
A high-severity vulnerability in the node-forge JavaScript library, tracked as CVE-2025-12816, allows crafted input to bypass signature verification. The root cause is in the library's ASN.1 validation, which accepted malformed structures as valid and so undermined the integrity guarantees of cryptographic protocols built on it. Hunter Wodzenski of Palo Alto Networks discovered the flaw, reported it responsibly, and demonstrated it with a proof of concept. Carnegie Mellon's CERT/CC warns that the likely impacts are authentication bypass and tampering with signed data, especially where node-forge sits in a trust decision. With nearly 26 million weekly downloads, node-forge underpins many projects that need cryptographic functions, so the flaw's reach is wide. The fix shipped in version 1.3.2 and developers are urged to update immediately; because node-forge is often pulled in transitively, lockfiles and nested copies need checking as well as direct dependencies. Flaws in widely used open-source libraries tend to persist long after disclosure because downstream projects must re-test before upgrading, which makes prompt patch adoption all the more important.
2025-11-26 18:48:15 theregister DDOS ShadowV2 Mirai Botnet Surfaced During AWS Outage in Apparent DDoS Test Run
The ShadowV2 botnet, a Mirai variant, surfaced during an AWS outage and infected IoT devices in 28 countries, in what looks like a test run for future large-scale attacks. Fortinet's FortiGuard Labs reported that ShadowV2 exploited known vulnerabilities in devices from several vendors, including D-Link and TP-Link, to build a network capable of DDoS attacks. Its activity coincided with the outage, touched the technology, retail, government and education sectors, and stopped once the outage ended. Operators used a downloader script to deploy ShadowV2, which then connected to a command-and-control server to receive DDoS instructions, much like the LZRD Mirai variant. The incident underscores the need to patch IoT firmware, harden exposed devices, and monitor network traffic for botnet command-and-control and attack patterns. Fortinet published indicators of compromise to help organizations check whether their devices were recruited. Shortly afterwards, Microsoft reported that Azure had mitigated a record-breaking DDoS attack from the Aisuru botnet without service disruption.
2025-11-26 18:32:12 bleepingcomputer DATA BREACH Comcast Pays $1.5M FCC Settlement Over Vendor Breach Affecting 275,000 Customers
Comcast agreed to a $1.5 million settlement with the FCC over a data breach at a vendor that exposed personal information of nearly 275,000 Comcast customers. The breach occurred at Financial Business and Consumer Solutions (FBCS), a former debt collector for Comcast, and affected about 4.2 million individuals across all of FBCS's clients. Between February 14 and February 26, 2024, attackers accessed names, addresses, Social Security numbers, and Comcast account details. Under the settlement, Comcast's compliance plan includes enhanced vendor oversight, regular risk assessments, and mandatory reporting of security violations to the FCC. Comcast maintains that it was not responsible for the breach, since its own network was not compromised. The case shows that regulators hold companies accountable for customer data held by their vendors, which makes vendor risk management and contractual security requirements a compliance matter, not only a technical one.
2025-11-26 18:13:32 thehackernews VULNERABILITIES Shai-Hulud v2 Attack Expands, Threatens Global Software Supply Chains
The Shai-Hulud v2 campaign, a self-propagating npm worm, has compromised more than 830 npm packages and has now reached Maven Central, where compromised packages carry the same malicious components that exfiltrate API keys, cloud credentials and other secrets. The campaign abuses misconfigured GitHub Actions workflows to run malicious code in CI and compromise further projects; more than 28,000 repositories have been affected, and the core logic is hidden with stealth techniques to evade detection and widen the infection. Because each compromised maintainer account is used to publish new malicious versions, a single infected account can quickly cascade into many downstream applications. Security firms advise rotating exposed tokens and credentials, auditing dependencies and lockfiles against the published lists of affected packages, and hardening CI/CD environments. The incident highlights how package registries and CI pipelines have become a weak point in open-source software distribution.
2025-11-26 17:26:31 bleepingcomputer CYBERCRIME Cyberattack Disrupts IT Systems of Multiple London Councils
A cyberattack has disrupted the IT systems of the Royal Borough of Kensington and Chelsea and Westminster City Council, taking down phone lines and other services for around 360,000 residents. The attack hit IT infrastructure shared by the councils, which activated emergency plans to keep essential services running. The London Borough of Hammersmith and Fulham, which uses the same shared infrastructure, has put precautionary security measures in place, and those have caused some disruption of their own. The councils are working with the National Cyber Security Centre and incident response specialists to protect systems, restore operations and investigate the attack. Whether data was accessed is still under investigation, and the councils say they will update the public as more is known. The UK Information Commissioner's Office has been notified, in line with the usual protocol for such incidents. Security experts suggest the pattern is consistent with a ransomware attack at the shared services provider, though no group has claimed responsibility yet.
2025-11-26 17:18:16 theregister MISCELLANEOUS GSMA Calls for Harmonized Cybersecurity Regulations to Reduce Costs
The GSMA report indicates fragmented cybersecurity regulations are inflating costs for mobile operators without enhancing network safety. Mobile operators' cybersecurity spending is expected to more than double by 2030 due to evolving threats and complex regulatory demands. The report highlights that operators face overlapping laws and sector-specific policies, leading to increased compliance expenses and resource diversion. Current regulations often require operators to implement additional activities or invest in mandated technologies, increasing operational costs. GSMA advocates for aligning cybersecurity policies with international standards like ISO 27001 and the NIST Cybersecurity Framework. The organization suggests a shift from punitive enforcement to collaborative approaches, emphasizing prevention and long-term investment. Harmonized, risk-based cybersecurity frameworks are recommended to enhance safety across the digital ecosystem while reducing compliance burdens.
2025-11-26 14:46:54 bleepingcomputer MISCELLANEOUS Passwork 7 Unifies Enterprise Credential and Secrets Management
Passwork 7 brings human and machine credentials into a single platform, aimed at enterprise teams that manage secrets across distributed infrastructure. The release focuses on usability, security refinements, and workflow efficiency. Its vault architecture supports granular access control, so organizations can mirror their internal structure in how credentials are shared and audited. Data is encrypted client-side before it reaches the server, so a compromise of the server alone yields only ciphertext; the client and the user's master secret remain the parts that need protecting. Self-hosted deployment keeps credential data on infrastructure the organization controls, which helps with data residency and regulatory requirements and reduces dependency on the vendor's cloud. SSO and LDAP integration tie user management to the existing corporate identity infrastructure. A Python connector and a CLI let DevOps workflows fetch credentials programmatically. A 50% Black Friday discount and a free trial are on offer for organizations that want to evaluate it.
2025-11-26 14:37:14 theregister CYBERCRIME CodeRED Emergency Alert System Hit by INC Ransomware Attack
Crisis24's CodeRED emergency alert platform was compromised by the INC ransomware group, disrupting alerting for municipalities across the United States. The attackers stole CodeRED user data including names, addresses, email addresses, phone numbers, and passwords. Douglas County, Colorado, has terminated its CodeRED contract, while other customers are being moved to a rebuilt platform that Crisis24 says is hosted in a separate, uncompromised environment with additional security controls. In the meantime, affected areas are falling back on social media and door-to-door notification to deliver emergency alerts. INC initially demanded a $950,000 ransom, later cut to $450,000, and rejected Crisis24's counteroffers; after posting a sample of the data online it has threatened to sell the rest. Crisis24 has not confirmed a full leak but is urging users to change their passwords, especially any reused on other services, and to watch for phishing that uses the stolen contact details.
2025-11-26 14:37:14 thehackernews CYBERCRIME Qilin Ransomware Exploits South Korean MSP in Major Data Heist
Qilin ransomware hit South Korea's financial sector through a supply chain attack that compromised a managed service provider (MSP) and used its access to reach multiple clients. The campaign, dubbed "Korean Leaks," claimed 28 victims and the theft of more than 1 million files, about 2 TB of data. It unfolded in three waves, at first framing the leaks as a public service exposing corruption before shifting openly to financial extortion. Qilin operates as Ransomware-as-a-Service and recruits affiliates, among them the North Korean actor Moonstone Sleet, to carry out attacks. The breach of the MSP GJTec led to ransomware infections at more than 20 asset management companies, showing how an MSP's privileged access to its clients becomes a single point of failure. The group, likely Russian in origin, presents itself as politically motivated and uses propaganda to pressure victims and shape public perception. Organizations are urged to require multi-factor authentication on MSP and remote access accounts, apply least privilege to what MSPs can reach, and segment critical systems. Exploiting an MSP gives ransomware groups a practical way to hit a cluster of victims at once, which is why securing the supply chain matters.
2025-11-26 14:19:24 theregister MISCELLANEOUS US Navy Cancels Constellation Frigate Program Amid Delivery Delays
The US Navy has decided to terminate the Constellation-class frigate program, limiting production to two ships due to delays and redesign challenges. Secretary of the Navy John Phelan announced the decision, emphasizing the need for faster fleet expansion to address emerging threats. Originally intended for rapid delivery, the Constellation class experienced significant redesigns, resulting in only 15% commonality with the initial design. The program's cancellation affects the Navy's anti-submarine capabilities, as these frigates were to feature advanced sonar systems. Construction of the first two ships will continue to maintain employment at the Fincantieri Marinette Marine facility, though their future remains uncertain. The Navy is exploring alternatives, including autonomous vessels like the Large Unmanned Surface Vehicle, to meet operational needs swiftly. This decision reflects broader challenges in balancing rapid procurement with complex design and capability requirements in naval shipbuilding.
2025-11-26 13:26:41 bleepingcomputer VULNERABILITIES Microsoft to Enforce Content Security Policy on Entra ID Sign-In Pages
Microsoft will enforce a Content Security Policy (CSP) on Entra ID sign-in pages from October 2026 to block script injection. The policy restricts script execution to Microsoft-trusted domains, so scripts from any other origin, whether injected by a browser extension or by a cross-site scripting attempt, are refused by the browser instead of running with access to the sign-in page and the credentials typed into it. The change applies only to browser-based sign-ins at login.microsoftonline.com; Microsoft Entra External ID is not affected. Organizations should test their sign-in scenarios before the policy takes effect, since anything that depends on injecting code into the sign-in page will break. Administrators can identify affected scripts in the browser developer console, where CSP violations appear as red error messages. Microsoft recommends retiring browser extensions and tools that inject scripts into sign-in pages, as these will be unsupported once the policy is enforced. The change is part of Microsoft's Secure Future Initiative, which the company expanded after the DHS Cyber Safety Review Board's critical report on its security culture.
2025-11-26 11:58:49 thehackernews MISCELLANEOUS Balanced SOC Investments Crucial for Effective Cyber Threat Detection
Recent analysis argues that enterprises often underfund their Security Operations Centers (SOCs) even as they keep buying detection tools, leaving gaps that tools alone cannot close. In one case study, a SOC caught a targeted phishing campaign against C-suite executives that had slipped past eight different email security tools. When spending on detection outpaces spending on the people who triage its output, analysts are buried in alerts and subtle threats are missed. Detection tools act quickly on what they recognize; the SOC supplies the context and the investigation time that a tool's verdict lacks. Organizations are increasingly adopting AI SOC platforms, such as Radiant Security, to automate alert triage; the vendor claims this cuts false positives by more than 90%. Such platforms are pitched as letting small teams keep 24/7 coverage without large headcount or outsourcing. The takeaway is a balanced investment strategy that gets full value from existing detection tools rather than simply adding more of them.
2025-11-26 11:45:29 bleepingcomputer VULNERABILITIES ASUS Releases Firmware Updates for Critical AiCloud Router Flaw
ASUS has released firmware updates fixing nine vulnerabilities, including a critical authentication bypass, CVE-2025-59366, that affects routers with the AiCloud feature enabled. The flaw involves the Samba functionality and lets an attacker trigger specific functions without authorization in a low-complexity attack. ASUS advises updating immediately, particularly on routers running the 3.0.0.4_386, 3.0.0.4_388 and 3.0.0.6_102 firmware series. For end-of-life models that will not receive a fix, ASUS recommends disabling services reachable from the internet, AiCloud among them, and using strong, unique passwords. An earlier flaw, CVE-2025-2492, was exploited in Operation WrtHug, which targeted outdated ASUS routers worldwide and has been linked to Chinese hacking operations; SecurityScorecard researchers suggest the hijacked routers serve as relay nodes that hide command-and-control infrastructure. Both cases make the same point: keep router firmware current and keep management services off the internet.
2025-11-26 11:14:49 theregister CYBERCRIME London Councils Face Cyberattack Disrupting Shared IT Services
The Royal Borough of Kensington and Chelsea and Westminster City Council are investigating a cyber incident affecting shared IT services, impacting phone lines and online access. The London Borough of Hammersmith and Fulham, also using these shared services, is involved in precautionary measures to protect their networks amidst the ongoing investigation. The National Cyber Security Centre is assisting in remediation efforts, focusing on data protection and system restoration, while the affected councils implement business continuity plans. Service disruptions have led to challenges in communication, with residents experiencing delays in accessing essential services such as social care and housing support. Cybersecurity experts suggest the incident bears hallmarks of a serious intrusion, potentially involving lateral movement through shared infrastructure, indicating a possible ransomware attack. The Metropolitan Police's Cyber Crime Unit is conducting inquiries, with no arrests made yet, as they work to determine the attack's origin and impact. Authorities are maintaining transparency with the public, providing updates via social media, and urging patience as they work to resolve the situation.