Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12632
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-11-26 11:14:49 | thehackernews | MALWARE | Malicious Chrome Extension Steals Solana Fees in Raydium Transactions | A Chrome extension named Crypto Copilot was discovered injecting hidden Solana transfer fees into Raydium swaps, diverting funds to an attacker's wallet. The extension, published by "sjclark76," claims to facilitate crypto trading with real-time insights but secretly manipulates transactions. Crypto Copilot has 12 installs and remains available for download, raising concerns about potential user impact and financial loss. The extension uses obfuscated code to append a hidden transfer fee to each swap, charging a minimum of 0.0013 SOL or 0.05% of the trade amount. This malicious activity is concealed through techniques like minification and variable renaming, making detection challenging for users. The extension also communicates with backend domains that host no real product; these register wallets and report user activity, extending the attack's reach. The extension leverages legitimate services to appear credible, potentially misleading users into trusting its operations. This incident underscores the importance of scrutinizing browser extensions for hidden malicious behavior to prevent unauthorized fund transfers. | Details |
| 2025-11-26 11:05:10 | thehackernews | VULNERABILITIES | Webinar Offers Strategies to Secure Community-Maintained Software Tools | Community-maintained tools like Chocolatey and Winget are widely used for system updates due to their speed and flexibility, but they pose potential security risks. These tools allow anyone to add or update packages, which can lead to vulnerabilities if packages are outdated, lack safety checks, or are maliciously altered. Hackers exploit these vulnerabilities, similar to incidents observed in platforms like NPM and PyPI, highlighting the need for vigilance with Windows tools as well. A free webinar led by Gene Moody, Field CTO at Action1, will provide practical guidance on mitigating these risks while maintaining efficient update processes. Participants will learn to implement safety measures such as source pinning, allow-lists, and hash/signature verification to secure their systems. The session will also cover how to prioritize updates using known vulnerability data and how to safely integrate community tools with direct vendor sources. This webinar targets IT professionals managing software updates, offering actionable insights to enhance security without compromising operational efficiency. | Details |
| 2025-11-26 09:04:27 | theregister | MISCELLANEOUS | Strategic Cybersecurity Investments During Black Friday 2025 | Black Friday 2025 presents a strategic opportunity for IT directors and CISOs to stretch security budgets with significant discounts on critical cybersecurity solutions. Darktrace reports a 692% surge in phishing attacks during Black Friday and Cyber Monday, exploiting the chaos of the shopping season. Offers include up to 60% discounts on solutions like Passwork password manager, CrowdStrike Falcon, Bitdefender Total Security, ESET Internet Security, and Exploit Pack. Passwork offers a 50% discount on its self-hosted, GDPR-compliant password manager, appealing to organizations needing on-premise control and data sovereignty. CrowdStrike Falcon provides substantial discounts on its EDR solutions, with the Enterprise tier offering threat hunting capabilities for sophisticated threat landscapes. Bitdefender and ESET offer proven, lightweight protection with significant discounts, appealing to businesses with diverse device ecosystems and BYOD policies. The article advises careful evaluation of deals to avoid hidden costs and ensure solutions align with actual security needs, emphasizing the importance of trials and demos. Executives are urged to act decisively, as attackers are active during this period, making informed procurement decisions critical to maintaining robust security postures. | Details |
| 2025-11-26 08:31:58 | thehackernews | NATION STATE ACTIVITY | Russian Unit 29155 Targets U.S. Firm with SocGholish Malware Attack | RomCom threat actors targeted a U.S.-based civil engineering firm using the SocGholish JavaScript loader to deploy Mythic Agent malware, marking a new distribution method for RomCom payloads. Arctic Wolf Labs attributes this activity to Russia's GRU Unit 29155, with medium-to-high confidence, focusing on entities with historical ties to Ukraine. SocGholish, linked to TA569, acts as an initial access broker, distributing malware via fake browser update alerts on compromised websites. The attack chain exploits poorly secured websites, leveraging known vulnerabilities to inject malicious JavaScript and initiate the infection process. RomCom, associated with both cybercrime and espionage, uses spear-phishing and zero-day exploits to deliver remote access trojans, targeting Ukraine and NATO-related entities. The attack was thwarted before completion, but it underscores the persistent interest of RomCom in targeting Ukraine-linked organizations. The rapid progression from initial access to infection, under 30 minutes, highlights the significant threat posed by SocGholish attacks globally. | Details |
| 2025-11-26 04:31:44 | thehackernews | CYBERCRIME | FBI Warns of $262M Losses from Account Takeover Fraud in 2023 | The FBI reports cybercriminals have exploited financial institutions, resulting in over $262 million in account takeover (ATO) fraud losses this year, affecting individuals and organizations across various sectors. Attackers gain unauthorized access to accounts using social engineering tactics, such as phishing emails, calls, and fake websites, to deceive victims into revealing login credentials and multi-factor authentication codes. Methods include impersonating financial institution employees and law enforcement to manipulate victims into sharing sensitive information, leading to unauthorized account access and fund transfers. Cybercriminals utilize SEO poisoning and malicious search engine ads to redirect users to counterfeit sites, further facilitating credential theft and account compromise. Stolen funds are often transferred to cryptocurrency wallets, complicating the tracking of illicit transactions and obscuring the money trail. To mitigate risks, the FBI advises vigilance against phishing, using complex passwords, verifying website URLs, and monitoring accounts for irregularities. The rise in AI-driven phishing campaigns and holiday scams, such as Black Friday fraud and QR code scams, poses additional threats, with attackers leveraging AI tools to enhance the credibility of their attacks. Security firms have detected a surge in malicious domains and exploited vulnerabilities in popular e-commerce platforms, emphasizing the need for robust security measures during the holiday season. | Details |
| 2025-11-25 23:36:30 | theregister | MALWARE | WormGPT 4 and KawaiiGPT Lower Entry Barriers for Cybercriminals | Palo Alto Networks' Unit 42 reports WormGPT 4, an AI model designed for cybercrime, is now available for $220 lifetime access, significantly reducing barriers for potential attackers. WormGPT 4 can generate complex malware, including ransomware scripts, capable of encrypting files and demanding ransoms, though it requires human intervention to evade detection. The model's capabilities extend beyond simple phishing, enabling the creation of sophisticated attack scripts, such as those for data exfiltration and lateral movement on compromised systems. KawaiiGPT, another malicious AI tool, is freely accessible on GitHub, offering entry-level cyber offense capabilities and further democratizing access to cybercriminal tools. These AI-driven tools automate critical steps in cyberattacks, such as spear phishing and privilege escalation, posing a growing threat to cybersecurity defenses. The emergence of these models signals a shift in cybercrime, where AI assists in streamlining attack processes, making sophisticated cyber operations accessible to less skilled individuals. Organizations must enhance their security measures to counteract AI-assisted threats, focusing on advanced detection and response strategies to mitigate potential risks. | Details |
| 2025-11-25 22:39:45 | theregister | CYBERCRIME | Akira Ransomware Exploits M&A Vulnerabilities via SonicWall Devices | ReliaQuest identified Akira ransomware affiliates exploiting SonicWall SSL VPN vulnerabilities to infiltrate parent companies during mergers and acquisitions. Acquiring firms often inherit compromised SonicWall devices, leaving critical vulnerabilities exposed and giving ransomware operators network access. Akira affiliates exploited these vulnerabilities to swiftly access sensitive systems, reaching domain controllers in an average of 9.3 hours. Common security gaps included zombie privileged credentials, default hostnames, and insufficient endpoint protection, facilitating rapid lateral movement. The ransomware attacks typically progressed from lateral movement to deployment in under an hour, highlighting the speed and efficiency of the intrusions. Akira operators targeted unprotected hosts or attempted to disable security measures using DLL sideloading techniques to encrypt systems undetected. Organizations undergoing mergers and acquisitions are advised to thoroughly assess inherited IT assets and close security gaps to prevent such attacks. | Details |
| 2025-11-25 21:54:24 | bleepingcomputer | CYBERCRIME | Cyberattack on OnSolve CodeRED Disrupts U.S. Emergency Alert Systems | Crisis24 confirmed a cyberattack on its OnSolve CodeRED platform, disrupting emergency alert systems used by U.S. state and local governments, police, and fire agencies. The attack led to the decommissioning of the legacy CodeRED environment, affecting emergency notifications, weather alerts, and other critical warnings nationwide. Crisis24's investigation revealed that data, including names, addresses, and passwords, was stolen, though there is no evidence of it being publicly posted. The INC Ransomware gang claimed responsibility, publishing screenshots of customer data and offering stolen information for sale after a failed ransom demand. Crisis24 is rebuilding its service using backups from March 31, 2025, but this may result in missing accounts and further operational challenges. Impacted customers are advised to reset any reused passwords due to the exposure of clear-text credentials in the breach. The incident highlights the vulnerabilities in emergency notification systems and the need for robust cybersecurity measures to protect critical infrastructure. | Details |
| 2025-11-25 19:21:52 | bleepingcomputer | MISCELLANEOUS | Black Friday 2025: Major Discounts on Cybersecurity Tools and Courses | Black Friday 2025 offers significant discounts on cybersecurity software, VPNs, antivirus products, and online courses, providing cost-effective opportunities for enhancing security infrastructure. Password managers like Passwork, LastPass, and Dashlane offer up to 60% discounts, facilitating better password management at reduced costs. VPN services such as NordVPN, SurfShark, and ProtonVPN are available with discounts up to 88%, promoting enhanced privacy and secure internet access. Antivirus software from leading providers like Malwarebytes, Avast, and ESET is discounted up to 70%, allowing businesses to strengthen malware defenses affordably. Discounts on IT and security courses from platforms like Udemy and ISC2 provide a chance for professionals to upskill and prepare for certifications at lower prices. The deals are time-sensitive, with varying expiration dates, urging quick decision-making to capitalize on these offers. These promotions reflect a strategic opportunity for organizations to invest in cybersecurity tools and training, aligning with budget planning for 2026. | Details |
| 2025-11-25 18:02:29 | theregister | VULNERABILITIES | New HashJack Attack Exploits AI Browser Vulnerabilities via URL Fragments | Cato Networks discovered the "HashJack" attack, exploiting AI browser assistants by embedding malicious prompts in URL fragments, effectively bypassing traditional network and server defenses. The attack manipulates AI browsers like Copilot, Gemini, and Comet, turning legitimate websites into vectors for data exfiltration, phishing, and misinformation. HashJack's method involves adding a "#" to URLs, followed by malicious instructions, which AI browsers process without detection, increasing the risk of successful attacks. Cato's research indicates AI browsers are particularly susceptible to indirect prompt injections, as they misinterpret hidden commands as user inputs. Google classified the issue as low severity, while Microsoft and Perplexity AI have implemented fixes to counteract the vulnerability in their AI browsers. The discovery signals a shift in threat landscapes, emphasizing the need for layered defenses, AI governance, and client-side monitoring to protect against such attacks. Organizations are urged to reconsider security strategies, focusing on how AI browsers handle hidden context, as these tools become more mainstream. | Details |
| 2025-11-25 17:28:16 | bleepingcomputer | CYBERCRIME | FBI Alerts to $262 Million Stolen in Bank Impersonation Scams | The FBI reports cybercriminals have stolen over $262 million since January 2025 by impersonating bank support teams in account takeover fraud schemes. More than 5,100 complaints were filed with the FBI's Internet Crime Complaint Center, affecting individuals, businesses, and organizations across various sectors. Criminals use social engineering and fraudulent websites to access online bank, payroll, or health savings accounts, then transfer funds to cryptocurrency wallets. The FBI advises using unique passwords, enabling multi-factor authentication, and visiting banking sites via bookmarks to prevent unauthorized access. Victims should contact their financial institution immediately to request fund recalls and file complaints with detailed information at ic3.gov. Attackers often impersonate bank staff or law enforcement via texts, calls, or emails to obtain login credentials, including multi-factor authentication codes. Phishing websites mimic legitimate financial institutions, with some using SEO poisoning to appear in top search results, further complicating detection and prevention. | Details |
| 2025-11-25 17:15:26 | bleepingcomputer | VULNERABILITIES | Tor Network Enhances Security with New Encryption Algorithm CGO | Tor has introduced the Counter Galois Onion (CGO) algorithm to replace the outdated tor1 encryption, improving resilience against traffic-interception attacks and enhancing user anonymity. The Tor network, crucial for privacy-conscious users, relies on onion routing through multiple relays, with each hop adding a layer of encryption to protect data. The previous tor1 algorithm had vulnerabilities, including malleable relay encryption and partial forward secrecy, which could be exploited by adversaries for traffic modification. CGO addresses these issues with modern cryptographic standards, offering tagging resistance, immediate forward secrecy, and longer authentication tags without significant bandwidth impact. The new system is based on the UIV+ construction, verified for security requirements, and aims to ensure robust encryption and authentication for Tor users. Implementation of CGO in the C Tor and Rust-based Arti clients is underway, with users benefiting automatically once fully deployed, although a timeline for default adoption is not yet specified. This upgrade reflects Tor's commitment to maintaining a secure platform for users, including activists, journalists, and others requiring privacy and anonymity online. | Details |
| 2025-11-25 17:02:31 | theregister | CYBERCRIME | Trend Micro Warns of AI-Driven Ransomware Surge in 2026 | Trend Micro anticipates a significant rise in AI-aided ransomware in 2026, driven by both state-sponsored and cybercriminal groups leveraging agentic AI technologies. Agentic AI, a step beyond generative AI, allows systems to perform actions autonomously, potentially automating cyberattack processes without human intervention. While state-backed groups are early adopters, the technology's success and scalability could soon attract broader cybercriminal use, simplifying complex attacks. The democratization of AI-powered ransomware-as-a-service (RaaS) is expected to lower the skill barrier for launching sophisticated attacks, expanding the threat landscape. The emergence of agentic AI services may create a new underground market, offering these capabilities to less experienced cybercriminals. Security measures must evolve to protect AI agents from compromise, employing least privilege and access management controls akin to those for human users. Attackers could exploit AI agents indirectly by manipulating surrounding infrastructure, highlighting the need for robust defenses against subtle, sophisticated threats. | Details |
| 2025-11-25 16:53:28 | thehackernews | DATA BREACH | Online Code Tools Leak Thousands of Sensitive Credentials Globally | Research by watchTowr Labs identified over 80,000 files containing sensitive credentials leaked via JSONFormatter and CodeBeautify, impacting sectors like government, telecoms, and critical infrastructure. The dataset includes usernames, passwords, API keys, and other sensitive information, with five years of historical JSONFormatter data and one year from CodeBeautify. Organizations affected span critical infrastructure, finance, healthcare, and even cybersecurity, revealing widespread reliance on these online tools for code formatting. The tools' functionality allowed saving formatted code as shareable links, which could be easily accessed by bad actors using predictable URL patterns. Examples of leaked data include AWS credentials, Active Directory credentials, and encrypted configuration files from cybersecurity firms, posing significant security risks. JSONFormatter and CodeBeautify have disabled their save functionality, likely in response to the breaches, aiming to improve security measures. The incident underscores the importance of secure handling of sensitive information and the risks of using public online tools for storing credentials. | Details |
| 2025-11-25 14:45:54 | bleepingcomputer | DATA BREACH | Public Code Tools Expose Sensitive Data from Key Sectors | Researchers identified over 80,000 user pastes exposing credentials and sensitive data from sectors like government, banking, and healthcare via JSONFormatter and CodeBeautify platforms. The data, totaling over 5GB, was accessible through the platforms' Recent Links feature, which lacks proper security measures, allowing public access to sensitive information. Exposed data included encrypted credentials, SSL certificate passwords, and sensitive configuration files from major companies and government entities. A technology company inadvertently leaked a cloud infrastructure configuration file, revealing domain names, email addresses, and credentials for various services. A financial exchange's production AWS credentials were found, posing a significant risk if exploited by threat actors. watchTowr's honeypot experiment confirmed that threat actors are actively scanning these platforms, with fake AWS keys accessed even after link expiration. Despite notifications, many affected organizations have not addressed the vulnerabilities, leaving their data at risk. Organizations are urged to review their data handling practices on public platforms and implement stronger access controls to prevent similar exposures. | Details |