Daily Brief

The article summaries below are generated automatically.

2025-10-01 13:28:40 thehackernews VULNERABILITIES Critical OneLogin Flaw Could Expose Sensitive Application Secrets
A high-severity flaw in OneLogin's IAM solution, CVE-2025-59363, could expose sensitive OIDC client secrets, posing significant security risks. The vulnerability, rated 7.7 on the CVSS scale, results from incorrect resource transfer, allowing unauthorized access to confidential data. Attackers with valid API credentials could exploit the flaw to retrieve client secrets for all OIDC applications within a OneLogin tenant. Exploitation could enable threat actors to impersonate users and access other applications, facilitating potential lateral movement. OneLogin's RBAC model grants broad endpoint access, and lack of IP allowlisting increases the risk of remote exploitation. The issue was responsibly disclosed on July 18, 2025, and patched in version 2025.3.0, which hides OIDC client_secret values. No evidence suggests the vulnerability was exploited in the wild, but it underscores the need for robust API security measures.
2025-10-01 12:46:13 thehackernews MISCELLANEOUS Balancing AI and Human Workflows in Cybersecurity Automation
A new webinar by Tines explores the integration of AI with human workflows, addressing the challenges of automation in cybersecurity operations. AI is transforming automation, but reliance solely on AI or human-led processes can result in fragile systems unable to adapt to change. The webinar emphasizes the importance of blending human judgment, traditional automation, and AI to create robust, reliable workflows. Cybersecurity leaders face the challenge of developing workflows that are fast, secure, and explainable to maintain operational integrity. Participants will gain insights into practical strategies for deploying automation that strengthens defenses without introducing new risks. The session targets security and operations teams seeking to avoid over-engineered systems that fail under real-world pressures. Attendees will learn to identify the right mix of human, rules-based, and AI automation, ensuring secure and scalable implementations.
2025-10-01 12:37:20 thehackernews VULNERABILITIES Critical Flaw in Red Hat OpenShift AI Risks Full Infrastructure Takeover
A severe vulnerability in Red Hat OpenShift AI, CVE-2025-10725, could enable attackers to escalate privileges and control the entire infrastructure, impacting hybrid cloud environments. The flaw, with a CVSS score of 9.9, affects the platform's ability to manage AI model lifecycles, posing significant risks to data integrity and service availability. Exploitation requires an authenticated account, allowing a low-privileged user to gain full cluster administrator rights, potentially compromising all hosted applications. Red Hat advises restricting permissions, particularly avoiding broad system-level access, to mitigate risks and adhere to the principle of least privilege. Organizations using affected versions should implement recommended mitigations promptly to prevent potential breaches and protect sensitive data. The vulnerability underscores the critical need for robust access control measures in AI and cloud infrastructure environments.
2025-10-01 12:31:39 theregister DATA BREACH Allianz, WestJet, and Motility Disclose Major Data Breaches Impacting Millions
Allianz Life, WestJet, and Motility Software Solutions announced data breaches affecting a combined total of approximately 3.7 million customers and employees in North America. Allianz Life reported that 1.4 million customer records, including sensitive personal information, were accessed due to a breach at a third-party CRM provider. WestJet confirmed a cyberattack attributed to Scattered Spider, exposing data of 1.2 million Americans, but assured that payment details and operational integrity remained secure. Motility Software Solutions experienced a ransomware attack, potentially compromising records of over 766,000 individuals, though no misuse of data has been detected so far. All three companies are offering identity protection and credit monitoring services to affected individuals, with coverage durations varying from one to two years. These incidents highlight the ongoing vulnerability of third-party relationships and the importance of robust cybersecurity measures and incident response plans. Companies are urged to continually assess and strengthen their cybersecurity frameworks to protect against evolving threats and safeguard customer data.
2025-10-01 11:30:39 theregister MISCELLANEOUS Enterprises Hesitant on Fully Autonomous AI Amid Trust Concerns
Gartner's survey reveals only 15% of organizations are considering or deploying fully autonomous AI agents, reflecting a cautious approach due to trust and security concerns. A significant 74% of respondents identified AI agents as a potential new attack vector, indicating security risks are a major barrier to adoption. Despite AI's potential, only 19% of leaders express high confidence in vendors' ability to prevent AI hallucinations, highlighting governance and maturity issues. Companies like Klarna and Duolingo have reverted to human roles after AI deployments led to reduced service quality, signaling challenges in AI implementation. Gartner predicts over 40% of agentic AI projects may be canceled by 2027, citing rising costs and unclear business value as primary factors. Industry examples, such as Salesforce and BT, show mixed results, with some organizations cutting jobs but facing difficulties in achieving expected AI efficiencies. The survey indicates that most leaders do not anticipate AI agents replacing applications or workers in the next two to four years, suggesting a slow adoption curve.
2025-10-01 11:07:25 thehackernews VULNERABILITIES Attackers Exploit Milesight Routers for European Smishing Campaigns
Threat actors have been exploiting Milesight industrial cellular routers to send phishing SMS messages, targeting European users since February 2022, primarily affecting Sweden, Italy, and Belgium. The attackers leverage a now-patched information disclosure vulnerability, CVE-2023-43261, with a CVSS score of 7.5, allowing them to send malicious SMS messages via exposed APIs. Approximately 572 routers are potentially vulnerable, with half located in Europe, exposing SMS-related features without requiring authentication, facilitating the smishing operations. Phishing URLs impersonate government and financial entities, using JavaScript to target mobile devices and prompt users to update banking information under false pretenses. The campaign's infrastructure includes domains disabling right-click actions and browser debugging to hinder analysis, with some pages logging visitor connections to a Telegram bot. SEKOIA's findings suggest a targeted approach, focusing solely on smishing without attempts to install backdoors or exploit other vulnerabilities on the devices. The decentralized nature of these attacks complicates detection and takedown efforts, highlighting the need for robust security measures and regular patch management.
2025-10-01 11:07:25 thehackernews DATA BREACH Bitdefender Report Reveals Growing Pressure to Conceal Data Breaches
Bitdefender's 2025 Cybersecurity Assessment Report highlights a significant increase in pressure on security professionals to conceal data breaches, with 58% reporting such directives. The report indicates a 38% rise since 2023 in organizations prioritizing optics over transparency, potentially compromising stakeholder trust and compliance obligations. Analysis of 700,000 incidents shows 84% of high-severity attacks utilize Living Off the Land techniques, leveraging legitimate tools to bypass traditional defenses. In response, 68% of organizations prioritize reducing their attack surface, focusing on disabling unnecessary services and minimizing lateral movement paths. A disconnect between executives and frontline teams is evident, with differing priorities on AI adoption and cloud security, risking resource dilution and strategic misalignment. The report emphasizes the need for balanced AI threat preparation, acknowledging that fears may exceed the current prevalence of AI-enhanced attacks. The findings stress the importance of preemptive strategies for cyber resilience, urging organizations to align leadership and operational focus areas.
2025-10-01 10:13:38 theregister DATA BREACH Imgur Blocks UK Access Amid ICO Investigation on Children's Data
Imgur has restricted UK users' access following an ICO investigation into its handling of children's data, potentially resulting in fines for its parent company, MediaLab. The ICO's investigation, initiated in March, targets major platforms like TikTok and Reddit to ensure compliance with age verification and children's data protection. Despite Imgur's UK exit, the ICO warns that MediaLab remains accountable for any data protection breaches prior to the withdrawal. The investigation aligns with the ICO's Children's code strategy, emphasizing safeguarding children's personal information and holding companies accountable. Imgur's move mirrors actions by other platforms like Fruitlab, which also exited the UK due to similar compliance challenges. UK users now face restricted access to Imgur, with the platform offering data request and deletion options under UK GDPR regulations. The ICO continues to prioritize online safety for children, urging platforms to enhance privacy settings and disable targeted ads for minors.
2025-10-01 09:27:15 thehackernews MALWARE New Android Trojan "Klopatra" Targets Banking Apps with Advanced Tactics
A new Android banking trojan named Klopatra has compromised over 3,000 devices, predominantly affecting users in Spain and Italy, according to Italian fraud prevention firm Cleafy. Klopatra employs Hidden Virtual Network Computing (VNC) for remote device control and uses dynamic overlays to steal credentials, facilitating unauthorized financial transactions. The malware integrates Virbox, a commercial-grade code protection suite, making it difficult to detect and analyze, and employs native libraries for enhanced stealth. Operated by a Turkish-speaking group, Klopatra is distributed through social engineering lures, like IPTV apps, which trick users into installing malicious dropper apps. The trojan abuses Android's accessibility services to perform actions autonomously, such as reading screen content and recording keystrokes, to execute fraudulent transactions. Klopatra's operators exploit nighttime hours, using stolen device credentials to access banking apps and transfer funds while users are likely asleep and devices are charging. The malware's sophisticated architecture and strategic use of commercial-grade protections signify a growing trend in the professionalization of mobile malware operations.
2025-10-01 09:21:50 theregister MISCELLANEOUS UK PM Faces Pressure Over Digital ID Plans Amid AI Focus
UK Prime Minister Keir Starmer avoided discussing the mandatory digital ID scheme during his Labour Party conference speech, despite calls to clarify the policy's details and objectives. The digital ID initiative aims to combat illegal working through mandatory right-to-work checks, but its absence in the speech has led to criticism and concerns about its viability. Campaigners and former advisers warn that without clear communication, opposition to the digital ID scheme is gaining momentum, risking the plan's failure within six months. A petition against the digital ID has garnered over 2.6 million signatures, reflecting significant public opposition and potential challenges for the government. Starmer shifted focus to the benefits of artificial intelligence in healthcare, highlighting AI's role in transforming patient care and improving access to medical services. He emphasized the potential of AI-driven remote consultations to enhance healthcare delivery, particularly for underserved populations such as rural residents and busy parents. The speech also portrayed the UK as a key destination for tech investment, citing interest from global tech companies in contributing to the UK's AI future.
2025-10-01 08:55:59 theregister CYBERCRIME Cyberattacks Disrupt UK Schools, Affecting Student Coursework and Operations
Recent data from Ofqual reveals a rise in cyberattacks on UK schools, with 10% experiencing critical damage, impacting student coursework and operational continuity. Despite increased cybersecurity training for teachers, recovery times have worsened, with only 55% of schools recovering immediately after an incident, down from 63% the previous year. A ransomware attack forced one British high school to temporarily close, highlighting the severe operational impact such attacks can have on educational institutions. Ofqual emphasizes the importance of malware protection and regular data backups to mitigate these threats and ensure faster recovery times. The Information Commissioner's Office reports that over half of school cyberattacks are initiated by students, often using stolen login credentials. Staff practices, such as sending work data to personal devices, contribute to vulnerabilities, indicating a need for enhanced cybersecurity awareness training. As schools increasingly rely on digital platforms, robust cybersecurity measures are crucial to safeguarding educational continuity and students' academic futures.
2025-10-01 07:17:45 thehackernews CYBERCRIME CABINETRAT Backdoor Targets Ukraine via Signal-Distributed XLL Files
CERT-UA has identified a cyber attack using the CABINETRAT backdoor, targeting Ukrainian entities through Signal-distributed XLL files. The attack, linked to threat cluster UAC-0245, was detected in September 2025 and leverages Excel add-ins for malicious purposes. Attackers used ZIP archives sent over Signal, disguised as documents about border detentions, to distribute the XLL files. Once executed, the XLL files create executables and modify the Windows Registry for persistence, running Excel in hidden mode. The CABINETRAT backdoor, written in C, gathers system data, captures screenshots, and allows file manipulation and command execution. Anti-detection measures include checks for virtual environments and system specifications, enhancing its evasion capabilities. The attack follows recent warnings from Fortinet about phishing campaigns impersonating Ukrainian authorities to deploy malware.
2025-10-01 03:06:13 theregister NATION STATE ACTIVITY Phantom Taurus Group Uses .NET Malware to Target Government Servers
Palo Alto Networks' Unit 42 identified Phantom Taurus, a China-backed group, using custom malware to target government servers across Asia, Africa, and the Middle East. Phantom Taurus, active since 2022, focuses on diplomatic communications and defense intelligence, aligning with China's strategic interests. The group employs the NET-STAR malware suite, a .NET-based tool targeting Internet Information Services (IIS) web servers, demonstrating advanced evasion techniques. Initially leveraging infrastructure from other China-linked groups, Phantom Taurus now uses its own, indicating increased operational independence. The malware suite includes three backdoors, designed to evade detection, with minimal antivirus flagging, complicating threat detection efforts. Indicators of compromise, such as SHA256 hashes, have been shared to aid in identifying and mitigating threats posed by Phantom Taurus. China's government denies involvement, attributing such accusations to geopolitical tensions and disinformation campaigns.
2025-09-30 22:25:07 theregister NATION STATE ACTIVITY North Korean IT Workers Infiltrate Diverse Sectors Beyond Big Tech
Okta Threat Intelligence reports North Korean IT workers are increasingly targeting non-tech sectors, with 48% of scams affecting finance, healthcare, and public administration. Over 5,000 companies globally have been targeted since 2021, with 130 identities linked to more than 6,500 job interviews. The scam involves obtaining remote jobs, primarily in software development, to funnel money back to North Korea. Recent trends show a marked increase in interviews within AI-related organizations, posing risks to sensitive intellectual property and proprietary algorithms. Healthcare and medical-tech sectors are also being targeted, with potential access to sensitive personal and clinical data. The scheme's primary goal is financial gain, but it also leads to data theft, extortion, and ransomware activities. The threat is expanding globally, with 27% of targeted companies located outside the United States, including Europe. Organizations must enhance verification processes to mitigate risks from state-sponsored employment scams.
2025-09-30 21:39:10 theregister VULNERABILITIES Georgia Tech Uncovers Security Flaws in Tile Bluetooth Trackers
Researchers from Georgia Tech identified several security flaws in Tile Bluetooth trackers, challenging Life360's privacy assurances and revealing potential risks for users concerned about stalking. The study found that Tile trackers transmit identifying data in plaintext, with static MAC addresses and semi-randomized IDs, facilitating unauthorized tracking of individuals. Tile's anti-stalking features are reportedly ineffective, as they require manual scans and do not operate at the OS level, creating detection gaps for users. Life360's partnership with Amazon's Sidewalk network has raised additional concerns about privacy risks, as it may enhance tracking capabilities. Despite researchers offering mitigation strategies, such as MAC address randomization and end-to-end encryption, communication with Life360 ceased without confirmed implementation. Life360 claims to have made unspecified improvements, including transitioning to rotating MAC addresses, but has not provided detailed responses to the vulnerabilities reported. The research suggests users should consider alternative Bluetooth trackers if privacy is a primary concern, given the unresolved security issues with Tile products.