Daily Brief

Find articles below; the summary under each title is machine-generated

Total articles found: 11778

Checks for new stories every ~15 minutes

2025-09-23 14:59:33 theregister MALWARE AI-Enhanced Malware Elevates Threats in Hotel Sector Attacks
Kaspersky reports a resurgence of the "RevengeHotels" group, now using AI-generated code to enhance malware effectiveness, posing increased risks to hotel guests' card and personal data. Between June and August, Kaspersky's Global Research and Analysis Team observed the deployment of AI-enhanced malware, making intrusions more difficult to detect and counter. The group continues to use phishing emails disguised as booking requests or job applications, delivering the VenomRAT trojan to gain remote access to hotel systems. AI-generated code allows the group to create new malware variants that evade traditional security tools, complicating detection and response efforts for hotel IT staff. Brazil has been the primary target of these attacks, but incidents are emerging in other regions, indicating a broader threat landscape. Kaspersky advises hotels to enhance staff training, adjust spam filters, and implement advanced endpoint detection to mitigate these sophisticated threats. Travellers are encouraged to monitor card activity and consider using virtual payment methods to reduce exposure to potential data theft. RevengeHotels has been active for over a decade, with a history of selling access to compromised systems on dark-web markets, facilitating further criminal activities.
2025-09-23 14:21:05 bleepingcomputer CYBERCRIME European Authorities Dismantle €100 Million Cryptocurrency Fraud Ring
European law enforcement arrested five individuals linked to a cryptocurrency fraud ring, which defrauded over €100 million from more than 100 victims across 23 countries. The operation, coordinated by Eurojust and supported by Europol, involved investigative teams from Spain, Portugal, Bulgaria, Italy, Lithuania, and Romania. The fraud scheme, active since at least 2018, promised high returns on cryptocurrency investments via sophisticated online platforms, diverting funds to Lithuanian-controlled accounts. Victims faced additional fees when attempting to recover investments, ultimately losing substantial sums as fraudulent websites went offline. The joint action day resulted in searches across multiple countries, freezing bank accounts and financial assets linked to the suspects. This case is part of a broader trend, with Spanish police previously dismantling similar operations causing significant financial damages. The U.S. Federal Trade Commission reported Americans lost $12.5 billion to fraud in 2024, with investment scams accounting for $5.7 billion of these losses.
2025-09-23 14:13:55 theregister MISCELLANEOUS Open Source Foundations Urge Financial Support for Critical Infrastructure
The Open Source Security Foundation (OpenSSF) and major foundations call for financial backing to sustain open-source infrastructure, crucial for global software development. Registries like Maven Central and npm manage billions of downloads monthly, yet rely on limited donations and sponsorships, posing sustainability challenges. The coalition warns that increasing demands, such as fast dependency resolution and zero downtime, are unsustainable without commercial-scale support. AI-driven dependency scraping and large-scale automated requests exacerbate infrastructure strain, leading to wasteful usage and increased operational costs. Proposed solutions include forming partnerships with commercial users, implementing tiered access models, and enhancing transparency around usage and costs. Previous appeals for government support, such as GitHub's call for open-source funding, highlight ongoing concerns over ecosystem fragility and volunteer burnout. The statement emphasizes the urgent need for financial contributions from major consumers to prevent potential downtime and ensure the infrastructure's longevity.
2025-09-23 14:03:53 bleepingcomputer MISCELLANEOUS Tenfold Launches Free Identity Governance Tool for Small Organizations
Tenfold Software introduces a free Identity Governance & Administration (IGA) tool for organizations with up to 150 users, aiming to simplify access management and enhance security practices. The tool automates IT on- and offboarding through role-based access control, ensuring users receive necessary permissions efficiently and lose them upon departure. A self-service portal reduces IT helpdesk workload by enabling users to reset passwords and request access independently, streamlining internal processes. Tenfold's platform provides comprehensive visibility into Active Directory and SharePoint permissions, aiding administrators in maintaining best-practice group structures. The tool offers centralized monitoring of file sharing in Microsoft 365, helping organizations prevent data leaks and manage external sharing effectively. Regular access reviews are facilitated, mitigating privilege creep by ensuring users only retain necessary access rights, thereby reducing security risks. Tenfold's Community Edition targets small to mid-sized businesses, offering a full feature set to improve identity governance without the complexity of enterprise solutions.
2025-09-23 13:45:35 bleepingcomputer VULNERABILITIES SolarWinds Releases Critical Hotfix for Web Help Desk RCE Vulnerability
SolarWinds has issued a hotfix for a critical remote code execution vulnerability in Web Help Desk, tracked as CVE-2025-26399, affecting version 12.8.7 and earlier. The vulnerability arises from unsafe deserialization in the AjaxProxy component, allowing unauthenticated attackers to execute commands on the host machine. This is the third patch attempt, following previous flaws CVE-2024-28986 and CVE-2024-28988, which were also exploited in attacks and listed in CISA's Known Exploited Vulnerabilities catalog. The vulnerability was reported to SolarWinds by the Trend Micro Zero Day Initiative, although no active exploitation by threat actors has been publicly reported. Organizations using Web Help Desk are advised to install the hotfix via the SolarWinds Customer Portal to mitigate potential security risks. The ongoing patching efforts reflect the complexity of securing software against evolving threats and the importance of timely updates.
2025-09-23 13:26:58 theregister VULNERABILITIES GitHub Enhances npm Security with 2FA and Trusted Publishing
GitHub is enhancing npm registry security following a surge in phishing attacks and malware infections affecting JavaScript package maintainers. Over 500 compromised npm packages have been removed, with additional uploads blocked through enhanced security scanning measures. Upcoming changes include the removal of legacy authentication methods and the introduction of 2FA-enforced local publishing as a default security measure. Trusted publishing, leveraging OpenID Connect, will verify package sources and issue short-lived tokens to mitigate risks associated with long-lived tokens. The transition to trusted publishing will be gradual to minimize disruption, though attackers' activities necessitate swift implementation. Current trusted publishing support is limited to GitHub Actions and GitLab CI/CD pipelines, with plans to expand to more providers. Concerns remain among developers about potential risks with OpenID Connect, prompting calls for additional security measures and review processes.
2025-09-23 13:19:49 bleepingcomputer VULNERABILITIES SonicWall Releases Firmware Update to Counter Rootkit Threats
SonicWall has issued a firmware update for its SMA 100 series devices to remove rootkit malware, following threats identified by the Google Threat Intelligence Group. The update, version 10.2.2.2-92sv, includes additional file checking to eliminate known rootkit malware and is crucial for devices nearing end-of-support status. The OVERSTEP rootkit, deployed by threat actor UNC6148, allows attackers to maintain access by hiding malicious components and creating reverse shells on compromised devices. This malware compromises sensitive files, including credentials and OTP seeds, raising significant security concerns for affected organizations. SonicWall advises administrators to upgrade immediately and follow security measures from a prior advisory to mitigate risks associated with outdated firmware. Previous incidents linked to Abyss ransomware suggest a pattern of exploiting SonicWall devices, emphasizing the need for timely updates and security vigilance. SonicWall has also addressed other security issues, including a critical vulnerability (CVE-2024-40766) exploited by the Akira ransomware group, reinforcing the importance of patch management.
2025-09-23 12:55:01 theregister DATA BREACH Oracle to Securely Host TikTok's US User Data Amid New Deal
The White House announced a deal for Oracle to store all US TikTok user data on American servers, enhancing data security and privacy measures. Oracle will serve as TikTok's trusted security provider, ensuring protection against foreign surveillance and interference, particularly from Chinese entities. TikTok's algorithm will be managed in the US, with majority ownership by American investors and oversight by a board with national security expertise. The agreement extends Oracle's existing relationship with TikTok, transitioning US user data storage entirely to Oracle Cloud Infrastructure. The partnership aims to generate significant economic activity, with projections of $178 billion within the US over the next four years. The deal maintains TikTok's global interoperability, allowing seamless content sharing between US users and international audiences. The US government asserts that this arrangement will bolster national security while maintaining TikTok's operational integrity and user engagement.
2025-09-23 12:55:01 thehackernews VULNERABILITIES SolarWinds Issues Critical Patch for Web Help Desk Flaw
SolarWinds has released a hotfix for CVE-2025-26399, a critical remote code execution vulnerability in its Web Help Desk software, rated at a CVSS score of 9.8. The flaw involves deserialization of untrusted data, potentially allowing attackers to execute arbitrary commands on affected systems without authentication. This vulnerability affects versions up to SolarWinds Web Help Desk 12.8.7 and is a patch bypass for previous vulnerabilities CVE-2024-28988 and CVE-2024-28986. An anonymous researcher, in collaboration with Trend Micro's Zero Day Initiative, identified and reported the vulnerability. Users are strongly advised to update to SolarWinds Web Help Desk 12.8.7 HF1 to mitigate potential exploitation risks. While no active exploitation of CVE-2025-26399 has been reported, the original flaw CVE-2024-28986 was previously added to CISA's Known Exploited Vulnerabilities catalog. The recurring nature of these vulnerabilities calls for heightened vigilance and prompt patch management practices to safeguard systems.
2025-09-23 12:12:16 theregister CYBERCRIME Cyberattack Halts Jaguar Land Rover Production, Financial Losses Mount
Jaguar Land Rover (JLR) extended its production shutdown due to a cyberattack, impacting operations at Solihull and Halewood, with potential losses reaching £2.2 billion ($2.9 billion) in revenue. The attack has disrupted JLR's ability to order parts, affecting not only production but also the livelihoods of thousands of employees and small businesses in the supply chain. The cyberattack is believed to be orchestrated by the group Scattered Lapsus$ Hunters, though formal attribution has not been confirmed. JLR is collaborating with cybersecurity specialists, the National Cyber Security Centre (NCSC), and law enforcement to investigate and secure systems before resuming operations. Reports suggest JLR may lack adequate cyber insurance, potentially increasing financial strain as the company navigates recovery efforts. The UK government is considering emergency support measures for JLR and its supply chain to mitigate economic and employment impacts. The incident underscores the critical importance of robust cybersecurity measures and comprehensive insurance coverage to protect against operational disruptions.
2025-09-23 12:12:16 bleepingcomputer VULNERABILITIES GitHub Enhances Security with Mandatory 2FA and Access Tokens
GitHub is implementing new security measures, including mandatory two-factor authentication (2FA) and access tokens, to combat recent supply-chain attacks affecting npm repositories. Recent attacks such as "s1ngularity," "GhostAction," and "Shai-Hulud" compromised thousands of accounts and repositories, leading to data theft and high remediation costs. The platform's new strategy includes trusted publishing to eliminate the need for managing API tokens in build systems, enhancing security for npm maintainers. Developers are encouraged to adopt these security measures, with GitHub providing documentation and migration guides to ensure a smooth transition and minimize workflow disruptions. Ruby Central is also tightening governance over RubyGems, limiting admin access to staff until new policies are in place, following similar supply-chain security challenges. These changes reflect a broader push for community involvement in strengthening ecosystem security and mitigating risks associated with software supply chains.
2025-09-23 11:31:49 thehackernews DDOS ShadowV2 Botnet Utilizes AWS Docker Flaws for DDoS-for-Hire Attacks
Cybersecurity firm Darktrace has identified the ShadowV2 botnet, which exploits misconfigured AWS Docker containers to facilitate distributed denial-of-service (DDoS) attacks. The botnet employs Go-based malware to convert infected systems into attack nodes, integrating them into a larger DDoS network. The attack infrastructure relies on a Python-based command-and-control framework hosted on GitHub Codespaces, showcasing advanced capabilities such as HTTP/2 Rapid Reset and Cloudflare bypass techniques. ShadowV2's approach involves deploying a generic setup container from an Ubuntu image, potentially avoiding forensic detection by operating directly on victim machines. The botnet's C2 server, shielded by Cloudflare, features a comprehensive API and user interface, indicating its development as a DDoS-for-hire service. Cloudflare reported autonomously blocking hyper-volumetric DDoS attacks peaking at 22.2 Tbps, underscoring the scale and sophistication of current DDoS threats. The emergence of such services highlights the growing trend of cybercrime-as-a-service, presenting significant challenges for cybersecurity defenses.
2025-09-23 11:31:49 thehackernews VULNERABILITIES Lean Security Teams Face Challenges with Hardcoded Secrets Management
Workforce reductions in major companies have left security teams with fewer resources, increasing the risk and cost of security incidents. IBM reports that 86% of breaches involve compromised credentials, with an average containment time of 292 days, highlighting the need for faster response. Hardcoded secrets present significant vulnerabilities, with potential breach costs exceeding $11 million for U.S. organizations, according to HashiCorp. Manual management of secrets is costly, wasting nearly $1.4 million annually on developer and security analyst time. The s1ngularity attack illustrated the dangers of unmanaged secrets, leading to widespread credential exposure and potential supply chain compromises. Advanced platforms now focus on contextual information to reduce false positives and streamline remediation efforts, crucial for lean security teams. Effective remediation frameworks emphasize proactive detection, clear ownership, and integration with existing developer workflows to mitigate risks efficiently.
2025-09-23 10:54:59 theregister NATION STATE ACTIVITY Iran-Linked Group Targets European Aerospace with Advanced Malware
Check Point Research reports Iranian-backed Nimbus Manticore is targeting European defense, manufacturing, and telecommunications sectors with sophisticated phishing and malware tactics. The campaign involves fake job portals mimicking companies like Boeing and Airbus, leading victims to download malware disguised as legitimate hiring software. Victims are tricked into entering credentials on spoofed login pages, triggering a multi-stage sideloading attack to deploy MiniJunk backdoor and MiniBrowse stealer. The malware uses advanced techniques, including DLL hijacking and obfuscation, to evade detection and maintain persistent access to compromised systems. The operation shows a strategic focus on Western Europe, particularly Denmark, Portugal, and Sweden, indicating a shift in targeting priorities. The campaign's tactics bear similarities to North Korea's Lazarus Group, suggesting possible tradecraft sharing between the two nations. This development underscores the evolving threat landscape, where state-sponsored actors leverage complex methods to infiltrate critical sectors.
2025-09-23 10:47:28 bleepingcomputer MALWARE NPM Package 'Fezbox' Uses QR Codes for Cookie-Stealing Malware
The npm package 'fezbox' was discovered using QR codes to deploy cookie-stealing malware, targeting sensitive user data like credentials. This package masqueraded as a utility library on npmjs.com, the largest open-source registry for JavaScript and Node.js developers. The package was downloaded at least 327 times before being removed by registry administrators, indicating potential exposure. Malicious code within 'fezbox' retrieves a JPG image containing a QR code, which executes a second-stage payload. The threat actor used reversed URL strings to evade detection by static analysis tools, enhancing the malware's stealth capabilities. The payload extracts cookies and credentials, sending them to a remote server via an HTTPS POST request if both username and password are present. This attack showcases a novel use of QR codes in malware delivery, bypassing traditional security measures by mimicking ordinary image traffic. The incident emphasizes the need for enhanced scrutiny and monitoring of open-source packages to prevent similar threats.