Author: Staff Writer


John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Essential Insights Betterment disclosed a social engineering attack that exposed personal data of approximately 1.4 million customers and was followed by fraudulent crypto-scam messages to those customers. Attackers tricked an employee into handing over credentials and used them to reach systems that support customer communications; customer login credentials and financial accounts were not compromised. Exposed information includes personal identifiers such as names, addresses, contact details, dates of birth and device information, which creates a risk of targeted scams, while financial data remained secure. Betterment revoked the unauthorized access, warned users and confirmed the incident's scope; disclosed in February 2026, it ranks as a large-scale personal data exposure. Key…

Read More

Top Highlights ShadowSyndicate, a threat group first identified in 2022, has improved its infrastructure management by rotating SSH host keys as it moves between servers, which complicates tracking. The group initially used a single SSH fingerprint across numerous servers, but recent operational-security mistakes, which exposed additional fingerprints, reveal a shift toward more sophisticated, less traceable tactics. ShadowSyndicate controls at least 20 command-and-control servers linked to various attack tools (e.g., Cobalt Strike, Metasploit) and has links to prominent ransomware groups such as BlackCat, Ryuk and Cl0p. The group's infrastructure shows consistent patterns in its choice of hosting providers and autonomous system…

Read More
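As an added example, not code from the page or from the ShadowSyndicate research: clustering ssh-keyscan output by host-key fingerprint is the pivot the summary describes, and the key rotation it mentions is exactly what breaks such a cluster. The key blobs are deterministic, ed25519-shaped placeholders and the addresses come from RFC 5737 documentation ranges; none of it is real infrastructure.

```python
"""Cluster scanned hosts by SSH host-key fingerprint.

Added example, not code from the page or from the ShadowSyndicate research.
The key blobs and addresses below are constructed for the demo.
"""
import base64
import hashlib
from collections import defaultdict


def fake_key_blob(seed: int) -> str:
    """Return a deterministic, ed25519-shaped public-key blob (constructed, not a real key)."""
    body = hashlib.sha256(f"constructed-key-{seed}".encode()).digest()  # 32 bytes
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + body
    return base64.b64encode(blob).decode()


def ssh_fingerprint(pubkey_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(raw blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(pubkey_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cluster_by_fingerprint(scan_lines):
    """Group hosts from ssh-keyscan-style lines ('<host> <keytype> <blob>') by fingerprint."""
    clusters = defaultdict(set)
    for line in scan_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _keytype, blob = line.split(maxsplit=2)
        clusters[ssh_fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in clusters.items()}


def shared_key_clusters(scan_lines, min_hosts=2):
    """Keep only fingerprints seen on at least min_hosts hosts: the reuse that makes a pivot."""
    return {fp: hosts for fp, hosts in cluster_by_fingerprint(scan_lines).items()
            if len(hosts) >= min_hosts}


# Constructed scan data: three hosts share one key (trackable), two rotated to unique keys.
SHARED_KEY = fake_key_blob(1)
SCAN_LINES = [
    "203.0.113.10 ssh-ed25519 " + SHARED_KEY,
    "203.0.113.11 ssh-ed25519 " + SHARED_KEY,
    "198.51.100.7 ssh-ed25519 " + SHARED_KEY,
    "192.0.2.44 ssh-ed25519 " + fake_key_blob(2),
    "192.0.2.45 ssh-ed25519 " + fake_key_blob(3),
]

if __name__ == "__main__":
    for fp, hosts in shared_key_clusters(SCAN_LINES).items():
        print(fp, "->", ", ".join(hosts))
```

Feed it real `ssh-keyscan -t ed25519,rsa <hosts>` output to get the same grouping over live data; once an operator rotates keys per server, every host lands in its own cluster and the fingerprint stops being a usable link, which is the change the summary describes.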

Quick Takeaways The Buhlmann Group was targeted by the notorious ransomware group Akira, which claims to have stolen 55 GB of sensitive data. The attack hit a US subsidiary; no access or data compromise was reported at the German headquarters. The company confirmed that its IT systems in Germany and the EU are unaffected. Buhlmann employs 2,000 staff across 23 countries and reported revenue of 428 million euros in 2024. The Issue The Buhlmann Group, a prominent steel trader based in Bremen, was targeted by the notorious ransomware group Akira. According to a…

Read More

Essential Insights Attackers used an expired and revoked Windows kernel driver (an EnCase driver) in a BYOVD attack to disable endpoint security tools. The case highlights a gap in Driver Signature Enforcement: a driver whose signing certificate has since expired or been revoked still loads if its signature carries a valid countersignature timestamp, because the kernel performs no online revocation check at load time. That gave the attacker kernel-level privileges to terminate processes and disrupt security tooling. The malicious "EDR killer" driver repeatedly targeted major security processes (Huntress excepted) by building a process kill list and re-establishing persistence as a kernel service, illustrating the severity of kernel-mode manipulation. Recommendations include enabling Microsoft's Vulnerable Driver Blocklist,…

Read More

Quick Takeaways ERP systems like SAP are now recognized as critical assets, with vulnerabilities causing severe operational, financial, and reputational damage, exemplified by the 2025 Jaguar Land Rover cyberattack. The threat landscape is escalating, with cybercriminals rapidly exploiting ERP vulnerabilities—often within hours of patch releases—highlighting the urgent need for proactive security measures. Regulatory frameworks such as SOX, GDPR, NIS2, and DORA impose strict liability on boards and executives to ensure ERP security, emphasizing the importance of clear ownership and accountability. Boards must demand comprehensive ERP risk visibility, invest in resilience testing, and foster a shared responsibility model to prevent devastating…

Read More

Fast Facts Critical Vulnerability: A severe flaw in n8n (CVE-2026-25049, CVSS 9.4) allows unauthorized execution of system commands via manipulated workflow expressions. Previous Issues Unresolved: The vulnerability is an incomplete fix for the related, previously patched CVE-2025-68613. Exploitation Risks: An attacker with minimal permissions can exploit the issue to take control of the server, steal stored credentials or reach internal systems, especially where workflows are exposed through public webhooks. Recommended Mitigations: Restrict workflow-editing permissions to trusted users and deploy n8n in a hardened configuration to curb potential…

Read More

Top Highlights DragonForce is a sophisticated, multi-platform ransomware-as-a-service operation targeting sectors like manufacturing and technology, primarily in the US, UK, Germany, Australia, and Italy. It employs dual-extortion tactics by encrypting data and secretly stealing sensitive information for leverage unless ransom is paid. The malware demonstrates advanced capabilities such as multi-threaded encryption, network reconnaissance, and deletion of backup snapshots, increasing difficulty of recovery. Experts recommend strong cybersecurity practices including multifactor authentication, regular backups, and advanced endpoint protection to defend against this evolving threat. The Core Issue In late 2023, a new and highly advanced ransomware operation called DragonForce emerged, posing a…

Read More

Essential Insights Threat actors are stealthily compromising NGINX servers, particularly those managed through Baota (BT) panels, by injecting malicious directives into configuration files that redirect web traffic to attacker-controlled domains without immediate detection. The attack abuses the standard NGINX proxy_pass directive: attackers deploy automated shell scripts to scan for hosts, inject payloads into server configs and exfiltrate data, effectively hijacking legitimate traffic. The campaigns mainly target Asian TLDs (.in, .id, .th, .bd) and sensitive sites (.gov, .edu), redirecting users to gambling or scam domains while preserving legitimate headers to evade detection. Security advisories recommend examining NGINX configs…

Read More
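As an added example, not code from the advisory or from the page: a line-oriented check of an NGINX config for proxy_pass targets outside an operator allowlist, reporting the location block each suspicious directive lives in. The config text, the allowlist and the redirect domain are constructed for the demo; the domain is a placeholder, not one observed in the campaign.

```python
"""Flag proxy_pass directives that send traffic to hosts outside an allowlist.

Added example, not from the advisory or the page. The config and allowlist
below are constructed; 'bad-redirect.example' is a placeholder domain.
"""
import re
from urllib.parse import urlparse

# Operator-maintained allowlist of hosts that may legitimately appear as
# proxy_pass targets. Assumption for this example; adapt to your fleet.
KNOWN_UPSTREAMS = {"127.0.0.1", "localhost", "app_backend", "unix:/run/app.sock"}

LOCATION_RE = re.compile(r"^\s*location\s+(?:[=~*^]+\s+)?(\S+)\s*\{")
PROXY_PASS_RE = re.compile(r"^\s*proxy_pass\s+([^;]+);")


def target_host(target: str) -> str:
    """Extract the host part of a proxy_pass target.

    Handles 'http://host:port/path', bare 'host:port', and 'unix:/path'
    sockets (returned whole so they can be allowlisted as-is).
    """
    if target.startswith("unix:"):
        return target
    if "://" in target:
        return urlparse(target).hostname or target
    return target.split("/", 1)[0].split(":", 1)[0]


def scan_nginx_config(text: str, known_upstreams=KNOWN_UPSTREAMS):
    """Return one finding per proxy_pass whose host is not in known_upstreams."""
    findings = []
    location_stack = []  # (brace depth at which the block opened, location path)
    depth = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # strip trailing comment
        m = LOCATION_RE.match(line)
        if m:
            location_stack.append((depth + 1, m.group(1)))
        m = PROXY_PASS_RE.match(line)
        if m:
            target = m.group(1).strip()
            host = target_host(target)
            if host not in known_upstreams:
                findings.append({
                    "line": lineno,
                    "location": location_stack[-1][1] if location_stack else None,
                    "host": host,
                    "target": target,
                })
        depth += line.count("{") - line.count("}")
        while location_stack and depth < location_stack[-1][0]:
            location_stack.pop()
    return findings


# Constructed config: one legitimate upstream, one injected redirect block.
SAMPLE_CONFIG = """\
server {
    listen 80;
    server_name site.example;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }

    # injected: forwards visitors to an attacker-controlled domain
    location /promo {
        proxy_pass http://bad-redirect.example;
        proxy_set_header Host $host;
    }
}
"""

if __name__ == "__main__":
    for f in scan_nginx_config(SAMPLE_CONFIG):
        print(f"line {f['line']} location {f['location']}: proxy_pass -> {f['host']}")
```

Run it over the main nginx.conf and every file it includes, since panel-managed sites usually live in separate vhost files; a proxy_pass target written as a variable (for example `http://$upstream`) shows up with the variable as its host and is flagged unless allowlisted, which is the right default for a hunt. An empty result only means no unexpected target, so pair it with a diff against a known-good copy of the config tree.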

Top Highlights Italy has thwarted cyberattacks on its foreign ministry offices, including one in Washington, and on Winter Olympics sites and hotels in Cortina d'Ampezzo. Foreign Minister Antonio Tajani said the attempted attacks were "of Russian origin." Security has been stepped up, with 6,000 security officers deployed across the Winter Olympics venues. The Winter Olympics began Wednesday with the first curling matches in Cortina, days before the opening ceremony.

Read More

Summary Points The U.S. CISA confirmed that ransomware groups are actively exploiting CVE-2025-22225, a high-severity VMware ESXi sandbox-escape vulnerability patched in March 2025, to take control of hypervisors and deploy ransomware. CVE-2025-22225, rated CVSS 8.2, lets an attacker with privileges inside a VM's VMX process perform an arbitrary kernel write, and is often chained with other zero-days to fully escape the VM and reach enterprise hypervisors that hold sensitive data. Over 41,500 vulnerable ESXi instances remain exposed, with recent activity including ransomware campaigns and the use of stealthy backdoors such as VSOCKpuppet for persistent control. Immediate patching, following CISA and vendor guidance, alongside enhanced security measures such as EDR monitoring and privilege restrictions, is critical…

Read More