Hello, stay ahead with CISO Brief 🚀

Root Cause Analysis Lags, Undermining Incident Resilience

🔍 Post-incident learning often falls behind containment, with Foundry’s Security Priorities study reporting 57% of security leaders struggled to identify root causes last year. Experts warn that prioritizing firefighting over forensic investigation leaves organizations exposed to repeat breaches and that disciplined evidence preservation is essential. Centralized telemetry such as SIEM, and forensic-capable services like MDR and XDR, plus structured postmortems, are key to building long-term resilience.

Salesforce Flags Unauthorized Access via Gainsight OAuth

🔒 Salesforce reported detected 'unusual activity' involving Gainsight-published applications that used OAuth connections to its platform and said the activity may have enabled unauthorized access to some customers' Salesforce data. The company revoked all active access and refresh tokens for affected apps and temporarily removed those listings from the AppExchange while it investigates. Gainsight also pulled its app from the HubSpot Marketplace as a precaution. Security analysts have linked the activity to the ShinyHunters (UNC6240) group and are urging customers to review and revoke suspicious third-party integrations.

Sneaky2FA Adds Browser-in-the-Browser to Phishing Kits

🛡️ Researchers report that the Sneaky2FA phishing-as-a-service kit now includes browser-in-the-browser (BITB) functionality that lets attackers embed a fake browser window with a customizable URL bar to mimic legitimate sites such as Microsoft. The iframe-backed pop-up captures credentials and MFA codes in real time, enabling attackers to hijack active sessions. This change lowers the skill threshold for criminals and undermines many signature-based defenses, prompting calls for updated training and stronger browser configurations.

AWS Landing Zone Accelerator: Universal Configuration

🔒 AWS has released the Landing Zone Accelerator on AWS sample security baseline called the Universal Configuration, designed to deploy a secure, multi-account environment rapidly. It encodes AWS Well‑Architected security best practices and automates hundreds of controls to accelerate compliance for regulated workloads. The release is paired with the LZA Compliance Workbook on AWS Artifact, which maps technical controls to frameworks such as NIST, ISO, HIPAA, and CMMC.

Google Details BadAudio Malware Used by China APT24

🔐 Google Threat Intelligence Group (GTIG) disclosed a previously undocumented loader, BadAudio, used by China-linked APT24 in a multi-year espionage campaign that employed spearphishing, watering-hole infections, and supply-chain compromises. The loader is heavily obfuscated, leverages DLL search-order hijacking and control-flow flattening, and exfiltrates encrypted system data to hard-coded C2 servers. In at least one observed case it delivered an Cobalt Strike Beacon, and many samples remained undetected by most antivirus engines.

Amazon Connect Adds Persistent Agent Connection Feature

📞 Amazon Connect now supports a persistent agent connection that keeps an open channel between agents and the service after a call ends. Administrators can enable the feature per agent profile to reduce customer connect time and help meet telemarketing compliance such as the U.S. Telephone Consumer Protection Act (TCPA) for outbound campaigns. The capability is available in all Amazon Connect regions and carries no additional charge beyond standard Amazon Connect usage and telephony fees.

Transfer Data Across AWS Partitions with Roles Anywhere

🔐 AWS outlines replacing cross-partition IAM user keys with IAM Roles Anywhere to securely transfer data between AWS partitions. The post explains partition isolation (Commercial, GovCloud, China), why long-lived access keys are discouraged, and how IAM Roles Anywhere uses X.509 certificates and temporary credentials. It also covers using an external CA or AWS Private CA to issue and manage certificates for workloads.

Fortinet Criticized for Silent Patching of Two Zero-Days

⚠️Fortinet has faced criticism for quietly patching two zero-day vulnerabilities in its FortiWeb WAFs before publicly disclosing them. The first, CVE-2025-64446, is rated critical (CVSS 9.4) and involves a GUI path-traversal plus an authentication-bypass flaw; the second, CVE-2025-58034 (CVSS 6.7), is an OS command injection that may allow authenticated code execution. Both fixes were included in the 8.0.2 update on October 28 and have been observed exploited in the wild, prompting calls for greater transparency and urgent patching.

AWS Tag Policies: Validate and Enforce Required Tags

🔒 AWS Organizations Tag Policies introduces Reporting for Required Tags, a validation check that ensures IaC deployments include mandatory tags. You define a tag policy specifying required keys and enable validation for CloudFormation, Terraform, or Pulumi workflows. Validation is implemented by activating the AWS::TagPolicies::TaggingComplianceValidator Hook in CloudFormation, adding plan-time checks in Terraform, or enabling the aws-organizations-tag-policies policy pack in Pulumi. The feature is available via the AWS Management Console, AWS CLI, and AWS SDK in supported Regions.

AWS DMS Schema Conversion Adds SAP ASE to PostgreSQL

🤖 AWS Database Migration Service (DMS) Schema Conversion now supports conversions from SAP Adaptive Server Enterprise (ASE) to both Amazon RDS for PostgreSQL and Amazon Aurora PostgreSQL. The integrated generative AI capability helps automatically translate complex database code such as stored procedures, functions, triggers, cursors, and other ASE-specific constructs that traditionally require manual conversion. Schema Conversion also provides detailed assessment reports to help migration teams plan, estimate effort, and reduce risk when executing migrations to PostgreSQL-compatible managed databases on AWS.

Mozilla Ends Partnership with Onerep After Investigation

🛡️ Mozilla announced it will end its partnership with Onerep and discontinue Monitor Plus on Dec. 17, 2025. Current subscribers will retain access through the wind-down period and receive prorated refunds for any unused portion of their subscriptions. Mozilla said it will continue to offer its free Monitor breach service integrated with Firefox’s credential manager and is focusing on integrating more privacy and security features, including its VPN. The company cited high vendor standards and the realities of the data broker ecosystem as reasons for ending the collaboration after reporting revealed Onerep’s founder maintained ties to other people-search services.

Agentic AI Reshapes Cybercrime and Defensive Options

🤖Agentic AI gives autonomous agents the ability to access external systems, gather information, and take actions within defined workflows, making routine multi-system tasks far more efficient for human operators. Cisco Talos warns this efficiency is already being mirrored in the cyber crime economy, including the first observed AI-orchestrated campaign in early 2025. While AI lowers barriers to entry and speeds operations for attackers, it is imperfect and still requires skilled instruction and human oversight. Defenders can respond by building their own agentic tools, deploying honeypots to engage malicious agents, and refining detection to stay ahead.

Hacker Claims 2.3TB Theft from Italian Rail IT Provider

🔒 A threat actor claims to have stolen 2.3 terabytes of data from Almaviva, the IT services provider linked to Italy's state-owned rail operator, FS Italiane Group. The actor posted the alleged dump on a dark web forum and described the contents as confidential documents, technical files, contracts, HR and accounting archives. Almaviva confirmed a cyberattack affecting corporate systems, said some data were taken, and reported it to national authorities while an investigation is ongoing.

Hacker Claims Theft of 2.3TB from Almaviva Affecting FS

🔓 A threat actor claims to have stolen 2.3 terabytes of data from IT services provider Almaviva and posted the material on a dark web forum. The leak reportedly includes confidential documents and sensitive information related to FS Italiane Group, such as internal shares, technical documentation, contracts, HR and accounting archives. D3Lab's Andrea Draghetti says the files are recent (Q3 2025) and not recycled from a 2022 Hive incident. Almaviva confirmed a breach, says affected systems were isolated, and that authorities have been notified while an investigation continues.

Amazon OpenSearch Serverless Adds PrivateLink for Management

🔒 Amazon OpenSearch Serverless now supports AWS PrivateLink for management console access, enabling private connectivity between your VPC and OpenSearch Serverless without traversing the public internet. This allows administrators to create, manage, and configure serverless resources via a private interface endpoint, reducing reliance on public IPs and firewall-only controls. Data ingestion and query operations continue to require OpenSearch Serverless VPC endpoint configuration. PrivateLink is available in regions where the service is offered and will incur additional VPC endpoint charges.

AWS Recycle Bin Extends Support to EBS Volumes Now

♻️ Recycle Bin for Amazon EBS now supports EBS Volumes, allowing you to recover accidentally deleted volumes directly rather than restoring from snapshots. You can create retention rules to protect all volumes or target specific volumes with tags; recovered volumes retain tags, permissions, and encryption and are immediately available at full performance. Volumes in Recycle Bin are billed at standard EBS Volume rates and the capability is available via CLI, SDKs, and the AWS Console across commercial, China, and AWS GovCloud (US) Regions.

Amazon RDS Adds Multi-AZ for SQL Server Web Edition

🔔 Amazon RDS for SQL Server Web Edition now supports Multi‑AZ deployments, providing web‑focused workloads with built‑in high availability and automated failover to a standby replica in a separate Availability Zone. Customers enable the feature by selecting the Multi‑AZ option when configuring their RDS instance; RDS synchronously replicates data and handles failover automatically. This removes the need to move to more expensive SQL Server editions for HA—check pricing and regional availability in the RDS documentation.

ShadowRay 2.0 Worm Uses Ray Flaw to Build Global Botnet

🪲 Oligo Security warns of an active campaign, codenamed ShadowRay 2.0, that exploits a two-year-old authentication flaw in the Ray AI framework (CVE-2023-48022, CVSS 9.8) to convert exposed clusters with NVIDIA GPUs into a self-replicating cryptomining botnet using XMRig. Operators submit malicious jobs to the unauthenticated Job Submission API (/api/jobs/), stage payloads on GitLab and GitHub, and abuse Ray’s orchestration to pivot laterally, establish persistence via cron jobs, and propagate to other dashboards. Oligo recommends restricting access, enabling authentication on the Ray Dashboard (default port 8265) and using Anyscale’s Ray Open Ports Checker plus firewall rules to reduce accidental exposure.