
Daily Security Briefing #091
- DjediTech
- Security, Newsletter
- December 2, 2025
Evilginx MFA bypass phishing, nopCommerce session cookie exploit, Lazarus Group remote-worker scheme revealed
Executive Summary
Today’s cybersecurity landscape highlights increasing sophistication in both attack techniques and defensive measures. Phishing campaigns using AI-based methods and sophisticated tools like Evilginx continue to undermine multi-factor authentication, particularly targeting educational institutions. Vulnerabilities in widely used platforms, such as nopCommerce, expose critical risks related to session management. Meanwhile, threat intelligence reveals evolving nation-state tactics, including Lazarus Group’s network of remote IT workers facilitating persistent infiltration. On the defense side, automation and continuous assurance frameworks, exemplified by Rapid7’s HITRUST partnership and advanced SIEM solutions, are becoming vital for modern security operations. Regulatory moves, such as India’s restrictions on messaging apps and FTC data privacy enforcement, reflect growing emphasis on controlling misuse and protecting user data.
Top Articles
Evilginx Attack Techniques Allow Hackers to Defeat MFA Through SSO Phishing
A persistent phishing campaign since April 2025 is bypassing multi-factor authentication at over 18 U.S. universities using the open-source Evilginx tool. By employing adversary-in-the-middle tactics, attackers intercept login credentials and session cookies, enabling unauthorized access via single sign-on systems. This sophisticated approach highlights the challenge of securing authentication flows against advanced phishing threats.
BleepingComputer
nopCommerce Vulnerability Enables Attackers to Gain Access to the Application Using Captured Cookie
Researchers disclosed a serious flaw in nopCommerce (CVE-2025-11699) that allows attackers to hijack user accounts through exploitation of captured session cookies. The vulnerability arises from improper session invalidation even after user logout, affecting large customers including Microsoft, Volvo, and BMW. Immediate patching is advised to prevent account compromise.
CyberPress
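The Evilginx and nopCommerce items above turn on the same weakness: a session cookie that keeps working after it has been captured, whether lifted by an adversary-in-the-middle proxy or replayed after the victim believed they had logged out. The Python below is an added illustration, not code from nopCommerce, Evilginx or any article linked here. It contrasts a logout that only clears the browser cookie (the flaw class described) with one that revokes the server-side record, and it binds each session to a hashed client context so that a replayed cookie presented from a different client is refused and logged. The fingerprint function and the alert format are assumptions made for the example; in production the binding signal and its tolerance (mobile clients change IP often) need tuning.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Hash of the client context a session was issued to.
    Constructed signal for the example; coarse by design."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    issued_at: float
    revoked: bool = False


class SessionStore:
    """Server-side session registry: the cookie is an opaque token, all state lives here."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self.alerts: List[str] = []

    def login(self, user: str, fingerprint: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable cookie value
        self._sessions[token] = Session(user, fingerprint, time.time())
        return token

    def logout_cookie_only(self, token: str) -> str:
        """Flaw class from the nopCommerce item: the browser is told to drop the
        cookie, but the server-side record stays valid, so a captured copy still works."""
        return "Set-Cookie: session=; Max-Age=0"

    def logout(self, token: str) -> str:
        """Hardened logout: revoke the server-side record, then expire the cookie."""
        session = self._sessions.get(token)
        if session is not None:
            session.revoked = True
        return "Set-Cookie: session=; Max-Age=0"

    def authenticate(self, token: str, fingerprint: str) -> Optional[str]:
        """Return the user for a valid cookie, or None. A cookie presented from a
        different client context than it was issued to is treated as replay:
        the session is revoked and an alert is recorded."""
        session = self._sessions.get(token)
        if session is None or session.revoked:
            return None
        if not hmac.compare_digest(session.fingerprint, fingerprint):
            self.alerts.append(
                f"possible session replay for {session.user}: client context changed"
            )
            session.revoked = True
            return None
        return session.user


if __name__ == "__main__":
    store = SessionStore()
    victim = client_fingerprint("203.0.113.10", "Mozilla/5.0")   # constructed
    token = store.login("alice", victim)
    store.logout_cookie_only(token)
    print("after cookie-only logout, replay yields:", store.authenticate(token, victim))
    store.logout(token)
    print("after server-side revocation, replay yields:", store.authenticate(token, victim))
    token = store.login("bob", victim)
    other = client_fingerprint("198.51.100.7", "curl/8.0")        # constructed
    print("replay from other client yields:", store.authenticate(token, other))
    print("alerts:", store.alerts)
```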
Researchers Capture Lazarus APT’s Remote-Worker Scheme Live on Camera
A collaborative investigation exposed a remote IT worker network linked to North Korea’s Lazarus Group, specifically its Famous Chollima division. Using interactive malware analysis, researchers documented this persistent infiltration approach, which places remote workers inside targeted organizations as a covert foothold. This insight enhances understanding of state-sponsored advanced persistent threats.
TheHackerNews
Global Windows Users Hit by Candiru’s Powerful DevilsTongue Spyware
Newly identified infrastructure tied to Israeli spyware vendor Candiru (Saito Tech Ltd.) is deploying DevilsTongue, a Windows-based spyware targeting government clients worldwide. The spyware facilitates highly targeted surveillance, exemplifying ongoing advancements in state-level offensive capabilities.
CyberPress
Rapid7 Helps Lower Your Cost to Assurance for HITRUST
Rapid7’s partnership with HITRUST introduces automated evidence collection and continuous validation of security controls aligned with HITRUST frameworks. This approach reduces the burden of periodic audits and manual compliance, improving security assurance for regulated organizations.
Rapid7
Announcing Rapid7’s Next-Gen SIEM Buyer’s Guide
Rapid7 released a comprehensive guide highlighting modern SIEM capabilities, integrating AI, automation, and contextual analysis to enhance threat detection, investigation, and response. The guide addresses challenges faced by security teams evolving beyond traditional logging toward proactive defense.
Rapid7
Early Indicators of Insider Threats Through Authentication and Access Controls
Nisos researchers identify a detection gap where behavioral anomalies and external intelligence are insufficiently correlated. Insider threats often manifest as subtle early signs rather than obvious malicious actions, necessitating improved authentication and access control monitoring to prevent escalation.
GBHackers
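The insider-threat item argues that early signs are weak on their own and only become meaningful when correlated. As an added example (not from the Nisos research), the Python below learns a per-user baseline of login hours and successfully accessed resources from a set of constructed log lines, then scores recent activity for three weak signals (off-hours login, first-seen resource, access denial) and raises an alert only when two or more co-occur for the same user on the same day. The log format and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample logs (not from the article). Format: ISO timestamp, then key=value pairs.
BASELINE_LOGS = [
    "2025-11-03T09:02:11 user=alice action=login target=vpn result=ok",
    "2025-11-03T09:10:45 user=alice action=access target=hr-portal result=ok",
    "2025-11-04T08:58:03 user=alice action=login target=vpn result=ok",
    "2025-11-04T10:21:30 user=alice action=access target=hr-portal result=ok",
    "2025-11-05T09:15:00 user=alice action=login target=vpn result=ok",
    "2025-11-05T11:40:12 user=alice action=access target=wiki result=ok",
]
RECENT_LOGS = [
    "2025-11-30T23:47:09 user=alice action=login target=vpn result=ok",
    "2025-11-30T23:52:44 user=alice action=access target=finance-db result=denied",
    "2025-11-30T23:53:10 user=alice action=access target=finance-db result=denied",
    "2025-11-30T23:55:01 user=alice action=access target=hr-portal result=ok",
    "2025-12-01T09:05:00 user=alice action=login target=vpn result=ok",
]


def parse(line: str) -> dict:
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def hour_distance(a: int, b: int) -> int:
    """Circular distance between hours so 23:00 and 00:00 are one hour apart."""
    d = abs(a - b)
    return min(d, 24 - d)


class Baseline:
    """Per-user habits learned from a quiet period: login hours and resources used successfully."""

    def __init__(self) -> None:
        self.hours: Dict[str, Set[int]] = defaultdict(set)
        self.targets: Dict[str, Set[str]] = defaultdict(set)

    def learn(self, lines: List[str]) -> None:
        for ev in map(parse, lines):
            user = ev["user"]
            if ev["action"] == "login":
                self.hours[user].add(ev["ts"].hour)
            if ev["result"] == "ok":
                self.targets[user].add(ev["target"])


def score(baseline: Baseline, lines: List[str], threshold: int = 2) -> Dict[Tuple[str, str], List[str]]:
    """Correlate weak signals per (user, day); alert only when at least `threshold` distinct ones fire."""
    signals: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for ev in map(parse, lines):
        user = ev["user"]
        key = (user, ev["ts"].date().isoformat())
        known_hours = baseline.hours.get(user, set())
        if ev["action"] == "login" and known_hours and all(
            hour_distance(ev["ts"].hour, h) > 1 for h in known_hours
        ):
            signals[key].add("off-hours login")
        if ev["action"] == "access" and ev["target"] not in baseline.targets.get(user, set()):
            signals[key].add("first-seen target")
        if ev["result"] == "denied":
            signals[key].add("access denied")
    return {k: sorted(v) for k, v in signals.items() if len(v) >= threshold}


if __name__ == "__main__":
    base = Baseline()
    base.learn(BASELINE_LOGS)
    for (user, day), hits in score(base, RECENT_LOGS).items():
        print(f"ALERT {user} {day}: {', '.join(hits)}")
```

A single denied request or one late login is noise in most organizations; the correlation step is what turns them into something worth a ticket, which is the gap the item describes.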
FTC settlement requires Illuminate to delete unnecessary student data
The FTC mandates Illuminate Education to delete excess student data and enhance protections following a 2021 incident that exposed information of 10 million students. This settlement underscores regulatory focus on data minimization and security in education technology.
BleepingComputer
India Orders Messaging Apps to Work Only With Active SIM Cards to Prevent Fraud and Misuse
India’s Department of Telecommunications requires messaging apps like WhatsApp, Telegram, and Signal to link accounts exclusively to active SIM cards, aiming to reduce fraud and abuse. This regulatory move targets anonymous misuse of communication platforms by enforcing stronger identity verification.
TheHackerNews
Cybercrime Goes SaaS: Renting Tools, Access, and Infrastructure
Cybercrime operations increasingly adopt subscription-based models, offering phishing kits, data logs, and malware on-demand. This “crime-as-a-service” ecosystem lowers entry barriers for low-skill actors and enables scalable malicious campaigns.
BleepingComputer
Like Social Media, AI Requires Difficult Choices
Jamie Susskind reflects on societal challenges of AI governance, comparing today’s debate on AI’s role in our lives to prior questions on state versus market control. As AI becomes pervasive, difficult choices around control and direction must be addressed in politics and policy.
Schneier on Security
AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.