Daily Brief


Total articles found: 11783

Checks for new stories every ~15 minutes

2025-09-11 16:07:51 theregister DDOS Record Packet Flood Targets DDoS Mitigation Provider in Europe
A DDoS mitigation provider in Western Europe faced a massive 1.5 billion packets per second attack, threatening its ability to stay online. The attack originated from thousands of compromised routers and IoT devices across over 11,000 global networks, indicating a widespread botnet operation. FastNetMon, a network monitoring company, was engaged to counter the attack and utilized its automated detection systems to identify the threat within seconds. The attack emphasized the vulnerability of DDoS scrubbing services to high packet-rate floods, which can overwhelm systems through processing demands rather than bandwidth. A similar attack of nearly identical scale targeted another DDoS provider in Eastern Europe, suggesting a coordinated effort by the same botnet. An extortion email linked to the attack was sent to the second targeted entity, indicating a potential financial motive behind the incidents. FastNetMon's founder highlighted the need for ISPs to filter attack traffic at the source to prevent routers from being exploited by botnet operators. The incident follows a recent 11.5 Tbps DDoS attack mitigated by Cloudflare, reflecting an ongoing trend of adversaries testing the limits of network defenses.
2025-09-11 15:10:49 bleepingcomputer VULNERABILITIES New VMScape Attack Threatens Cloud Security on AMD, Intel CPUs
Researchers at ETH Zurich unveiled VMScape, a Spectre-like attack that compromises guest-host isolation on AMD and Intel processors, affecting cloud virtualization security. VMScape allows a malicious virtual machine to extract cryptographic keys from an unmodified QEMU hypervisor, bypassing existing Spectre mitigations. The attack exploits speculative execution vulnerabilities, impacting AMD Zen 1 to Zen 5 and Intel Coffee Lake CPUs, but not newer models like Raptor Cove. VMScape achieves a data leak rate of 32 bytes/second, with a 98.7% accuracy, posing a significant risk to multi-tenant cloud environments. ETH Zurich reported the vulnerability to AMD and Intel, leading to the assignment of CVE-2025-40300 and subsequent security bulletins. Linux kernel developers have released patches to mitigate VMScape by implementing an Indirect Branch Prediction Barrier (IBPB) on VMEXIT. The mitigation strategy involves minimal performance impact, enhancing security without significantly affecting common workloads.
2025-09-11 15:04:09 theregister VULNERABILITIES ETH Zurich Discovers VMSCAPE Vulnerability in AMD and Intel CPUs
ETH Zurich researchers identified a new Spectre-based vulnerability, VMSCAPE (CVE-2025-40300), affecting AMD Zen and Intel Coffee Lake processors, threatening cloud environments by leaking hypervisor secrets. VMSCAPE allows malicious cloud users to extract sensitive data from the host domain without code modifications, posing a significant risk to virtualization security. The vulnerability targets Kernel Virtual Machine (KVM) and QEMU, exploiting incomplete branch predictor isolation to access host memory at a rate of 32 B/s on AMD Zen 4. Hardware fixes are deemed impractical; Linux maintainers have developed software mitigations, resulting in a performance overhead, particularly impacting emulated device environments. Intel and AMD are collaborating with Linux developers to implement existing and new mitigations, including "IBPB before exit to userspace," to address this vulnerability. The Linux patch is expected to be integrated into various distributions, with a focus on minimizing performance impact while securing affected systems. The discovery emphasizes the ongoing challenges of securing virtualization boundaries and the need for continuous vigilance against speculative execution vulnerabilities.
2025-09-11 15:04:09 thehackernews MISCELLANEOUS Google Pixel 10 Enhances Media Authenticity with C2PA Support
Google Pixel 10 phones now include C2PA support to verify digital content authenticity, enhancing transparency for AI-generated media. C2PA's Content Credentials provide a cryptographically signed manifest, offering verifiable provenance for images, videos, and audio files. The Pixel Camera app has achieved Assurance Level 2, the highest security rating defined by the C2PA Conformance Program. Pixel 10 devices feature on-device trusted time-stamps, ensuring the trustworthiness of images even if captured offline. This capability is supported by Google Tensor G5, Titan M2 security chip, and Android's hardware-backed security features. Google's initiative marks a significant step toward media transparency and trust, supporting the creative use of AI in digital content.
2025-09-11 14:56:20 thehackernews CYBERCRIME Senator Wyden Calls for FTC Investigation into Microsoft's Cybersecurity Practices
U.S. Senator Ron Wyden has requested the FTC investigate Microsoft for alleged cybersecurity negligence linked to ransomware attacks on critical infrastructure, including healthcare networks. The call to action follows a ransomware incident at healthcare provider Ascension, affecting 5.6 million individuals and disrupting electronic health records. Attackers exploited Microsoft's default security settings and the outdated RC4 encryption to gain unauthorized access, highlighting potential systemic weaknesses. Wyden criticized Microsoft's failure to enforce stronger password policies and its continued support for insecure encryption technologies like RC4. Microsoft plans to deprecate RC4 in future updates, aiming to enhance security by disabling the cipher by default in Windows 11 24H2 and Windows Server 2025. The senator's letter raises concerns about the broader implications of relying on a single vendor for national infrastructure, stressing the need for secure-by-design defaults. This scrutiny adds to previous criticisms of Microsoft's cybersecurity practices, including incidents involving Chinese threat actors and Microsoft Exchange Online compromises.
2025-09-11 14:02:53 bleepingcomputer VULNERABILITIES Managing Browser Extension Risks with Comprehensive Security Strategies
Browser extensions, often overlooked, pose significant security risks by executing privileged code and accessing sensitive data within enterprise-approved browsers. Keep Aware's guide emphasizes the need for visibility, control, and real-time response to manage these risks effectively. Malicious or compromised extensions can harvest business data, expose credentials, or enable network intrusions, highlighting the need for vigilant management. Even trusted extensions can be compromised through supply chain attacks, turning them into persistent threats. Various management approaches include GPO/MDM policies, EDR tools, enterprise browsers, and purpose-built security extensions like Keep Aware. Keep Aware offers real-time monitoring and automated policy enforcement, enhancing security without disrupting user productivity. Organizations must balance security with usability, ensuring effective extension management without hindering employee workflows.
2025-09-11 13:17:41 theregister VULNERABILITIES Senator Urges FTC Probe into Microsoft's Security Practices
U.S. Senator Ron Wyden has called for an FTC investigation into Microsoft's alleged security negligence, following a ransomware attack on Ascension, a major U.S. hospital network. The attack exploited weaknesses in Microsoft's default configurations, impacting over 140 hospitals and compromising the personal and medical data of approximately 5.6 million patients. Wyden criticized Microsoft for continuing to use the outdated RC4 encryption algorithm, which has been a known vulnerability for years, increasing exposure to cyber threats. The senator accused Microsoft of prioritizing profit over security, citing the company's lucrative business in selling cybersecurity add-ons to organizations. Wyden's letter emphasized that Microsoft's dominant market position sets a low security baseline for government and critical infrastructure, posing national security risks. The FTC's potential investigation could pressure Microsoft to implement more secure default settings and expedite promised security updates, such as the RC4 patch. This situation reflects broader concerns about vendor accountability in securing software that supports critical services, with implications for regulatory oversight in the tech industry.
2025-09-11 11:05:19 theregister MISCELLANEOUS EU Debates Controversial Encryption Backdoor Legislation Amid Privacy Concerns
The EU is considering legislation that mandates ISPs and messaging apps to scan user content or implement encryption backdoors, sparking significant privacy concerns. Over 600 security experts have opposed the proposal, arguing it is intrusive and technically unfeasible, with a high potential for false positives. Critics warn that the legislation could lead to a "national security disaster," potentially exposing data to adversarial nations and undermining privacy. The proposed rules aim to combat child sexual abuse material (CSAM) but lack clear guidance on implementation, relying on AI for detection. If passed, encrypted app providers like WhatsApp and Signal would be required to comply, despite technical and ethical challenges. Some EU member states, such as Germany, are expressing reservations, potentially delaying the legislation for further review. Companies like Signal and Tuta have pledged to resist compliance, citing EU constitutional privacy rights and potential legal challenges. Similar UK legislation has faced implementation hurdles, highlighting the complexity and contentious nature of such surveillance measures.
2025-09-11 10:41:13 thehackernews CYBERCRIME Akira Ransomware Exploits SonicWall SSL VPN Vulnerabilities
The Akira ransomware group targets SonicWall devices, exploiting a year-old SSL VPN flaw (CVE-2024-40766) and misconfigurations to gain unauthorized access. Rapid7 reports a surge in SonicWall intrusions, with Akira leveraging brute-force attacks on user credentials to breach networks. SonicWall advises enabling Botnet Filtering and Account Lockout policies, and reviewing LDAP SSL VPN Default User Groups to mitigate risks. Misconfigured LDAP settings can allow attackers to bypass Active Directory controls, granting unauthorized access to sensitive network services. The Australian Cyber Security Centre confirms Akira's targeting of vulnerable Australian organizations, emphasizing the global implications. Akira's recent tactics include SEO poisoning and using the Bumblebee malware loader to deploy ransomware and exfiltrate data. Organizations are urged to rotate passwords, remove inactive accounts, and restrict Virtual Office Portal access to bolster defenses against these attacks.
2025-09-11 10:24:32 theregister DATA BREACH LNER Customer Data Compromised in Third-Party Supplier Breach
London North Eastern Railway (LNER) confirmed a data breach involving customer contact details and travel information accessed through a third-party supplier. The breach did not affect sensitive financial data such as bank accounts, payment cards, or passwords, according to LNER's statement. Operational services, including ticketing and rail services, remain unaffected, ensuring continuity of LNER's inter-city operations across major UK hubs. Customers are advised to remain vigilant against phishing attempts and to maintain secure password practices as a precautionary measure. The breach's connection to recent Salesloft Drift attacks remains speculative, with no definitive attribution to the ongoing incidents. LNER has committed to providing further updates as more information becomes available, while the exact method of the breach remains unclear. The incident emphasizes the need for robust third-party risk management strategies to safeguard customer data from supplier-related vulnerabilities.
2025-09-11 09:33:11 theregister MISCELLANEOUS Experts Question Ofcom's Enforcement of the UK's Online Safety Act
The UK's Communications and Digital Committee reviewed Ofcom's enforcement of the Online Safety Act, with experts expressing concerns over its effectiveness and implications for civil liberties. Ofcom's suggestion that the Act could have prevented the 2024 Southport riots raised concerns about unrealistic expectations and political causality, according to legal academics. The Act's scope is limited to harmful or illegal content, excluding "awful but lawful" material, which restricts Ofcom's regulatory leverage. Critics noted that misinformation spread during the riots would not fall under the Act's regulations, as it was shared by individuals believing it to be true. Ofcom's proposals to reform recommender systems are seen as conflating content moderation with algorithmic changes, raising questions about enforcement feasibility. The rise in VPN use as a workaround to the Act's safeguards for children online has prompted calls for stricter age verification measures, though a ban on VPNs is unlikely. The committee plans to continue discussions with civil society organizations to address ongoing challenges with the Act's implementation and impact.
2025-09-11 09:08:49 thehackernews MALWARE Malicious Browser Extensions Target Meta Business Accounts for Hijacking
Cybersecurity researchers have identified two campaigns distributing fake browser extensions via malicious ads and websites, aiming to steal sensitive data from Meta Business accounts. The campaigns involve fake "Meta Verified" extensions, such as SocialMetrics Pro and Madgicx Plus, which falsely promise enhanced Facebook and Instagram features. Once installed, these extensions collect session cookies and IP addresses, sending them to a Telegram bot controlled by attackers, facilitating unauthorized access. The malicious extensions exploit the Facebook Graph API to gather additional account information, potentially leading to the sale of compromised accounts on underground forums. The campaigns are linked to Vietnamese-speaking threat actors, utilizing mass-generated links and tutorials to industrialize malvertising efforts. The extensions, still available on the Chrome Web Store, can intercept and modify network traffic, capture form inputs, and harvest sensitive data. Businesses are advised to scrutinize browser extensions and monitor for unauthorized access to prevent account hijacking and data theft.
2025-09-11 09:01:38 thehackernews MISCELLANEOUS Bridging the Communication Gap Between CISOs and Boardrooms
A new educational initiative, "Risk Reporting to the Board for Modern CISOs," aims to enhance communication between CISOs and board members by translating technical risks into business-relevant insights. The course addresses the disconnect where 84% of directors see cybersecurity as a business risk, yet only half feel confident in their understanding for effective oversight. Boards are increasingly accountable for cyber risk, with regulations like SEC rules and EU's NIS2 mandating disclosure and oversight, highlighting the need for clear communication. The program teaches CISOs to present risk in terms of governance, finance, and strategy, moving beyond technical metrics to actionable insights that align with business objectives. Dr. Gerald Auger, with extensive industry and teaching experience, leads the course, providing practical tools and templates for effective board communication. By improving CISO-board alignment, organizations can expect stronger support for security initiatives and a more integrated role for cybersecurity in strategic planning. The initiative reflects a growing recognition that cybersecurity is central to business oversight and long-term growth, necessitating clear and actionable insights from security leaders.
2025-09-11 08:54:01 theregister MISCELLANEOUS BAE Systems Advances Autonomous Submarine Technology for Military Use
BAE Systems is developing the Herne, an extra-large autonomous underwater vehicle designed for military applications, with a focus on protecting underwater infrastructure from potential sabotage threats. The Herne submarine, capable of pre-programmed intelligence and surveillance missions, has completed trials and is set for further development with Cellula Robotics under a 10-year agreement. This uncrewed submarine can travel up to 3,100 miles and operate for 45 days at depths of 16,400 feet, with a flexible cargo space for various mission payloads. Currently battery-powered, BAE is exploring hydrogen fuel cells as a future power source to enhance the submarine's operational capabilities. The Royal Navy's ASW Spearhead program complements these efforts by improving sonar systems for detecting and tracking hostile submarines, enhancing maritime defense capabilities. The Herne's development signifies a shift towards autonomous maritime defense solutions, offering increased endurance and safety by reducing human involvement in potentially hazardous missions. BAE's rapid development strategy aims to provide cost-effective, scalable autonomous capabilities, positioning the Herne as a significant advancement in underwater military technology.
2025-09-11 06:08:43 thehackernews MALWARE AsyncRAT Campaign Exploits ConnectWise to Steal Credentials and Cryptocurrency
Cybersecurity researchers revealed a campaign using ConnectWise ScreenConnect to deploy AsyncRAT, a remote access trojan, targeting sensitive data on compromised systems. Attackers leverage the legitimate RMM software to gain remote access, employing VBScript and PowerShell loaders to execute obfuscated components from external sources. The infection chain involves trojanized installers masquerading as business documents, distributed via phishing emails, to initiate the malware deployment. Persistence is achieved through a fake "Skype Updater" scheduled task, allowing the payload to execute after each login, evading detection. AsyncRAT capabilities include keystroke logging, credential theft, and scanning for cryptocurrency wallets across multiple web browsers. Exfiltrated data is sent to a command-and-control server, facilitating further payload execution and post-exploitation commands. The use of fileless malware tactics complicates detection and eradication, posing significant challenges to cybersecurity defenses.