Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11785

Checks for new stories every ~15 minutes

2025-09-11 08:54:01 | theregister | MISCELLANEOUS | BAE Systems Advances Autonomous Submarine Technology for Military Use
BAE Systems is developing the Herne, an extra-large autonomous underwater vehicle designed for military applications, with a focus on protecting underwater infrastructure from potential sabotage threats. The Herne submarine, capable of pre-programmed intelligence and surveillance missions, has completed trials and is set for further development with Cellula Robotics under a 10-year agreement. This uncrewed submarine can travel up to 3,100 miles and operate for 45 days at depths of 16,400 feet, with a flexible cargo space for various mission payloads. Currently battery-powered, BAE is exploring hydrogen fuel cells as a future power source to enhance the submarine's operational capabilities. The Royal Navy's ASW Spearhead program complements these efforts by improving sonar systems for detecting and tracking hostile submarines, enhancing maritime defense capabilities. The Herne's development signifies a shift towards autonomous maritime defense solutions, offering increased endurance and safety by reducing human involvement in potentially hazardous missions. BAE's rapid development strategy aims to provide cost-effective, scalable autonomous capabilities, positioning the Herne as a significant advancement in underwater military technology.
2025-09-11 06:08:43 | thehackernews | MALWARE | AsyncRAT Campaign Exploits ConnectWise to Steal Credentials and Cryptocurrency
Cybersecurity researchers revealed a campaign using ConnectWise ScreenConnect to deploy AsyncRAT, a remote access trojan, targeting sensitive data on compromised systems. Attackers leverage the legitimate RMM software to gain remote access, employing VBScript and PowerShell loaders to execute obfuscated components from external sources. The infection chain involves trojanized installers masquerading as business documents, distributed via phishing emails, to initiate the malware deployment. Persistence is achieved through a fake "Skype Updater" scheduled task, allowing the payload to execute after each login, evading detection. AsyncRAT capabilities include keystroke logging, credential theft, and scanning for cryptocurrency wallets across multiple web browsers. Exfiltrated data is sent to a command-and-control server, facilitating further payload execution and post-exploitation commands. The use of fileless malware tactics complicates detection and eradication, posing significant challenges to cybersecurity defenses.
2025-09-11 05:36:25 | theregister | NATION STATE ACTIVITY | NASA Imposes Strict Restrictions on Chinese Nationals Amid Espionage Concerns
NASA has prohibited Chinese nationals from accessing its facilities and networks, including virtual platforms, to safeguard sensitive information and operations. This decision follows the admission of espionage activities by Chenguang Gong, who accessed critical US aerospace data. The espionage involved downloading information on missile-confusing sensors and radiation-hardened cameras used for early warnings. NASA's actions reflect heightened security measures due to its collaboration with the US military and the strategic importance of its projects. The ban aligns with US law, which restricts NASA from engaging with China's space program without Congressional approval. NASA aims to maintain American leadership in space exploration, with plans for lunar and future Mars missions. The move underscores the broader geopolitical competition between the US and China in the space domain.
2025-09-11 03:37:31 | theregister | NATION STATE ACTIVITY | EggStreme Malware Targets Philippines Military Amidst South China Sea Tensions
Bitdefender researchers identified the EggStreme malware, believed to be linked to Chinese APTs, targeting a military company in the Philippines. The EggStreme Framework uses a sophisticated, multi-stage approach to maintain persistent access on compromised systems. Key components include EggStremeFuel and EggStremeLoader, which establish persistence, and EggStremeAgent, a backdoor with extensive capabilities. The malware operates filelessly, executing malicious code in memory, enhancing its stealth and making detection challenging. The attack aligns with China's strategic interests in the South China Sea, where territorial disputes with the Philippines are ongoing. The nature of the targeted entity remains unclear, potentially involving either the Philippine armed forces or a defense contractor. This incident underscores the persistent cyber threats faced by organizations involved in geopolitical conflicts.
2025-09-10 22:47:18 | theregister | CYBERCRIME | Akira Ransomware Exploits SonicWall Vulnerabilities for Global Extortion
Akira ransomware affiliates are exploiting SonicWall vulnerabilities, including CVE-2024-40766, to conduct widespread extortion attacks, impacting numerous organizations globally. The vulnerability, with a CVSS score of 9.8, was initially disclosed in August 2024, yet remains unpatched in many systems, offering a significant attack surface. Over 438,000 SonicWall devices are still publicly accessible, increasing the risk of ransomware attacks due to inadequate patching and security configurations. Rapid7 has responded to multiple incidents involving SonicWall appliances, indicating a potential for widespread industry impact if mitigations are not implemented. SonicWall advises upgrading to SonicOS 7.3.0 and enabling multi-factor authentication to mitigate risks associated with legacy credential use and misconfigurations. Threat intelligence firms have observed an increase in Akira activity since July 2024, exploiting default LDAP configurations and misconfigured VPNs for unauthorized access. Organizations are urged to apply patches, enforce MFA, and limit access to trusted networks to protect against these evolving ransomware threats.
2025-09-10 22:14:30 | bleepingcomputer | DDOS | Massive 1.5 Billion PPS DDoS Attack Targets European Mitigation Service
A European DDoS mitigation provider faced a significant attack reaching 1.5 billion packets per second, marking one of the largest packet-rate floods publicly disclosed. The attack was launched from compromised IoT devices and MikroTik routers across over 11,000 networks globally, primarily using UDP flood techniques. FastNetMon, a defense company specializing in DDoS protection, successfully mitigated the threat using real-time detection and the customer's scrubbing facility. Mitigation strategies included deploying access control lists on edge routers to filter out malicious traffic and prevent service disruptions. This incident follows a recent record-breaking DDoS attack blocked by Cloudflare, emphasizing the growing threat of volumetric attacks. FastNetMon's founder stressed the need for ISP-level intervention to prevent the weaponization of consumer hardware in large-scale attacks. The case underscores the importance of proactive measures and industry collaboration to safeguard against escalating DDoS threats.
2025-09-10 19:13:58 | theregister | MALWARE | ChillyHell macOS Malware Evades Detection for Four Years
ChillyHell, a modular macOS backdoor, has been active for four years, evading detection despite being notarized by Apple. Initially reported by Mandiant in 2023, ChillyHell was linked to UNC4487, a cybercrime group targeting a Ukrainian auto insurance website. The malware's persistence mechanisms include installation as a LaunchAgent, a system LaunchDaemon, or through shell profile alterations. ChillyHell employs advanced evasion tactics such as timestomping and shifting between multiple command-and-control protocols. The malware's modular design enables it to execute various malicious commands, including brute-force attacks and payload deployment. Apple has revoked the developer certificates associated with ChillyHell, but the extent of its deployment remains unclear. This incident underscores the importance of vigilance, as even notarized software can harbor malicious code.
2025-09-10 17:59:50 | bleepingcomputer | CYBERCRIME | Massive NPM Supply-Chain Attack Impacts Cloud Environments Globally
A significant supply-chain attack on the NPM ecosystem affected approximately 10% of cloud environments, exploiting popular packages like Chalk and Debug-js. Attackers gained access through a phishing attack on maintainer Josh Junon, injecting malicious code aimed at cryptocurrency theft. The open-source community swiftly responded, removing malicious packages within two hours, limiting the potential damage. Despite the attack's scale, financial gains for the attackers were minimal, totaling less than $1,000 in diverted cryptocurrency. The attack highlighted the rapid propagation potential of malicious code in supply-chain vulnerabilities, posing a significant operational risk. Technical analysis revealed the attack targeted browser environments, swapping cryptocurrency wallet addresses to redirect transactions. The incident underscores the critical need for robust security measures in managing open-source software dependencies.
2025-09-10 17:15:25 | theregister | DATA BREACH | Jaguar Land Rover Faces Data Breach Amid System Disruptions
Jaguar Land Rover confirmed a data breach following a cyberattack, affecting some company data, though the extent remains under investigation. The attack led to significant operational disruptions, impacting both retail and production activities, with systems taken offline as a precaution. JLR has engaged third-party cybersecurity experts to assist in a forensic investigation, working to restore global applications securely. The company is informing relevant regulators and will notify affected individuals if personal data is confirmed compromised. Employees have been instructed to work from home, with service disruptions reported, including issues with parts ordering and diagnostics. Scattered Spider, a ransomware group linked to previous attacks on Marks & Spencer, is suspected of orchestrating the attack, potentially collaborating with ShinyHunters and Lapsus$. The incident underscores the persistent threat of ransomware to large enterprises, emphasizing the need for robust cybersecurity measures.
2025-09-10 16:09:05 | theregister | CYBERCRIME | Jaguar Land Rover Cyberattack Disrupts Operations and Affects Data
Jaguar Land Rover experienced a cyberattack that led to system shutdowns, impacting retail and production operations significantly. Initial assessments suggested no data theft, but further investigations revealed some data was affected, prompting regulatory notifications. The attack has forced employees to work from home, with services like parts ordering and diagnostics disrupted, affecting customer service. Cybersecurity specialists are working continuously to restore global applications safely, while forensic investigations proceed to assess the full impact. Scattered Spider, a known ransomware group, is suspected of the breach, possibly collaborating with ShinyHunters and Lapsus$ in targeting multiple sectors. The incident underscores the vulnerability of critical IT systems in the automotive industry, highlighting the need for robust cybersecurity measures. JLR continues to update stakeholders and express regret for the ongoing disruptions, emphasizing their commitment to resolving the situation.
2025-09-10 16:01:25 | bleepingcomputer | MISCELLANEOUS | Google Introduces AI Photo Verification in Pixel 10 Devices
Google has integrated C2PA Content Credentials into Pixel 10 cameras and Google Photos to help users identify AI-generated or altered images, addressing growing concerns over synthetic media. Each JPEG photo captured on Pixel 10 will automatically include Content Credentials, detailing its creation process, enhancing transparency and trust in digital media. The Content Credentials system uses digital signature technology to secure information about media creation, similar to methods used in online transactions and mobile apps. If images are edited, Google Photos updates the Content Credentials, maintaining a complete history of changes without compromising user anonymity. The system operates offline and is designed to be tamper-resistant, ensuring security and integrity throughout the media's lifecycle. Although currently exclusive to Pixel 10, Google plans to expand this feature to other Android devices, advocating for industry-wide adoption to combat misinformation and deepfakes. Google emphasizes the need for comprehensive adoption of verifiable provenance systems to effectively address the challenges posed by AI-generated content.
2025-09-10 15:52:49 | thehackernews | NATION STATE ACTIVITY | Chinese APT Utilizes EggStreme Malware Against Philippine Military Systems
A Chinese APT group has compromised a Philippine military company using EggStreme, a sophisticated fileless malware framework, indicating ongoing geopolitical cyber tensions in the South China Sea region. EggStreme employs a multi-stage toolset that injects malicious code directly into memory, leveraging DLL sideloading for payload execution, thus maintaining a low profile. The core component, EggStremeAgent, functions as a backdoor enabling system reconnaissance, lateral movement, and data theft, utilizing a keylogger to harvest sensitive information. Communication with command-and-control servers is maintained through Google Remote Procedure Call (gRPC), supporting 58 commands for extensive system and network exploitation. The malware's resilience is enhanced by multiple C2 servers and the use of the Stowaway proxy utility, complicating detection and maintaining persistent access. The fileless nature and sophisticated execution flow of EggStreme allow it to evade detection, posing a significant threat to targeted entities. This attack highlights the advanced capabilities of state-sponsored actors in bypassing modern defensive measures and emphasizes the need for vigilant cybersecurity strategies.
2025-09-10 15:52:49 | bleepingcomputer | VULNERABILITIES | Cursor IDE Flaw Allows Malicious Code Execution Without User Consent
A vulnerability in Cursor, an AI-powered IDE, permits automatic execution of malicious tasks, posing risks to developers by enabling malware deployment and credential theft. The flaw stems from Cursor shipping with the Workspace Trust feature disabled; in its parent, Visual Studio Code, that feature prevents automatic task execution without explicit user consent. Oasis Security researchers demonstrated the risk with a proof-of-concept, showing how arbitrary code can execute when a project folder is opened in Cursor. Potential threats include data theft, unauthorized system modifications, and creating vectors for supply-chain attacks, impacting over a million Cursor users. Despite the identified risk, Cursor developers plan to retain the autorun feature, citing user preference for AI functionalities that require Workspace Trust to be disabled. Users are advised to enable Workspace Trust manually, use alternative editors for untrusted projects, and avoid globally exporting sensitive credentials. The Cursor team intends to update their security guidance, offering instructions on enabling Workspace Trust to mitigate risks.
2025-09-10 15:32:14 | bleepingcomputer | DATA BREACH | Jaguar Land Rover Faces Data Theft After Cyberattack
Jaguar Land Rover (JLR) confirmed a cyberattack led to data theft, disrupting production and instructing staff to stay home. The company, owned by Tata Motors India, generates over $38 billion in annual revenue and employs 39,000 globally. The attack severely disrupted JLR's production activities, prompting collaboration with the U.K. National Cyber Security Centre for recovery. JLR is conducting a forensic investigation and has informed relevant authorities and regulators about the data breach. A group called "Scattered Lapsus$ Hunters" claimed responsibility, linking themselves to known cybercriminal entities like Lapsus$ and ShinyHunters. The group has shared evidence of infiltrating JLR's systems and deploying ransomware, though no specific ransomware group has claimed the attack. The incident underscores the vulnerability of major manufacturers to sophisticated cyber threats and the importance of robust cybersecurity measures.
2025-09-10 14:10:36 | bleepingcomputer | CYBERCRIME | Clorox Faces $380 Million Loss from Social Engineering Attack
Attackers from the Scattered Spider group exploited human error by impersonating Clorox employees, accessing systems through repeated password and MFA resets via a third-party service desk. The breach resulted in approximately $380 million in damages, including $49 million in remedial expenses and significant business-interruption losses due to production and supply chain disruptions. The attackers conducted reconnaissance to gather internal details, using scripted calls to pressure service desk agents into bypassing security protocols without proper verification. The incident underscores the critical need for robust verification processes, especially when outsourcing help-desk functions, to prevent unauthorized access and protect sensitive systems. The Cybersecurity and Infrastructure Security Agency (CISA) and other bodies have noted similar tactics, urging organizations to strengthen caller verification as a key supply-chain control. Organizations are advised to treat help-desk resets as privileged operations, ensuring vendor-side controls, auditability, and regular social-engineering simulations to mitigate risks. The incident serves as a stark reminder of the potential financial and operational impacts of social engineering attacks, emphasizing the importance of comprehensive security measures and training.