Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11787
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-09-09 12:01:29 | thehackernews | MALWARE | RatOn Android Malware Expands with NFC and Banking Fraud Tools | RatOn, an Android malware, has evolved into a sophisticated remote access trojan with NFC relay and Automated Transfer System capabilities, posing a significant threat to financial security.
The malware targets cryptocurrency wallet applications such as MetaMask and Trust, enabling account takeovers and unauthorized money transfers, particularly affecting Czech and Slovak users.
RatOn employs fake Play Store listings, masquerading as TikTok 18+, to distribute malicious dropper apps that bypass Android security measures and install the malware.
The trojan requests extensive permissions, including device administration and accessibility services, to execute its malicious functions and conduct NFC relay attacks using the Ghost Tap technique.
RatOn's ransomware-like features use overlay screens to coerce victims into paying cryptocurrency ransoms, capturing device PIN codes in the process for further exploitation.
The malware records sensitive data via a keylogger and exfiltrates it to external servers, enabling unauthorized access to victims' accounts and theft of cryptocurrency assets.
The threat actor group initially focused on the Czech Republic, with Slovakia as a potential next target, possibly collaborating with local money mules for automated transfers. | Details |
| 2025-09-09 10:28:32 | thehackernews | MALWARE | Advanced Phishing Campaign Deploys Stealthy MostereRAT Malware | Cybersecurity researchers identified a phishing campaign targeting Japanese users, deploying MostereRAT malware to gain control over systems and exfiltrate sensitive data.
The attack uses advanced evasion techniques, including Easy Programming Language (EPL) for payload development, and mutual TLS for secure command-and-control communications.
MostereRAT disables Windows security mechanisms and blocks network traffic from security programs, complicating detection and analysis.
The malware operates with elevated permissions, allowing interference with critical Windows processes and unauthorized modifications to system files.
A parallel campaign uses "ClickFix-esque techniques" to distribute MetaStealer, leveraging social engineering to bypass security measures.
Attackers employ CSS-based obfuscation and AI manipulation to deliver malicious instructions, exploiting user trust in AI-generated summaries.
Organizations are advised to update security solutions and educate users on social engineering dangers to mitigate these evolving threats. | Details |
| 2025-09-09 10:22:21 | theregister | MISCELLANEOUS | HMD Global Launches Secure Smartphone for Government and Critical Sectors | HMD Global introduces HMD Secure, a new business unit focusing on mobile security for European governments and critical sectors with its first product, the Ivalo XE smartphone.
The Ivalo XE is an Android-based 5G smartphone, designed, developed, and manufactured in Europe, targeting security-conscious customers wary of American tech reliance.
The device incorporates Qualcomm's Dragonwing Q-6690 chip, offering enterprise-grade processing power, RFID capability, and advanced wireless standards, despite Qualcomm being US-based.
Security features include anti-tamper design, dual encryption, secure boot, and a fingerprint reader, with certifications for durability and resilience.
HMD Secure provides tailored operating systems and ensures long-term support, spare parts, and security updates for the Ivalo XE until 2032.
The smartphone offers modular connectivity options for additional hardware, aiming to deliver a versatile and secure communication tool for high-stakes environments.
HMD Global strategically positions itself to capture market share in Europe amid growing concerns over data sovereignty and supply chain transparency. | Details |
| 2025-09-09 10:04:07 | thehackernews | MALWARE | Tor-Based Cryptojacking Campaign Exploits Misconfigured Docker APIs | Akamai researchers identified a cryptojacking campaign that uses the Tor network to target misconfigured Docker APIs, building on findings from Trend Micro's June 2025 report.
The attack deploys an XMRig cryptocurrency miner fetched via a Tor (.onion) domain for anonymity, potentially laying the groundwork for a botnet.
Attackers exploit Docker API misconfigurations to execute a container with a Base64-encoded payload, downloading a shell script from a .onion domain.
The script modifies SSH configurations for persistence and installs tools for reconnaissance and command-and-control communication.
The malware uses Masscan to propagate by scanning for open Docker API services, with hints of planned spread over Telnet (port 23) and the Chrome remote-debugging port (9222).
The campaign underscores the need for organizations to secure Docker APIs, limit service exposure, and enforce strong credential policies to mitigate such threats. | Details |
| 2025-09-09 09:32:42 | theregister | VULNERABILITIES | Risks and Challenges in AI-Driven Code Security Reviews | Anthropic's Claude Code employs AI for automated security reviews, aiming to prevent code deployment without a baseline security check.
Checkmarx discovered that while Claude Code identifies simple vulnerabilities, it can miss complex ones, such as remote code execution via Python's pandas library.
The AI tool sometimes misclassifies vulnerabilities, as seen when a misleading "sanitize" function was erroneously deemed secure.
Executing test cases during reviews can inadvertently introduce risks, especially if malicious code is present in third-party libraries.
Developers are advised to heed Claude Code's warnings and apply additional safeguards, such as human confirmation for risky actions and endpoint security measures.
The research suggests that AI security reviews need rigorous human oversight to ensure robust application security, given the tool's susceptibility to suggestion and prompt injection issues. | Details |
| 2025-09-09 09:32:42 | thehackernews | MISCELLANEOUS | Shadow AI Agents Pose Growing Risk to Enterprise Security | Shadow AI agents are proliferating within enterprises, operating outside the visibility of traditional security measures, and posing significant risks to organizational security.
These agents can be easily deployed by individuals or business units, often without the knowledge or oversight of IT or security teams.
The rapid deployment of AI agents is facilitated by identity providers and PaaS platforms, making it challenging for governance to keep pace.
A forthcoming panel, "Shadow AI Agents Exposed," will discuss strategies for identifying and controlling these agents to mitigate associated risks.
The panel aims to provide actionable insights for improving visibility and control over AI operations within organizations.
As shadow AI agents continue to multiply, enterprises must enhance their security frameworks to prevent potential breaches and unauthorized access.
Organizations are encouraged to attend the panel to better understand the implications and prepare for future challenges posed by shadow AI. | Details |
| 2025-09-09 08:34:57 | thehackernews | MISCELLANEOUS | Strategies for CISOs to Secure Budget Approval from Boards | Security leaders face challenges in securing budget approval, needing to align cybersecurity with business objectives to gain board support.
Gartner reports 88% of boards view cybersecurity as a business risk, yet many CISOs struggle to communicate its value effectively.
Translating technical goals into business outcomes, such as revenue protection and compliance, is crucial for gaining board approval.
Continuous threat exposure management and automated testing are recommended to identify vulnerabilities and demonstrate proactive risk management.
Industry standards like ISO 27001 and NIST can strengthen budget requests by providing a familiar framework for decision-making.
Real-world examples and automated security validation can illustrate the business impact of potential breaches and justify investment.
Tailoring communication to different audiences, from boards to security teams, helps bridge the gap between technical details and business priorities.
Emphasizing security as a business enabler, rather than a cost center, can shift board perspectives and support ongoing investment. | Details |
| 2025-09-09 06:32:40 | theregister | MISCELLANEOUS | UK Online Safety Act Amended to Ban Self-Harm Content | The UK government plans to amend the Online Safety Act, requiring tech firms to proactively prevent self-harm content, marking it as a "priority offence."
Newly appointed Science, Innovation and Technology Secretary Liz Kendall emphasized the importance of keeping harmful content off social media to protect families.
The amendment aims to shift platform responsibility from reactive removal to proactive prevention, potentially impacting operational processes for tech companies.
The Samaritans charity supports the amendment, citing the potential to save lives by reducing exposure to harmful content online.
Critics argue the Act may infringe on privacy and grant excessive censorship power, with concerns about its broad application to various online platforms.
The law's implementation could affect niche online communities, raising operational challenges for platforms with user-generated content.
The new regulations will be enacted three weeks post-approval from both Houses of Parliament, intensifying the compliance timeline for affected companies. | Details |
| 2025-09-09 06:14:16 | thehackernews | CYBERCRIME | Major npm Packages Compromised in Cryptocurrency Theft Supply Chain Attack | A phishing attack on a maintainer's account led to the compromise of multiple npm packages with a combined weekly download count above 2 billion.
The attack involved a phishing email mimicking npm support, tricking the maintainer into providing credentials through an adversary-in-the-middle technique.
Malicious code was injected into the packages, designed to intercept and alter cryptocurrency transactions by swapping wallet addresses.
The malware operates as a browser-based interceptor, targeting end users with connected wallets visiting sites with compromised code.
This incident underscores the vulnerability of package ecosystems like npm and PyPI, frequently targeted due to their extensive reach.
Security experts emphasize the need for vigilance, hardening CI/CD pipelines, and securing dependencies to prevent such attacks.
The attack reflects a growing trend where adversaries exploit popular open-source packages to infiltrate organizations and steal sensitive information. | Details |
| 2025-09-09 03:38:18 | theregister | MISCELLANEOUS | Signal Introduces Encrypted Storage with Free and Paid Options | Signal now offers 100MB of free encrypted storage for media, with a $1.99/month option for 100GB, enhancing user data management.
The feature is opt-in, leaving message-retention choices, including timed deletion, under the user's control.
Backups are protected by a 64-character recovery key held only on the user's device; Signal itself cannot read them.
Signal pads backups with extraneous data so that their size reveals nothing about their contents, reinforcing its commitment to user privacy.
The storage feature is initially available on Android, with plans to expand to iOS and desktop, supporting cross-platform encrypted message history transfers.
As a nonprofit, Signal's introduction of a paid tier helps cover storage costs without resorting to data monetization or advertising.
Users should consider how the storage feature impacts message retention, particularly for messages intended to disappear, as this could affect privacy expectations. | Details |
| 2025-09-09 01:08:12 | bleepingcomputer | DATA BREACH | Plex Enforces Password Resets Following Customer Data Breach | Plex has informed users of a data breach involving unauthorized access to customer authentication data, including email addresses, usernames, and securely hashed passwords.
The breach prompted Plex to advise users to reset their passwords and log out of all connected devices to protect their accounts.
Plex describes the passwords as securely hashed but has not named the algorithm, so the practical resistance of the hashes to offline cracking is unknown.
No payment card information was compromised, as Plex does not store such data on its servers.
Plex has addressed the breach method but has not provided specific technical details about the attack.
Users are encouraged to enable two-factor authentication to enhance account security and are reminded that Plex will never request passwords or credit card details via email.
This incident mirrors a similar breach from August 2022, emphasizing the ongoing need for robust security measures. | Details |
| 2025-09-09 00:31:33 | thehackernews | NATION STATE ACTIVITY | Silent Push Uncovers Longstanding China-Linked Salt Typhoon Domains | Silent Push identified 45 previously unreported domains linked to China-based Salt Typhoon and UNC4841, groups active since at least 2019, indicating a longer espionage history than previously documented.
The domains, dating back to May 2020, suggest that the 2024 Salt Typhoon incidents were not the group's first operations.
Salt Typhoon, believed to be operated by China’s Ministry of State Security, targets U.S. telecommunications providers and overlaps with other known threat actors.
The infrastructure includes domains registered with fake identities and Proton Mail addresses, pointing to both high-density and low-density IP addresses.
Organizations potentially at risk of Chinese espionage are advised to review DNS logs for any activity related to these domains over the past five years.
The discovery emphasizes the ongoing threat posed by sophisticated state-sponsored cyber espionage campaigns and the need for vigilant monitoring and response strategies. | Details |
| 2025-09-08 23:43:36 | theregister | DATA BREACH | Former WhatsApp Security Chief Sues Meta Over Retaliation Claims | Attaullah Baig, former head of security at WhatsApp, has filed a lawsuit against Meta, claiming retaliation for reporting security failings that potentially violated legal commitments.
Baig alleges his reports of systemic cybersecurity failures were met with unjust performance reviews, leading to his termination from WhatsApp.
The lawsuit claims that around 1,500 WhatsApp engineers had unrestricted access to sensitive user data, posing significant privacy risks.
Baig's concerns included potential violations of the US Sarbanes-Oxley Act and SEC rules, which he reported to Meta's top executives, including CEO Mark Zuckerberg.
Meta, facing historical privacy criticisms and fines, denies the allegations, asserting a strong commitment to privacy and security.
The case raises questions about internal security practices and the handling of whistleblower reports within large technology firms.
This legal battle unfolds as Meta awaits a ruling in the FTC's antitrust case against it, highlighting ongoing regulatory challenges. | Details |
| 2025-09-08 21:45:20 | bleepingcomputer | VULNERABILITIES | Surge in Scans Targeting Cisco ASA Devices Signals Potential Flaw | Recent network scans have targeted Cisco ASA devices, with GreyNoise recording significant spikes involving up to 25,000 unique IP addresses probing ASA login portals.
A Brazilian botnet drove 80% of the second wave of scans, utilizing approximately 17,000 IPs, primarily targeting the United States, with additional focus on the UK and Germany.
Overlapping Chrome-like user agents suggest a common origin for the scanning activity, indicating potential reconnaissance for future vulnerabilities.
GreyNoise notes that such reconnaissance often precedes new vulnerability disclosures, though this correlation is statistically weaker for Cisco products.
System administrators are urged to apply the latest security updates, enforce multi-factor authentication, and avoid exposing management interfaces directly to the internet.
Utilizing scanning activity indicators from GreyNoise and Rat5ak's reports can help preemptively block these attempts, enhancing organizational cybersecurity posture.
Cisco has been contacted for comment, and further updates are anticipated as more information becomes available. | Details |
| 2025-09-08 21:08:08 | theregister | MISCELLANEOUS | GAO Report Reveals Gaps in Federal Cybersecurity Workforce Data | The Government Accountability Office (GAO) identified unreliable and incomplete data on the federal cybersecurity workforce across 23 key US government agencies.
The report estimates at least 63,934 full-time cybersecurity employees, costing approximately $9.3 billion annually, with an additional $5.2 billion spent on 4,151 contractors.
Most agencies lack quality assurance processes for workforce data, with 19 agencies reporting no such measures and 17 lacking standardized definitions for cybersecurity roles.
The Office of the National Cyber Director (ONCD) has not provided adequate guidance, contributing to data inconsistencies and suspended workforce data meetings.
Sean Cairncross, the newly confirmed National Cyber Director, has no prior cybersecurity leadership experience, raising concerns about future workforce management.
The GAO recommended addressing data gaps, improving data quality, standardizing role definitions, and assessing workforce effectiveness, but ONCD has yet to commit to these actions.
The Biden administration initiated efforts to enhance workforce data accuracy, but the continuation of these initiatives remains uncertain amid current administrative challenges. | Details |
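The Docker cryptojacking story above turns on one misconfiguration: a Docker daemon listening on TCP without TLS client verification. The following is an added example (not code from Akamai, Trend Micro or the Docker project) that audits a daemon.json for that condition and parses `ss -ltnp` output for a dockerd socket bound to a non-loopback address. Both the weak and hardened configs and the `ss` output are constructed samples; the cert paths are assumptions.

```python
"""Audit Docker daemon exposure: daemon.json settings and live listeners.

Added example, not from any vendor research. The weak config is the
shape of the misconfiguration the cryptojacking campaign abuses; the
hardened one enables TLS client-certificate verification and binds to
a single interface. All inputs below are constructed samples.
"""
import json
from urllib.parse import urlsplit

# Constructed: API reachable from anywhere, no TLS, no client auth
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed: TLS with mutual auth on 2376, bound to one internal address
# (certificate paths are assumptions, not Docker defaults)
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed sample of `ss -ltnp` output on a misconfigured host
SS_SAMPLE = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096       0.0.0.0:2375        0.0.0.0:*     users:(("dockerd",pid=812,fd=3))
LISTEN 0      128        127.0.0.1:22        0.0.0.0:*     users:(("sshd",pid=701,fd=3))
"""


def audit_daemon_json(text: str) -> list[str]:
    """Return findings for every tcp:// host entry; empty list means clean."""
    cfg = json.loads(text)
    findings: list[str] = []
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not network-reachable
        bind = parts.hostname or ""
        if bind in ("", "0.0.0.0", "::"):
            findings.append(f"{host}: bound to all interfaces")
        if not cfg.get("tlsverify"):
            # Without tlsverify any client that can reach the port can run containers
            findings.append(f"{host}: TCP listener without tlsverify")
        elif not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
            findings.append(f"{host}: tlsverify set but cert/key paths missing")
    return findings


def exposed_docker_listeners(ss_output: str) -> list[str]:
    """Local address:port pairs where dockerd listens on a non-loopback socket."""
    exposed: list[str] = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6 or "dockerd" not in fields[-1]:
            continue
        local = fields[3]
        host, _, _port = local.rpartition(":")
        if host not in ("127.0.0.1", "[::1]"):
            exposed.append(local)
    return exposed


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_daemon_json(cfg) or "no findings")
    print("exposed listeners:", exposed_docker_listeners(SS_SAMPLE))
```

Run it against a real host by feeding `/etc/docker/daemon.json` and the output of `ss -ltnp`; a tcp:// host without `tlsverify` is exactly what the campaign's scanner looks for, and a loopback-only or unix-socket daemon does not show up as exposed.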
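The npm supply-chain story above recommends hardening pipelines and securing dependencies. The following is an added example, not from npm or the affected projects, of what that means in practice: audit a `package-lock.json` against a list of known-bad releases, flag entries with no integrity hash or a non-registry `resolved` URL, and check whether the semver ranges in the root manifest would admit a compromised version if the lockfile were ignored. The lockfile, package names and denylist versions are all constructed placeholders, not the real compromised packages.

```python
"""Audit an npm lockfile against a known-bad release list.

Added example, not npm's own tooling. Package names and versions here
are constructed placeholders; substitute the real advisory data.
"""
import json

# Constructed denylist: package name -> set of compromised versions
DENYLIST = {
    "example-color-lib": {"5.6.1"},
    "example-debug-lib": {"4.4.1"},
}

# Constructed lockfileVersion 3 sample; "" is the root manifest entry
LOCKFILE = json.dumps({
    "name": "app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"example-color-lib": "^5.6.0",
                              "example-debug-lib": "~4.4.0"}},
        "node_modules/example-color-lib": {
            "version": "5.6.0",
            "resolved": "https://registry.npmjs.org/example-color-lib/-/example-color-lib-5.6.0.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/example-debug-lib": {
            "version": "4.4.1",
            "resolved": "https://registry.npmjs.org/example-debug-lib/-/example-debug-lib-4.4.1.tgz",
            # no integrity field: npm ci cannot verify the tarball
        },
        "node_modules/example-debug-lib/node_modules/example-ms-lib": {
            "version": "2.1.3",
            "resolved": "https://registry.npmjs.org/example-ms-lib/-/example-ms-lib-2.1.3.tgz",
            "integrity": "sha512-BBBB",
        },
    },
})

REGISTRY = "https://registry.npmjs.org/"


def parse_version(v: str) -> tuple[int, int, int]:
    return tuple(int(x) for x in v.split(".")[:3])  # type: ignore[return-value]


def range_allows(spec: str, version: str) -> bool:
    """Minimal semver: exact, caret and tilde ranges; no prerelease handling."""
    v = parse_version(version)
    if spec.startswith("^"):
        base = parse_version(spec[1:])
        if base[0] > 0:
            upper = (base[0] + 1, 0, 0)
        elif base[1] > 0:
            upper = (0, base[1] + 1, 0)
        else:
            upper = (0, 0, base[2] + 1)
        return base <= v < upper
    if spec.startswith("~"):
        base = parse_version(spec[1:])
        return base <= v < (base[0], base[1] + 1, 0)
    return v == parse_version(spec)


def audit_lockfile(lock_text: str, denylist: dict) -> list[str]:
    """Flag compromised versions, missing integrity, and off-registry sources."""
    lock = json.loads(lock_text)
    findings: list[str] = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and @scoped
        version = entry.get("version", "")
        if version in denylist.get(name, ()):
            findings.append(f"{name}@{version}: known-compromised release")
        if not entry.get("integrity"):
            findings.append(f"{name}@{version}: no integrity hash")
        resolved = entry.get("resolved", "")
        if resolved and not resolved.startswith(REGISTRY):
            findings.append(f"{name}@{version}: resolved from {resolved}")
    return findings


def ranges_exposed(lock_text: str, denylist: dict) -> list[str]:
    """Direct deps whose declared range would accept a compromised version."""
    root = json.loads(lock_text).get("packages", {}).get("", {})
    hits: list[str] = []
    for name, spec in root.get("dependencies", {}).items():
        for bad in sorted(denylist.get(name, ())):
            if range_allows(spec, bad):
                hits.append(f"{name} {spec} admits {bad}")
    return hits


if __name__ == "__main__":
    print(audit_lockfile(LOCKFILE, DENYLIST))
    print(ranges_exposed(LOCKFILE, DENYLIST))
```

The second function is the point of the exercise: a pinned lockfile installed with `npm ci` keeps `example-color-lib` at 5.6.0, but the `^5.6.0` range in the manifest would pull the hypothetical malicious 5.6.1 on any machine that runs `npm install` without honouring the lock.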
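The Salt Typhoon story above advises reviewing DNS logs for the published domains over a five-year window. The following is an added example, not from Silent Push, of how to do that review correctly: parse BIND-style query-log lines, normalise the queried name (trailing dot, case), match the exact domain or a subdomain of it, and skip names where the indicator merely appears inside a longer name (a resolver search-suffix appended to the query, for instance). The indicator domains and log lines are constructed placeholders; substitute the real list.

```python
"""Match DNS query logs against a domain indicator list.

Added example, not Silent Push's tooling. IOC_DOMAINS and DNS_LOG are
constructed placeholders standing in for real indicators and logs.
"""
import re
from datetime import datetime
from typing import Optional

# Constructed placeholders for the published indicator domains
IOC_DOMAINS = {"ioc-example-one.test", "ioc-example-two.test"}

# Constructed BIND-style query log; note the search-suffix case on line 2
# and the mixed-case, trailing-dot name on line 4
DNS_LOG = """\
08-Sep-2025 10:14:02.113 client 10.1.4.22#53411: query: www.ioc-example-one.test IN A + (10.1.1.5)
08-Sep-2025 10:15:40.901 client 10.1.4.22#53412: query: cdn.ioc-example-one.test.internal.corp IN A + (10.1.1.5)
08-Sep-2025 10:16:11.004 client 10.1.7.9#41002: query: updates.example.com IN AAAA + (10.1.1.5)
03-Feb-2021 22:05:13.660 client 10.1.9.14#50321: query: Ioc-Example-Two.test. IN A + (10.1.1.5)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def normalize(name: str) -> str:
    """DNS names are case-insensitive; strip the FQDN trailing dot."""
    return name.rstrip(".").lower()


def matches_ioc(qname: str, iocs: set) -> Optional[str]:
    """Return the matching indicator for an exact or subdomain match, else None."""
    q = normalize(qname)
    for ioc in iocs:
        # Label-boundary check: 'evil.test.internal.corp' must not match 'evil.test'
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def find_ioc_hits(log_text: str, iocs: set,
                  not_before: Optional[datetime] = None) -> list:
    """Yield (timestamp, client, qname, indicator) for matching queries."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query line (or a different log format)
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        if not_before and ts < not_before:
            continue
        ioc = matches_ioc(m["qname"], iocs)
        if ioc:
            hits.append((ts.isoformat(), m["client"], normalize(m["qname"]), ioc))
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(DNS_LOG, IOC_DOMAINS):
        print(*hit)
```

The 2021 hit is the reason the article's five-year window matters: a match years old still tells you which internal client talked to the infrastructure and when, which is the starting point for scoping.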