Daily Brief

Total articles found: 11806

Checks for new stories every ~15 minutes

2025-08-14 14:04:17 bleepingcomputer CYBERCRIME Blue Report 2025 Reveals Shift in Ransomware and Infostealer Tactics
Picus Security's Blue Report 2025 reveals a shift from encryption to data theft in ransomware and infostealer campaigns, affecting organizations' ability to detect and prevent such threats. Over 160 million attack simulations show a concerning decline in data exfiltration prevention rates to 3%, highlighting vulnerabilities in current cybersecurity defenses. Infostealers have evolved into sophisticated tools for credential theft and data exfiltration, often bypassing traditional security measures by mimicking legitimate access. The report emphasizes that backup solutions alone are insufficient against modern ransomware, which now often relies on data theft and public exposure threats. Key vulnerabilities identified include a lack of outbound monitoring, insufficient data loss prevention (DLP) enforcement, and limited behavioral analytics. Organizations are urged to adopt Continuous Threat Exposure Management (CTEM) strategies to prioritize and address high-risk exposures effectively. The findings stress the importance of proactive detection and prevention measures upstream, before data exfiltration occurs and credentials are exploited.
2025-08-14 13:19:15 thehackernews MALWARE CrossC2 Expands Cobalt Strike's Reach to Linux and macOS Systems
Japan's CERT coordination center (JPCERT/CC) reported the use of CrossC2, extending Cobalt Strike's capabilities to Linux and macOS, observed between September and December 2024. The campaign targeted multiple countries, including Japan, using CrossC2 alongside tools like PsExec, Plink, and a custom malware loader named ReadNimeLoader. ReadNimeLoader, written in Nim, sideloads a legitimate binary to execute shellcode in memory, avoiding disk traces, and employs anti-debugging techniques. The attacks show overlap with BlackSuit/Black Basta ransomware activities, sharing command-and-control domains and file naming conventions. SystemBC backdoor's ELF versions were present, often preceding Cobalt Strike and ransomware deployments, indicating a sophisticated attack chain. The campaign highlights vulnerabilities in Linux servers lacking Endpoint Detection and Response (EDR) systems, emphasizing the need for enhanced security measures. Organizations are advised to strengthen defenses against cross-platform threats and ensure comprehensive monitoring across all operating systems.
2025-08-14 13:10:36 bleepingcomputer DATA BREACH Canadian House of Commons Probes Data Breach After Cyberattack
The House of Commons of Canada is investigating a data breach following a cyberattack that compromised employee information, including names, job titles, office locations, and email addresses. The breach involved exploitation of a Microsoft vulnerability, affecting databases that manage computers and mobile devices within the House of Commons. Employees and parliamentarians have been warned about potential fraudulent activities using the stolen data, which could lead to impersonation and scams. The House of Commons is working with the Communications Security Establishment (CSE) to assess the breach's impact, though attribution of the attack remains challenging. The Canadian Centre for Cyber Security has alerted IT professionals to secure systems against two Microsoft vulnerabilities, CVE-2025-53770 and CVE-2025-53786, which have been actively exploited. These vulnerabilities have been linked to breaches of high-profile targets globally, including U.S. government entities and European networks. The incident underscores the critical need for timely patch management and robust cybersecurity measures to protect sensitive governmental data.
2025-08-14 12:51:04 theregister NATION STATE ACTIVITY Russian Cyber Actors Target US Courts and Norwegian Dam Systems
Russian-linked cyber actors infiltrated the US federal court's case-management system, accessing sensitive sealed documents and system blueprints over several months. The attack exploited long-standing vulnerabilities in the CM/ECF platform, affecting multiple jurisdictions, including New York City. The breach raises concerns over the security of legal documents and the potential exposure of witness identities and case details. In Norway, suspected Russian operatives took control of a dam's floodgates, holding them open for hours, demonstrating their capability to disrupt critical infrastructure. Norway's domestic intelligence agency attributes the dam incident to pro-Russian cyber actors, viewing it as a tactic to instill fear and chaos. These incidents reflect a strategic shift in Russian cyber activities, targeting less conventional infrastructure to showcase their reach and capabilities. The US and Norwegian authorities are investigating the incidents, but specific Russian groups responsible have yet to be identified. The events highlight the need for strengthened cybersecurity measures across both legal and critical infrastructure systems to prevent future breaches.
2025-08-14 11:29:08 thehackernews VULNERABILITIES Enhancing Cybersecurity with Automated External Attack Surface Management
Organizations face challenges in managing expansive digital footprints, with forgotten assets like cloud instances and staging servers posing security risks if left unmonitored. External Attack Surface Management (EASM) tools automate the discovery of internet-facing assets, identifying orphaned servers and open ports before they become security incidents. Digital Risk Protection (DRP) solutions monitor external threats, scanning social media and dark web forums for mentions of an organization, providing early alerts on potential risks. EASM and DRP tools enable systematic security practices, ensuring continuous monitoring and proactive management of digital assets and threats. Automated alerts and AI-powered filtering prioritize genuine risks, reducing false positives and focusing attention on critical vulnerabilities. Solutions like Outpost24's CompassDRP integrate EASM and DRP capabilities, offering comprehensive visibility and threat intelligence for effective risk management. Implementing these tools helps organizations maintain a robust cybersecurity posture, preventing costly incidents and ensuring operational resilience.
2025-08-14 11:20:51 theregister DATA BREACH Italian Hotels Face Data Breach, 100,000 Records Compromised
Italy's digital agency (AGID) confirms a data breach affecting hotel booking systems, with nearly 100,000 identity documents compromised between June and August. The cybercriminal, known as mydocs, claims responsibility for the breach, listing sensitive documents like passports on a cybercrime forum. AGID verified the authenticity of the stolen data, warning of potential scams, identity theft, and financial fraud targeting affected individuals. The breach impacts at least ten hotels, with the number expected to rise; the Borghese Contemporary Hotel in Rome is among those affected. Italy's data protection authority, the GPDP, urges hotels that have not yet reported to disclose any irregularities and notify affected guests as the law requires. A formal investigation has been launched to determine the breach's extent and the methods used to access the data. The breach poses significant risks, including the creation of false documents and unauthorized bank accounts, highlighting the critical need for enhanced data protection measures.
2025-08-14 11:10:45 thehackernews MALWARE New Android Trojan Exploits NFC for Banking Fraud in Brazil
Cybersecurity researchers have identified a new Android trojan, PhantomCard, which exploits NFC technology to execute relay attacks on banking customers in Brazil. PhantomCard masquerades as legitimate apps on fake Google Play pages, tricking users into installing it by using deceptive positive reviews. Once installed, the app relays NFC data from victims' banking cards to a fraudster's device, allowing unauthorized transactions. The malware is part of a Chinese-origin NFC relay malware-as-a-service, NFU Pay, distributed through underground channels like Telegram. The attack complicates the threat landscape for financial organizations by introducing global threats that bypass regional language and cultural barriers. Similar NFC-enabled fraud has been reported in Southeast Asia, with attackers using tools like Z-NFC and SuperCard X to clone card data. The rise of contactless payments and low-value transaction limits in regions like the Philippines makes these attacks harder to detect and prevent in real-time. Financial institutions are urged to enhance monitoring and adapt security measures to mitigate these evolving threats.
2025-08-14 10:13:56 theregister CYBERCRIME Stock in the Channel Suffers Ransomware Attack, Services Disrupted
Stock in the Channel (STIC), a UK-based tech stock platform, experienced a ransomware attack, causing significant service disruption and website outage. The attack was executed by a sophisticated criminal group exploiting a zero-day vulnerability in a third-party application. Despite extensive infrastructure damage, STIC reports no evidence of a data breach and has successfully recovered critical data. The company's website remains partially operational, with ongoing efforts to fully restore services; stock and price data may be outdated. STIC's email and phone lines continue to function, maintaining communication channels with its 60,000 users across 22 countries. The incident underscores the importance of securing third-party applications to prevent exploitation by cybercriminals. No customer data compromise is believed to have occurred, but the situation remains under close monitoring.
2025-08-14 09:35:21 thehackernews VULNERABILITIES Strategic Default Settings Key to Reducing Cybersecurity Risks
Implementing deny-by-default policies and multi-factor authentication (MFA) can significantly reduce attack surfaces and prevent unauthorized access to systems. Security-by-default strategies, including application allowlisting, stop ransomware and unauthorized tools before execution, enhancing overall system resilience. Adopting a proactive defense mindset is essential as cyber threats evolve from mere nuisances to profit-driven enterprises. Industry frameworks like NIST and ISO offer guidance, but clear, actionable steps are needed for effective security implementation. Default security configurations, such as disabling Office macros and blocking outbound server traffic, can eliminate significant vulnerabilities. Continuous monitoring and patching are crucial to maintaining security beyond initial configuration, ensuring defenses remain robust against new threats. Emphasizing security-by-default helps organizations prevent breaches, reduce complexity, and maintain operational integrity without alienating IT teams.
2025-08-14 09:17:56 bleepingcomputer VULNERABILITIES CISA Alerts on N-able N-central Flaws Exploited in Zero-Day Attacks
CISA issued a warning about active exploitation of two vulnerabilities in N-able's N-central platform, a tool widely used by MSPs and IT departments for network management. The vulnerabilities, CVE-2025-8875 and CVE-2025-8876, involve insecure deserialization and improper input sanitization, potentially allowing command execution by authenticated users. N-able has released patches in version 2025.3.1 and urges immediate updates to prevent potential risks, especially as details of the CVEs will be disclosed in three weeks. Over 2,100 N-central instances are exposed online, primarily in the U.S., Australia, and Germany, increasing the urgency for patch application to mitigate risks. CISA added these vulnerabilities to its Known Exploited Vulnerabilities Catalog, mandating federal agencies to patch by August 20 under BOD 22-01. Organizations, including private sector entities, are advised to follow vendor instructions for mitigation or discontinue use if solutions are unavailable. This alert follows a recent CISA directive on a Microsoft Exchange vulnerability, underscoring the ongoing threat landscape and need for proactive security measures.
2025-08-14 07:36:06 theregister MISCELLANEOUS UK Government's £9 Billion Microsoft Deal Faces Scrutiny Over Value
The UK government's five-year Strategic Partnership Agreement with Microsoft, valued at nearly £9 billion, is under debate for its true value to taxpayers. The agreement bundles Microsoft 365, Azure, Business Applications, and Microsoft Copilot, raising concerns about potential lock-in and limited competition. Microsoft's recent financial performance shows significant revenue growth, prompting questions about whether the UK is securing substantial discounts or merely boosting Microsoft's profits. The inclusion of AI tool Copilot could enhance efficiency, but lack of transparent pricing raises concerns about affordability and vendor dependency. The Crown Commercial Service's role in the agreement may prioritize vendor stability over aggressive cost-saving measures, potentially limiting negotiation leverage. Critics suggest exploring alternative platforms or hybrid strategies to foster competition and avoid over-reliance on a single supplier. Historical efforts to control IT costs, such as the 2004 Gershon Review, highlight the need for renewed focus on competition and innovation in procurement practices.
2025-08-14 06:47:56 thehackernews CYBERCRIME Google Enforces Crypto App Licensing Amid Rising Scam Concerns
Google mandates cryptocurrency app developers to secure government licenses in 15 regions, including the U.S., UK, and EU, to enhance user safety and compliance. The policy affects developers of cryptocurrency exchanges and wallets, excluding non-custodial wallets, requiring registration with relevant authorities like FCA and FinCEN. Developers must declare their apps as cryptocurrency exchanges or wallets and may need to provide additional compliance information for unlisted jurisdictions. Non-compliant developers are advised to withdraw their apps from targeted regions, reflecting Google's commitment to adapting to evolving regulatory landscapes. Concurrently, the FBI warns of scams where fraudsters pose as law firms to exploit cryptocurrency scam victims, resulting in $9.9 million in reported losses. The FBI advises vigilance against unsolicited law firm contacts and recommends verifying identities through video or documentation to prevent further victimization. These developments underscore the critical need for robust verification processes and regulatory adherence in the rapidly evolving cryptocurrency sector.
2025-08-14 04:06:27 thehackernews VULNERABILITIES CISA Alerts on Exploited Flaws in N-able N-central Platform
CISA has added two N-able N-central security flaws to its Known Exploited Vulnerabilities catalog, indicating active exploitation of these vulnerabilities. N-able N-central, a Remote Monitoring and Management platform, is widely used by Managed Service Providers to manage client endpoints across various operating systems. The vulnerabilities have been addressed in the latest software updates, N-central versions 2025.3.1 and 2024.6 HF2, released on August 13, 2025. N-able advises users to enable multi-factor authentication, especially for admin accounts, to mitigate potential security risks. The specific methods of exploitation and the scale of attacks remain unknown, prompting ongoing inquiries for further details. Federal Civilian Executive Branch agencies have been advised to apply the necessary patches by August 20, 2025, to safeguard their networks. This development follows recent CISA actions addressing older vulnerabilities in Microsoft Internet Explorer and Office, urging timely updates or discontinuation of outdated products.
2025-08-13 20:25:25 bleepingcomputer VULNERABILITIES Fortinet Urges Immediate Patch for Critical FortiSIEM RCE Vulnerability
Fortinet has issued a critical alert for a remote command injection flaw in FortiSIEM, urging immediate application of security updates to prevent exploitation. The vulnerability, CVE-2025-25256, affects FortiSIEM versions 5.4 to 7.3 and is rated with a CVSS score of 9.8, indicating severe risk. Exploit code for this flaw is already circulating, posing a significant threat to organizations using FortiSIEM in sectors like government, finance, and healthcare. Fortinet advises upgrading to supported versions to mitigate risk, as older versions will not receive patches for this vulnerability. The flaw allows unauthenticated attackers to execute arbitrary commands, but it does not produce clear indicators of compromise, complicating detection efforts. A temporary workaround involves restricting access to the phMonitor on port 7900, though this does not resolve the underlying issue. This disclosure follows a recent surge in brute-force attacks on Fortinet products, suggesting heightened threat activity around these systems.
2025-08-13 19:19:07 theregister VULNERABILITIES Fortinet Warns of Critical FortiSIEM Bug Amid Brute-Force Surge
Fortinet has disclosed a critical vulnerability in FortiSIEM, identified as CVE-2025-25256, which allows unauthenticated attackers to execute unauthorized commands, potentially leading to full system compromise. The vulnerability affects FortiSIEM versions 7.3.0-7.3.1, 7.2.0-7.2.5, 7.1.0-7.1.7, 7.0.0-7.0.3, and versions before 6.7.9, receiving a CVSS score of 9.8, indicating severe risk. Fortinet has advised customers to upgrade to patched versions and suggested limiting access to the phMonitor port (7900) as a temporary mitigation measure. Working exploit code for this vulnerability has been detected in the wild, raising concerns about potential exploitation if systems remain unpatched. GreyNoise reported a significant increase in brute-force attempts targeting Fortinet SSL VPNs, with over 780 unique IPs involved, possibly indicating an increased threat landscape. The surge in brute-force attempts coincided with the vulnerability disclosure, although a direct causal link has not been confirmed by GreyNoise. This situation underscores the importance of timely patch management and monitoring for unusual activity to mitigate potential threats effectively.