Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11809
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-07-31 18:27:01 | bleepingcomputer | MISCELLANEOUS | Microsoft to Implement Enhanced Excel Security Measures by 2026 | Microsoft plans to disable external workbook links to blocked file types in Excel between October 2025 and July 2026 to enhance security. Workbooks with links to blocked file types will show a #BLOCKED error or fail to refresh following the update. This security measure is part of the new FileBlockExternalLinks group policy, expanding the current File Block Settings. Microsoft 365 will inform users about these changes via a business bar warning in workbooks with external links to blocked file types starting from Build 2509. Admins can re-enable links to blocked file types by modifying the Excel security settings in the Windows registry. These changes follow previously initiated actions such as the disabling of ActiveX controls and the expansion of the Antimalware Scan Interface for better protection against malware. Microsoft has also recently increased bounty payouts to $40,000 for certain vulnerabilities, reflecting its continued focus on security enhancements across its platforms. | Details |
| 2025-07-31 18:10:32 | theregister | MISCELLANEOUS | Microsoft Enhances Azure AI, Raises Deepfake Voice Concerns | Microsoft has updated its Azure AI Speech service with a new feature that allows users to create voice replicas from just seconds of sampled speech. The enhanced model, called "DragonV2.1Neural," offers more natural and expressive voice output and supports over 100 languages. The improved system provides better speech naturalness, realistic prosody, and enhanced pronunciation accuracy. This upgrade enables applications such as customizing chatbot voices and dubbing video content across multiple languages. Despite the potential for misuse, Microsoft includes safety measures such as watermarking and usage policies that require original speaker consent and prohibit impersonation. Concerns have grown around AI voice cloning technology, especially given its use in scams and the lack of sufficient safeguards in some voice cloning services. Earlier warnings from Consumer Reports and the FBI highlight the risks of AI voice cloning technologies in fraud schemes. | Details |
| 2025-07-31 17:28:44 | bleepingcomputer | MISCELLANEOUS | Microsoft Expands .NET Bug Bounty, Offers Up to $40,000 | Microsoft has updated its .NET bug bounty program to increase rewards, offering up to $40,000 for critical vulnerabilities. The program now includes higher payouts for issues in .NET and ASP.NET Core, reflecting the complexity and risk associated with these vulnerabilities. Critical remote code execution and privilege escalation flaws can fetch up to $40,000, with $30,000 available for critical security feature bypasses. The updated bounty program also covers critical remote denial-of-service (DoS) bugs, with rewards up to $20,000. The expansion includes more comprehensive coverage of .NET framework vulnerabilities. These changes are part of Microsoft's Secure Future Initiative (SFI), aimed at enhancing overall cybersecurity in response to criticism from the Department of Homeland Security. Microsoft continues incentivizing research and security improvements across its platforms, including enhancements in AI security with increased bounties. | Details |
| 2025-07-31 17:18:41 | theregister | NATION STATE ACTIVITY | China Summons Nvidia Over Alleged Security Flaws in AI Chips | China's Cyberspace Administration suspects backdoor vulnerabilities in Nvidia's H20 AI chips and demands an explanation under stringent security laws. The issue emerged after the U.S. lifted a ban that previously blocked the export of these chips to China, originally imposed over fears of military use. Beijing's renewed scrutiny appears tied to the U.S. Chip Security Act mandating tracking technology in AI chips, raising espionage fears. Allegations include embedded technologies in Nvidia's chips for tracking, positioning, and remote shutdown capabilities. Despite U.S. restrictions, a significant volume of Nvidia's AI chips reportedly entered China's black market, circumventing official channels. Nvidia denies any intentional backdoors in its chips, emphasizing its commitment to stringent cybersecurity practices. This confrontation underscores ongoing tensions and the geopolitical implications of technology, especially in the AI and semiconductor sectors. | Details |
| 2025-07-31 17:18:41 | thehackernews | NATION STATE ACTIVITY | Russian Threat Actor Targets Embassies in Moscow with AitM Attacks | Secret Blizzard, a Russian nation-state actor, is targeting foreign embassies in Moscow via sophisticated AitM attacks at the ISP level. The group employs malware called ApolloShadow, designed to trick devices with fake certificates and gain persistent access. The campaign has been active since at least 2024, using local ISPs to compromise diplomatic communications for intelligence gathering. Microsoft's report reveals tactics including lawful intercept misuse, installing rogue root certificates, and redirecting internet traffic through a captive portal. ApolloShadow's functionality includes modifying system settings in ways that could facilitate lateral movement within networks, although no direct lateral movement attempts were observed. Microsoft suggests embassies enforce least privilege access, review privileged accounts regularly, and secure traffic through encrypted tunnels or VPNs to mitigate the threat. The group uses complex methods to obscure its activities, including leveraging infrastructure from unrelated third-party threat actors. | Details |
| 2025-07-31 16:47:20 | bleepingcomputer | MISCELLANEOUS | CISA Launches Thorium: Open-Source Platform for Cybersecurity | CISA announced the availability of Thorium, an open-source platform for malware and forensic analysis designed to automate tasks in cyberattack investigations. Developed in collaboration with Sandia National Laboratories, Thorium can schedule over 1,700 jobs per second and handles more than 10 million files per hour per permission group. Thorium integrates commercial, open-source, and custom tools to enhance cybersecurity teams' analytical capabilities in software analysis, digital forensics, and incident response. The platform enables cybersecurity analysts to efficiently assess complex malware threats and supports various mission functions. Installation instructions and access to Thorium are available on CISA's official GitHub repository, promoting the use of advanced tools across the cybersecurity community. The scalable analysis provided by Thorium aids in understanding and addressing vulnerabilities in benign software, enhancing overall security readiness. Thorium is part of CISA’s continued efforts to support the cybersecurity community, following the release of the Eviction Strategies Tool and the "Malware Next-Gen" analysis system in previous years. | Details |
| 2025-07-31 16:09:01 | theregister | NATION STATE ACTIVITY | Kremlin-Backed Cyber Spies Target Foreign Embassies in Moscow | Russian cyberspies, attributed to the Kremlin-backed group Secret Blizzard, are targeting foreign embassies in Moscow using local ISP networks. Microsoft Threat Intelligence has reported the espionage as active since at least 2024, identifying AiTM (adversary-in-the-middle) attacks likely facilitated by lawful intercepts. The attackers employ fake networks and captive portals to redirect embassy communications and deploy the ApolloShadow malware. ApolloShadow obtains extensive privileges on compromised devices, enabling manipulation of network settings and data interception. Once a device is infected, ApolloShadow can manipulate DNS settings to redirect communications to a control server, exposing sensitive diplomatic communications. Microsoft advises entities in Moscow to use encrypted communication channels or VPNs that do not rely on local ISPs to mitigate the risk. This case highlights the strategic use of geopolitical control over ISPs, turning local infrastructure into an extension of espionage capabilities. | Details |
| 2025-07-31 16:09:00 | bleepingcomputer | NATION STATE ACTIVITY | Russian Hackers Target Embassies Using ISP-Level Espionage | Microsoft has identified a Russian hacker group, Secret Blizzard, targeting diplomatic missions in Moscow using local ISP access. The hackers employ Adversary-in-the-Middle (AiTM) attacks, redirecting targets to download the ApolloShadow malware via fake portals. The ApolloShadow malware installs a deceptive trusted root certificate mimicking Kaspersky Anti-Virus, facilitating long-term espionage. The cyber-espionage tactics leverage Russia’s System for Operative Investigative Activities (SORM) for extensive AiTM campaigns. Microsoft has actively monitored this threat since 2024, with Secret Blizzard's ISP-level espionage capabilities newly confirmed. Secret Blizzard, linked to the Russian FSB, has been involved in global cyber-espionage since 1996, targeting sensitive government and research entities. The group is known for sophisticated and unconventional cyber tactics, including controlling malware via social media and hijacking other nations' cyber infrastructure. | Details |
| 2025-07-31 15:51:19 | thehackernews | CYBERCRIME | New Phishing Scam Abuses Proofpoint to Steal Microsoft 365 Credentials | Cybersecurity researchers have uncovered a sophisticated phishing campaign that exploits Proofpoint’s link wrapping service to mask malicious URLs and evade detection. Attackers gain unauthorized access to email accounts within an organization and use this access to send emails with malicious URLs wrapped by Proofpoint, making them appear legitimate. The malicious emails feature multi-layer redirects, initially using a URL shortening service like Bitly, before being further obscured by Proofpoint’s URL Defense, creating a complex redirection chain to evade security measures. This technique is employed in various deceptive emails, such as fake voicemail notifications and Microsoft Teams messages, which trick users into clicking links that lead to fake Microsoft 365 login pages designed to harvest credentials. The phishing campaign also uses Scalable Vector Graphics (SVG) files and fake Zoom meeting links in separate schemes to bypass traditional security protocols and trick users into divulging personal information. Cloudflare highlights the increasing sophistication of phishing attacks that cleverly use trusted tools and methodologies to increase their success rate in credential theft. Recent reports by Cofense and other cybersecurity entities indicate a rise in such multi-stage phishing attacks, signaling a shift towards more elaborate and covert methods of cybercrime. | Details |
| 2025-07-31 15:05:03 | theregister | NATION STATE ACTIVITY | Chinese Espionage Crew Patented Offensive Cyber Tools, DOJ Reveals | Security researchers at SentinelLabs analyzed an unsealed US DOJ indictment, identifying 16 patents related to offensive cyber tools linked to China's Ministry of State Security (MSS). The patents, filed between 2014 and 2020 by Shanghai Powerock and Shanghai Huayun Firetech, were connected to the Silk Typhoon espionage team, known for its attack on Microsoft Exchange. The patented tools included utilities for decrypting hard drives, network sniffers, forensic software, and spyware capable of accessing files on Apple devices. The Chinese companies involved had previously operated under non-publicized alliances with the MSS, supporting ongoing cyber espionage efforts. Yin Kecheng, associated with similar hacking operations through Shanghai Heiying Information Technology, was arrested earlier for his involvement in profitable computer intrusion campaigns since 2013. SentinelLabs stresses that while the tools could theoretically be used defensively, there is no evidence that they were, indicating a clear intent geared towards espionage. Despite concrete links and ongoing litigation, Beijing continues to deny any involvement in cyber espionage operations. | Details |
| 2025-07-31 14:19:09 | bleepingcomputer | CYBERCRIME | Prevention and Impact of Clipboard-Based ClickFix and FileFix Attacks | ClickFix is a social engineering method used by attackers to manipulate users into executing malicious code hidden in their clipboard. Usually triggered by a user clicking on something that appears legitimate (such as a CAPTCHA), the malicious code is silently copied to their clipboard. Keep Aware, a browser security platform, is highlighted for its ability to detect and block these deceptive interactions through clipboard monitoring and real-time activity analysis. In one instance, an attack was prevented when Keep Aware alerted a user to a suspicious command after a ClickFix attempt that originated from a search engine result. Successful ClickFix attacks can lead to the loading of various malware and remote access trojans, causing significant harm to the compromised device. FileFix represents the latest iteration of this type of attack, targeting user interactions with File Explorer by hiding malicious commands in deceptively innocuous-looking inputs. These clipboard-based attacks highlight a critical weakness in the browser, showing it to be a key vector for device compromise that is largely overlooked by traditional security measures. | Details |
| 2025-07-31 13:51:42 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Target Crypto Firms Via Social Engineering | North Korea-linked UNC4899 engaged in sophisticated cryptocurrency theft, targeting multiple organizations through social engineering via LinkedIn and Telegram. The attackers employed malicious Docker containers and npm packages to infiltrate systems, leveraging job offers and collaborative project lures on platforms like GitHub. UNC4899, also known as Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor, has been active since 2020 and is associated with significant crypto heists. The group exploited cloud environments such as Google Cloud and AWS, using malware like GLASSCANNON, PLOTTWIST, and MAZEWIRE to establish remote connections and perform actions such as credential theft. In one instance, the attackers disabled and later reinstated MFA to maintain access without detection. The operations concluded with the threat actors successfully extracting millions in cryptocurrency by manipulating CloudFront and S3 configurations. Google's investigation highlighted the use of stolen credentials and session cookies in the attacks; multi-factor authentication (MFA) barriers prevented further unauthorized activity. The activity forms part of a broader strategy by North Korea's Lazarus Group, which has escalated its insertion of malware into the npm and PyPI open source registries. | Details |
| 2025-07-31 13:36:52 | theregister | MISCELLANEOUS | UK Regulator Proposes Measures Against Microsoft and AWS | Britain's competition watchdog, after a 21-month investigation, suggests Microsoft and AWS hold too much market power in the UK cloud sector. The Competition and Markets Authority (CMA) intends to grant Microsoft and AWS strategic market status (SMS), allowing for targeted regulatory measures. Microsoft and AWS, controlling 30-40% of the UK's cloud market, could face action due to their significant unilateral market power and high profit margins. The report highlights issues such as overpricing, technical barriers, and restrictive licensing, which stifle competition and innovation. Google, although a smaller player in the UK cloud market with a 5-10% share, escapes similar scrutiny, differing markedly from Microsoft and AWS. The CMA suggests that increased competition could lead to better pricing, potentially saving UK businesses around £500 million annually. AWS and Microsoft disagree with the findings, arguing the report overlooks the dynamic nature of the cloud market and the competition within it. Final recommendations and decisions from the Digital Markets Unit (DMU) are expected by early 2026, with ongoing evaluations influenced by international regulatory actions. | Details |
| 2025-07-31 13:02:39 | bleepingcomputer | CYBERCRIME | Study Links Pre-Disclosure Malicious Activity to 80% of New CVEs | Researchers from GreyNoise have documented a correlation between spikes in malicious network activity and the disclosure of new security vulnerabilities, affecting 80% of CVEs within six weeks. Data analysis from GreyNoise's Global Observation Grid indicates these patterns are statistically significant and repeatable across major enterprise edge vendors such as Ivanti, SonicWall, and Palo Alto Networks. The study identified that half of these malicious spike events precede the announcement of a new CVE by three weeks, with a stronger correlation found in specific vendors. The majority of early attack efforts target older vulnerabilities, which may aid attackers in discovering new security flaws or vulnerable internet-exposed endpoints. GreyNoise advises organizations to enhance monitoring and defensive measures upon detecting suspicious scanning activity, even before CVEs are formally published. Google’s Project Zero aims to shorten the “patch gap” by announcing discovered vulnerabilities within a week to assist system administrators in preemptive defense strategies. | Details |
| 2025-07-31 12:35:02 | theregister | CYBERCRIME | Major NHS Supplier Near Collapse Following Cyberattack Impact | NRS Healthcare, a key provider of disability equipment to the NHS and local councils in the UK, is facing potential compulsory liquidation 16 months after a cyberattack. The company, instrumental in delivering urgent healthcare equipment, has initiated the transfer of its services to other providers, aiming to preserve jobs and service continuity. Fiscal reports revealed that although the cyberattack (claimed by RansomHub) had minimal immediate fiscal impact, significant financial strain manifested in the following year, complicating recovery efforts. In response to the cyber incident, NRS Healthcare expedited a digital transformation project, completing it in three weeks instead of six months, which included major updates to cybersecurity standards. Increasing financial pressures have led to unsuccessful attempts by NRS Healthcare to secure a buyer through PricewaterhouseCoopers, pushing the company towards liquidation. Local councils have expressed concerns about meeting statutory service obligations if NRS Healthcare collapses, highlighting the urgent requirement for same-day service provision for hospital leavers. The DHSC is actively coordinating with multiple partners to mitigate potential service disruptions and is considering requests from local councils for financial support during the transition. | Details |