Daily Brief

2025-07-31 11:26:24 thehackernews MISCELLANEOUS SentinelOne Leads in AI-Driven Endpoint Security, Gartner Reports
Gartner has named SentinelOne a leader in the 2025 Magic Quadrant for Endpoint Protection Platforms for the fifth consecutive year. SentinelOne's Singularity Platform utilizes AI and machine learning to offer advanced cybersecurity across all devices and operating systems. The platform integrates EDR, CNAPP, Hyperautomation, and AI SIEM, and is authorized at FedRAMP High, ensuring top-level U.S. federal cloud security. SentinelOne's innovations in AI-driven security allow faster detection and response times, reducing manual triage and integrating seamlessly with existing tools. The platform's capabilities are crucial for sectors like healthcare and finance where rapid response can prevent significant regulatory penalties or breaches. SentinelOne provides a single-agent, single-console solution, simplifying deployment and management while maximizing operational continuity. Customer feedback highlights significant improvements with a 338% ROI over three years and major reductions in incident response times during critical threats. The company's enduring commitment to AI and automation has transformed SOC operations and set new standards in endpoint security resilience and effectiveness.
2025-07-31 10:25:06 thehackernews CYBERCRIME Cybercriminals Hack ATMs Using Raspberry Pi and 4G Modem
UNC2891, a financially motivated threat actor, used a Raspberry Pi with a 4G connection to breach ATM networks and perform unauthorized transactions. The Raspberry Pi was discreetly connected to the bank's network, allowing the cybercriminals to bypass traditional security measures such as perimeter firewalls. The attackers employed TINYSHELL, a backdoor for establishing a command-and-control channel, and CAKETAP, a rootkit designed to manipulate ATM transactions and hide malicious activities. The group has been associated with previous attacks targeting ATM infrastructure, indicating extensive knowledge of Linux and Unix-based systems. Group-IB identified additional backdoors on the network monitoring server, which maintained persistent access even after the initial breach hardware was removed. The attack was ultimately disrupted before significant financial damage could occur, although the attackers maintained access through compromised internal systems. This incident underscores the growing trend of cyber-physical attacks and the potential dangers of devices with remote access capabilities within sensitive financial environments.
2025-07-31 10:00:12 thehackernews MISCELLANEOUS Overcoming SIEM Limitations in Modern Security Operations
Security Operations Centers (SOCs) face increasing challenges with rising log volumes, complex threats, and staff shortages. Traditional SIEMs struggle with the massive influx of data, leading to bottlenecks, especially in cloud and OT environments. Many SOCs report significant time wasted on false positive alerts due to the inability of SIEMs to provide sufficient context for security events. Transitioning to SaaS-based SIEMs does not always solve these issues and introduces new problems such as increased costs during high data events and compliance concerns. Modern detection alternatives focus on metadata and behavioral analysis rather than raw log data, reducing false positives and focusing alerts. Newer Network Detection & Response (NDR) platforms cater to modern hybrid IT and OT environments by utilizing adaptive machine learning. A shift to modular, scalable SOC architectures incorporating behavior analytics and decentralized logging is necessary for effective modern cybersecurity management. Emphasizing intelligent data use and automated processes in SIEM-independent platforms can enhance security operations and reduce analyst fatigue.
2025-07-31 10:00:12 bleepingcomputer MISCELLANEOUS Proton Launches Free Privacy-Focused Authenticator App
Proton has introduced a new two-factor authentication app, Proton Authenticator, available for multiple platforms including Windows, macOS, Linux, Android, and iOS. The app generates time-based one-time passwords (TOTPs) that enhance security by expiring every 30 seconds, avoiding common security issues like phishing or SIM swapping. Proton Authenticator is designed to be privacy-centric: it is free of ads and trackers, does not enforce vendor lock-in, and does not require a Proton account to use. Unlike many competitors, Proton's solution is open-source, though the source code release is pending a few weeks post-launch. The application supports secure syncing across devices and allows for easy migration through import and export functions, a feature not available in many other popular 2FA apps. Features of the app include automatic encrypted backups and additional security measures such as biometric or PIN app locking. This initiative aligns with Proton's commitment to privacy and security, distinguishing itself from other tech giants' 2FA solutions that integrate with broader surveillance ecosystems. The Authenticator app positions itself as a more secure alternative to 2FA methods that rely on SMS or email, which are vulnerable to several types of cyber threats.
2025-07-31 08:36:22 theregister MISCELLANEOUS Challenges and Implications of the UK's Proposed VPN Ban
The UK's Online Safety Act (OSA) has prompted a significant increase in VPN usage, with companies reporting a 1,400% rise in sign-ups, as younger users seek ways to bypass new age verification systems. Experts argue that a complete ban on VPNs, as considered by the government, is unenforceable and unrealistic, likening it to banning smoking in private homes. Such a ban could push VPN usage underground, creating a black market, and force ISPs to block legitimate encrypted traffic, which could potentially regulate an entire industry out of existence. The UK's largest mobile network operator, EE, has launched SIM cards for under-18s blocking access to inappropriate content, despite already offering parental controls. Other methods of controlling VPN usage, such as traffic pattern analysis, are deemed expensive and impractical, with many VPNs capable of disguising their traffic as regular HTTPS. Banning VPNs could negatively impact legitimate uses such as enhancing privacy on public networks, with a substantial number of UK citizens using VPNs for personal security. Countries that currently ban VPNs include authoritarian regimes like Russia and China, putting the UK's proposal in a controversial light. There is a strong public backlash against the OSA, evidenced by over 423,000 signatures on a digital petition demanding a repeal, which will trigger a Parliamentary debate.
2025-07-31 06:57:01 thehackernews MALWARE Critical WordPress Theme Vulnerability Leads to Site Takeovers
A critical vulnerability in the "Alone – Charity Multipurpose Non-profit WordPress Theme," identified as CVE-2025-5394, enables hackers to remotely install plugins and execute code. Security researcher Thái An discovered the flaw, which affects all theme versions up to 7.8.3. The exploit allows unauthorized users to upload arbitrary files through AJAX, achieving remote code execution for full site control. Attackers exploited the vulnerability starting July 12, 2025, two days prior to its public disclosure, suggesting pre-emptive monitoring by cybercriminals. Wordfence has recorded over 120,900 attempts to exploit this vulnerability, primarily using backdoors and rogue admin accounts. To safeguard against attacks, WordPress site owners should update to the latest theme version, monitor for unusual admin activity, and review relevant server logs. Common files uploaded during these attacks include "wp-classic-editor.zip" and "background-image-cropper.zip," which contain malicious PHP scripts.
2025-07-31 06:34:01 theregister MISCELLANEOUS Enhancing Global Internet Stability Through Improved IXP Oversight
Flavio Luciani, CTO of Namex, emphasizes the critical role of Internet Exchange Points (IXPs) in global internet infrastructure. IXPs facilitate network traffic exchange, reduce latency, lower costs, and enhance connectivity reliability by allowing direct peering among networks. The collective capacity of the 1,519 active IXPs is over 2 million Gbps, demonstrating their scale and the extent of their impact on global data flow. Despite their importance, IXPs often lack visibility in public and policy discourse, are excluded from national critical infrastructure protections, and may suffer from governance and security weaknesses. Luciani cites instances where robust IXP networks have mitigated the impact of major internet outages, contrasting with areas with weaker IXP presence that experienced severe disruptions. He proposes the establishment of an IXP Resilience Observatory in Europe and a coordinated incident response framework to enhance IXP governance and operational transparency. Luciani advocates for the inclusion of IXPs in national and regional cybersecurity and resilience strategies to ensure future-proof and decentralized internet infrastructure.
2025-07-31 02:34:02 theregister NATION STATE ACTIVITY Cyber-Scams Escalate Thai-Cambodian Border Conflict
Tensions between Thailand and Cambodia escalated into a deadly clash near a disputed border area, resulting in over 30 fatalities and the evacuation of tens of thousands. The conflict has historical roots but was intensified by issues linked to cyber-scam operations purportedly involved in human rights abuses and located near the border. Cambodian camps accused of enslaving workers in cyber-scam activities reportedly generate significant revenue, supposedly up to half of Cambodia's GDP, with possible governmental collusion. Thailand threatened to sever utilities to Cambodia to disrupt these scam operations, aligning with its broader foreign policy goals and contributing to heightened tensions. International bodies and other nations, including China, have taken note and intervened, aiming to dismantle these scam networks and rescue affected individuals. Allegations of Cambodian governmental involvement in profiteering from these cyber-scam camps are under investigation. Global human rights groups and the United Nations are raising alarms about the inhumane conditions in the scam camps, influencing international diplomatic relations.
2025-07-31 00:16:48 theregister MISCELLANEOUS Debates Intensify Over Airport Facial Recognition Usage
The TSA has implemented facial recognition technology in 250 US airports since 2017 to improve security and boarding processes. Despite technological accuracy, many passengers are uncomfortable with facial recognition, and the opt-out process isn't widely disclosed or facilitated by airport personnel. The Algorithmic Justice League reported that over two-thirds of passengers opting out receive negative treatment from airport staff. Recent studies reveal that over 60% of travelers fear their facial data might be misused by third parties, and 74% were uninformed about the technology's deployment. A bipartisan group of senators is pushing the Traveler Privacy Protection Act to preserve travelers' rights to opt out of facial scanning and to protect their data. Critics, including the Security Industry Association, argue that restricting facial recognition technology could undermine national security and hinder technological advancements in airport operations. TSA claims that the captured facial images are not stored except in specific testing scenarios aimed at evaluating tech efficacy. The ongoing legislative debates highlight profound concerns about privacy, efficacy, and the ethical implications of biometric surveillance at airports.
2025-07-30 20:01:36 bleepingcomputer DATA BREACH ShinyHunters Linked to Multiple High-Profile CRM Data Breaches
ShinyHunters, identified as UNC6040, orchestrated data theft from Salesforce CRM instances used by companies like Qantas, Allianz Life, and LVMH. The group utilized voice phishing attacks, impersonating IT support to trick employees into providing access via a malicious OAuth app. Google's Threat Intelligence Group reported these social engineering attacks targeting Salesforce customers using email and voice phishing. High-profile breaches involved third-party CRM systems, with unauthorized access reported at Adidas, Qantas, and subsidiaries of LVMH. Affected companies have not confirmed Salesforce as the compromised platform, but evidence implies its involvement. ShinyHunters attempted to extort affected companies privately; however, they may leak stolen data if these attempts fail. Confusion exists within the cybersecurity community regarding the overlap of tactics and members between ShinyHunters and other hacking groups such as Scattered Spider. Salesforce has emphasized the importance of customer vigilance and adherence to security best practices to mitigate such attacks.
2025-07-30 19:01:21 bleepingcomputer CYBERCRIME Python Developers Targeted by Phishing Attacks Via Fake PyPI Site
The Python Software Foundation has warned of phishing attacks aimed at Python developers using a counterfeit Python Package Index (PyPI) site. The phishing scheme involves emails purportedly from PyPI, asking users to verify their email addresses on a fraudulent website that mimics the legitimate PyPI portal. The attackers attempt to harvest credentials by misleading users into logging into the fake site, potentially compromising their accounts. The credentials stolen during these phishing attacks could be used to introduce malware into Python packages or to distribute malicious software on the platform. PyPI administrators have responded by adding a warning banner on the official site and are coordinating efforts with CDN providers and name registrars to shut down the phishing operation. The Python Software Foundation advises developers who might have divulged their credentials to change their passwords and review their security history for any unusual activity. Recent related challenges include a temporary suspension of new user registrations and project creations in March 2024, following a malware campaign linked to uploaded malicious packages.
2025-07-30 18:25:36 theregister DATA BREACH Neglected AI Security Leads to Rising Data Breach Incidents
IBM's "Cost of a Data Breach Report 2025" highlights increasing security incidents in AI implementations due to inadequate security and governance measures. Out of 600 surveyed organizations, 13% reported security breaches involving AI, primarily due to insufficient AI access controls, affecting 97% of those impacted. The majority of breaches were linked to third-party vendor compromises, particularly in Software as a Service (SaaS) applications and associated supply chains. Common consequences of these AI-related security incidents included operational disruptions, unauthorized data access, financial losses, and reputational damage. Shadow AI, or the unauthorized use of AI tools within organizations, poses a significant security risk as it often goes undetected, making it a prime target for exploitation. Despite recurring security concerns, 87% of organizations lack proper governance to mitigate AI risks, with many also failing to conduct regular risk assessments or adversarial testing on their AI models. The report underscores a pressing need for better AI security practices as organizations prioritize rapid AI adoption over comprehensive security and risk management.
2025-07-30 18:03:59 bleepingcomputer RANSOMWARE SafePay Ransomware Threatens Release of Ingram Micro Data
The SafePay ransomware gang claims to have captured 3.5TB of data from IT distributor Ingram Micro and is threatening to leak it. Ingram Micro is a major global provider of IT solutions, including hardware, software, and logistical support. The SafePay ransomware operation, which started in September 2024, has become notable for stealing and potentially leaking victims' data. The ransomware attack led to a global outage for Ingram Micro, prompting an operational shutdown with employees working remotely. Ingram Micro has responded quickly, managing to restore significant internal systems and functionalities within days of the attack. Despite recovery efforts, SafePay's potential impact through data leakage remains a concern, with the actual data breach details not confirmed by Ingram Micro. SafePay is filling the operational void left by other ransomware groups like LockBit and BlackCat, indicating a strategic and expansive threat landscape.
2025-07-30 17:47:09 bleepingcomputer MALWARE Hackers Exploit Vulnerability in WordPress Theme for Full Control
Hackers are actively exploiting a critical vulnerability in the WordPress 'Alone' theme, affecting versions up to 7.8.3. The issue, identified as CVE-2025-5394, enables unauthorized file uploads leading to remote code execution and potential site takeovers. Wordfence, a WordPress security firm, has blocked over 120,000 attempts to exploit this flaw, which began before the flaw was publicly disclosed. The vulnerability allows attackers to upload webshells, install PHP backdoors, or create hidden admin accounts, gaining complete control over the affected websites. Signs of compromise include new admin users, unexplained ZIP/plugin folders, and specific admin-ajax.php requests. Four IP addresses associated with the attack have been identified, and site administrators are advised to block these immediately. Bearsthemes, the vendor for the Alone theme, released a patch in version 7.8.5 on June 16, 2025, after escalating the issue from early report submissions in May. The exploit comes shortly after a similar attack on another premium WordPress theme, indicating a pattern of attackers targeting premium theme vulnerabilities.
2025-07-30 17:09:16 theregister MISCELLANEOUS Dropbox to Discontinue Password Manager, Users Seek Alternatives
Dropbox is discontinuing its password manager, Dropbox Passwords, in phased steps ending October 28. Users should migrate data by the end of October as access will be completely revoked and data securely deleted. Dropbox Passwords will transition to view-only mode on August 28 and the mobile app will stop working on September 11. Dropbox has endorsed 1Password as an alternative, though it may involve a paid subscription post free trial. The decision to discontinue is aimed at refocusing efforts on enhancing other core features of Dropbox's product line. Dropbox faces substantial competition in the password manager market, influenced by offerings from LastPass, 1Password, and tech giants like Apple, Microsoft, and Google. Corporate changes continue as Dropbox has experienced staff layoffs, and the CEO announced cuts in over-invested or underperforming areas.