Daily Brief

Total articles found: 11813

2025-07-23 11:06:24 thehackernews MALWARE Advanced Statistical Approaches Improve Kerberoasting Attack Detection
Kerberoasting remains a significant threat in Windows Active Directory environments, exploiting the Kerberos authentication protocol. Traditional detection methods, such as heuristic-based approaches, struggle with high false positives and miss subtle, low-and-slow attack tactics. The BeyondTrust research team has developed a statistical model aiming to enhance detection accuracy by analyzing patterns and reducing false positives. This new model groups similar Kerberos ticket-request patterns into clusters, analyzing frequency and behavior to establish what 'normal' looks like for each group. Initial testing across 1,200 hours demonstrated promising results, enhancing the ability to detect anomalies while understanding typical user behaviors. Collaboration between security researchers and data scientists proved crucial, blending contextual security insight with advanced data analysis techniques. While improving detection, it's also recommended to implement proactive identity security measures to mitigate risks associated with Kerberoasting. The research team's efforts indicate that even well-known attack methodologies like Kerberoasting can be countered more effectively with innovative detection models.
2025-07-23 09:34:47 thehackernews MALWARE Google Initiates OSS Rebuild for Open-Source Security Enhancement
Google has launched OSS Rebuild, aiming to enhance the security of open-source packages and protect against software supply chain attacks. OSS Rebuild provides security metadata to validate the origin of packages and confirm that they have not been altered, contributing to safer software dependencies. The project targets packages from major registries such as the Python Package Index, npm, and Crates.io, with plans to expand further. It employs declarative build definitions, build instrumentation, and network monitoring to recreate package builds and compare them with existing artifacts. OSS Rebuild uses SLSA Provenance to publish build definitions and outcomes, allowing for the verification of package origins and the repeatability of secure builds. The solution aids in detecting compromises within the supply chain, enhancing Software Bills of Materials, accelerating vulnerability responses, and reinforcing trust in packages. Whenever automatic reproduction of a package fails, OSS Rebuild provides a manual build specification to maintain security standards. This initiative reduces the dependency on CI/CD platforms for managing package security, shifting the control back to security teams and developers.
2025-07-23 06:28:11 thehackernews CYBERCRIME CISA Reports Active Attacks on Newly Disclosed SysAid Vulnerabilities
CISA has added two newly exploited SysAid software vulnerabilities to its Known Exploited Vulnerabilities catalog. The vulnerabilities allow Server-Side Request Forgery (SSRF) and unauthorized remote file access. Research by watchTowr Labs uncovered these flaws alongside CVE-2025-2777, a critical pre-authenticated XXE vulnerability. SysAid addressed these vulnerabilities in March 2025 with an updated software release (version 24.4.60 build 16). The specifics of the threats, including attacker identities and intents, remain unclear. Federal Civilian Executive Branch agencies are mandated to implement the updates by August 12, 2025, to mitigate risks. Attackers could also potentially execute remote code by exploiting these vulnerabilities in combination with another flaw from CyberArk.
2025-07-23 04:45:11 thehackernews NATION STATE ACTIVITY Chinese Hackers Exploit SharePoint Flaws, CISA Mandates Patch
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has required all Federal Civilian Executive Branch (FCEB) agencies to patch Microsoft SharePoint vulnerabilities CVE-2025-49704 and CVE-2025-49706 by July 23, 2025, due to evidence of active exploitation by Chinese hacking groups. Chinese groups identified as Linen Typhoon and Violet Typhoon have been exploiting these vulnerabilities since July 7, 2025, to gain unauthorized access to on-premises SharePoint servers. The vulnerabilities form a chain of a spoofing flaw and a remote code execution (RCE) flaw, collectively named ToolShell. Microsoft's assessments indicate that CVE-2025-53770, an authentication bypass and RCE bug, is key to exploiting these vulnerabilities. Microsoft has confirmed that CVE-2025-53771 and related flaws serve as patch bypasses, complicating mitigation strategies. Despite mitigation efforts like the Antimalware Scan Interface (AMSI), watchTowr Labs successfully devised methods to bypass these protections, indicating the severe limitations of relying solely on AMSI without patching. CISA, continuing to update its Known Exploited Vulnerabilities Catalog with assistance from Microsoft, emphasizes the importance of compliance with the patching directive given the sophistication of the attacks and the potential for significant breaches.
2025-07-23 03:13:50 theregister NATION STATE ACTIVITY China Alerts to Backdoored Tech and Undersea Surveillance Threats
The Chinese Ministry of State Security has issued warnings about backdoored devices and supply chain attacks, particularly targeting foreign technologies. The Ministry advises against using foreign tech products and encourages purchasing domestic technology to mitigate information security risks. Concerns are also raised over potential foreign espionage in China’s territorial waters, using covert backdoored undersea devices. A recent incident involved Chinese fishermen discovering a device suspected of gathering hydrological data and monitoring ship activities covertly. The Ministry suggests that foreign intelligence agencies and possibly international organizations may be involved in undersea surveillance and data theft. These actions by foreign entities are described as threats to China’s national security. Chinese citizens are urged to educate themselves about cybersecurity risks, maintain vigilance, and report any suspicious activities to authorities.
2025-07-22 21:34:47 bleepingcomputer MALWARE Lumma Infostealer Malware Resurfaces Post Law Enforcement Disruption
The Lumma infostealer malware operation has resumed after a major law enforcement crackdown in May, involving the seizure of 2,300 domains. Despite considerable disruptions, Lumma's malware-as-a-service (MaaS) was not completely shut down; restoration began almost immediately post-seizure. The malware network has almost returned to its original activity level before the crackdown, facilitated by new infrastructure and trust rebuilding within the cybercrime community. Trend Micro reports a swift resurgence in operations, with network telemetry showing rapid infrastructure rebuilding by Lumma operators. Lumma now utilizes alternative legitimate cloud providers, including Russian-based Selectel, to evade further takedowns. The malware is distributed through four main channels, indicating a robust and diversified infection strategy. The persistence and recovery of Lumma indicate that current law enforcement strategies may need revisions, as arrests or indictments are essential to curb such resilient cybercrime activities.
2025-07-22 21:14:42 theregister NATION STATE ACTIVITY U.S. Cyber Defense Program CyberSentry Funding Expires Amid Threats
The U.S. government failed to renew funding for the CyberSentry program, ceasing its operations at Lawrence Livermore National Laboratory (LLNL). CyberSentry aims to detect emerging cyber threats on critical infrastructure networks, focusing on sectors like energy, healthcare, and water. The program identified and monitored foreign espionage activities and potentially harmful malware targeting operational technologies. The halt in funding means LLNL can no longer analyze data from network sensors, decreasing visibility into ongoing cyber threats. Testimonies reveal cybersecurity weaknesses in U.S. critical infrastructure, with calls for urgent preparation against potential major attacks. LLNL had success in the past, such as detecting intrusive Chinese surveillance cameras embedded in U.S. infrastructure. The program's cessation is part of a broader issue of unstable funding and staffing challenges at the Cybersecurity and Infrastructure Security Agency (CISA). Officials express concerns over national security risks due to the funding gap, echoing previous issues with the CVE program run by MITRE.
2025-07-22 17:55:33 bleepingcomputer MALWARE Coyote Malware Exploits Windows UI for Banking Data Theft
A newly evolved variant of the Coyote banking trojan is now exploiting the Microsoft UI Automation (UIA) framework to potentially steal credentials from users of banking and cryptocurrency exchange websites. Microsoft UIA is an accessibility framework that interacts with UI elements in applications, which the malware abuses to inspect and control user interfaces covertly. This technique allows the malware to evade traditional endpoint detection and response (EDR) systems, posing a significant challenge to current cybersecurity defenses. Initially detected in February 2024, Coyote has targeted 75 specific financial and cryptocurrency services, primarily focusing on Brazilian institutions. The malware identifies targeted sites by extracting web addresses from browser UI elements like tabs or address bars, checking them against a predefined list of services. Besides using keylogging and phishing overlays, Coyote's latest variant leverages UIA for data theft, marking an advancement in its capabilities. Microsoft has yet to respond to queries about potential updates or safeguards against such misuse of its accessibility features.
2025-07-22 17:46:22 theregister MALWARE Urgent Alert for Arch Linux Users to Remove Compromised Browsers
Arch Linux issued a security alert advising users to uninstall and reinstall Firefox, LibreWolf, and Zen browsers due to compromised packages in the Arch User Repository (AUR). The compromised packages, identified as librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin, contained a Remote Access Trojan (RAT). The malicious packages were available on AUR on July 16 and were promptly removed less than two days after discovery. Users are advised to take further precautions to ensure their systems were not compromised by checking for unknown processes and unusual network traffic. The AUR, while providing extensive software options for Arch users, is often less regulated and has historically been susceptible to similar malware incidents. Arch Linux’s infrastructure, relying on community contributions to AUR, poses both strengths in diversity of available software and risks in security. The Register has reported similar malware issues affecting other software repositories, emphasizing the ongoing challenge of securing software supply chains. This incident underscores the necessity for users to maintain vigilance and practice robust security hygiene, especially when utilizing community-supported repositories.
2025-07-22 17:40:02 bleepingcomputer CYBERCRIME Interlock Ransomware Escalates Attacks on Global Industries
CISA, the FBI, and other agencies issued a warning regarding rising Interlock ransomware activity affecting businesses and critical infrastructure. Interlock ransomware, identified in September 2024, has increasingly targeted various sectors worldwide, particularly healthcare. These ransomware attacks involve data theft and subsequent encryption, pressuring victims to pay ransoms to regain access and prevent data leaks. Notable breaches include DaVita and Kettering Health, with significant data theft and operational disruptions reported. Interlock leverages unique tactics like drive-by downloads from compromised legitimate sites and double extortion schemes. Recent methods also include using the FileFix technique, manipulating Windows UI elements to execute harmful scripts. Recommended defenses include DNS filtering, web access firewalls, routine updates, network segmentation, ICAM policies, and mandatory multifactor authentication. The advisory provides network defenders with the latest indicators of compromise and strategic mitigation measures to thwart such ransomware attacks.
2025-07-22 17:31:28 bleepingcomputer DATA BREACH Major European Healthcare Provider Suffers Significant Data Breach
AMEOS Group, a large healthcare network in Central Europe, reported a security breach impacting customer, employee, and partner data. The breach involved unauthorized access to the healthcare provider's IT systems, despite extensive security measures. AMEOS operates over 100 healthcare facilities, employs around 18,000 staff, and generates more than $1.4 billion in annual revenue. All IT systems were shut down, and network connections were severed to mitigate the breach; external IT and forensic experts were enlisted for aid. Data protection authorities in Switzerland, Germany, and Austria were notified, and a criminal complaint has been filed. AMEOS has advised individuals associated with their facilities to be cautious of potential phishing and scam attempts. While no data has purportedly been disseminated online yet, ongoing investigations continue without evidence of data exposure. Updates will be provided through AMEOS's website as the investigation progresses and new details emerge.
2025-07-22 16:48:22 theregister NATION STATE ACTIVITY Chinese State Groups Exploit Microsoft SharePoint Vulnerabilities
Chinese state-backed groups Linen Typhoon and Violet Typhoon are exploiting recently identified vulnerabilities in on-premises Microsoft SharePoint servers. Linen Typhoon primarily targets entities involved in government, defense, and human rights, focusing on stealing intellectual property. Violet Typhoon engages in espionage, aiming at former government and military personnel, NGOs, think tanks, and sectors like education and media across the US, Europe, and East Asia. A third group, Storm-2603, possibly China-based but not confirmed as state-sponsored, has been using these vulnerabilities for unclear purposes. Microsoft has released patches for the identified vulnerabilities affecting all versions of SharePoint Server, including Subscription Edition, 2019, and 2016. The presence of multiple proofs of concept for exploiting these vulnerabilities on GitHub indicates a high risk of further attacks by various cybercriminal groups. Organizations are strongly urged to apply these security updates immediately to prevent potential breaches and data theft. Microsoft continues to investigate the activities of additional threat actors exploiting these vulnerabilities.
2025-07-22 16:16:50 theregister NATION STATE ACTIVITY Engineer Pleads Guilty to Stealing U.S. Missile Technology Secrets
Chenguang Gong, a dual Chinese-American citizen, admitted to downloading over 3,600 documents containing trade secrets valued in the hundreds of millions of dollars, from two prominent electronics manufacturers. The stolen documents included sensitive information on military technology, such as infrared sensors and radiation-hardened cameras for detecting rocket launches. Gong’s theft was motivated by opportunities in Chinese tech talent programs that offer substantial financial incentives for sharing foreign tech knowledge. The FBI uncovered that Gong had transferred the stolen files between various personal storage devices after accepting a position with a direct competitor in the U.S. Gong’s actions began shortly after he moved to the U.S., and he intensified these activities after transferring to a company that compiles circuits for missile tracking. The engineer has been charged, pleaded guilty, and now faces up to 10 years in prison, highlighting significant concerns about economic espionage and national security. The breach was discovered by Gong's last employer during an IT security audit, which was critical in preventing the wider dissemination of the stolen information.
2025-07-22 15:48:44 thehackernews NATION STATE ACTIVITY Microsoft Exposes Chinese Groups Exploiting SharePoint Flaws
Microsoft identified three Chinese hacker groups exploiting vulnerabilities in SharePoint servers as of July 7, 2025. The groups, named Linen Typhoon, Violet Typhoon, and Storm-2603, utilized these security flaws to gain initial access to target organizations. The vulnerabilities in question were related to spoofing (CVE-2025-49706) and remote code execution (CVE-2025-49704), with new bypass identifiers CVE-2025-53771 and CVE-2025-53770. Attack tactics include using a POST request to the ToolPane endpoint of SharePoint servers, allowing authentication bypass and remote code execution. The attackers deploy a web shell named "spinstall0.aspx" to retrieve and steal critical MachineKey data. Microsoft strongly recommends updating SharePoint systems, rotating ASP.NET machine keys, rebooting Internet Information Services, and deploying enhanced antimalware defenses like Microsoft Defender for Endpoint. Further risks are anticipated if organizations fail to implement recommended security measures and updates promptly.
2025-07-22 15:36:41 theregister MISCELLANEOUS Innovative Tracking Using Wi-Fi Signals as Biometric Identifiers
Researchers at La Sapienza University in Rome have developed "WhoFi," a method to identify individuals based on how their bodies affect Wi-Fi signals. This approach uses Wi-Fi Channel State Information (CSI) to create a unique biometric pattern for each person. WhoFi can track individuals across different locations without the need for them to carry any electronic devices. The technique offers potential advantages over traditional surveillance methods, including privacy preservation and the ability to operate in various light conditions and through obstacles. The system has achieved up to 95.5% accuracy in identifying individuals using a public dataset. The researchers highlight the use of deep neural networks and transformer encoding to process CSI data, making the unique identification more reliable. These findings could influence future developments in security and surveillance technologies using non-visual biometric data.