Daily Brief

Summaries for each article below are generated automatically.

Total articles found: 11813

Checks for new stories every ~15 minutes

2025-07-21 16:30:51 thehackernews NATION STATE ACTIVITY Chinese Hackers Target African Government IT Services
APT41, a Chinese cyber espionage group, has launched a new espionage campaign against government IT infrastructure in Africa. Researchers uncovered it after detecting suspicious activity on multiple workstations in an affected organization. The malware contained hardcoded names of internal services, IP addresses and proxy servers, indicating the tooling had been tailored to the target environment to keep communication with the attackers' control servers flowing. Key tools included Cobalt Strike and custom C# trojans. A compromised internal SharePoint server was used to relay commands, and the Cobalt Strike beacon was loaded via DLL side-loading. APT41 harvested credentials and moved laterally to gain higher privileges and reach sensitive systems. A lookalike GitHub-style domain helped the traffic blend in while hosting additional payloads. The campaign is the first significant targeting of African governments by this group, suggesting a strategic expansion of its operations.
2025-07-21 16:09:52 bleepingcomputer MISCELLANEOUS ExpressVPN Fixes Bug Exposing User IPs in RDP Sessions
ExpressVPN has fixed a flaw in its Windows client that let Remote Desktop Protocol (RDP) traffic bypass the VPN tunnel and expose users' real IP addresses. The bug, reported by a security researcher on April 25, 2025, was traced to debug code accidentally left in production builds from version 12.97 through 12.101.0.2-beta. Tunnel encryption was not affected, but the remote host, or anyone observing the path to it, could learn the user's real IP address and that an RDP connection was being made. The fix shipped in version 12.101.0.45 on June 18, 2025, and ExpressVPN urges all Windows users to update. The company notes that the impact was limited because RDP is rarely used by individual consumers. The incident shows that even leading privacy vendors struggle to guarantee complete anonymity; ExpressVPN says it is adding automated checks to its build process to keep debug code out of future releases.
2025-07-21 14:34:31 bleepingcomputer DATA BREACH Dior Notifies U.S. Customers of Data Breach Incident
Dior has begun sending data breach notifications to its U.S. customers following a cybersecurity incident that occurred on January 26, 2025. An unauthorized party accessed personal information held in a Dior database; no payment details were compromised. The breach was detected on May 7, 2025, prompting an internal investigation and containment measures. Dior, a French luxury fashion brand within the LVMH group, confirmed the incident after similar breaches affected other LVMH brands. Affected customers are being offered 24 months of free credit monitoring and identity theft protection and are advised to watch for scams and phishing attempts that reuse the stolen details. The breach has been linked to the other LVMH brand incidents, which were reportedly carried out by the ShinyHunters group through a third-party vendor.
2025-07-21 12:04:24 theregister NATION STATE ACTIVITY Iran's MOIS Linked to Advanced Android Spyware Post-Conflict
Lookout security researchers have linked four new Android spyware samples to Iran's Ministry of Intelligence and Security (MOIS). The malware is disguised as VPN apps named Earth VPN and Comodo VPN and targets WhatsApp data along with audio and video recordings. The samples appeared shortly after Israel struck Iranian nuclear sites; one includes "Starlink" in its name, likely as a lure. Lookout attributes the malware, tracked as DCHSpy, to MuddyWater, an espionage group the US sanctioned in 2022 for cyber activity against the US and its allies. The campaign likely targets Iranian dissidents, activists and journalists both inside and outside Iran. New DCHSpy capabilities include expanded collection of WhatsApp data, searches for sensitive files, and exfiltration. Stolen data is encrypted and uploaded to an attacker-controlled SFTP server.
2025-07-21 11:46:27 thehackernews DATA BREACH Microsoft SharePoint Server Zero-Day Exploited in Global Attacks
Microsoft has patched two critical SharePoint Server vulnerabilities (CVE-2025-53770 and CVE-2025-53771) that were already being exploited in the wild. They are bypasses of the fixes for two earlier flaws (CVE-2025-49704 and CVE-2025-49706) that together form the remote code execution exploit chain known as ToolShell. Numerous organizations worldwide reported compromises, prompting an out-of-band advisory and emergency updates from Microsoft. The same weekly recap covers further high-risk vulnerabilities in HPE, Cisco, Google Chrome and NVIDIA products; notes that large language models are spreading through corporate environments faster than existing security controls address the new risks; and describes intrusions that rely on legitimate but vulnerable system tools and on gaps in monitoring rather than on novel malware. Recommended practices include tracking CVE releases and deploying patches promptly, along with continuous monitoring and inspection of the registry for hidden scheduled tasks used for persistence.
2025-07-21 11:37:37 bleepingcomputer CYBERCRIME Over 1,000 CrushFTP Servers Vulnerable to Critical Hijack Attacks
More than 1,000 internet-exposed CrushFTP instances remain vulnerable to a critical flaw tracked as CVE-2025-54309, which lets a remote attacker gain administrative access because of mishandled AS2 validation. All versions before 10.8.5 and 11.3.4_23 are affected. CrushFTP reports active exploitation since July 19, with some customers seeing signs as early as July 18. The vendor recommends keeping servers patched, enabling automatic updates, restricting administrative access with IP allowlisting, and reviewing logs for unusual activity. Shadowserver scans count around 1,040 unpatched servers exposed to potential data theft. The goal of the ongoing attacks is not yet clear, but managed file transfer products are frequent targets for ransomware and data-extortion groups, and CrushFTP itself patched a zero-day in April 2024 that had been exploited for espionage against U.S. organizations.
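The affected-version boundary above is easy to get wrong because CrushFTP hotfix builds carry an underscore suffix (11.3.4_23) that plain string comparison does not order correctly. The following is an added example, not code from the article or from CrushFTP, that parses those version strings and decides whether an instance still needs the CVE-2025-54309 fix; the fixed builds are taken from the summary above, and the treatment of a missing suffix as build 0 and of majors newer than 11 as fixed are assumptions made for the example.

```python
import re

# Fixed builds per the CrushFTP advisory summarised above: everything below 10.8.5 on the
# 10.x line and below 11.3.4_23 on the 11.x line is affected by CVE-2025-54309.
FIXED_BUILDS = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'major.minor.patch[_build]' into a tuple that compares numerically.

    A missing '_build' suffix is treated as build 0 (an assumption for this example),
    so '11.3.4' sorts before '11.3.4_23' and is therefore still vulnerable.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable_to_cve_2025_54309(text: str) -> bool:
    """True if the given CrushFTP version predates the fixed build for its major line."""
    version = parse_version(text)
    fixed = FIXED_BUILDS.get(version[0])
    if fixed is None:
        # No fix exists for majors older than 10; majors newer than 11 are assumed to
        # ship with the fix (assumption for this example, check the vendor advisory).
        return version[0] < 10
    return version < fixed


def triage_inventory(inventory: dict[str, str]) -> list[str]:
    """Return the hostnames from a {host: version} inventory that still need patching."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable_to_cve_2025_54309(ver))


# Constructed sample inventory for demonstration; hostnames and versions are fictional.
SAMPLE_INVENTORY = {
    "mft-01.example.invalid": "11.3.4_22",
    "mft-02.example.invalid": "11.3.4_23",
    "mft-03.example.invalid": "10.8.4",
    "mft-04.example.invalid": "11.3.4",
}

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs the CVE-2025-54309 fix")
```

Feed the function the version string reported by each server (CrushFTP shows it in the admin interface and in its update checker) rather than guessing from the installer filename; the `_23` suffix is exactly the part that distinguishes a patched 11.3.4 from an exposed one.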
2025-07-21 11:28:52 thehackernews MISCELLANEOUS Advanced AI's Role in Enhancing Zero Trust Security Architecture
By 2025, Zero Trust has moved from theory to a baseline security requirement for organizations. AI strengthens Zero Trust by automating adaptive trust decisions and continuous risk evaluation and by handling the large volumes of telemetry those decisions require. Predictive models built on machine learning and deep learning surface threats early by finding patterns and anomalies in historical data, while generative and agentic AI streamline security operations with query generation, scripting and automation of complex tasks. Human-machine teaming remains essential: AI supports but does not replace human judgment in a Zero Trust environment, and risks such as model poisoning and inference tampering make human oversight of the AI itself necessary. The SANS SEC530 course teaches this human-machine collaboration as part of implementing Zero Trust in hybrid enterprises, and a SANS live training event in fall 2025 will cover practical applications of AI in Zero Trust.
2025-07-21 11:11:15 bleepingcomputer MISCELLANEOUS Exclusive StackSocial Deal Offers Lifetime Babbel Subscription
StackSocial is offering a lifetime Babbel subscription for $159, down from $599. Babbel covers 14 languages with lessons built around practical conversation: navigating a city, ordering food and other everyday interactions. Lessons run roughly 10 to 15 minutes so they fit into a daily routine, and the app adds an AI conversation partner with speech recognition for real-time practice and feedback, plus personalized review sessions to reinforce what has been learned. The deal is offered through a partnership between StackCommerce and BleepingComputer.com and requires an account at the StackCommerce store; the promotional code "LEARN" must be applied by July 24.
2025-07-21 11:01:34 bleepingcomputer CYBERCRIME Dell's Test Lab Breached by World Leaks in Extortion Attempt
Dell confirmed that the World Leaks extortion group breached its Customer Solution Centers platform, an environment used for product demonstrations. The data involved was mainly synthetic or publicly available material used in demos, including fabricated sample medical and financial records; the only genuine data taken was an old contact list. Dell says the platform is isolated from its main customer and partner systems. World Leaks, formerly known as Hunters International, has shifted from ransomware to pure data extortion, stealing data rather than encrypting it. Dell has not disclosed how the breach occurred or commented on the ransom demands while its investigation continues. World Leaks claims more than 280 victims worldwide since its inception, but has not yet published the Dell data. The incident reflects a broader trend of cybercriminals moving away from ransomware toward direct data extortion.
2025-07-21 06:36:08 theregister CYBERCRIME Alaska Airlines Grounds Fleet Due to IT Outage Amid Cyber Concerns
Alaska Airlines temporarily grounded its entire fleet because of an IT outage. The airline has not stated the cause, which has prompted speculation about a cyberattack; a ransomware gang known for recent attacks on airlines could be involved, though nothing has been confirmed. Only 11 of Alaska's 325 aircraft were flying when the outage struck, largely because it happened late at night. The airline says it is working to restore its systems and has advised passengers to check flight status before travelling. Recent incidents at other airlines have heightened cybersecurity concerns across the aviation sector, and this situation is still developing.
2025-07-21 06:21:10 thehackernews CYBERCRIME PoisonSeed Hackers Exploit QR Codes to Bypass FIDO Key Security
A threat actor tracked as PoisonSeed has found a way around FIDO key protection by combining QR phishing with abuse of the cross-device sign-in feature. Victims receive a phishing email that leads to a fake Okta portal, and credentials entered there are immediately replayed by the attacker against the real portal. Rather than presenting the victim's security key, the attacker selects cross-device sign-in, which makes the legitimate login page generate a QR code; the phishing site relays that code to the victim, and when the victim scans it with their phone and approves, it is the attacker's session that becomes authenticated. No weakness in the FIDO keys themselves is exploited: a legitimate feature is used to downgrade the authentication flow and detach the security key from the login it is meant to protect. In one case the attackers went on to enroll their own FIDO key on the compromised account, which shows that phishing-resistant authentication has to be enforced on every account action, including authenticator enrollment, not just at initial login. Researchers describe this as one more round in the continuing contest between defenders and attackers over account security.
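The attack leaves two signals an identity team can hunt for: a cross-device sign-in initiated from somewhere the user has no login history, and a new FIDO authenticator enrolled shortly after such a sign-in. The following is an added example, not code from the article or from the researchers who documented PoisonSeed, that runs both checks over a constructed event timeline. The event schema (`AuthEvent` with a `kind` of `login`, `cross_device_login` or `fido_enroll`) is a hypothetical simplification for the example and does not match any vendor's real log format; map your provider's event types onto it before use.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    """Normalised identity-provider event. The schema is a hypothetical
    simplification for this example, not any vendor's real log format."""
    ts: datetime
    user: str
    kind: str      # "login", "cross_device_login" or "fido_enroll"
    ip: str
    country: str


def known_countries(events, user, before, lookback=timedelta(days=30)):
    """Countries the user completed ordinary logins from in the lookback window before `before`."""
    return {
        e.country for e in events
        if e.user == user and e.kind == "login" and before - lookback <= e.ts < before
    }


def detect_cross_device_abuse(events, enroll_window=timedelta(hours=1)):
    """Return (rule, user, ip, timestamp) alerts for two PoisonSeed-style signals:
    a cross-device sign-in from a country absent from the user's login baseline, and a
    FIDO authenticator enrolled within `enroll_window` after any cross-device sign-in."""
    alerts = []
    ordered = sorted(events, key=lambda e: e.ts)
    for i, e in enumerate(ordered):
        if e.kind != "cross_device_login":
            continue
        baseline = known_countries(ordered, e.user, e.ts)
        if baseline and e.country not in baseline:
            alerts.append(("cross_device_login_from_new_country", e.user, e.ip, e.ts))
        for later in ordered[i + 1:]:
            if later.ts - e.ts > enroll_window:
                break  # events are time-ordered, nothing later can fall in the window
            if later.user == e.user and later.kind == "fido_enroll":
                alerts.append(("fido_enroll_after_cross_device_login", e.user, later.ip, later.ts))
    return alerts


# Constructed sample timeline: fictional users, RFC 5737 documentation addresses.
T0 = datetime(2025, 7, 21, 9, 0)
SAMPLE_EVENTS = [
    AuthEvent(T0 - timedelta(days=5), "alice", "login", "198.51.100.10", "US"),
    AuthEvent(T0 - timedelta(days=2), "alice", "login", "198.51.100.11", "US"),
    AuthEvent(T0 - timedelta(days=4), "bob", "login", "198.51.100.20", "US"),
    # bob uses cross-device sign-in from his usual country and enrolls nothing: benign.
    AuthEvent(T0, "bob", "cross_device_login", "198.51.100.21", "US"),
    # alice's account: cross-device sign-in from an unfamiliar country, then a new key enrolled.
    AuthEvent(T0 + timedelta(minutes=5), "alice", "cross_device_login", "203.0.113.5", "DE"),
    AuthEvent(T0 + timedelta(minutes=17), "alice", "fido_enroll", "203.0.113.5", "DE"),
]

if __name__ == "__main__":
    for alert in detect_cross_device_abuse(SAMPLE_EVENTS):
        print(alert)
```

The geography check is a heuristic and will miss an attacker operating from the victim's own country; the enrollment check is the stronger signal, because a legitimate user who just authenticated with their existing key rarely needs to register a new one minutes later. Treat any hit on the second rule as a prompt to revoke the new authenticator and the sessions created around it.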
2025-07-21 06:01:50 theregister MISCELLANEOUS Discovery Beyond Pluto Challenges Planet 9 Theory
Japan's National Astronomical Observatory has discovered a new celestial body, 2023 KQ14, orbiting beyond Pluto, using the Subaru Telescope. Its unusual orbit challenges the existing "Planet 9" hypothesis and may reshape models of the outer solar system; one possibility under consideration is that an ancient planet was ejected from the solar system, leaving the odd orbits seen today. Further observation and analysis are needed to work out what the find means for theories of planetary and solar system formation. The same regional roundup reports that the Australian political party Trumpet of Patriots suffered a significant data breach but chose not to notify the affected individuals, raising privacy concerns; that Indian mobile carrier Bharti Airtel's partnership with Perplexity AI gives 360 million customers access to its AI research tools; and that NEC will build a new subsea cable linking Japan and Singapore to support high-bandwidth applications.
2025-07-21 04:43:06 bleepingcomputer CYBERCRIME Microsoft Issues Urgent Fixes for SharePoint Security Flaws
Microsoft has released emergency patches for two SharePoint Server zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which are being exploited in the global "ToolShell" attacks that have hit at least 54 organizations. The flaws bypass the fixes Microsoft shipped earlier for the original ToolShell chain, so servers that took the previous update remained exposed. Emergency updates are available for SharePoint Subscription Edition and SharePoint Server 2019; the update for SharePoint Server 2016 was still in development at publication time. SharePoint Online in Microsoft 365 is not affected. Administrators are advised to install the updates immediately and then rotate the servers' ASP.NET machine keys and restart IIS: the exploit can steal the existing keys, so an attacker who already has them can keep forging authenticated requests against a patched server until the keys are replaced. Microsoft has also published a Microsoft 365 Defender query to help administrators check their servers for signs of exploitation.
2025-07-21 04:11:20 thehackernews CYBERCRIME Widespread Cryptojacking Campaign Targets Over 3,500 Websites
Researchers have identified a cryptojacking campaign affecting more than 3,500 websites worldwide that relies on stealthy JavaScript. The injected script first measures the visitor's device, then spins up Web Workers to mine cryptocurrency in the background, and uses a WebSocket channel to receive mining tasks sized to the device's capabilities so that CPU usage stays low enough to avoid notice. Visitors to the affected sites mine for the attackers without their knowledge or consent. The domains serving the miner have previously been tied to Magecart credit card skimming, so the same infrastructure now supports both resource theft and financial fraud against website visitors. Researchers describe the approach as a "digital vampire": stay hidden and drain resources slowly rather than spike them. Parallel Magecart campaigns are targeting East Asian e-commerce platforms with fake payment forms to steal bank details.
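The combination described above (probing core count, spawning Web Workers, pulling work over a WebSocket, and throttling to stay quiet) is a recognisable shape even before a script is deobfuscated. The following is an added example, not code from the article or from the researchers' report, that scores a page script against those indicators and pulls out the WebSocket endpoints for blocking; the indicator list and weights are an illustrative scoring scheme chosen for this example, not a published signature set, and the two script samples are constructed and non-functional.

```python
import re

# Indicator weights: an illustrative scoring scheme for this example, not a published
# signature set. Each entry maps a name to (regex, weight).
INDICATORS = {
    "worker_spawn":      (re.compile(r"new\s+Worker\s*\("), 2),
    "blob_worker":       (re.compile(r"new\s+Blob\s*\("), 2),
    "core_count_probe":  (re.compile(r"navigator\.hardwareConcurrency"), 2),
    "websocket_channel": (re.compile(r"new\s+WebSocket\s*\(\s*['\"]wss?://"), 2),
    "hash_algorithm":    (re.compile(r"\b(cryptonight|randomx|keccak|blake2b|sha3)\b", re.I), 3),
    "throttle":          (re.compile(r"\b(requestIdleCallback|throttle|setTimeout)\b"), 1),
}
WS_ENDPOINT = re.compile(r"wss?://[^'\"\s]+")
SUSPICIOUS_THRESHOLD = 6  # assumption for the example: worker + core probe + socket, or any two plus a hash name


def score_script(source: str) -> dict:
    """Score one script body and report which indicators fired and which WebSocket URLs it uses."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(source)]
    score = sum(INDICATORS[name][1] for name in hits)
    return {
        "score": score,
        "indicators": hits,
        "endpoints": sorted(set(WS_ENDPOINT.findall(source))),
        "suspicious": score >= SUSPICIOUS_THRESHOLD,
    }


# Constructed, non-functional script shaped like the miner described above.
MINER_SAMPLE = r"""
var threads = navigator.hardwareConcurrency || 2;
var url = URL.createObjectURL(new Blob([workerSrc]));
for (var i = 0; i < threads; i++) { workers.push(new Worker(url)); }
var ws = new WebSocket('wss://pool.example.invalid/ws');
ws.onmessage = function (m) { workers.forEach(function (w) { w.postMessage(m.data); }); };
function step() { setTimeout(step, 50); }
"""

# Constructed benign script: a chat widget that also uses a WebSocket and a timer.
BENIGN_SAMPLE = r"""
var sock = new WebSocket('wss://chat.example.invalid/socket');
sock.onmessage = function (ev) { render(JSON.parse(ev.data)); };
setTimeout(ping, 30000);
"""

if __name__ == "__main__":
    for label, src in (("miner", MINER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_script(src))
```

A WebSocket on its own is not evidence of anything; it is the co-occurrence with worker spawning and a core-count probe that separates the miner from the chat widget. Real miners are usually packed or obfuscated, so run this over the script after deobfuscation or, better, on the strings the browser actually evaluates, and treat the endpoints list as a starting point for blocking rather than a complete one.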
2025-07-21 03:55:14 thehackernews CYBERCRIME HPE Fixes Critical Flaws in Instant On Access Points
Hewlett Packard Enterprise (HPE) has released security updates for critical vulnerabilities in its Instant On Access Points. The most severe, CVE-2025-37103 (CVSS 9.8), is a hard-coded credential flaw that allows unauthorized administrative access. The second, CVE-2025-37102 (CVSS 7.2), is a command injection that permits command execution with elevated privileges. Chaining the two would let an attacker take over the administrative interface and then run arbitrary commands on the device. Both issues were reported by the Ubisectech Sirius Team and are fixed in software version 3.2.1.0 for HPE Networking Instant On Access Points. HPE confirms that other products, including Instant On Switches, are not affected. No exploitation in the wild has been reported so far, but users should update promptly: hard-coded credentials are trivial to exploit once they become public.