Daily Brief

Summaries below are auto-generated.

Total articles found: 11813

Checks for new stories every ~15 minutes

2025-07-09 16:34:18 thehackernews CYBERCRIME Gold Melody IAB Targets Organizations via ASP.NET Key Exploits
Initial Access Broker (IAB) group Gold Melody, also known as Prophet Spider and UNC961, is exploiting leaked ASP.NET machine keys to gain unauthorized access to organizations across multiple industries globally. The attacks use ViewState deserialization to run payloads entirely in server memory, reducing traceability and bypassing traditional endpoint detection. The abuse of ASP.NET machine keys for ViewState code injection attacks was first highlighted by Microsoft in 2025, which noted over 3,000 publicly disclosed susceptible keys. The group's operations, mainly targeting the U.S. and European financial services, manufacturing, and technology sectors, were first detected in October 2024. The techniques employed minimize on-disk presence, complicating detection because they leave fewer forensic artifacts and evade legacy EDR systems. Palo Alto Networks Unit 42 recommends enhanced monitoring of anomalous IIS request patterns and .NET application behavior to counter such intrusions. Heightened activity was noted between January and March 2025, involving the deployment of post-exploitation tools and bespoke programs for network reconnaissance and privilege escalation. The campaign reveals significant gaps in cryptographic key management and emphasizes the critical need for comprehensive security frameworks around ASP.NET applications and server environments.
2025-07-09 16:27:00 theregister MISCELLANEOUS The Urgent Shift to Cloud-Native Cyber Resilience Solutions
Organizations are increasingly investing in cyber resilience but are hampered by outdated technologies not suited for modern challenges. Cyber threats are evolving, with attackers utilizing advanced technologies like GenAI for malware creation and social engineering tactics aimed at compromising AI systems and breaching data perimeters. Regulatory pressures are escalating, demanding more refined data protection tools that provide granular control and auditable compliance without excessive manual intervention. The cost of data security is rising due to data sprawl across multiple platforms, requiring more extensive and expensive infrastructure and software tools. Legacy data protection methods are struggling under the pressure of new regulatory, cost, and threat landscapes, necessitating a fundamental change in strategy. Cloud-native solutions offer multi-cloud resilience with proactive threat hunting and AI-powered detection, ideally suiting modern needs and providing a unified response and recovery approach. Industry recognition, such as Druva’s leadership in the Gartner Magic Quadrant, highlights the increasing adoption and necessity of cloud-native cyber resilience platforms. With cyberattacks being an inevitable part of the digital age, adopting cloud-native solutions is essential for future-proofing data protection and ensuring enterprise resilience.
2025-07-09 15:42:45 bleepingcomputer CYBERCRIME Ruckus Networks Faces Unpatched Security Vulnerabilities
Multiple critical security flaws have been reported in Ruckus Wireless Virtual SmartZone (vSZ) and Ruckus Network Director (RND). The vulnerabilities could allow unauthorized remote code execution, use of hardcoded passwords, and exploitation of SSH keys. vSZ manages large-scale WiFi deployments, potentially affecting tens of thousands of connections. No patches are available for the identified security issues, and neither Ruckus Networks nor its parent company, CommScope, has responded. Carnegie Mellon University's CERT Coordination Center (CERT/CC) and Claroty researcher Noam Moshe reported these vulnerabilities. There is a risk of full compromise of managed wireless environments, and the vulnerabilities could be chained for amplified attacks. Recommendations include isolating Ruckus management interfaces and ensuring access only over secure protocols. Attempts by journalists to contact Ruckus have gone unanswered.
2025-07-09 15:20:38 bleepingcomputer RANSOMWARE Ingram Micro Begins Recovery from SafePay Ransomware Attack
Ingram Micro suffered a significant ransomware attack by SafePay right before the July 4th holiday, affecting global operations. The attack led to the shutdown of their website and ordering systems, forcing employees to work remotely. Restoration efforts commenced on Monday, with order processing capabilities partially resumed via telephone and email in several countries, including the US and Canada. By Tuesday, Ingram Micro expanded service restoration, enabling subscription orders and modifications to be processed globally. The company implemented a comprehensive password and multi-factor authentication reset and began restoring VPN access for employees. Despite progress in system restoration, the recovery process is ongoing, with many internal systems related to ordering and logistics back online. The company is transitioning employees gradually back to office settings. It remains unconfirmed whether any data was exfiltrated during the attack; however, the possibility exists due to the SafePay ransomware group's known tactics.
2025-07-09 15:05:13 theregister MISCELLANEOUS Persuasive Strategies for Cybersecurity Investment Approval
Cybersecurity teams face increasing pressure to meet high expectations with limited budgets, as indicated by a recent SANS survey in which 47% of respondents cited budget concerns. Effective communication with boards requires aligning cybersecurity initiatives with business metrics such as risk, revenue, reputation, and regulatory compliance. Security investments must be framed as essential for long-term business resilience and value, not just immediate protection. Data, risk assessments, and metrics should be used to make a compelling, evidence-based case for security investments. Illustrating investment benefits through real-world case studies can enhance the persuasive power of a proposal. Detailing the plan for implementing and maximizing the value of security tools reassures board members about potential returns on investment. Reframing security spending as a crucial business enabler is key to securing executive buy-in and funding.
2025-07-09 14:11:47 bleepingcomputer CYBERCRIME The Critical Flaws of MFA Systems and Modern Cybersecurity Risks
Multi-factor authentication (MFA) methods like SMS and authenticator apps remain fundamentally flawed, giving cybercriminals easy access to personal and corporate accounts. High-profile breaches at companies like Aflac and Erie Insurance highlighted these vulnerabilities, with attackers employing tactics such as MFA bypass requests or sophisticated phishing attacks. Phishing emails and spoofed websites deceive users into entering credentials, exploiting the fact that traditional authenticator apps do not verify the requester or the origin of authentication requests. Recent advisories from entities like the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urge against using SMS as a second authentication factor due to its vulnerability to interception and breaches. Emerging solutions like biometric hardware authenticators, such as Token Ring and Token BioStick, offer enhanced security by requiring physical presence and cryptographically verifying the domain requesting access. These biometric devices are designed to be tamper-proof and phishing-resistant, addressing the core security gaps of previous MFA tools by removing reliance on possibly compromised devices or intercepted codes. The urgent need for advanced authentication methods is underscored by the continuous evolution and sophistication of cyberattacks targeting conventional MFA systems.
2025-07-09 13:34:48 thehackernews NATION STATE ACTIVITY DoNot APT Escalates Cyber Espionage on European Ministries
DoNot Team, a suspected India-linked APT group, targeted a European foreign affairs ministry using LoptikMod malware to harvest sensitive data. Identified by Trellix Advanced Research Center, DoNot Team is also known by names such as APT-C-35 and Origami Elephant and has been active since 2016. The phishing campaign began with emails impersonating defense officials and containing Google Drive links that led to the download of a malicious RAR archive. The malware, disguised as a PDF, installs the LoptikMod remote access trojan, enabling data exfiltration and long-term access by establishing persistence through scheduled tasks. LoptikMod uses advanced evasion techniques including anti-VM measures and ASCII obfuscation, complicating analysis and detection efforts. The command-and-control server used by the attackers is currently inactive, hindering further investigation into ongoing operations and the specifics of data communication. This operation marks a strategic expansion of DoNot APT's interests toward European targets, extending beyond its usual focus on South Asian governmental and defense organizations.
2025-07-09 13:06:37 bleepingcomputer MALWARE ServiceNow Flaw Allows Unauthorized Data Enumeration
A vulnerability in ServiceNow, identified as CVE-2025-3648, enables low-privileged users to access sensitive data they should not be able to see. Discovered by Varonis Threat Labs in February 2025, the flaw stems from misconfigured Access Control Lists (ACLs). Even if only one ACL condition is met, users could access protected resources, contrary to the intended restrictions. ServiceNow has updated its ACL framework in its Xanadu and Yokohama releases to mitigate this issue. Organizations are advised to manually review ACL configurations to ensure data security. Despite the fixes, manipulation of URL-based filters can still enumerate data character by character. The vulnerability could impact multiple industries using ServiceNow, including healthcare, finance, and the public sector. There is no current evidence that the flaw has been exploited in real-world attacks, but monitoring and updates are recommended.
2025-07-09 11:28:36 theregister DATA BREACH Qantas Customer Data Exposed After Third-Party Platform Breach
Qantas disclosed a data breach impacting the personal information of approximately 5.7 million customers following a cyber attack on a third-party platform used by the airline's contact center. Personal data accessed includes names, email addresses, frequent flyer numbers, customer tiers, status credits, and points balances. For around 1 million of those customers, more sensitive information such as phone numbers and physical addresses was also compromised. Qantas has corrected initial reports, clarifying that the total number of affected customers is 5.7 million, not 6 million, because of duplicate records. The airline has implemented additional security measures for its IT systems and Qantas Frequent Flyer accounts to protect against unauthorized access. Affected customers, notably those over the age of 15, will be notified directly about the specifics of the data accessed and are advised to be vigilant against potential scams and phishing attempts. Qantas is actively monitoring for any signs of the leaked data appearing on the dark web, although none has been observed thus far. The breach follows similar recent incidents at other airlines, raising concern about targeted cyber activity against the aviation sector.
2025-07-09 11:28:36 thehackernews NATION STATE ACTIVITY U.S. Sanctions North Korean Hacker in IT Worker Fraud Scheme
The U.S. Treasury sanctioned Song Kum Hyok of North Korea’s Andariel group for his role in a fraudulent remote IT worker scheme. Song allegedly used U.S. identities to create aliases for foreign IT workers to appear as American job seekers. The scheme, also termed Nickel Tapestry and Wagemole, involves North Koreans impersonating U.S. nationals to siphon salaries back to North Korea. Recent U.S. Department of Justice actions include arrests and seizures linked to this North Korean IT worker fraud. Additional sanctions were imposed on a Russian national and four entities participating in similar Russia-based operations involving North Koreans. The operations fund North Korea's weapons of mass destruction and missile programs through complex cryptocurrency transactions, contributing heavily to the country's illicit revenue. International efforts and awareness are increasing, with better collaboration and intelligence sharing highlighted as key to countering these activities. Concurrently, North Korea-aligned hackers continue targeting South Korea with spear-phishing and malware attacks.
2025-07-09 11:04:27 thehackernews MISCELLANEOUS Enhancing Security Management with Automated Workflow Solutions
The Tines platform hosts a library of over 1,000 pre-built security workflows, freely available to security practitioners. Lucas Cantor developed a workflow that uses CrowdStrike, Oomnitza, GitHub, and PagerDuty to manage malware alerts efficiently. The workflow aims to simplify security alert severity assessment and escalation based on the device owner's feedback. The integration of automated ticket creation, device identification, and threat triage helps security teams respond quickly and accurately to malware threats. By automating these processes, the workflow minimizes delays and reduces human error in managing security incidents. The workflow is part of Tines Community Edition and can be imported and set up by following the step-by-step instructions provided. Users need to configure and test the workflow within the Tines platform before it can be fully operationalized.
2025-07-09 09:26:00 theregister RANSOMWARE Ingram Micro Resumes Orders Post-Ransomware Attack Amid Challenges
Ingram Micro has partially restored its ordering processes globally after a significant ransomware attack caused a shutdown. The company believes it has contained the unauthorized access and has remediated the affected systems, implementing additional network safeguards. Although regional ordering capabilities are being reinstated daily, hardware and other technology orders continue to face restrictions. The attack, claimed by SafePay group via a ransom note, threatened data exposure unless ransom demands were met within seven days. Ingram Micro's customer communication has been criticized as insufficient, with customers experiencing long support wait times and automated responses. The financial impact is notable, with potential revenue losses each day of downtime and risks of orders moving to competitors. The security firm Huntress estimates the average cost of recovery from a ransomware attack at around $4.5 million.
2025-07-09 08:45:35 thehackernews NATION STATE ACTIVITY Chinese National Arrested for Cyberattacks, Tied to State-Sponsored Group
Xu Zewei, a 33-year-old Chinese national, was arrested in Milan, Italy for his connections to the state-backed hacking group Silk Typhoon and for conducting cyberattacks on U.S. entities. He faces charges including wire fraud, conspiracy, unauthorized access to protected computers, and aggravated identity theft, related to cyber intrusions from February 2020 to June 2021. Xu is implicated in exploiting vulnerabilities in Microsoft Exchange Server during the COVID-19 pandemic to target over 60,000 U.S. organizations, successfully compromising sensitive data from more than 12,700. These cyberattacks were reportedly directed by the Shanghai bureau of China's Ministry of State Security and executed notably through the Hafnium campaign, through which sensitive information was stolen globally. Xu, who reportedly worked for Shanghai Powerock Network Co. Ltd during the attack period, is resisting extradition, claiming mistaken identity on the grounds that his surname is common and that his mobile phone was stolen in 2020. The Justice Department emphasized China's systemic use of private firms to obscure government involvement in global espionage efforts. Despite the arrest, experts such as John Hultquist of Google Threat Intelligence Group suggest that the capture is unlikely to deter ongoing government-backed cyber espionage or significantly reduce operations.
2025-07-09 08:37:06 theregister MISCELLANEOUS London Police's Use of Facial Recognition Sparks Criticism
Privacy advocates criticize the Metropolitan Police's use of live facial recognition (LFR) technology, questioning both its effectiveness and its impact on civil liberties. Data reveals that of 715,296 arrests since 2020, only 1,035 were assisted by LFR, with 773 leading to charges, which accounts for merely 0.15 percent of total arrests. Critics argue the technology's costs and privacy implications outweigh its benefits in preventing crime. Big Brother Watch emphasizes the need for more efficient use of policing resources amid other serious crimes that go uninvestigated. The Met defends the technology, citing its role in significant arrests and in improving operational efficiency even when deployments do not lead to arrests. Recent deployment includes permanent LFR cameras in Croydon after a two-year trial, amid ongoing concerns over the expansion of surveillance. The lack of specific legislation regulating police use of facial recognition in the UK adds to the controversy and to calls for oversight. The Met insists that LFR has solid safeguards, with the biometrics of non-matched individuals deleted immediately and only those matched against a watchlist retained.
2025-07-09 07:18:13 thehackernews MISCELLANEOUS Microsoft Releases Critical Patches for 130 Security Vulnerabilities
Microsoft's latest Patch Tuesday resolves 130 vulnerabilities, including critical flaws in SPNEGO and SQL Server. This update is the first of 2025 with no actively exploited zero-day vulnerabilities patched, ending an 11-month streak. The one publicly known vulnerability disclosed this month affects Microsoft SQL Server and could allow unauthorized access to uninitialized memory, potentially exposing sensitive data. A severe remote code execution vulnerability in Windows SPNEGO Extended Negotiation could allow attackers to execute code over the network, raising concerns about potential self-propagating malware akin to WannaCry. Other significant issues addressed include vulnerabilities in Windows KDC Proxy Service, Windows Hyper-V, and Microsoft Office that could allow remote code execution without user interaction or privileges. Microsoft also patched multiple security feature bypasses in BitLocker which, if exploited, could permit an attacker with physical access to the device to access encrypted data. The end of support for SQL Server 2012 was also noted, with users urged to upgrade in order to receive future security patches.