Daily Brief


Total articles found: 11821


2025-06-26 04:41:24 thehackernews MISCELLANEOUS WhatsApp Introduces AI-Powered Message Summaries in the US
WhatsApp has launched a new AI feature called Message Summaries to help users preview unread messages quickly. The feature uses Meta AI to provide summaries and is initially available in English to U.S. users, with future plans for global expansion. Message Summaries is optional, disabled by default, and can be activated or customized with "Advanced Chat Privacy" settings. The technology, Private Processing, ensures AI processing is done securely without exposing message contents to third parties, including Meta. Private Processing operates within a confidential virtual machine (CVM) and establishes a secure link between the user's device and the Trusted Execution Environment (TEE) using Oblivious HTTP (OHTTP). WhatsApp and Meta cannot access the actual messages due to this technology, enhancing user privacy. The introduction coincides with heightened security scrutiny, evidenced by the U.S. House of Representatives banning WhatsApp on government-issued devices.
2025-06-25 23:57:59 bleepingcomputer CYBERCRIME British Hacker Charged for $25M Global Cybercrime Damages
British national Kai West, alias "IntelBroker," has been charged in the U.S. for cybercrimes causing $25 million in damages. West allegedly stole and sold sensitive data from government agencies, companies, and critical infrastructure globally. The data included health records, telecommunications data, and cybersecurity firms' internal files, among others. Breaches linked to West include major entities such as Europol, General Electric, and AMD. The U.S. Department of Justice claims the damages affected dozens of victims; IntelBroker faces a potential 25-year prison term. West's identity was confirmed after an FBI agent purchased a stolen API key, which led to tracing his financial transactions. The FBI's investigation tied West to the IntelBroker persona using digital and physical evidence, including invoices and a UK driver's license. IntelBroker had held administrative roles at BreachForums, a notable hacking forum, before stepping down recently.
2025-06-25 22:00:32 bleepingcomputer MALWARE Hackers Exploit ScreenConnect with Malware Using Authenticode Stuffing
Threat actors have modified the Authenticode signature of ConnectWise ScreenConnect installers to create signed malware capable of remote access. The altered configuration is stored inside the binary's certificate table, which the Authenticode hash does not cover, so the malware retains its valid digital signature. G DATA cybersecurity researchers identified these malicious binaries, noting that only the certificate table varied across files that otherwise shared the same Authenticode hash. Victims reported falling for phishing tactics involving PDFs or Canva links that directed them to the malicious executable hosted on Cloudflare's R2 storage. The infected ScreenConnect client was disguised with UI elements such as a fake Windows Update screen to deceive users. ConnectWise revoked the certificates used in these attacks after being contacted by G DATA, which labeled the malware under two classifications: Win32.Backdoor.EvilConwi.* and Win32.Riskware.SilentConwi.*. A similar misuse involved trojanized SonicWall NetExtender VPN clients aimed at stealing login credentials. ScreenConnect and SonicWall users are urged to download software exclusively from official sources to avoid such risks.
2025-06-25 21:12:29 theregister CYBERCRIME Citrix Issues Urgent Patches for Two Critical Vulnerabilities
Citrix released emergency patches for two critical vulnerabilities affecting NetScaler ADC and Gateway products, one of which was already being exploited as a zero-day. The new vulnerability, tracked as CVE-2025-6543, carries a 9.2 severity score and allows unintended control flow and potential denial of service. Exploitation of CVE-2025-6543 led to unauthorized access before Citrix could distribute fixes, indicating attacks with outcomes beyond simple denial of service. Security experts observed that patching might not remove backdoors installed during the exploitation window, posing ongoing risk. The earlier vulnerability, CVE-2025-5777, also critical, could permit attackers to read session tokens or sensitive data without authentication. Charles Carmakal of Mandiant Consulting emphasized the need not only to patch but also to terminate active sessions to fully mitigate the risk, citing past exploitation that led to espionage or ransomware deployment. Citrix has been slow to respond to inquiries about the specifics of the exploits, the extent of the breaches, or the measures needed beyond patching.
2025-06-25 20:37:18 bleepingcomputer MALWARE Stealth Attacks Exploit Microsoft ClickOnce and AWS Services
Hackers are using Microsoft's ClickOnce deployment technology and AWS services in a malicious campaign called OneClik that targets the energy sector. The OneClik campaign uses custom Golang backdoors and .NET-based loaders to deploy malware and maintain stealth. The malware, named RunnerBeacon, uses AWS CloudFront, API Gateway, and Lambda to mask command-and-control communications. Researchers at Trellix traced the malware's evasion techniques and sophisticated payloads designed to avoid analysis and detection. The OneClik campaign is likely linked to a China-affiliated state actor, based on its techniques and similarities to past campaigns. The malware design and operations mirror tactics seen in previous China-linked attacks involving cloud services and custom malware. Trellix has released indicators of compromise to aid detection and defense against OneClik and similar threats.
2025-06-25 19:28:31 bleepingcomputer MALWARE North Korea Uses Fake Job Interviews to Spread Malware
North Korean operatives are targeting job seekers, especially developers, with malware-laden npm packages. The campaign, dubbed 'Contagious Interview', involves attackers posing as recruiters on LinkedIn. The malicious npm packages have been downloaded over 4,000 times, and six were still available at the time of reporting. These packages install the BeaverTail info-stealer and the InvisibleFerret backdoor along with other payloads. The malware executes in multiple stages, starting with the HexEval loader and, in specific cases only, ending with a complex keylogger. IT professionals are advised to execute unfamiliar code in isolated environments such as containers to mitigate the risk. Past incidents indicate that this type of targeted malware distribution has been a recurring DPRK strategy.
2025-06-25 19:10:00 theregister MISCELLANEOUS Amazon Introduces AI Feature to Learn Home Routines in Ring Devices
Amazon has integrated AI in Ring devices to optimize home security notifications via a new feature called Video Descriptions. This beta feature is available for Ring Home Premium subscribers in the US and Canada and is designed to generate text descriptions detailing the motion activities monitored by Ring cameras and doorbells. Users must manually activate this feature through the Ring app to receive enhanced notifications, such as specific descriptions of individuals and activities around their property. The AI is configured to learn users' home routines, identify anomalies, and notify homeowners only when unusual activities occur, aiming to reduce frequent, irrelevant alerts. However, there are significant privacy concerns associated with this technology, particularly regarding how it stores and secures these detailed descriptions of daily routines and potential misuse by unauthorized parties. Previous incidents have involved unauthorized access to Ring accounts and misuse of the device's cameras, raising skepticism and further questioning the privacy measures implemented by Ring. Additionally, Ring has faced legal consequences in the past, including a substantial payout to settle allegations of inadequate security measures that allowed unwanted spying through its cameras.
2025-06-25 17:59:45 theregister MISCELLANEOUS Study Exposes Extensive Links Between Computer Vision Research and Surveillance
A recent study highlights a significant increase in academic computer vision research contributing to surveillance technology, with a fivefold rise in relevant patents since the 1990s. Analysis conducted by researchers from Stanford University and Trinity College Dublin involved over 19,000 research papers and 23,000 patents. Approximately 90% of the analyzed academic papers and 86% of the patents involved human data extraction, often referring to humans as "objects." The study, published in Nature, indicates that the normalization of human surveillance is widespread across the field, with a tendency to use ambiguous language that masks surveillance implications. Jathan Sadowski emphasizes that the advancement of computer vision in surveillance is influenced by substantial corporate and military interests rather than coincidental. Sadowski calls for more critical inquiry and policy-making to address the ethical and political dimensions of this technology, suggesting it fuels the military-industrial surveillance complex. The findings suggest a need for a shift in how computer vision research is conducted and utilized, with an emphasis on ethical considerations and transparency.
2025-06-25 17:38:09 theregister CYBERCRIME Surge in Supply Chain Attacks Exposes Critical Cybersecurity Gaps
88% of surveyed security leaders express concern over supply chain risks, but less than half adequately monitor their external suppliers’ security. Roughly 79% of organizations oversee less than half of their nth-party supply chain through cybersecurity programs, leading to significant blind spots. 36% of businesses have only 1-10% of their supply chain protected, despite experiencing a material impact from incidents within the past year. Third-party breaches doubled globally last year, representing 30% of total attacks, according to Verizon’s 2024 data breach report. Only 56% of organizations perform risk assessments on all supply chain members, and often struggle with getting reliable responses due to self-reporting inaccuracies. A common tactic to mitigate supply chain threats includes acquiring cyber insurance, with 63% of organizations covered for such events. Companies are advised to evolve from traditional third-party risk management to a more resilient approach, focusing on real-time risk identification and response. The report encourages organizations to invest in comprehensive supply chain cybersecurity strategies to combat growing external threats.
2025-06-25 17:38:08 bleepingcomputer DDOS Critical Vulnerability in Citrix NetScaler Leads to DoS Attacks
Citrix has issued a warning about a critical vulnerability, CVE-2025-6543, in NetScaler appliances that is currently being exploited. The vulnerability affects NetScaler ADC and NetScaler Gateway versions and can cause denial of service (DoS) when exploited. Attackers are exploiting this flaw through unauthenticated, remote requests that force the appliance offline. Specific NetScaler configurations vulnerable to this attack are those set as Gateway or AAA virtual servers. Citrix has released patches for affected versions to mitigate the vulnerability. Another related vulnerability, CVE-2025-5777 or CitrixBleed 2, has also been identified, allowing attackers to hijack user sessions. Citrix advises administrators to update their systems immediately and monitor for any signs of compromise.
2025-06-25 16:58:37 thehackernews CYBERCRIME Persistent Security Flaw in Microsoft SaaS Apps Risks Data Breach
A security flaw in Microsoft's Entra ID continues to pose a risk, affecting 9% of tested SaaS applications. Semperis found that the flaw allows attackers to manipulate the "mail" attribute of Entra ID accounts to take over a victim's account in an application that uses that attribute as the user identifier. The vulnerability, known as nOAuth, was initially reported in June 2023 but still impacts multiple applications despite the disclosure. Attackers can exploit this flaw with minimal effort and without leaving significant traces, complicating detection for users and administrators. In response to Semperis' report, Microsoft reissued its guidance for application developers on mitigating the risks associated with nOAuth. Properly implementing authentication and using immutable user identifiers rather than the mutable email claim are crucial for developers to shield applications from such vulnerabilities. The flaw not only allows data access within the SaaS application but also potentially enables attackers to reach other Microsoft 365 resources.
2025-06-25 16:58:37 bleepingcomputer MALWARE WinRAR Updates to Thwart Malware Execution from Archives
WinRAR has fixed a critical directory traversal bug identified as CVE-2025-6218, which posed a high-severity threat with a CVSS score of 7.8. The vulnerability could allow the execution of malware when users extracted malicious archives using affected versions of WinRAR (version 7.11 and older) on Windows. The patch for this vulnerability has been included in WinRAR version 7.12 beta 1, released recently. The flaw allows for unintended extraction paths, causing malicious files to be dropped in sensitive system locations, potentially leading to unauthorized data access and remote control. These extracted malicious files could automatically execute upon startup, leveraging user-level access to steal sensitive information, install backdoors, or facilitate further attacks. Despite needing user interaction, the prevalent usage of outdated software versions heightens the risk of exploitation. This update also addresses other vulnerabilities including an HTML injection issue and minor concerns related to recovery volume testing and timestamp accuracy in Unix records. All WinRAR users, regardless of their operating system, are advised to update immediately to mitigate risks, though no exploits of CVE-2025-6218 have been reported to date.
2025-06-25 16:10:44 bleepingcomputer CYBERCRIME New CitrixBleed 2 Vulnerability Exposes Authentication Sessions
Citrix warns of a new vulnerability, "CitrixBleed 2," impacting NetScaler ADC and Gateway, potentially allowing unauthorized session hijacking. The flaw, designated CVE-2025-5777, involves out-of-bounds memory access, enabling attackers to access session tokens and sensitive data. A related high-severity issue, CVE-2025-5349, affects the NetScaler Management Interface and could allow improper access control if exploited. Citrix advises users to upgrade to specified software versions and review active sessions for any irregularities before terminating them as a precaution. Devices still operating on unsupported software versions pose a significant security risk and require urgent upgrading. Over 56,500 NetScaler endpoints are exposed online, although the exact number vulnerable to these flaws remains unclear. Citrix has not confirmed active exploitation of these flaws but recommends immediate action to mitigate potential risks.
2025-06-25 15:36:42 theregister CYBERCRIME French Police Arrest Five Linked to BreachForums Cybercrimes
French cybercrime brigade (BL2C) arrested five suspected administrators of BreachForums, a notorious cybercrime discussion board. Initial arrests included an individual believed to be "IntelBroker" in February, with four more apprehended this week. The individuals are accused of involvement in various high-profile cyberattacks, including on companies like Snowflake and Ticketmaster. The suspects, all in their twenties, are linked to online ads for stolen data and the recruitment of criminal gangs. High-profile cybercriminals like Sebastien Raoult and Conor Brian Fitzpatrick were previously associated with BreachForums and have faced legal action in the US. BreachForums was shut down by the FBI in May 2024 but briefly resurfaced under a new domain before experiencing significant outages. Copycat sites have emerged since the takedown, using BreachForums' trusted PGP key, but their legitimacy remains questionable.
2025-06-25 14:57:05 thehackernews CYBERCRIME Citrix Issues Urgent Fixes for Exploited NetScaler ADC Vulnerability
Citrix has published emergency patches for a critical vulnerability in NetScaler ADC, identified as CVE-2025-6543, which has been exploited in the wild. The flaw, rated 9.2 on the CVSS scale, involves a memory overflow that could disrupt service and alter control flow. Successful exploitation of the vulnerability requires specific configurations as a Gateway or AAA virtual server. Affected versions include both on-prem and hybrid deployments of Secure Private Access using NetScaler. Users are urged to update their NetScaler instances to the patches provided by Citrix to mitigate risk. This security issue follows closely another severe vulnerability patched recently in the same product series, highlighting ongoing security challenges. Citrix has not provided specifics on how the vulnerability has been exploited but confirmed observations of active exploits on unprotected systems.