Daily Brief

2025-06-25 14:32:20 bleepingcomputer CYBERCRIME French Police Arrest Five Operators of BreachForums Cybercrime Network
French authorities have arrested five individuals linked to the operation of BreachForums, a platform used for trading and selling stolen data. The arrests, conducted by the BL2C unit of the Paris police, targeted known hackers in various regions including Paris, Normandy, and Réunion. Those detained include high-profile hackers known by aliases such as "ShinyHunters," "Hollow," "Noct," "Depressed," and "IntelBroker." The forum, known to facilitate illegal activities like data leaks and the selling of network access, had been relaunched as BreachForums v2 after its original shutdown in 2023. Key figures such as "ShinyHunters" and "IntelBroker" were reportedly managing the forum, playing significant roles in its operations and multiple high-profile data breaches globally. Notably, these cybercriminals were implicated in several breaches against French entities and were responsible for leaking sensitive information of millions, affecting organizations such as France Travail and the French Football Federation. BreachForums v2 went offline in April 2025 following a security breach exploiting a zero-day vulnerability in the MyBB platform, with no signs of revival.
2025-06-25 13:41:06 thehackernews DATA BREACH Critical Flaws in SAP GUI and Citrix Expose Sensitive Data
Researchers have identified vulnerabilities in SAP GUI for Windows and Java that could allow unauthorized access to sensitive user data. Identified flaws in SAP GUI (CVE-2025-0055 and CVE-2025-0056) involve insecure storage of user input history, potentially exposing usernames, SSNs, and more. SAP GUI for Windows uses a weak XOR-based encryption for storing data, while the Java version stores data unencrypted. Citrix also patched a critical vulnerability (CVE-2025-5777) in NetScaler appliances that could allow attackers to steal valid session tokens. The Citrix vulnerability, if exploited, enables bypassing of authentication protections and has been compared in severity to a previous significant breach in 2023. Both SAP and Citrix have released patches for these vulnerabilities, and mitigation steps include disabling input history and upgrading outdated software versions. There is currently no evidence of active exploitation of the Citrix flaw, but experts suggest that its potential impacts could be severe.
2025-06-25 11:03:38 thehackernews DATA BREACH Pro-Iranian Group Leaks Data at 2024 Saudi Games, Exacerbating Tensions
The pro-Iranian hacktivist group Cyber Fattah leaked thousands of records from the 2024 Saudi Games. The leak includes IT staff credentials, government emails, personal information of athletes and visitors, and sensitive documents. The data is believed to have been extracted from the Saudi Games 2024 official website and was published on a notorious cybercrime forum. Cybersecurity firm Resecurity links this leak to Iran's broader cyber propaganda against the US, Israel, and Saudi Arabia. Tensions in the Middle East are escalating, with numerous hacktivist groups engaged in ideological cyber warfare. The incident adds to a series of cyber-attacks including a DDoS attack by 313 Team and data leaks by Predatory Sparrow against Iranian targets. Experts highlight this incident as part of a growing trend of hacktivism in which cyberattacks serve as extensions of geopolitical disputes. Such cyber activities demonstrate the increasing integration of digital operations into political and military strategies.
2025-06-25 10:33:40 thehackernews MISCELLANEOUS Hidden Risks in Entra ID with Guest User Privileges
Guest users can exploit Microsoft Entra's subscription handling to create and transfer subscriptions, retain ownership of them, and escalate privileges. The risk lies in the fact that guest users can leverage billing permissions scoped to their home tenant's billing account to gain control in a target tenant. Security models that focus on Entra Directory or Azure RBAC roles do not typically cover billing roles, leaving a blind spot. Attackers can exploit this oversight by using compromised or federated guest accounts to gain unauthorized access and maintain persistence within a tenant. Most organizations are unaware of the elevated-access threat posed by seemingly low-risk federated guest accounts. Microsoft provides Subscription Policies as a mitigation, allowing organizations to block transfers by unauthorized users and tighten control over guest permissions. BeyondTrust suggests regular reviews of guest access policies and subscription governance to prevent such exploits, and offers tools for detecting unusual subscription activity by guest accounts. Simon Maxwell-Stewart highlights the importance of re-evaluating the security implications of identity misconfigurations and weak default settings in modern enterprise environments.
2025-06-25 09:33:35 theregister MISCELLANEOUS UK Government Site Hacked to Promote Payday Loans
A website originally created for the UK Home Office's anti-encryption campaign was repurposed to advertise payday loans. The website cost over £500,000 and was part of the controversial "No Place to Hide" campaign, which targeted encrypted messaging services like Facebook Messenger. The site still promoted the government's messages against encryption but included a section offering loans from Wage Day Advance, a firm flagged for potential scam activities. The altered content was first detected by tech policy expert Heather Burns and reported by The Register. Wage Day Loans claimed no knowledge of the change and stated that its SEO services had been outsourced. Although the payday loan content was removed shortly after discovery, it reappeared later before finally being taken down again. This incident highlights a broader issue of trusted domains being hijacked for SEO purposes, as seen in other cases involving entities like Nvidia and Stanford University.
2025-06-25 08:48:41 thehackernews MALWARE SonicWall Trojan and ConnectWise Exploits Enable Stealthy Credential Theft
Unknown attackers distributed a trojanized SonicWall SSL VPN NetExtender application designed to steal credentials from users while appearing legitimate. The infected application, dubbed SilentRoute by Microsoft, was distributed through fake websites that mimicked the appearance of SonicWall's original software. The malicious code in the NetExtender application enabled data theft by bypassing digital certificate validation and exfiltrating VPN configuration details to an attacker-controlled server. Separately, a spike in attacks leveraging ConnectWise with Authenticode stuffing to insert malware was observed, primarily delivered through phishing, malvertising, and fake AI tool advertisements on social media platforms. The ConnectWise abuse involves modifying settings stored within the software's digital signature to create malicious configurations, allowing persistent remote access while presenting fake update screens to discourage users from shutting the system down. Both schemes underline the sophisticated techniques attackers use to abuse digital signatures and trusted software processes in order to operate undetected.
2025-06-25 08:14:52 thehackernews NATION STATE ACTIVITY North Korea's Contagious Interview Campaign Targets Developers
Cybersecurity researchers have identified 35 malicious npm packages as part of the North Korea-linked Contagious Interview operation. The npm packages were found embedded in projects shared via LinkedIn job offers, exploiting developers' trust during the hiring process. Each package contains a hex-encoded loader, HexEval, that collects host information and delivers a JavaScript stealer tool called BeaverTail, which can download a Python backdoor named InvisibleFerret. The campaign’s tools enable remote control and data theft, specifically targeting cryptocurrency-related information. The malware avoids detection using complex, multi-layered techniques that bypass traditional security scans and manual reviews. Keylogger functionalities are included in one npm alias, enhancing threat actors’ surveillance capabilities. Recent versions of the campaign also use social engineering tactics, like fake interviews, to distribute malware. The ongoing nature and evolution of this campaign show North Korean threat actors refining their methods for sophisticated infiltrations into developer environments and systems.
2025-06-25 05:13:07 thehackernews MISCELLANEOUS Microsoft Extends Windows 10 Security Updates for Extra Year
Microsoft has announced an extension of the Windows 10 Extended Security Updates (ESU) program for an additional year until October 2026. The extension will provide critical security updates for users who choose to pay a fee or synchronize their PC settings with the cloud. This decision comes as the originally scheduled end of support for Windows 10 on October 14, 2025, approaches. Users can enroll in the ESU program through a new enrollment wizard in the Windows 10 Settings app, with options available for personalization. The ESU program is considered a temporary solution for users needing to operate on the legacy platform while transitioning to newer supported versions. ESUs are focused solely on security updates and will not include new features, non-security updates, or any design changes. Enrolled devices under this program will continue receiving updates through the extended period without requiring additional upgrades or changes.
2025-06-24 21:09:25 theregister CYBERCRIME Citrix Faces Severe Security Threat, Urges Immediate Patches
Citrix addressed a critical vulnerability in its NetScaler ADC and NetScaler Gateway products, comparable to the previous CitrixBleed flaw exploited in significant ransomware attacks. The newly identified bug, nicknamed "CitrixBleed 2" by security analyst Kevin Beaumont, received a 9.3 severity rating and allows attackers to bypass multi-factor authentication. Affected versions include NetScaler ADC and Gateway versions 12.1 and 13.0, which are end-of-life and will not receive updates—upgrading is recommended. The flaw, an out-of-bounds read issue tracked as CVE-2025-5777, permits unauthorized remote attackers to read session tokens and other sensitive data, mainly affecting setups commonly used in large organizations. Citrix advises customers to update their systems urgently to the supported versions and execute specific commands to kill active sessions for enhanced security. No reports confirm the in-the-wild exploitation of CVE-2025-5777 yet, but experts like Beaumont and Benjamin Harris from watchTowr suggest that it is only a matter of time before it gets exploited, given its severity and nature. Modifications in the National Vulnerability Database regarding the exposure level of the management interface indicate an increased risk factor for this vulnerability. Organizations are warned to treat this as an imminent IT security incident to avoid potential future attacks that could exploit this vulnerability.
2025-06-24 20:41:12 bleepingcomputer MALWARE Trojanized SonicWall VPN Client Steals User Credentials
SonicWall has issued a warning about a trojanized version of its NetExtender SSL VPN client that is designed to steal VPN credentials. The fake NetExtender installer mimics version 10.3.2.27 and is hosted on a website crafted to deceive users into believing it's the legitimate SonicWall site. The installer, while not signed by SonicWall, uses a signature from "CITYLIGHT MEDIA PRIVATE LIMITED" to evade basic security checks. Modifications in the malware include altered binaries in NeService.exe to bypass certificate verifications and added malicious code in NetExtender.exe to exfiltrate VPN credentials. The stolen data, including usernames and passwords, is sent to a remote server once the user attempts to connect via the malicious VPN client. SonicWall advises downloading software only from its official websites and highlights that their security tools, along with Microsoft Defender, now block these malicious installers. Users are advised to avoid downloading software from promotional links and to always verify files with updated antivirus software before installation.
2025-06-24 18:55:21 thehackernews MISCELLANEOUS U.S. Visa Rules Now Require Public Social Media Profiles
The U.S. Embassy in India announced new visa application guidelines requiring applicants to make their social media accounts public. The directive affects F, M, and J nonimmigrant visa categories, which include students and exchange visitors. Making social media profiles public is intended to assist in the vetting process for establishing identity and eligibility of applicants. Refusal to adjust privacy settings to public could lead to visa application rejection. This change is part of broader measures to ensure national security during the visa vetting process. Social media identifiers have been a required part of U.S. visa applications since 2019. The U.S. Department of State emphasizes the need to protect national interests and ensure applicants do not pose security threats. Other U.S. embassies worldwide have issued similar directives, including the necessity to provide historical social media usernames.
2025-06-24 17:27:38 theregister MALWARE Alert: Fake SonicWall VPN App Steals Sensitive User Credentials
SonicWall and Microsoft discovered a fake SonicWall SSL VPN app designed to steal user credentials. The fraudulent app distributed a Trojanized version of the official SonicWall NetExtender software. Malicious actors used a digitally-signed but fake certificate from "CITYLIGHT MEDIA PRIVATE LIMITED" to lend credibility to the installer. Users were tricked into downloading the app from spoofed websites that mimicked legitimate download portals. The tampered app bypassed digital certificate validation checks and installed malware that collected VPN configurations—usernames, passwords, domains—and sent this data to a remote server controlled by attackers. Two modified files within the app, NeService.exe and NetExtender.exe, were specifically designed to execute the malicious operations. Despite takedowns of the fake sites and revocation of the fraudulent digital certificate, the threat persists due to the simplicity of creating new malicious domains. SonicWall advises downloading software directly from official vendor sites to avoid such security risks.
2025-06-24 16:59:16 bleepingcomputer CYBERCRIME Trezor Support System Exploited in Crypto Phishing Scam
Trezor's automated support system is being used to send phishing emails that appear to be from legitimate company addresses. Attackers create support tickets with urgent phishing messages as titles, which are then automatically emailed to users. The phishing emails direct users to a fake site where they are prompted to input their wallet seed phrase. Possession of a seed phrase allows unauthorized users to gain full access to a victim’s cryptocurrency assets. Trezor has issued warnings to users never to share their seed phrases and is working on measures to prevent future incidents. This exploitation of Trezor’s support system follows several previous security breaches and phishing campaigns targeting Trezor users. Details on the ongoing situation and defense tips against phishing are available on Trezor's dedicated online guide.
2025-06-24 15:10:33 theregister MISCELLANEOUS Discovering the Hidden Gaps in Vulnerability Management
Organizations often misunderstand the completeness of their vulnerability scans, missing 10-20% of devices that never get scanned. Vulnerability management platforms can mislead with clean metrics, while significant asset visibility issues and gaps remain. Detected devices may still have incomplete scans due to missing agents or credentials, leaving unassessed vulnerabilities. Common platform features lack mechanisms to natively identify never-scanned devices, impacting overall security posture. Case studies highlight the severe impacts of these gaps, including unpatched systems leading to breaches in financial and healthcare sectors. Continuous inventory assessments and cross-referencing data from multiple systems are recommended for accurate coverage verification. The article encourages a shift from reliance on platform-native reports to continuous validation and monitoring of asset inventories for real-time security management. Prelude Security suggests that organizations should not solely depend on vendor reports but should proactively identify and address visibility gaps.
2025-06-24 15:00:32 bleepingcomputer MALWARE New FileFix Attack Exploits Windows File Explorer Stealthily
A cybersecurity researcher named mr.d0x has developed a new attack variant called FileFix, which manipulates the address bar in Windows File Explorer to execute malicious commands. FileFix is derived from ClickFix, a social engineering technique that previously used browsers to trick users into executing harmful PowerShell commands. Unlike ClickFix, FileFix utilizes a more familiar and trusted component of Windows, the File Explorer, to deceive users into pasting malicious commands under the guise of handling shared files. By misrepresenting the functionality of buttons and links, the phishing page conceals the harmful commands within what appears to be legitimate user interactions, thus increasing the likelihood of user compliance. The method of hiding malicious code within seemingly benign commands in File Explorer potentially increases the attack's stealth and effectiveness. FileFix could be used by cybercriminals to deploy malware, ransomware, and conduct targeted phishing attacks due to its simplicity and the ubiquity of Windows File Explorer. mr.d0x believes that, similar to his previous discoveries, FileFix will likely be quickly adopted by malicious actors for its straightforwardness and the trust placed in standard Windows utilities by users. The researcher has demonstrated the viability of FileFix with a proof-of-concept, which he discussed with the tech media outlet BleepingComputer, emphasizing its potential for harm if leveraged by cyber attackers.