Daily Brief


Total articles found: 11821

Checks for new stories every ~15 minutes

2025-06-24 14:21:18 thehackernews CYBERCRIME Innovative Techniques to Disrupt Cryptocurrency Mining Botnets
Akamai researchers have developed two new methods to counteract cryptocurrency mining botnets by exploiting mining protocols. These techniques manipulate mining topologies and pool policies, drastically reducing the effectiveness of cryptomining botnets and potentially leading to their shutdown. The first method, known as "bad shares," involves submitting invalid mining results to get a mining proxy banned from the network, which halts the botnet's operation. The second technique utilizes the direct connection of a miner to a pool to initiate over 1,000 login requests with the attacker's wallet, temporarily banning it for an hour. Both strategies are designed to exploit vulnerabilities in the Stratum mining protocol used in common topologies, causing significant disruption to malicious mining operations. The methods currently target Monero miners but can be adapted to other cryptocurrencies as well. These defensive tactics enable the rapid recovery of legitimate miners from attacks, contrasting with the challenging recovery process for malicious operations.
2025-06-24 14:08:29 bleepingcomputer MISCELLANEOUS Continuous Penetration Testing: Revolutionizing Proactive Security
The evolution of penetration testing has produced several models, including point-in-time pentests, PTaaS, bug bounty programs, and automated tools, with Continuous Penetration Testing (CPT) presented as the most effective because of its comprehensive and proactive approach. Legacy pentests offer a static, periodic snapshot that fails to match the dynamic nature of modern threats, whereas CPT offers always-on, real-world attack simulation. CPT integrates human expertise with automation, providing continuous coverage, real-time alerts, unlimited retesting, and faster remediation, which matters given how quickly new vulnerabilities are weaponized. While CPT requires a higher initial investment, it offers significant long-term benefits by aligning with modern development practices and a persistent threat landscape. The shift from annual or periodic testing to continuous testing enables organizations to stay ahead of threats and more effectively protect sensitive data. Sprocket Security provides these services and emphasizes the strategic, operational, and cost benefits of transitioning to a continuous penetration testing model.
2025-06-24 13:45:40 bleepingcomputer MISCELLANEOUS U.S. House Bans WhatsApp on Government-Issued Devices
The U.S. House of Representatives has implemented a ban on WhatsApp for use on all government-issued devices among congressional staff due to security concerns over its data encryption and storage processes. Staffers can still use WhatsApp on their private devices, but those devices are prohibited in secure areas such as classified briefings or secure facilities. The ban covers numerous device types, including mobile phones, laptops, and desktop computers, as well as web browsers on those devices. The Chief Administrative Officer (CAO) of the House, Catherine Szpindor, emphasized that the priority is to safeguard the House and its members from potential cybersecurity threats. Alternatives recommended by the House CAO include Microsoft Teams, Wickr, Signal, iMessage, and FaceTime, all of which are considered to have acceptable security features for official communications. WhatsApp responded strongly against the ban, arguing that the app's default end-to-end encryption provides better security than many apps on the House's approved list. The news surfaces amid broader efforts by the House to limit use of potentially risky technology platforms and applications, including ByteDance apps like TikTok and certain AI tools like ChatGPT.
2025-06-24 13:29:11 thehackernews CYBERCRIME Global Microsoft Exchange Servers Hacked to Harvest Login Details
Unidentified hackers are targeting Microsoft Exchange servers globally to insert keyloggers on login pages and steal credentials. Analysis by Positive Technologies revealed two types of JavaScript keylogger code affecting servers in 26 countries across various sectors, including government, finance, IT, and education. The campaign, first documented in May 2024, exploits known Exchange Server vulnerabilities such as ProxyShell to deploy malicious code. Compromised data includes user credentials and cookies, transmitted discreetly to avoid detection using methods such as local file storage and external Telegram bots. The attacks, initially detected in Africa and the Middle East, have now expanded worldwide, with significant concentrations in Vietnam, Russia, Taiwan, China, and several other countries. Researchers warn that many Exchange servers are still susceptible to older vulnerabilities, allowing attackers to remain undetected for extended periods. Notably, 22 government servers have been compromised, highlighting the significant impact on state operations.
2025-06-24 11:50:45 theregister CYBERCRIME Four REvil Ransomware Members Released After Guilty Pleas
Four members of the notorious REvil ransomware group were released from Russian detention after serving most of their five-year sentences, counted from their 2022 arrest. The individuals, convicted of crimes including the use of malicious programs and illegal financial activities, were freed because of time considered served in pre-trial detention. The released members had complied with legal demands, including forfeiting luxury assets such as BMWs and a significant sum of money. In contrast, four other members who did not plead guilty received harsher sentences ranging from 4.5 to six years, showing a discrepancy in sentencing based on plea decisions. REvil, known for high-profile ransomware attacks including those against US nuclear contractors and international businesses, was effectively dismantled in a joint FBI-led operation in 2021. While convictions continue in Russia, extradition efforts by the US have seen limited success, notably with the extradition and sentencing of a Ukrainian REvil member in the US. The case highlights ongoing international efforts and challenges in managing cybercrime and the varied outcomes produced by judicial and geopolitical dynamics.
2025-06-24 11:03:29 thehackernews MISCELLANEOUS Expert Insights on Implementing Continuous Threat Exposure Management
Cybersecurity leaders from diverse sectors discussed the challenges of implementing Continuous Threat Exposure Management (CTEM) at the Xposure Summit 2025. Key strategies include starting with asset inventory and identity management, and validating internal and external-facing assets frequently to adapt to rapidly changing environments. The discussion highlighted the importance of converting cybersecurity issues into risk management language that boards and regulators can understand. Success in CTEM is measured not by counting vulnerabilities but by the reduction of exploitable attack paths and effectively conveying risk levels to company leadership. The panel emphasized the difference between traditional vulnerability management and CTEM, focusing on real-world threat simulations and testing defense mechanisms beyond mere patching. The conversation also touched on the necessity of threat intelligence as a backbone for security testing programs, emphasizing understanding and simulating adversary tactics, techniques, and procedures (TTPs). Frequent validation of security measures is crucial, with weekly checks for internal assets and daily for external ones, to maintain control over security environments continuously.
2025-06-24 09:57:37 thehackernews CYBERCRIME Hackers Use Misconfigured Docker APIs for Cryptocurrency Mining
Hackers are targeting misconfigured Docker APIs to infiltrate containerized environments and deploy cryptocurrency miners, exploiting Tor for anonymity. The attack commences by probing vulnerable systems to list or create Docker containers, utilizing the "alpine" Docker image and mounting crucial directories. This setup allows attackers to execute a Base64-encoded script to install Tor, enabling them to mask their activities and fetch remote scripts from a .onion domain. Post-installation, attackers modify SSH configurations and insert their SSH key to facilitate unauthorized access, enhancing their control over the host system. Additional tools such as masscan, libpcap, zstd, and torsocks are installed by the attackers for further actions and communication with their C&C server. The final payload includes the XMRig miner, set up with specific configurations and wallet addresses, primarily targeting the technology, finance, and healthcare sectors. Trend Micro's research signals an ongoing trend where attackers exploit vulnerabilities in cloud environments for cryptojacking operations.
2025-06-24 09:24:19 thehackernews MISCELLANEOUS U.S. House Prohibits WhatsApp Use on Government Devices
The U.S. House of Representatives has banned the use of WhatsApp on all government-issued devices among congressional staff due to security and data protection concerns. This decision follows reports by the House Chief Administrative Officer (CAO) labeling WhatsApp as a "high-risk" application due to its inadequate data protection practices, including a lack of transparency and absence of stored data encryption. WhatsApp, owned by Meta, has countered these allegations, asserting that its platform ensures end-to-end encryption on all messages and provides a high level of security. Meta's Communication Director, Andy Stone, expressed strong disagreement with the CAO's claims and highlighted the widespread use of WhatsApp by congressional members and staff. The CAO suggested alternative communication apps deemed more secure, such as Microsoft Teams, Amazon's Wickr, Signal, and Apple's iMessage and FaceTime. The prohibition of WhatsApp follows recent bans on other apps like TikTok, OpenAI ChatGPT, and DeepSeek by the House. WhatsApp has also been in the news for integrating advertisements into its platform, a move that the company asserts does not compromise user privacy.
2025-06-24 09:14:44 thehackernews NATION STATE ACTIVITY APT28 Targets Ukraine with BEARDSHELL, COVENANT Malware Via Signal
CERT-UA disclosed a campaign by Russian-linked APT28 using Signal chat to deliver malware in Ukraine. Two new malware types, BEARDSHELL and COVENANT, were identified, employing techniques like downloading and executing PowerShell scripts. BEARDSHELL was first spotted in March-April 2024 in a Windows system, initially without clear infection vectors. Traces of unauthorized access were later linked to a "gov.ua" email and exploitation of XSS vulnerabilities in webmail software. The malware distribution method involves a macro-laced Word document dropped through Signal, triggering payloads and registry modifications once opened. COVENANT framework downloads additional payloads to launch the BEARDSHELL backdoor. CERT-UA has advised monitoring network traffic related to specified malicious domains to mitigate risks, highlighting targeted attacks on outdated webmail applications.
2025-06-24 06:35:21 theregister MISCELLANEOUS Psylo Browser Enhances Privacy by Unique Digital Fingerprinting
Psylo, a new private browser, aims to enhance user privacy by isolating each browser tab with a unique IP address and anti-fingerprinting measures. Developed by Mysk, a Canada-based software firm, Psylo uses WebKit to ensure that each tab operates in a separate "silo," making it harder for marketers to track users. The browser includes features such as canvas randomization and per-silo adjustment of the browser's time zone and language to guard against tracking. It uses the Mysk Private Proxy Network to anonymize user IP addresses and does not store any personally identifiable information or browsing data. Psylo's release coincides with a new report highlighting the extensive use of browser fingerprinting for ad tracking despite privacy regulations such as GDPR. Psylo offers encrypted TLS communications and blocks plain-text HTTP traffic, which the developers say makes it more secure than typical VPN solutions. Available on iOS and iPadOS, Psylo could expand to Android depending on user reception; it is currently priced at $9.99 per month or $99 annually.
2025-06-24 03:06:36 thehackernews NATION STATE ACTIVITY China-Linked Cyber Espionage Targets Canadian Telecom via Cisco Flaw
The China-linked Salt Typhoon group exploited a critical vulnerability in Cisco IOS XE software, CVE-2023-20198, to infiltrate a major Canadian telecommunications provider. Salt Typhoon's activity involved modifying network configuration files to create a GRE tunnel for collecting traffic, indicating espionage intent. The cyberattacks by Salt Typhoon have raised concerns beyond the telecommunications sector, since compromised devices can potentially affect multiple networks and reach additional devices. The U.S. FBI and the Canadian Centre for Cyber Security issued advisories highlighting the threat of Salt Typhoon targeting telecommunications networks as part of an espionage campaign. Investigations revealed that similar methods and vulnerabilities were used by Chinese state-sponsored actors to infiltrate telecom and internet firms in the U.S., South Africa, and Italy. The U.K. NCSC also reported the discovery of two malware families, SHOE RACK and UMBRELLA STAND, targeting Fortinet devices, with some links to Chinese threat actors. These incidents underscore the ongoing threat posed by state-sponsored cyber activity targeting critical infrastructure for espionage and data exfiltration.
2025-06-23 23:49:05 theregister NATION STATE ACTIVITY Chinese Hackers Use LAPD Spoofing in Major Infrastructure Attack
A sophisticated cyber campaign led by China's ‘Typhoon’ hacking groups has targeted over 1,000 devices, primarily in the US and Southeast Asia. Intruders use fake TLS certificates that appear to be issued by the Los Angeles Police Department to access critical infrastructure. Victims are mostly outdated routers and IoT devices, exploited to build a covert operational relay box (ORB) network that obscures the origin of cyberattacks. These ORB networks make traffic appear to come from local IP addresses, complicating tracking efforts and facilitating attacks on victims. Five regions (the US, Japan, South Korea, Taiwan, and Hong Kong) are most heavily affected and account for 90% of infected devices. Compromised devices, predominantly old and unpatched, include Linux-based systems from Ruckus Wireless and Buffalo Technology. The campaign deploys a custom backdoor named ShortLeash, which provides persistent control for future malicious operations, possibly aimed at disrupting critical infrastructure. Security analysts recommend heightened monitoring for unusual encrypted traffic from residential IPs on high port numbers to detect this activity.
2025-06-23 22:21:42 bleepingcomputer NATION STATE ACTIVITY APT28 Exploits Signal to Deploy Novel Malware in Ukraine
APT28, a Russian state-backed cyber group, used Signal messaging to target Ukrainian government entities with new malware variants, BeardShell and SlimAgent. The threat was first spotted by Ukraine's CERT-UA in March 2024, which uncovered novel tactics involving Signal but had limited information on the exact infiltration method. In May 2025, ESET discovered unauthorized activity in a gov.ua email account, leading to further investigation that revealed Signal being used to deliver malicious documents. The malware, delivered via an encrypted Signal message, includes a document that activates Covenant, a malware loader that stages further infections using complex payloads. BeardShell executes through DLL files and encrypted PowerShell scripts, maintaining persistence on the system and communicating covertly via third-party APIs. SlimAgent, a separate screenshot-capturing tool, protects captured data with AES and RSA encryption, indicating sophisticated exfiltration techniques. APT28’s continued targeting of Ukraine highlights ongoing cyberespionage, and defenders are urged to monitor specific interactions such as those with app.koofr.net and api.icedrive.net. Despite its secure-communication claims, Signal faced criticism from Ukrainian officials over perceived non-cooperation in mitigating such threats.
2025-06-23 18:48:55 theregister NATION STATE ACTIVITY Heightened U.S. Cybersecurity Risks Following Airstrikes on Iran
The Department of Homeland Security (DHS) warns of increased cyberattacks from Iran and pro-Iranian hacktivists following U.S. airstrikes on Iranian nuclear facilities. Iranian government and hacktivists have previously targeted U.S. networks, mainly exploiting weak security to initiate disruptive attacks. Tehran's cyber capabilities involve sophisticated methods like using custom malware and default passwords to infiltrate U.S. water and fuel management systems, though their impact has often been overstated. Recent disruptions mirror potential future threats, including wiper and malware attacks on critical sectors like government, finance, and utilities, as anticipated by cybersecurity experts. Iran has dabbled in ransomware and is expected to escalate DDoS campaigns, alongside disinformation strategies including deepfake propaganda and social media manipulation. Cyberespionage remains a significant threat, with Iranian operatives targeting both institutional and personal accounts to gather sensitive geopolitical and personal information. U.S. citizens remain at risk of both cyber and physical threats linked to Iranian activities, with law enforcement continuously disrupting Iranian-backed lethal plots within the U.S.
2025-06-23 16:50:11 bleepingcomputer MALWARE New SparkKitty Malware Steals Photos and Crypto from Mobile Devices
A new malware family, SparkKitty, identified on Google Play and the Apple App Store, targets photos and cryptocurrency data. SparkKitty is likely an evolution of SparkCat, using optical character recognition (OCR) to detect and steal crypto wallet seed phrases from images. The malware has spread through legitimate app stores and affects both Android and iOS devices via apps and fake frameworks. Its malicious activity involves stealing all images from device galleries, which could be used for crypto theft or potentially for extortion. Indicators on mobile devices include apps requesting access to photo galleries and indiscriminately uploading images and text. The official response includes app removals from stores, developer bans, and protective measures such as Google Play Protect. Recommendations for users include closer scrutiny of app permissions and avoiding storing sensitive wallet information on mobile devices.