Daily Brief

Total articles found: 11822

2025-06-13 11:06:54 thehackernews CYBERCRIME Ransomware Exploits in Utility Software and Advanced Attack Techniques
Ransomware groups are exploiting unpatched SimpleHelp Remote Monitoring and Management (RMM) vulnerabilities to launch double extortion attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlighted exploitation of SimpleHelp RMM in attacks on an unnamed utility billing software provider. Sophos reported that threat actors accessed a Managed Service Provider's SimpleHelp deployment, enabling attacks on multiple downstream customers. CISA's mitigation recommendations include updating the software and not paying ransoms, so as not to fund further criminal activity. A Fog ransomware attack on a financial institution in Asia combined legitimate employee monitoring software with open-source penetration testing tools. Trend Micro identified a significant number of victims across various sectors claimed by Fog ransomware actors. LockBit ransomware activity continues at a high level, with recent leaks revealing China as a primary target among other global entities. Despite ongoing challenges, LockBit plans a next iteration of its ransomware, is offering incentives for information on the source of the leaks, and is reactivating operations.
2025-06-13 10:35:57 thehackernews MISCELLANEOUS Transition from Standard SOC to CTEM for Effective Risk Management
Traditional Security Operations Centers (SOCs) are challenged by outdated models and overwhelming alert volumes, leading to inefficiency in threat management. Continuous Threat Exposure Management (CTEM) offers an evolved approach, focusing on managing risks rather than reacting to alerts, thereby transforming security strategies. CTEM employs a framework that prioritizes real-world impact assessments over theoretical threat models, enhancing the relevance and efficiency of security responses. The conventional alert-centric approach in SOCs leads to a misallocation of resources, as many alerts do not correlate with actual threats or business impact. CTEM is designed to identify and mitigate exposures before they are exploited, integrating business context into security operations to streamline efforts and prioritize actions. This new model doesn't necessarily reduce the number of security tools used but changes their application to focus on strategic, data-driven risk reduction connected to business impacts. With CTEM, security operations transition from passive monitoring to active, precision-driven risk management, aligning closely with business outcomes and objectives. The evolution towards CTEM indicates a significant shift in security paradigms, focusing on preemptive measures and effective control validations, signaling a fundamental change in the role and function of SOCs.
2025-06-13 10:13:49 bleepingcomputer MISCELLANEOUS Cloudflare Service Outage Unrelated to Security Breach
Cloudflare's recent widespread service outage was confirmed not to be due to a cybersecurity incident, and no data was compromised. The outage was caused by a failure in the underlying storage infrastructure of their Workers KV system, managed by a third-party cloud provider. The disruption lasted for approximately 2.5 hours and affected multiple Cloudflare services, including edge computing and AI platforms. Google Cloud Platform and other major services were also impacted by this service disruption. Cloudflare has announced plans to enhance resilience by reducing reliance on third-party providers for its backend storage. The company will transition its Workers KV storage to its own R2 object storage and implement cross-service safeguards to prevent future outages. New tools are being developed to enable systematic restoration of services during similar disruptions, aiming to prevent secondary issues caused by traffic surges during recovery.
2025-06-13 08:34:41 theregister DATA BREACH FCA Staff Warned for Mishandling Sensitive Data via Personal Emails
Four Financial Conduct Authority (FCA) employees received warnings for sending regulator data to personal email accounts. Three of these individuals were given their first written warning, while one was on a final warning for similar misconduct. The incidents, which occurred during the 2022/23 financial year, involved unspecified data whose details were not fully disclosed. The FCA, responsible for overseeing the UK's financial services, takes breaches of its email security policies seriously and has set measures for handling such violations. The regulator previously fined Equifax £11 million for a data breach, indicating its strict stance on data security within the sector it monitors. Historical context includes a 2020 incident where the FCA accidentally leaked personal information of complainants in a Freedom of Information Act response. Security experts highlighted the broader risk of using personal email for corporate matters, stressing the importance of robust data protection policies. No further incidents requiring disciplinary action were reported in the subsequent fiscal years, 2023/24 and 2024/25.
2025-06-13 07:12:50 thehackernews NATION STATE ACTIVITY Apple Messages Flaw Used to Target Journalists with Spyware
Apple recently patched a zero-click flaw in the Messages app that was exploited using Paragon's Graphite spyware to spy on journalists. The security flaw, identified as CVE-2025-43200, allowed attackers to send a malicious iCloud Link to trigger the vulnerability without user interaction. The exploit specifically targeted Italian journalist Ciro Pellegrino and another prominent European journalist, infecting their devices to access sensitive data discreetly. Updates were issued in February 2025 for various Apple operating systems, resolving this vulnerability alongside another critical zero-day flaw. This pattern of attack underlines issues with the accountability of spyware use and highlights the ongoing risk to journalists and individuals in the civil sector. Apple has started issuing threat notifications to users suspected of being targeted by state-sponsored attacks since November 2021. The Italian government and Paragon ended their contract amid allegations of illegal use of the spyware, as confirmed by Italy’s Parliamentary Committee acknowledging the usage of Graphite under legal approval for national security. The exposure of these vulnerabilities and exploits is likely to increase calls for stricter regulations on the use of commercial spyware both nationally and within the EU.
2025-06-12 23:59:31 theregister RANSOMWARE Ransomware Disrupts Utility Services by Exploiting Unpatched Software
Ransomware attackers targeted utilities by exploiting a vulnerability in the SimpleHelp remote management tool. The security flaw, identified as CVE-2024-57727, affected versions of SimpleHelp up to 5.5.7, allowing unauthorized remote access. Despite a patch released in January, many users failed to update, leaving systems exposed to ransomware attacks. Incidents involved service disruptions and double extortion tactics, where attackers stole sensitive data before encrypting files. CISA issued an alert highlighting the ongoing risk and urged organizations to patch affected systems immediately. The Play ransomware group was noted for similar attacks targeting critical infrastructure using this vulnerability. Additional threats included DragonForce ransomware exploiting the same flaw to attack managed service providers and their clients. The series of attacks underline the critical importance of timely software updates in preventing ransomware incidents.
2025-06-12 19:33:49 bleepingcomputer CYBERCRIME Trend Micro Patches Critical Vulnerabilities in Security Products
Trend Micro has issued updates to fix critical vulnerabilities in its Apex Central and Endpoint Encryption PolicyServer products. The identified vulnerabilities include remote code execution and authentication bypass issues. No evidence of active exploitation has been reported, yet immediate patching is strongly advised. The critical flaws impact products used in enterprise environments, particularly in regulated industries requiring strict data protection compliance. The updated versions address both high-severity and critical vulnerabilities, covering remote code execution as well as potential SQL injection and privilege escalation. Both pre-authentication remote code execution vulnerabilities found in Apex Central were resolved in their respective patches. The article also discusses the shift of patch management towards automation, emphasizing the need for efficient, script-free patching methods in modern IT environments.
2025-06-12 17:55:55 thehackernews CYBERCRIME Global Cybercrime Network Exploits WordPress, Redirects to Scams
VexTrio operates a sophisticated cybercriminal network utilizing various Traffic Distribution Services (TDS) like Help TDS and Disposable TDS to redirect web traffic to scam and malware distribution sites. These TDS systems, supported by adtech companies such as Los Pollos and Taco Loco, encourage the participation of malware and advertising affiliates by offering financial incentives for scam activities including gift card fraud and phishing. The criminal network extensively targets and compromises WordPress websites, injecting malicious code that initiates the redirection to VexTrio's infrastructure, eventually landing users on scam pages. Infoblox's analysis revealed over 4.5 million DNS TXT record responses pointing to domain sets with distinct command-and-control servers based in Russia, showing how VexTrio and affiliates manipulate DNS responses for redirecting traffic. The VexTrio network experienced a significant disruption in November 2024 when Los Pollos was exposed as a participant, facing substantial affiliate withdrawals and redirection shifts to other TDS services. Malicious campaigns utilized by VexTrio and related TDS networks employ Google Firebase Cloud Messaging and custom-developed scripts to send push notifications directing users to fraudulent content. Despite being registered in countries with KYC regulations, VexTrio and its affiliate adtech firms manage to elude full accountability by insufficiently vetting publishing affiliates.
2025-06-12 17:47:38 bleepingcomputer NATION STATE ACTIVITY Zero-Click Spyware Used to Target Journalists on iOS
Citizen Lab confirmed zero-click attacks via Graphite spyware against European journalists. Victims included a European journalist and Ciro Pellegrino of Fanpage.it. Attackers exploited a zero-day vulnerability, CVE-2025-43200, in iOS 18.2.1 using crafted iCloud Link photos/videos. Apple patched the vulnerability in iOS version 18.3.1, introducing additional security checks. Spyware was delivered through iMessage without user interaction and left minimal traces on devices. Infected devices contacted a C2 server linked to Paragon's infrastructure hosted by EDIS Global. Attack details align with previous uses of Graphite spyware in zero-click attacks targeting other Italian figures.
2025-06-12 14:43:22 bleepingcomputer CYBERCRIME Massive Password-Spraying Campaign Targets Microsoft Accounts
Over 80,000 Microsoft Entra ID accounts at various organizations worldwide were targeted using password-spraying attacks. The attacks were orchestrated through the TeamFiltration pentesting framework, a tool designed for large-scale intrusion attempts. The threat actor, tracked as UNK_SneakyStrike, initiated the campaign in December; activity peaked on January 8, with 16,500 accounts attacked in one day. Researchers from Proofpoint discovered the campaign and linked the malicious activity to specific tools and tactics used by UNK_SneakyStrike. TeamFiltration was instrumental in account enumeration, credential spraying, and exploiting the Microsoft Teams API via "sacrificial" accounts. The attackers primarily used AWS servers, with source IP addresses predominantly in the United States, Ireland, and the UK. Proofpoint recommends that organizations enhance security measures such as enabling multi-factor authentication, enforcing OAuth 2.0, and using conditional access policies. The indicators of compromise and detection rules suggested by the researchers include blocking certain IPs and monitoring for unique user agent strings associated with TeamFiltration.
2025-06-12 13:55:16 thehackernews CYBERCRIME New TokenBreak Attack Eludes AI Content Moderation
Cybersecurity researchers have unveiled a novel attack, TokenBreak, which bypasses AI content moderation by altering a single character in a text. TokenBreak targets large language models (LLMs) by manipulating text tokenization, enabling the transmission of content that should be blocked. The attack uses slight modifications to words (e.g., "finstructions" for "instructions") which confuse the AI without losing clarity for human readers. The technique exploits the model's statistical analysis of token relationships without triggering its detection mechanisms, so the input is not flagged as malicious. While effective against models using BPE (Byte Pair Encoding) or WordPiece tokenization, the technique does not work against models using Unigram tokenization. Researchers suggest defending against TokenBreak by opting for Unigram tokenizers, incorporating training with bypass scenarios, and aligning tokenization with model logic. The discovery adds to concerns about AI vulnerabilities, including the exploitation of the Model Context Protocol and the Yearbook Attack, which tricks AIs into unsuitable responses.
2025-06-12 13:28:13 bleepingcomputer MISCELLANEOUS Microsoft Edge Introduces Secure Password Sharing for Businesses
Microsoft has launched a new feature in Edge for secure password deployment tailored for enterprise use. This functionality is designed to prevent unauthorized access and the inadvertent sharing of passwords in corporate environments. The feature is integrated into Microsoft Edge for Business and is available to users with Microsoft 365 Business Premium, E3, and E5 subscriptions. Secure password deployment involves encrypted sharing of passwords among specified users, enhancing security and compliance with Zero Trust principles. Managed passwords are automatically filled in on websites via Edge and cannot be edited or exported, which keeps them from leaving the managed environment. The deployment and management of these passwords are controlled through the Microsoft 365 admin center, where admins can set and update access policies. Microsoft emphasizes the integration of its Information Protection SDK with Edge to extend data protection all the way to user endpoints. This move by Microsoft aims to streamline password management and bolster security measures for organizations.
2025-06-12 13:22:03 bleepingcomputer MISCELLANEOUS Microsoft Edge Enhances Security with Password Sharing Tool
Microsoft has introduced a new feature in Edge for securely sharing passwords within enterprise scenarios, now generally available to Microsoft Edge for Business users. The feature, known as secure password deployment, enhances security by minimizing the risk of passwords being shared unintentionally with unintended recipients. Secure password deployment is available with Microsoft 365 Business Premium, E3, and E5 subscriptions and requires an Edge admin or Global admin role to configure. Through this feature, encrypted passwords can be deployed to specific user groups and automatically filled in on the corresponding websites, providing a secure auto-login experience. Administrators control the management and distribution of credentials through policies using the Microsoft Edge management service within the Microsoft 365 admin center. The feature extends Microsoft's data protection capabilities to endpoint security, with passwords encrypted by the Microsoft Information Protection SDK and integrated with Entra identities for compliance adherence. Despite these security measures, passwords can still be accessed through the browser's developer tools, though admins can restrict that access using specific policies.
2025-06-12 13:07:43 thehackernews CYBERCRIME Webinar Addresses Security Risks of Non-Human AI Identities
AI agents rely on non-human identities such as API keys, service accounts, and OAuth tokens, which operate silently in the background. These AI-created identities, while powerful, often lack proper security controls, posing significant risks. Attackers have already started exploiting these weaknesses to gain access to critical systems. Traditional identity and access management tools are ineffective against threats posed by AI impersonation of users. The webinar, led by Jonathan Sander, focuses on identifying and securing these invisible AI identities. Security leaders, CTOs, DevOps leads, and AI development teams are the primary audience, reflecting the urgency of securing such systems. The session aims to provide actionable insights and strategies to mitigate the risks associated with AI identities in business environments.
2025-06-12 12:31:24 bleepingcomputer CYBERCRIME GitLab Issues Updates for Major Security Vulnerabilities
GitLab released updates to fix multiple serious vulnerabilities in its DevSecOps platform. Key issues patched include an account takeover vulnerability via HTML injection and a missing authorization flaw that allowed injection of malicious CI/CD jobs. Fixes shipped in versions 18.0.2, 17.11.4, and 17.10.8 for both the Community and Enterprise Editions. GitLab.com has already been updated to the patched versions, and GitLab Dedicated customers need to take no action. The vulnerabilities, if exploited, could allow attackers to perform actions as a legitimate user or disrupt service through a denial of service (DoS) attack. GitLab urges all self-managed installations to upgrade immediately to protect sensitive data, noting that over 30 million users and 50% of Fortune 100 companies use its platform.