Daily Brief
Total articles found: 11823
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-05-29 19:15:59 | bleepingcomputer | NATION STATE ACTIVITY | Nation-State Hackers Breach ConnectWise, Impacting ScreenConnect Users | ConnectWise confirmed a cyberattack by suspected state-sponsored actors, affecting a limited number of ScreenConnect customers. The attack was identified as suspicious activity in ConnectWise's environment, leading to an investigation with Mandiant and coordination with law enforcement. The breach specifically impacted cloud-based ScreenConnect instances and was discovered following ConnectWise's proactive security enhancements, including increased monitoring and network security hardening. Customers discussed the incident and linked it to CVE-2025-3935, a high-severity ViewState code injection vulnerability in ScreenConnect patched on April 24. The breach reportedly occurred in August 2024 but was not detected until May 2025, with threat actors potentially exploiting the system via stolen machine keys that allow remote code execution. ConnectWise has patched the vulnerability on its cloud-hosted platforms and has not observed further suspicious activity since the enhancements. The full extent of the data compromised and the specific number of affected customers remain undisclosed by ConnectWise. |
| 2025-05-29 16:33:33 | bleepingcomputer | CYBERCRIME | Abuse of Google Apps Script in Recent Phishing Attacks | Threat actors exploit Google Apps Script to create convincing phishing pages within Google's trusted domain. Cofense security researchers uncovered the attack scheme, which mimics legitimate Google login screens to steal credentials. The phishing tactics involve emails that mimic invoices or tax communications, directing victims to these malicious pages. Once credentials are entered on the fake login page, victims are redirected to the actual service to reduce suspicion. The open nature of Google Apps Script allows attackers to change their phishing script remotely without issuing new links. Suggested defenses include stricter email security settings and potentially blocking or flagging Google Apps Script URLs. This method of attack capitalizes on the trust afforded to Google's domain, making it harder for typical security measures to flag the phishing attempt. Google has yet to respond to inquiries about implementing specific anti-abuse measures following these findings. |
| 2025-05-29 16:26:12 | theregister | MALWARE | Sophisticated Botnet Targets 8,000+ Asus Routers for Stealth Control | Thousands of Asus routers have been compromised by a botnet named AyySSHush, as detected by the threat monitoring firm GreyNoise. The botnet exploits vulnerabilities in the routers to disable Trend Micro security features and gain backdoor access. Attackers are using brute-force attacks and authentication bypass bugs to achieve initial router access and execute arbitrary commands. Compromised routers have an SSH backdoor installed, making the botnet nearly invisible and persistent even after firmware updates. GreyNoise worked closely with governments and industry partners before disclosing these vulnerabilities months after their discovery. The specific router models affected are popular ones, namely RT-AC3100, RT-AC3200, and RT-AX55. GreyNoise notes similarities between this botnet and another campaign named ViciousTrap, mentioned by French research group Sekoia. Asus issued patches for the vulnerabilities, but affected devices still require a factory reset to completely eradicate the threat. |
| 2025-05-29 16:12:35 | bleepingcomputer | CYBERCRIME | Safari Vulnerability Enables Deceptive Fullscreen Attacks | A flaw in Apple's Safari web browser enables fullscreen browser-in-the-middle (BitM) attacks, posing significant credential theft risks. Attackers exploit the Fullscreen API in Safari, allowing them to obscure browser guardrails and deceive users into revealing sensitive information. SquareX researchers observed that these attacks particularly endanger Safari users due to the browser's insufficient alert mechanisms when entering fullscreen mode. The technique involves tricking users via legitimate-looking but malicious websites, using tools like noVNC to superimpose an attacker-controlled browser window over the legitimate session. This type of attack does not trigger security alerts from endpoint detection and response (EDR) or secure access service edge (SASE/SSE) systems because it abuses standard browser functionality. Unlike Safari, Firefox and Chromium-based browsers signal to users when fullscreen mode is activated, adding a layer of security that Safari lacks. SquareX's disclosure to Apple received a "wontfix" response, with Apple suggesting that its current fullscreen animation is an adequate indication for users. Apple has yet to offer a detailed public response to SquareX's findings or to BleepingComputer's inquiry about its stance on the issue. |
| 2025-05-29 15:56:38 | thehackernews | MALWARE | Cybercriminals Exploit AI Popularity Using Malware-Filled Installers | Cybercriminals are distributing malware through fake installers of popular AI tools like OpenAI ChatGPT and InVideo AI. Malware variants linked to this scam include CyberLock ransomware, Lucky_Gh0$t ransomware, and a destructive malware named Numero. CyberLock encrypts files by escalating privileges and demands a $50,000 ransom in Monero, whereas Lucky_Gh0$t targets files under 1.2GB, erasing backups. Numero malware disrupts the graphical user interface of Windows, making systems unusable by continuously running malicious processes. Fake websites, such as "novaleadsai[.]com," are promoted using SEO poisoning to look authentic, tricking users into downloading malicious software. Victims are lured with offers like free access for a year, followed by a hefty monthly subscription fee, only to receive malware in place of the promised software. Talos and Mandiant reports highlight an uptrend in the misuse of AI tool popularity for spreading various malware targeting business and marketing professionals. Malvertising campaigns also direct users from reputable platforms like Facebook and LinkedIn to malware-infected websites, further emphasizing the broadened threat landscape. |
| 2025-05-29 15:46:14 | bleepingcomputer | CYBERCRIME | U.S. Sanctions Filipino Company for Multi-Million Dollar Cyber Scams | The U.S. Treasury Department sanctioned Funnull Technology, a Philippines-based firm, for supporting large-scale cyber scams causing over $200 million in American losses. Funnull Technology facilitated various online scams, including romance baiting and pig butchering, by providing IP addresses and hosting services to cybercriminals. These criminals built trust with victims via social platforms, then lured them into fraudulent investment schemes, eventually diverting invested funds to their own accounts. The sanctioned firm also used domain generation algorithms and web design templates to help cybercriminals impersonate legitimate brands and evade takedown attempts. U.S. entities are now prohibited from conducting any transactions with Funnull or its Chinese administrator, Liu Lizhi, and all their U.S. assets are frozen. Additional penalties could apply to international financial institutions engaging in transactions with the blacklisted entities. The FBI issued a flash alert detailing technical aspects of Funnull's operations, including IP addresses and domain patterns indicative of its scam operations. Cybercrime losses in the U.S. hit a record $16.6 billion in 2024, with over $6.5 billion attributed to investment scams. |
| 2025-05-29 14:33:39 | bleepingcomputer | MALWARE | Cybercriminals Use AI Tool Facades to Distribute Ransomware | Cybercriminals are increasingly exploiting the popularity of AI tools to spread ransomware and malware, with incidents involving deepfake content generators and fake AI tool websites. Notable ransomware groups like CyberLock and Lucky_Gh0$t, along with new malware like Numero, exploit SEO poisoning and malvertising to appear prominently in search engine results. CyberLock ransomware, disseminated through a counterfeit AI tool site, demands a $50,000 ransom in Monero, claiming the funds support humanitarian efforts. Lucky_Gh0$t, a derivative of Chaos ransomware, masks itself as a ChatGPT installer, targeting files under 1.2GB for encryption, with larger files replaced by junk data. The novel malware, Numero, primarily disrupts the visual interface of Windows systems, locking the graphical elements in a dysfunctional loop without data encryption. Organizations are urged to download AI tools exclusively from reputable, official sources to avoid these increasingly sophisticated attacks leveraging the fascination with AI technology. |
| 2025-05-29 14:05:53 | bleepingcomputer | MISCELLANEOUS | Sprocket ASM Tool: Proactively Secure Your Digital Footprint | Threat landscapes are rapidly expanding, exposing new vulnerabilities that attackers are eager to exploit using sophisticated techniques, which is the problem Attack Surface Management (ASM) sets out to address. Sprocket Security's Attack Surface Management Tool focuses on understanding attacker behavior and provides capabilities for real-time asset mapping and change detection. Attackers utilize publicly available tools and automation to discover assets, highlighting the necessity for organizations to continuously monitor and protect their digital infrastructures. A highlighted case within the article is the mass exploitation of VMware ESXi servers, demonstrating the critical need for timely patches and proactive security measures. Sprocket Security emphasizes the importance of seeing an organization's digital infrastructure from an attacker's perspective to effectively prevent breaches. The article encourages the integration of ASM tools into daily security workflows to enhance visibility, proactive defense, and efficiency in testing and validation phases. Sprocket ASM provides free tools that offer continuous penetration testing capabilities, notifications on new discoveries, and the ability to track manually added assets not visible on the internet. |
| 2025-05-29 13:21:06 | thehackernews | MALWARE | New RAT Malware Uses Corrupted Headers to Evade Detection | Cybersecurity researchers identified a new remote access trojan (RAT) that uses corrupted DOS and PE headers to avoid detection on Windows systems. The malware was discovered by Fortinet's FortiGuard Incident Response Team after persisting undetected for several weeks on a compromised machine. Fortinet acquired memory dumps from the machine to analyze the malware, which concealed its operations within a dllhost.exe process. The malware decrypts C2 server information from memory and establishes secure communication over TLS, enhancing its stealth and persistence. Despite corrupted headers obstructing direct payload analysis, Fortinet successfully deconstructed the malware in a controlled environment after multiple attempts. The RAT has capabilities for capturing screenshots, managing system services, and handling incoming connections, effectively turning the infected host into a multipurpose remote-access platform. The communication with the C2 server and the complex multi-threaded architecture of the RAT support simultaneous operations and evolving attack strategies. |
| 2025-05-29 12:27:44 | theregister | CYBERCRIME | Billions of Stolen Cookies Pose Severe Privacy Risks Worldwide | Billions of stolen cookies are actively sold on the dark web and Telegram, with 7-9% still exploitable. Stolen cookies, often underestimated in danger, can allow cybercriminals access to sensitive personal and financial data without needing passwords. The majority of these cookies carry ID data for user identification and ad targeting; only a minor portion contains critical information such as passwords. Cybercriminals use stolen session cookies to impersonate users, bypass multi-factor authentication, and potentially access corporate systems and data. Infostealer malware like Redline, Vidar, and LummaC2, although targeted by law enforcement, facilitate the theft and sale of these cookies. NordVPN advises careful consideration before accepting website cookies and recommends regular updates and cleaning of browser data to mitigate risks. |
| 2025-05-29 11:33:40 | bleepingcomputer | CYBERCRIME | Victoria's Secret Website Down After Security Breach Incident | Victoria's Secret has temporarily shut down its website and certain in-store services due to a security incident. The fashion retailer operates around 1,380 stores globally and reported annual revenues of $6.23 billion for the fiscal year ending February 2025. Stores under the Victoria's Secret and PINK brands remain open as the company works to restore full operations. CEO Hillary Super communicated to employees that the recovery process from the incident would be prolonged. Specific details regarding the nature of the cyberattack, such as whether it involved ransomware or if a ransom was demanded, have not been confirmed. The incident at Victoria's Secret is part of a larger trend, following recent cybersecurity breaches at other major retailers like Dior and Adidas. Recent attacks against UK retailers like Harrods, Co-op, and Marks & Spencer have been linked to the DragonForce ransomware group, with indications of similar tactics being used in the US. |
| 2025-05-29 10:35:50 | thehackernews | RANSOMWARE | DragonForce Ransomware Strikes Using MSP's Tool Exploits | DragonForce threat actors exploited security vulnerabilities in the SimpleHelp tool to deploy ransomware via a Managed Service Provider (MSP). Accessed data included device names, user info, and network configurations across multiple customer environments. Exploitation of three specific CVEs in SimpleHelp allowed unauthorized access, leading to data theft and ransomware attacks on various endpoints. Some MSP clients successfully blocked the attack, but others experienced significant impacts, including double-extortion tactics. Recent developments position DragonForce as a prominent ransomware cartel, often reshuffling within the cybercrime ecosystem. Cyberint suggests another group, Scattered Spider, may have facilitated initial access, highlighting complex alliances in ransomware operations. The attacks have prompted a reevaluation of security strategies around AI-driven malware and remote access tools. Sophos identifies ongoing risks and recommends enhanced employee training and stricter remote access controls to mitigate similar threats. |
| 2025-05-29 09:27:19 | theregister | MISCELLANEOUS | EU Launches Strategy to Boost Local Tech Startup Ecosystem | The European Commission has introduced the EU Startup and Scaleup Strategy to transform Europe into a leading global hub for technology startups, enhancing their development from inception to mature businesses. The strategy aims at reducing administrative burdens, facilitating financing through a proposed public-private fund of at least €10 billion, and improving cross-border operations within the Single Market. Key initiatives include the Scaleup Europe Fund to address financing gaps and the Lab to Unicorn program to boost university collaborations across Europe. The strategy seeks to attract and retain top talent by offering enhanced employee stock options and easing cross-border employment regulations. Measures include simplifying startup-related regulations across the EU to foster a more innovation-friendly atmosphere. Progress will be monitored through the European Startup and Scaleup Scoreboard and annual surveys, benchmarking Europe against global counterparts. This move aligns with the broader Choose Europe initiative, promising comprehensive updates on its progress by 2027. Despite current dominance by major US tech companies, the EU strategy represents a proactive step to nurture and retain homegrown tech enterprises, reducing reliance on American technology solutions. |
| 2025-05-29 08:32:18 | bleepingcomputer | DATA BREACH | LexisNexis Data Breach Exposes Personal Information of 364,000 | LexisNexis Risk Solutions reported a data breach affecting 364,000 individuals, with personal information stolen. The breach originated from a compromised company account on GitHub, not affecting internal networks or systems. Data stolen includes names, contact details, Social Security numbers, and driver's licenses; financial data remained secure. The breach was discovered on April 1, 2025, but occurred on December 25, 2024. Affected individuals are advised to monitor their accounts for fraud and will receive two years of free identity protection. LexisNexis is a major global data broker with significant ties to Fortune 500 and Fortune 100 companies. |
| 2025-05-29 06:06:34 | thehackernews | NATION STATE ACTIVITY | APT41 Exploits Google Calendar in Sophisticated Malware Attacks | Chinese state-sponsored group APT41 used Google Calendar for malware command and control, utilizing a malware named TOUGHPROGRESS. Google discovered the activity, which involved compromised government websites and the targeting of multiple government entities, in late October 2024. The campaign involved spear-phishing emails linked to a ZIP archive containing deceptive files and a malware-laden Windows shortcut disguised as a PDF. TOUGHPROGRESS malware employed evasion techniques, including memory-only payloads and encrypted commands in Google Calendar events. The malware was programmed to interact with Google Calendar, storing harvested data and command results in calendar events to hide its activity. Google has dismantled the malicious operations by taking down the involved Google Calendar and terminating related Workspace projects. This incident is part of a wider pattern, with APT41 previously found using Google's services for attacks on industries and governments worldwide. |