Daily Brief
Find articles below; see 'Details' for generated summaries
Total articles found: 12725
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-07-17 19:02:48 | bleepingcomputer | MALWARE | LameHug Malware Utilizes AI to Generate Windows Theft Commands | LameHug malware, discovered by Ukraine’s CERT-UA, leverages a large language model (LLM) to create real-time data-theft commands for attacking Windows systems. The malware has been linked to APT28, a Russian state-backed cyber threat group also known under aliases including Fancy Bear and Sednit. LameHug uses Hugging Face’s API and Alibaba Cloud's open-source LLM, Qwen 2.5-Coder-32B-Instruct, to convert natural-language prompts into executable code. Initial distribution was identified through malicious emails with ZIP attachments impersonating Ukrainian ministry officials. Key functions include system reconnaissance and theft of sensitive documents from directories such as Documents, Desktop, and Downloads on compromised systems. LameHug transmits stolen data via SFTP or HTTP POST, making the exfiltration harder to spot. The use of AI for dynamic command generation represents a potential shift in attack strategies, giving malware operations adaptability and obfuscation advantages. CERT-UA attributes LameHug's activity to the Russian-sponsored APT28 with medium confidence, though whether the generated commands actually worked remains unconfirmed. | Details |
| 2025-07-17 18:50:22 | theregister | MALWARE | Critical Security Flaw in Cisco ISE Allows Root-Level Access | Cisco has issued patches for a critical vulnerability in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), rated a perfect 10 in severity. The vulnerability, identified as CVE-2025-20337, allows an unauthenticated, remote attacker to execute arbitrary code with root-level privileges. It is related to another severe vulnerability (CVE-2025-20281) disclosed previously; both affect ISE and ISE-PIC versions 3.3 and 3.4. There are no workarounds, but Cisco has released software updates that address this and other related security issues. The vulnerabilities stem from insufficient validation of user-supplied input in crafted API requests. Security researchers and criminals alike take a keen interest in vulnerabilities of this severity, though there are no known exploits in the wild yet. Users of the affected systems should apply the software updates immediately to prevent exploitation. | Details |
| 2025-07-17 17:44:33 | thehackernews | MALWARE | Hackers Employ GitHub to Distribute Amadey Malware and Stealers | Threat actors are using public GitHub repositories to host and distribute malicious payloads, including the Amadey malware and data stealers. Cisco Talos researchers identified fake GitHub accounts being used to bypass web filtering and streamline distribution. The malware loader Emmenhtal (also known as PEAKLIGHT) is used to download Amadey, which in turn fetches additional payloads from GitHub. Similar tactics were observed in a previous phishing campaign that targeted Ukrainian entities with invoice-related lures to distribute SmokeLoader. Amadey not only downloads secondary payloads but also gathers system information and extends its functionality through DLL plugins for capabilities such as credential theft. GitHub has taken down the identified accounts hosting malicious scripts, but researchers suggest this is part of a broader malware-as-a-service operation abusing the platform. A related threat, SquidLoader, is targeting financial institutions in Asia, using sophisticated techniques to evade detection and enable remote control. The use of social engineering techniques, including QR codes and password-protected emails, continues to rise, complicating detection and response for security teams. | Details |
| 2025-07-17 17:00:10 | bleepingcomputer | CYBERCRIME | BigONE Crypto Exchange Hacked, $27 Million in Digital Assets Stolen | Cryptocurrency exchange BigONE was hacked, resulting in the theft of $27 million in various digital assets. The attack targeted BigONE's hot wallet; private keys and user data were not compromised. BigONE has confirmed full reimbursement for all affected users from its available reserves. The company identified and contained the attack method with the help of security firm SlowMist, which is now tracking the movement of the stolen funds across blockchains. No details have been disclosed about how the hackers executed the theft, though it is attributed to a supply-chain attack. Following the attack, BigONE quickly restored deposit and trading services and plans to re-enable withdrawal and OTC functions soon. The hackers have begun laundering the stolen assets, converting them into various cryptocurrencies including Bitcoin and Ether. BigONE's involvement in processing large amounts of funds from scams highlights broader concerns about security in the cryptocurrency industry. | Details |
| 2025-07-17 16:05:22 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hackers Infiltrate U.S. National Guard, Steal Sensitive Data | Chinese state-sponsored hacking group Salt Typhoon breached a U.S. Army National Guard network and remained undetected for nine months in 2024. The hackers exfiltrated network diagrams, configuration files, administrator credentials, and personal information of service members. The stolen data includes network configurations linking every U.S. state and several territories, greatly increasing the risk of further breaches in government networks. Salt Typhoon is believed to be affiliated with China's Ministry of State Security and has previously targeted U.S. telecommunications and government entities. A Department of Homeland Security memo indicates the breach could facilitate future attacks on U.S. critical infrastructure by using the stolen data to compromise additional networks. The National Guard Bureau acknowledged the breach without disclosing specifics; operations were reportedly not disrupted. DHS has urged cybersecurity teams in the National Guard and other government sectors to patch known vulnerabilities and strengthen network security measures. The Chinese embassy responded to the allegations by suggesting the U.S. has not provided substantial evidence of Salt Typhoon's links to the Chinese government. | Details |
| 2025-07-17 15:53:39 | bleepingcomputer | MALWARE | Critical Cisco ISE Vulnerability Urges Immediate Patching | A severe vulnerability in Cisco's Identity Services Engine (ISE), identified as CVE-2025-20337, allows unauthenticated attackers to execute commands and potentially gain root access. The flaw, rated 10/10 in severity, arises from insufficient validation of user-supplied input in certain API requests. It was discovered by Kentaro Kawane and reported through Trend Micro's Zero Day Initiative. The vulnerability impacts Cisco ISE and ISE-PIC versions 3.3 and 3.4, but not earlier versions like 3.2. Cisco has released patches for ISE versions 3.3 and 3.4 to address this critical issue and two other related vulnerabilities. No practical workarounds are available; system administrators are urged to apply the patches immediately to mitigate the risk. Although no exploitation of this vulnerability has been detected in the wild, the potential for severe system compromise makes immediate action essential. Other Cisco bulletins released at the same time address various security issues, but CVE-2025-20337 requires particular attention due to its critical nature and high potential impact. | Details |
| 2025-07-17 14:15:38 | thehackernews | MALWARE | Hackers Use Apache Server Flaw to Spread Cryptocurrency Miner | Cybersecurity researchers uncovered a new malicious campaign exploiting a vulnerability (CVE-2021-41773) in Apache HTTP Server to distribute a cryptocurrency miner named Linuxsys. The Linuxsys deployment uses compromised legitimate websites to remain undetected and leverages their valid SSL certificates to evade security controls. Attackers host the malware on third-party sites rather than directly on their command-and-control server, adding a layer of obfuscation. Additional payloads discovered include Windows executables, indicating that the attackers target multiple operating systems. The campaign combines compromised infrastructure with evasion techniques, enabling long-term, stealthy operation of the mining malware. Previous related attacks exploited critical vulnerabilities in other software, including OSGeo GeoServer GeoTools, pointing to a consistent pattern by the same attackers. The threat actors carefully select victims and avoid detection by security systems, which often overlook interactions with legitimate but compromised hosts. | Details |
| 2025-07-17 11:38:26 | thehackernews | DDOS | Europol Cracks Down on Pro-Russian DDoS Hacktivist Network | Europol has disrupted the central server infrastructure of the pro-Russian hacktivist group NoName057(16), significantly hindering its capabilities. The operation, dubbed "Operation Eastwood," involved coordinated efforts across multiple countries, including France, Germany, and Spain, and resulted in two arrests. NoName057(16) has been active since March 2022, conducting DDoS attacks against Ukraine and its allies following Russia's invasion. Participants were mobilized via Telegram and incentivized with cryptocurrency to carry out attacks using a bespoke program, DDoSia. The crackdown included arrest warrants for six Russians and outreach to over 1,000 individuals involved, warning them of criminal liability. The group also built a botnet of several hundred servers to amplify its attack capability and used gamified tactics to recruit and motivate participants. Recent activity has targeted a variety of entities in Sweden and Germany, with multiple waves of attacks on critical infrastructure and public institutions. The broader trend sees Russian hacktivist groups like Z-Pentest and Dark Engine focusing increasingly on strategic targets beyond typical ideological cyber vandalism. | Details |
| 2025-07-17 11:31:02 | theregister | MISCELLANEOUS | Expert Criticizes Quantum Computer Claims as Unfounded | Peter Gutmann, a computer science professor, dismisses the practicality of quantum cryptanalysis, calling it "nonsense" in a detailed presentation. The US National Institute of Standards and Technology (NIST) has been promoting the development of post-quantum cryptographic (PQC) algorithms since 2016 because of potential quantum computing threats. Gutmann argues that quantum computers as they currently exist are more like physics experiments and have not demonstrated the ability to crack real cryptographic algorithms. His skepticism extends to the hype around quantum computing's promise, comparing unfounded claims to other undelivered technological promises like fusion power. Gutmann challenges the significance of recent quantum achievements, noting that effectively cracking public keys would require quantum processors far larger than those currently available. He views the current shift towards PQC as premature and a diversion from addressing real issues in encryption and cybersecurity. The piece reflects an ongoing debate in the scientific community about the timeline and impact of quantum computing on encryption and security. | Details |
| 2025-07-17 11:07:57 | thehackernews | MISCELLANEOUS | Enhancing Cybersecurity with CTEM, VM, and ASM in 2025 | The cybersecurity landscape in 2025 demands proactive, adaptive, and actionable security measures. Continuous Threat Exposure Management (CTEM), Vulnerability Management (VM), and Attack Surface Management (ASM) are crucial, overlapping strategies. CTEM offers a systematic approach to continuously monitor, assess, and respond to security exposures across an organization. VM focuses on proactively identifying, analyzing, and managing vulnerabilities within known assets to prevent potential cyberattacks. ASM takes a broader approach by identifying both known and unknown assets, offering insight into critical attacker entry points. Effective CTEM programs incorporate VM and ASM tools along with offensive security techniques such as penetration testing. BreachLock offers a unified platform that integrates CTEM, VM, and ASM, simplifying comprehensive security management with a single source of truth. BreachLock's integrated approach helps elevate defense strategies by unifying security testing and validating attack paths. | Details |
| 2025-07-17 07:59:42 | thehackernews | NATION STATE ACTIVITY | Chinese State-Linked Hackers Target Taiwan's Semiconductor Industry | Three Chinese state-sponsored groups, UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp, ran spear-phishing campaigns against Taiwan's semiconductor sector between March and June 2025. UNK_FistBump sent phishing emails with fake resumes to HR departments to deploy Cobalt Strike and a custom malware known as Voldemort, previously linked to the Chinese cyber-espionage group APT41. UNK_DropPitch focused on investment analysts within the semiconductor industry, delivering malicious DLL payloads via email to run backdoor activities and gather intelligence. UNK_SparkyCarp attempted to capture credentials from a Taiwanese semiconductor company using phishing emails disguised as security alerts and a sophisticated adversary-in-the-middle (AitM) kit. The activity reflects China's strategic interest in semiconductor self-sufficiency and reduced reliance on international technologies amid heightened US-Taiwan export controls. Proofpoint also reported evidence of shared infrastructure and tactics among these groups, suggesting a coordinated effort potentially directed by a central authority within China. The incidents are consistent with the targeting patterns and technical capabilities historically associated with Chinese cyber espionage aimed at gaining a competitive edge in critical technologies. | Details |
| 2025-07-17 06:32:06 | theregister | MISCELLANEOUS | Microsoft Extends Security Updates for Exchange and Skype Servers | Microsoft announced a 6-month extension of security updates for Exchange Server 2016 and 2019 and Skype for Business 2015 and 2019, beyond their official end of support in October 2025. The extension gives customers additional time to migrate from these older systems, acknowledging the difficulties a significant customer base has experienced. Extended Security Updates (ESU) will only cover Critical- or Important-rated security updates that may be issued after the support end date. Microsoft does not guarantee that updates will be released during the extension and will not provide them through regular channels such as Windows Update. Access to the extended updates requires registration and purchase, details of which are only available through direct communication with Microsoft’s account teams. Microsoft emphasized that this extension is a one-time offer that will end on April 14, 2026, with no further extensions to be granted. | Details |
| 2025-07-17 05:41:23 | thehackernews | MALWARE | Critical Security Flaw in Cisco ISE Allows Root Code Execution | Cisco has disclosed a critical vulnerability in Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that allows unauthenticated attackers to execute arbitrary code. The flaw, tracked as CVE-2025-20337, has a maximum CVSS score of 10.0, indicating a severe risk. Like the previously patched CVE-2025-20281, this vulnerability involves insufficient validation of user-supplied input through a specific API. Attackers can exploit the flaw by sending a crafted API request to obtain root privileges without valid credentials. The issue affects ISE and ISE-PIC releases 3.3 and 3.4 and has been patched in subsequent versions; releases prior to 3.2 are not impacted. There is no current evidence that this vulnerability has been exploited in the wild. The report follows another concerning series of attacks involving CVE-2025-25257, targeting Fortinet FortiWeb appliances for unauthorized access. | Details |
| 2025-07-16 22:32:39 | bleepingcomputer | DATA BREACH | Co-op Cyberattack Exposes Personal Data of 6.5 Million Members | UK retailer Co-op confirmed a significant data breach affecting 6.5 million members, involving the theft of personal data during a cyberattack in April. The breach included member contact information but did not expose financial or transactional details. CEO Shirine Khoury-Haq publicly apologized, describing the breach as a personal attack on the community of members and employees. The attack forced the shutdown of vital IT systems and led to the deployment of DragonForce ransomware, causing disruptions including food shortages. The breach began with a social engineering attack that enabled the attackers to reset an employee's password and access the network. Exposed data included a critical Windows Active Directory Services database, increasing the threat actors' ability to spread within the network. The cyberattack was linked to the known cybercriminal group Scattered Spider, also tied to similar attacks on other major companies. Following the incidents, the UK’s National Crime Agency arrested four individuals suspected of involvement in the attacks. | Details |
| 2025-07-16 21:00:40 | bleepingcomputer | CYBERCRIME | Former U.S. Soldier Guilty of Hacking Major Telecom Companies | Former U.S. Army soldier Cameron John Wagenius pleaded guilty to hacking and extorting telecommunications and technology companies, including AT&T and Verizon. Wagenius, operating under aliases such as 'kiberphant0m', engaged in cybercrimes from April 2023 to December 2024. The charges include wire fraud conspiracy, aggravated identity theft, and extortion related to computer fraud, carrying a maximum potential sentence of 27 years. He and his co-conspirators used methods like SSH Brute for unauthorized access and discussed tactics in Telegram group chats. Their criminal activities involved SIM-swapping and selling stolen data on cybercrime forums, with ransom demands reaching up to $1 million. Wagenius's crimes were committed while he was on active duty, complicating the case and indicating lapses in the monitoring of military personnel. Sentencing is scheduled for October 6 and will take into account this case and another involving the unlawful transfer of phone records. | Details |