Daily Brief
Total articles found: 11826
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-07 07:40:19 | thehackernews | MALWARE | Malicious Discord Utility Package Exposes Thousands to Cyber Threats | Security researchers identified a malicious package named "discordpydebug" on the Python Package Index that acts as a remote access trojan. Although it appears to be a tool for Discord bot developers, the disguise conceals malware capable of serious malicious activity. Installed over 11,500 times, the RAT can manipulate files, execute commands, and exfiltrate sensitive data. The RAT relies on outbound HTTP polling to avoid detection and can bypass most traditional security defenses. Reflecting broader security issues, over 45 related hazardous npm packages were also found, all linked to a single threat actor. The findings highlight a significant and ongoing software supply chain vulnerability, suggesting heightened scrutiny is necessary for software developers and the platforms hosting such packages. | Details |
| 2025-05-07 06:32:08 | thehackernews | NATION STATE ACTIVITY | NSO Group Ordered to Pay $168M for WhatsApp Spyware Misuse | A federal jury ordered NSO Group to pay approximately $168 million to WhatsApp for deploying Pegasus spyware against over 1,400 individuals worldwide. The lawsuit, initiated by WhatsApp against NSO Group in 2019, highlighted the targeting of journalists, activists, and dissidents using the Pegasus spyware. Victims included 456 individuals in Mexico, with significant numbers also in India, Bahrain, Morocco, and Pakistan, spanning 51 different countries. The spyware exploited a critical zero-day vulnerability in WhatsApp's voice calling feature to propagate. U.S. District Judge Phyllis J. Hamilton emphasized NSO's violation of both federal and state laws, and the contradictory claims of NSO regarding its users' activities and intents. WhatsApp plans to seek a permanent injunction against NSO's operations targeting its platform and will donate to digital rights organizations to combat similar vulnerabilities. In total, punitive damages were set at $167,254,000, with an additional $444,719 in compensatory damages for the efforts involved in mitigating the attack vectors. This ruling represents a significant victory for privacy advocates and has further legal and ethical implications for the global surveillance software industry. | Details |
| 2025-05-07 04:10:37 | theregister | MISCELLANEOUS | New Zealand Proposes Social Media Age Restriction Bill for Under-16s | New Zealand's government endorses a bill to ban social media access for users under 16, though not as a formal government initiative. The proposal, introduced by MP Catherine Wedd, requires social media companies to verify the age of new users. Incidents of cyber-bullying, exposure to inappropriate content, and social media addiction are key concerns driving the bill. Prime Minister Christopher Luxon emphasizes the need for safety measures online, similar to those in the physical world. The legislation suggests penalties up to NZ$2 million for platforms that fail to accurately verify user ages. There is uncertainty about the bill's progression, as it needs advocacy without direct support from the party machinery. The bill is met with interest from the opposition and aligns with global trends towards protecting children online, mirrored by similar movements in Australia and the UK. | Details |
| 2025-05-06 23:58:23 | theregister | CYBERCRIME | Meta Wins $168M in Damages Against NSO for WhatsApp Spyware | In May 2019, WhatsApp engineers uncovered a zero-day flaw allowing NSO's Pegasus spyware to install via a phone call, compromising around 1,400 accounts. The jury awarded Meta over $167 million in damages after NSO used the flaw for spying, affecting the privacy of WhatsApp users. Pegasus spyware gave NSO's clients unchecked access to a target's phone and data, including activating cameras and microphones for covert surveillance. NSO had tried various legal defenses, including claiming sovereign immunity and asserting they only served government entities. The court proceedings revealed NSO spent significant amounts on developing malicious technology capable of breaching both iOS and Android systems. Meta intends to donate any received damages to digital-rights groups, emphasizing their commitment to privacy and security. Post-verdict, NSO Group is considering further legal actions, maintaining that its technology aids in preventing serious crimes and terrorism. | Details |
| 2025-05-06 20:48:15 | theregister | DATA BREACH | Whistleblower Fired After Exposing Unauthorized Server Room Access | James Papa, a former service delivery manager at Computacenter, was dismissed from his role after he reported unauthorized access to Deutsche Bank's server rooms. Papa claimed a Computacenter employee granted his girlfriend, Jenny, multiple unauthorized entries into Deutsche Bank's server rooms, where she had access to sensitive banking data. CCTV footage confirmed that Deutsche Bank's security team allowed Jenny to enter the server rooms without proper authorization, despite repeated warnings from Papa. Computacenter and Deutsche Bank allegedly interrogated Papa aggressively after he raised concerns about the security lapses and advised notifying the SEC. Papa was suspended and later terminated, allegedly under pressure from Deutsche Bank, and was the only person fired over the incident. He has filed a lawsuit against Computacenter, Deutsche Bank, and its veep of datacenter operations for wrongful termination, violation of whistleblower protection laws, and negligence, seeking over $20 million in damages. The incident raises significant concerns about security protocols and corporate accountability at Deutsche Bank's U.S. facilities. | Details |
| 2025-05-06 18:33:45 | theregister | MISCELLANEOUS | Pentagon Overhauls Software Procurement to Boost Security | The US Department of Defense (DoD) is revamping its outdated software procurement systems to enhance security. Katie Arrington, DoD's CIO, launched the Software Fast Track (SWFT) initiative aimed at reforming the acquisition, testing, and authorization of software. The initiative will address cybersecurity and Supply Chain Risk Management (SCRM), making processes more agile and transparent in the face of complex software development challenges. Current procurement processes lack speed and visibility into software supply chains, which SWFT aims to improve significantly. Key goals include defining clear cybersecurity requirements, verifying software security, and expediting software adoption, with an implementation plan expected within 90 days. The efforts align with broader objectives to equip military personnel with secure, high-quality software tools rapidly, enhancing both lethality and resilience. Challenges persist with securing government software, evidenced by recent malware attacks targeting the DoD and leaks of sensitive information. The DoD's use of unclassified communication tools like Signal for official business has raised concerns about security and the handling of confidential information. | Details |
| 2025-05-06 18:16:34 | bleepingcomputer | MALWARE | Critical Apache Parquet Flaw Exploitable: New Tool Released | A critical vulnerability in Apache Parquet, CVE-2025-30065, enables remote code execution through a deserialization flaw. F5 Labs released a proof-of-concept exploit tool after finding previous PoCs ineffective, proving the flaw's exploitability. The vulnerability impacts all Apache Parquet versions up to 1.15.0 and affects the parquet-avro module specifically. Exploitation is technically complex, requires specific conditions, and may be limited to side effects that occur during Java object instantiation. F5 Labs developed the tool to assist administrators in identifying vulnerable systems; it triggers an HTTP GET request to reveal susceptibility. Upgrading to Apache Parquet version 15.1.1 and configuring deserialization settings are recommended to mitigate risks. F5 Labs emphasizes the limited practical use of the CVE for attackers but acknowledges significant risks in environments that process unverified Parquet files. | Details |
| 2025-05-06 17:15:07 | bleepingcomputer | MALWARE | Hackers Exploit Samsung Server Flaw to Deploy Malware | Hackers are exploiting an RCE vulnerability (CVE-2024-7399) in Samsung MagicINFO 9 Server, allowing device hijacking and malware deployment. Samsung MagicINFO Server is a central management system used widely in sectors like retail and healthcare to manage multimedia content on digital signs. The vulnerability, disclosed and patched in August 2024, stems from improper file upload restrictions enabling attackers to upload malicious code. Security researchers recently published a proof-of-concept demonstrating how attackers achieve remote code execution by uploading a .jsp file and executing OS commands via the web. Arctic Wolf has reported active exploitation following the release of the proof-of-concept, predicting continued targeting due to the vulnerability's ease of exploitation. A variant of the Mirai botnet malware has been observed leveraging this vulnerability to take over affected devices. Urgent patching to version 21.1050 or later is recommended for system administrators to mitigate the risk associated with this vulnerability. | Details |
| 2025-05-06 16:24:30 | bleepingcomputer | DATA BREACH | UK Legal Aid Agency Faces Potential Data Compromise Incident | The UK Legal Aid Agency (LAA) has reported a cybersecurity incident potentially affecting financial records. Law firms partnered with the LAA were alerted about the possibility of compromised payment information. Around 2,000 legal aid providers in England and Wales may be impacted by this security issue. The UK's National Crime Agency, alongside the National Cyber Security Centre, is assisting the Ministry of Justice (MoJ) in investigating the cyber incident. This breach notification follows several high-profile cyberattacks on major UK retailers, indicating a larger trend of targeted cyber operations in the region. The LAA is currently assessing the extent of the incident and has implemented measures to mitigate further risks. The UK National Cyber Security Centre (NCSC) emphasized the urgency for all UK businesses to enhance their cybersecurity measures in response to recent events. | Details |
| 2025-05-06 16:09:38 | bleepingcomputer | CYBERCRIME | Critical RCE Vulnerability in Langflow AI App Servers Exploited | CISA has announced that the CVE-2025-3248 Langflow RCE vulnerability is actively exploited, prompting urgency in implementing security updates. The flaw allows unauthenticated internet-based attackers to gain control of affected Langflow servers via a flaw in an API endpoint. Langflow, an open-source tool used extensively for AI development, has a vulnerability in an endpoint that improperly sanitizes user input, enabling remote code execution. The vulnerability was resolved in Langflow version 1.3.0, with a recommendation for users to upgrade to mitigate risks. Horizon3 researchers have released a technical analysis of the CVE-2025-3248 flaw, noting at least 500 internet-exposed instances and demonstrating a proof-of-concept exploit. CISA mandates that federal agencies update or secure Langflow installations by May 26, 2025, or discontinue its use. Those unable to upgrade immediately should limit network exposure of Langflow by employing measures like firewalls or VPNs and avoid direct internet connections. The latest software version, Langflow 1.4.0, includes numerous fixes, further enhancing security postures for users. | Details |
| 2025-05-06 15:39:49 | thehackernews | DDOS | Hackers Utilize IoT Flaws in Mirai Botnet Deployment for DDoS Attacks | Threat actors have exploited obsolete GeoVision IoT devices through command injection flaws to build a Mirai botnet. These compromised devices are used for distributed denial-of-service (DDoS) attacks, detected first by Akamai SIRT in April 2025. A Samsung MagicINFO 9 Server vulnerability, patched in August 2024, was also targeted for Mirai botnet deployment using a path traversal flaw. Akamai identifies outdated firmware on older devices with no available patches as a major enabler of such attacks. Exploited vulnerabilities include high-severity flaws in Hadoop YARN and a previously identified issue in DigiEver. Arctic Wolf recommends updating Samsung MagicINFO to version 21.1050 or later to mitigate risks associated with these vulnerabilities. Evidence links these incidents to a known campaign, "InfectedSlurs," emphasizing the reuse of tactics and tools among cybercriminal networks. | Details |
| 2025-05-06 14:05:59 | bleepingcomputer | MISCELLANEOUS | How EASM Enhances Digital Risk Protection and Cyber Resilience | Modern organizations struggle to secure their public-facing assets due to factors like shadow IT and third-party exposures. External Attack Surface Management (EASM) is increasingly crucial in mitigating vulnerabilities and enhancing digital resilience. EASM enables security teams to manage and comprehend complex digital attack surfaces, particularly in hybrid environments. It offers continuous visibility, crucial for proactive threat detection and risk prioritization, thus preventing potential cyberattacks. Digital Risk Protection (DRP) complements EASM by proactively identifying threats across an organization's digital footprint, including social media and the deep web. EASM's integration into DRP strategy should involve regular assessments, collaboration across departments, continuous improvement, and careful vendor selection. Outpost24's EASM solution is highlighted as an effective tool combining cyber threat intelligence and attack surface management. | Details |
| 2025-05-06 13:38:01 | thehackernews | CYBERCRIME | Facebook Ads and RDGA Domains Facilitate Sophisticated Investment Scams | Cybersecurity researchers have identified two groups, Reckless Rabbit and Ruthless Rabbit, using Facebook ads to promote investment scams with fake celebrity endorsements. Scammers employ Traffic Distribution Systems to manage and filter user traffic, enhancing the effectiveness of their schemes. The scams involve sophisticated data collection via web forms, then use HTTP GET requests to validate potential victims' geography and contact details. Victims passing initial screenings are led to platforms where they are deceived into transferring funds or entering financial data. Reckless Rabbit targets users in specific Eastern European countries, using domain generation algorithms to dynamically create credible yet fake platform domains. The scams leverage call centers to guide victims through the money transfer process, intensifying the scam's perceived legitimacy. U.S. and European authorities are taking action against similar scams, indicating a growing trend of sophisticated cybercrimes using social media platforms. Recent arrests in Spain and escalating scam operations worldwide emphasize the persistent and adaptive nature of cybercriminal strategies. | Details |
| 2025-05-06 13:38:00 | bleepingcomputer | MALWARE | Google Patches Critical Zero-Day Flaw in FreeType on Android | Google has issued security updates for Android, addressing 45 vulnerabilities, including an actively exploited FreeType 2 flaw. The critical vulnerability, identified as CVE-2025-27363, allows arbitrary code execution and affects all versions of FreeType up to 2.13. Facebook security researchers first discovered this high-severity bug in March 2025, with potential targeted exploitation noted. Exploitation involves an out-of-bounds write when parsing certain TrueType font files in vulnerable FreeType versions. Additional updates in the May 2025 bulletin cover high-severity issues in Android's Framework, System, Google Play, and Kernel, along with components from MediaTek, Qualcomm, Arm, and Imagination Technologies. The security updates are applicable to Android versions 13, 14, and 15, with older versions like Android 12 no longer supported or receiving fixes directly, though Google Play system updates may offer some mitigation. Android users with unsupported versions are advised to switch to third-party distributions or newer devices to maintain security. | Details |
| 2025-05-06 11:27:56 | thehackernews | DATA BREACH | Identifying Third-Party and Machine Credentials as Major Security Risks | The 2025 Verizon Data Breach Investigations Report highlights significant breaches driven by third-party exposure and machine credential abuse. Incidents linked to third parties doubled in one year, emphasizing the need for robust management of non-employee identities. Machine identities, such as service accounts and bots, are rapidly increasing and becoming prime targets for attackers due to poor oversight. Traditional security tools are insufficient for the growing complexity and scale of managing both human and machine identities in a unified way. SailPoint offers solutions that address these complex challenges by providing an enterprise-scale identity security platform that includes machine identity management. Organizations are advised to adopt a unified approach to identity governance to protect against vulnerabilities and enhance security across all user types. The DBIR urges businesses to extend identity security practices to encompass contractors, partners, and machine entities to avoid potential breaches. | Details |