Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11827
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-01 09:28:16 | thehackernews | NATION STATE ACTIVITY | Sophisticated Cyber Attacks Target Russia and Ukraine's Key Sectors | A comprehensive phishing campaign has been dispatching the DarkWatchman malware across various Russian industries, including media, tourism, finance, and energy. The financially motivated group Hive0117, known for its past activities in the Baltic region, has been identified as the orchestrator of these attacks. Enhanced versions of DarkWatchman demonstrate advanced evasion techniques, using JavaScript for malicious activities like keylogging and deploying secondary payloads. A new threat, the Sheriff backdoor, specifically targets Ukraine's defense sector, using compromised local news portals for distribution. Sheriff is capable of executing remote commands, taking screenshots, and covertly exfiltrating data while maintaining a low detection footprint for prolonged espionage. IBM links technical elements of the Sheriff backdoor to known malware families such as Turla's Kazuar, suggesting threat actor cooperation or development overlap. Ukraine experienced a significant increase in cyber incidents in 2024, although the severity of these incidents decreased considerably. | Details |
| 2025-05-01 08:18:45 | thehackernews | NATION STATE ACTIVITY | Commvault Discloses Nation-State Exploitation of Zero-Day in Azure | Commvault has confirmed a breach of its Microsoft Azure environment by an unidentified nation-state actor exploiting CVE-2025-3928. The zero-day vulnerability was used to access the environment, though no unauthorized data access or customer data theft occurred. Immediate security enhancements and credential rotation were implemented following detection of the breach. The U.S. CISA has recognized CVE-2025-3928 as a known exploited vulnerability, urging patching by May 19, 2025. Commvault advises customers to implement Conditional Access policies, rotate secrets, and monitor sign-ins to prevent further exploitation. Commvault also advised blocking and monitoring specific IP addresses linked to the malicious activity. | Details |
| 2025-05-01 06:24:54 | thehackernews | CYBERCRIME | SonicWall Reports Active Exploitation of Security Flaws in Appliances | SonicWall has confirmed the active exploitation of two security flaws in its SMA100 Secure Mobile Access appliances. Affected models include SMA 200, 210, 400, 410, and 500v, with patches already issued for these vulnerabilities. The exploited vulnerabilities could potentially allow unauthorized file access and session hijacking. SonicWall has urged customers to check their SMA devices for any signs of unauthorized access. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a related SonicWall SMA 100 Series vulnerability to its KEV catalog due to evidence of active exploitation. There are no specific details available yet on the attackers, the targeted entities, or the full impact of the exploitation. | Details |
| 2025-05-01 00:34:27 | bleepingcomputer | NATION STATE ACTIVITY | Advanced Persistent Threat Utilizes IPv6 for Malicious Software Updates | A China-aligned hacker group, "TheWizards," has been actively abusing an IPv6 feature to perform adversary-in-the-middle (AitM) attacks targeting software updates. The group employs a custom malware tool, "Spellbinder," which hijacks the IPv6 Stateless Address Autoconfiguration (SLAAC) protocol to reroute traffic to attacker-controlled servers. Victims of these attacks span various countries including the Philippines, Cambodia, UAE, China, and Hong Kong, affecting individuals and organizations such as gambling companies. The attacks primarily target Windows environments, where Spellbinder intercepts and manipulates network traffic to force devices to connect to malicious domains instead of legitimate update servers. These activities lead to the installation of the "WizardNet" backdoor, which provides persistent access and further malware deployment on compromised devices. Cybersecurity firm ESET provided the detailed analysis and suggested monitoring or disabling IPv6 traffic where it is not essential to mitigate such threats. Similar tactics were identified earlier in the year by another hacking group exploiting WPS Office update features, underscoring a broader trend in attack strategies targeting software updates. | Details |
| 2025-04-30 23:34:14 | theregister | MISCELLANEOUS | Ex-NSA Chief Discusses AI's Emerging Role in Cybersecurity | Former NSA cybersecurity director Rob Joyce predicts AI will soon excel at finding bugs and developing exploits. Joyce noted AI's capabilities are advancing quickly, with AI models already outperforming humans in coding competitions. During recent capture-the-flag contests, AI-powered teams performed comparably to human teams, showcasing significant problem-solving abilities. AI is expected to enhance both offensive and defensive cyber operations by automating tasks and scaling operations. LLMs (large language models) are aiding in the creation of more sophisticated and culturally relevant phishing campaigns. AI's role in defense is also highlighted, with examples of AI performing complex code reverse-engineering significantly faster than human counterparts. Joyce shared insights on an unconventional ransomware attack on a Linux-based video camera, showcasing criminal adaptability in bypassing security measures. | Details |
| 2025-04-30 21:07:27 | bleepingcomputer | MALWARE | Malicious WordPress Plugin Masquerades as Security Tool, Injects Malware | A new malware campaign targets WordPress websites using a deceptive plugin that pretends to be a security enhancement. Once installed, the crafted plugin gives attackers persistent site access, the ability to execute remote code, and JavaScript injection while avoiding detection. Wordfence researchers discovered altered WordPress core files that automatically recreate the malicious plugin if it is deleted. The entry point for the infection is believed to be compromised hosting accounts or FTP credentials, with the exact method still unclear. The malware provides unauthorized administrator access and can modify site content by embedding PHP code or malicious JavaScript in site headers. Warning signs of infection include specific changes to the 'wp-cron.php' and 'header.php' files, and suspicious administrator actions traceable via access logs. The malware's command and control server is based in Cyprus, with operational characteristics similar to previously seen supply chain attacks. | Details |
| 2025-04-30 19:09:21 | theregister | NATION STATE ACTIVITY | Ex-CISA Chief Criticizes Budget Cuts and Loyalty Demands Under Trump | Jen Easterly, former head of CISA, highlighted the negative impact of budget and personnel cuts on U.S. cyber defense at an RSA Conference event. Easterly criticized the prioritization of loyalty to President Trump over allegiance to the U.S. Constitution within the agency. She asserted that cybersecurity is an imperative national security issue, urging that it remain non-partisan. The cutbacks are seen as diminishing America's ability to combat evolving and serious cyber threats, including those from state actors. CISA's role in election security, which represents a small fraction of the overall budget, was defended as vital to protecting the integrity of U.S. elections. Claims against former CISA director Chris Krebs by Trump were cited as examples of the administration undermining truthful election security information. Easterly expressed concern over the long-term impact on national security of weakening CISA's operational capabilities. | Details |
| 2025-04-30 19:09:20 | bleepingcomputer | MISCELLANEOUS | WhatsApp Introduces 'Private Processing' for Enhanced AI Privacy | WhatsApp has launched 'Private Processing', a new feature allowing users to use AI capabilities without compromising privacy. The feature is optional and leverages privacy-preserving cloud servers to handle compute-intensive AI tasks like message summarization. Private Processing includes several layers of security: anonymous authentication, public encryption keys for anonymity, and connections through third-party relays to mask IP addresses. Data is processed in a Confidential Virtual Machine (CVM) at Meta, with assurances that it remains stateless and that all user data is deleted after processing. Meta will provide transparency by sharing the CVM binary and some source code, and will publish a detailed white paper outlining the feature's secure design. Despite robust security measures, there is inherent risk whenever sensitive data is processed off-device, hence the feature remains optional. | Details |
| 2025-04-30 18:08:26 | theregister | CYBERCRIME | Maryland Man Pleads Guilty to Outsourcing Government IT Work | Minh Phuong Ngoc Vong, a Vietnamese-born naturalized US citizen, admitted to conspiracy to commit wire fraud in a scheme that grossed over $970,000 by fraudulently obtaining IT contract work. He outsourced his contract work, intended for the Federal Aviation Administration and other federal entities, to a developer in China claiming to be North Korean. Vong misrepresented his qualifications and used another person's credentials to secure jobs with US companies, including projects concerning national defense. The fraudulent activities included installing remote-access software on a company-issued laptop to give the overseas developer undisclosed access to sensitive US government systems. Vong's actions led to unauthorized foreign access to confidential government data, risking national security. The case highlights broader issues of foreign nationals posing as US IT workers, potentially for financial gain or espionage. It is part of a worrying trend in which foreign IT professionals, aided by locals, use elaborate schemes to penetrate national systems. Vong faces up to 20 years in prison, with sentencing scheduled for August. | Details |
| 2025-04-30 17:29:06 | bleepingcomputer | CYBERCRIME | SonicWall Alerts on Exploitation of VPN Security Vulnerabilities | SonicWall issued warnings about active exploitation of vulnerabilities in its SMA appliances. The vulnerabilities, CVE-2023-44221 and CVE-2024-38475, affect SMA 200, 210, 400, 410, and 500v models. CVE-2023-44221 allows command injection with admin privileges, while CVE-2024-38475 enables unauthenticated code execution. Both flaws are deemed severe, with CVE-2024-38475 rated critical and potentially used for session hijacking. Firmware version 10.2.1.14-75sv and later patch these vulnerabilities. SonicWall's PSIRT urges customers to check SMA devices for unauthorized access and ensure firmware is updated. Historical context includes the exploitation of another high-severity flaw, CVE-2021-20035, affecting SMA100 VPN appliances. CISA has highlighted the continuing risk by adding CVE-2021-20035 to its Known Exploited Vulnerabilities catalog. | Details |
| 2025-04-30 16:23:30 | bleepingcomputer | NATION STATE ACTIVITY | Commvault Confirms Nation-State Attack on Azure, No Data Breached | Commvault reported a security breach of its Azure environment by a nation-state actor, confirmed on March 7, 2025. Microsoft alerted Commvault to suspicious activity on February 20, which led to the discovery of the breach. The incident affected a limited number of Commvault customers and did not disrupt overall business operations. No customer backup data was accessed or compromised during the attack. Commvault is working with cybersecurity firms and coordinating with the FBI and CISA to manage the situation. A recent zero-day vulnerability (CVE-2025-3928) in Commvault software was patched; however, this vulnerability was exploited in the attack. Commvault recommends customers enhance security by monitoring sign-in activity and rotating credentials every 90 days. CISA included CVE-2025-3928 in its Known Exploited Vulnerabilities Catalog, mandating that federal agencies secure their Commvault software by May 19, 2025. | Details |
| 2025-04-30 16:03:57 | thehackernews | CYBERCRIME | New AI Protocols Vulnerable to Data Hijacking and Exfiltration | Critical vulnerabilities identified in the Model Context Protocol (MCP) and the Agent2Agent (A2A) Protocol can lead to AI tool hijacking and data breaches. MCP, designed to integrate Large Language Models with external data, is susceptible to prompt injection attacks and tool poisoning, compromising the security of AI applications. Attackers could exploit MCP to instruct AI tools to perform unauthorized actions such as sending sensitive data to malicious entities. The A2A protocol, which enables communication between AI agents, is prone to attacks in which compromised agents exaggerate their capabilities to hijack data requests. Such vulnerabilities could allow unauthorized data access and manipulation, posing significant risks to user privacy and data security. The research underscores the need for enhanced security measures and explicit user approval before running AI tools in MCP host applications. Security communities and developers are urged to address these vulnerabilities to prevent potential exploitation and ensure the safety of AI integrations in data-sensitive environments. | Details |
| 2025-04-30 16:03:57 | bleepingcomputer | CYBERCRIME | FBI Releases 42,000 Phishing Domains From LabHost Platform | The FBI has published a list of 42,000 phishing domains associated with the LabHost cybercrime platform following its takedown in April 2024. LabHost, launched in 2021, became a leading phishing-as-a-service provider by late 2023, primarily targeting U.S. and Canadian banks. The platform offered customized phishing kits with advanced features like two-factor authentication bypass and automated SMS interactions for $179 to $300 per month. During its operation, LabHost accrued over 10,000 customers globally and was responsible for the theft of approximately one million user credentials and 500,000 credit card records. A coordinated international law enforcement operation involving 19 countries culminated in the arrest of 37 individuals connected to LabHost and the platform's shutdown. The disclosed domains are not currently active in attacks but serve as a valuable resource for cybersecurity professionals to strengthen defenses and detect potential past breaches. The list may contain errors and is not exhaustive, and may lead to the discovery of further malicious domains linked to the same infrastructure. | Details |
| 2025-04-30 15:14:46 | theregister | MISCELLANEOUS | FBI Tackles Rising Trend of Dangerous Political Swattings | The FBI launched an awareness campaign to address the spike in high-profile swatting incidents, following recent attacks targeting public figures and families involved in political and racial controversies. Swatting involves hoax calls to emergency services reporting severe crimes, prompting an immediate armed response against innocent individuals and places such as schools and hospitals. Swatting incidents have had serious consequences, including the deaths of Andrew Finch in 2017 and Mark Herring in 2021 following responses to false threats. Various swatting cases have been reported recently, including those affecting podcasters Nick Sortor and Shawn Farash, and political figures such as Congresswoman Marjorie Taylor Greene. FBI Director Kash Patel emphasized that swatting is a serious crime, not a prank, and announced efforts to hold perpetrators accountable without political bias. Current U.S. law treats swatting under general criminal offenses like stalking and fraud, with ongoing legislative efforts to enact more specific laws against it. The FBI provided guidelines on how the public can protect themselves from becoming victims of swatting, urging vigilance and immediate reporting of any threats. | Details |
| 2025-04-30 14:18:33 | bleepingcomputer | CYBERCRIME | UK Co-op Disrupts IT Operations Following Hack Attempt | British supermarket chain Co-op detected an unauthorized intrusion attempt on its network, prompting a partial shutdown of IT systems. The attack impacted back-office and call center operations, but core store functions, quick commerce, and funeral homes remain unaffected. Co-op has not disclosed whether the attempted hack was successful or the specific details of the intrusion. This incident is part of a larger pattern of cyberattacks targeting UK retailers, including a recent hack at Marks & Spencer. Following that attack, Marks & Spencer had to suspend online orders, attributing the disruption to the "Scattered Spider" group using DragonForce ransomware. Co-op has over 3,700 branches and an annual revenue of about $10 billion, with a membership base exceeding 6 million. No cybercriminal group has yet claimed responsibility for the Co-op attack. | Details |