Daily Brief

2025-04-30 13:46:18 thehackernews NATION STATE ACTIVITY Russian Cyber Espionage Group Targets NATO with Advanced Malware
Nebulous Mantis, a Russian-speaking cyber espionage group, has been deploying RomCom RAT malware since mid-2022 against NATO-associated entities. Researchers from Swiss cybersecurity firm PRODAFT have identified advanced evasion techniques used by RomCom, including living-off-the-land tactics, encrypted command-and-control communications, and constant evolution of infrastructure hosted on bulletproof hosting providers. The malware is distributed through spear-phishing emails containing links to weaponized documents, primarily targeting critical infrastructure, government sectors, and political leaders. Attack infrastructure is managed by a threat actor known as LARVA-290, with command-and-control servers hosted on services such as LuxHost and Aeza. The RomCom RAT framework supports system reconnaissance, lateral movement, and theft of data such as web browser information, files, credentials, and Microsoft Outlook backups. The malware additionally performs system environment discovery to align attack timing with the victim's operational hours, improving the stealth and effectiveness of the attacks. Nebulous Mantis employs a multi-stage attack methodology covering initial access, execution, persistence, and exfiltration while maintaining a minimal footprint to avoid detection.
2025-04-30 13:30:57 bleepingcomputer DATA BREACH Ascension Healthcare Reports Data Theft from Former Partner
Ascension, a major U.S. healthcare network, has alerted patients of a data breach involving a former business partner following a December 2024 hacking incident. Sensitive patient data compromised includes names, addresses, Social Security numbers, and detailed medical information. The data breach was linked to a vulnerability in third-party software, which was likely exploited in a series of Clop ransomware attacks. Ascension, which operates 142 hospitals and employs over 142,000 people, discovered the breach on December 5, 2024, and confirmed the exposure by January 21, 2025. The specific number of affected individuals has not been fully disclosed, although at least 96 residents in Massachusetts were confirmed impacted. In response to the breach, Ascension is offering two years of free identity monitoring services to the affected patients. This incident is part of a recurring pattern, following a previous notification last year where nearly 5.6 million patients and employees were affected by a ransomware attack enabled by an employee's error.
2025-04-30 11:30:23 thehackernews CYBERCRIME Webinar on Protecting Identity Systems Against AI Threats
The upcoming webinar by Beyond Identity and Nametag aims to educate on securing identity systems against AI-powered threats. Traditional security measures are insufficient as attackers utilize deepfakes, impersonation, and AI-driven social engineering to bypass them. Attackers can easily infiltrate systems not by hacking, but by appearing as legitimate users, taking over accounts and causing significant, undetected damage. The webinar will highlight the overlooked gaps in the identity lifecycle including user enrollment, recovery, and routine access which are often unprotected. It will provide actionable steps to secure these vulnerabilities and protect data and business operations. This session is particularly geared towards professionals managing identity systems, security operations, and designing access controls. Participants will learn strategies to close security gaps and enhance defenses before attackers exploit them.
2025-04-30 11:08:45 thehackernews NATION STATE ACTIVITY Chinese APT Group Exploits IPv6 for Lateral Movement Attacks
A China-aligned APT group, TheWizards, uses Spellbinder to facilitate AitM attacks via IPv6 SLAAC spoofing, intercepting software traffic for malicious downloads. Spellbinder allows attackers to hijack the update process of Sogou Pinyin, pushing a malicious downloader that installs a backdoor called WizardNet. Similar tactics were previously used by other Chinese hacking groups, exploiting software update mechanisms of well-known Chinese software. TheWizards targets individuals and sectors across Hong Kong, Cambodia, mainland China, the Philippines, and UAE using Spellbinder since at least 2022. Attack methodology involves malicious ZIP files containing a rigged executable and DLL file to sideload malware, leveraging IPv6 protocol vulnerabilities. In a specific 2024 attack instance, the DNS query of Tencent QQ was manipulated to deploy a trojanized update, indicating a pattern of software update hijacking. Another tool named DarkNights, linked to a different Chinese group and supplied by Sichuan Dianke Network Security, involves coordination across multiple APTs. This strategic continuity in exploiting software updates and IPv6 networking highlights a sophisticated, persistent threat from Chinese-affiliated cyber operatives.
2025-04-30 10:33:53 thehackernews CYBERCRIME Addressing the Surge in Multi-Billion Dollar Account Takeovers
Account takeover (ATO) incidents occur when attackers gain unauthorized access to customer accounts, often reselling the credentials on the digital black market. Flare's report indicates a significant impact of ATOs on industries like e-commerce, gaming, and streaming, with over 100,000 accounts compromised monthly. A key technique used by attackers is session hijacking, which bypasses multi-factor authentication (MFA) by stealing and using session cookies. The economic impact of ATOs includes costs associated with labor, fraud, and customer churn, significantly affecting business revenue. Flare’s data shows a 26% increase year-over-year in credential theft and session cookie exposures. Recommendations for preventing ATOs include monitoring the infostealer ecosystem, detecting and remediating exposed accounts, and adopting a security-first approach with clear communication to customers. Many victims of ATOs are not notified by their companies, undermining trust and potentially increasing customer churn.
2025-04-30 10:23:40 thehackernews CYBERCRIME RansomHub Goes Offline, Affiliates Shift to DragonForce Cartel
RansomHub, a prominent ransomware-as-a-service (RaaS) operation, went offline on April 1, 2025, causing affiliates to migrate to other RaaS entities like Qilin and DragonForce. The affiliates' transition may indicate a potential acquisition and integration of RansomHub by DragonForce, now rebranded as a "cartel" to attract more affiliates with flexible operational roles. Group-IB reports that RansomHub had rapidly ascended in the ransomware domain by integrating advanced features from acquired ransomware technologies and offering high financial rewards to affiliates. Affiliates are now facing an "uncertain environment" and are reportedly unsettled about their status within the rapidly shifting ransomware landscape. In addition to adopting established ransomware families, new entrants like Anubis are experimenting with innovative extortion methods, such as threatening to publish damaging investigative articles about the stolen data. Secureworks highlights that the rebranding and operational shifts within ransomware groups like DragonForce are indicative of evolving business models designed to maximize profits and adapt to increasing crackdowns on cybercrime. The latest developments stress the necessity for robust security measures and proactive defenses, particularly in high-risk sectors like healthcare, which are being targeted by sophisticated ransomware variants like ELENOR-corp.
2025-04-30 09:29:03 theregister MISCELLANEOUS New Research Aims to Preemptively Detect Bugs in Shell Scripts
A team of academics is developing methods for the static analysis of Unix shell scripts, aiming to improve their correctness and reliability before execution. The proposed techniques would offer pre-runtime guarantees and identify errors in shell programming environments like Bash and Zsh. Shell scripting, highly prevalent in Unix and Linux systems, has been notoriously difficult to secure and debug due to its dynamic and unstructured nature. Historical shell-related bugs have impacted major software and systems, including those from Nvidia, Apple iTunes, and Linux PCs involved in the 2015 Steam incident. The paper presented at the HotOS XX conference outlines the challenges and necessary advances for applying static analysis effectively to shell scripts. Success in this field could transform shell scripting, making it more predictable and safe, especially in critical infrastructure for continuous integration and deployment processes. This research marks a significant attempt, following previous failures, to address the nuances of shell script behaviors across various computing environments.
2025-04-30 08:09:54 theregister CYBERCRIME Enhancing Cloud Security With Intruder's Comprehensive Tools
Dark Reading’s 2024 Strategic Security Survey shows significant concern among IT managers about cloud security, with nearly 50% worried about cloud service provider exploits. Intruder’s Cloud Security offers agentless security scans focusing on vulnerabilities in AWS environments, set to expand to other platforms. The platform identifies risks like insecure permissions, exposed secrets, and misconfigurations by integrating directly with AWS. Features include continuous risk monitoring, verification of encryption practices, and automatic asset detection for new services. Intruder provides remediation guidance and leverages a simplified user interface with transparent pricing. Upcoming features include support for Microsoft Azure, Google Cloud, and services using Kubernetes, enhancing its versatility. The service helps businesses prioritize risks using a signature noise reduction technique, improving focus on critical vulnerabilities.
2025-04-30 07:12:29 thehackernews CYBERCRIME Meta Introduces LlamaFirewall to Enhance AI System Security
Meta announced the launch of LlamaFirewall, a new open-source framework aimed at securing AI systems from threats like prompt injections and jailbreaks. LlamaFirewall includes features such as PromptGuard 2 for real-time detection of security breaches, Agent Alignment Checks for monitoring agent objectives, and CodeShield for preventing the generation of insecure code. The framework is described as flexible and modular, designed for layered defenses in both simple and complex AI applications. Alongside LlamaFirewall, Meta updated LlamaGuard and CyberSecEval to improve content violation detection and assess AI systems' cybersecurity defenses. The newly introduced AutoPatchBench within CyberSecEval 4 is built to evaluate AI-driven tools' effectiveness in repairing security vulnerabilities in C/C++ code found through fuzzing. Meta also launched Llama for Defenders, a program to aid organizations and AI developers in accessing AI solutions tailored for security challenges, including scam, fraud, and phishing detection. Concurrently, WhatsApp is developing a technology called Private Processing to enable AI feature use while maintaining user privacy by processing requests in a secure environment. Meta is engaging with the security community to audit and refine these technologies, planning further developments in collaboration with researchers.
2025-04-30 04:49:19 thehackernews CYBERCRIME Indian Court Moves to Block Proton Mail Amid Deepfake Abuse Case
A Karnataka High Court ruling has mandated the blocking of Proton Mail in India due to a legal complaint alleging receipt of abusive content and AI-generated deepfake imagery. The complaint was initiated by M Moser Design Associated India Pvt Ltd, citing emails with obscene language and explicit content. Justice M Nagaprasanna directed the Indian government to proceed with blocking Proton Mail as per the IT Act, 2008, and associated rules. Although an immediate block of specific URLs is ordered, Proton Mail continues to be accessible in India as of this report. This legal development marks the second threat of a ban against Proton Mail in India, following previous misuse for hoax bomb threats. Proton Mail is subject to legal constraints under Swiss law, which prohibit data transmission to foreign authorities but require compliance with Swiss legal directives.
2025-04-29 19:52:06 bleepingcomputer MISCELLANEOUS Microsoft Announces Paid Subscription for Windows Server Hotpatching
Microsoft will introduce paid subscriptions for Windows Server 2025 hotpatching starting July 2025. Hotpatching allows installation of security updates without the need for server restarts. Initially offered for free in a preview, the service will require a subscription at $1.50 USD per CPU core per month from July 2025. Users testing the preview must disenroll by June 30, 2025, to avoid automatic subscription charges. Hotpatching was first made available for Windows Server 2022 Datacenter: Azure Edition in February 2022. The service will be extended to multi-cloud environments and on-premises servers through Azure Arc. Regular Windows updates not included in the Hotpatch service still require server reboots. Hotpatching is also becoming generally available for business customers of Windows 11 Enterprise 24H2 from April 2025.
2025-04-29 19:04:29 bleepingcomputer NATION STATE ACTIVITY French Ministry Accuses Russian APT28 Hackers of Multiple Cyberattacks
The French foreign ministry has officially attributed 12 cyberattacks on French entities to APT28, a group linked to Russian military intelligence (GRU). Over the past four years, APT28 targeted a variety of organizations including government, aerospace, and financial sectors. France condemns these activities as destabilizing and contrary to the U.N. standards for responsible state behavior in cyberspace. The French National Agency for the Security of Information Systems (ANSSI) noted APT28's techniques include using low-cost infrastructure and phishing attacks through free web services. Since early 2024, APT28 has focused on gathering strategic intelligence primarily from France, Europe, Ukraine, and North America. This isn't the first time ANSSI has identified APT28; previous reports link the group to significant breaches in France since mid-2021. APT28 is known for high-profile global attacks, including breaches of the U.S. Democratic National Committee and the German Federal Parliament. France and its allies vow to use all available means to counteract Russian cyber threats effectively.
2025-04-29 19:04:29 bleepingcomputer CYBERCRIME Increased Global Scans for Exposed Git Config Files Detected
GreyNoise reports a significant rise in scans for exposed Git configuration files during April 20-21, 2025. Nearly 4,800 unique IP addresses participated in the scans, with Singapore being the prime source and target. The exposed Git configs contain sensitive data including credentials and authentication tokens. Such data can be used to compromise cloud services and source code repositories, posing substantial security risks. Previous similar scanning activities have led to major breaches, including the Internet Archive's "The Wayback Machine." The scans predominantly target Singapore, the USA, Spain, Germany, the UK, and India. Recommended mitigation strategies include blocking access to .git/ directories, monitoring for unauthorized access, and rotating exposed credentials.
2025-04-29 18:55:43 theregister MALWARE Linux Malware Bypasses Antivirus Using io_uring Interface
A proof-of-concept malware named Curing uses Linux's io_uring interface to evade detection by monitoring tools designed to inspect syscall activity. io_uring allows I/O operations to bypass traditional system calls, which many antivirus systems rely on as a fundamental method for detecting malicious activity. Popular antivirus tools, including Falco, Tetragon, and Microsoft Defender, failed to detect the malware in their default configurations. ARMO, the security company behind Curing, highlighted this method as a significant oversight in Linux's security architecture. Google has deactivated io_uring in ChromeOS and limited its use in Android and production servers after spending $1 million on related bug bounties. While some antivirus vendors acknowledge the issue and are working on updates, ARMO suggests disabling io_uring when not in use to mitigate the risk. This discovery calls for a reassessment of security practices and for potential enhancements in antivirus technologies to address modern malware techniques.
2025-04-29 17:36:17 bleepingcomputer MALWARE Zero-Click Exploits Found in Apple AirPlay, Security Updates Issued
Security vulnerabilities affecting Apple's AirPlay Protocol and SDK could enable remote code execution, MITM, DoS attacks, and sensitive data access. The vulnerabilities, termed "AirBorne," were disclosed by Oligo Security and patched by Apple in updates for iOS, macOS, and visionOS devices. Attackers exploiting these vulnerabilities could remotely take control of devices without user interaction, using the flaws for wormable zero-click RCE exploits. Two of the flaws, CVE-2025-24252 and CVE-2025-24132, let attackers bypass standard user-interaction requirements, facilitating stealthier attacks. Apple has patched related vulnerabilities across its software ecosystem, including the AirPlay audio and video SDKs and the CarPlay Communication Plugin. Users and organizations are urged to update all Apple and third-party AirPlay-enabled devices immediately to mitigate risks. Potential threats from unpatched devices include malware proliferation across networks, espionage, ransomware, and supply-chain attacks. Apple's user base is extensive, with over 2.35 billion active devices potentially impacted, highlighting the critical nature of these updates.