Daily Brief


Total articles found: 11827

Checks for new stories every ~15 minutes

2025-04-29 04:28:32 thehackernews CYBERCRIME CISA Flags Broadcom and Commvault Flaws Amid Active Exploits
CISA has added two critical vulnerabilities in Broadcom Brocade Fabric OS and Commvault Web Server to its KEV catalog due to active exploitation. The Broadcom vulnerability, identified as CVE-2025-1976, allows code execution with root access if exploited by a locally authenticated admin user. This particular flaw affects Fabric OS versions from 9.1.0 to 9.1.1d6 and has been fixed in the subsequent version 9.1.1d7. The Commvault vulnerability necessitates an attacker having authenticated user credentials, meaning the exploit is not feasible with unauthenticated access. Affected systems must be internet-accessible and previously compromised through different means for the Commvault vulnerability to be exploitable. The exact details of how these vulnerabilities have been exploited in the wild have not been disclosed. CISA advises Federal Civilian Executive Branch agencies to patch the identified vulnerabilities by specific deadlines in May 2025 to mitigate risks.
2025-04-29 03:17:40 theregister NATION STATE ACTIVITY Malware Targets Uyghur Activists Via Phishing and Compromised Software
Researchers at Citizen Lab discovered a phishing campaign and supply chain attack aimed at the Uyghur diaspora, likely instigated by Beijing. The attack involved emails that appeared to be from trusted sources, offering links to download a compromised Uyghur text editor, UyghurEditPP. This malware-infected program included capabilities for remote access, information upload to a server, and the installation of additional malicious files. The targeting of Uyghur language software fits into broader patterns of cultural suppression and human rights violations by Chinese authorities against the Uyghur minority. Despite the high level of social engineering involved in the attack, affected members of the World Uyghur Congress (WUC) were forewarned by Google and did not fall for the trap. The failed phishing attempt highlights the need for constant vigilance by targeted communities against future, potentially more sophisticated threats. Citizen Lab's report underscores ongoing concerns about the safety and security of software developed within persecuted or high-risk groups.
2025-04-29 00:32:08 theregister CYBERCRIME Ex-Disney Employee Sentenced for Malicious IT Sabotage
Michael Scheuer, a former Disney employee, was sentenced to 36 months in prison for unauthorized access to Disney's IT systems and identity theft. Scheuer modified the fonts and content on Disney’s Menu Creator application, leading to operational disruptions for up to two weeks. Unauthorized alterations included dangerous changes to allergen information and offensive imagery on the menu items. Post-termination, Scheuer executed a denial of service (DoS) attack, affecting the login capabilities of 14 Disney employees. The use of a commercial VPN and previous IP ranges linked to Scheuer helped investigators trace the unauthorized activities back to him. Scheuer also accessed and modified data on secure file transfer protocol (SFTP) servers of a third-party vendor used by Disney. Following FBI intervention and the seizure of Scheuer's computer equipment, the malicious activities ceased. Post-imprisonment, Scheuer will undergo three years of supervised release, including a prohibition on any contact with Disney or the affected individuals.
2025-04-28 23:38:13 theregister MALWARE Cybersecurity CEO Confesses to Installing Spyware at Hospital
Jeffrey Bowie, a cybersecurity CEO, is charged with installing malware on a hospital PC in Oklahoma City. Bowie admitted on LinkedIn to creating and deploying software that captured screenshots every 20 minutes, sending them to a remote host. The malware was discovered on a PC at St. Anthony's Hospital during a forensic review but was promptly removed without compromising patient information. Bowie claimed the software was developed "on the fly" using PowerShell and was meant for use on a guest computer in the hospital waiting area. He also revealed his recent mental health issues and psychosis, linking them to his actions during the incident. Despite his claims, court records indicate a warrant for his arrest was issued, though Bowie contests he was never actually detained. Bowie argues that mishandled mental health treatment and fears about data safety, fueled by a recent IT breach at a related hospital, led to his actions. Bowie faced significant backlash on LinkedIn, with many advising him to cease communication and seek legal advice.
2025-04-28 22:07:25 theregister MISCELLANEOUS Best Practices for CISOs to Manage Liability and Integrity
CISOs should negotiate for personal liability insurance and a golden parachute before joining a new company to protect themselves in cases of scapegoating or misconduct accusations. A former CISO shared an experience of being fired for refusing to approve fraudulent invoices, highlighting the importance of integrity and strong internal relationships. Panelists at the RSA Conference advised CISOs against suing employers after whistleblowing to avoid industry blacklisting and ensure future career opportunities. It was recommended that security officers ensure their bosses fund both Directors and Officers (D&O) insurance and personal legal liability insurance (PLLI) for protection during and after tenure. One panelist emphasized the need for documenting all decisions and communications to create an evidence trail that can be crucial during disputes or investigations. The discussion also covered the risks associated with communicating whistleblowing incidents to the media, which could lead to an even higher chance of being blacklisted. Trusting HR or ethics panels is cautioned against, as these bodies often prioritize the interests of the company over individual employees during internal conflicts.
2025-04-28 21:09:03 theregister NATION STATE ACTIVITY Key U.S. Cyber Officials Absent at RSA Conference This Year
The NSA's highly anticipated "State of the Hack" panel at the RSA Conference was canceled, with no participation from NSA Director Dave Luber. Federal cyber officials, usually prominent at the RSA Conference, have significantly reduced their presence this year, with the FBI being an exception. Only one representative from CISA spoke at the conference, focusing on critical infrastructure threats in light of the agency currently having no officially installed director. U.S. Senator Ron Wyden is blocking the nomination of the new CISA director, demanding the release of a report on the security of American telecommunication networks. Homeland Security Head Kristi Noem was added at the last minute to the RSA agenda to share her vision of America's cyber defense future. Former CISA directors Jen Easterly and Chris Krebs, alongside other ex-government officials, continue to engage with the public at the conference. The conference also discussed broader implications of cyber threats on democracy and policy, with noticeable absences possibly linked to recent budget and personnel cuts across federal cybersecurity positions.
2025-04-28 20:33:00 bleepingcomputer MALWARE Scattered Spider Ransomware Disrupts Marks & Spencer Operations
Marks & Spencer (M&S), a major British retailer, suffered a ransomware attack that disrupted its services, including contactless payments and online ordering. The attack, attributed to the hacking group Scattered Spider, involved encrypting M&S servers and caused ongoing outages, affecting operations and leading to warehouse staff being sent home. The initial breach reportedly occurred in February, when attackers stole sensitive files from M&S's Windows domain controller, facilitating later data theft and system access. The DragonForce decryptor was used on April 24 to encrypt virtual machines on VMware ESXi hosts, intensifying the impact on M&S's infrastructure. M&S has enlisted the help of cybersecurity firms CrowdStrike, Microsoft, and Fenix24 to manage the investigation and response to the cyberattack. Reports indicate that Scattered Spider, known for its diverse and sophisticated attack methods, initiated the breach through advanced social engineering and has been active in high-profile ransomware campaigns. The situation highlights ongoing vulnerabilities in corporate cybersecurity defenses, particularly against social engineering and advanced ransomware threats.
2025-04-28 19:39:13 bleepingcomputer MALWARE Hitachi Vantara Suffers Disruption from Akira Ransomware Attack
Hitachi Vantara was targeted by the Akira ransomware, resulting in a significant system disruption on April 26, 2025. The company took immediate action by taking affected servers offline and initiating incident response protocols to contain the breach. External cybersecurity experts were employed by Hitachi Vantara to assist in assessing the impact and to oversee the remediation process. The attack impacted various services, including Hitachi Vantara systems and manufacturing, though cloud services remained unaffected. Customers with self-hosted setups could still access data, indicating no complete shutdown of operational capabilities. It was reported that the Akira ransomware operation stole sensitive files and left ransom notes on compromised systems. According to the FBI, the Akira ransomware has accumulated around $42 million in ransoms since its emergence in March 2023, victimizing over 250 organizations. The ransom demands from Akira range significantly, reflecting the varying sizes and types of organizations affected.
2025-04-28 19:18:25 theregister MISCELLANEOUS AI's Growing Role in Cybersecurity: Challenges and Optimism
AI is significantly enhancing cybersecurity by automating critical tasks such as threat monitoring, alert triage, and malware analysis. The use of AI in cybersecurity is creating an arms race, with both defenders and attackers leveraging AI to outmaneuver each other. Global investment in AI-enhanced cybersecurity solutions is expected to reach $135 billion by 2030, indicating its critical role in future defense strategies. AI technologies are pivotal in securing complex environments within critical sectors like energy and healthcare, particularly with operational technology and IoT systems. While AI improves speed and accuracy in threat detection and response, there is a risk of overconfidence that can lead to underestimating sophisticated cyber adversaries. Continuous refinement and human oversight are necessary to ensure AI cybersecurity tools remain effective against evolving threats. Compliance with tightening global regulations requires innovative AI solutions, such as differential privacy and federated learning, to protect data privacy while maintaining strong defenses. Successful cybersecurity approaches will integrate AI across all networks, workflows, and teams, emphasizing real-world threat intelligence and a culture of shared cyber resilience.
2025-04-28 17:58:53 bleepingcomputer DATA BREACH VeriSource Data Breach Affects 4 Million, Offers Credit Protection
VeriSource Services, a Texas-based employee benefits administrator, reported a data breach affecting 4 million people. The breach, initially detected in February 2024 due to unusual system activity, wasn't fully assessed until April 2025. Sensitive personal information, including SSNs, names, addresses, and birthdates, was potentially compromised. The firm has taken steps to secure its network and engaged a digital forensics firm to investigate the breach. Affected individuals are being notified and offered 12 months of credit monitoring and identity restoration services. VeriSource had previously sent notifications to smaller groups in May and September 2024, totaling 167,000 people. Despite these notifications, the full extent of the breach was only disclosed recently, emphasizing the need for affected users to utilize the protection services offered.
2025-04-28 16:47:20 bleepingcomputer CYBERCRIME Over 1,200 SAP NetWeaver Servers Vulnerable to Exploitation
Over 1,200 internet-exposed SAP NetWeaver servers are susceptible to a severe unauthenticated file upload vulnerability, designated as CVE-2025-31324. The vulnerability allows remote attackers to upload and execute arbitrary files on affected servers without needing authentication, leading to potential full system compromise. Multiple cybersecurity entities, including ReliaQuest and Onapsis, have confirmed ongoing active exploitation, with attackers deploying web shells on compromised servers. SAP has responded by releasing a workaround on April 8, 2024, and a subsequent security update on April 25 to mitigate the vulnerability. The Shadowserver Foundation and Onyphe's findings highlight the broad exposure and severe potential impact of the flaw, reporting hundreds of compromised servers, many belonging to major global companies. An SAP spokesperson noted no reported incidents of the vulnerability affecting customer data or systems directly. Recommendations for affected organizations include applying SAP's security update promptly or employing other mitigation strategies if immediate updating isn't feasible.
2025-04-28 16:40:10 bleepingcomputer MISCELLANEOUS Kali Linux Addresses Update Failures Due to Lost Repo Key
Offensive Security announced that Kali Linux users may face update failures due to a lost repository signing key. Users are urged to manually install a new Kali repository signing key to avoid disruption, as the old key was lost but not compromised. The new key (ED65462EC8D5E4C5) is available on the Ubuntu OpenPGP key server and is signed by Kali developers. Systems using the outdated key display a "Missing key" error message when attempting to update software packages. The Kali Linux repository was temporarily frozen on February 18th to prevent issues until the new key was ready. For users wary of manual updates, reinstallation of Kali using updated images is recommended. A similar incident occurred in 2018, when Kali developers had to ask users to manually update the GPG key due to expiration.
2025-04-28 14:07:53 bleepingcomputer DDOS Cloudflare Reports Unprecedented Surge in DDoS Attacks in 2024-2025
Cloudflare mitigated a record 21.3 million DDoS attacks in 2024, a 358% increase from the previous year, with 2025's first quarter already seeing 20.5 million attacks. The majority of attacks in 2025 targeted Cloudflare's own infrastructure, specifically through a 6.6 million attack-strong 18-day multi-vector DDoS campaign. Key attack methods included SYN flood attacks, Mirai-generated DDoS attacks, and SSDP amplification attacks, with network-layer attacks seeing a 509% growth year-over-year. Cloudflare tackled over 700 hyper-volumetric attacks in early 2025, with attacks exceeding 1 Tbps bandwidth or 1 billion packets per second. Two new threats identified in 2025 Q1 were CLDAP and ESP reflection/amplification attacks, registering unprecedented quarter-over-quarter increases of 3,488% and 2,301% respectively. A notable attack disrupted services for multiplayer gaming servers for popular games like Counter-Strike GO and Team Fortress 2, involving hyper-volumetric tactics reaching 1.5 billion packets per second. The CEO of Cloudflare announced a record-breaking DDoS attack peaking at 5.8 Tbps, hinting at even larger attacks that occurred concurrently.
2025-04-28 13:48:46 theregister DATA BREACH Massive Data Breach Exposes 4 Million People's Sensitive Details
VeriSource Services, a Houston-based tech firm providing employee benefits administration, was breached in February 2024, impacting 4 million individuals. Initial estimates from the company suggested only 112k were affected, but recent findings indicate a much larger scale of data compromise. Compromised data includes names, addresses, social security numbers, dates of birth, and genders, although not every individual's data set includes all data points. VeriSource has been working with affected client companies to determine the full extent of the breach, with their investigation concluding on April 17. The company has been in contact with the FBI since the incident and has offered credit monitoring and identity theft protection to all victims. There is no current evidence that the stolen data has been misused, nor has any specific cybercrime group claimed responsibility for the attack. This incident represents a significant escalation in the severity and impact of cybersecurity breaches reported over recent years.
2025-04-28 12:31:08 theregister CYBERCRIME 4chan Recovers from Devastating Cyberattack Amid Financial Struggles
A cyberattack on 4chan earlier this month was confirmed to be catastrophic, resulting in significant data theft. The attack utilized an outdated software package exploited through a bogus PDF upload, leading to unauthorized access to 4chan’s servers. Critical data, including database tables and source code, were extracted, and the site suffered intentional vandalism. The attack highlighted longstanding issues with updating 4chan’s technology, attributed to financial constraints and insufficient technical staff. After the attack, 4chan upgraded to new servers and disabled PDF uploads to prevent similar exploits. Financial and technical challenges persist for 4chan, with ongoing dependence on volunteer tech support. Despite setbacks, 4chan vows to continue operations, underscoring the unique community it hosts.