Daily Brief

Articles are listed below; the summary under each title is machine-generated.

Total articles found: 11827

Checks for new stories every ~15 minutes

2025-04-28 12:23:35 thehackernews CYBERCRIME Critical NetWeaver Exploit Highlights Week in Cybersecurity
A critical flaw in SAP NetWeaver was exploited as a zero-day to upload arbitrary files and achieve remote code execution. The intruders used the Brute Ratel C4 framework and the Heaven's Gate technique to evade endpoint security. The recap argues that the threat landscape is shifting towards AI-driven attacks that traditional perimeter defenses such as firewalls were not built to stop. Newly disclosed vulnerabilities include issues in Craft CMS, Commvault Command Center and Microsoft Windows, among others, raising the urgency of patching. Attackers are also abusing video call platforms such as Zoom: a fake meeting invite gets the target onto a call, after which the attacker requests remote control of the target's system. Recommendations include disabling remote control features that are not needed, verifying the identity of other participants, and using browser-based clients for calls. The recap closes by stressing defenses beyond technology, namely attention to human factors, trust and behaviour, as protection against sophisticated attacks.
2025-04-28 11:03:54 thehackernews DATA BREACH How Minor Vulnerabilities Can Lead to Major Data Breaches
Intruder's bug-hunting team shows how small flaws chain into serious breaches. One example is an SSRF bug in a home-moving app that reached the AWS instance metadata service, exposing sensitive metadata, including credentials, and the IAM permissions those credentials carried. An exposed .git repository let attackers bypass authentication and reach a university's database, putting private data at risk. A document-signing app was vulnerable to remote code execution through an outdated version of ExifTool. In an auction application, a self-XSS combined with cache poisoning allowed site-wide account takeover. API weaknesses such as IDOR were exploited simply by changing identifiers in requests, exposing other users' data. Intruder's takeaway is proactive security: continuous discovery of unknown assets and continuous scanning for vulnerabilities before attackers find them.
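The SSRF case above (user-supplied URL fetched server-side, landing on the AWS instance metadata service) is the one minor bug in that list with a compact fix: vet the destination before the fetch. The check below is an added example, not Intruder's code. It assumes the application fetches a URL the user controls; the resolver is injectable so the check can be exercised offline against a constructed DNS table, and the hostnames and addresses in that table are invented for the demo.

```python
"""SSRF target vetting: refuse server-side fetches of cloud metadata and internal ranges.

Added example, not Intruder's code. The resolver is injectable so the check can be
run offline with the constructed DNS table at the bottom.
"""
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

# Networks a server-side fetcher should never reach on a user's behalf.
# 169.254.0.0/16 covers the AWS/GCP/Azure instance metadata service at 169.254.169.254.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> list[str]:
    """Resolve through the OS. Every host goes through getaddrinfo, even one that
    looks like an IP literal, so odd IPv4 spellings (decimal, octal) get normalised."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(text: str) -> bool:
    addr = ipaddress.ip_address(text)
    # ::ffff:169.254.169.254 is the metadata address in IPv4-mapped form; unwrap it
    # so the IPv4 rules apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def vet_outbound_url(url: str, resolver=system_resolver) -> tuple[bool, str, list[str]]:
    """Return (allowed, reason, resolved_addresses).

    The caller must connect to one of the returned addresses (pinning it and sending
    the original Host header) instead of resolving again: otherwise a DNS-rebinding
    attacker answers with a public IP for this check and a private one for the fetch.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    if not parts.hostname:
        return False, "no host in URL", []
    if parts.username is not None or parts.password is not None:
        # http://api.example.com@169.254.169.254/ : the part before @ is not the host.
        return False, "userinfo in URL", []
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, ValueError, UnicodeError) as exc:
        return False, f"unresolvable host: {exc}", []
    if not addrs:
        return False, "host resolved to nothing", []
    for addr in addrs:  # reject if ANY answer is internal, not just the first
        if is_blocked_address(addr):
            return False, f"{parts.hostname} resolves to blocked address {addr}", addrs
    return True, "ok", addrs


# Constructed DNS table for the offline demo; none of these are real hosts.
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "metadata.internal.example": ["169.254.169.254"],
    "169.254.169.254": ["169.254.169.254"],
    "::ffff:169.254.169.254": ["::ffff:169.254.169.254"],
    "rebind.attacker.example": ["203.0.113.10", "10.0.0.5"],
}


def fake_resolver(host: str) -> list[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for url in ("https://api.example.com/report",
                "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
                "http://metadata.internal.example/",
                "http://[::ffff:169.254.169.254]/",
                "http://rebind.attacker.example/",
                "http://api.example.com@169.254.169.254/",
                "file:///etc/passwd"):
        allowed, reason, _ = vet_outbound_url(url, fake_resolver)
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {url}  ({reason})")
```

The deny-list is only half of the control: pin the vetted address for the actual connection, disable redirect following (or re-vet every hop), and on AWS require IMDSv2 with a hop limit of 1 so a stolen SSRF cannot reach the metadata service in the first place.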
2025-04-28 09:11:01 thehackernews NATION STATE ACTIVITY Sophisticated APT Campaign Targets Southeast Asia's Key Sectors
Earth Kurma, an advanced persistent threat (APT) group active since June 2024, is targeting government and telecommunications organisations in Southeast Asia with a sophisticated espionage campaign. Kernel-level rootkits give the group persistent access, and cloud storage services such as Dropbox and Microsoft OneDrive are used for stealthy exfiltration, with custom tools including TESDAT and SIMPOBOXSPY used to siphon sensitive data. Affected countries include the Philippines, Vietnam, Thailand and Malaysia, where the attacks bring risks such as credential theft and long-term covert access. The intrusions rely on living-off-the-land (LotL) techniques, using legitimate tools to install malware while staying quiet. Keyloggers and several custom malware families, including the KRNRAT and Moriya rootkits, are used to gather data and keep long-term access inside infected networks. Overlaps in tactics and tooling suggest possible, though unconfirmed, links to other known APT groups such as ToddyCat. Trend Micro, which reported the campaign, stresses Earth Kurma's adaptability and the continued evolution of its methods, and says security posture in the targeted sectors needs urgent reassessment.
2025-04-28 08:08:53 thehackernews CYBERCRIME Phishing Attack Targets WooCommerce Users with Fake Security Patch
A large-scale phishing campaign is targeting WooCommerce users by exploiting fears about security vulnerabilities. Cybersecurity firm Patchstack reports that the emails urge recipients to download a supposedly critical security patch from a phishing site. The site uses an IDN homograph attack so that its domain looks like the legitimate WooCommerce domain and the page passes as authentic. Installing the fake patch plants a backdoor that gives the attackers remote control of the affected website. The operators are possibly the same group, or a new cluster copying the tactic, behind a similar campaign observed in December 2023. Possible consequences include encryption of the server for extortion, enrolment of the site in a DDoS botnet, and redirection of visitors to malicious sites. Users are advised to scan for unusual plugins or admin accounts and to keep their software rigorously updated.
2025-04-28 07:16:35 thehackernews CYBERCRIME Hackers Target Craft CMS in Widespread Zero-Day Exploitation
Threat actors exploited two critical vulnerabilities affecting Craft CMS, compromising hundreds of servers. The zero-day attacks were first spotted on February 14, 2025, by Orange Cyberdefense SensePost. Chained together, the flaws let unauthenticated POST requests abuse Craft CMS's image transformation feature. The attackers used Python scripts to test servers for the flaw at scale and then dropped malicious PHP files on vulnerable ones. Roughly 13,000 Craft CMS instances were found vulnerable, with nearly 300 confirmed compromises. Craft CMS issued an advisory telling affected users to refresh their security keys and reset credentials, among other measures. Separately, a high-severity vulnerability in Active! Mail was also being actively exploited in Japan around the same time.
2025-04-28 06:39:19 theregister MISCELLANEOUS Microsoft Introduces Paid Hotpatching for Windows Server 2025
Microsoft is launching a subscription-based hotpatching service for on-premises Windows Server 2025, scheduled for July and priced at $1.50 per core per month. Hotpatching applies updates without a reboot, so services stay up and maintenance windows shrink. Microsoft plans eight hotpatches a year on a quarterly cadence, cutting the number of Patch Tuesday reboots. Reboots are still required for the baseline updates in January, April, July and October, and Microsoft may also ship a rebooting update in exceptional security situations. Servers must be connected to Azure Arc to be eligible; Arc itself adds no extra cost. Participants in the hotpatching preview will be moved to the paid service automatically unless they opt out by June 30. The Azure Edition of Windows Server continues to receive hotpatching at no extra cost, in contrast to the new subscription for on-premises servers.
2025-04-28 03:05:23 theregister MISCELLANEOUS Samsung Galaxy Devices Vulnerable to Clipboard Security Issue
Samsung has acknowledged that the clipboard on its Galaxy devices keeps copied passwords in plain text with no expiry, leaving sensitive data exposed to anything that can read the clipboard. User complaints about the behaviour prompted Samsung to say it is considering security enhancements. Also in brief: Cybernews reported that more than 21 million screenshots from an employee-monitoring product were found in an unsecured AWS S3 bucket, a significant privacy exposure. Microsoft has reported on the security changes made after China-based attackers exploited weaknesses in its infrastructure, improving key management and access token handling. Scams exploiting the death of Pope Francis trick users into handing over personal information through fake news articles and bogus Google pages. Cisco Talos has identified a new initial access broker, "Toymaker," that compromises corporate systems to steal and sell credentials. Newly disclosed vulnerabilities continue to be exploited fast, often within a day of public disclosure. MITRE has released version 17 of its ATT&CK framework, adding techniques related to VMware ESXi attacks and detailing tactics used in North Korean remote-work scams.
2025-04-27 18:30:49 bleepingcomputer MISCELLANEOUS Coinbase Corrects Bug Mislabeling Login Errors as 2FA Failures
Coinbase resolved a bug that mislabeled failed login attempts as two-factor authentication (2FA) failures in user account activity logs. Users were misled into thinking their accounts had been compromised, causing widespread concern and unnecessary panic among the platform's clientele. The erroneous log entries suggested that correct usernames and passwords were used, but were blocked by 2FA, causing users to believe their secure credentials were at risk. This glitch led to users resetting passwords and spending significant time investigating potential security breaches on their devices. The mislabeled entries could potentially have been exploited in social engineering attacks, misleading users about the security status of their accounts. Coinbase pushed an update to correct the log labels to accurately reflect "Password attempt failed" instead of suggesting a 2FA error. Coinbase continues to caution its users against SMS phishing and voice call scams claiming to require sensitive information or security verification. The company reassures that it never requests password changes or 2FA resets via unsolicited calls or texts, urging customers to treat such communications as fraudulent.
2025-04-27 14:18:51 bleepingcomputer MISCELLANEOUS Brave Enhances User Privacy with New Cookiecrumbler Tool
Brave has released an open-source tool called "Cookiecrumbler," which utilizes AI to identify and block cookie consent notices on websites without disrupting site functionality. The tool leverages large language models (LLMs) for detecting cookie banners and involves community feedback to ensure essential website features remain operational. Brave has been blocking cookie notices by default since 2022 but faced challenges with site usability issues such as broken layouts and non-functional pages. Cookiecrumbler’s mechanism includes using proxies and automated crawlers to simulate regional browsing, which enhances detection accuracy while preserving user privacy. All processing occurs on Brave's backend rather than on user devices, ensuring personal information is not compromised during cookie banner detection. The tool is currently used internally for backend analysis and will be integrated into the Brave browser following a thorough privacy review. Cookiecrumbler is available on GitHub for other developers and privacy advocates to use and enhance their own website privacy measures.
2025-04-27 05:05:44 thehackernews CYBERCRIME Microsoft Uncovers Crypto Mining Scheme Targeting Educational Institutions
Microsoft's threat intelligence team has identified a cybercrime group, Storm-1977, that targets educational institutions with password-spraying attacks against cloud accounts. The attackers used a tool named AzureChecker.exe, which fetches an AES-encrypted list of spray targets from the external server "sac-auth.nodefunction[.]vip" and then tries leaked credentials against those accounts. In one successful intrusion, Storm-1977 used a guest account in the compromised subscription to create a resource group and more than 200 containers for illicit cryptocurrency mining. Microsoft advises hardening containerised assets and monitoring for abnormal Kubernetes API requests to catch this kind of abuse.
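The "monitor for abnormal Kubernetes API requests" advice above is actionable with the audit log alone: a single identity creating hundreds of workloads in minutes stands out against normal deploy traffic. The detector below is an added example, not Microsoft's detection logic. It assumes kube-apiserver audit events in their standard JSON shape (verb, user.username, objectRef, requestReceivedTimestamp, responseStatus.code); the usernames, namespaces and timings in the sample log are constructed for the demo.

```python
"""Flag bursts of workload creation in Kubernetes audit logs.

Added example, not Microsoft's code. Assumes audit-policy output in the standard
JSON Event format; the sample log built below is constructed, not captured.
"""
from __future__ import annotations

import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WORKLOAD_RESOURCES = {"pods", "deployments", "jobs", "replicasets", "daemonsets"}
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def make_event(user: str, verb: str, resource: str, namespace: str,
               ts: datetime, code: int = 201) -> str:
    """Build one constructed audit line in the kube-apiserver Event shape."""
    return json.dumps({
        "kind": "Event", "verb": verb,
        "user": {"username": user},
        "objectRef": {"resource": resource, "namespace": namespace},
        "requestReceivedTimestamp": ts.strftime(TS_FORMAT),
        "responseStatus": {"code": code},
    })


def build_sample_log() -> list[str]:
    """Constructed sample: a guest identity spinning up 30 pods in three minutes,
    next to normal CI deploys and read-only monitoring traffic."""
    t0 = datetime(2025, 4, 20, 10, 0, 0)
    lines = []
    for i in range(30):   # burst: one pod every 6 seconds
        lines.append(make_event("guest-user@contoso.example", "create", "pods",
                                "miners", t0 + timedelta(seconds=6 * i)))
    for i in range(3):    # benign: CI deploys spread over 40 minutes
        lines.append(make_event("system:serviceaccount:ci:deployer", "create",
                                "deployments", "app", t0 + timedelta(minutes=20 * i)))
    for i in range(50):   # benign: monitoring lists pods constantly (not a create)
        lines.append(make_event("system:serviceaccount:monitoring:prom", "list",
                                "pods", "app", t0 + timedelta(seconds=i), code=200))
    # a denied create: RBAC blocked it, so it does not count towards the burst
    lines.append(make_event("guest-user@contoso.example", "create", "pods",
                            "miners", t0, code=403))
    return sorted(lines, key=lambda line: json.loads(line)["requestReceivedTimestamp"])


def detect_creation_bursts(lines, threshold: int = 20,
                           window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Return one alert per user whose successful workload creates reach `threshold`
    inside any sliding interval of length `window`."""
    recent: dict[str, deque] = defaultdict(deque)
    alerts, alerted = [], set()
    for line in lines:
        ev = json.loads(line)
        if ev.get("verb") != "create":
            continue
        ref = ev.get("objectRef", {})
        if ref.get("resource") not in WORKLOAD_RESOURCES:
            continue
        if not 200 <= ev.get("responseStatus", {}).get("code", 0) < 300:
            continue  # denied/failed creates deserve their own alert, not counted here
        user = ev["user"]["username"]
        ts = datetime.strptime(ev["requestReceivedTimestamp"], TS_FORMAT)
        q = recent[user]
        q.append((ts, ref.get("namespace")))
        while q and ts - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user, "count": len(q),
                "namespaces": sorted({ns for _, ns in q}),
                "first": q[0][0], "last": ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_creation_bursts(build_sample_log()):
        print(f"{alert['user']}: {alert['count']} workload creates in "
              f"{alert['last'] - alert['first']} (namespaces {alert['namespaces']})")
```

Tune the threshold per cluster from a few weeks of baseline, and pair this with a second rule on creates into namespaces that have never seen that identity before; the guest-account case above would trip both.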
2025-04-26 15:30:54 bleepingcomputer CYBERCRIME DragonForce Introduces White-Label Ransomware as a Service Model
DragonForce, a ransomware gang, has restructured its operations into a cartel, offering a white-label branding scheme to affiliates. This new model allows other ransomware operations to utilize DragonForce's infrastructure, such as negotiation tools, data storage, and malware administration, under their own brands. DragonForce charges a 20% commission on paid ransoms from the operations under its structure, providing a lower-cost, flexible option for ransomware deployment. The organization claims a moral stance by avoiding attacks on certain types of healthcare facilities, specifying they do not target cancer or heart-related treatments. Security experts at Secureworks suggest the model could attract a broader range of less technically skilled affiliates, increasing both the reach and potential profits of DragonForce. The operations model strictly enforces adherence to internal rules, with immediate expulsion for any affiliates breaking these guidelines. An example of a new ransomware gang adopting this model is RansomBay, showing early adoption and interest in DragonForce's revamped approach.
2025-04-26 14:10:46 bleepingcomputer MALWARE WooCommerce Admins Fooled by Malicious Security Patch Phishing Scam
A phishing campaign is targeting WooCommerce users, prompting them to download a fake "critical security patch" that actually installs a malicious WordPress plugin. The phishing emails mimic WooCommerce support, using deceptive domain names that closely resemble the legitimate WooCommerce domain, employing homograph attack techniques. This malicious plugin creates hidden admin accounts, enables web shell payload downloads, and grants attackers persistent unauthorized access to the victim's website. This scheme is reminiscent of a previous phishing operation targeting WordPress users with fake patches for non-existent vulnerabilities. Once installed, the malicious software initiates cronjobs to maintain control, downloads further obfuscated malware payloads, and conceals its tracks by hiding its files and the new admin accounts from plain view. Threat actors could potentially use the access to inject ads maliciously, redirect visitors, participate in DDoS attacks, steal sensitive data, or deploy ransomware. Security firm Patchstack advises vigilance regarding unusual admin accounts, cron jobs, and specific, obscure directories but warns that specifics may change as attackers adapt to security measures being publicized.
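Both WooCommerce items above turn on an IDN homograph domain: a Unicode lookalike that the browser may show decoded, but which arrives in the email as an xn-- punycode label. The check below is an added example, not Patchstack's tooling. It assumes a list of brand domains you want to protect, and its confusables table is a small hand-picked subset of the Unicode TR39 data (an assumption: enough for the demo, not complete); the lookalike domain is constructed for the demo.

```python
"""Spot IDN homograph lookalikes of brand domains in links.

Added example, not Patchstack's code. CONFUSABLES is a hand-picked subset of
Unicode TR39 (assumption: sufficient for the demo, not the full table).
"""
from __future__ import annotations

import unicodedata
from urllib.parse import urlsplit

# Characters commonly substituted for Latin letters in lookalike domains -> Latin letter.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",   # Cyrillic с у х ѕ
    "\u0456": "i", "\u0458": "j", "\u04bb": "h", "\u0501": "d",   # Cyrillic і ј һ ԁ
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",                  # Greek α ο ν
    "\u0131": "i", "\u0261": "g",                                 # dotless i, script g
}


def decode_idn(host: str) -> str:
    """Turn xn-- labels back into Unicode so the lookalike letters become visible."""
    return host.encode("ascii").decode("idna")


def skeleton(host: str) -> str:
    """Fold confusables onto their Latin lookalikes (a TR39-style skeleton) so that
    two hosts that look the same compare equal."""
    folded = unicodedata.normalize("NFKC", host.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def scripts_used(host: str) -> set[str]:
    """Script family of each letter, taken from the first word of its Unicode name
    (unicodedata has no script property; this is an approximation)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in host if ch.isalpha()}


def assess_host(host: str, brand_domains: list[str]) -> dict:
    shown = decode_idn(host.lower())
    skel = skeleton(shown)
    impersonates = [b for b in brand_domains if skeleton(b) == skel and shown != b.lower()]
    mixed = len(scripts_used(shown)) > 1   # Latin + Cyrillic in one host is a red flag
    return {
        "host": host,
        "display": shown,
        "punycode": any(label.startswith("xn--") for label in host.lower().split(".")),
        "mixed_script": mixed,
        "impersonates": impersonates,
        "suspicious": bool(impersonates) or mixed,
    }


def assess_url(url: str, brand_domains: list[str]) -> dict:
    return assess_host(urlsplit(url).hostname or "", brand_domains)


# Constructed sample: the second "o" of woocommerce is CYRILLIC SMALL LETTER O (U+043E).
BRANDS = ["woocommerce.com", "wordpress.org"]
LOOKALIKE_DISPLAY = "wo\u043ecommerce.com"
LOOKALIKE_PUNYCODE = LOOKALIKE_DISPLAY.encode("idna").decode("ascii")  # xn--...com

if __name__ == "__main__":
    for url in (f"https://{LOOKALIKE_PUNYCODE}/security-patch/",
                "https://woocommerce.com/",
                "https://xn--mnchen-3ya.de/"):   # legitimate IDN, no brand collision
        print(assess_url(url, BRANDS))
```

A plain punycode flag alone produces false positives on legitimate internationalised domains (the münchen.de case above), which is why the skeleton comparison against your own brand list and the mixed-script test carry the decision.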
2025-04-26 10:48:55 thehackernews CYBERCRIME ToyMaker Sells Access to Ransomware Gangs, Deploys LAGTOY Malware
Cisco Talos has identified an initial access broker (IAB) it calls ToyMaker, which sells access to ransomware groups such as CACTUS. ToyMaker uses a custom backdoor named LAGTOY to control compromised systems. The malware was first documented by Mandiant in late March 2023 under the name HOLERUN and attributed to UNC961, also tracked as Gold Melody and Prophet Spider. ToyMaker exploits vulnerabilities in internet-facing applications for initial access, performs reconnaissance and harvests credentials, then hands the access over to the ransomware operators, who deploy CACTUS. LAGTOY polls a command-and-control server for commands, can spawn reverse shells, and can run processes under specified user privileges. The attackers also used Magnet RAM Capture to take memory dumps and harvest further credentials from compromised hosts. CACTUS affiliates then carry out their own reconnaissance, establish persistence with tools such as OpenSSH and AnyDesk, and move on to data exfiltration and encryption.
2025-04-26 00:04:29 theregister NATION STATE ACTIVITY US Defense Secretary's Insecure Practices Endanger National Security
US Defense Secretary Pete Hegseth used Signal on personal devices to discuss sensitive military details. Several incidents involve senior White House officials using personal devices and consumer apps to share classified information, and National Security Council members reportedly used personal Gmail accounts to discuss military operations. Each incident exposes critical national security data to interception by foreign intelligence services, and each bypassed the secure communication channels the Pentagon has established for such material. John Ackerly, an encryption expert and former White House technology adviser, highlighted the ongoing risk from adversaries such as China. The Trump administration has also neglected cybersecurity norms, dissolving the Cyber Safety Review Board while investigations were under way. Officials continue to downplay the lapses even after the leaks became public, which undermines US military and national defense.
2025-04-25 22:23:15 theregister MISCELLANEOUS US CVE Program Faces Unexpected Funding Crisis and Future Plans
The Common Vulnerabilities and Exposures (CVE) program, operated by MITRE under US government contract since 1999, faced a sudden notification of non-renewed funding. Board members, including founding member Kent Landfield, were unexpectedly informed via social media about the funding issue, highlighting communication failures within the governance structure. Despite historical funding challenges, this incident exposed significant weaknesses in the CVE's sustainability and dependence on single government sponsorship. Following the revelation, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed an extension of the funding contract until March 2026, alleviating immediate concerns but not securing long-term stability. Concurrently, discussions within the CVE board culminated in the formation of the CVE Foundation, aiming to diversify funding and maintain the program's neutrality and effectiveness in global cybersecurity. The CVE Foundation received quick positive feedback and support offers from various global entities, indicating widespread recognition of the program’s importance. Detailed planning and collaboration efforts are underway to ensure the CVE program’s transition to a more sustainable, diversified funding model and to enhance its role in global cybersecurity defense.