Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11828
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-04-24 12:06:25 | bleepingcomputer | MALWARE | Linux 'io_uring' Interface Enables Stealthy Rootkit Exploits | Researchers at ARMO identified a significant security gap in the Linux 'io_uring' interface that allows rootkits to evade detection.
The proof-of-concept rootkit, named "Curing," exploits io_uring to perform malicious actions without triggering conventional security detections focused on syscalls.
Google has disabled io_uring by default on platforms like Android and ChromeOS due to inherent vulnerabilities.
Security tools such as Falco and Tetragon were unable to detect activities performed by the Curing rootkit under normal configurations.
ARMO tested against multiple commercial security tools, which also failed to detect the malicious use of io_uring.
ARMO advocates for the use of Kernel Runtime Security Instrumentation (KRSI) to enhance the detection of such threats.
The Curing rootkit has been made available on GitHub so that organizations can test their security measures against this new evasion method. | Details |
| 2025-04-24 11:28:26 | thehackernews | CYBERCRIME | Darcula Phishing Tool Integrates GenAI, Expands Cybercrime Reach | Darcula, a phishing-as-a-service platform, has been updated to include generative artificial intelligence (GenAI) features, significantly reducing the technical knowledge required to create phishing campaigns.
The GenAI capabilities enable the rapid development of customized phishing pages with multi-language support and automatic form generation, without needing programming skills.
Initially identified in March 2024, Darcula has evolved from using smishing techniques with Apple iMessage and RCS to more sophisticated phishing site generation mimicking legitimate brands.
The platform is operated by a threat actor known as LARVA-246 and is part of a broader cybercrime ecosystem linked to China, facilitating a variety of financial scams.
The latest GenAI update was announced on April 23, 2025, enhancing the ability for attackers to generate phishing forms in different languages and customize form fields.
Since it was first documented, over 25,000 Darcula-linked phishing pages have been taken down by cybersecurity efforts, along with the blocking of nearly 31,000 IP addresses and the flagging of over 90,000 domains.
The ease of use introduced by GenAI in Darcula allows even novice cybercriminals to set up and deploy tailored phishing sites within minutes, underscoring an escalation in the tool's threat level. | Details |
| 2025-04-24 10:34:40 | thehackernews | DATA BREACH | Implementing Zero Trust in Healthcare Amid Rising Cyber Threats | Healthcare cybersecurity faces major challenges in 2025, with operational technology increasingly targeted and a convergence of IT and medical systems expanding the attack surface.
Data breaches in 2024 exposed over 133 million patient records, marking the healthcare sector as the most costly for breaches, with an average cost of $11 million per incident.
New regulatory measures, including revised HIPAA rules, now mandate stricter security controls such as network segmentation to protect electronic health information effectively.
The divide between IT security teams and clinical/biomedical teams creates vulnerabilities, as medical devices often use outdated systems with limited security support.
Integrated solutions like Armis Centrix™ and Elisity’s microsegmentation platforms are being employed to manage these challenges by providing comprehensive visibility and dynamic policy enforcement without network redesign.
This approach allows for less intrusive deployment and robust security policy application, ensuring high availability and performance of healthcare networks.
Main Line Health's successful implementation of this integrated solution has demonstrated significant improvements in compliance, risk management, and operational efficiency.
The Elisity and Armis integration exemplifies the future direction of healthcare cybersecurity, focusing on advanced microsegmentation, AI-driven security responses, and tighter control over third-party network access. | Details |
| 2025-04-24 10:24:57 | theregister | CYBERCRIME | M&S Experiences Ongoing Disruption After Cyber Incident | Marks & Spencer (M&S) reported disruptions due to a cyber incident, affecting contactless payments and delaying orders.
Click & Collect services at M&S have been suspended; home deliveries are also expected to face delays.
The retailer hinted at a possible ransomware attack by stating some internal processes were moved offline.
M&S has not confirmed the nature of the cyber incident but has taken measures to protect network and data.
Stores remain operational, and customers can still place orders online or through the M&S app.
The company is working with top industry experts to restore services and minimize customer inconvenience.
M&S has been recognized for its transparent and effective communication regarding the incident.
Public response has been generally positive towards M&S’s handling of the crisis, mirroring a shift towards better crisis communication in the UK. | Details |
| 2025-04-24 10:02:51 | thehackernews | CYBERCRIME | Sharp Increase in Exploited Vulnerabilities in Q1 2025 | In Q1 2025, 159 CVEs were identified as exploited, an increase from 151 in the previous quarter.
Approximately 28.3% (45 CVEs) were exploited within 24 hours of their disclosure.
Most exploited vulnerabilities were found in CMS, network devices, operating systems, and server software.
Main products impacted included Microsoft Windows, Broadcom VMware, and other technology solutions.
Of the vulnerabilities, 25.8% are still under review or analysis by NIST.
Verizon's 2025 Data Breach Report noted a 34% rise in the use of exploits as the initial vector in intrusions.
The global median dwell time for attackers increased slightly to 11 days from the previous year.
Despite rising exploit trends, enhanced detection is helping reduce the duration of breaches. | Details |
| 2025-04-24 10:02:51 | thehackernews | MALWARE | Critical Security Flaw Uncovered in Commvault Command Center | A security flaw was disclosed in the Commvault Command Center, identified by CVE-2025-34028, with a high severity CVSS score of 9.0.
The vulnerability allows remote attackers to execute arbitrary code on affected installations without requiring authentication.
This flaw specifically impacts versions 11.38.0 through 11.38.19 of Commvault's 11.38 Innovation Release.
The vulnerability is triggered by an SSRF issue in the "deployWebpackage.do" endpoint, marking a critical risk of unauthorized remote actions.
Malicious actors could escalate the SSRF issue, enabling code execution through a ZIP archive that includes a malicious .JSP file.
The vulnerability has been patched in subsequent versions released after the discovery.
Detection tools have been developed to help organizations identify if their installations are vulnerable.
The discovery underscores the increasing security challenges faced by backup and replication software, emphasizing the need for timely updates and patches. | Details |
| 2025-04-24 09:31:38 | theregister | DATA BREACH | Third-Party Data Breach Incidents Doubled Last Year: Report | The percentage of data breaches involving third-party vendors doubled from 15% to 30% last year according to Verizon's Data Breach Investigations Report.
Cybercriminals are targeting weaker links in supply chains like software companies, accountants, and law firms to access larger, more secure networks.
The extended median time of 94 days to address leaks of sensitive information, such as API keys found in public repositories, significantly increases vulnerability.
High-profile breaches, including those affecting major organizations like Santander and Ticketmaster, were exacerbated by credential reuse and the absence of mandatory multi-factor authentication.
Verizon highlights that 80 percent of Snowflake-affected accounts had previously exposed credentials, pointing to prevalent security lapses in credential management across the industry.
The report stresses the importance of organizations ensuring cybersecurity measures are prioritized during the procurement process and continuous vendor management.
Effective collaboration and transparency in information sharing among organizations can enhance structured frameworks for better threat modeling and decision-making to safeguard data. | Details |
| 2025-04-24 07:29:56 | theregister | NATION STATE ACTIVITY | Modified Alpine Quest App Targets Russian Military with Spyware | Russian soldiers are being targeted by a malicious version of the Alpine Quest Android app designed to exfiltrate sensitive data and geolocate users.
Spyware, identified as Android.Spy.1292.origin, was embedded in an older version of the Alpine Quest app and distributed via a fake Telegram channel.
The malware connects to a command-and-control server, can download further malicious modules, and accesses documents shared through messaging apps like Telegram and WhatsApp.
Attribution of the spyware suggests possible involvement of Ukrainian state-backed actors, although this remains unconfirmed.
In a separate incident, Kaspersky discovered a sophisticated backdoor in fake software update packages mimicking ViPNet updates, used by Russian governmental and financial sectors.
Russian entities are also engaging in cyber espionage, using phishing campaigns to hijack Microsoft 365 accounts of Ukrainian officials and allies.
The ongoing digital warfare includes various cyberattacks and espionage efforts reflecting the complex cyber landscape amidst the Ukraine conflict. | Details |
| 2025-04-24 04:07:44 | thehackernews | MISCELLANEOUS | WhatsApp Enhances Privacy with New Chat Security Features | WhatsApp has introduced Advanced Chat Privacy, a feature designed to enhance user privacy by preventing content sharing outside the platform including chat and media exports.
This new security setting blocks auto-download of media and the use of messages for artificial intelligence (AI) purposes, though users can still manually screenshot or download content.
The feature is particularly recommended for sensitive conversations in group settings where not all members may be familiar to each other.
The update is available for all users on the latest version of the WhatsApp application.
Concurrently, Meta, WhatsApp's parent company, was fined €200 million by the European Commission for violation of the Digital Markets Act, specifically related to forcing users into a "pay or consent" model for personalized ads.
The fine covers the period from the enactment of the DMA in March 2024 to November 2024, with potential for additional penalties if the newly revised ad model also fails compliance checks.
In response to the fine, Meta criticized the European Commission for discriminating against American firms, claiming it suppresses personalized advertising which could harm European businesses and economies. | Details |
| 2025-04-24 00:59:07 | theregister | RANSOMWARE | Ransomware Extortion Causes Record $16.6 Billion in Losses | In 2024, ransomware and digital extortion scammers cost U.S. businesses and individuals a record $16.6 billion, marking the highest financial losses tracked by the FBI's Internet Crime Complaint Center (IC3) in its 25-year history.
The FBI reported an increase in ransomware complaints by 9%, despite significant federal efforts to combat these cyber threats, including the disruption of major ransomware operations like LockBit.
Extortion was the second most reported cybercrime, with the FBI receiving 86,415 complaints, whereas ransomware specific complaints totaled 3,156.
The report highlights America's critical infrastructure sectors as being particularly vulnerable, with these sectors reporting nearly 4,900 cybersecurity threats, with ransomware topping the list at 1,403 complaints.
Most active ransomware groups included Akira, LockBit, RansomHub, Fog, and PLAY, with LockBit noted as the most persistent ransomware-as-a-service group for the year.
New and emerging ransomware variants continued to surface, with the IC3 recording 67 new types in 2024, indicating the dynamic nature of the threat landscape.
Despite the rise in complaints and ongoing threats, the financial impact from ransomware decreased to $12.5 million in reported losses, down significantly from $59.6 billion in the previous year. | Details |
| 2025-04-23 22:25:43 | theregister | DATA BREACH | Blue Shield's Major Privacy Breach Involving 4.7M Patients' Data | Blue Shield of California shared sensitive health information of up to 4.7 million patients with Google's advertising services without their consent.
Data shared may have included names, medical claim dates, insurance details, and other personal identifiers, potentially used by Google for targeted advertising.
The information was passed to Google through a configuration error linking Google Analytics with Google Ads.
This incident potentially violates HIPAA rules, raising serious privacy and ethical concerns about the handling and protection of patient information.
Upon discovery, Blue Shield severed the data-sharing link between Google Analytics and Google Ads and initiated a review to ensure compliance.
Blue Shield notified affected individuals and claimed that Google had not misused the information nor shared it further.
The incident underscores broader issues regarding the use of tracking technologies by healthcare organizations and their partners. | Details |
| 2025-04-23 18:35:56 | theregister | MALWARE | Critical Malware Injection Discovered in Ripple's NPM Package | The official NPM package for the Ripple ledger, used for cryptocurrency transactions and development, has been compromised with malware aiming to steal private keys.
Security researchers from Aikido identified the attack on five specific versions of the xrpl package: 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2. Users are advised to assume these versions are compromised.
The malware's primary function within these versions is to access and steal users' cryptocurrency wallet private keys, which could result in unauthorized access to funds.
Despite the discovery, the exact nature of the critical vulnerability, labeled CVE-2025-32965 with a score of 9.3, remains unclear beyond its association with the supply chain attack.
Security advice includes rotating private keys and transferring funds to secure wallets to avoid potential financial losses from compromised accounts.
The newly added malicious versions of xrpl were found signaling to a suspicious domain, implying a sophisticated method of concealment and execution by the attackers.
This incident exemplifies the growing trend of targeting NPM for supply chain attacks, leveraging its open-source nature and popularity among developers.
Organizations and developers are urged to enhance security protocols and continuously monitor supply chain activities to guard against similar sophisticated threats. | Details |
| 2025-04-23 18:35:55 | bleepingcomputer | MALWARE | New Android Malware Targets Russian Soldiers Using Fake Mapping App | Security researchers have uncovered a new Android malware embedded within fake versions of the Alpine Quest mapping app.
The compromised versions, which mirror the Alpine Quest Pro app, are distributed via Telegram channels and Russian mobile app repositories.
Attackers use the promise of a free, premium app to lure Russian military personnel, exploiting the app's popularity in military and outdoor activities.
The malicious software aims to steal documents and communication data from infected devices, potentially exposing sensitive military operational details.
The malware functions by masquerading as a legitimate application, increasing the likelihood of download and use by unsuspecting users.
The trojanized app was discovered by the Russian antivirus firm Doctor Web, which named the threat 'Android.Spy.1292.origin' without attributing it to any specific origin.
This event highlights a shift where Russian soldiers, traditionally seen as perpetrators of similar tactics, are now also victims in cyber-espionage campaigns. | Details |
| 2025-04-23 17:43:13 | theregister | MISCELLANEOUS | Agentic AI Set to Dominate Discussion at RSA 2025 | The RSA Conference 2025 is anticipated to focus heavily on agentic AI, a type of task-oriented AI that acts semi-independently on top of large language models.
Security professionals expect these AI agents to perform roles ranging from malware analysis to monitoring security operations centers (SOCs) and handling alerts autonomously.
While it promises to improve efficiency in sectors such as security and payment processing, there are significant concerns around the use of agentic AI, including potential misuse and the risk of data poisoning.
Keynote speeches and vendor displays at the event will showcase the applications of agentic AI, demonstrating both real-world applications and conceptual potentials.
Skeptics voice concerns about over-relying on agentic AI without thorough oversight, afraid that errors could lead to serious issues such as unintentional data leaks or denial of service.
Security leaders urge caution, advocating for rigorous validation of AI actions to avoid operational disruptions and unintended consequences in sensitive environments like manufacturing.
The article suggests that while agentic AI presents innovative possibilities, it equally necessitates careful scrutiny and regulation to mitigate privacy, security, and operational risks.
The hype around agentic AI at RSAC is noted, with the implication that it may overshadow necessary discussions on the implications and safety of deploying these technologies in live environments. | Details |
| 2025-04-23 17:43:12 | bleepingcomputer | MISCELLANEOUS | WhatsApp Introduces Advanced Chat Privacy for Enhanced Security | WhatsApp has launched a new feature called Advanced Chat Privacy to enhance the security of private and group chats.
The feature prevents the export of chat histories and limits the automatic downloading and external use of media.
Users can activate this setting by accessing the chat options, ensuring higher confidentiality within the app.
While the feature adds a layer of security, sensitive information can still be captured manually, e.g., through taking pictures of the screen.
This development is part of ongoing efforts to bolster privacy on WhatsApp, following the introduction of end-to-end encryption and encrypted chat backups.
Additional enhancements to Advanced Chat Privacy are being developed to increase its effectiveness further.
These measures align with WhatsApp's broader strategy to secure user communications and ensure privacy in digital interactions among its two billion global users. | Details |