Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12740
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-06-24 17:27:38 | theregister | MALWARE | Alert: Fake SonicWall VPN App Steals Sensitive User Credentials | SonicWall and Microsoft discovered a fake SonicWall SSL VPN app designed to steal user credentials.
The fraudulent app distributed a Trojanized version of the official SonicWall NetExtender software.
Malicious actors used a digitally-signed but fake certificate from "CITYLIGHT MEDIA PRIVATE LIMITED" to lend credibility to the installer.
Users were tricked into downloading the app from spoofed websites that mimicked legitimate download portals.
The tampered app bypassed digital certificate validation checks and installed malware that collected VPN configurations—usernames, passwords, domains—and sent this data to a remote server controlled by attackers.
Two modified files within the app, NeService.exe and NetExtender.exe, were specifically designed to execute the malicious operations.
Despite takedowns of the fake sites and revocation of the fraudulent digital certificate, the threat persists due to the simplicity of creating new malicious domains.
SonicWall advises downloading software directly from official vendor sites to avoid such security risks. | Details |
| 2025-06-24 16:59:16 | bleepingcomputer | CYBERCRIME | Trezor Support System Exploited in Crypto Phishing Scam | Trezor's automated support system is being used to send phishing emails that appear to be from legitimate company addresses.
Attackers create support tickets with urgent phishing messages as titles, which are then automatically emailed to users.
The phishing emails direct users to a fake site where they are prompted to input their wallet seed phrase.
Possession of a seed phrase allows unauthorized users to gain full access to a victim’s cryptocurrency assets.
Trezor has issued warnings to users never to share their seed phrases and is working on measures to prevent future incidents.
This exploitation of Trezor’s support system follows several previous security breaches and phishing campaigns targeting Trezor users.
Details on the ongoing situation and defense tips against phishing are available on Trezor's dedicated online guide. | Details |
| 2025-06-24 15:10:33 | theregister | MISCELLANEOUS | Discovering the Hidden Gaps in Vulnerability Management | Organizations often misunderstand the completeness of their vulnerability scans, missing 10-20% of devices that never get scanned.
Vulnerability management platforms can mislead with clean metrics, while significant asset visibility issues and gaps remain.
Detected devices may still have incomplete scans due to missing agents or credentials, leaving unassessed vulnerabilities.
Common platform features lack mechanisms to natively identify never-scanned devices, impacting overall security posture.
Case studies highlight the severe impacts of these gaps, including unpatched systems leading to breaches in financial and healthcare sectors.
Continuous inventory assessments and cross-referencing data from multiple systems are recommended for accurate coverage verification.
The article encourages a shift from reliance on platform-native reports to continuous validation and monitoring of asset inventories for real-time security management.
Prelude Security suggests that organizations should not solely depend on vendor reports but should proactively identify and address visibility gaps. | Details |
| 2025-06-24 15:00:32 | bleepingcomputer | MALWARE | New FileFix Attack Exploits Windows File Explorer Stealthily | A cybersecurity researcher named mr.d0x has developed a new attack variant called FileFix, which manipulates the address bar in Windows File Explorer to execute malicious commands.
FileFix is derived from ClickFix, a social engineering technique that previously used browsers to trick users into executing harmful PowerShell commands.
Unlike ClickFix, FileFix utilizes a more familiar and trusted component of Windows, the File Explorer, to deceive users into pasting malicious commands under the guise of handling shared files.
By misrepresenting the functionality of buttons and links, the phishing page conceals the harmful commands within what appears to be legitimate user interactions, thus increasing the likelihood of user compliance.
The method of hiding malicious code within seemingly benign commands in File Explorer potentially increases the attack's stealth and effectiveness.
FileFix could be used by cybercriminals to deploy malware, ransomware, and conduct targeted phishing attacks due to its simplicity and the ubiquity of Windows File Explorer.
mr.d0x believes that, similar to his previous discoveries, FileFix will likely be quickly adopted by malicious actors for its straightforwardness and the trust placed in standard Windows utilities by users.
The researcher has demonstrated the viability of FileFix with a proof-of-concept, which he discussed with the tech media outlet BleepingComputer, emphasizing its potential for harm if leveraged by cyber attackers. | Details |
| 2025-06-24 14:21:18 | thehackernews | CYBERCRIME | Innovative Techniques to Disrupt Cryptocurrency Mining Botnets | Akamai researchers have developed two new methods to counteract cryptocurrency mining botnets by exploiting mining protocols.
These techniques manipulate mining topologies and pool policies, drastically reducing the effectiveness of cryptomining botnets and potentially leading to their shutdown.
The first method, known as "bad shares," involves submitting invalid mining results to get a mining proxy banned from the network, which halts the botnet's operation.
The second technique uses a miner's direct connection to a pool to issue over 1,000 login requests with the botnet operator's wallet address, getting that wallet temporarily banned for an hour.
Both strategies are designed to exploit vulnerabilities in the Stratum mining protocol used in common topologies, causing significant disruption to malicious mining operations.
The methods currently target Monero miners but can be adapted to other cryptocurrencies as well.
These defensive tactics enable the rapid recovery of legitimate miners from attacks, contrasting with the challenging recovery process for malicious operations. | Details |
| 2025-06-24 14:08:29 | bleepingcomputer | MISCELLANEOUS | Continuous Penetration Testing: Revolutionizing Proactive Security | The evolution of penetration testing has led to various models including Point-in-Time Pentests, PTaaS, Bug Bounty Programs, and Automated Tools, with Continuous Penetration Testing (CPT) proving most effective.
Legacy pentests offer a static and periodic snapshot that fails to match the dynamic nature of modern threats; CPT offers always-on, real-world attack simulation.
CPT integrates human expertise with automation, providing continuous coverage, real-time alerts, unlimited retesting, and faster remediation times, which proves crucial against the fast pace at which new vulnerabilities are weaponized.
While CPT requires a higher initial investment, it offers significant long-term benefits by aligning closely with modern development practices and persistent threat landscapes.
Various penetration testing models were compared, highlighting Continuous Penetration Testing as a superior method due to its comprehensive and proactive approach in a fast-evolving threat environment.
The shift from annual or periodic testing to continuous testing models enables organizations to stay ahead of threats and more effectively protect sensitive data.
Sprocket Security provides these services, emphasizing the strategic, operational, and cost benefits of transitioning to a continuous penetration testing model. | Details |
| 2025-06-24 13:45:40 | bleepingcomputer | MISCELLANEOUS | U.S. House Bans WhatsApp on Government-Issued Devices | The U.S. House of Representatives has implemented a ban on WhatsApp for use on all government-issued devices among congressional staff due to security concerns over its data encryption and storage processes.
Staffers can still use WhatsApp on their private devices, but these devices are prohibited in secure areas like classified briefings or secure facilities.
The ban extends to numerous device types, including mobile phones, laptops, and desktop computers, as well as any web browsers on those devices.
The Chief Administrative Officer (CAO) of the House, Catherine Szpindor, emphasized that the priority is to safeguard the House and its members from potential cybersecurity threats.
Alternatives recommended by the House CAO include Microsoft Teams, Wickr, Signal, iMessage, and FaceTime, all of which are considered to have acceptable security features for official communications.
WhatsApp responded strongly against the ban, arguing that the app's default end-to-end encryption provides better security compared to many apps on the House's approved list.
The news surfaces amid broader efforts by the House to limit use of potentially risky technology platforms and applications, including ByteDance apps like TikTok and certain AI tools like ChatGPT. | Details |
| 2025-06-24 13:29:11 | thehackernews | CYBERCRIME | Global Microsoft Exchange Servers Hacked to Harvest Login Details | Unidentified hackers are targeting Microsoft Exchange servers globally to insert keyloggers on login pages and steal credentials.
Analysis by Positive Technologies revealed two types of JavaScript keylogger codes affecting servers in 26 countries across various sectors including government, finance, IT, and education.
The campaign, first documented in May 2024, exploits known Exchange Server vulnerabilities such as ProxyShell to deploy malicious code.
Compromised data includes user credentials and cookies, transmitted discreetly to avoid detection using methods like local file storage and external Telegram bots.
The attacks, initially detected in Africa and the Middle East, have now expanded worldwide, with significant concentrations in Vietnam, Russia, Taiwan, China, and several other countries.
Researchers warn many Exchange servers are still susceptible to older vulnerabilities, allowing attackers to remain undetected for extended periods.
Notably, 22 government servers have been compromised, highlighting the significant impact on state operations. | Details |
| 2025-06-24 11:50:45 | theregister | CYBERCRIME | Four REvil Ransomware Members Released After Guilty Pleas | Four members of the notorious REvil ransomware group were released from Russian detention after serving most of their five-year sentences since their 2022 arrest.
The individuals, convicted for crimes including the use of malicious programs and illegal financial activities, were freed due to time considered served in pre-trial detention.
The released members had complied with legal demands, including forfeiting luxury assets like BMWs and a significant sum of money.
In contrast, four other members who did not plead guilty received harsher sentences ranging from 4.5 to six years, demonstrating a discrepancy in sentencing based on plea decisions.
REvil, known for high-profile ransomware attacks including against US nuclear contractors and international businesses, was effectively dismantled in a joint FBI-led operation in 2021.
While convictions continue in Russia, extradition efforts by the US have seen limited success, notably with the extradition and sentencing of a Ukrainian REvil member in the US.
The case highlights ongoing international efforts and challenges in managing cybercrime and the varied outcomes based on judicial and geopolitical dynamics. | Details |
| 2025-06-24 11:03:29 | thehackernews | MISCELLANEOUS | Expert Insights on Implementing Continuous Threat Exposure Management | Cybersecurity leaders from diverse sectors discussed the challenges of implementing Continuous Threat Exposure Management (CTEM) at the Xposure Summit 2025.
Key strategies include starting with asset inventory and identity management, and validating internal and external-facing assets frequently to adapt to rapidly changing environments.
The discussion highlighted the importance of converting cybersecurity issues into risk management language that boards and regulators can understand.
Success in CTEM is measured not by counting vulnerabilities but by the reduction of exploitable attack paths and effectively conveying risk levels to company leadership.
The panel emphasized the difference between traditional vulnerability management and CTEM, focusing on real-world threat simulations and testing defense mechanisms beyond mere patching.
The conversation also touched on the necessity of threat intelligence as a backbone for security testing programs, emphasizing understanding and simulating adversary tactics, techniques, and procedures (TTPs).
Frequent validation of security measures is crucial, with weekly checks for internal assets and daily for external ones, to maintain control over security environments continuously. | Details |
| 2025-06-24 09:57:37 | thehackernews | CYBERCRIME | Hackers Use Misconfigured Docker APIs for Cryptocurrency Mining | Hackers are targeting misconfigured Docker APIs to infiltrate containerized environments and deploy cryptocurrency miners, exploiting Tor for anonymity.
The attack commences by probing vulnerable systems to list or create Docker containers, utilizing the "alpine" Docker image and mounting crucial directories.
This setup allows attackers to execute a Base64-encoded script to install Tor, enabling them to mask their activities and fetch remote scripts from a .onion domain.
Post-installation, attackers modify SSH configurations and insert their SSH key to facilitate unauthorized access, enhancing their control over the host system.
Additional tools such as masscan, libpcap, zstd, and torsocks are installed by the attackers for further actions and communication with their C&C server.
The final payload includes the XMRig miner, set up with specific configurations and wallet addresses, primarily targeting the technology, finance, and healthcare sectors.
Trend Micro's research signals an ongoing trend where attackers exploit vulnerabilities in cloud environments for cryptojacking operations. | Details |
| 2025-06-24 09:24:19 | thehackernews | MISCELLANEOUS | U.S. House Prohibits WhatsApp Use on Government Devices | The U.S. House of Representatives has banned the use of WhatsApp on all government-issued devices among congressional staff due to security and data protection concerns.
This decision follows reports by the House Chief Administrative Officer (CAO) labeling WhatsApp as a "high-risk" application due to its inadequate data protection practices, including a lack of transparency and absence of stored data encryption.
WhatsApp, owned by Meta, has countered these allegations, asserting that its platform ensures end-to-end encryption on all messages and provides a high level of security.
Meta's Communication Director, Andy Stone, expressed strong disagreement with the CAO's claims and highlighted the widespread use of WhatsApp by congressional members and staff.
The CAO suggested alternative communication apps deemed more secure, such as Microsoft Teams, Amazon's Wickr, Signal, and Apple's iMessage and FaceTime.
The prohibition of WhatsApp follows recent bans on other apps like TikTok, OpenAI ChatGPT, and DeepSeek by the House.
WhatsApp has also been in the news for integrating advertisements into its platform, a move that the company asserts does not compromise user privacy. | Details |
| 2025-06-24 09:14:44 | thehackernews | NATION STATE ACTIVITY | APT28 Targets Ukraine with BEARDSHELL, COVENANT Malware Via Signal | CERT-UA disclosed a campaign by Russian-linked APT28 using Signal chat to deliver malware in Ukraine.
Two new malware types, BEARDSHELL and COVENANT, were identified, employing techniques like downloading and executing PowerShell scripts.
BEARDSHELL was first spotted in March-April 2024 in a Windows system, initially without clear infection vectors.
Traces of unauthorized access were later linked to a "gov.ua" email and exploitation of XSS vulnerabilities in webmail software.
The malware distribution method involves a macro-laced Word document dropped through Signal, triggering payloads and registry modifications once opened.
The COVENANT framework downloads additional payloads to launch the BEARDSHELL backdoor.
CERT-UA has advised monitoring network traffic related to specified malicious domains to mitigate risks, highlighting targeted attacks on outdated webmail applications. | Details |
| 2025-06-24 06:35:21 | theregister | MISCELLANEOUS | Psylo Browser Enhances Privacy by Unique Digital Fingerprinting | Psylo, a new private browser, aims to enhance user privacy by isolating each browser tab with unique IP addresses and anti-fingerprinting measures.
Developed by Mysk, a Canada-based software firm, Psylo uses WebKit to ensure that each tab operates in a separate "silo," making it challenging for marketers to track users.
The browser includes features like canvas randomization and per-silo adjustment of the browser's time zone and language to guard against tracking.
It uses the Mysk Private Proxy Network to anonymize user IP addresses, and does not store any personally identifiable information or browsing data.
Psylo's release coincides with a new report highlighting the extensive use of browser fingerprinting for ad tracking, despite privacy regulations like GDPR.
Psylo offers encrypted TLS communications and blocks plain-text HTTP traffic, making it more secure than typical VPN solutions.
Available on iOS and iPadOS, Psylo could expand to Android based on user reception; it's currently priced at $9.99 per month or $99 annually. | Details |
| 2025-06-24 03:06:36 | thehackernews | NATION STATE ACTIVITY | China-Linked Cyber Espionage Targets Canadian Telecom via Cisco Flaw | The China-linked Salt Typhoon exploited a critical vulnerability in Cisco IOS XE software, CVE-2023-20198, to infiltrate a major Canadian telecommunications provider.
Salt Typhoon's activities involved modifying network configuration files to create a GRE tunnel for collecting traffic, indicating espionage intent.
The cyberattacks by Salt Typhoon have raised concerns beyond the telecommunications sector, potentially affecting multiple networks and leveraging further devices.
The U.S. FBI and Canadian Centre for Cyber Security issued advisories highlighting the threat of Salt Typhoon targeting telecommunications networks as part of an espionage campaign.
Investigations revealed that similar methods and vulnerabilities were used by Chinese state-sponsored actors to infiltrate telecom and internet firms in the U.S., South Africa, and Italy.
The U.K. NCSC also reported the discovery of two malware families, SHOE RACK and UMBRELLA STAND, targeting Fortinet devices, with some links to Chinese threat actors.
These incidents underscore the ongoing threat posed by state-sponsored cyber activities targeting critical infrastructure for espionage and data exfiltration purposes. | Details |