Daily Brief

Find articles below; each entry is followed by a generated summary

Total articles found: 11831

Checks for new stories every ~15 minutes

2025-04-22 14:12:12 thehackernews MALWARE Vulnerability in GCP Cloud Composer Allows Privilege Escalation
Cybersecurity researchers at Tenable identified a critical vulnerability in Google Cloud Platform's Cloud Composer service, nicknaming it ConfusedComposer. ConfusedComposer could let attackers with edit permissions on a Composer environment escalate to GCP's default Cloud Build service account, which carries high-level permissions. Attackers could exploit the vulnerability by injecting malicious Python Package Index (PyPI) packages into a Cloud Composer environment. This flaw demonstrates how interaction between cloud services can lead to inherited security issues, known as the "Jenga" effect. Successful exploitation would give attackers access to sensitive GCP services such as Cloud Storage and Artifact Registry, potentially leading to data theft or service disruption. Google has patched the vulnerability by changing how PyPI packages are installed, using the environment's own service account instead of the Cloud Build account. The update applies to existing Cloud Composer 2 environments and is already in place for new Cloud Composer 3 setups. This disclosure follows another recent vulnerability identified in Microsoft Azure and a bug in Microsoft Entra ID, highlighting ongoing security challenges in major cloud platforms.
2025-04-22 11:08:09 thehackernews MALWARE Rising Browser-Based Threats Challenge Traditional Security Measures
The web browser is now a primary endpoint in enterprise environments, heavily utilized but largely unmonitored. Over 70% of recent malware attacks originate from activities within browsers, exploiting their lack of visibility to security tools. Phishing attacks and malware can bypass conventional defenses like firewalls and endpoint detection by operating directly within the browser environment. Generative AI tools and third-party browser extensions are introducing new security vulnerabilities, often without clear boundaries or sufficient oversight. Traditional Data Loss Prevention (DLP) systems are inadequate for modern, browser-intensive workflows, failing to detect the nuanced data movement within applications. Shadow IT is proliferating through browsers as employees adopt unsanctioned SaaS applications and AI tools, significantly increasing enterprise security risks. The Keep Aware report highlights the urgent need for security strategies that incorporate browser-native visibility and control mechanisms to effectively protect enterprise data and operations.
2025-04-22 10:54:22 thehackernews CYBERCRIME Sophisticated Phishing Attack Exploits Google's Infrastructure
Threat actors orchestrated an advanced phishing scheme leveraging Google Sites and DKIM replay to bypass email security and harvest credentials. Emails, appearing legitimate and signed, misled recipients by directing them to a fraudulent Google Sites URL under the guise of legal subpoenas. The counterfeit Google Support page on this URL tricked users into entering their Google account information on a fake sign-in page. Attackers cleverly maintained the legitimacy of the emails by manipulating "Signed by" headers, despite having unrelated "Mailed by" headers. The phishing technique involved creating a Google OAuth application with deceptive permissions, making forwarded emails bypass security checks. Despite Google's efforts to mitigate such threats by updating security measures, the incident highlights ongoing vulnerabilities in email communication systems. Google recommends users bolster their security by adopting two-factor authentication and passkeys to defend against such phishing attacks. This attack points to a broader trend of increasing sophistication in phishing techniques, including misuse of various attachment formats like SVG.
2025-04-22 07:40:51 thehackernews NATION STATE ACTIVITY Microsoft Bolsters Security Post Storm-0558 Cyberattack
Microsoft has transitioned its Microsoft Account (MSA) and Entra ID signing services to Azure confidential virtual machines to improve security. This security upgrade responds to vulnerabilities exploited by the Storm-0558 China-based nation-state actor, which resulted in the breach of numerous companies. Since the attack, Microsoft has enhanced MSA and Entra ID with Azure Managed HSM service to rotate access token signing keys securely. Over 90% of Microsoft Entra ID identity tokens are now validated by a hardened identity SDK, and 92% of employee accounts use phishing-resistant MFA. The company is isolating production systems, enforcing two-year retention for security logs, and protecting production code branches with MFA protocols. A pilot project is ongoing to isolate customer support workflows into a dedicated tenant to further secure sensitive operations. These changes are part of the Secure Future Initiative (SFI), described by Microsoft as the largest cybersecurity engineering project in its history. This initiative followed a critical report by the U.S. Cyber Safety Review Board on Microsoft's security lapses, which facilitated the 2023 Storm-0558 attacks.
2025-04-22 04:30:44 thehackernews NATION STATE ACTIVITY Lotus Panda Targets SE Asian Entities with Advanced Malware
Lotus Panda, identified as a China-linked cyber espionage group, compromised various organizations in Southeast Asia from August 2024 to February 2025. The targeted entities included governmental ministries, air traffic control, a telecom operator, and a construction company, revealing a broad scope of interest. Symantec reported the use of novel customized tools, including loaders, credential stealers, and a reverse SSH tool, in these sophisticated attacks. Other targets spanned Southeast Asia, including a news agency and an air freight organization in neighboring countries. Previous disclosures link Lotus Panda to widespread campaigns targeting sectors such as government, manufacturing, telecommunications, and media across multiple Asian regions. The recent campaign used legitimate executables from known software vendors such as Trend Micro and Bitdefender to sideload malicious DLLs, facilitating further compromise. Advanced tools deployed in the operations included ChromeKatz and CredentialKatz for stealing browser credentials and a tool called Zrok for remote access, showing a high level of technical sophistication. This consistent pattern of cyber espionage highlights Lotus Panda's ongoing threat to national security and critical infrastructure in the region.
2025-04-22 02:25:32 theregister CYBERCRIME Exploited Bug Allowed Unauthorized SSL Certificate Issuance
A security flaw in SSL.com's domain validation system enabled the unauthorized issuance of digital certificates. The vulnerability was exploited by creating a DNS TXT record with a false contact email, tricking SSL.com into issuing certificates for domains not owned by the requester. SSL.com has since revoked 11 mistakenly issued certificates, including one for Alibaba's cloud domain, aliyun.com. The exploit was demonstrated by a researcher using the handle "Sec Reporter," who was able to obtain certificates for domains without proper authorization. SSL.com has disabled the faulty domain control validation (DCV) method and is working on a fix, with a full incident report due by May 2. The issued certificates could have been used for malicious purposes such as spoofing legitimate sites and conducting man-in-the-middle attacks. SSL.com is treating the incident with high priority and thanked the researcher for highlighting the critical vulnerability.
2025-04-21 20:34:12 theregister CYBERCRIME AI Rapidly Crafts Exploits from Publicly Disclosed Vulnerabilities
Generative AI models can now develop proof-of-concept (PoC) exploit code within hours of vulnerability disclosure, significantly reducing the time defenders have to react. Matthew Keely from ProDefense used AI to create a working exploit for a critical SSH library vulnerability in Erlang, leveraging code from a recently published patch. AI's use in cybersecurity isn't new; similar technologies have been used to identify and exploit vulnerabilities by analyzing descriptions and commit changes. The initial AI-generated exploit code required fixes, demonstrating that while AI can speed up the process, it may still need human intervention for complex tasks. The capability of AI to shorten the attack cycle underlines the necessity for faster and more automated responses in cybersecurity defenses. Enterprises are advised to assume that any vulnerability disclosure could be immediately exploited, necessitating readiness for swift response and patch implementation. The increased speed of threat propagation and exploitation calls for higher levels of coordination among defenders, emphasizing the need for enhanced security strategies in modern DevOps environments.
2025-04-21 17:47:06 theregister NATION STATE ACTIVITY Rapid Weaponization of Microsoft Flaw by Global Cyber Attackers
On March 11, Microsoft issued patches including a fix for CVE-2025-24054, which was rated as having low exploitability. Within just eight days, attackers had already weaponized the vulnerability to target entities in Poland and Romania. CVE-2025-24054 allows attackers to leak NTLM hash credentials, enabling them to impersonate users and access secured resources. Researchers identified that the initial attack vector was phishing emails containing a malicious Dropbox link to a ZIP file which, when opened, leaked NTLM hashes. The leaked credentials were sent to SMB servers controlled by attackers across multiple countries, including Russia and Bulgaria. Security company Check Point emphasized the importance of quick patch application to prevent such rapid exploitation by attackers. Apple also released patches for two zero-day exploits observed in targeted attacks, enhancing security for iOS and iPadOS devices.
2025-04-21 16:45:39 thehackernews NATION STATE ACTIVITY North Korean Hackers Exploit BlueKeep Flaw Targeting South Korea, Japan
North Korean state-sponsored group Kimsuky employed the BlueKeep RDP vulnerability (CVE-2019-0708) to infiltrate systems in South Korea and Japan. The campaign, named Larva-24005, utilized phishing attacks and malware such as MySpy and RDPWrap to maintain access and escalate privileges. Security patches for the exploited vulnerabilities, including the critical BlueKeep flaw, had been released by Microsoft as early as May 2019. Attackers installed keyloggers, including KimaLogger and RandomQuery, to monitor and capture victim keystrokes. Victims primarily included entities within the software, energy, and financial sectors, indicating a strategic selection of targets. The operation signals ongoing cybersecurity risks posed by state-sponsored actors in the geopolitical landscape of East Asia. This incident underscores the importance of timely system updates and comprehensive cybersecurity defenses against complex threat vectors.
2025-04-21 16:36:06 bleepingcomputer MISCELLANEOUS Microsoft Entra Lockout Triggered by Internal Token Logging Error
Microsoft recently confirmed that Entra account lockouts were due to improperly logged user refresh tokens. The issue started after a new enterprise application, "MACE Credential Revocation," was erroneously linked to the lockouts. Microsoft disclosed that it mistakenly logged actual account refresh tokens instead of just metadata, leading to unauthorized token invalidation. Alerts were triggered within Entra ID Protection, mistakenly indicating potential credential compromises. The mistaken logging and subsequent token invalidation occurred without any actual unauthorized access to the tokens. Affected users received instructions to mark their accounts as safe in Microsoft Entra to regain account access. Microsoft has rectified the internal logging error and plans to issue a Post Incident Review to all affected parties once their investigation is complete.
2025-04-21 15:16:57 thehackernews MALWARE SuperCard X Malware Targets NFC Payments for Fraudulent Withdrawals
SuperCard X, a new Android malware-as-a-service, enables NFC relay attacks to facilitate contactless fraud at ATMs and PoS terminals. Cybercriminals use social engineering, including smishing and deceptive calls, urging victims to install malicious applications masquerading as security tools. The malware captures payment card data by tricking victims into bringing their payment cards near their infected mobile devices. Harvested card details are relayed to a threat actor-controlled device, allowing unauthorized transactions through emulated cards. The scheme involves custom-built "Reader" apps on victims' devices and "Tapper" apps on attackers’ devices, coordinating via HTTP for command and control. Communication security is enhanced via mutual TLS, with affiliates creating tailored malware versions for specific campaigns. Google is developing Android features to block installations from unknown sources and disable permissions to enhance security against such threats. The campaign poses a significant financial risk, targeting not just banking institutions but also payment providers and card issuers directly.
2025-04-21 11:27:19 thehackernews MISCELLANEOUS Overcoming Device Management Limitations with Device Trust
Traditional device management tools such as MDM and EDR provide essential security but are not sufficient alone due to their inability to manage unenrolled devices and gaps in operating system coverage. Unmanaged devices like personal laptops and contractor devices pose significant security risks as they often bypass organizational security policies and remain out of the security purview, making them prime targets for attackers. Device trust offers a more comprehensive approach by ensuring visibility and security compliance across all devices, including those not managed by the organization, using a privacy-preserving authenticator. Integration issues between device management tools and access management systems can lead to security lapses; device trust addresses this by incorporating real-time device risk assessments into access decisions. Misconfigurations in device management tools can create security vulnerabilities; device trust can help ensure these tools are properly configured and integrated, enhancing overall security defenses. Device trust provides broader coverage across multiple operating systems, including those less commonly supported by traditional MDM and EDR tools, improving security for diverse organizational environments. Adopting a device trust framework allows organizations to enforce stricter compliance and security measures, effectively mitigating advanced threats and reducing the risk of data breaches.
2025-04-21 10:18:36 thehackernews CYBERCRIME Exploited Windows Flaw Among Top Cybersecurity Threats This Week
A recently identified Windows flaw, CVE-2025-24054, initially patched in a Microsoft update, has been actively exploited by threat actors to obtain NTLM password hashes. Attackers are leveraging vulnerabilities in products from ASUS and Microsoft Windows as well as various other platforms, including Apple iOS and macOS, highlighting the week's critical security weaknesses. High-profile malware campaigns targeting systems in Ukraine and Colombia were linked to the known hacking groups UAC-0194 and Blind Eagle. The article emphasizes the importance of timely software updates to mitigate risk, listing several newly discovered CVEs that pose potential threats to system security. Cybersecurity solutions are evolving to focus on zero trust architectures and AI-driven protection strategies to counter sophisticated AI-powered threats. Practical advice for individual cybersecurity hygiene includes using burner emails to manage spam and track data breaches effectively. General cybersecurity recommendations include staying vigilant about minor security settings and endpoint management to prevent accidental breaches. The narrative concludes by underscoring that many cybersecurity breaches stem not from forceful attacks but from the exploitation of overlooked or minor vulnerabilities.
2025-04-21 07:04:44 thehackernews MALWARE Russian Host Proton66 Linked to Global Malware and Phishing Campaigns
Cybersecurity researchers identified a spike in malicious activities from Proton66, a Russian bulletproof hosting service, targeting global organizations since January 8, 2025. Proton66 IP addresses were involved in mass scanning, credential brute-forcing, and exploitation attempts, with some IPs previously inactive or unseen in malicious contexts. Malicious actors utilized the Proton66 network to host command-and-control servers for malware families such as GootLoader and SpyNote, and orchestrate phishing operations. Compromised WordPress sites linked to Proton66 redirected Android users to fake Google Play pages, tricking them into downloading malicious APK files targeting French, Spanish, and Greek speakers. Trustwave's analysis detailed the deployment of malware like XWorm, StrelaStealer, and WeaXor ransomware via phishing emails and malicious downloads from Proton66-linked IPs. Proton66 connections were also established with Chang Way Technologies, a Hong Kong-based provider, suggesting wider network implications. Organizations are advised to block CIDR ranges associated with Proton66 and associated entities to mitigate the threats.
2025-04-20 17:39:08 bleepingcomputer CYBERCRIME Hackers Exploit Google OAuth in Sophisticated Phishing Scheme
Hackers conducted a phishing attack by misusing Google's OAuth to send emails seemingly from Google's own no-reply address. The phishing email passed DomainKeys Identified Mail (DKIM) authentication, appearing legitimate, but redirected recipients to a fraudulent Google account login page. Nick Johnson, ENS lead developer, identified the scam after noticing that the support link led to a sites.google.com URL rather than the official Google account page. The attackers used a ruse involving a registered domain, a Google Workspace account, and an application whose name was a deceptive message padded with whitespace to hide its true intent. The email, authenticated by Google due to its valid DKIM signature, was forwarded from the attacker's address to potential victims, effectively bypassing typical email security checks. Similar phishing tactics were also attempted using PayPal accounts by manipulating the platform's gift address feature to pass security verifications. Google has acknowledged the vulnerability after an initial dismissal and is currently working on a fix, while PayPal has not responded to inquiries.