Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11832
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-04-20 17:39:08 | bleepingcomputer | CYBERCRIME | Hackers Exploit Google OAuth in Sophisticated Phishing Scheme | Hackers conducted a phishing attack by misusing Google’s OAuth to send emails seemingly from Google’s own no-reply address. The phishing email passed DomainKeys Identified Mail (DKIM) authentication, so it appeared legitimate, but it redirected recipients to a fraudulent Google account login page. Nick Johnson, ENS lead developer, identified the scam after noticing that the support link pointed to a sites.google.com URL rather than the official Google account page. The attackers used a clever ruse involving a registered domain, a Google Workspace account, and an application whose name was a deceptive message padded with whitespace to hide its true intent. Because the email carried a valid Google DKIM signature, it could be forwarded from the attacker’s address to potential victims while still passing typical email security checks. Similar phishing tactics were also attempted using PayPal accounts, abusing the platform’s gift address feature to pass security verification. Google has acknowledged the vulnerability after an initial dismissal and is working on a fix, while PayPal has not responded to inquiries. | Details |
| 2025-04-20 14:20:20 | bleepingcomputer | NATION STATE ACTIVITY | State-Sponsored Hackers Employ ClickFix in Espionage Attacks | ClickFix is a social engineering tactic in which threat actors mimic legitimate platforms and use deceptive error messages and "Fix" buttons to get the victim to execute malware. Kimsuky, MuddyWater, APT28, and UNK_RemoteRogue (APT groups from North Korea, Iran, and Russia) have adopted ClickFix in recent espionage efforts. These attacks primarily used phishing or malvertising to lead targets to malicious sites, tricking them into manually executing harmful scripts. Notable incidents include MuddyWater targeting Middle Eastern organizations with fake Microsoft security updates and Kimsuky deceiving think tank members with emails posing as diplomatic correspondence from Japan. The Russian group UNK_RemoteRogue targeted two firms linked to a major arms manufacturer with spoofed emails and a fake Microsoft Word interface to deploy JavaScript- and PowerShell-based backdoors. APT28 impersonated Google Spreadsheet and reCAPTCHA interfaces to gain unauthorized remote access and control via custom SSH tunnels and Metasploit. General advice against such threats is to never run unsolicited commands, especially with administrator privileges, as doing so can lead to malware infection and unauthorized system access. Proofpoint and Microsoft's Threat Intelligence teams are actively monitoring these campaigns, highlighting the continued prevalence and success of ClickFix among nation-state actors. | Details |
| 2025-04-20 05:05:13 | thehackernews | NATION STATE ACTIVITY | APT29 Targets European Diplomats Using Sophisticated Malware | APT29, a Russian state-sponsored threat actor, employs GRAPELOADER malware in phishing attacks aimed at European diplomatic entities. The campaign leverages wine-tasting event lures, sending malware-infected email attachments to diplomatic personnel. GRAPELOADER functions as an initial-stage tool for fingerprinting and delivering payloads, evolving from previous malware with enhanced anti-analysis capabilities. WINELOADER, an associated malware family used in later stages, was also observed in the campaign, delivered via sophisticated DLL side-loading techniques. The attacks focus primarily on Ministries of Foreign Affairs in various European countries and possibly target diplomats in the Middle East. GRAPELOADER maintains persistent access to infected systems by modifying the Windows Registry so that the malware launches at system reboot. The campaign's discovery correlates with heightened Russian cyber operations across Europe. | Details |
| 2025-04-19 22:04:36 | bleepingcomputer | MISCELLANEOUS | Widespread Account Lockouts Due to Microsoft Security Tool Glitch | Widespread account lockouts occurred across various organizations following the rollout of a new security feature in Microsoft Entra ID. Microsoft Entra ID's "MACE Credential Revocation" app, intended to detect leaked credentials, mistakenly locked users out. Administrators reported on Reddit that about a third of their accounts were affected, with the affected accounts showing no prior signs of compromise. The lockouts were triggered by false-positive credential-leak detections; the leak notifications were not corroborated by services such as Have I Been Pwned. An engineer attributed the issue to an error in the conditional access policy caused by the MACE application's abrupt rollout. Microsoft has not publicly acknowledged the specific cause of the problem. Some admins were reassured after discussions with Microsoft support that the lockouts were due to a technical error rather than actual security breaches. An MDR provider reported a high volume of false leak notifications affecting numerous customer accounts. | Details |
| 2025-04-19 15:18:04 | thehackernews | MALWARE | Malicious npm Packages Plant SSH Backdoors via Fake Library | Cybersecurity researchers at Socket discovered three malicious npm packages pretending to be a popular Node.js Telegram bot API. These rogue packages, created to mimic 'node-telegram-bot-api', contain SSH backdoors and data exfiltration capabilities. The packages use a deceitful method known as 'starjacking' to boost perceived authenticity and trick developers into downloading them. Once installed, the malicious packages add SSH keys to Linux systems, giving attackers persistent, unauthorized remote access. In addition to inserting the SSH backdoor, the scripts exfiltrate system usernames and IP addresses and maintain contact with a C2 server. The impacted packages are still available for download, posing an ongoing threat to unsuspecting users. Removing the malicious packages does not fully mitigate the risk, because the added SSH keys persist. | Details |
| 2025-04-19 15:18:04 | bleepingcomputer | MALWARE | SuperCard X Malware Targets NFC Payments via Android Devices | SuperCard X is a malware-as-a-service (MaaS) targeting Android through NFC relay attacks that exploit stolen payment card data. The malware is linked to Chinese-speaking cybercriminals and integrates techniques from NFCGate and its derivative, NGate. Distributed through Telegram, SuperCard X allows attackers to conduct fraudulent transactions at point-of-sale terminals and ATMs. Scams start with a fake message urging the victim to install a malicious "security" app, which then reads NFC payment data when a card is tapped on the phone. The malware remains undetected by antivirus tools on VirusTotal and avoids detection through minimal permission requests and the absence of aggressive features. Payment data is transmitted to the attackers over mutual TLS, enabling them to emulate the victim's card for small, seemingly legitimate transactions. Despite its evasion techniques, no apps containing SuperCard X have been found on Google Play, according to Google's response citing the protection measures of Google Play Protect. | Details |
| 2025-04-19 14:10:25 | bleepingcomputer | MALWARE | Public Exploits Available for Critical Erlang/OTP SSH Flaw | Public exploits have been released for a critical SSH vulnerability in Erlang/OTP that enables remote code execution by unauthenticated attackers. The vulnerability, tracked as CVE-2025-32433 and recently disclosed by researchers at Ruhr University Bochum, affects all devices running the affected Erlang/OTP SSH daemon. The Erlang/OTP platform is notably used in telecommunications, databases, and high-availability systems, which complicates immediate updates. Researchers and groups such as Zero Day Initiative and Horizon3 have developed functional exploits, highlighting the ease of exploitation. PoC exploits are circulating publicly on platforms like GitHub and Pastebin, raising the urgency for protective measures. The heavy use of the SSH protocol in critical infrastructure makes this vulnerability particularly alarming, with potential targeting by nation state actors. Over 600,000 IP addresses are possibly affected, many of them CouchDB instances running on Erlang/OTP. Immediate patching of affected systems is recommended to mitigate the threat posed by widespread exploit availability. | Details |
| 2025-04-19 13:11:32 | theregister | MISCELLANEOUS | Widespread Pranks on US Crosswalks Utilize AI-Spoofed Billionaire Voices | Crosswalk buttons in various US cities were hacked to emit AI-generated voices of well-known billionaires like Jeff Bezos, Elon Musk, and Mark Zuckerberg. The audio messages, which included parodies and social commentary, caused disruptions, especially for visually impaired pedestrians who rely on the standard audio cues. Simple, poorly secured access via a freely available mobile app allowed unauthorized users to manipulate the crosswalk systems. The default passcode, "1234," had widely been left unchanged, making the systems susceptible to such pranks. Following the incidents, the mobile configuration app was removed from public app stores to prevent further unauthorized access. Cities are working to enhance security measures and are changing default PINs to safeguard the crosswalk systems against future exploits. The manufacturer, Polara, clarified that its system's network was not compromised, but unauthorized access was indeed gained using default or valid credentials. These pranks have highlighted the vulnerabilities associated with using default credentials in production environments and brought attention to potential cybersecurity oversights in public infrastructure. | Details |
| 2025-04-19 08:54:33 | thehackernews | MALWARE | ASUS Routers Vulnerable to Attacks, Company Releases Fix | ASUS has reported a critical security flaw in routers with AiCloud capability, identified as CVE-2025-2492. The vulnerability has a high severity with a CVSS score of 9.2, allowing remote unauthorized function execution through crafted requests. Users are strongly urged to update their router firmware to the latest version to mitigate risks associated with this security flaw. ASUS advises strengthening security by using distinct, robust passwords for different devices and services, avoiding consecutive sequences. The company also recommends disabling AiCloud and related services that are internet-facing if firmware updates are not feasible or if devices are at end-of-life. Additional precautionary measures include disabling remote access features, such as DDNS, VPN, DMZ, and port forwarding. | Details |
| 2025-04-18 19:11:38 | theregister | DATA BREACH | House Democrats Concerned Over AI's Misuse of Federal Data | A group of 48 House Democrats expressed concerns about the potential security risks of using unapproved AI systems to manage federal data, highlighting the use of Elon Musk's Grok-2 AI model. Led by Representatives Don Beyer, Mike Levin, and Melanie Stansbury, the group criticized the Department of Government Efficiency (DOGE) for potentially violating federal laws and OMB AI directives. Concerns were raised about AI-assisted inefficiencies and privacy breaches involving sensitive information, including government employee details and financial data. Instances of conflict of interest were noted, such as a dual-role White House aide using a SpaceX-hosted AI to analyze governmental operations. The Democrats' letter to the OMB insisted on halting the use of all non-compliant AI technologies and strictly adhering to existing legal standards. Rep. Gerald Connolly has also taken action, sending letters to federal agencies to investigate DOGE's adherence to the Privacy Act, the Federal Information Security Management Act, and the E-Government Act. The letter ended with a series of pointed questions about the specific AI models and their applications within DOGE, reflecting ongoing scrutiny and potential for further legislative action. | Details |
| 2025-04-18 17:50:07 | bleepingcomputer | MALWARE | Interlock Ransomware Gang Exploits Fake IT Tools for Network Breaches | The Interlock ransomware gang has adopted ClickFix attacks to impersonate IT tools and deploy ransomware, starting January 2025. ClickFix attacks involve deceiving victims into running harmful PowerShell commands that install malware under the guise of fixing an error or authentication. Initially, Interlock used fake updates for browsers and VPN clients to infiltrate systems but has now switched to using fake CAPTCHA prompts on websites mimicking legitimate IT resources. The malware payload includes multiple malicious tools such as LummaStealer, BerserkStealer, keyloggers, and a configurable Interlock RAT (Remote Access Trojan). Following initial system compromise, the attackers employ stolen credentials to move laterally across the network, using methods like RDP and various remote access tools. Before executing the ransomware, the attackers exfiltrate valuable data via Azure Blobs, setting the stage for demanding ransom payments. Sekoia's investigation highlights the evolving nature of the ransom note, which focuses on legal consequences and regulatory implications if the breach is disclosed. Interlock’s operations have demonstrated the growing sophistication and variation in ransomware attack vectors, indicating a broader trend among cybercriminal gangs and state-sponsored groups, including North Korea's Lazarus Group. | Details |
| 2025-04-18 16:33:38 | theregister | DATA BREACH | CISA Alerts on Oracle Cloud Infrastructure Security Breach | CISA issued an alert regarding a data theft from Oracle’s public cloud infrastructure, urging Oracle users to enhance security measures. Oracle initially denied the breach but later acknowledged that customer data was stolen due to unpatched "obsolete" login servers. The stolen data may include emails, passwords, authentication tokens, and encryption keys, posing significant risks. Recommended actions include resetting passwords, monitoring authentication logs, and enforcing multi-factor authentication. The extent of the breach and its impact are still not fully determined, according to CISA. Oracle faces a lawsuit in Texas for not alerting affected users in a timely fashion about the breach. Oracle has not provided additional comments beyond its initial downplayed notification to affected customers. | Details |
| 2025-04-18 16:26:26 | bleepingcomputer | CYBERCRIME | FBI Alerts on Scammers Impersonating IC3 to Exploit Fraud Victims | The FBI reports an increase in scammers posing as employees of the FBI's Internet Crime Complaint Center (IC3), targeting individuals who have previously been defrauded. Over 100 incidents involving this scam were reported between December 2023 and February 2025, with victims initially contacted through various methods including email, phone calls, and social media. Scammers, frequently creating fake female personas on social networks, infiltrate groups meant for fraud victims, deceitfully positioning themselves as victims too. The scammers encourage victims to contact a fictitious IC3 Chief Director, "Jaime Quin," through Telegram to assist in recovering their lost funds. Once contact is established, "Quin" claims to have retrieved the lost funds but uses this narrative as a façade to access victims’ financial information and exploit them further. The FBI emphasizes that genuine IC3 employees will never contact victims directly nor request payment in exchange for recovering stolen funds. The public is advised to safeguard personal information and scrutinize the legitimacy of individuals or entities offering fund recovery services. | Details |
| 2025-04-18 16:11:27 | bleepingcomputer | CYBERCRIME | ASUS Alerts on Critical Authentication Bypass in AiCloud Routers | ASUS has identified a critical authentication bypass flaw in routers with AiCloud, tracked as CVE-2025-2492 with a CVSS v4 score of 9.2. The vulnerability allows remote attackers to execute unauthorized functions on the device without needing authentication. AiCloud, a feature in ASUS routers, transforms these devices into private cloud servers, enabling remote file access, media streaming, and file syncing. The security flaw affects a wide range of router models, and ASUS has released firmware updates for multiple series including 3.0.0.4_382, 3.0.0.4_386, 3.0.0.4_388, and 3.0.0.6_102. Users are urged to update their firmware through the ASUS support portal or product finder page to mitigate risks. Additional security recommendations include using unique, complex passwords for wireless networks and router administration. End-of-life products impacted by the flaw should disable AiCloud and related internet access services to enhance security. No active exploitation or public exploits are reported yet, but the vulnerability could potentially be used for malware distribution or for incorporating devices into DDoS attacks. | Details |
| 2025-04-18 15:21:20 | thehackernews | CYBERCRIME | Chinese Smishing Kit Fuels Toll Fraud SMS Phishing in U.S. | Cybersecurity experts have identified an extensive SMS phishing (smishing) campaign exploiting toll road users across eight U.S. states for financial gain. The campaign uses a smishing kit created by a person known as "Wang Duo Yu," marketed as part of a China-based service called Lighthouse. Fraudulent messages mimic U.S. toll collection systems like E-ZPass, directing victims to enter personal details on spoofed websites. Victims are deceived into enabling links via SMS, then face a fake CAPTCHA followed by requests for financial information on counterfeit payment pages. Analysis reveals that the smishing kit's affiliations extend to a group termed Smishing Triad, which conducts large-scale international scams involving postal service impersonation. The smishing kits are not only used for theft but also come with a "double theft" feature in which stolen credit/debit card information is exfiltrated back to the kit's creators. There is growing concern as Wang Duo Yu’s kits are now targeting banks and financial institutions in the Asia-Pacific region, escalating global cybersecurity risks. The campaign's scale and complexity, supported by a vast infrastructure and human resources, challenge effective preventive measures by tech giants like Apple and Google. | Details |