Daily Brief

2025-04-17 16:58:18 bleepingcomputer MALWARE Malware-Laden Chrome Extensions Affecting Six Million Users
A total of 57 Chrome extensions were found carrying tracking code, affecting over 6 million users. Discovered by John Tuckner of Secure Annex, these extensions have the capability to monitor user browsing, access cookies, and execute remote scripts. These 'hidden' extensions do not appear in Chrome Web Store searches and can only be installed via direct URL. Despite claims of providing ad-blocking and privacy services, the extensions request overly broad permissions, posing significant privacy risks. Tuckner's investigation highlighted potential spyware characteristics due to their obfuscated code and hidden functionalities. Following Tuckner's report, several extensions have been removed from the Chrome Web Store, yet some remain. Google has acknowledged the issue and is conducting an investigation into these risky extensions. Users of these extensions are advised to remove them immediately and reset passwords as a precaution.
2025-04-17 15:24:16 thehackernews NATION STATE ACTIVITY Mustang Panda Updates Malware, Targets Myanmar Organization
China-linked Mustang Panda has launched a sophisticated cyberattack on an organization in Myanmar using advanced malware tools. The updated malware includes a new backdoor named TONESHELL, lateral movement tool StarProxy, and keyloggers PAKLOG and CorKLOG. TONESHELL has enhanced capabilities in command-and-control communication and client identifier management. StarProxy, which uses DLL side-loading, facilitates encrypted traffic proxying between infected devices and command-and-control servers. Newly implemented keyloggers capture and store keystroke and clipboard data, lacking independent data exfiltration functionalities. SplatCloak, a new EDR evasion tool, helps the malware evade detection from security systems like Windows Defender and Kaspersky. These updates signify Mustang Panda's ongoing efforts to refine their techniques and maintain operational security for prolonged effectiveness in their cyber espionage activities. Concurrently, another China-nexus cyber espionage group, UNC5221, has been updating their BRICKSTORM malware targeting Windows environments in Europe.
2025-04-17 14:52:04 bleepingcomputer DATA BREACH Ahold Delhaize Confirms Data Theft by Ransomware Group INC
Ahold Delhaize, a major food retail company, affirmed data theft from its U.S. systems following a cybersecurity incident in November 2024. The incident led to certain files being extracted from some of the company's internal U.S. business systems, as confirmed by a company spokesperson. Following the cyberattack, Ahold Delhaize took several of its IT systems offline to prevent further damage, affecting some U.S. brands, pharmacies, and e-commerce operations. The ransomware group INC Ransom claimed responsibility for the attack, posting evidence of the data theft on a dark web extortion site. Although the details of stolen information are still under investigation, Ahold Delhaize pledged to notify affected individuals if personal data was compromised. Law enforcement has been updated about the situation, and the company continues to keep all its stores and online services operational. The ongoing investigation is part of broader efforts to understand the scope of the incident and secure affected systems.
2025-04-17 14:05:15 bleepingcomputer CYBERCRIME Global Spike in SMS Phishing Scams Targets Financial Data
CTM360 reports a significant increase in SMS-based phishing via PointyPhish and TollShark campaigns, focusing on false reward claims and fake toll charges. PointyPhish involves over 3,000 domains, using urgency of expiring rewards to direct victims to malicious sites where payment details are stolen. TollShark uses more than 2,000 domains banking on fears of unpaid tolls to gather personal information. Both campaigns utilize Darcula Suite, a Phishing-as-a-Service (PhaaS) platform, to quickly create and scale phishing operations globally. These scams impact a wide geographical area and target customers of various brands on a large scale, ensuring a broad capture of sensitive financial data. Darcula Suite supports advanced features like multi-channel SMS delivery to enhance the efficacy and reach of these phishing attacks. CTM360 identified an escalation of related phishing activity, including over 16,000 impersonation sites aligned with various malware variants.
2025-04-17 11:36:58 thehackernews NATION STATE ACTIVITY State Hackers Employ ClickFix in Global Malware Campaigns
State-sponsored hacking groups from Iran, North Korea, and Russia utilized the ClickFix technique for malware deployment over recent months. ClickFix, a social engineering tactic originally used by cybercriminals, manipulates users into executing malicious commands under the pretext of solving an issue or completing verification. Notable hacking clusters such as TA427 (Kimsuky), TA450 (MuddyWater), and UNK_RemoteRogue (associated with Russia) have adopted ClickFix to improve their phishing campaigns and malware distribution. The deployment strategies include sending phishing emails that mimic credible entities, directing victims to attacker-controlled sites, and tricking them into installing malware like Quasar RAT or RMM software. Attacks targeted sectors like finance, government, health, education, and transportation, particularly focusing on geopolitical hotspots such as the UAE, Saudi Arabia, Canada, Germany, Switzerland, and the US. Proofpoint’s report highlights the evolution of the ClickFix technique from a niche method into a commonly used tool by nation-state actors, supporting espionage and data exfiltration efforts. The rapid adoption of ClickFix by multiple state-sponsored groups underscores the need for heightened awareness and improved cybersecurity measures against sophisticated social engineering attacks.
2025-04-17 11:28:25 thehackernews NATION STATE ACTIVITY Navigating Security Risks Amidst the Rise of Large Language Models
Large Language Models (LLMs) are advancing in both defensive and offensive cyber operations, influencing sectors like security technologies and cybercrime. AI-powered malware, though still in early stages as reflected in examples from MIT and IBM, showcases potential future threats. There has been a noted increase in the use of AI for offensive strategies, including scams and AI-facilitated attacks; a prominent instance involved a $25 million loss by Arup due to AI-based voice spoofing. Various nation-state actors, including those from China and Iran, are increasingly leveraging AI, such as generative AI chatbots, for malicious purposes such as disinformation campaigns and sophisticated spear-phishing attacks. The risks and costs of adopting LLMs in businesses are substantial and multifaceted, ranging from increased operational costs and security risks to ethical concerns and significant resource consumption. Security experts must remain vigilant and enhance traditional security practices to manage the new vulnerabilities introduced by LLMs, which expand potential attack surfaces considerably. Prompt injection vulnerabilities in GenAI applications have been identified as critical emerging threats, requiring ongoing attention and mitigation strategies to safeguard digital infrastructures.
2025-04-17 11:28:24 bleepingcomputer DATA BREACH CISA Issues Warning After Oracle Cloud Legacy Server Leak
CISA highlighted increased risks of breaches due to compromised Oracle Cloud legacy servers, warning about the exposure of sensitive credential material. Oracle confirmed the compromise involved "two obsolete servers," which did not affect current Cloud services or customer data directly. Leaked credential information included usernames, emails, passwords, authentication tokens, and encryption keys, posing a threat to enterprise environments. CISA advised implementing several security measures: resetting passwords, replacing hardcoded credentials, enforcing multi-factor authentication, and monitoring authentication logs. Oracle privately told clients that old client credentials were stolen from a legacy environment last active in 2017. Threat actors had posted data dated as recently as 2025 on hacking forums, indicating ongoing unauthorized access and data extraction. The breach of Oracle's servers involved a web shell and malware, with data stolen from the Oracle Identity Manager (IDM) database. A separate breach in January affected Oracle Health and led to the compromise of U.S. patient data across healthcare organizations and hospitals.
2025-04-17 10:52:31 theregister NATION STATE ACTIVITY British Army Tests Radio-Wave Weapon Against Drone Swarms
British soldiers successfully disabled drones using a Radiofrequency Directed Energy Weapon (RF DEW) that disrupts drones' electronics with high-frequency radio waves. The RF DEW system can engage airborne targets up to 1 km away and is particularly effective against multiple drone threats simultaneously due to its wide beam. According to the Ministry of Defence, the cost of operating this weapon is remarkably low, at just 10p per shot. The technology is part of a larger £40 million investment by the UK government in RF DEW research, aimed at further development for operational deployment. During trials, the RF DEW successfully tracked, engaged, and defeated over 100 drones, including handling two swarms in one go. Similar technologies, such as the US's THOR system, demonstrate international interest and investment in anti-drone warfare technologies. The weapon system is portable and can be mounted on a flatbed truck, making it a flexible solution for mobile operations.
2025-04-17 10:36:48 thehackernews MISCELLANEOUS Exploring Blockchain's Role in Enhancing Online Security and Identity
Blockchain technology is lauded for its potential to revolutionize online authentication, promising significant security benefits over traditional passwords. Utilizing cryptographic keys for identity verification could reduce risks associated with password vulnerabilities and safeguard against data breaches by eliminating centralized databases. Examples in real-world applications include R3 Corda in financial services for secure KYC processes and blockchain in healthcare for secure patient data exchange. Despite these advantages, blockchain technology faces challenges including high operational costs, scalability issues, legal and regulatory hurdles, and a general lack of understanding and interoperability. Blockchain promises a decentralized approach to data handling and security, possibly complementing existing security measures like multi-factor authentication. Traditional passwords retain advantages such as simplicity, universality, and ease of reset, suggesting that they will not become obsolete in the near future. Effective security strategies should integrate robust password policies with advanced solutions like blockchain to strengthen both user authentication and overall system security. The ongoing reliance on passwords underscores the importance of maintaining strong password security practices alongside exploring innovative technologies like blockchain.
2025-04-17 09:20:52 thehackernews MALWARE Critical Erlang/OTP SSH Flaw Enables Unauthenticated Code Execution
A dire security flaw was identified in Erlang/Open Telecom Platform (OTP) SSH, allowing potential unauthenticated arbitrary code execution. Designated CVE-2025-32433, the vulnerability received the highest severity rating (CVSS 10.0). Attackers can exploit the flaw by sending SSH protocol messages before authentication, leading to arbitrary code execution. If exploited, especially on systems where the daemon runs as root, attackers could fully control the device and manipulate or leak sensitive data. All users running Erlang/OTP SSH servers are affected; updating to OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20 is advised. Temporary protection can be achieved by restricting access to vulnerable SSH servers through firewall settings. The flaw is especially critical for high-availability systems and devices using Erlang, such as those manufactured by Cisco and Ericsson. Close attention and prompt action, including upgrades or access limitations, are necessary to mitigate risks associated with this vulnerability.
2025-04-17 09:03:18 thehackernews MALWARE Crypto Users Targeted by Node.js Malware in Fake Installers Scam
Microsoft has identified a malvertising campaign that uses Node.js to install malware via fake cryptocurrency trading software installers. The malware, delivered through a rogue installer, uses a dynamic-link library to gather system information and ensures persistence on the infected device by setting up scheduled tasks. The malicious code evades detection by adding exclusions in Microsoft Defender and initiates data theft by downloading additional payloads. Attackers mimic legitimate cryptocurrency trading platforms, like Binance and TradingView, to trick users into executing the malware. In one infection method, inline JavaScript is executed directly through a downloaded malicious Node.js binary, seeking out high-value network targets and disguising command-and-control (C2) traffic. The malware harvests detailed system, hardware, and application data, sending it back to the attackers in JSON format. Microsoft remarked on the ease with which Node.js allows the blending of malicious scripts with legitimate applications, complicating detection and enhancing persistence possibilities for attackers. Secondary attacks include phishing campaigns and social engineering tactics deploying other types of malware aimed at stealing sensitive data and conducting unauthorized financial transactions.
2025-04-17 08:55:52 bleepingcomputer CYBERCRIME SonicWall VPN Vulnerability Actively Exploited, CISA Warns
CISA has issued an alert about active exploitation of a high-severity SonicWall VPN flaw, CVE-2021-20035, affecting federal agencies. The vulnerability allows remote attackers with low privileges to execute arbitrary code on SMA 100 series appliances. Originally discovered and patched in September 2021, this flaw was initially thought to facilitate only DoS attacks but has since been found to allow code execution. SonicWall recently updated the security advisory, boosting the CVSS score to 7.2 due to its exploitation in targeted attacks. U.S. Federal Civilian Executive Branch (FCEB) agencies are mandated to patch their systems by May 7th, per the Binding Operational Directive 22-01. Although the directive only applies to federal agencies, all network defenders are urged to prioritize fixing this flaw to avoid potential breaches. This alert follows recent warnings from SonicWall about other actively exploited vulnerabilities in their firewall products, underscoring ongoing security challenges.
2025-04-17 05:49:32 thehackernews CYBERCRIME CISA Identifies Exploited Vulnerability in SonicWall SMA Devices
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in SonicWall SMA 100 Series to its KEV catalog due to active exploits. The vulnerability, known as CVE-2021-20035 with a CVSS score of 7.2, involves an operating system command injection that can lead to unauthorized code execution. Affected devices include SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v across various platforms such as ESX, KVM, AWS, and Azure. SonicWall issued an advisory in September 2021, describing the vulnerability as allowing remote authenticated attacks through improper neutralization in the SMA100 management interface. The flaw permits attackers to execute arbitrary commands as a 'nobody' user, escalating the potential for targeted code execution attacks. Details on the exact nature of the active exploitations remain undisclosed, but the threat is considered significant enough to warrant a required update by Federal Civilian Executive Branch agencies by May 7, 2025.
2025-04-17 03:40:23 thehackernews CYBERCRIME Apple Addresses iOS Flaws Exploited in Sophisticated Attacks
Apple has released security updates for iOS, iPadOS, macOS Sequoia, tvOS, and visionOS to patch two actively exploited vulnerabilities. The vulnerabilities, identified as CVE-2025-31200 and CVE-2025-31201, were fixed by improving bounds checking and removing vulnerable code sections respectively. These security flaws were exploited in highly sophisticated attacks targeting specific individuals, demonstrating advanced exploitation techniques. Google Threat Analysis Group (TAG) reported one of these vulnerabilities, highlighting the collaborative efforts in cybersecurity. Users of affected Apple devices are urged to update their systems immediately to protect against these security risks. This incident marks the fifth instance of zero-day vulnerabilities in Apple's software being actively exploited since the beginning of the year. Persistent cyber threats emphasize the ongoing need for vigilance and regular updates in the tech industry to safeguard user data and privacy.
2025-04-17 02:50:51 theregister NATION STATE ACTIVITY Whistleblower Exposes Unauthorized Data Handling at US Labor Agency
A whistleblower at the US National Labor Relations Board (NLRB), Dan Berulis, blew the whistle on questionable practices by the DOGE IT department at the agency. Berulis reported that DOGE staffers were improperly granted superuser access, allowing them to read, copy, and alter agency data. He observed gigabytes of data being exfiltrated and security controls being disabled, including changes to multi-factor authentication. A significant finding was login attempts from a Russian IP address to an account set up for a DOGE aide shortly after its creation. US-CERT was engaged to investigate but was subsequently instructed to halt all investigations and reporting on the matter. Following the public disclosure of these activities, Democratic lawmakers have called for investigations into DOGE's actions at the NLRB. The whistleblower's report raises serious concerns about data security and potential manipulation at a critical federal agency.