Daily Brief
Find articles below; see 'Details' for generated summaries
Total articles found: 11834
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-04-17 02:50:51 | theregister | NATION STATE ACTIVITY | Whistleblower Exposes Unauthorized Data Handling at US Labor Agency | Dan Berulis, a whistleblower at the US National Labor Relations Board (NLRB), blew the whistle on questionable practices by the DOGE IT department at the agency. Berulis reported that DOGE staffers were improperly granted superuser access, allowing them to read, copy, and alter agency data. He observed gigabytes of data being exfiltrated and security protections being disabled, including changes to multi-factor authentication. A significant finding was login attempts from a Russian IP address to an account set up for a DOGE aide shortly after its creation. US-CERT was engaged to investigate but was subsequently instructed to halt all investigation and reporting on the matter. Following the public disclosure of these activities, Democratic lawmakers have called for investigations into DOGE's actions at the NLRB. The whistleblower's report raises serious concerns about data security and potential manipulation at a critical federal agency. | Details |
| 2025-04-16 21:17:59 | theregister | MISCELLANEOUS | Microsoft's Recent Updates Cause Windows 11 Crashes | Microsoft's latest updates for Windows 11 24H2 have triggered blue screen crashes after installation and reboot. The problematic updates are the April cumulative update KB5055523 and the March preview update KB5053656, both causing severe operational disruptions. Users have experienced a blue screen with error code 0x18B, which signifies a SECURE_KERNEL_ERROR. No comprehensive fix has been provided yet; Microsoft has implemented a temporary workaround through a Known Issue Rollback (KIR). The KIR mechanism, introduced in 2021, allows Microsoft to retract faulty updates silently and automatically on personal and unmanaged devices, generally within 24 hours. IT departments managing affected systems must manually install a Group Policy .msi file to apply the rollback, which requires a system restart to take effect. Microsoft is currently preoccupied with integrating Copilot into its services, possibly deprioritizing the resolution of existing technical issues, including long-standing bugs in OneDrive synchronization. | Details |
| 2025-04-16 21:09:04 | theregister | DATA BREACH | CIA Chief's Phone Wipes Sensitive Signal Chat, Legal Issues Ensue | CIA Director John Ratcliffe's Signal chats regarding a secret military operation were almost entirely deleted from his smartphone. A court order to preserve the chat, named Signalgate, was issued amid accusations of violating federal record-keeping rules by using auto-deleting messages. The only remnants found on Ratcliffe's phone were the group's name and some member profiles, lacking substantive message content. These chats included highly sensitive information about an imminent military strike in Yemen, which was mistakenly shared with a journalist. American Oversight, a watchdog, claims the Trump administration systematically destroyed evidence, potentially breaching the Federal Records Act. Various government agencies were faster than the CIA in complying with the court's order to preserve these communications. The incident raises significant concerns about the transparency, accountability, and security practices of government officials handling classified information. The use of personal accounts and unsecured apps for discussing classified operations points to a disregard for established protocols and security measures. | Details |
| 2025-04-16 20:51:45 | bleepingcomputer | CYBERCRIME | Over 16,000 Fortinet Devices Compromised by Symlink Backdoor | Over 16,000 Fortinet devices were found compromised with a symlink backdoor that enables read-only access to sensitive files. The issue was identified and reported by The Shadowserver Foundation, which noted an increase from 14,000 to 16,620 affected devices. Fortinet had earlier alerted customers about the new persistence mechanism attackers use to maintain remote access on FortiGate devices, even after the original vulnerabilities were patched. Attackers used zero-day vulnerabilities to initially compromise the devices and then planted symbolic links in the language files folder. These links provided ongoing access to the root filesystem of SSL-VPN-enabled devices, even after the vulnerabilities were addressed in new FortiOS versions. Fortinet has informed affected customers by email and released an updated AV/IPS signature to remove the malicious links and prevent similar future exploitation. Customers are advised to reset all credentials and follow the recommended security measures to protect against potential information breaches resulting from this exposure. | Details |
| 2025-04-16 19:06:48 | theregister | MISCELLANEOUS | Enhancing Cybersecurity Through Adversarial Exposure Validation | Security teams are overwhelmed by the sheer volume of security alerts and vulnerabilities, making it difficult to distinguish serious threats from less significant ones. True resilience in cybersecurity is not about addressing every vulnerability but about focusing on those that are genuinely exploitable and pose real-world risk. Adversarial Exposure Validation offers a structured approach by mimicking real attacker behaviors to identify and prioritize the most significant exposures. This method not only tests vulnerabilities for exploitability but also evaluates the contextual risk they pose, moving beyond simplistic severity scores. Tools such as Breach and Attack Simulation (BAS) and Automated Penetration Testing are critical, as they simulate real-world attack scenarios to discover actionable vulnerabilities. Consistent use of these tools helps organizations move from periodic vulnerability assessment to continuous, proactive security improvement. Adversarial Exposure Validation is essential for modern security operations, shifting from reactive measures to proactive risk management and aligning defensive strategies more closely with the actual threat landscape. Security practitioners are encouraged to consult resources such as the comparison whitepaper on Breach and Attack Simulation versus Automated Penetration Testing to choose the most suitable tools for their needs. | Details |
| 2025-04-16 18:13:35 | bleepingcomputer | CYBERCRIME | Apple Patches Zero-Days Exploited in Sophisticated iPhone Attacks | Apple released emergency updates for two zero-day vulnerabilities found in several of its operating systems, including iOS and macOS. The vulnerabilities, identified as CVE-2025-31200 and CVE-2025-31201, were used in highly sophisticated, targeted attacks on specific individuals. CVE-2025-31200 allows remote code execution via a maliciously crafted media file affecting CoreAudio and was discovered jointly by Apple and Google's Threat Analysis team. CVE-2025-31201 involves a security bypass in RPAC that undermines Pointer Authentication, a feature that defends against memory-corruption exploits. Apple promptly issued fixes for these vulnerabilities in iOS 18.4.1, iPadOS 18.4.1, and updates for the other affected systems. These flaws affect a broad range of devices, both new and old, underlining the need for all users to update their devices swiftly. This patch continues Apple's effort to mitigate zero-day exploits, with five such fixes already released this year. | Details |
| 2025-04-16 17:01:45 | theregister | MISCELLANEOUS | U.S. Government Extends Funding for CVE Program at Last Minute | The U.S. government secured funding for the CVE (Common Vulnerabilities and Exposures) Program just before the existing contract was set to expire. The funding extension prevents any interruption in CVE services, which are crucial globally for identifying and managing security vulnerabilities in technology products. MITRE, the nonprofit that has been managing the CVE database, disclosed uncertainty about continued federal support, prompting concern about the program's future. In response, CVE board members announced plans to establish the CVE Foundation to maintain the program's independence and sustainability without sole reliance on federal funding. The newly formed CVE Foundation aims to address weaknesses in the vulnerability management ecosystem by reinforcing the program's global trust and community-driven approach. Despite the funding extension by CISA, there are ongoing discussions and concerns within the cybersecurity community about the need for a more globally collaborative approach to managing vulnerabilities. The situation has exposed potential risks, such as split standards and reduced confidence in the CVE process, as highlighted by reactions from international agencies and vendors. | Details |
| 2025-04-16 16:19:59 | thehackernews | MALWARE | Researchers Reveal Privilege Escalation Flaws in Windows Scheduler | Cybersecurity researchers have identified four vulnerabilities in the Windows Task Scheduler that enable privilege escalation and log deletion. The flaws, found in the binary "schtasks.exe," potentially allow local attackers to execute privileged commands and malicious payloads without user consent. One major vulnerability involves bypassing User Account Control to perform system-level operations covertly. Attackers could use known passwords—possibly obtained via credential cracking or other exploits—to register tasks that impersonate high-privilege users. The vulnerabilities also allow attackers to manipulate task logs and the Windows Event Log to erase evidence of their activities. Defense evasion techniques associated with these flaws include overwriting and flooding security logs, jeopardizing audit trails. The discovery underscores the importance of securing Task Scheduler and related components against abuse by attackers inside organizations. | Details |
| 2025-04-16 14:47:13 | theregister | DATA BREACH | Law Firm Fined £60K for Failing to Report Data Theft in Time | DPP Law Ltd was fined £60,000 for failing to promptly notify a data breach in which personal client data was stolen and later found on the dark web. The breach occurred in June 2022 and involved a brute-force attack on an underused administrator account in DPP Law's network that lacked multi-factor authentication. The attacker used that access to reach a legacy case management system and extracted 32 GB of sensitive data, including details of identifiable individuals. The UK's Information Commissioner's Office (ICO) noted that DPP Law initially did not consider the incident a data breach and delayed reporting it for 43 days. DPP Law disputes the ICO's findings and is appealing the decision, asserting its compliance with legal and cybersecurity standards through Lexcel and Cyber Essentials certifications. The ICO's investigation pointed out significant security lapses at DPP Law, stressing the importance of robust cybersecurity measures and timely incident reporting. The ICO's enforcement director emphasized that data protection is a legal obligation, warning of substantial fines and reputational damage for non-compliance. | Details |
| 2025-04-16 14:41:45 | bleepingcomputer | MISCELLANEOUS | Atlassian Jira Faces Global Outage Impacting Several Products | Atlassian is currently dealing with an 'active incident' causing degraded performance across multiple Jira products. Affected services include Jira, Jira Service Management, Jira Work Management, and Jira Product Discovery. The issues began around 11:46 UTC today, resulting in errors and difficulty loading the Jira user interface and dashboards. Users globally are experiencing prolonged outages, with specific complaints about dashboard widgets failing to load or render. Atlassian teams are urgently investigating the disruption, although the root cause has not yet been determined. The situation remains ongoing, with updates promised as further information becomes available. | Details |
| 2025-04-16 14:08:23 | bleepingcomputer | MISCELLANEOUS | Enhancing Cyber Defenses Through Adversarial Exposure Validation | According to findings from Picus Security, 41% of cyberattacks successfully bypass existing security controls in most organizations. Traditional security assessments such as annual penetration tests and periodic vulnerability scans are insufficient in today's rapidly changing threat landscape. Breach and Attack Simulation (BAS) and Automated Penetration Testing (APT) offer continuous, real-time testing and validation of security measures. These methods allow organizations to simulate real-world attacks, revealing vulnerabilities and ineffective security controls without risking system downtime. Adversarial Exposure Validation combines BAS and APT to provide a comprehensive view of both the effectiveness of security controls and potential attack paths. This approach helps organizations strengthen their security by identifying and closing gaps, improving their defense against actual cyberattacks. Continuous testing enables proactive risk management, better preparation for potential breaches, and measurable improvements in security controls. | Details |
| 2025-04-16 13:06:37 | bleepingcomputer | MISCELLANEOUS | CISA Secures Funding Continuation for Critical CVE Program | CISA has extended funding to prevent disruption of the Common Vulnerabilities and Exposures (CVE) program. The funding extension was crucial because MITRE had warned that existing government funding would expire, with potential industry-wide effects. Disruptions that could have followed without the extension included impacts on national vulnerability databases, incident response, and tool vendor operations. The CVE program, maintained by MITRE and funded by the U.S. DHS, provides clarity and standardization when discussing security vulnerabilities. The newly established CVE Foundation aims to secure the program's independence and remove reliance on a single government sponsor, ensuring its global neutrality and sustainability. The establishment of the CVE Foundation introduces a non-profit model for managing the CVE program going forward. ENISA has launched the European vulnerability database (EUVD), built on a multi-stakeholder model, adding to the global cybersecurity infrastructure. | Details |
| 2025-04-16 12:50:44 | thehackernews | CYBERCRIME | Google Blocks Billions of Harmful Ads, Suspends Millions of Accounts | Google suspended over 39.2 million advertiser accounts in 2024 to prevent the dissemination of harmful ads. The company blocked a total of 5.1 billion bad ads and restricted another 9.1 billion, while also blocking or restricting ads on 1.3 billion pages. Top policy violations triggering these actions included ad network abuse, trademark misuse, and misrepresentation, among others. Significant content categories flagged for ad restrictions included sexual content, hate speech, malware, and weapons promotion. Google employed AI tools to identify and act against emerging threats such as AI-generated deepfakes and scam-related ad violations. More than 5 million accounts were suspended specifically for scam-related violations, some involving AI-generated impersonation of public figures. The company has expanded its advertiser identity verification to over 200 countries to enhance ad transparency, especially for election-related advertising. Google's security measures reflect the continuously evolving challenges in ad safety, requiring agile responses driven by technological innovation. | Details |
| 2025-04-16 12:32:15 | theregister | MALWARE | Russian Cyber Spies Deploy Malware via Fake Diplomatic Invites | The Russian cyber group Cozy Bear, also known as APT 29, targeted European diplomats with malware-laden invitations to a fake wine-tasting event. The phishing emails appeared to come from a legitimate European Ministry of Foreign Affairs, enticing diplomats with an exclusive event to ensure high engagement. Unresponsive targets received follow-up emails to increase the chance of malware deployment through repeated engagement. The emails contained a malicious link that, when clicked under specific conditions, initiated the download of a malware-laden file named wine.zip. The malware, named Grapeloader, infiltrates the system, alters the Windows Registry for persistence, scans for sensitive information, and establishes regular communication with a command-and-control server. The espionage effort is presumably directed by the Russian government, leveraging Cozy Bear's capabilities to gather intelligence from Western political entities. Historically, Cozy Bear has been involved in significant cyber espionage activities against the US and its allies, including the SolarWinds hack and operations against the 2016 US national election. | Details |
| 2025-04-16 11:52:27 | thehackernews | CYBERCRIME | AI Platform Exploited in Multi-Stage Phishing Attack Chain | Threat actors are using the Gamma AI platform to carry out sophisticated phishing attacks that mimic Microsoft SharePoint logins. The attack begins with a phishing email containing a PDF hyperlink, often sent from compromised legitimate accounts. Clicking the link redirects users to a Gamma-hosted presentation that prompts them to access "Secure Documents," leading them through several deceptive pages. An intermediate impersonation page uses Cloudflare Turnstile verification to boost perceived legitimacy and hinder automated security analysis. Users are eventually directed to a fake Microsoft SharePoint login page designed to harvest their credentials, employing real-time credential validation to enhance the illusion. This method, known as living-off-trusted-sites (LOTS), leverages trusted services to bypass traditional email security checks and obscure the true nature of the phishing pages. Microsoft has flagged an increase in AI-driven fraud and falsified content, underlining the need for heightened vigilance against such threats. The findings point to a trend in which attackers constantly evolve, using new tools and strategies to target and exploit users more effectively. | Details |