Daily Brief
Find articles below, see 'DETAILS' for generated summaries
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-28 18:15:00 | bleepingcomputer | CYBERCRIME | Interlock Ransomware Gang Targets Universities with NodeSnake RAT | The Interlock ransomware gang has introduced a new remote access trojan, NodeSnake, aimed at infiltrating educational institutions. Researchers at QuorumCyber identified NodeSnake in at least two incidents involving UK universities in early 2025, with evidence of ongoing development to extend its functionality. Initial infection vectors include phishing emails with malicious attachments or links that lead to deployment of the RAT. NodeSnake uses evasion techniques such as heavy code obfuscation and XOR encryption, and relies on PowerShell or CMD scripts that mimic legitimate software updates. Once installed, it gathers system information and can carry out additional malicious activity, including terminating processes and loading further malware. The trojan changes its command-and-control communication dynamically, complicating detection and mitigation. QuorumCyber's report details indicators of compromise for NodeSnake, supporting early detection and prevention of further Interlock attacks. The discovery underscores Interlock's strategic shift towards sustained, stealthy operations inside target networks, particularly in the education sector. | Details |
| 2025-05-28 17:22:32 | thehackernews | CYBERCRIME | Iranian Hacker Guilty in $19 Million Baltimore Ransomware Scheme | Sina Gholinejad, an Iranian national, has pleaded guilty to charges related to ransomware attacks using the RobbinHood ransomware. The attacks targeted multiple U.S. organizations and caused significant disruption in Baltimore, leading to over $19 million in losses. Gholinejad and co-conspirators encrypted files and demanded ransom in Bitcoin, severely affecting city services in Baltimore and Greenville. The campaign ran from January 2019 to March 2024 and involved data theft as well as ransomware deployment. Gholinejad was apprehended and pleaded guilty to computer fraud and conspiracy to commit wire fraud; he faces up to 30 years in prison. The group used techniques such as cryptocurrency mixing and chain-hopping to launder the ransom payments. Sentencing is scheduled for August 2025, highlighting the long-term legal consequences of such attacks. | Details |
| 2025-05-28 16:50:22 | bleepingcomputer | NATION STATE ACTIVITY | Over 9,000 ASUS Routers Hacked by Sophisticated Botnet | Over 9,000 ASUS routers have been compromised by a botnet named "AyySSHush," affecting models such as the RT-AC3100, RT-AC3200, and RT-AX55. The botnet also targeted routers from Cisco, D-Link, and Linksys, using brute-forcing, authentication bypass, and exploitation of older vulnerabilities. The attackers exploited CVE-2023-39780 to implant an SSH backdoor that persists across device reboots and firmware updates. No malware was used; instead, the attackers disabled logging and security features to avoid detection, needing only a few malicious requests for a successful intrusion. The exact goals of AyySSHush remain unclear, but it has the potential to become a substantial botnet for future operations. ASUS has released security updates for CVE-2023-39780; owners are urged to update their firmware promptly and check for signs of compromise. GreyNoise and other security organizations are tracking the campaign, noting its sophistication and likely link to nation-state actors. | Details |
| 2025-05-28 16:40:42 | bleepingcomputer | CYBERCRIME | Dark Partners Gang Runs Cloned Apps to Steal Cryptocurrency | The Dark Partners cybercrime gang uses fake AI, VPN, and crypto software download sites to distribute malware and infostealers such as Poseidon and Lumma. The group impersonates legitimate apps, misleading users into downloading malicious software designed to extract cryptocurrency and sensitive data such as credentials and private keys. On Windows, the malware is digitally signed with certificates from multiple companies; Poseidon Stealer targets macOS, focusing on wallet folders and web browsers. Law enforcement recently disrupted the distribution of Lumma Stealer by seizing thousands of associated domains and infrastructure components. On Windows, the Lumma Stealer payload is an Electron-based application with modules for stealth and persistence; it terminates itself if analysis tools are detected. Payload delivery varies with the operating system of the requesting client, with additional checks to block automated downloads. Security researcher g0njxa documents the technical tactics of Dark Partners, including the details of payload delivery and anti-sandbox features. The report concludes with an extensive list of compromised domains and indicators of compromise, underlining the campaign's reach. | Details |
| 2025-05-28 16:05:50 | thehackernews | NATION STATE ACTIVITY | Czech Republic Accuses Chinese APT31 of Cyber Espionage | The Czech Republic has formally attributed a 2022 cyberattack on its Ministry of Foreign Affairs to the China-linked group APT31. Described as state-sponsored, APT31 used a range of techniques, including public file-sharing sites for command-and-control. APT31, also known by aliases such as Bronze Vinewood and Judgment Panda, operates under the auspices of China's Ministry of State Security. The breach involved an unclassified network and remains under investigation, with its full impact not yet known. The US Department of Justice has indicted several individuals linked to APT31 for espionage serving China's intelligence and economic interests. Recent reports from Secureworks and ESET indicate APT31's continued focus on government and defense entities in Central Europe. The Czech government criticized China for contradicting its public commitments to responsible state behavior in cyberspace as defined by the UN, and urged it to conform to international norms and cease such attacks. | Details |
| 2025-05-28 14:43:58 | bleepingcomputer | NATION STATE ACTIVITY | Czech Republic Accuses China of Cyberattacks on Foreign Ministry | The Czech Republic has attributed a series of cyberattacks on its Ministry of Foreign Affairs to the China-backed APT31 group. The attacks have been ongoing since 2022 and also targeted other critical infrastructure in the Czech Republic. The European Union and NATO allies condemned the activity, urging China to comply with UN norms and international law. Past incidents linked to APT31 include an attack on Finland's parliament in 2021 and global Microsoft Exchange server hacks. APT31, also known as Zirconium or Judgment Panda, is connected to the Chinese Ministry of State Security and has conducted espionage and data theft worldwide. The US and UK have imposed sanctions and filed charges against individuals associated with APT31 for attacks including breaches of U.S. and U.K. critical infrastructure and government systems. The U.S. State Department is offering a reward for information leading to the arrest of individuals linked to APT31 and its operations. | Details |
| 2025-05-28 13:47:31 | thehackernews | DATA BREACH | Microsoft OneDrive Flaw Risks Total Cloud Storage Exposure | Security researchers identified a critical flaw in Microsoft's OneDrive File Picker that could allow unauthorized access to a user's entire cloud storage. The vulnerability arises from overly broad OAuth permissions and unclear user consent screens, potentially leading to significant data exposure. Several widely used applications, including ChatGPT, Slack, Trello, and ClickUp, may be affected through their OneDrive integrations. The issue is compounded by OAuth tokens being stored in plaintext in the browser's session storage. Insecure authorization workflows could lead to ongoing unauthorized access, since apps can obtain new access tokens without user interaction. Microsoft has acknowledged the flaw but has not yet provided a fix; recommendations include avoiding the use of refresh tokens and hardening token storage. The flaw highlights the need for tighter management of OAuth scopes and continuous security monitoring to protect sensitive data. The Oasis Research Team stresses vigilance and regular security reviews to prevent user data exposure and compliance violations. | Details |
| 2025-05-28 12:36:51 | thehackernews | MALWARE | PumaBot Botnet Attacks Linux IoT Devices to Mine Crypto and Steal Data | PumaBot, a new botnet targeting Linux IoT devices, brute-forces SSH instances to spread and deliver malware. The malware fetches lists of candidate victim IP addresses from a command-and-control server and checks each system for suitability, avoiding honeypots. After compromising SSH credentials, it establishes persistence using spoofed system service files such as "redis.service" or "mysqI.service" to evade detection. PumaBot is used for illicit cryptocurrency mining, running commands such as "xmrig" and "networkxm" on compromised devices. The botnet mimics legitimate system files and uses native Linux tools for persistence, demonstrating effective evasion of security defenses. The analysis notes a rise in SSH brute-force attacks, pointing to growing IoT-related threats. Recommended mitigations include monitoring SSH logs for unusual activity, maintaining strict firewall rules, and verifying system files and services for unauthorized changes. | Details |
| 2025-05-28 12:30:05 | theregister | NATION STATE ACTIVITY | Russian Programmer Sentenced for Leaking Military Data to Ukraine | Russian IT professional Aleksandr Levchishin was sentenced to 14 years in a high-security penal colony for leaking sensitive medical records of Russian soldiers to Ukraine. Levchishin was also found guilty of transferring funds to the Ukrainian military, leading to an additional treason charge. He was arrested by the FSB in July 2023; the trial was held behind closed doors and concluded with multiple charges, including influencing critical information infrastructure. The article gives historical context on the use of Russian courts under Putin's regime to suppress dissent and target critics, as highlighted by the Human Rights Foundation. It also notes Russia's 2022 exit from the Council of Europe, which removed Russian citizens' ability to appeal domestic court decisions internationally. Since the invasion of Ukraine, treason charges in Russia have risen sharply, with 359 convictions in one year and some detainees dying in custody. Additional penalties include a monetary fine, one year of restricted freedom after release, and a four-year ban on working with critical information infrastructure. Russian penal colonies are described as harsh labor camps, often in severe environments, underscoring the conditions faced by those convicted of high treason. | Details |
| 2025-05-28 11:30:36 | thehackernews | MALWARE | Rapid Enterprise Threat: Modern Stealer Malware Hijacks Sessions in Hours | Flare's research report "The Account and Session Takeover Economy" highlights millions of enterprise exposures caused by stealer malware. Stealers such as Redline, Raccoon, and LummaC2 now prioritize hijacking enterprise session tokens rather than only stealing passwords. Within hours of infection, cybercriminals use bots and dark web marketplaces to sort and sell access to high-value enterprise accounts. Detailed marketplace listings let buyers bypass multi-factor authentication and gain immediate access. With session tokens in hand, attackers gain seamless entry into platforms such as AWS and Microsoft 365, potentially leading to substantial breaches. According to Verizon's 2025 Data Breach Investigations Report, 88% of breaches involved stolen credentials, underscoring the significance of these attacks. Organizations are urged to adapt their defenses, monitoring and securing session tokens alongside passwords. | Details |
| 2025-05-28 11:09:39 | thehackernews | MALWARE | Mimo Hackers Utilize Craft CMS Flaw to Deploy Cryptominer, Proxyware | The Mimo group exploited CVE-2025-32432, a critical vulnerability in Craft CMS, to install cryptomining malware and proxyware. The attack deploys a web shell for sustained access and uses a script to download further payloads and kill any competing miners. Besides cryptojacking, the attackers monetize compromised systems by selling the victim's internet bandwidth through proxyjacking. The payloads include a loader named Mimo Loader and the XMRig cryptocurrency miner. Mimo, active since early 2022, has previously exploited vulnerabilities in other software, including Apache Log4j and Atlassian Confluence. Sekoia researchers traced the exploitation attempts to a Turkish IP address linked to the group. Ongoing investigations emphasize Mimo's continued adaptation and rapid exploitation of newly disclosed vulnerabilities for financial gain. | Details |
| 2025-05-28 10:20:51 | bleepingcomputer | MISCELLANEOUS | Apple Blocks $9 Billion in App Store Fraud Over Five Years | Apple prevented over $9 billion in fraudulent App Store transactions in the past five years, including $2 billion in 2024 alone. The company identified nearly 4.7 million stolen credit card numbers and blocked 1.6 million accounts from further transactions. Apple's App Review team rejected around 1.9 million of 7.7 million app submissions for failing to meet privacy and security standards. In 2024, Apple removed 143 million fraudulent ratings and reviews and over 9,500 deceptive apps from search results. Around 320,000 submissions were rejected as misleading copycats, and 43,000 were denied for using undocumented features. The company terminated 146,000 developer accounts for suspected fraud and blocked the creation of 711 million user accounts over fraud concerns. Apple advises customers to report suspicious activity related to app downloads through its designated reporting channel. | Details |
| 2025-05-28 10:05:15 | theregister | DATA BREACH | The Persistent Threat of Password Attacks in 2025 | In 2025, poor password management remains a critical vulnerability linked to numerous data breaches. Verizon's 2025 Data Breach Investigations Report finds that 38% of digital attacks involve credential abuse or phishing. Common pitfalls include predictable passwords such as '123456' or 'Password' and the use of easily guessed personal information. Despite advances in authentication technology such as biometrics and passkeys, passwords remain prevalent because of implementation challenges and limited adoption. Attackers continue to exploit weak passwords through brute force and credential stuffing, targeting thousands of accounts at once. Specops offers tools such as Specops Password Policy to enforce stringent password policies and detect compromised credentials in real time for organizations such as Mid Cheshire NHS Foundation Trust. Updated guidelines advise against routine password expiration, recommending changes only when compromise is suspected, to avoid insecure incremental updates. Password management features in tools such as Specops Password Policy help organizations like Greater Manchester West Mental Health NHS Foundation Trust meet stricter security standards and tailor password requirements to different user groups. | Details |
| 2025-05-28 09:41:04 | thehackernews | MALWARE | How 'Browser-in-the-Middle' Attacks Compromise Online Security | Browser-in-the-Middle (BiTM) attacks let cybercriminals control a victim's online session through a transparent remote browser. Unlike Man-in-the-Middle (MitM) attacks, which require malware and a proxy server, BiTM attacks deceive users into believing they are using their own browser when it is in fact controlled by the attacker. BiTM attacks focus on stealing session tokens after multi-factor authentication (MFA) has completed, removing the need for any further verification. Attackers can quickly and covertly capture cookies or OAuth tokens and relay them to their servers within seconds, putting sensitive user data at risk. This rapid exfiltration makes BiTM a significant threat to personal and organizational security. Mitigation calls for rigorous security practices, including caution with links, strong passwords, regularly updated password policies, and effective MFA. Despite the sophistication of BiTM, fundamental measures such as robust passwords remain crucial in defending against such attacks. | Details |
| 2025-05-28 09:32:33 | thehackernews | CYBERCRIME | Coordinated Cloud-Based Scanning Targets Multiple Web Technologies | Cybersecurity firm GreyNoise detected cloud-based scanning across 75 exposure points on May 8, 2025. The scanning involved 251 malicious IPs hosted by Amazon and geolocated to Japan, targeting technologies such as Adobe ColdFusion, Apache Struts, and Elasticsearch. These IPs exhibited behaviors including exploitation of known CVEs, probing for misconfigurations, and reconnaissance. The addresses were previously inactive and went quiet again after the operation, suggesting they were rented temporarily for this campaign. The scanning covered a broad set of technologies, indicating an indiscriminate search for exploitable systems. Significant overlap among the IPs scanning for different vulnerabilities suggests a single operator or toolset. GreyNoise recommends blocking these IPs immediately, while cautioning that future attacks may use different infrastructure. | Details |