Daily Brief

2025-05-14 20:31:35 bleepingcomputer MISCELLANEOUS Google Chrome Enhances Security by Blocking Admin-Level Launches
Google is updating Chromium to increase security by preventing Chrome from running as an administrator in Windows. This change echoes a security feature first introduced by Microsoft for the Edge browser in 2019, which originally warned users against launching with elevated permissions. The updated feature will automatically "de-elevate" Chrome's permissions if an attempt is made to launch it with administrative rights. Microsoft's involvement in the Chromium project has facilitated the addition of this security feature, which was based on their experiences with Edge. There's an added command-line switch to prevent potential infinite loops caused by the automatic de-elevation process. Running Chrome with administrative rights exposes the system to significant risks, as malicious downloads would also inherit elevated permissions, potentially leading to full system compromise. The de-elevation feature does not affect Chrome processes initiated in automation mode to allow compatibility with necessary automated tools.
2025-05-14 19:47:11 bleepingcomputer CYBERCRIME Scattered Spider Expands Ransomware Attacks from UK to US Retailers
Google Threat Intelligence Group reports that the Scattered Spider hacking group is now targeting US retail companies with ransomware and extortion operations. These attacks follow a pattern of sector-focused campaigns by the group, which has a history of launching successful cyberattacks on retail chains in the UK, including Marks & Spencer. The DragonForce ransomware, used in these attacks, was first seen in action against VMware ESXi hosts, causing major disruptions within affected organizations. US retailers are advised to bolster cybersecurity defenses in response to these emerging threats, as indicated by the recent guidance from the UK National Cyber Security Centre (NCSC) following similar occurrences. Scattered Spider is known for utilizing sophisticated social engineering tactics, including phishing and SIM swapping, to breach high-profile targets and facilitate ransomware deployment. The collective nature of Scattered Spider complicates efforts to track and predict its activities, making it highly effective against even well-protected networks. The NCSC has yet to formally attribute the recent UK retail attacks to any specific group or coordinated campaign, underlining the ongoing investigations and the need for increased vigilance against such threats.
2025-05-14 18:22:39 theregister MISCELLANEOUS Adversarial Exposure Validation: Transforming Vulnerability Management
CVSS (Common Vulnerability Scoring System), once a vital tool in vulnerability management, is now considered inadequate due to its inability to factor in real-world variables and context. Many organizations rely solely on CVSS scores for prioritization, which may lead to misallocated resources and inefficiencies in addressing actual threats. Adversarial exposure validation (AEV) is proposed as a more effective method, focusing on real-world exploitability and impact rather than theoretical severity scores. AEV employs simulations of real attack scenarios in an organization’s specific environment to determine the exploitability and potential damage of vulnerabilities. This approach leads to more accurate risk prioritization, enabling security teams to focus on significant threats and optimize their remediation efforts. AEV also enhances communication within organizations by providing a clearer, more understandable way to report risks based on validated attack scenarios. Continuous validation through AEV offers a dynamic and evidence-based perspective, shifting from static prediction models to proactive, context-aware defense mechanisms. The shift to AEV marks a strategic and necessary evolution in cybersecurity practices, driven by the demand for evidence-based security in a rapidly changing threat landscape.
2025-05-14 18:01:25 thehackernews MALWARE Samsung Releases Fix for Exploited MagicINFO Server Vulnerability
Samsung has issued updates for a critical security vulnerability in MagicINFO 9 Server, specifically targeting CVE-2025-4632 with a CVSS score of 9.8. The flaw, a path traversal vulnerability, allowed attackers to write arbitrary files with system authority and was actively exploited to deploy the Mirai botnet. CVE-2025-4632 was identified as a patch bypass for an earlier vulnerability, CVE-2024-7399, which Samsung had previously addressed in August 2024. The exploitation came to light following the release of a proof-of-concept by SSD Disclosure on April 30, 2025, leading to its misuse in the wild. Cybersecurity firm Huntress uncovered three incidents involving this vulnerability, with attackers downloading further malicious payloads and performing reconnaissance. Samsung advises all users of MagicINFO 9 Server to upgrade to the latest version (21.1052.0) immediately to mitigate the risks associated with this vulnerability.
2025-05-14 17:53:25 thehackernews MALWARE Cybercrime Groups Exploit SAP Flaw to Deploy PipeMagic Trojan
Two cybercrime groups, BianLian and RansomExx, have exploited a vulnerability in SAP NetWeaver to deploy the PipeMagic trojan. ReliaQuest identified multiple incidents linking the exploitation to IP addresses previously associated with these groups. A specific server was found hosting reverse proxy services linked to the BianLian group, facilitating data extortion via the rs64.exe executable. The PipeMagic trojan, recently linked to the exploitation of a zero-day Windows CLFS bug (CVE-2025-29824), affects targets in the U.S., Venezuela, Spain, and Saudi Arabia. Attack attempts involved web shells placed on compromised systems due to exploits in SAP NetWeaver, although initial attempts failed. Subsequent attacks succeeded with the deployment of a Brute Ratel C2 framework and demonstrated new tactics to exploit the CLFS vulnerability. Multiple Chinese hacker groups are also reported to be exploiting related SAP vulnerabilities, indicating widespread malicious interest in the flaws. ReliaQuest emphasized the urgent need for patching both CVE-2025-31324 and CVE-2025-42999 due to similar exploitation risks and consequences.
2025-05-14 17:44:47 theregister MISCELLANEOUS DHS Cancels $2.4 Billion Cybersecurity Contract Amid Legal Dispute
The Department of Homeland Security (DHS) terminated a $2.4 billion cybersecurity contract with Leidos after a legal challenge by competitor Nightwing. Nightwing alleged that Leidos received an unfair advantage due to insider information from a former DHS IT specialist. The contract intended to support the Cybersecurity and Infrastructure Security Agency (CISA) through various IT and cyber capabilities over seven years. DHS cited significant changes in its IT and cybersecurity service needs due to organizational and priority shifts as the reason for contract cancellation, asserting this was unrelated to Nightwing's protest. The contract, known as the ACTS Indefinite Delivery Indefinite Quantity contract, was originally advertised in December 2022 and awarded to Leidos in February. The DHS has no immediate plans to reoffer the contract and is exploring other ways to meet its future needs. Nightwing, spun out of defense contractor Raytheon, has not secured any government contracts since the split, while Raytheon continues to secure contracts in other divisions.
2025-05-14 17:44:46 bleepingcomputer CYBERCRIME Ransomware Groups Exploit SAP Vulnerability in Multinational Hacking
Ransomware gangs have started exploiting a critical SAP NetWeaver vulnerability (CVE-2025-31324), previously patched by SAP on April 24. This vulnerability facilitates remote code execution without needing user credentials, allowing hackers to upload malicious files and potentially seize entire systems. RansomEXX and BianLian ransomware operations have escalated their involvement in these attacks, as reported by ReliaQuest. Multiple Chinese APTs (UNC5221, UNC5174, and CL-STA-0048) are also targeting unpatched NetWeaver instances, aligning with potentially strategic aims of the People’s Republic of China. These attacks have led to over 581 backdoored SAP NetWeaver instances, including critical infrastructure targets in the UK, USA, and Saudi Arabia. A second vulnerability, CVE-2025-42999, was also exploited as early as March, enabling attackers to remotely execute arbitrary commands. SAP admins are urged to apply the available patches immediately or disable the compromised Visual Composer service to mitigate risks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to secure their servers against the CVE-2025-31324 flaw by May 20, highlighting the severity and broad potential impact of these vulnerabilities.
2025-05-14 16:34:47 theregister CYBERCRIME Ivanti Issues Patches for Actively Exploited Zero-Days
Ivanti has released patches for two zero-day vulnerabilities under active exploitation, potentially impacting customers using Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities are linked to two undisclosed open source libraries utilized in EPMM, raising concerns across the wider security ecosystem. The Australian Signals Directorate (ASD) issued critical alerts for CVE-2025-4427 and CVE-2025-4428, noting that their combined exploitation could lead to serious remote code execution attacks. Affected organizations are advised to deploy the patches immediately or use alternative safeguarding measures like Portal ACLs or external WAFs. Ivanti is working with the maintainers of the affected open source libraries to evaluate the need for separate CVE identifiers for these libraries. Another severe vulnerability, CVE-2025-22462, was addressed in the on-premises version of Neurons for ITSM, though it has not yet been exploited in the wild. Ivanti emphasizes the responsible use of open source code and employs tools like SBOMs to assess potential security threats in third-party libraries.
2025-05-14 16:34:46 bleepingcomputer DATA BREACH Australian Human Rights Commission Suffers Significant Data Leak
The Australian Human Rights Commission (AHRC) reported a data breach in which hundreds of documents were leaked and indexed by search engines. Sensitive data exposed includes names, contact details, health information, schooling, religious affiliations, employment data, and photographs. The incident involved 670 documents accessed unlawfully between April 3 and May 5, 2025. AHRC emphasized that the data leakage was due to underlying misconfigurations, not a direct result of a cyber attack. All web forms have been disabled by AHRC to prevent further data exposure; a dedicated investigation and taskforce have been set up to address the incident. The Office of the Australian Information Commissioner (OAIC) has been notified, and efforts are underway to remove the exposed documents from search engines. Affected individuals are being personally notified and provided with mental health support links due to potential distress from the exposure.
2025-05-14 15:38:31 theregister DATA BREACH Meta Faces Legal Challenges Over EU User Data for AI Training
Max Schrems and noyb issued a cease and desist letter to Meta, challenging its AI data training practices in the EU. Noyb argues that Meta's reliance on "legitimate interest" to bypass explicit user consent for AI training violates GDPR rules. Previously, Meta paused its AI training in the EU following disputes and resumed under guidelines believed to conform with EDPB recommendations. Meta contends the data collection is vital for culturally aware AI, yet noyb deems it excessive compared to competitors like OpenAI. Schrems and noyb are prepared to seek injunctions and potentially pursue a class-action lawsuit, which could result in significant damages. Other EU groups are also considering legal action against Meta for its data collection practices for AI training. Meta believes its data processing approach for AI training is transparent and validated by EDPB, although interpreted differently by noyb.
2025-05-14 15:32:27 thehackernews CYBERCRIME Telegram Marketplace Facilitates $8.4 Billion in Cybercrime Activities
Xinbi Guarantee, a Chinese-language Telegram-based marketplace, has handled $8.4 billion in transactions since 2022. The platform is known for selling illegal goods and services, including technology and personal data, and specializes in money laundering services. A significant part of the transactions, according to Elliptic, is linked to criminal activities, including funds stolen by North Korean operatives. Xinbi has attracted 233,000 users and supplies a broad range of services such as fake IDs, stolen personal data, and even services for intimidation and sex trafficking in China. It operates under the guise of an investment company registered in Colorado but has been marked as "Delinquent" on state records. Elliptic's report indicates that both Xinbi and HuiOne Guarantee were involved in laundering cryptocurrency for North Korea following the WazirX exchange hack. Telegram has shut down thousands of channels associated with these marketplaces, disrupting significant cybercrime operations. These findings were released shortly after the U.S. designated the HuiOne Group as a key entity in global money laundering schemes involving cryptocurrencies.
2025-05-14 14:47:01 bleepingcomputer CYBERCRIME Nucor Corporation Halts Production Due to Cybersecurity Breach
Nucor Corporation, the largest U.S. steel producer, experienced a significant cybersecurity incident causing disruptions in multiple locations. In response to the incident, Nucor took parts of its network offline to contain the attack and initiated containment and remediation measures. The cyberattack led to the temporary suspension of production activities, impacting operations across various facilities. The company has notified law enforcement and is working with external cybersecurity experts to investigate the attack. Details regarding the exact nature or date of the cyberattack have not been disclosed, nor is it clear if any data was stolen or encrypted. Nucor submitted an 8-K filing to the SEC detailing the incident and the company's immediate response measures. As part of the ongoing response, Nucor is gradually resuming production operations at affected locations.
2025-05-14 14:24:23 theregister MISCELLANEOUS VPN Company Cancels Lifetime Deals, Admits Oversight in Acquisition
VPN Secure's new parent company, InfiniteQuant, abruptly canceled thousands of "lifetime" accounts, citing unsustainability and the high costs of legacy deals. CEO Romain Brabant admitted the oversight happened during the acquisition process, stating the company was primarily focused on the technology and not the user agreements. Affected customers, who previously paid heavily discounted rates for lifetime service, expressed outrage on platforms like Reddit and Trustpilot, accusing the company of gaslighting. InfiniteQuant claims it was unaware of the lifetime deals, which were not disclosed by the former owner, BoostNetwork Pty Ltd, during the sale negotiations. A follow-up communication attempt to address customer concerns had a bounce rate of over 20%, with poor email deliverability further complicating the issue. InfiniteQuant intends to send a third email to apologize for the problems with previous communications and to offer discounted plans to the legacy lifetime subscribers. Users discovered the lifetime subscription offers through sources like StackSocial, although these were not mentioned in the financial documents reviewed during the acquisition. No refunds will be offered to the terminated lifetime accounts, with the company describing the move as a difficult decision required for survival.
2025-05-14 14:15:02 thehackernews CYBERCRIME CTM360 Exposes "Meta Mirage" Phishing Scam Targeting Businesses
A new phishing threat named "Meta Mirage" targets businesses using Meta's Business Suite. Cybersecurity firm CTM360 identified over 14,000 malicious URLs involved in this campaign, with 78% not blocked by browsers. The phishing operation uses fake Meta communications to deceive users into revealing passwords and OTPs. Attackers host phishing sites on trusted cloud platforms like GitHub, Firebase, and Vercel to evade detection. The campaign sends fake alerts about policy violations or urgent account issues, mimicking Meta's official tone and format. Victims receive progressively more urgent communications, heightening anxiety and pushing for quicker, less cautious responses. Compromised accounts are often used to run malicious ad campaigns, causing further damage. CTM360 recommends heightened vigilance and proactive security measures to combat this sophisticated phishing threat.
2025-05-14 14:04:56 bleepingcomputer CYBERCRIME Sophisticated Phishing Attack Targets Trusted Domains and Validates Emails
The Keep Aware threat research team observed a sophisticated phishing attack that exploited legitimate domains to host malicious pages. The phishing pages validated user credentials in real time, specifically targeting corporate email addresses. The attack leveraged customized phishing pages featuring company-specific branding, shown only when a recognized business email was entered. The attack employed anti-analysis JavaScript techniques on the phishing page to block right-click and shortcut keys, preventing easy inspection. Security measures include real-time, zero-day detection in the browser to prevent credential theft before data entry. The phishing infrastructure was capable of dynamically altering content based on the email address entered, and featured CAPTCHA challenges to add legitimacy. The attack shows the importance of advanced browser-level protection to effectively block such targeted and sophisticated threats.