Daily Brief

Find articles below; the summaries are generated.

Total articles found: 12779

Checks for new stories every ~15 minutes

2025-05-12 14:41:15 | bleepingcomputer | CYBERCRIME | Report Uncovers High Security Risks in Enterprise Browser Extensions
The 2025 Enterprise Browser Extension Security Report highlights a significant but overlooked threat vector: browser extensions widely used in business environments. 99% of enterprise users have browser extensions installed, with over half using more than ten, expanding the potential for security breaches. More than half of these extensions access sensitive data under 'high' or 'critical' risk permissions, exposing organizations to data theft and other cyber threats. A significant 20% of employees use GenAI extensions, the majority of which fall under high-risk permissions, necessitating stringent control measures. A large portion of extensions is published anonymously or by first-time publishers, complicating the verification of trust and increasing exposure to malicious actors. Many extensions are outdated or not regularly updated, and some are sideloaded, bypassing standard security checks and further intensifying security risks. LayerX advises strict policies for managing browser extension usage and will present actionable insights for mitigating these risks in its upcoming webinar.
2025-05-12 14:08:35 | thehackernews | MALWARE | ASUS Releases Updates for Critical DriverHub Security Flaws
ASUS has issued updates for its DriverHub software to fix two critical vulnerabilities allowing remote code execution. The security flaws could enable attackers to execute arbitrary code by manipulating HTTP requests and modifying .ini files. DriverHub, which identifies and updates necessary drivers by connecting to a specific ASUS-hosted site, was the target of these vulnerabilities. An attack involves deceiving a user into visiting a malicious sub-domain and executing an altered "AsusSetup.exe" via DriverHub's endpoint. The attack chain includes a modified ".ini" file that triggers a script to install or execute potentially harmful content on the affected system. Security researcher MrBruh discovered these vulnerabilities and reported them, leading ASUS to fix them after years of potential exposure. ASUS has not detected any instances of the vulnerabilities being exploited in the wild but urges users to update their DriverHub software immediately.
2025-05-12 12:12:11 | thehackernews | DDOS | Major IoT Botnet Disrupted by US and Dutch Law Enforcement
Dutch and U.S. authorities collaborated to dismantle a criminal proxy network built from infected IoT and end-of-life (EoL) devices. Active since 2004, the platform, known as anyproxy[.]net and 5socks[.]net, facilitated anonymous activities via a botnet. Over 7,000 proxies were advertised daily, predominantly affecting devices in the U.S., Canada, and Ecuador. The botnet exploited IoT devices with known security vulnerabilities to install TheMoon malware. This law enforcement action coincides with other major crackdowns, including the shutdown of a cryptocurrency exchange involved in money laundering and of six DDoS-for-hire services. The action highlights the continuing effort by authorities to combat cybercrime networks that exploit device vulnerabilities for malicious purposes. The focus on preventing botnet activities is part of a broader strategy to curb cyber risks that can lead to significant legal and reputational consequences for businesses.
2025-05-12 11:02:29 | thehackernews | DATA BREACH | Persistent Exposed Credentials Risk Company Security
Research from GitGuardian reveals that a high percentage of company secrets and credentials exposed in public repositories remain valid for years, posing significant security risks. Organizations often lack awareness of the exposure or the operational capacity to swiftly remediate the exposed secrets, resulting in prolonged vulnerability. The persistence of valid secrets is due to the complexity of updating hardcoded secrets across multiple systems, which can disrupt production environments. Limited remediation resources mean only high-risk exposures are prioritized, and legacy systems do not support modern security practices such as ephemeral credentials. Analysis indicates that exposed cloud and database credentials in production systems are a direct threat, with the number of valid credentials for cloud services increasing significantly from 2022 to 2024. Practical steps for remediation include immediate rotation of credentials, implementing IP allowlisting, using dynamic secrets, and transitioning to modern authentication methods to minimize risks. Adopting automated secrets management and focusing on short-lived credentials can effectively reduce the attack surface and enhance security. The report emphasizes the urgent need for organizations to improve detection, rapid remediation, and overall management of secret exposures to protect sensitive data and systems.
2025-05-12 09:35:14 | theregister | MISCELLANEOUS | UK Cyber Agency Clashes With Industry on Software Security
The UK’s National Cyber Security Centre (NCSC) is advocating for a market structure that rewards security-driven software vendors, addressing the issue at its CYBERUK conference. NCSC's CTO, Ollie Whitehouse, criticized the current market for failing to incentivize companies to prioritize building secure products, shifting the risk onto customers. Industry leaders from Vodafone, Mandiant, and Sage, during a panel discussion, expressed skepticism about the NCSC's approach, highlighting the complexity of cyber security issues and questioning the effectiveness of market intervention. Whitehouse proposed both incentivizing good security practices and penalizing vendors for subpar security measures to foster a better security ecosystem. Amid varying opinions, there remains a significant divide on whether regulatory interventions or market-driven solutions are more effective in enhancing software security. The debate also covered the role of cyber insurance and international collaboration on setting standardized security expectations for vendors. The NCSC also launched a voluntary Software Security Code of Practice aimed at setting a baseline for security practices, akin to previous successful initiatives in AI security.
2025-05-12 08:34:01 | theregister | CYBERCRIME | UK Retail Giants Suffer Severe Disruptions from Ransomware Attacks
Recent weeks have seen significant ransomware attacks on major UK retailers including Marks and Spencer, the Co-Op, and Harrods, causing prolonged system downtimes. The incidents highlight a systemic failure in corporate cybersecurity, exacerbated by inadequate attention and investment in IT security. There is a notable lack of transparency and public disclosure about the details and impacts of these security breaches, reflecting a culture of silence and minimal compliance. The British Library's own report on its 2023 ransomware attack serves as a stark example, revealing major data leaks and permanent system losses due to outdated and underfunded IT infrastructure. The article advocates for an open and collaborative approach to addressing cybersecurity failures, similar to self-help groups, where organizations can learn from each other's experiences and mistakes. It suggests the establishment of industry-wide protocols for managing the security lifecycle of IT projects, emphasizing the importance of regular reassessment and maintenance. The piece criticizes the prevailing corporate attitude towards IT security as a non-urgent expense, calling for a shift towards recognizing and addressing IT vulnerabilities as a critical priority. The article concludes that without a major cultural shift in how companies handle cybersecurity, systemic flaws will continue to pose severe risks.
2025-05-12 07:33:28 | thehackernews | MALWARE | Noodlophile Malware Uses Fake AI Tool Lures on Facebook
Threat actors pose as providers of AI-powered tools to distribute Noodlophile, a malicious information stealer. Over 62,000 views were recorded on a single Facebook post, indicating significant user interaction. Fake sites and social media ads prompt malware downloads through seemingly benign AI-generated content. The malware, disguised as media files, initiates infection by downloading a malicious .exe file. Noodlophile Stealer harvests browser data, crypto wallet information, and more, and is sometimes bundled with a remote access trojan, XWorm. The malware developer is believed to be from Vietnam, based on their GitHub profile. Cybercriminals continue to exploit public fascination with AI to promote malware, with Meta reporting over 1,000 related URL takedowns since early 2023. A parallel malware threat, PupkinStealer, was also identified; it steals data while making minimal effort at detection evasion.
2025-05-12 04:34:09 | theregister | MALWARE | DOGE Employee's Credentials Found in Multiple Malware Dumps
Developer Micah Lee discovered 51 data breach records and four infostealer log dumps linked to DOGE employee Kyle Schutt. Schutt has access to sensitive government data via his role with the Federal Emergency Management Agency. Infostealer logs containing Schutt's credentials suggest potential compromises of his computers. Leaked credentials were found in prominent data dumps, including the 100GB Naz.API and ALIEN TXTBASE, highlighting substantial cybersecurity risks. Infostealer logs indicate personal accounts and possibly work-related accounts at risk, underlining the need for stringent security practices in government and sensitive roles. The article also reports on other serious cybersecurity incidents, including a critical Cisco vulnerability and internal data leaks from the LockBit ransomware gang. The necessity of stronger security measures is underscored by the collapse of a UK business due to a ransomware attack and the sentencing of the Celsius CEO for fraud related to security misrepresentation.
2025-05-11 20:27:00 | theregister | MALWARE | Innovations in Ransomware Target CPU and Firmware Security
Christiaan Beek of Rapid7 developed a proof-of-concept for CPU ransomware based on a vulnerability in AMD Zen chips. This exploit would enable attackers to inject unauthorized microcode directly into CPUs, bypassing traditional security technologies. Although challenging, rewriting CPU microcode is feasible, demonstrated by Google’s manipulation of random number generation in the same AMD chips. Beek highlights a shift in cybercriminal tactics, referencing UEFI bootkits for sale on cybercrime forums and historical efforts by the Conti ransomware group. CPU-level ransomware poses a significant risk as it could survive operating system reinstalls and modify hardware functions to enforce ransom demands. Despite potential severity, such CPU-focused ransomware is not yet found in the wild, but the theoretical framework is established. Beek calls for a renewed focus on fundamental cybersecurity practices due to continued vulnerability exploitation and insufficient implementation of basic security measures like multi-factor authentication.
2025-05-11 15:22:03 | bleepingcomputer | MISCELLANEOUS | Bluetooth 6.1 Enhances Privacy with Randomized Address Timing
The Bluetooth Special Interest Group (SIG) has released Bluetooth Core Specification 6.1, introducing significant privacy enhancements. A key feature in the update is the randomization of the Resolvable Private Address (RPA) update timing, making device tracking by third parties significantly more difficult. Before this update, RPAs were refreshed at predictable 15-minute intervals, which could have been exploited in correlation attacks for long-term device tracking. With Bluetooth 6.1, RPA updates will now occur at random intervals between 8 and 15 minutes, and the interval can be further customized to anything between 1 second and 1 hour. The random selection uses a NIST-approved generator, strengthening protection against pattern tracking and correlation attacks. Bluetooth 6.1 also improves power efficiency by allowing the Bluetooth controller to manage RPA updates autonomously, reducing demand on the host device's CPU and memory. This update is particularly beneficial for devices with limited battery resources, such as fitness bands, earbuds, and IoT sensors. Full implementation and support of Bluetooth 6.1 features in devices may not be seen until around 2026, pending further testing and validation.
2025-05-11 14:16:47 | bleepingcomputer | MALWARE | iClicker Website Compromised: Malware Distributed via Fake CAPTCHA
iClicker's website was hacked between April 12 and April 16, 2025, introducing a fake CAPTCHA that tricked users into downloading malware. The attack utilized a ClickFix social engineering strategy, requiring users to paste a malicious PowerShell script into their system to "verify" themselves. Targeted visitors received a PowerShell script that connected to a remote server, downloading different malware based on the visitor type. Non-targeted visitors received benign software. The malware potentially allowed attackers full access to the infected devices, capable of extracting sensitive information like passwords, credit card details, and cryptocurrency wallets. BleepingComputer’s inquiries regarding the attack received no response from Macmillan, although iClicker later posted a security bulletin advising affected users to run security checks and update passwords. The security bulletin was made difficult to find due to a 'noindex, nofollow' tag, potentially limiting public awareness of the incident and its resolution. Users of iClicker’s mobile app or those who did not interact with the fake CAPTCHA were not affected by this security breach.
2025-05-10 15:43:56 | bleepingcomputer | MALWARE | Fake AI Video Tools Used to Distribute New Noodlophile Malware
Fake AI video generation websites are being used to deploy the Noodlophile infostealer malware. These sites, which attract users via social media platforms like Facebook, pose as advanced AI tools capable of generating videos from uploaded files. The Noodlophile malware is being marketed on dark web forums as malware-as-a-service, frequently packaged with data theft services. The infection begins when a user uploads files to the malicious site expecting an AI-generated video but instead receives a malware-laden ZIP file. The ZIP file contains executables and scripts that perform a multi-stage infection to deploy the Noodlophile Stealer, covertly bypassing some security measures. The malware primarily targets browser-stored information, including credentials, session cookies, and cryptocurrency wallet details, with data exfiltrated via Telegram. The malware setup is enhanced with optional remote access tools, increasing its threat capabilities, particularly on systems without adequate security protections. Recommendations for protection include verifying file sources and extensions and using updated antivirus software to scan all downloaded files.
2025-05-10 14:19:56 | bleepingcomputer | MALWARE | New Noodlophile Stealer Malware Distributed via Fake AI Video Tools
Fake AI video generation tools are being used to spread the new Noodlophile stealer malware, targeting data from web browsers. Advertised on high-visibility Facebook groups, these tools bait users with the promise of AI-generated video content. The malware campaign was identified by Morphisec, noting that Noodlophile is sold on dark web forums as part of a malware-as-a-service operation. Victims downloading a ZIP file expecting an AI video find a malicious executable instead, which initiates a multi-stage infection process. Noodlophile steals information such as account credentials, session cookies, and cryptocurrency wallet files. The stolen data is sent to the attackers via a Telegram bot used as a covert command and control server. Increased risk stems from potential bundling with XWorm, a remote access trojan, amplifying the threat level.
2025-05-10 14:05:49 | theregister | CYBERCRIME | FBI Disrupts Global Botnet, Indicts Four for Criminal Proxy Network
The FBI disrupted a sizable botnet and issued indictments against four individuals, three Russians and one Kazakhstani, for operating a criminal proxy-for-hire service built on outdated routers. This botnet was part of a proxy network that sold access to compromised routers through domains such as 5socks and Anyproxy, enabling various cybercrimes including DDoS attacks. Federal investigations revealed that the criminal operation, active since 2004, generated over $46 million by offering monthly subscriptions for these proxies. The affected routers, from manufacturers such as Linksys, Ericsson, and Cisco, were targeted because of their age and lack of current security updates. The FBI issued a FLASH bulletin and a PSA urging the replacement of vulnerable, end-of-life routers to prevent further exploitation by cybercriminals using TheMoon malware. In a joint effort titled Operation Moonlander, European and US law enforcement collaborated to take down this network, which advertised over 7,000 proxies while the number of actually active proxies was significantly lower. The indictments emphasize issues such as false registration information used in the setup and operation of these proxy services, highlighting deceptive practices in cybercriminal operations.
2025-05-10 10:51:23 | theregister | MISCELLANEOUS | UK MOD Shifts Defense Spending from US to European Firms
The UK Ministry of Defence (MOD) is redirecting its spending from US-based defense contractors like Boeing and Lockheed Martin towards European suppliers, with a particular increase in expenditure with French firms. Research by Tussell reveals that total MOD expenditure with private contractors increased by 31% from 2019 to 2024, with real growth recorded at 5%. As of the end of 2024, about half of the MOD's spending was with UK firms such as Rolls-Royce and BAE Systems, while the percentage spent with US firms has been decreasing since 2022. The shift in MOD spending may continue to favor European companies significantly due to political and economic decisions by the current US administration, including the possible impacts of tariffs and policy changes. The Facilities Management and Construction sectors saw a significant increase in their share of MOD financial outlay, attributed mainly to the £1.6 billion Future Defence Infrastructure Services program. Digital and Consultancy services made up 14% of the MOD's spending in 2024, an indication of changing priorities within the defense expenditure framework. Concerns about dependencies on US technology, as highlighted by the F-35 fighter jet program issues, are influencing the MOD’s reassessment of its strategic supply chain and procurement decisions.