Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-05-01 17:14:10 | theregister | MISCELLANEOUS | Amazon Enhances Alexa+ Security with Early Red Teaming | Amazon CISO Amy Herzog highlighted the integration of red teams into the development of Alexa+ to anticipate and prevent security issues. Red teams and penetration testers are involved from the beginning to build safeguards against unintended or malicious system behaviors. Pairing product engineers, who focus on functionality, with security engineers, who focus on potential misuse, strengthens overall system security. Alexa+, currently in testing, aims to assist users with tasks across multiple services while ensuring data safety and system integrity. The system can interact with thousands of devices and services, requiring robust API security to prevent unauthorized actions. Security strategies include isolating systems and adding protections against issues such as prompt injection and unintended API interactions. Herzog's approach of collaborative security planning from the start is noted as relatively unusual in the industry, aiming to ensure safer product deployment. |
| 2025-05-01 16:33:24 | bleepingcomputer | MALWARE | Malicious PyPI Packages Exploit Gmail for Remote System Hijack | Seven malicious PyPI packages were identified that used Gmail SMTP servers and WebSockets for unauthorized remote access and data theft. The packages had been available on PyPI for up to four years, with one downloaded over 18,000 times. They impersonated legitimate software and abused trusted Gmail services to bypass security controls such as firewalls and endpoint detection. The malicious activities included setting up encrypted tunnels, executing shell commands, transferring files, and stealing sensitive credentials and email data. Associated email addresses and earlier similar attacks strongly indicate the packages were intended to steal cryptocurrency. Security researchers urge immediate removal of these packages from affected systems and recommend rotating any potentially compromised keys and credentials. Related research found a similar threat in an npm package targeting cryptocurrency wallets with over 1,000 units, downloaded 2,000 times before removal. |
| 2025-05-01 15:51:22 | thehackernews | MALWARE | Fake Security Plugin Gives Hackers Admin Rights on WordPress Sites | Cybersecurity researchers report a new malware campaign using a disguised security plugin called "WP-antymalwary-bot.php" that targets WordPress websites. Once the plugin is activated, it grants attackers administrative access, allows remote code execution, and can hide itself from the WordPress admin dashboard. Its features include code that notifies a command-and-control server, spreads malware into other site directories, and injects malicious JavaScript for ad delivery. The malware has evolved to fetch JavaScript from other compromised domains to serve intrusive ads or spam, and it includes a malicious wp-cron.php file for self-reactivation. Russian-language elements in the malware suggest that the threat actors are likely Russian-speaking. Separate reports from Sucuri and Trustwave described related web threats, including skimmers on e-commerce sites and deceptive CAPTCHA verifications that drop Node.js-based backdoors. It remains unclear how attackers gain initial access to victim sites, which leaves WordPress users facing an ongoing threat. |
| 2025-05-01 13:17:36 | theregister | NATION STATE ACTIVITY | Chris Krebs Stripped of Global Entry Amid Trump Dispute | Chris Krebs, former CISA director, had his Global Entry membership revoked following a feud with President Trump regarding the 2020 election security. Trump has accused Krebs of hiding evidence of electoral fraud and has extended his retaliation to Krebs' professional life, intertwining criminal investigations and security clearances. Global Entry, a program facilitating expedited U.S. entry for pre-approved, low-risk travelers, was withdrawn from Krebs as a consequence of these accusations and investigations. The event is considered by many, including Krebs and cybersecurity community figures, as a vindictive act by Trump to undermine those who contradict his narrative of the 2020 election. An open letter from the Electronic Frontier Foundation and other cybersecurity leaders has implored Trump to cease his detrimental campaign against Krebs, seeing it as a threat to national security and professional integrity in cybersecurity. Krebs announced his resignation from SentinelOne, where he was employed, to focus fully on fighting these accusations, which he views as a broader battle for democratic principles and the rule of law. The incident has heightened discussions within the cybersecurity and political communities regarding the consequences of political influence over factual reporting and professional conduct in security matters. |
| 2025-05-01 11:30:45 | thehackernews | MISCELLANEOUS | Why SOC Teams Are Transitioning to Network Detection and Response | SOC teams are shifting from traditional cybersecurity measures to Network Detection and Response (NDR) due to the ability of advanced adversaries to evade endpoint defenses and signature-based systems. NDR solutions enhance security by providing multi-layered detection strategies, analyzing raw network traffic, and identifying malicious activities and anomalies that may be missed by other tools. The adoption of NDR helps address several challenges, including increasing attack surfaces due to cloud adoption and IoT proliferation, encryption that renders traditional inspection ineffective, and the unmanageable proliferation of devices. NDR offers a complementary approach to existing security technologies, providing a robust record of network communications that is difficult for attackers to manipulate, thus aiding accurate threat detection and forensic investigations. The cybersecurity workforce shortage is prompting organizations to adopt NDR to maximize analyst effectiveness by reducing alert fatigue and accelerating investigations through high-fidelity detections and rich context. NDR solutions support compliance with stringent regulatory requirements by providing detailed forensic evidence and comprehensive audit trails necessary for rapid incident notification and documentation. As cybersecurity threats become more sophisticated, the adoption of NDR is accelerating, providing essential visibility into network communications to detect and respond effectively to threats in modern complex IT environments. Corelight, a leading provider of NDR solutions based on the open-source Zeek network monitoring platform, advocates for comprehensive network visibility and advanced NDR capabilities to address security blind spots exploited in major breaches. |
| 2025-05-01 11:09:23 | thehackernews | NATION STATE ACTIVITY | AI Chatbot Manipulated to Build Political Influence Globally | Anthropic's Claude AI chatbot was misused by unknown entities to create over 100 fake political personas on Facebook and X, engaging with tens of thousands of genuine accounts. The operation aimed to amplify moderate political views to influence public opinion and policy in Europe, Iran, the UAE, and Kenya. Diverse narratives were pushed, including promoting the UAE's business environment, critiquing European energy policies, and supporting or criticizing political figures in various countries. This orchestrated campaign used Claude not just for generating content, but also for strategic interactions such as commenting, liking, or resharing posts to simulate authentic social behavior. The campaign featured sophisticated persona management via a structured JSON-based approach, enabling systematic tracking and engagement across multiple accounts. It demonstrated new tactics in digital influence, such as using humor and sarcasm to counter accusations of being bots. Anthropic highlighted the potential for AI to simplify the execution of complex influence operations, suggesting a future increase in such activities. The report also noted other misuses of Claude, including using AI to scrape and brute-force security data, indicating a broader range of cyber threats facilitated by AI technologies. |
| 2025-05-01 10:18:05 | theregister | RANSOMWARE | British Library's Ransomware Disclosure Approach Praised by ICO | The UK's Information Commissioner's Office (ICO) has opted not to pursue further investigation into the British Library's 2023 ransomware attack. The decision was based on current priorities and resource allocation, despite the severity of the incident, which was caused by a lack of Multi-Factor Authentication (MFA) on an admin account. The British Library was commended for its transparency and comprehensive communication during recovery from the ransomware attack. In March 2024, the library published an in-depth review of the attack, sharing valuable insights about its IT vulnerabilities and the corrective steps taken post-incident. The ICO has expressed approval of the Library's ongoing efforts to enhance data security and its proactive measures to educate other organizations on cybersecurity. Meanwhile, the ICO is facing internal challenges with resource constraints and a significant backlog in complaint resolutions, impacting overall performance. The ICO is currently hiring and implementing significant digital and process changes to improve efficiency and response times to complaints. |
| 2025-05-01 09:49:51 | thehackernews | MISCELLANEOUS | Over 95% of Application Security Alerts are Non-Critical | OX Security's 2025 Application Security Benchmark Report indicates that 95-98% of application security (AppSec) alerts are unnecessary noise whose remediation does not reduce risk. Despite improved detection capabilities from more sophisticated tools, the sheer volume of security alerts has led to alert fatigue and inefficiency within security teams. Security teams often spend considerable resources addressing vulnerabilities that pose little to no threat, diverting attention from genuine security risks. Significant organizational resources are wasted on unnecessary vulnerability fixes, affecting both budgets and development timelines. The report advocates a prioritization-based approach to AppSec, emphasizing strategies that apply evidence-driven prioritization from code design through to runtime. OX Security introduces Code Projection technology, designed to improve contextual understanding and dynamic risk prioritization by mapping cloud and runtime elements back to their code origins. The findings underscore the inefficacy of current detection-only models in application security and propose a shift to prioritization to manage real threats effectively amid the noise of non-critical alerts. |
| 2025-05-01 09:28:16 | thehackernews | NATION STATE ACTIVITY | Sophisticated Cyber Attacks Target Russia and Ukraine's Key Sectors | A comprehensive phishing campaign has been distributing the DarkWatchman malware across various Russian industries, including media, tourism, finance, and energy. The financially motivated group Hive0117, known for its past activities in the Baltic region, has been identified as the orchestrator of these attacks. Enhanced versions of DarkWatchman demonstrate advanced evasion techniques, using JavaScript for malicious activities such as keylogging and deploying secondary payloads. A new threat, the Sheriff backdoor, specifically targets Ukraine's defense sector and is distributed through compromised local news portals. Sheriff is capable of executing remote commands, taking screenshots, and covertly exfiltrating data while maintaining a low detection footprint for prolonged espionage. IBM links technical elements of the Sheriff backdoor to known malware families such as Turla's Kazuar, suggesting threat actor cooperation or development overlap. Ukraine experienced a significant increase in cyber incidents in 2024, although the severity of these incidents decreased considerably. |
| 2025-05-01 08:18:45 | thehackernews | NATION STATE ACTIVITY | Commvault Discloses Nation-State Exploitation of Zero-Day in Azure | Commvault has confirmed a breach of its Microsoft Azure environment by an unidentified nation-state actor exploiting CVE-2025-3928. The zero-day vulnerability was used to access the environment, though no unauthorized data access or customer data theft occurred. Immediate security enhancements and credential rotation were implemented following detection of the breach. The U.S. CISA has added CVE-2025-3928 to its known exploited vulnerabilities catalog, urging patching by May 19, 2025. Commvault advises customers to implement Conditional Access policies, rotate secrets, and monitor sign-ins to prevent further exploitation. Commvault also advised blocking and monitoring specific IP addresses linked to the malicious activity. |
| 2025-05-01 06:24:54 | thehackernews | CYBERCRIME | SonicWall Reports Active Exploitation of Security Flaws in Appliances | SonicWall has confirmed the active exploitation of two security flaws in its SMA100 Secure Mobile Access appliances. Affected models include SMA 200, 210, 400, 410, and 500v, with patches already issued for these vulnerabilities. The exploited vulnerabilities could potentially allow unauthorized file access and session hijacking. SonicWall has urged customers to check their SMA devices for any signs of unauthorized access. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a related SonicWall SMA 100 Series vulnerability to its KEV catalog due to evidence of active exploitation. There are no specific details available yet on the attackers, the targeted entities, or the full impact of the exploitation. |
| 2025-05-01 00:34:27 | bleepingcomputer | NATION STATE ACTIVITY | Advanced Persistent Threat Utilizes IPv6 for Malicious Software Updates | A China-aligned hacker group, "TheWizards," has been actively exploiting an IPv6 feature to perform adversary-in-the-middle (AitM) attacks targeting software updates. The group employs a custom malware tool, "Spellbinder," which hijacks the IPv6 Stateless Address Autoconfiguration (SLAAC) protocol to reroute traffic to attacker-controlled servers. Victims span various countries including the Philippines, Cambodia, UAE, China, and Hong Kong, affecting individuals and organizations, including gambling companies. The attacks primarily target Windows environments, where Spellbinder intercepts and manipulates network traffic to force devices to connect to malicious domains instead of legitimate update servers. These activities lead to installation of the "WizardNet" backdoor, which provides persistent access and enables further malware deployment on compromised devices. ESET, the cybersecurity firm that provided the detailed analysis, suggested monitoring or disabling IPv6 traffic where it is not essential to mitigate such threats. Similar tactics were identified earlier in the year by another hacking group exploiting WPS Office update features, underscoring a broader trend of attacks targeting software update mechanisms. |
| 2025-04-30 23:34:14 | theregister | MISCELLANEOUS | Ex-NSA Chief Discusses AI's Emerging Role in Cybersecurity | Former NSA cybersecurity director Rob Joyce predicts AI will soon excel at finding bugs and developing exploits. Joyce noted AI's capabilities are advancing quickly, with AI models already outperforming humans in coding competitions. During recent capture-the-flag contests, AI-powered teams performed comparably to human teams, showcasing significant problem-solving abilities. AI is expected to enhance both offensive and defensive cyber operations by automating tasks and scaling operations. LLMs (large language models) are aiding in the creation of more sophisticated and culturally relevant phishing campaigns. AI's role in defense was also highlighted, with examples of AI performing complex code reverse-engineering significantly faster than human counterparts. Joyce shared insights on an unconventional ransomware attack on a Linux-based video camera, showcasing criminal adaptability in bypassing security measures. |
| 2025-04-30 21:07:27 | bleepingcomputer | MALWARE | Malicious WordPress Plugin Masks as Security Tool, Injects Malware | A new malware campaign targets WordPress websites using a deceptive plugin that pretends to be a security enhancement. Once installed, the plugin gives attackers persistent site access, the ability to execute code remotely, and JavaScript injection while avoiding detection. Wordfence researchers discovered altered WordPress core files that automatically recreate the malicious plugin if it is deleted. The entry point for the infection is believed to be compromised hosting accounts or FTP credentials, though the exact method remains unclear. The malware provides unauthorized administrator access and can modify site content by embedding PHP code or malicious JavaScript in site headers. Warning signs of infection include specific changes to the 'wp-cron.php' and 'header.php' files, and suspicious administrator actions traceable via access logs. The command-and-control server for this malware is based in Cyprus, with operational characteristics similar to previously seen supply chain attacks. |
| 2025-04-30 19:09:21 | theregister | NATION STATE ACTIVITY | Ex-CISA Chief Criticizes Budget Cuts and Loyalty Demands Under Trump | Jen Easterly, former head of CISA, highlighted the negative impact of budget and personnel cuts on U.S. cyber defense at an RSA Conference event. Easterly criticized the prioritization of loyalty to President Trump over allegiance to the U.S. Constitution within the agency. She asserted that cybersecurity is an imperative national security issue, urging that it remain non-partisan. The cutbacks are seen as diminishing America's ability to combat evolving and serious cyber threats, including those from state actors. CISA's role in election security, which represents a small fraction of the overall budget, was defended as vital to protecting the integrity of U.S. elections. Claims against former CISA director Chris Krebs by Trump were cited as examples of the administration's undermining of truthful election security information. Easterly expressed concerns over the long-term impacts on national security due to the weakening of CISA's operational capabilities. |