Daily Brief


Total articles found: 12797

Checks for new stories every ~15 minutes

2025-04-09 21:06:56 bleepingcomputer CYBERCRIME Hackers Exploit SSRF Bugs to Steal AWS Credentials from EC2
Researchers at F5 Labs identified a campaign targeting Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on Amazon EC2. By exploiting these SSRF flaws, the attackers queried the IMDSv1 endpoint and extracted EC2 instance metadata, including IAM credentials. With those credentials an attacker could access and manipulate AWS services such as S3 buckets, creating a risk of data exposure and service disruption. The activity was concentrated between March 13 and 25, 2025, and was traced to specific IP addresses in France and Romania. The attackers worked systematically, rotating query parameters and URL subpaths to extract data from the targeted instances. F5 Labs noted that older vulnerability classes continue to be exploited widely and stressed the need for timely patching and hardening of existing systems. The incident underscores the value of moving from IMDSv1 to IMDSv2, whose session-token requirement blocks this kind of SSRF-based credential theft.
2025-04-09 20:38:36 theregister DATA BREACH Major Data Security Breach Confirmed at U.S. Banking Regulator
A serious security breach at the Office of the Comptroller of the Currency (OCC) led to unauthorized access to sensitive financial oversight data. The breach came to the OCC's attention on February 11, after Microsoft alerted the agency to suspicious activity in its email systems. The compromised administrative email account had access to highly sensitive financial data used in examinations and supervisory oversight of federally regulated financial institutions. Immediate actions included disabling the compromised account and engaging third-party forensic teams to determine the extent of data theft. The intrusion involved unauthorized access to non-public information and controlled unclassified information, including personally identifiable information. The Department of the Treasury had linked a similar past incident to Chinese government agents, although no official attribution has been made for this breach. Acting Comptroller Rodney Hood stressed the importance of a robust investigation to rectify vulnerabilities and address the oversight failures that led to the breach.
2025-04-09 19:20:07 bleepingcomputer DATA BREACH Oracle Confirms Credential Leak from Obsolete Servers
Oracle acknowledged a recent incident involving the theft of credentials from two outdated servers, but stressed that its Oracle Cloud infrastructure remains unbreached. The company stated that the old servers were not part of its current cloud services, indicating that customer data and cloud functionality were not compromised. The compromised data included user names, but passwords were protected through encryption or hashing, preventing the hacker from obtaining usable credentials. Despite Oracle's reassurance, cybersecurity experts point to the distinction between "Oracle Cloud" and "Oracle Classic", suggesting that older cloud services were indeed affected. A serious inconsistency was observed when details provided by the hacker included data timestamps extending as late as 2025, raising concerns about the scope of the leaked information. Following the leak, Oracle emphasized that no Oracle Cloud customer environments or data were accessed and that the services continue to operate securely. Additional breaches reported include an attack on Oracle's Gen 1 servers, leading to the malicious installation of web shells and data theft from its Identity Manager database. Oracle also dealt with a separate breach at a SaaS entity formerly known as Cerner, now Oracle Health, which impacted sensitive patient data across several healthcare facilities in the U.S.
2025-04-09 16:09:43 bleepingcomputer CYBERCRIME Critical Flaw in FortiSwitch Permits Remote Password Changes
Fortinet has addressed a critical vulnerability, CVE-2024-48887, in FortiSwitch devices that allows remote password changes. The flaw, discovered internally by the FortiSwitch web UI development team, is rated 9.8/10 in severity and can be exploited without user interaction. An attacker can change admin credentials remotely via a specially crafted request to the set_password endpoint. Affected versions range from FortiSwitch 6.4.0 to 7.6.0; patches are available in versions 6.4.15, 7.0.11, 7.2.9, 7.4.5, and 7.6.1. As a temporary measure, Fortinet recommends disabling 'HTTP/HTTPS Access' and restricting access to trusted hosts only. Fortinet also released patches for other vulnerabilities on the same day, including an OS command injection flaw in FortiIsolator and multiple other flaws in different Fortinet products. Historical context: Fortinet has previously been targeted by attackers, with vulnerabilities exploited in the wild, including zero-day attacks in ransomware incidents.
2025-04-09 15:41:20 bleepingcomputer DATA BREACH Zero-Day Vulnerability in CentreStack Leads to Data Breaches
Hackers have exploited a zero-day vulnerability in Gladinet CentreStack's file-sharing software since March, impacting secure storage servers globally. The exploited flaw, identified as CVE-2025-30406, is a deserialization issue: by bypassing ASP.NET ViewState integrity checks, an attacker can have the server deserialize attacker-controlled objects and execute malicious code. Versions up to 16.1.10296.56315 are affected. Gladinet has issued patches in newer versions to address the flaw and advised users to update immediately or, as an interim measure, rotate their keys. The vulnerability has been added to CISA's Known Exploited Vulnerabilities catalog due to its active exploitation in the wild. The exploitation techniques tied to the vulnerability resemble methods previously used by the Clop ransomware gang against other secure file transfer systems. Federal mandates require affected organizations to apply the security updates by April 29, 2025, or discontinue use of the product. Such threats highlight the ongoing risk to enterprises relying on file-sharing systems and the importance of timely updates and robust cybersecurity practices.
2025-04-09 14:32:22 thehackernews CYBERCRIME AI Tools Weaponized for Credential Scamming: Guardio Labs Report
The Lovable AI platform was identified as highly exploitable for creating phishing pages designed to steal credentials. The so-called VibeScamming technique allows cybercriminals to produce lookalike websites mimicking legitimate login pages such as Microsoft's sign-in. Generative AI tools can automate the attack cycle, from hosting phishing pages to managing stolen data. Recent AI advances lower the technical barrier, enabling attackers with minimal coding knowledge to create sophisticated malware. Security firm Guardio Labs introduced the VibeScamming Benchmark to assess AI models' susceptibility to phishing abuse. OpenAI's ChatGPT showed more resistance to misuse than the other models tested, scoring higher on the benchmark. The findings highlight the potential misuse of AI in cybersecurity threats and call for stronger AI guardrails and monitoring systems.
2025-04-09 14:15:28 bleepingcomputer CYBERCRIME AI-Enhanced Vishing Attacks Threaten Business Security
Recent AI-powered vishing attacks impersonated the Italian Defense Minister to trick wealthy entrepreneurs into making fraudulent transfers. Vishing, or voice phishing, uses phone calls to deceive victims, with AI technology now enabling highly convincing voice cloning. Tools like Google DeepMind's WaveNet allow scammers to replicate human speech patterns, making scams more difficult to detect. These AI-enhanced attacks typically target banks, governmental agencies, and corporate executives, exploiting trust and urgency. Verizon’s report highlights that stolen credentials from such attacks contribute to a significant percentage of data breaches. Businesses and individuals are advised to implement strong authentication measures and train employees to recognize these sophisticated scams. The MGM Resorts data breach exemplifies the potential consequences of vishing, as attackers bypassed security checks leading to significant financial and operational damage. Enhanced security protocols and awareness training at service desks are vital to defend against these emerging cyber threats.
2025-04-09 13:58:37 bleepingcomputer CYBERCRIME Phishing Tactics Evolve to Outsmart Traditional Security Measures
Phishing perpetrators are utilizing a sophisticated technique called 'Precision-Validated Phishing', targeting only specific, validated email addresses with phishing content. This new approach helps malicious actors avoid detection by traditional security methods by displaying phishing content only to pre-determined, high-value targets. Email security firm Cofense has noted a significant challenge posed by this tactic, as it renders common research methods, like using control or fake email addresses to analyze phishing infrastructure, ineffective. The technique either utilizes third-party email verification services to check the validity of an email in real-time or employs custom JavaScript that confirms whether the email is on a predetermined target list. When an email address isn't recognized as a target, the phishing site redirects the user to a harmless webpage, which complicates detection efforts by security tools. Moreover, some phishing sites now send a validation code or link to the victim’s email to proceed, further limiting the effectiveness of security analysts' traditional tactics. As a result, there is a call for cybersecurity defenses to adapt by integrating behavioral fingerprinting and real-time threat intelligence to effectively counter these evolved phishing strategies.
2025-04-09 13:42:21 bleepingcomputer MALWARE Operation Endgame Advances: Multiple Smokeloader Botnet Customers Detained
Law enforcement has detained at least five individuals linked to the Smokeloader botnet as part of the ongoing Operation Endgame. The operation initially resulted in the seizure of over 100 servers used by major malware groups, including Smokeloader. Europol revealed that the continued effort involves analyzing data from the seized servers to track down purchasers of these malicious services. Smokeloader, managed by a threat actor known as 'Superstar', was a pay-per-install service offering remote access to infected computers. The botnet was used for diverse cybercrimes, including deploying ransomware, cryptocurrency mining, accessing webcams, and keystroke logging. Some detained suspects have cooperated with authorities, permitting the examination of digital evidence on their personal devices. Europol has established a dedicated website and released animated videos to improve the public's understanding of the ongoing operations, and is encouraging anyone with relevant information to contact it through the Operation Endgame website, which is also available in Russian.
2025-04-09 12:05:21 theregister MISCELLANEOUS Google Unveils GUS to Compete in Enterprise Security Market
Google has launched a new security platform named Google Unified Security (GUS) to enhance its position in the enterprise security market, competing directly with Microsoft. GUS integrates Google’s existing security operations, cloud security services, and Chrome Enterprise, and adds new AI-driven agents to improve security alert management and malware analysis. The platform's introduction follows significant acquisitions by Google, including Wiz for $32 billion and Mandiant for $5.4 billion, signaling Google's escalation in the cloud-based security sector. Wiz’s technology, especially its Cloud-Native Application Protection Platform (CNAPP), enables multi-cloud security capabilities, crucial for Google to service both its own and other public cloud users effectively. Analysts view these moves as Google’s strategy to not only match but potentially exceed Microsoft's security offerings by integrating various security functions. Gartner Research indicated that although Google’s current security sales are considerably less than Microsoft’s, these strategic acquisitions position Google for substantial market growth. The integration offered by GUS aligns with strategies used by major players like Microsoft, aiming to make Google a more comprehensive security solution provider in the enterprise domain. With these expanded capabilities and strategic acquisitions, Google aims to boost its security revenues and provide enhanced security solutions across its cloud services.
2025-04-09 11:45:40 thehackernews MALWARE New TCESB Malware Targets ESET Security Flaw in Sophisticated Attack
A Chinese-affiliated threat actor exploited a flaw in ESET security software to deploy the TCESB malware, which had not been seen in earlier attacks. The malware abuses the ESET Command Line Scanner through DLL search order hijacking, impersonating the legitimate Microsoft DLL "version.dll". Kaspersky analysts found the suspicious DLL in the temporary directories of multiple devices and traced its malicious activity back to early 2024. The vulnerability, CVE-2024-11859 with a CVSS score of 6.8, was addressed by ESET in late January 2025 after responsible disclosure. TCESB modifies kernel structures to disable system notification routines and installs a vulnerable Dell driver via BYOVD to escalate privileges. Continuous monitoring for the installation of known vulnerable drivers and for unexpected kernel debugging activity is recommended to detect similar threats. ESET's security updates have been applied to its consumer, business, and server products for Windows to mitigate this risk.
2025-04-09 10:32:54 thehackernews DATA BREACH Non-Human Identities Dramatically Increase Security Risks in Software
GitGuardian's 2025 report reveals a 25% increase in exposed secrets on GitHub, totaling 23.77 million in 2024. Non-human identities, such as service accounts and AI agents, now outnumber human identities 45-to-1 in DevOps, increasing exposure. Seventy percent of secrets detected in 2022 are still active, indicating a failure in credential management and rotation. Private repositories, previously thought safer, contain significantly more exposed secrets than public ones. AI tools like GitHub Copilot are exacerbating the problem by promoting faster coding at the expense of security. Over 100,000 valid secrets from Fortune 500 companies were found exposed in public Docker images on Docker Hub. Collaboration tools such as Slack and Jira are emerging as key vectors for critical credential leaks, often lacking adequate security controls. Despite the adoption of secret management tools, a 5.1% leakage rate suggests that a holistic approach to secret lifecycle management is urgently needed.
2025-04-09 09:15:35 thehackernews CYBERCRIME Critical Remote Code Execution Vulnerability in CentreStack Patched
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a significant security flaw in Gladinet CentreStack to its Known Exploited Vulnerabilities catalog. The identified vulnerability has a CVSS score of 9.0 and relates to a hard-coded cryptographic key that may allow remote code execution. Specifically, the vulnerability, designated as CVE-2025-30406, involves the incorrect management of a "machineKey" used in the IIS web.config file, which can be exploited to forge ViewState payloads for server-side deserialization. Active exploitation of this flaw has been observed in the wild, with the initial exploit occurring as a zero-day in March 2025. Gladinet has issued an advisory and released a fix in the CentreStack version 16.4.10315.56368 on April 3, 2025. They have recommended immediate patching or, alternatively, rotating the machineKey value as a temporary measure. Details regarding the attackers' identities, their methods of exploitation, and the specific targets remain undisclosed.
2025-04-09 08:13:16 thehackernews MALWARE PipeMagic Trojan Targets Global Sectors with Ransomware via Zero-Day
Microsoft patched a zero-day vulnerability in the Windows Common Log File System (CLFS), identified as CVE-2025-29824, which was exploited to deploy ransomware. The exploitation targeted diverse sectors across multiple countries, including IT and real estate in the US, finance in Venezuela, a software company in Spain, and retail in Saudi Arabia. The malware, named PipeMagic, is a trojan that uses a malicious MSBuild file with an encrypted payload, gaining SYSTEM privileges upon successful execution. The threat actors used the certutil utility to download PipeMagic from a compromised legitimate third-party site, although the initial access vector remains unknown. This is the second Windows zero-day vulnerability associated with PipeMagic, following a similar exploit patched by Microsoft previously. The attack process includes overpowering system processes, extracting user credentials, and encrypting files, leaving behind a ransom note linked to the RansomEXX family. Microsoft continues to monitor and analyze these attacks but was unable to retrieve a sample of the ransomware for further analysis.
2025-04-09 07:11:54 thehackernews MALWARE Microsoft Addresses 126 Vulnerabilities, EoP Exploit Detected
Microsoft has released patches for 126 vulnerabilities, with one actively exploited EoP flaw in the Windows CLFS Driver. The actively exploited vulnerability, identified as CVE-2025-29824, allows attackers to escalate privileges without needing administrative access. Out of the total vulnerabilities, 11 are deemed Critical, 112 Important, and two Low; the vulnerabilities include remote code execution and DoS bugs. CVE-2025-29824 has been tied to ransomware attacks and has been listed in the U.S. CISA's Known Exploited Vulnerabilities catalog. Some vulnerabilities, including critical remote execution flaws in Microsoft Office and Windows services, require urgent patching. Microsoft is yet to release patches for several critical vulnerabilities for Windows 10. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to apply necessary fixes by April 29, 2025. Other security updates from different vendors have also been released to address various vulnerabilities recently.