Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 12797

Checks for new stories every ~15 minutes

Title Summary
2025-04-08 11:05:03 thehackernews MISCELLANEOUS Agentic AI Revolutionizes Security Operations Center Efficiency
Agentic AI handles alert triage and investigations autonomously inside the Security Operations Center (SOC), working through alerts the way an experienced analyst would. Unlike assistant-style AI tools that still need a human to direct each step, it acts on its own, which raises throughput and consistency. Taking over high-volume, repetitive work reduces analyst fatigue and burnout, and because every alert gets the same depth of investigation and is prioritized on actual risk indicators rather than raw severity, fewer real incidents slip through. The article argues this brings cost savings, better use of staff and improved security outcomes, and gives SOC teams the capacity to absorb growing alert volumes without hiring, which matters given the ongoing skills shortage. Security leaders evaluating agentic AI are advised to favor solutions that are transparent about their reasoning, adapt to the environment they are deployed in, and keep humans in control of final decisions.
2025-04-08 10:17:15 thehackernews MALWARE Ukraine Targeted by GIFTEDCROOK Malware Via Phishing Emails
CERT-UA has warned of a phishing campaign against Ukrainian institutions that distributes macro-enabled Excel files and is linked to the UAC-0226 cluster. Once a recipient enables the macros, the file deploys GIFTEDCROOK, a browser-data stealer that collects cookies, browsing history and saved authentication data from Chrome, Edge and Firefox, alongside a PowerShell script copied from a public GitHub repository. No browser exploit is involved: the macro is the only execution vector, so the attachments are inert until macros are enabled. Email subjects reference sensitive Ukrainian topics to get the files opened. CERT-UA has not attributed the activity to a specific country, though it overlaps with other suspicious activity suspected to involve Russia. The advisory also notes related phishing activity in which attackers leveraged victims' own resources, including mapped file systems and Remote Desktop Protocol connections. Recent related activity includes delivery of Legion Loader through fake CAPTCHA pages that trick users into installing browser extensions that harvest their data. Cybersecurity agencies worldwide continue to document and respond to these phishing techniques, which remain effective and call for sustained vigilance.
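The campaign above depends on a recipient enabling VBA macros in an Excel attachment. As an added example, not taken from CERT-UA's advisory or the article, the following Python flags an Excel attachment that carries a VBA project before it reaches a mailbox. The sample workbooks it tests against are constructed in memory and are not real campaign files. It checks for the conventional `xl/vbaProject.bin` part and, separately, for the VBA content type declared in `[Content_Types].xml`, since the part name alone is not a reliable signal.

```python
import io
import zipfile

# Compound File Binary (OLE2) header: legacy .xls workbooks start with this.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type Excel declares for an embedded VBA project in OOXML files.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_excel_attachment(data: bytes) -> str:
    """Classify raw attachment bytes.

    Returns one of:
      'ooxml-macro'  - OOXML workbook carrying a VBA project (block or sandbox it)
      'ooxml-clean'  - OOXML workbook with no VBA project found
      'ole2-binary'  - legacy binary workbook; macros cannot be ruled out here
      'not-excel'    - not a workbook this check understands
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2-binary"
    if not data.startswith(b"PK"):          # OOXML files are zip containers
        return "not-excel"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            if "xl/workbook.xml" not in names:
                return "not-excel"
            # Conventional location of the VBA project.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "ooxml-macro"
            # The part may be renamed; the content-type override still gives it away.
            content_types = ""
            if "[Content_Types].xml" in names:
                content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in content_types:
                return "ooxml-macro"
            return "ooxml-clean"
    except zipfile.BadZipFile:
        return "not-excel"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML workbook for demonstration; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ct = '<Types><Default Extension="xml" ContentType="application/xml"/>'
        if with_macro:
            ct += '<Override PartName="/xl/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE
        ct += "</Types>"
        z.writestr("[Content_Types].xml", ct)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr("xl/vbaProject.bin", b"\x00placeholder-vba-stream")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("macro", build_sample(True)), ("clean", build_sample(False))):
        print(label, "->", classify_excel_attachment(sample))
```

The check deliberately does not trust the file extension: a renamed `.xlsm` still contains the VBA project, and that is what the scan keys on. It does not detect Excel 4.0 (XLM) macros, which live in sheet XML rather than a VBA project, and it does not parse legacy OLE2 workbooks at all; for both of those, run the file through a dedicated analyzer such as olevba from the oletools project.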
2025-04-08 08:15:39 thehackernews CYBERCRIME Critical CrushFTP Vulnerability Actively Exploited, Agencies Urged to Patch
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-31161, a critical (CVSS 9.8) authentication bypass in CrushFTP, to its Known Exploited Vulnerabilities (KEV) catalog. Unauthenticated attackers can use it to take over unpatched instances; the fix shipped in CrushFTP 10.8.4 and 11.3.1, so any earlier 10.x or 11.x build should be treated as exposed. The flaw first circulated under CVE-2025-2825, an identifier assigned without the vendor's coordination, before the correct CVE was issued, and the disclosure was marked by public disagreement between the parties involved. Outpost24, which reported the flaw, had agreed a 90-day disclosure window with CrushFTP and has kept technical detail minimal to avoid aiding attackers, but in-the-wild exploitation was confirmed regardless, with intruders running commands, installing malware and harvesting credentials on compromised servers. As of the latest scans, 815 internet-exposed instances remain unpatched, concentrated in North America and Europe. Federal Civilian Executive Branch (FCEB) agencies are required to apply the patch by April 28, 2025.
2025-04-08 04:14:18 thehackernews MALWARE Google Patches Android for Critical In-Wild Vulnerabilities
Google's April 2025 Android security bulletin patches 62 vulnerabilities, two of which have been exploited in the wild. Both are local privilege-escalation bugs in Linux kernel USB drivers that need no additional privileges or user interaction but do require physical access to the device over USB, which is exactly how they were used: CVE-2024-53197 (USB-audio driver) was chained with CVE-2024-53104 (USB Video Class driver) and CVE-2024-50302 (HID driver) to unlock a Serbian youth activist's phone in December 2024. The kernel fix for CVE-2024-53197 already existed upstream in Linux; Android backported the fix for CVE-2024-53104 in February 2025 and for CVE-2024-50302 in March 2025, and this update closes the last link in the chain. Patched code reaches Pixel devices first; users of other vendors' devices should install the April patch level as soon as their OEM ships it.
2025-04-08 01:33:09 theregister NATION STATE ACTIVITY U.S. Cybersecurity Faces Setbacks as CISA Personnel Cuts Loom
Significant reductions at the Cybersecurity and Infrastructure Security Agency (CISA) are underway, potentially cutting nearly 40% of its workforce. Homeland Security Secretary Kristi Noem spearheads these cutbacks, undermining public-private cybersecurity collaboration efforts and coordination with local agencies. Previous key advisory boards and committees within Homeland Security that addressed cybersecurity threats and information sharing have been dissolved. In March, CISA underwent a firing and subsequent rehiring of employees following a court order, along with a budget cut to essential threat detection services for state and local governments. The personnel and budget cuts are likely to weaken U.S. cyber defenses by reducing threat-hunting teams and diminishing the nation’s capacity to counter foreign cyber threats effectively. It is feared that these actions will severely impair the sharing of threat intelligence between government and private sectors, limiting the response to cyber attacks and technological advisement. Recent congressional discussions highlight CISA’s understaffing issue and the critical need for a robust capability to collect and disseminate threat intelligence across various sectors. The elimination of Sector Coordinating Councils further compounds the collaboration challenges between the government and critical infrastructure entities.
2025-04-08 00:11:49 theregister CYBERCRIME Oracle Admits Cloud Compromise After Initial Denial
Oracle has now told affected customers that data was stolen from its cloud environment, after initially denying any breach. The incident surfaced when an actor using the alias "rose87168" offered six million records for sale, claiming they came from Oracle cloud servers; researchers who examined samples found them genuine, and they included private keys and encrypted credentials. The intrusion has been tied to an Oracle Access Manager instance left unpatched against CVE-2021-35587, a years-old flaw with a long-available fix. Oracle brought in CrowdStrike for the response (CrowdStrike has not commented), and the FBI is investigating. The stolen credentials range from long-expired to ones current as of 2024, so affected tenants should rotate them rather than assume they are stale. A lawsuit over the breach has been filed in Texas; a separate, still undisclosed incident affects Oracle Health. Depending on the data involved, GDPR and HIPAA breach-notification obligations apply, exposing Oracle to significant fines if it fails to meet them.
2025-04-07 21:41:05 bleepingcomputer CYBERCRIME Notorious Hacker Swings Between Cybercrime and Security Research
EncryptHub, a threat actor tied to breaches at 618 organizations, has also been reporting Windows vulnerabilities to Microsoft, which fixed the reported bugs in its March 2025 updates. Outpost24 connected EncryptHub to the researcher alias SkorikARI after the actor infected himself with his own malware and leaked his credentials. Supporting evidence includes password files and matching activity on GitHub and freelance sites. He used ChatGPT both as a development aid and as a sounding board, asking it whether he counted as a black hat or a white hat and discussing future hacks. Repeated operational security failures, not a lack of skill, exposed his personal details and activities. He combines cybercrime with freelance development and bug reporting to major vendors, and the ChatGPT conversations show a persistent conflict over which of those identities he holds.
2025-04-07 20:19:34 theregister CYBERCRIME Massive GitHub Supply Chain Attack Traced to Stolen Token
Palo Alto Networks Unit 42 has traced the March supply chain attack on the tj-actions/changed-files GitHub Action to a Personal Access Token (PAT) stolen from a SpotBugs maintainer in November 2024, months earlier than first believed. The token was leaked through a SpotBugs GitHub Actions workflow, then used to gain write access to the reviewdog project, on which tj-actions depends; poisoning reviewdog gave the attackers a foothold in tj-actions, and in mid-March they pushed code that dumped CI secrets such as API keys and passwords into build logs. More than 23,000 repositories that used tj-actions/changed-files were affected. Unit 42 describes a patient, multi-stage operation in which the attackers erased traces of their activity along the way; the motive and full scope remain unclear and the investigation is ongoing.
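The chain above worked because a mutable reference (a tag or branch) to a third-party action can be repointed at attacker-controlled code once a maintainer's token is stolen, and every workflow that follows the tag then runs that code with its own secrets. Pinning to a full commit SHA removes that lever. As an added example, not from The Register's article or Unit 42's analysis, the following Python scans a workflow file for `uses:` references that are not pinned to a 40-hex commit SHA, and for references to the action named in the incident. The workflow text and the SHA inside it are constructed for the demonstration and do not correspond to any real repository state.

```python
import re

# Constructed sample workflow (not from any real repository). Two steps use a
# mutable tag; one uses a made-up 40-hex SHA, which is the form to aim for.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887  # hypothetical SHA
      - run: echo "${{ secrets.NPM_TOKEN }}"
"""

# Actions named in the incident described above; extend with your own watchlist.
WATCHLIST = {"tj-actions/changed-files"}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Return (action, ref) for every `uses:` step in the workflow text.

    Local actions (./path) and docker:// images are skipped: neither has a git ref
    that SHA pinning applies to.
    """
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        if "@" not in target:
            refs.append((target, ""))       # no ref at all: default branch, worst case
            continue
        action, ref = target.rsplit("@", 1)
        refs.append((action, ref))
    return refs


def find_unpinned(workflow_text):
    """Actions referenced by tag, branch or nothing instead of a full commit SHA."""
    return [(a, r) for a, r in parse_uses(workflow_text) if not SHA_RE.match(r)]


def find_watchlisted(workflow_text):
    """Actions on the watchlist, regardless of how they are pinned."""
    return sorted({a for a, _ in parse_uses(workflow_text) if a in WATCHLIST})


if __name__ == "__main__":
    for action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref or '<default branch>'}")
    for action in find_watchlisted(SAMPLE_WORKFLOW):
        print(f"watchlisted: {action}")
```

Run it over every file under `.github/workflows/` and treat each unpinned hit as a finding. A SHA pin in your own workflow does not pin what that action calls in turn, which is how reviewdog reached tj-actions; the same scan applied to the `action.yml` of any composite action you depend on closes that gap, and a watchlist hit warrants rotating every secret the affected workflow could read, since the attack here exfiltrated secrets through build logs rather than touching the repository itself.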
2025-04-07 19:00:38 bleepingcomputer CYBERCRIME Six Arrested in $20 Million AI-Enhanced Cryptocurrency Scam
Spanish police apprehended six individuals linked to a major cryptocurrency investment scam leveraging AI-created deepfake advertisements. The scam duped 208 victims worldwide, accumulating approximately 19 million Euros ($20.9 million). Operation "COINBLACK – WENDMINE" was launched following a victim's complaint two years ago, resulting in the seizure of cash, electronics, firearms, and documents. The fraudsters utilized AI to generate fake endorsements from high-profile figures, boosting the perceived legitimacy and security of the investments. The scam operated in phases, initiating with romance or financial advisory approaches, leading to large fake returns on investments, followed by demands for more money to unlock supposedly blocked funds. In a final deceitful twist, victims were contacted by individuals posing as law enforcement or legal officials, claiming they could recover the funds for a fee. Authorities caution the public against investment platforms that promise guaranteed returns and stress the importance of verifying all investment opportunities.
2025-04-07 18:32:52 bleepingcomputer CYBERCRIME Everest Ransomware Website Hacked and Taken Offline
The dark web leak site of the Everest ransomware gang was defaced and is now offline after an apparent hack over the weekend. An unknown attacker left a sarcastic message on the site: "Don't do crime CRIME IS BAD xoxo from Prague." Post-defacement, the Everest site has been completely taken down, currently showing an "Onion site not found" error. Security experts suggest a potential WordPress vulnerability might have been exploited for the defacement. Everest has evolved its operations from solely data theft to include ransomware attacks and selling access to compromised networks. Since its inception in 2020, Everest has posted over 230 victims on its leak site and facilitated double-extortion ransomware attacks. Among the recent victims, California-based cannabis brand STIIIZY was compromised in November 2024, resulting from an attack on its POS vendor. Everest is reportedly intensifying its focus on targeting healthcare organizations across the U.S. as indicated by the U.S. Department of Health and Human Services in August 2024.
2025-04-07 18:16:46 theregister CYBERCRIME SIM-Swapper Ordered to Pay $13.2M and Faces Prison Time
Noah Michael Urban, a member of the Scattered Spider group, has pleaded guilty to wire fraud and identity theft charges. He faces a potential prison term of decades and a fine of up to $1 million, and will be sentenced in Florida on two separate indictments. He has been ordered to pay more than $13.2 million in restitution to 59 victims, both individuals and organizations. The offenses ran from August 2022 to March 2023 and centered on SIM swapping: porting a victim's phone number to a device the attacker controls so that SMS-based login and recovery codes for email accounts and cryptocurrency wallets land with the attacker. After his arrest in January 2024, authorities seized over $3 million in cryptocurrency, cash, jewelry and watches. Court records describe poor operational security, including victims' passwords stored on his computer and browser history he never cleared. He operated under aliases including "Sosa" and "King Bob".
2025-04-07 17:56:27 bleepingcomputer NATION STATE ACTIVITY Google Patches Android Zero-Days Used by Serbian Authorities
Google's April 2025 Android security update addresses 62 vulnerabilities, including two zero-days exploited in targeted attacks. One, CVE-2024-53197, is a privilege-escalation flaw in the Linux kernel's USB-audio driver that Serbian police used, with Cellebrite tooling, to unlock seized phones; Amnesty International documented it as part of a chain that also abused flaws in the USB Video Class and Human Interface Device drivers. The other headline fix, CVE-2024-53150, is an out-of-bounds read in the kernel that can leak sensitive data without user interaction. The remaining 60 fixes are mostly elevation-of-privilege bugs rated high severity. Pixel devices receive the update immediately; other manufacturers ship it on their own schedules. Serbian authorities had previously been found exploiting another zero-day, CVE-2024-43047, to plant NoviSpy spyware on dissidents' devices.
2025-04-07 17:19:28 bleepingcomputer MALWARE Malicious VSCode Extensions Install Cryptominers on Windows
Nine extensions in the Microsoft Visual Studio Code Marketplace, posing as legitimate developer tools, drop a cryptominer on Windows. Each carries a hidden PowerShell script that installs and runs XMRig, which mines Monero. The extensions were published on April 4, 2025 and already show more than 300,000 installs, a figure the researchers believe was inflated artificially to lend them credibility. The script disables Windows services that would interfere with it, establishes persistence through scheduled tasks and registry modifications, escalates privileges via DLL hijacking, names its binaries after system components and applies further evasion techniques. Anyone who installed one of the extensions should remove it and then manually hunt for and remove the miner and its persistence mechanisms, since uninstalling the extension alone does not undo what the script did. BleepingComputer has asked Microsoft about the extensions' presence in the marketplace and is awaiting a response.
2025-04-07 15:59:25 bleepingcomputer DATA BREACH WK Kellogg Reports Data Breach Tied to Clop Attacks on Cleo File Transfer Software
WK Kellogg Co has disclosed a data breach involving employee and vendor data, stemming from the Clop ransomware gang's mass exploitation of Cleo's managed file transfer software. The attackers used two zero-days in Cleo's products, CVE-2024-50623 and CVE-2024-55956. Unauthorized access began on December 7, 2024, but WK Kellogg only learned of the breach on February 27, 2025. Exposed data includes names and Social Security numbers of people connected to the company. The company is offering affected individuals one year of identity monitoring and fraud protection through Kroll, and says it has worked with Cleo to strengthen security and prevent a repeat. The breach is one of many resulting from Clop's campaign against organizations running Cleo's file transfer software.
2025-04-07 15:37:42 bleepingcomputer MISCELLANEOUS Microsoft Blocks Windows 11 Update Due to Driver Issues
Microsoft has implemented a safeguard hold on the Windows 11 24H2 update for systems using SenseShield's sprotect.sys driver due to compatibility issues causing BSODs. Affected systems include those with any version of the sprotect.sys driver, used primarily in security software and enterprise solutions for encryption protection. SenseShield Technology is collaborating with Microsoft to resolve the issue, and further updates will be provided as they become available. IT administrators can check for affected endpoints by referencing safeguard ID: 56318982 in Windows Update for Business reports. Users of Windows Home or Pro editions can check for upgrade holds via the Windows Update section in Settings. Microsoft advises against manually updating Windows 11 on affected PCs using the Installation Assistant or Media Creation Tool until the issue is resolved. Previously, compatibility holds were removed for certain users of AutoCAD, Asphalt 8: Airborne, and specific ASUS devices, demonstrating ongoing efforts to manage upgrade impacts.