Daily Brief
Total articles found: 12797
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-04-05 14:16:13 | bleepingcomputer | MALWARE | Vulnerability in WinRAR Bypasses Windows Security Warnings | A critical vulnerability, identified as CVE-2025-31334, was discovered in the WinRAR file archiver that allows bypassing Windows' Mark of the Web (MotW) security alerts. The flaw affects all versions of WinRAR prior to the latest 7.11 release and enables the execution of arbitrary code on Windows machines. The MotW feature adds a metadata value indicating that a file is potentially unsafe if downloaded from the internet, prompting a security warning when such a file is executed. In affected WinRAR versions, a symbolic link (symlink) can be manipulated to bypass the MotW warning, potentially allowing malware execution without the user's knowledge. Creation of symbolic links in Windows generally requires administrator permissions, adding an additional security layer. The vulnerability was responsibly reported by Shimamine Taihei through Japan's Information Technology Promotion Agency and addressed in WinRAR version 7.11. WinRAR has included enhancements from version 7.10 onwards to remove potentially privacy-compromising information from the MotW alternate data stream. Previous instances of similar MotW bypass issues have been exploited by threat actors, including state-sponsored groups, to deliver malware covertly. |
| 2025-04-05 08:45:56 | thehackernews | CYBERCRIME | Malicious Python Libraries on PyPI Steal Sensitive Data | Cybersecurity researchers discovered malicious libraries in the Python Package Index (PyPI) that stole sensitive data. The affected packages include bitcoinlibdbfix and bitcoinlib-dev, which impersonated fixes for the legitimate bitcoinlib module. Another package, disgrasya, contained a script for automating credit card fraud, specifically targeting WooCommerce stores. These packages were downloaded more than 39,000 times before being removed from the distribution site. Attackers engaged with users on GitHub, deceitfully promoting the malicious packages as necessary updates. The disgrasya package tested stolen credit card information on e-commerce sites to avoid fraud detection mechanisms. The malicious packages were programmed to simulate legitimate shopping activity to validate stolen credit card details. The research teams from ReversingLabs and Socket exposed the functionality and objective of these malicious Python packages. |
| 2025-04-04 19:31:53 | theregister | NATION STATE ACTIVITY | NSA Leadership Shake-Up: Impact on U.S. National Security | President Trump dismissed both the head of the NSA and U.S. Cyber Command, General Timothy Haugh, and his civilian deputy, Wendy Noble, amid controversies. The firings were allegedly influenced by Laura Loomer, a far-right figure with extreme views, who had recently met with President Trump. Senator Mark Warner criticized the decision as politically motivated and detrimental to national security, highlighting the inconsistency compared to other administrative decisions. Representative Jim Himes expressed concern that the dismissal of Haugh, noted for his nonpartisan and security-focused approach, made the country less safe. General Haugh had been a reputable leader in national defense, confirmed unanimously by the Senate, with both offensive and defensive cyber experience. The new acting head of the NSA is Lieutenant General William Hartman, previously involved in offensive cyber operations. The shake-up coincides with the dismissal of other National Security Council members, adding to the turbulence within the U.S. national security apparatus. |
| 2025-04-04 17:32:21 | bleepingcomputer | DATA BREACH | Port of Seattle Hit by Ransomware, 90,000 People's Data Compromised | In August 2024, the Port of Seattle suffered a ransomware attack by the Rhysida group, impacting IT infrastructure and service systems, including reservation check-ins and flight displays. The attack led to data theft involving 90,000 individuals, primarily affecting employees and contractors, and involving sensitive information such as Social Security numbers and medical data. Despite the disruption, major airline and maritime operations remained unaffected, as proprietary and federal partner systems were not compromised. The Port of Seattle refused to pay the ransom, risking public exposure of the stolen data on the group's dark web leak site. The ongoing investigation indicates that the breach occurred in mid-to-late August, with a complex and time-consuming assessment of the compromised data. Notification letters have been sent to the affected individuals, the majority of whom are residents of Washington state. The Rhysida ransomware-as-a-service operation has been active since May 2023 and has previously targeted high-profile entities globally. |
| 2025-04-04 16:53:28 | bleepingcomputer | CYBERCRIME | Sophisticated PoisonSeed Phishing Attack Targets Crypto Wallets | A phishing campaign named "PoisonSeed" targets corporate marketing accounts to send fraudulent crypto seed phrases. The campaign infiltrates platforms like Mailchimp, SendGrid, and others using sophisticated phishing techniques to access user credentials. It is attributed to unidentified actors, distinct from but similar to the known groups CryptoChameleon and Scattered Spider, and uses unique code variations. It employs domains resembling official service URLs to deceive victims, stealing their credentials and using them to send malicious emails. Victims receiving these emails are misled into creating new wallets with seed phrases controlled by the attackers, compromising their assets. The subsequent phishing emails contain urgent upgrade or transfer instructions to trick recipients into using these compromised seed phrases. Security recommendations include ignoring unsolicited upgrade requests received via email and always accessing platforms directly through secure means. Users are advised to generate their own seed phrases and should not share or reuse seed phrases sent via email. |
| 2025-04-04 16:12:42 | bleepingcomputer | CYBERCRIME | Massive Credential Stuffing Attacks Compromise Australian Super Funds | Over 20,000 accounts were breached in credential stuffing attacks against multiple Australian superannuation funds. AustralianSuper reported that 600 of its accounts were compromised using stolen passwords for fraudulent activity. Rest's MemberAccess portal was targeted, with 8,000 members having personal data exposed, though no funds were reportedly stolen. Hostplus and Insignia Financial are assessing the damage, though Insignia has found no evidence of financial loss yet. ASFA has launched a Financial Crime Protection Initiative, including a hotline and a toolkit to improve industry-wide cyber defenses. Australian pension funds are urged to increase security measures, including encouraging members to use unique passphrases and to update software. |
| 2025-04-04 14:15:48 | bleepingcomputer | DATA BREACH | Europcar Data Breach Compromises Customer Information | Europcar Mobility Group experienced a data breach impacting 50,000 to 200,000 customers, exposing personal data stored in GitLab repositories. A hacker stole source code for Europcar's Android and iOS applications, along with SQL backups that contained customer names and email addresses. The breached data includes 37GB of backups and details about the company's cloud infrastructure and internal applications, without exposure of sensitive details such as bank information or passwords. The threat actor attempted to extort Europcar by threatening to release the stolen data. Europcar notified affected customers and the data protection authority in each respective country about the breach. Investigations revealed that the credentials used in the breach might have been obtained from previous infostealer compromises. The total extent of the damage is still under assessment, with efforts focused on strengthening security measures to prevent future incidents. Europcar's code repositories were targeted previously and were also the subject of a fake breach report in the past year. |
| 2025-04-04 12:33:42 | thehackernews | CYBERCRIME | Access Token Theft Sparks GitHub Supply Chain Attack | A personal access token theft at SpotBugs triggered a widespread supply chain attack on GitHub, notably affecting Coinbase. Attackers initially infiltrated the GitHub Actions workflow of SpotBugs, leveraging it to compromise the repositories of the reviewdog project. The breach began in November 2024 but only became evident in March 2025 when Coinbase was directly targeted. The malicious activity involved pushing a tampered version of "reviewdog/action-setup," which was automatically disseminated through its dependencies. The attacker gained repository write access by being added as a member by a SpotBugs maintainer, using a previously stolen PAT to facilitate further malicious modifications. This attack employed a "pull_request_target" trigger in GitHub Actions, which allowed the attacker to execute workflows with access to repository secrets. The incident came to light after several months during which the attackers monitored the dependency structure, choosing the right moment to exploit high-value targets. Following the attack's detection, the SpotBugs maintainer rotated all tokens and PATs to revoke unauthorized access and prevent future breaches. |
| 2025-04-04 11:39:58 | theregister | MISCELLANEOUS | The Critical Role of Swift Incident Response in Cybersecurity | The article emphasizes the importance of timely incident response over merely maintaining backups, as traditionally advised by experts. Research by the UK's Bridewell consultancy highlights slow response times to cyber threats, notably ransomware, with many organizations taking over six hours to respond. Dray Agha of Huntress argues for immediate action within 30 minutes to significantly mitigate risk, as adversaries can cause substantial damage quickly. Simple configuration changes by attackers can create severe security issues, which are often difficult and costly to reverse. Reliance on backups can give organizations a false sense of security, as many backups are outdated or not comprehensive. Rapid incident response is crucial for limiting damage and enabling quicker operational recovery. Financial constraints often hinder effective incident response and recovery, necessitating ample security budgets for adequate tools and trained personnel. The article suggests investing in proper incident response and continuous funding for security to prevent or mitigate cyber disasters. |
| 2025-04-04 11:00:16 | thehackernews | MISCELLANEOUS | Advancements in Container Technology Redefine Software Delivery | Containerization is now central to modern, cloud-native software development, enhancing application resilience, scalability, and portability. Technological strides from Linux Containers (LXC) to Docker, and the formation of the Open Container Initiative (OCI), have progressively enhanced security and performance in software delivery. Docker simplified the use of container technology, which boosted adoption rates but also brought about concerns regarding vendor lock-in and the need for system interoperability. The OCI addressed these challenges by standardizing container formats and runtimes, ensuring compatibility across various platforms and promoting a competitive atmosphere. Kubernetes, supported by OCI standards, has enabled consistent application orchestration across diverse infrastructures, reinforcing container ubiquity. Modern cloud-native applications demand a minimalistic approach, relying on distroless configurations that cater only to specific microservice needs, enhancing security and efficiency. Chainguard OS exemplifies the next generation of open source software delivery, emphasizing security, up-to-date content, and minimalism, drawing on direct updates from upstream sources. The distroless approach of Chainguard OS demonstrates significant reductions in vulnerabilities and resource use, aligning with the latest industry needs and user feedback. |
| 2025-04-04 09:27:29 | thehackernews | MALWARE | OPSEC Failure Reveals Young Hacker's Malware Distribution Network | DomainTools uncovered a cybercrime operation using Russian bulletproof hosting by Proton66, exposing malicious payloads via a fake antivirus site. The operation, linked to an emerging threat actor dubbed Coquettte, was found due to an operational security failure that left crucial infrastructure data exposed. Proton66, also connected to another service named PROSPERO, has been involved in distributing various malware like GootLoader and SpyNote through phishing tactics. The fake antivirus service distributed malware within a ZIP file containing a Windows installer that downloaded additional payloads from a C2 server. Analysis revealed Coquettte's identity as a 19-year-old self-described software engineer, controlling both the distribution website and the C2 server. The threat actor is also involved in creating online resources for manufacturing illegal substances and weapons, suggesting broader criminal activities. Coquettte is likely associated with a larger hacking group called Horrid, which supports amateur cybercriminals entering underground networks. |
| 2025-04-04 08:38:06 | theregister | CYBERCRIME | UK Law Enforcement Struggles with Rising AI-Enabled Crimes | The Alan Turing Institute warns that UK law enforcement is currently ill-prepared to combat AI-enabled criminal activities. A new report from the Institute's Centre for Emerging Technology and Security advises the National Crime Agency (NCA) to establish a task force focused on AI-driven crime within five years. The NCA acknowledges the increasing use of AI in serious crimes such as cybercrime, fraud, and child sexual abuse, and is considering the Institute's recommendations. AI is making cybercrime more sophisticated, allowing criminals to create convincing scams and fraudulent communications that are hard to distinguish from genuine interactions. UK law enforcement is advised to adopt AI technology more effectively in its operations to counteract the sophisticated use of AI by criminals. The report suggests that future AI developments will likely enhance criminals' capabilities, making the need for AI integration into law enforcement tools even more urgent. Academics express significant concern over the gap between the technology available to law enforcement and the evolving nature of AI-enabled threats. |
| 2025-04-04 06:37:17 | theregister | NATION STATE ACTIVITY | Ex-Employee Charged with Stealing Dutch Semiconductor Secrets | A Russian national and former employee of ASML and NXP is accused of engaging in industrial espionage, sharing secrets with Russian operatives. Dutch intelligence services allege he made multiple trips to Russia, passing sensitive information about semiconductor technology during meetings with intelligence figures. The accused reportedly used Google Drive to upload and share proprietary information with his contacts in Russia. During his trial in Rotterdam, it was revealed that he stored data on USB drives which he transported to Russia. The defendant claimed the documents in his possession were outdated and not useful for semiconductor production. He has admitted to having proprietary documents, stating they were for personal education, not espionage. His employment history includes working for ASML after its acquisition of Mapper, a startup that failed in 2020, and later for NXP and Delft University. Dutch police arrested him in August 2024 following a tip from intelligence services, discovering confidential documents related to ASML and TSMC on his devices. |
| 2025-04-04 06:15:29 | thehackernews | MALWARE | Critical Ivanti Flaw Exploited to Deploy TRAILBLAZE, BRUSHFIRE Malware | Ivanti disclosed a severe vulnerability (CVE-2025-22457) in its Connect Secure products, now patched, that is being actively exploited by attackers. The vulnerability allows remote unauthenticated attackers to execute arbitrary code through a stack-based buffer overflow. Attackers have used the flaw to deploy TRAILBLAZE, a dropper, and BRUSHFIRE, a memory-resident backdoor, aiming for persistent access. Mandiant observed the exploitation linked to the China-nexus group UNC5221, potentially associated with established threat groups like APT27. The attackers focused on various Ivanti products, with some evidence of exploitation on unsupported Pulse Connect Secure appliances. Users are advised to monitor ICT environments for signs of compromise and to reset affected appliances to a secure version. UNC5221 has also utilized obfuscated networks comprising compromised devices from other manufacturers to conceal its activities. This is part of a trend of increasingly aggressive cyber espionage by China-nexus groups targeting edge device vulnerabilities globally. |
| 2025-04-04 05:50:32 | theregister | DATA BREACH | Retirement Funds Compromised in Australian Cyberattacks | Unauthorized access to Australian superannuation funds led to theft from member accounts. Attackers breached protected information across multiple funds, in a sector where more than 100 super funds compete. ASFA reported attempts to obtain unapproved access to several funds' portals; most attacks were thwarted. The "Rest" fund acknowledged unauthorized activity and contacted affected members; approximately 8,000 members had personal details exposed. Some reports indicate actual monetary theft from member accounts during night hours to avoid detection. Call center and website traffic increased following the breaches, and some funds' websites became unresponsive. The security breaches are part of a troubling trend seen previously in the Australian superannuation industry. The situation is ongoing, with updates pending as funds continue to assess and mitigate the damage. |