Daily Brief


Total articles found: 12798

Checks for new stories every ~15 minutes

2025-04-02 10:05:43 thehackernews MISCELLANEOUS Enhancing Cyber Resilience Through SSL Configuration Management
TLS misconfigurations (still widely called "SSL" misconfigurations) are a major contributor to an organization's attack surface because TLS is everywhere in web applications and its settings are easy to get wrong. The article claims that more than half of all websites have inadequate security, largely because of weak SSL/TLS configurations, which leaves them more exposed to attack. A correctly configured certificate and protocol setup is what gives a site both confidentiality for data in transit and authentication of its identity. Traditional security tools often cannot keep up with monitoring and managing TLS configurations across a constantly changing set of hosts and services. The article recommends automated External Attack Surface Management (EASM) for continuous discovery and monitoring of exposed TLS endpoints, and presents Outpost24's cloud-based EASM platform as a way to detect and remediate weak TLS configurations. Its conclusion is that proactively managing TLS configuration through such tooling reduces risk across an organization's external presence.
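As an added example (not code from the article or from Outpost24), the Python script below does the kind of static check an EASM platform automates: it parses an nginx-style server block and flags legacy protocol versions, cipher suites built on deprecated algorithms, a missing certificate, and a missing HSTS header. The two config snippets are constructed for the example; the nginx directive names and OpenSSL cipher-name tokens are real.

```python
"""Static audit of TLS directives in an nginx-style config (added example, not from the page)."""
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-name tokens that mark deprecated or broken algorithms.
WEAK_CIPHER_TOKENS = {"NULL", "aNULL", "eNULL", "EXPORT", "EXP", "DES", "RC4", "RC2", "MD5", "IDEA", "SEED"}


def parse_directives(config_text):
    """Map each ssl_* / add_header directive to the list of its argument lists.

    Comments and trailing semicolons are stripped. Nesting (server/location blocks)
    is ignored, so this is a flat view for a quick check, not a full nginx parser.
    """
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].startswith("ssl_") or parts[0] == "add_header":
            found.setdefault(parts[0], []).append(parts[1:])
    return found


def weak_suites(cipher_string):
    """Return the suites in an OpenSSL cipher string that contain a weak token."""
    weak = []
    for suite in cipher_string.split(":"):
        if not suite or suite[0] in "!-+":  # exclusions / ordering hints select nothing
            continue
        if suite.startswith("@"):           # e.g. @SECLEVEL=1, @STRENGTH
            continue
        tokens = set(re.split(r"[-+]", suite))
        if tokens & WEAK_CIPHER_TOKENS:
            weak.append(suite)
    return weak


def audit_tls_config(config_text):
    """Return a list of findings; an empty list means nothing obviously weak was found."""
    d = parse_directives(config_text)
    findings = []
    for values in d.get("ssl_protocols", []):
        for proto in values:
            if proto in WEAK_PROTOCOLS:
                findings.append(f"weak protocol enabled: {proto}")
    for values in d.get("ssl_ciphers", []):
        # Aliases such as HIGH or DEFAULT expand differently per OpenSSL build; resolve
        # them with `openssl ciphers -v '<string>'` to see what they really allow.
        for suite in weak_suites(" ".join(values).strip("\"'")):
            findings.append(f"weak cipher suite: {suite}")
    if "ssl_certificate" not in d or "ssl_certificate_key" not in d:
        findings.append("certificate or key directive missing")
    if not any(v and v[0] == "Strict-Transport-Security" for v in d.get("add_header", [])):
        findings.append("missing Strict-Transport-Security header")
    return findings


# Constructed sample configs (not from any real deployment).
WEAK_CONFIG = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:RC4-SHA:DES-CBC3-SHA;   # legacy suites still selectable
ssl_certificate /etc/nginx/certs/site.crt;
ssl_certificate_key /etc/nginx/certs/site.key;
"""

HARDENED_CONFIG = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
ssl_certificate /etc/nginx/certs/site.crt;
ssl_certificate_key /etc/nginx/certs/site.key;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_tls_config(cfg) or "no findings")
```

The check is intentionally static: it tells you what the configuration permits, not what a client would negotiate. Pair it with a live scan of the exposed endpoint, since a certificate that has expired or a chain that is incomplete will not show up in a directive review.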
2025-04-02 09:40:24 theregister MISCELLANEOUS Betty Webb, WWII Code-Breaker and Advocate, Passes Away at 101
Betty Webb, a key member of the WWII Bletchley Park code-breaking team, has died at the age of 101. She served in the ATS and was later assigned to Bletchley due to her strong language skills, handling crucial decoding activities against German and Japanese communications. Post-war, Webb's work remained classified under the Official Secrets Act, prohibiting her from sharing her experiences until the mid-1970s. Webb became a prominent speaker and advocate for Bletchley Park, helping transform it into a museum and sharing its history through talks and a memoir. Her efforts were recognized with several honors, including the MBE in 2015 for services to Bletchley Park and France's highest award, the Légion d'Honneur, in 2021. Webb expressed disillusionment in her later years upon witnessing the resurgence of far-right extremism. She remained actively involved in veterans' affairs and promoting the legacy of WWII veterans until her passing.
2025-04-02 07:00:38 thehackernews MALWARE FIN7 Uses Anubis Backdoor to Infiltrate Windows via SharePoint
FIN7, a financially motivated, Russia-linked cybercrime group, has deployed Anubis, a Python-based backdoor, against Windows systems. The malware is distributed through malspam campaigns that lure users into downloading a malicious ZIP archive hosted on compromised SharePoint sites; running its contents hands the attacker control of the machine. Anubis gives the operator remote access to execute commands, read and write files, and change system settings. Once active, it communicates with a remote server to fetch commands, which it executes directly from memory to limit on-disk artifacts and evade detection. PRODAFT's technical report stresses the flexibility and stealth of Anubis and its role in the group's operational security, enabling follow-on activity such as keylogging and password theft. FIN7 has also been promoting AuKill, a tool designed to disable security software, signalling continued investment in tooling for broader cybercrime operations. Independent analysis by GDATA corroborated Anubis's capabilities and its potential for misuse in targeted intrusions.
2025-04-02 06:20:17 theregister CYBERCRIME Apple Releases Critical Patches for Exploited OS Vulnerabilities
Apple has issued updates for older versions of its operating systems to fix vulnerabilities that were already patched in newer releases. They include CVE-2025-24200, an exploited flaw that allows USB Restricted Mode to be bypassed on a locked device and its data accessed, and CVE-2025-24201, an exploited WebKit bug that let malicious web content escape the Safari Web Content sandbox. macOS also received updates, including backported fixes for older macOS releases that had not yet had them. Apple's current operating systems were updated as well, with iOS and iPadOS 18.4 addressing about 60 vulnerabilities, none of which were reported as under active attack. The backports reflect Apple's stated "Longevity by design" approach of supporting devices for long product lifecycles. The caveat for defenders is the gap itself: the time between a fix shipping for current releases and the backport reaching older ones is a window in which a known, exploited bug remains open on devices still running those versions.
2025-04-02 06:00:07 theregister NATION STATE ACTIVITY North Korea's Fake Tech Workers Target European Job Markets
North Korean operatives posing as IT workers are increasingly targeting European companies, using sophisticated tactics to secure remote tech jobs and funnel salaries back to North Korea. These fake employees sometimes install malware, steal sensitive company data, and demand ransoms, while others underperform across multiple simultaneous jobs. They employ deception during recruitment, such as claiming broken webcams to avoid visual identification and utilizing AI to generate fake portraits and interview responses. The scam has been so effective that even cybersecurity firms have mistakenly hired these operatives, highlighting their capability to bypass advanced screening processes. With heightened awareness and regulatory obstacles in the U.S., these North Korean schemes are shifting focus towards European countries like Germany and Portugal. Investigators have uncovered fake resumes, guidance for navigating job sites in Europe, and instructions on acquiring fraudulent documentation to support work and residency claims. Payment for these fraudulent operations is often sought via cryptocurrencies and international transfer services to avoid tracking. The FBI has issued guidance to help employers identify potential fake candidates, including warning signs such as avoidance of in-person meetings and irregularities in provided profiles and documents.
2025-04-02 06:00:07 thehackernews MALWARE Hijack Loader Malware Evolves with Enhanced Evasion Techniques
Cybersecurity researchers have identified an updated variant of Hijack Loader malware that adds evasion features such as call stack spoofing and anti-VM checks. The new call-stack-spoofing module disguises the origin of function calls so that a security product inspecting the stack does not see the call coming from the loader's own code. The loader delivers secondary payloads such as information stealers and includes modules that bypass security controls and inject malicious code. Recent campaigns associated with Hijack Loader have used legitimate code-signing certificates and distribution strategies such as the ClickFix tactic, in which the victim is tricked into running a command themselves. Separate research covered the SHELBY malware family, delivered via phishing emails, which uses GitHub for command and control and targets data exfiltration. Another loader, Emmenhtal, distributed via phishing with payment-themed attachments, is protected with .NET Reactor, an obfuscation trend increasingly seen across loaders and stealers. Across all of these cases, the continuous maintenance of the loaders shows active investment in complicating analysis and improving persistence on infected systems.
2025-04-02 01:44:40 theregister MISCELLANEOUS National Security Adviser Accused of Using Gmail for Sensitive Info
White House National Security Adviser Michael Waltz has been accused of using a personal Gmail account for government business involving sensitive matters. Gmail use by Waltz and his aides reportedly included discussions of military positions and weapons systems, raising concerns about operational security and about compliance with the legal requirements for preserving government records. The allegations follow the "Signalgate" incident, in which Waltz inadvertently added a journalist to a Signal group chat in which sensitive military details were discussed. Waltz's spokesperson stated that he did not send classified information via Gmail and that he complied with record-keeping rules by copying emails to his official government account. President Trump has voiced support for Waltz; the reported possibility of his dismissal related to press leaks rather than to his security practices. The incidents add to ongoing concerns about senior officials handling sensitive information on consumer platforms that sit outside government security and record-keeping controls.
2025-04-01 18:56:33 bleepingcomputer NATION STATE ACTIVITY North Korean IT Workers Infiltrate European Companies for Regime Benefits
North Korean IT workers, known as "IT warriors," are expanding their operations in Europe after intensifying U.S. scrutiny and sanctions. Posing under false identities, these workers secure remote IT employment in European firms, using tactics like fabricated resumes and diverse claimed nationalities. The Google Threat Intelligence Group (GTIG) discovered these activities especially targeting companies in Germany, Portugal, and the UK. These workers are part of a broader strategy by North Korea to generate substantial revenue for the regime through deceptive IT employment, keeping up to 90% of the earnings for government coffers. Methods for obfuscating financial transactions include cryptocurrencies and payment platforms such as TransferWise and Payoneer. The deception extends to involvement in fields such as artificial intelligence, blockchain, and web development, with goals including data theft and potential extortion. U.S. Justice Department and Treasury have taken actions against North Koreans and their associates involving similar schemes in the U.S., underscoring a pattern of global fraudulent IT employment. North Korean IT workers utilize their positions in foreign companies to potentially facilitate cyber espionage and support the country's military and weapons funding.
2025-04-01 17:49:38 bleepingcomputer MALWARE Sophisticated Malware Chain Uses Multistage Script Techniques
The Acronis Threat Research Unit analyzed a malware campaign that chains several scripting languages (VBS, batch, and PowerShell) before dropping its final payload. The campaign, which delivered remote access trojans including DCRat and Rhadamanthys, starts with a deceptive email carrying a RAR attachment titled "Summons for account garnishment" aimed at Spanish speakers. The infection chain runs from a VBS script to batch files and then to a PowerShell script that finally deploys the malware. Each script layer is heavily obfuscated, which blunts signature-based detection; every additional layer makes static analysis harder still. The payload, a .NET executable wrapped in a custom .NET packer, is loaded with RunPE (process hollowing, a common malware technique), with key components stored in data blobs encrypted with XOR. Acronis recommends layered defenses combining heuristics, behavioral analysis, and generic script emulation so that the chain is caught early rather than at the final stage. The payload exposes victims to unauthorized access, data theft, and full system compromise, which is why stopping the chain before the final stage matters. Acronis presents its ongoing research as feeding back into its own product detections.
2025-04-01 17:11:31 thehackernews MALWARE Over 1,500 PostgreSQL Servers Hit by Cryptomining Malware Attack
Over 1,500 PostgreSQL database servers have been compromised in a fileless cryptocurrency mining campaign. Wiz attributes the campaign to a threat actor it tracks as JINX-0126, which uses several evasion techniques to stay undetected. The attackers target internet-exposed PostgreSQL instances with weak credentials and abuse the COPY ... FROM PROGRAM SQL command, which lets a sufficiently privileged database role run arbitrary shell commands on the host, to gain initial access and perform reconnaissance. A Base64-encoded shell script then kills competing miners and installs a mining module called PG_CORE. An obfuscated Golang binary that mimics a legitimate PostgreSQL component handles persistence and privilege escalation on the compromised server. The XMRig miner is run with a Linux fileless execution technique so that it leaves no traceable binary on the filesystem. Wiz linked three cryptocurrency wallets to the campaign, each with roughly 550 distinct mining workers, which is the basis for the estimate of the campaign's scale.
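An added example, not taken from the Wiz report: the Python below scans PostgreSQL statement logs for COPY ... FROM/TO PROGRAM, the command-execution primitive the summary refers to, and unwraps any base64 blob found in the program string so the decoded shell script is visible to the analyst. The log lines and the payload are constructed for the example, and the log prefix format is an assumption (it corresponds to a log_line_prefix of '%m [%p] %u@%d ' with log_statement = 'all').

```python
"""Flag COPY ... PROGRAM statements in PostgreSQL logs and unwrap base64 payloads
(added example, not code from the Wiz report)."""
import base64
import re

# Matches COPY <target> FROM|TO PROGRAM '<command>'; SQL doubles single quotes inside strings.
PROGRAM_COPY = re.compile(
    r"\bCOPY\b.+?\b(FROM|TO)\s+PROGRAM\s+'((?:[^']|'')*)'", re.IGNORECASE | re.DOTALL)
# Runs long enough to be base64 rather than an ordinary shell token.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_blobs(command):
    """Return the printable decodings of base64-looking runs inside a shell command."""
    out = []
    for blob in B64_BLOB.findall(command):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if all(c.isprintable() or c in "\n\t" for c in text):
            out.append(text)
    return out


def find_program_copies(log_lines):
    """Return one finding per log line whose statement hands a shell command to COPY."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = PROGRAM_COPY.search(line)
        if not m:
            continue
        command = m.group(2).replace("''", "'")  # undo SQL quote doubling
        findings.append({
            "line": n,
            "direction": m.group(1).upper(),
            "command": command,
            "decoded": decode_blobs(command),
        })
    return findings


# Constructed sample log. The payload is a placeholder built here, not the campaign's script.
SAMPLE_PAYLOAD = b"pkill -f competitor_miner; /tmp/pg_core --config /tmp/c.json &\n"
SAMPLE_LOG = [
    "2025-04-01 12:00:01.000 UTC [4242] postgres@postgres LOG:  statement: SELECT version();",
    "2025-04-01 12:00:02.000 UTC [4242] postgres@postgres LOG:  statement: "
    "COPY t FROM PROGRAM 'echo " + base64.b64encode(SAMPLE_PAYLOAD).decode() + " | base64 -d | sh';",
    "2025-04-01 12:00:03.000 UTC [4242] postgres@postgres LOG:  statement: COPY users TO '/tmp/users.csv';",
    "2025-04-01 12:00:04.000 UTC [4242] app@appdb LOG:  statement: COPY (SELECT 1) TO PROGRAM 'id';",
]

if __name__ == "__main__":
    for f in find_program_copies(SAMPLE_LOG):
        print(f"line {f['line']}: COPY {f['direction']} PROGRAM -> {f['command']!r}")
        for script in f["decoded"]:
            print("  decoded:", script.strip())
```

Plain COPY to or from a file (line 3 of the sample) is normal and is not flagged; only the PROGRAM form is. COPY ... PROGRAM is available only to superusers and members of the pg_execute_server_program role, so an application role that can run it is itself a finding, independent of whether the log shows abuse.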
2025-04-01 15:36:04 theregister MISCELLANEOUS Microsoft Celebrates 50 Years of Innovation and Challenges
Microsoft marks its 50th anniversary, reflecting on a legacy of pivotal software developments and mixed outcomes. The company has dominated the enterprise sector with its productivity suite, despite challenges from competitors like Google. Key successes include the development of popular operating systems like Windows 3.0 and strategic acquisitions such as GitHub and LinkedIn. Notable missteps include the failure of Windows Phone to capture the smartphone market and the underperformance of products like Microsoft Bob and Zune. Microsoft's investment in cloud technology and artificial intelligence marks its latest focus areas, aiming to secure its future in cutting-edge technology sectors. The tech giant has also faced criticism for underestimating competitors, notably Google's Chrome browser and the consumer shift to mobile devices. Reflections on Microsoft's history include both groundbreaking achievements and notable errors, highlighting the complex journey of a leading technology company.
2025-04-01 15:36:04 thehackernews MISCELLANEOUS Google Introduces End-to-End Encryption for Gmail Enterprise Users
Google has announced that enterprise Gmail users will be able to send end-to-end encrypted (E2EE) emails to recipients on any email platform using a new encryption model. The feature works without custom client software or the exchange of encryption certificates, removing the setup overhead that has kept S/MIME-style encryption from being widely used. It is currently in beta for emails within the same organization, with plans to extend it to all Gmail users and then to recipients on other email services. The feature is built on Google Workspace client-side encryption (CSE): the message is encrypted in the client before it reaches Google's servers, so the stored content is not readable by third parties, including Google. Recipients on non-Gmail services such as Microsoft Outlook can read the message through a guest Google Workspace account. The encryption keys are held in a key management service chosen and controlled by the customer's administrators, who decide which accounts may use them; the practical consequence is that the organization, not only the sender and recipient, can control access to message content. Google's stated aim is better data privacy and security with less of the complexity and resourcing that secure email has traditionally required.
2025-04-01 14:46:36 bleepingcomputer MISCELLANEOUS Google Introduces Simplified E2EE for Gmail Business Users
Google has launched a new end-to-end encryption (E2EE) option for Gmail business users that is intended to allow encrypted email to any recipient, on any platform. The model lets enterprise users send encrypted messages without the certificate management that S/MIME requires. Initially the feature covers messages within the same organization, with plans to extend it to all Gmail users and eventually to any email service. Senders enable it by choosing the "Additional encryption" option when composing; Gmail recipients see the message decrypted automatically. Non-Gmail recipients receive a secure link and read the message in a restricted Gmail view, using a guest Google Workspace account. The feature relies on client-side encryption (CSE), so the message is encrypted before it reaches Google's servers, which Google positions as supporting privacy and data-sovereignty and compliance requirements such as HIPAA. Google has previously rolled out client-side encryption to other Workspace tools, including Google Drive and Google Meet, as part of the same strategy.
2025-04-01 14:38:30 bleepingcomputer CYBERCRIME Massive Scanning of Palo Alto Networks Portals Detected
A sharp increase in login scanning against Palo Alto Networks GlobalProtect portals has been observed. More than 24,000 unique IP addresses took part, peaking at about 20,000 IPs per day from March 17, 2025. Most source IPs are in the United States and Canada, and the targets are primarily systems in the United States. Of the IPs seen, 23,800 are classified as "suspicious" and 154 as "malicious." GreyNoise, which reported the activity, notes that spikes of this kind have historically preceded the disclosure of new vulnerabilities in the targeted products by two to four weeks, and that it has seen the same pattern of reconnaissance followed by targeted exploitation over the last 18 to 24 months. The activity may be related to a separate PAN-OS crawler pattern that spiked at the same time, on March 26, 2025. Administrators are advised to review portal logs going back to mid-March for signs of compromise and to harden exposed portals against the exploitation attempts that may follow.
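An added example, not from GreyNoise or Palo Alto Networks, showing the log review the summary recommends: the Python below counts distinct source IPs per day that hit the GlobalProtect portal login paths and flags any day that stands far above the previous week's median. The log lines are constructed in Combined Log Format, as a reverse proxy or WAF in front of the portal might emit them (an assumed format; PAN-OS's own logs differ), using documentation address ranges.

```python
"""Per-day distinct-source counting for GlobalProtect portal paths, with spike flagging
(added example; the log lines are constructed, not GreyNoise data)."""
import re
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import median

# Combined Log Format (assumed to be what sits in front of the portal).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Portal and gateway paths that login scanners probe.
PORTAL_PATHS = ("/global-protect/login.esp", "/global-protect/prelogin.esp", "/ssl-vpn/")


def unique_sources_per_day(lines):
    """Return {date: set(ip)} for requests to GlobalProtect portal paths."""
    per_day = defaultdict(set)
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or not m.group("path").startswith(PORTAL_PATHS):
            continue
        day = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").date()
        per_day[day].add(m.group("ip"))
    return per_day


def flag_spikes(per_day, window=7, factor=5.0, min_sources=20):
    """Flag days whose distinct-source count exceeds `factor` x the median of the previous
    `window` days that had portal traffic (and is at least `min_sources`).

    Returns [(date, count, baseline)] in date order.
    """
    flagged = []
    days = sorted(per_day)
    for day in days:
        history = [len(per_day[d]) for d in days if day - timedelta(days=window) <= d < day]
        baseline = median(history) if history else 0
        count = len(per_day[day])
        if count >= min_sources and count > factor * max(baseline, 1):
            flagged.append((day, count, baseline))
    return flagged


def sample_log():
    """Constructed lines: a quiet week (Mar 10-16, 2-4 sources/day), then a burst on Mar 17."""
    def req(ip, day, hour, path="/global-protect/login.esp", method="POST", status=200):
        return f'{ip} - - [{day:%d/%b/%Y}:{hour:02d}:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512'

    lines = []
    start = date(2025, 3, 10)
    for i in range(7):
        day = start + timedelta(days=i)
        for j in range(2 + i % 3):
            lines.append(req(f"198.51.100.{j + 1}", day, 9 + j))
    burst = date(2025, 3, 17)
    for j in range(60):
        lines.append(req(f"203.0.113.{j + 1}", burst, j % 24))
    lines.append(req("198.51.100.9", burst, 3, path="/index.html", method="GET"))  # not portal traffic
    return lines


if __name__ == "__main__":
    counts = unique_sources_per_day(sample_log())
    for day in sorted(counts):
        print(day, len(counts[day]))
    for day, count, baseline in flag_spikes(counts):
        print(f"SPIKE {day}: {count} distinct sources (baseline {baseline})")
```

Distinct sources per day is the right unit here because the reported activity was spread across tens of thousands of IPs rather than a few noisy ones; request counts alone would also flag a single misbehaving client. The threshold values are starting points to tune against your own baseline.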
2025-04-01 14:22:48 thehackernews CYBERCRIME Lucid PhaaS Exploits iMessage and RCS in Global Smishing Campaign
Lucid, a phishing-as-a-service platform, has targeted 169 entities across 88 countries, sending its lures over Apple iMessage and Android RCS rather than SMS so that carrier SMS filters never see them. Operated by the Chinese-speaking XinXin group, the service focuses on stealing payment card data and personally identifiable information, mainly in Europe, the UK, and the US. Lucid sits alongside platforms such as Lighthouse and Darcula in a subscription-based underground economy for phishing kits and infrastructure. Its campaigns impersonate postal services, courier companies, and similar brands with convincing templates. Messages are sent at volume from iPhone device farms and Windows-based mobile device emulators. Evasion features include IP-based blocking, user-agent filtering, and single-use URLs that expire after one visit, all of which frustrate security crawlers and analysts trying to reproduce the page. The platform also provides a builder for customizable phishing sites and a real-time panel that shows victim interactions as they happen. The findings illustrate how phishing operations have professionalized and why SMS-centric defenses miss a growing share of them.