Daily Brief
Total articles found: 12802
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-03-26 17:37:46 | theregister | DATA BREACH | Sensitive Court Data Stolen in New South Wales Cyberattack | Approximately 9,000 files were stolen from the New South Wales Online Registry Website, impacting civil and criminal court cases.
The stolen data includes affidavits and apprehended violence orders (AVOs), critical for protecting victims of domestic violence and other abuses.
The breach was identified last Tuesday, with ongoing investigations led by cybercrime detectives and the Department of Communities and Justice.
The data theft poses significant risks, potentially exposing personal details of victims and alleged offenders, making them targets for extortion or further victimization.
Australian law enforcement is actively contacting potentially affected individuals and advises anyone concerned to report via Australia’s cybercrime reporting service.
NSW's attorney general confirmed the severity of the breach and emphasized government efforts to manage the situation and maintain system integrity.
This incident follows a similar cyberattack on Victoria's court system, suggesting a regional challenge in securing judicial data systems. | Details |
| 2025-03-26 17:01:52 | thehackernews | NATION STATE ACTIVITY | FamousSparrow Deploys Advanced Malware in US and Mexico Attacks | FamousSparrow, a Chinese threat group, has recently targeted a US trade group and a Mexican research institute using advanced variants of the SparrowDoor backdoor and the newly added ShadowPad malware.
Observed in July 2024, this marks the first use of ShadowPad by FamousSparrow, aligning with tactics commonly employed by Chinese state-sponsored actors.
ESET researchers reported that the new SparrowDoor variants show significant enhancements, including command parallelization, which allows the execution of multiple tasks simultaneously.
The attacks involved compromised web servers using Internet Information Services (IIS), where the attackers deployed a web shell to execute further malicious activities including malware deployment.
Both targeted entities were using outdated versions of Windows Server and Microsoft Exchange Server, which likely contributed to their vulnerability.
This latest incident highlights the continuous evolution and sophistication of FamousSparrow's cyber capabilities, indicating active development and deployment of new malicious tools.
The linkage between FamousSparrow and other Chinese cyber espionage groups, such as Earth Estries and Salt Typhoon, suggests a broader strategy or cooperation among these actors, despite FamousSparrow being treated as a distinct entity by cybersecurity professionals. | Details |
| 2025-03-26 15:33:32 | theregister | MISCELLANEOUS | Tech Blogger Issues Cryptic Warning About Linux Tool | Rachel Kroll, a respected sysadmin and blogger, posted an enigmatic advisory suggesting users terminate the use of the Linux monitoring tool, atop.
Despite the lack of detailed explanation or context, the warning has significantly alarmed the Linux community.
Kroll's credibility, based on her extensive background in tech, having worked with major companies and spoken at numerous tech conferences, adds weight to her stark warning.
Atop, while being a valuable system monitoring tool, also logs performance data, which can be critical should an exploit or vulnerability be discovered within it.
Tech forums and communities are abuzz with speculation and concern regarding potential unpublicized vulnerabilities in atop.
The Register attempted to reach out to Kroll and atop's author, Gerlof Langeveld, for further details, but there has been no response yet.
Users are advised that they can safely uninstall atop without harming their systems, with updates expected to be included in upcoming versions of various Linux distributions. | Details |
| 2025-03-26 15:17:40 | bleepingcomputer | MISCELLANEOUS | Emerging Security Technologies and the Enduring Value of Passwords | The Specops Breached Password Report revealed that even complex passwords meeting organizational standards are vulnerable, with 230 million such credentials compromised.
Verizon's Data Breach Investigations Report 2024 indicates stolen credentials lead to 44.7% of breaches, underscoring the need for enhanced security measures.
Alternatives like biometric authentication, behavioral biometrics, and blockchain offer potential password replacements but come with their own risks and limitations, such as vulnerability to spoofing and privacy concerns.
Newer methods like Zero-knowledge Proof (ZKP) and Passkeys provide more secure authentication options by not transmitting actual credentials and using public key cryptography, respectively.
Passphrases offer a user-friendly and secure option against brute-force attacks but require careful construction to avoid predictability.
The emergence of security keys and expanded support for password-less logins across major platforms enhances user authentication without reliance on traditional passwords.
Despite advancements in authentication technology, passwords remain foundational to security strategies, with multi-factor authentication (MFA) providing reinforced protection against vulnerabilities.
As cyber threats evolve, maintaining robust password policies and integrating new authentication technologies are crucial for safeguarding digital identities. | Details |
| 2025-03-26 14:07:38 | bleepingcomputer | CYBERCRIME | RedCurl Cyber Espionage Group Targets Hyper-V Servers with Ransomware | RedCurl, a group known for corporate espionage since 2018, has started deploying ransomware in compromised networks, a shift in their usual operations.
Bitdefender researchers have observed attacks that specifically target Hyper-V virtual machines with "QWCrypt" ransomware, which differs from the common focus on VMware ESXi servers.
Initial infection vectors include phishing emails with .IMG attachments, camouflaged as CVs, enabling DLL sideloading through legitimate Adobe executables to introduce malware.
The attackers employ various stealth tactics, using "living-off-the-land" tools, a custom wmiexec for lateral movement, and the 'Chisel' tool for secure RDP access.
QWCrypt ransomware features advanced options for targeted encryption, supporting command-line arguments that tailor attacks specifically to Hyper-V environments and offering selective encryption strategies to speed up the encryption process.
Financial motives behind using ransomware could be multifaceted: it might serve as a distraction during espionage, a method for monetization after data theft, or possibly as a false flag operation.
No dedicated leak site for double extortion indicates possible private negotiations for ransom rather than public demands, suggesting a quieter, potentially more strategic approach to ransomware deployment by RedCurl. | Details |
| 2025-03-26 13:59:59 | thehackernews | MALWARE | EncryptHub Uses Zero-Day in Windows to Spread Malware | EncryptHub exploited a patched Windows zero-day vulnerability to deploy malware, including Rhadamanthys and StealC.
The malware manipulates Microsoft Console (.msc) files and the Multilingual User Interface Path to maintain persistence and steal data.
The zero-day exploit, tagged as CVE-2025-26633 by Microsoft, was part of an improper neutralization flaw in Microsoft Management Console.
Microsoft addressed the vulnerability in a recent Patch Tuesday update.
Trend Micro has named the exploit MSC EvilTwin and tracks the suspect under the name Water Gamayun, with ties to Russia.
Attackers use digitally-signed installer files mimicking legitimate software like DingTalk to initiate the infection.
The campaign involves sophisticated delivery mechanisms and custom payloads aimed at data theft and establishing control over victim systems.
The attacks, still under active development, started in April 2024 and show evolving techniques. | Details |
| 2025-03-26 13:52:58 | thehackernews | NATION STATE ACTIVITY | RedCurl Group Expands Tactics with QWCrypt Ransomware Deployment | Russian-speaking hacking group RedCurl, historically known for corporate espionage, has initiated a ransomware campaign using a new strain called QWCrypt.
Romanian cybersecurity firm Bitdefender has identified this as the first instance of ransomware deployment by RedCurl, marking a significant shift in the group's operations.
The ransomware was delivered through phishing attacks employing ISO files disguised as CVs, a continuation of RedCurl's established use of deceptive files.
The attack involves multi-stage infection mechanisms, including the use of legitimate Windows executable files for malicious purposes (DLL side-loading) and social engineering to distract the victim.
The implant from the initial loader sets the stage for further network infiltration and data collection, which ultimately leads to ransomware deployment.
The ransomware not only encrypts virtual machines to paralyze hosted services but also attempts to disable endpoint security through BYOVD (bring your own vulnerable driver) techniques.
The ransom note associated with the attack mimics those used by other ransomware groups such as LockBit, HardBit, and Mimic, suggesting a possible diversion or deeper strategic intentions by RedCurl. | Details |
| 2025-03-26 12:04:16 | thehackernews | MISCELLANEOUS | Enhancing Cyber Defense Through Continuous Automated Pentesting | Cybersecurity parallels boxing, where continuous active testing or "sparring" is crucial for maintaining effective defense strategies.
Traditional penetration testing in organizations is infrequent, leading to potential security gaps due to configuration drift and lack of adversarial challenge.
Infrequent testing can leave vulnerabilities undetected and, over time, the natural drift in IT environments can cause previously secure systems to become exposed.
The article emphasizes the value of recurring, real-world scenario tests to identify and address security vulnerabilities efficiently.
Automated pentesting offers a more frequent, cost-effective solution for testing compared to traditional methods, mimicking real-world attacks continuously.
Contextual prioritization of fixes is important; not all detected vulnerabilities pose the same level of risk, depending on the network environment.
Continuous testing helps organizations adapt quickly to new threats and improve their defenses proactively, minimizing potential exposure and costs from breaches. | Details |
| 2025-03-26 12:04:16 | thehackernews | MALWARE | Malicious npm Packages Modify 'ethers' Library for Persistent Attacks | Cybersecurity researchers identified two malicious npm packages, ethers-provider2 and ethers-providerz, which target the locally installed 'ethers' npm package for modifications to facilitate further malware attacks.
ethers-provider2, downloaded 73 times, modifies 'ethers' by injecting a file that launches a reverse shell, allowing hackers to control the infected system remotely.
Even after the removal of ethers-provider2, the malicious modifications within the 'ethers' library persist, potentially leading to re-infection if the original library is not thoroughly cleaned or reinstalled.
The attack involves multiple stages, with the initial payload downloading and executing further malicious content from a remote server, designed to hide traces by deleting temporary files post-execution.
The threat maintains a presence on compromised systems by continuously monitoring and modifying the 'ethers' library whenever it is present or re-installed.
Despite the limited number of downloads, the impact of such packages is significant due to their ability to maintain persistence and control over affected systems.
This incident highlights the sophistication of software supply chain attacks and underscores the importance of thorough verification and handling of third-party open-source packages. | Details |
| 2025-03-26 12:04:15 | bleepingcomputer | MALWARE | New Malicious npm Packages Install Persistent Backdoors | Two harmful npm packages, 'ethers-provider2' and 'ethers-providerz,' were uncovered, containing code that patches other legitimate packages to introduce backdoors.
The malicious packages exploit legitimate local installations by inserting a reverse shell backdoor, ensuring persistence even after the original malware is removed.
ReversingLabs identified the attack during a routine security review, noting the sophisticated nature of the threat due to its covert operations and persistence mechanisms.
The reverse shell patches legitimate files within the npm ecosystem, with 'ethers-provider2' targeting the 'ssh2' package and 'ethers-providerz' aiming at the @ethersproject/providers.
Even if the original malicious package is uninstalled, the patched legitimate package retains the malware, continuing to compromise the system.
Some earlier versions of these packages contained flaws that prevented full functionality, but corrections and reintroductions seem likely in the future.
ReversingLabs also developed a YARA rule to aid developers in scanning their environments for remnants of these and related threats.
General advice given includes stringent verification of package legitimacy and scrutiny of package code for any suspicious elements like obfuscated commands or external calls. | Details |
| 2025-03-26 11:29:31 | thehackernews | MALWARE | Ransomware Defense: The Importance of Continuous Validation | Ransomware attacks progress through stages, each offering a crucial window for detection and prevention.
Most organizations miss early indicators, such as shadow copy deletion and process injections, allowing attackers to escalate their efforts quietly.
Continuous ransomware validation is essential, simulating attacks to ensure systems detect and respond appropriately before actual ransom demands occur.
The three stages of a ransomware attack include pre-encryption groundwork, encryption lockout, and the post-encryption ransom demand.
Key indicators of compromise (IOCs) to monitor include shadow copy deletion, mutex creation, process injection, and service termination.
Automated security validation tools can seamlessly integrate into security workflows, reducing the burden on IT teams while ensuring defenses are robust against evolving threats.
Regular, continuous testing is critical as annual testing is insufficient against the fast-evolving ransomware tactics. | Details |
| 2025-03-26 11:09:38 | theregister | MISCELLANEOUS | NCSC Engages Influencers to Promote 2FA Cybersecurity | The UK's National Cyber Security Centre (NCSC) has employed popular social media influencers to promote two-factor authentication (2FA) as a part of its Stop! Think Fraud campaign.
Influencers from various backgrounds, including comedy and personal finance, are creating content to demonstrate the effectiveness of 2FA in preventing unauthorized access.
One skit by thesquidvids humorously illustrates how cybercriminals are thwarted by 2FA, showcasing its importance in securing accounts.
This approach aims to reach a broader audience and enhance public awareness about the benefits of enabling strong account protections.
NCSC's initiative reflects a broader strategy, which includes podcasts, blog posts, and other social media engagements, to bolster national cybersecurity.
The campaign is supported by Action Fraud and the National Crime Agency (NCA) to combat fraud, which has been described as a life-ruining crime.
This marks the second instance where NCSC has utilized influencer marketing, following a previous campaign about Christmas scams. | Details |
| 2025-03-26 10:16:39 | thehackernews | DATA BREACH | How PAM Safeguards Organizations Against Insider Threats | Insider threats pose significant financial and reputational risks to organizations, often leading to serious data breaches.
Privileged Access Management (PAM) is crucial in controlling and monitoring access to sensitive systems, effectively mitigating insider risks.
Insider incidents, especially those involving privileged accounts, are among the most costly, averaging USD 4.99 million per attack.
Advanced PAM solutions automate the discovery and management of privileged accounts, reducing the opportunity for insider abuse.
Implementing PAM practices like least privilege and just-in-time access can drastically limit unauthorized access and potential damage.
PAM technologies ensure that remote access and third-party interactions are secure, minimizing risks from external collaborators.
The combination of user activity monitoring and automated responses is effective in detecting and mitigating insider threats promptly.
Beyond preventing insider threats, PAM enhances overall operational efficiency, compliance, and security of organizational systems. | Details |
| 2025-03-26 08:56:00 | thehackernews | CYBERCRIME | Atlantis AIO: New Tool Powering Mass Credential Stuffing Attacks | Threat actors are using a cybercrime tool named Atlantis AIO Multi-Checker to perform automated credential stuffing on over 140 platforms.
Atlantis AIO enables cybercriminals to test millions of stolen credentials rapidly, which are typically acquired through data breaches or underground forums.
This tool differs from brute-force attacks by using stolen username and password combinations to access accounts on various platforms without prior authorization.
Atlantis AIO is designed with pre-configured modules, which assist attackers in targeting a wide range of platforms, including email services, e-commerce sites, and financial institutions.
The tool boasts features that maintain user anonymity and security, promising high success rates and customer satisfaction.
Credential stuffing facilitated by Atlantis AIO can lead to account takeovers, fraud, data theft, and the sale of access credentials on dark web marketplaces.
To combat these threats, it is recommended for organizations to enforce strong password policies and implement multi-factor authentication that is resistant to phishing attempts. | Details |
| 2025-03-26 06:45:43 | bleepingcomputer | NATION STATE ACTIVITY | Google Patches Chrome Zero-Day Used in Russian Espionage Efforts | Google recently addressed a severe zero-day vulnerability in Chrome, tracked as CVE-2025-2783, exploited for espionage against Russian entities.
The vulnerability allowed attackers to escape the browser's sandbox and deploy sophisticated malware during cyber-espionage attacks.
The exploit was discovered by researchers at Kaspersky, who found it actively used to redirect users as part of Operation ForumTroll.
This campaign targeted Russian organizations through phishing attacks that simulated emails from a legitimate scientific forum.
Besides the initial exploit, attackers used a second vulnerability enabling remote code execution; however, details on this remain undisclosed.
Google rolled out patches quickly in the Stable Desktop channel for Windows users, with immediate availability upon checking for updates.
Researchers recommend updating Chrome to mitigate the risk and disrupt the exploit chain used in the attacks.
This incident marks the first Chrome zero-day patched in 2025, following ten zero-days addressed by Google in the previous year. | Details |