Daily Brief

2024-07-15 02:05:45 theregister DATA BREACH mSpy Suffers Another Major Data Breach, Millions Affected
Commercial spyware firm mSpy has suffered another data breach, this time exposing millions of buyer records, including support tickets held in Zendesk. The leaked data totals 318GB and contains 2.4 million unique email addresses along with IP addresses, names, photos, and screenshots of financial transactions. Previous breaches in 2015 and 2018 also leaked substantial customer information, underlining recurring security problems at the company. Have I Been Pwned listed the breach on July 11, 2023, indicating the scale and specifics of the exposed data. Other stalkerware companies such as LetMeSpy and pcTattletale have also recently suffered breaches that led to their shutdown. The incident highlights the ongoing privacy and security risks of stalkerware applications, given the sensitive data they collect. Users of the mSpy app are urged to be cautious and to consider the long-term implications of personal data exposure.
2024-07-15 00:08:36 theregister NATION STATE ACTIVITY UK Cyber Chief Concerns Over China's Vulnerability Laws
The UK National Cyber Security Centre's interim CEO, Felicity Oswald, criticizes China's mandated vulnerability reporting laws as conflicting with global cybersecurity norms. Oswald points to the activities of the Beijing-backed Volt Typhoon gang as evidence of a significant uptick in cyber threats from China. While not attributing a recent Ministry of Defence data breach to China, Oswald expresses concern over Chinese cyber strategies and their impact on global security. AWS China counters claims of business difficulties and layoffs, emphasizing strong growth and ongoing recruitment. Japanese researchers identify a supernova remnant from 1181, possibly formed by the collision of two white dwarf stars. India's telecom manufacturing has been boosted by the Production-Linked Incentive scheme, achieving a 370% increase in sales and reducing dependence on imported telecom equipment. Singapore's Competition and Consumer Commission holds off on approving Grab's acquisition of Trans-cab, citing potential harm to drivers and passengers. Australia's government instructs reviews of technology assets for foreign influence and vulnerabilities, along with enhanced cyber threat information sharing.
2024-07-14 14:22:07 bleepingcomputer CYBERCRIME Singapore Banks to Replace OTPs with Digital Tokens for Security
The Monetary Authority of Singapore (MAS) is requiring major retail banks to phase out one-time passwords (OTPs) within three months. The measure, developed with the Association of Banks in Singapore (ABS), aims to strengthen protection against phishing and other scams. OTPs have been an effective online security control since the 2000s but have become vulnerable to sophisticated phishing attacks, Android malware, and man-in-the-middle tactics. Recent measures such as Google's crackdown on SMS permission abuse have also shaped improvements in Singapore's cybersecurity landscape. Roughly 60% to 90% of customers at major banks such as DBS, OCBC, and UOB already use the more secure digital tokens. MAS and ABS urge the remaining customers to switch to digital tokens promptly to avoid the risks associated with OTPs. Customers who decline to switch will continue to receive OTPs, but this group is expected to shrink as digital token adoption grows.
2024-07-13 15:20:02 bleepingcomputer CYBERCRIME Rapid Weaponization of PoC Exploits Threatens Cybersecurity
Threat actors are weaponizing proof-of-concept (PoC) exploits within minutes of their release, according to Cloudflare's 2024 security report. In one case an exploit was deployed just 22 minutes after the disclosure of CVE-2024-27198, an authentication bypass flaw in JetBrains TeamCity. The most frequently targeted vulnerabilities were in Apache, ColdFusion, and MobileIron products. Cloudflare, which processes an average of 57 million HTTP requests per second, has observed an increase in CVE scanning, command injection, and PoC weaponization. The company is using AI and ML to speed up and improve the accuracy of developing detection rules and WAF Managed Rulesets against rapid exploitation. The report also finds that 6.8% of all daily internet traffic is DDoS attack traffic, up from the previous year, intensifying the focus on mitigation efforts. The report further includes strategies for defenders and a broad analysis of the current cybersecurity landscape, with recommendations to improve overall security posture.
2024-07-13 15:09:44 theregister DATA BREACH Over 100 Million Affected by AT&T Snowflake Intrusion
AT&T's Snowflake storage account suffered a significant security intrusion affecting over 100 million people, underscoring rising concerns around data security and breaches. The breach was discussed on "The Kettle," a weekly discussion show featuring journalists and cybersecurity experts, who also debated, with some skepticism, AI's potential to defend against malware and improve system security. The discussion was hosted by Iain Thomson with Tobias Mann, Brandon Vigliarolo, and Jessica Lyons. The show is also available via RSS, MP3, Apple, Amazon, and Spotify.
2024-07-13 05:55:51 thehackernews DATA BREACH AT&T Suffers Massive Data Breach, Millions of Customers Affected
American telecom giant AT&T confirmed a massive data breach affecting virtually all of its wireless customers and multiple MVNO partners, caused by unauthorized access to a third-party cloud platform. The breach occurred between April 14 and April 25, 2024, and involved the exfiltration of AT&T records of customer calls and texts from mid-2022 and early 2023, including interaction counts and call durations. The call data records obtained by the threat actors could potentially reveal customer locations and were used in conjunction with prior data to map phone numbers to identities. The compromised data included interactions with AT&T landlines and other carriers but did not include personal information such as Social Security numbers or the content of communications. AT&T plans to notify affected current and former customers and has advised them to be vigilant against phishing and smishing scams. The breach is linked to other high-profile breaches at companies such as Ticketmaster and Santander, all traced back to hackers exploiting weaknesses in Snowflake's cloud services. Law enforcement has made at least one arrest in connection with the breach, and investigations are ongoing with collaborative efforts from security agencies. Snowflake has introduced mandatory multi-factor authentication for all users to prevent future unauthorized access.
2024-07-12 23:59:52 theregister CYBERCRIME CDK Global Pays $25M Ransom Amidst Extensive Dealer Disruptions
CDK Global reportedly paid $25 million in Bitcoin to resolve a ransomware attack that disrupted its operations and affected approximately 15,000 car dealerships nationwide. The attack caused significant operational delays, halting sales and vehicle registrations at major dealerships for two weeks. Recovery reportedly involved restoring from backups and dealing with encrypted critical data, which extended system downtime even after the ransom was paid. The attackers, identified as the BlackSuit group, which is also responsible for previous high-profile ransomware incidents, received a transaction of 387 Bitcoin. The economic impact of the outage on dealerships is estimated to exceed $600 million, a figure that contrasts sharply with the ransom amount but may still underestimate total losses once reputational damage is included. Sonic Automotive reported to the SEC ongoing issues with some systems and third-party applications, indicating potential disruptions beyond the initial recovery efforts. The incident reflects an upward trend in ransom payment amounts despite a general decline in the proportion of victims choosing to pay.
2024-07-12 20:51:34 bleepingcomputer MALWARE Critical Security Bug Threatens 1.5 Million Exim Mail Servers
Over 1.5 million Exim mail servers are at risk from an unpatched critical vulnerability tracked as CVE-2024-39929. The flaw allows remote attackers to bypass security filters and deliver malicious executable attachments by exploiting multiline RFC 2231 header filenames. Exim versions up to and including 4.97.1 are affected, and the developers have released an urgent patch to address the flaw. While no active exploitation is currently known, a proof of concept (PoC) is available, increasing the risk of attacks. The flaw predominantly affects servers in the United States, Russia, and Canada, which risk compromise if the malicious attachments are executed. Exim's role as the default Debian Linux MTA and its position as the world's most widely deployed MTA software underline the importance of timely upgrades and patches. Administrators are advised to restrict remote Internet access to vulnerable servers as an immediate protective measure against exploitation attempts.
2024-07-12 20:26:00 theregister NATION STATE ACTIVITY Concerns Rise Over Microsoft's AI Tech Deal with UAE Firm G42
U.S. House Committee chairs have publicly urged the White House to scrutinize a Microsoft-G42 partnership involving significant U.S. AI technology investments. Microsoft plans to invest $1.5 billion in UAE-based AI firm G42, raising alarms about potential transfer of AI technology to China. Representatives McCaul and Moolenaar expressed national security concerns based on G42's historical ties with China and the deepening relationship between the UAE and China. Both G42 and Microsoft assert that they have implemented stringent security measures, including a "vault within a vault" to safeguard AI technologies. Despite these assurances, U.S. lawmakers remain skeptical that the safeguards are adequate against the transfer of sensitive technologies. The bipartisan concern underlines the strategic importance of the partnership and calls for thorough governmental reviews to assess and mitigate potential security risks.
2024-07-12 18:49:10 bleepingcomputer DATA BREACH Rite Aid Confirms Data Breach After RansomHub Ransomware Attack
Rite Aid experienced a cyberattack in June, claimed by the RansomHub ransomware group, that resulted in a significant data breach. Over 10 GB of customer information was reportedly stolen, which may include names, addresses, and other personal details. Rite Aid has restored its systems with the assistance of third-party cybersecurity experts and is now fully operational. The pharmacy chain is finalizing its investigation into the attack and has begun notifying affected customers. No financial data, health information, or Social Security numbers were compromised in the breach. Rite Aid has emphasized its commitment to safeguarding personal information and is treating the breach as a top priority. RansomHub specializes in data theft for extortion, threatening to leak stolen data if its ransom demands are not met.
2024-07-12 18:28:38 bleepingcomputer CYBERCRIME DNS Hijacking Wave Targets DeFi Platforms via Squarespace
Coordinated DNS hijacking attacks have targeted decentralized finance (DeFi) cryptocurrency domains registered with Squarespace, redirecting users to phishing sites. Attackers modified DNS records to send users to sites that used wallet drainers to steal cryptocurrency and NFTs from connected wallets. Affected platforms include Compound Finance, Celer Network, and Pendle, all of which confirmed that their protocols themselves remain uncompromised. The affected domains had recently been migrated to Squarespace from Google Domains, a process during which security features such as multi-factor authentication were disabled. The attacks may have exploited reseller access and accounts newly created as part of the domain migration. Users who interacted with the phishing sites are urged to revoke smart contract approvals, change passwords, and move funds to secure wallets. Investigation into the full scope and method of the attacks is ongoing, with Squarespace yet to provide official comment or remedies.
2024-07-12 18:03:02 theregister NATION STATE ACTIVITY CISA Red Team Exposes Severe Security Gaps in Federal Agency
CISA's covert red team operation revealed critical security failures within an unnamed federal agency and went undetected for five months. The team exploited an unpatched CVE in Oracle Solaris, resulting in a full system compromise, and the same flaw was also exploited by an unauthorized third party. The agency delayed patching the known vulnerability for over two weeks and failed to conduct a thorough investigation or incident response. Entry restrictions in part of the network initially thwarted further access, but the red team succeeded through a phishing attack that led to a full domain compromise. Sensitive usernames and passwords found in plaintext highlighted severe mismanagement and outdated security practices. Following the assessment, CISA's engagement with the agency's security team led to significant improvements in incident detection and response. Recommendations emphasized defense-in-depth, network segmentation, and moving away from sole reliance on known IoCs for detecting threats.
2024-07-12 15:55:33 bleepingcomputer CYBERCRIME Netgear Urges Firmware Update to Address Router Security Flaws
Netgear has issued firmware updates for multiple WiFi 6 routers to fix critical vulnerabilities, including a stored XSS flaw and an authentication bypass. The XSS flaw, found in the XR1000 Nighthawk model, could allow attackers to hijack user sessions or redirect users to malicious sites through the router's interface. The authentication bypass in the CAX30 Nighthawk AX6 model is more severe, enabling unauthorized administrative access and possibly full device control. Firmware updates correcting these issues are now available, and Netgear strongly recommends immediate installation. The advisory warns of serious potential compromises, including session hijacking, privileged actions without consent, and full system takeover. Users are urged to promptly install the updated firmware versions, 1.0.0.72 for the XSS vulnerability and 2.2.2.2 for the authentication bypass, to mitigate the risks. Netgear has been in the news recently over another set of vulnerabilities disclosed in the now unsupported WNR614 N300 model, underscoring ongoing security challenges. The company's statement stressed that it accepts no liability for the consequences of not following its recommended security measures.
2024-07-12 15:40:01 bleepingcomputer CYBERCRIME Netgear Urges Firmware Updates to Fix Critical Router Flaws
Netgear advises users to update their routers' firmware to patch critical vulnerabilities affecting multiple WiFi 6 router models. The stored XSS flaw (PSV-2023-0122), fixed in firmware version 1.0.0.72, affects the XR1000 Nighthawk gaming router and could allow attackers to hijack user sessions and steal data. An authentication bypass issue (PSV-2023-0138), resolved in firmware version 2.2.2.2, impacts the CAX30 Nighthawk AX6 6-Stream cable modem routers, potentially permitting unauthorized administrative access. Both vulnerabilities pose significant security risks, especially the authentication bypass which could lead to a complete takeover of the device. A spokesperson from Netgear was unavailable for comment when additional details of the flaws were sought by the press. Users affected by the flaws are strongly urged by Netgear to download and install the latest firmware updates as a preventive measure against potential attacks. Netgear also cautioned users of the WNR614 N300 router about multiple vulnerabilities, recommending replacement due to the lack of support for this end-of-life model.
2024-07-12 14:53:48 thehackernews MALWARE DarkGate Malware Targets Samba Shares in Global Campaign
Palo Alto Networks' Unit 42 identified a malware campaign using DarkGate to abuse Samba file shares across North America, Europe, and Asia during March and April 2025. The malware infiltrates systems through malicious Microsoft Excel (.xlsx) files that lure users into executing scripts fetched from Samba servers. DarkGate, offered as malware-as-a-service (MaaS) since 2018, provides remote control, code execution, cryptocurrency mining, and the deployment of further payloads. The campaign resurged strongly after law enforcement took down the QakBot infrastructure in August 2023. Some attack chains also use JavaScript, employing similarly deceptive methods to download and launch the malware via PowerShell scripts. DarkGate evades detection by scanning for anti-malware software and examining the CPU to determine whether it is running on a physical or virtual machine. Its communication with command and control (C2) servers is obfuscated within unencrypted HTTP requests to hinder tracing. Researchers underscore the enduring threat of DarkGate, given its evolving tactics, and stress the need for robust cybersecurity measures.