Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12625
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-12-11 15:14:29 | bleepingcomputer | CYBERCRIME | ConsentFix Attack Exploits Azure CLI to Hijack Microsoft Accounts | Push Security discovered ConsentFix, a ClickFix variant that hijacks Microsoft accounts by abusing the first-party Azure CLI OAuth application, so the attacker never needs the victim's password or an MFA prompt.
Social engineering gets the victim to complete a legitimate OAuth authorization flow on the attacker's behalf; the attacker then steals the resulting authorization code and exchanges it for account access.
The lure runs on compromised websites showing a fake CAPTCHA widget, which first filters visitors by email address so that only legitimate target users proceed.
Victims are sent to a genuine Microsoft login URL; after they authorize, the authorization code returned in the redirect is captured by the attackers, who use it to access the account.
Because the victim authenticates to Microsoft directly, the attack sidesteps password-based and MFA-based controls, and it completes without any credential prompt when the user already has a Microsoft session.
Security teams should watch for unusual sign-ins by the Azure CLI application (new users, IP addresses or clients) and for tokens requested with legacy Graph scopes.
The lure fires only once per victim IP address, so repeat visits from the same address, including analyst replays, get a clean page, which makes the campaign harder to reproduce and detect. | Details |
| 2025-12-11 13:45:48 | thehackernews | MALWARE | New Mirai Botnet Variant Targets Maritime Logistics Sector | A new Mirai botnet variant, named Broadside, is exploiting a critical vulnerability (CVE-2024-3721) in TBK DVR systems and is specifically targeting the maritime logistics sector.
Broadside adds a custom command-and-control protocol with a "Magic Header" signature, which distinguishes it from earlier Mirai variants and makes its traffic harder to match with existing signatures.
It uses Netlink kernel sockets to monitor processes covertly, applies payload polymorphism to evade static detection, and kills rival malware processes to keep exclusive control of the device.
Beyond denial-of-service attacks, Broadside tries to harvest credential files such as /etc/passwd and /etc/shadow to establish a longer-term foothold on compromised devices.
Mirai variants have kept evolving since the source code leaked in 2016, a persistent threat that critical infrastructure sectors still need robust defenses against.
Organizations in maritime logistics are advised to patch exposed DVR systems promptly and to improve monitoring so that such threats are detected and contained. | Details |
| 2025-12-11 13:25:13 | bleepingcomputer | VULNERABILITIES | Unpatched Gogs Zero-Day Exploited to Compromise 700 Servers | A zero-day vulnerability in Gogs, a self-hosted Git service, has been exploited for remote code execution on more than 700 servers.
The flaw, CVE-2025-8110, is a symbolic-link path traversal in the PutContents API that bypasses the fix for an earlier, related vulnerability.
Attackers planted symbolic links and then wrote through them to overwrite sensitive files, including the repository's Git configuration, which gave them arbitrary command execution.
Wiz Research discovered the vulnerability in July and assesses that a single actor or group ran the exploitation campaign with automation.
Over 1,400 Gogs servers were found exposed online, many with "Open Registration" enabled, which lets anyone create an account and reach the vulnerable API.
The malware deployed was built with the Supershell framework and beaconed to a single command-and-control server.
Gogs maintainers acknowledged the flaw in October; with a patch still in development, users are advised to disable open registration and restrict access to their servers.
Organizations should monitor for suspicious API activity and for repositories with random-looking names, both signs of compromise. | Details |
| 2025-12-11 13:18:25 | thehackernews | MALWARE | NANOREMOTE Malware Exploits Google Drive API for Stealthy Operations | Elastic Security Labs has disclosed NANOREMOTE, a Windows backdoor that uses the Google Drive API for command and control, blending its traffic into legitimate cloud activity and complicating detection.
Its code overlaps with FINALDRAFT, an implant that uses the Microsoft Graph API the same way, suggesting a shared development lineage.
NANOREMOTE supports data theft, payload staging and task management, with file transfer and command execution all relayed through the Google Drive API.
Targets span government, defense, telecommunications, education and aviation organizations in Southeast Asia and South America, and the activity is attributed to a suspected Chinese threat group.
The chain starts with WMLOADER, a loader that masquerades as Bitdefender components, decrypts shellcode and launches the backdoor; the initial access vector is still unidentified.
NANOREMOTE was also observed communicating with a non-routable IP address, with its exchanges encrypted using AES-CBC over HTTP.
An artifact recovered in the Philippines ties NANOREMOTE to FINALDRAFT: both use the same encryption key.
NANOREMOTE underscores the continuing use of legitimate cloud APIs for covert command and control, which detection strategies need to account for. | Details |
| 2025-12-11 12:49:19 | theregister | NATION STATE ACTIVITY | Salt Typhoon Spies Allegedly Trained at Cisco Networking Academy | SentinelLabs research links two Salt Typhoon members to Cisco's 2012 Networking Academy Cup, suggesting skills gained were later used in Chinese cyber operations.
Yu Yang and Qiu Daibing, associated with Beijing Huanyu Tianqiong, competed in the academy's cup, a program that teaches foundational networking and security skills.
The curriculum covered products such as Cisco IOS and ASA firewalls, the same product families Salt Typhoon is alleged to have exploited in its global telecom breaches.
Salt Typhoon's campaign, publicized in 2024, compromised at least 80 telecom companies, enabling espionage on sensitive communications worldwide.
The findings are a caution to vendors that training offered in geopolitically sensitive regions may inadvertently build adversary capability.
The report notes that educational background alone is not a definitive predictor of cybersecurity aptitude, and highlights how states can draw strategically on vendor training programs.
Cisco is not accused of involvement in the espionage, but the case shows the complicated dynamics of global cybersecurity education. | Details |
| 2025-12-11 11:34:05 | theregister | DATA BREACH | Docker Hub Images Leak Sensitive Cloud Credentials, Affecting Major Firms | Over 10,000 Docker Hub images were found leaking sensitive information, impacting more than 100 companies, including a Fortune 500 firm and a major bank.
Flare's analysis found that the images contained active credentials for production systems, cloud services and AI platforms.
Nearly half of the leaking images exposed five or more secrets, enough to give an attacker a path into critical infrastructure.
A large share of the leaks came from "shadow IT" accounts that sit outside enterprise monitoring yet hold high-value credentials.
Flare found personal Docker Hub accounts exposing corporate credentials with no visible link to the organizations involved.
Even after secrets were removed from the images, 75% of them were still valid, showing that deletion without rotation leaves the exposure open.
Flare recommends that developers keep secrets out of images, use a secrets manager, and run automated scans of images to catch exposures before they are published. | Details |
| 2025-12-11 11:34:04 | thehackernews | MISCELLANEOUS | Navigating Identity and Access Management Challenges with RPA Bots | Robotic Process Automation (RPA) is increasingly used in enterprises to automate repetitive tasks, necessitating robust identity and access management (IAM) strategies for non-human identities (NHIs).
RPA bots, often more numerous than human employees, require careful identity lifecycle management to prevent security risks and ensure efficient operations.
RPA creates IAM challenges of its own: large bot fleets to manage, an expanded attack surface, and awkward integration with legacy systems, which together lead to unmanaged credentials and security gaps.
Implementing best practices such as treating bots as first-class identities, using secrets management tools, and enforcing Privileged Access Management (PAM) can mitigate these challenges.
Enterprises are advised to adopt Zero-Trust Network Access (ZTNA) principles and strengthen authentication processes, such as Multi-Factor Authentication (MFA), for human users managing RPA bots.
KeeperPAM® offers a unified platform to manage credentials, enforce the Principle of Least Privilege (PoLP), and monitor privileged sessions, securing both human and automated identities.
As automation evolves, organizations must adjust IAM strategies to secure both human users and RPA bots, ensuring operational efficiency and security. | Details |
| 2025-12-11 11:05:12 | thehackernews | NATION STATE ACTIVITY | WIRTE APT Expands Espionage Operations with AshTag Malware in Middle East | WIRTE, an advanced persistent threat group, has been targeting Middle Eastern government and diplomatic entities with the AshTag malware suite since 2020.
The group's operations have extended to Oman and Morocco, indicating a broader geographical focus beyond previous targets like the Palestinian Authority and Egypt.
AshTag arrives through phishing emails with geopolitical lures and ends in a modular backdoor that executes commands from the operators.
The chain sideloads a malicious DLL, AshenLoader, which stages the remaining components and keeps the on-disk footprint small to limit forensic traces.
WIRTE has kept up a steady tempo despite regional conflict, rolling out new malware variants and operating hands-on inside victim environments.
The group's espionage is aimed at intelligence collection, with a specific focus on diplomacy-related documents.
Data is exfiltrated with the Rclone utility, one more example of the group adapting off-the-shelf tooling to its strategic objectives. | Details |
| 2025-12-11 10:36:32 | thehackernews | VULNERABILITIES | Gogs Zero-Day Exploited, Over 700 Instances Compromised Worldwide | A critical zero-day vulnerability in Gogs, tracked as CVE-2025-8110 (CVSS 8.7), is being actively exploited and has affected over 700 instances globally.
The flaw is improper handling of symbolic links in the PutContents API, which lets an attacker write outside the intended path and execute arbitrary code.
It is a bypass of the patch for CVE-2024-55947, an earlier remote code execution flaw, a reminder that incomplete fixes keep the original bug class alive.
Attackers deployed a Supershell-based payload, a framework linked to Chinese hacking groups, to open reverse SSH shells to attacker-controlled servers.
The campaign looks like a "smash-and-grab": attackers leave traces such as repositories with random 8-character names.
Users are advised to disable open registration, limit internet exposure, and scan for suspicious repositories.
Separately, the report notes attacks that abuse leaked GitHub personal access tokens to gain initial access and move laterally across cloud environments. | Details |
| 2025-12-11 09:33:23 | theregister | DATA BREACH | Legal Aid Agency Faces Operational Struggles Post-Cyberattack Recovery | The UK's Legal Aid Agency (LAA) is recovering from a major cyberattack, with operations resuming but users facing significant system challenges.
The Client and Cost Management System (CCMS) remains problematic, with users reporting random session terminations and more cumbersome workflows.
New security controls, including an AWS Secure Browser and multifactor authentication, protect sensitive data but make access more cumbersome.
Users report longer login times and strict file-handling rules that cut into efficiency and productivity.
The May 2025 attack exposed sensitive data about legal proceedings; the details are covered by a government injunction, itself a measure of the breach's severity.
The LAA has enhanced technical support and system monitoring to address ongoing user difficulties and improve service reliability.
The breach's implications stress the importance of balancing security enhancements with operational usability in critical public sector systems. | Details |
| 2025-12-11 08:06:11 | bleepingcomputer | VULNERABILITIES | Google Releases Emergency Patch for Eighth Chrome Zero-Day in 2025 | Google has issued an emergency update to address a new zero-day vulnerability in Chrome, the eighth such flaw patched this year, affecting users across Windows, macOS, and Linux platforms.
The vulnerability is a buffer overflow in LibANGLE, Chrome's graphics abstraction layer, that can cause memory corruption, crashes, information leaks or arbitrary code execution.
The fix is in the Stable Desktop channel now, though Google's advisory notes that the rollout to all users may take days or weeks.
Bug details stay restricted until most users have applied the patch, and may stay restricted longer because the flaw sits in a third-party library that other projects depend on.
Previous zero-day vulnerabilities this year have been linked to espionage and account hijacking, highlighting ongoing threats and the need for rapid patch management.
Organizations are advised to ensure automatic updates are enabled or manually update their systems to mitigate potential exploitation risks.
This series of vulnerabilities demonstrates the critical importance of maintaining up-to-date security measures and monitoring for emerging threats. | Details |
| 2025-12-11 07:13:56 | thehackernews | VULNERABILITIES | Google Releases Urgent Chrome Update to Patch Active Exploit | Google has issued a security update for Chrome to address a high-severity vulnerability actively exploited in the wild, tracked under Chromium issue ID "466192044."
Details about the CVE identifier, affected component, and nature of the flaw remain undisclosed to prevent further exploitation and allow users time to apply the patch.
This is the eighth Chrome zero-day Google has patched this year, a measure of how persistent the threat is.
Users are advised to update Chrome to version 143.0.7499.109/.110 on Windows and macOS, and 143.0.7499.109 on Linux.
The update also fixes two medium-severity vulnerabilities, one more reason to keep the browser current.
Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera and Vivaldi, should apply the corresponding fixes as those vendors ship them.
Google's approach of withholding specific details aims to protect users by reducing the risk of reverse engineering the patch by malicious actors. | Details |
| 2025-12-11 06:00:18 | thehackernews | VULNERABILITIES | Hard-Coded Keys in Gladinet Products Enable Remote Code Execution Risks | Huntress identified a critical vulnerability in Gladinet's CentreStack and Triofox products due to hard-coded cryptographic keys, impacting nine organizations across sectors like healthcare and technology.
The flaw allows threat actors to forge access tickets, potentially leading to unauthorized access to sensitive files and remote code execution through ViewState deserialization.
The root cause is the "GenerateSecKey()" function, which produces the same static cryptographic key on every installation, so anyone who has the key can decrypt and forge access tickets.
Attackers exploit it with crafted requests to the "/storage/filesvr.dn" endpoint, setting the ticket timestamp so it never expires and the forged ticket can be reused indefinitely.
The attacks have been linked to IP address 147.124.216[.]205 and involve chaining with a previous vulnerability (CVE-2025-11371) to access critical machine keys.
Organizations using affected products should immediately update to version 16.12.10420.56791 and monitor logs for specific indicators of compromise.
Rotating machine keys is crucial if indicators of compromise are detected to mitigate potential exploitation and secure affected systems. | Details |
| 2025-12-10 23:59:01 | bleepingcomputer | MALWARE | AMOS Infostealer Targets macOS Users via Google Ads Exploit | A new campaign uses Google search ads to distribute the AMOS infostealer, targeting macOS users seeking troubleshooting advice on platforms like ChatGPT and Grok.
Researchers from Kaspersky and Huntress identified the campaign, which plants malicious instructions in conversations hosted on legitimate AI chat platforms and leads victims to install the malware themselves.
The chain starts with a search for macOS maintenance tips; the ad leads to an attacker-authored chat transcript that tells the victim to run a command in the macOS Terminal.
The command runs a bash script that prompts for the user's password and uses it to install AMOS with root privileges.
AMOS, a malware-as-a-service operation, rents for $1,000/month and steals sensitive data from macOS systems, including cryptocurrency wallet data and browser credentials.
AMOS persists through a LaunchDaemon, so it is restarted promptly if terminated.
Users are advised to exercise caution with online instructions and verify the safety of commands before execution to prevent falling victim to such exploits. | Details |
| 2025-12-10 21:53:34 | bleepingcomputer | MALWARE | DroidLock Malware Targets Android Devices with Ransom Demands | DroidLock, a new Android malware, locks screens and demands ransom, targeting Spanish-speaking users via fake app websites.
It gains remote control through VNC screen sharing, reads messages and contacts, and can wipe the device's data.
It tricks users into granting Device Admin and Accessibility Services permissions, enabling fraudulent activities like changing PINs and locking devices.
DroidLock employs 15 commands, including screen overlays and factory resets, to maintain control and pressure victims.
Victims are instructed to contact the attacker via Proton email, with threats of file destruction if ransom isn't paid within 24 hours.
Zimperium, a member of Google's App Defense Alliance, shared its findings so Play Protect can detect and block DroidLock.
Users are advised to avoid side-loading APKs from untrusted sources and regularly use Play Protect to scan for threats. | Details |
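For the ConsentFix item above, where the detection advice is to watch Azure CLI sign-ins: the following is an added example, not code from Push Security or Microsoft. It scans constructed Entra ID sign-in records for Azure CLI sign-ins that are a user's first ever, that come from an address the user has not used the CLI from, or that request the legacy Azure AD Graph resource. The record fields, the resource display name used for legacy Graph, and the office web app ID are assumptions for the example; the Azure CLI application ID is the well-known first-party value.

```python
"""Spot ConsentFix-style abuse of the Azure CLI OAuth application in
Microsoft Entra ID sign-in logs.

Added example, not code from Push Security or Microsoft. The record
layout is an assumption, simplified from the Entra sign-in log export;
the Azure CLI application ID is the well-known first-party value.
"""
from collections import defaultdict

# First-party application ID of the Azure CLI client.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
# Resource name under which legacy Azure AD Graph requests are assumed to
# appear in the sign-in log (assumption for this example).
LEGACY_GRAPH_RESOURCE = "Windows Azure Active Directory"
OFFICE_WEB_APP_ID = "constructed-office-web-app-id"  # any non-CLI app

# Constructed sign-in events, oldest first. Not real telemetry.
SIGNIN_LOGS = [
    # Alice uses the Azure CLI routinely from the office address.
    {"time": "2025-12-01T09:00:00Z", "user": "alice@example.com",
     "appId": AZURE_CLI_APP_ID, "ip": "198.51.100.7", "resource": "Microsoft Graph"},
    {"time": "2025-12-03T10:15:00Z", "user": "alice@example.com",
     "appId": AZURE_CLI_APP_ID, "ip": "198.51.100.7", "resource": "Azure Resource Manager"},
    # Bob has never used the CLI; a first-ever sign-in attributed to the
    # Azure CLI app from an unfamiliar address is the ConsentFix shape.
    {"time": "2025-12-11T14:02:00Z", "user": "bob@example.com",
     "appId": OFFICE_WEB_APP_ID, "ip": "198.51.100.7", "resource": "Microsoft Graph"},
    {"time": "2025-12-11T14:05:00Z", "user": "bob@example.com",
     "appId": AZURE_CLI_APP_ID, "ip": "203.0.113.55", "resource": "Microsoft Graph"},
    # Alice: CLI sign-in from an address she never used it from, and the
    # token is for the legacy Graph resource.
    {"time": "2025-12-11T14:20:00Z", "user": "alice@example.com",
     "appId": AZURE_CLI_APP_ID, "ip": "203.0.113.55", "resource": LEGACY_GRAPH_RESOURCE},
    # Normal activity again: nothing to report.
    {"time": "2025-12-11T16:00:00Z", "user": "alice@example.com",
     "appId": AZURE_CLI_APP_ID, "ip": "198.51.100.7", "resource": "Microsoft Graph"},
]


def find_suspicious_cli_signins(logs, baseline_until):
    """Return one alert per Azure CLI sign-in after `baseline_until` that is
    the user's first CLI sign-in, comes from an IP the user has not used with
    the CLI before, or requests the legacy Azure AD Graph resource.
    Records at or before `baseline_until` only build the per-user baseline.
    Timestamps are ISO-8601 UTC strings, so they compare as strings."""
    seen_ips = defaultdict(set)  # user -> IPs previously seen with the CLI
    alerts = []
    for rec in logs:
        if rec["appId"] != AZURE_CLI_APP_ID:
            continue
        user, ip = rec["user"], rec["ip"]
        if rec["time"] > baseline_until:
            reasons = []
            if not seen_ips[user]:
                reasons.append("first Azure CLI sign-in for this user")
            elif ip not in seen_ips[user]:
                reasons.append(f"Azure CLI sign-in from new IP {ip}")
            if rec["resource"] == LEGACY_GRAPH_RESOURCE:
                reasons.append("token requested for legacy Azure AD Graph")
            if reasons:
                alerts.append({"time": rec["time"], "user": user,
                               "ip": ip, "reasons": reasons})
        seen_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_cli_signins(SIGNIN_LOGS, "2025-12-10T00:00:00Z"):
        print(alert["time"], alert["user"], alert["ip"], "; ".join(alert["reasons"]))
```

In production the records would come from the Entra sign-in log export with a baseline window of several weeks, and the per-user IP set would normally be widened to ASN or named location to avoid noise from mobile users; the logic above is deliberately the minimum that separates the campaign's shape from routine CLI use.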
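For the two Gogs items above: the exploit worked because the PutContents API followed a symbolic link while writing, so a link planted in a repository redirected the write into Git configuration. The following added example is not Gogs code and not its patch; it shows the class of check such a write path needs, a resolver that rejects traversal, writes into .git, and any symlink component, and demonstrates it on a throwaway checkout built in a temporary directory. Function and file names are this example's own, and it assumes a POSIX filesystem.

```python
"""Refuse content-API writes that escape the repository or pass through a
symbolic link: the class of check whose absence let a planted symlink turn
a PutContents write into an overwrite of Git configuration.

Added example, not Gogs code. Assumes a POSIX filesystem and a checkout
rooted at `repo_root`; demo() builds a throwaway checkout in a temp dir.
"""
import os
import stat
import tempfile


def safe_repo_path(repo_root, rel_path):
    """Resolve `rel_path` inside `repo_root` and return the absolute target.

    Raises ValueError if the path is absolute, contains '..', touches the
    repository's own .git metadata, or if any existing component on the way
    (including the final one) is a symbolic link. os.lstat is used so a link
    is inspected rather than followed; a missing component is fine, because
    nothing below it can exist yet either."""
    if os.path.isabs(rel_path):
        raise ValueError("absolute path not allowed")
    parts = [p for p in rel_path.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts:
        raise ValueError("empty path")
    if ".." in parts:
        raise ValueError("parent-directory traversal not allowed")
    if ".git" in parts:
        raise ValueError("writes into .git metadata not allowed")
    root = os.path.realpath(repo_root)
    checked = root
    for part in parts:
        checked = os.path.join(checked, part)
        try:
            st = os.lstat(checked)
        except FileNotFoundError:
            break  # nothing below a missing component can exist yet
        if stat.S_ISLNK(st.st_mode):
            raise ValueError(f"{part!r} is a symbolic link")
    return os.path.join(root, *parts)


def demo():
    """Build a throwaway checkout containing a symlink that points at .git,
    then show which write targets the check accepts. Returns {path: verdict}."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".git"))
        with open(os.path.join(root, ".git", "config"), "w") as fh:
            fh.write("[core]\n\trepositoryformatversion = 0\n")
        # An attacker-controlled commit adds a symlink "docs" -> .git; a
        # naive write to "docs/config" would land in .git/config.
        os.symlink(".git", os.path.join(root, "docs"))
        for target in ("README.md", "docs/config", ".git/config",
                       "../outside.txt", "src/../../etc/passwd"):
            try:
                safe_repo_path(root, target)
                verdicts[target] = "allowed"
            except ValueError as exc:
                verdicts[target] = f"rejected: {exc}"
    return verdicts


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{path:24} {verdict}")
```

The check is only half of the fix: a link can be planted between the lstat and the write (a TOCTOU race), so the actual write should open the target with O_NOFOLLOW and, where the platform allows it, resolve relative to a directory file descriptor rather than a path string.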
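For the Docker Hub item above, whose last recommendation is automated scanning of images for embedded secrets: the added example below is not Flare's tooling. It runs a small scanner over constructed (path, contents) pairs that stand in for files extracted from image layers, combining fixed-format patterns (AWS access key IDs, GitHub tokens, private key headers) with a Shannon entropy test on KEY=VALUE assignments whose name suggests a secret, so that placeholders like "changeme" are not reported. All file contents are constructed; the AWS credentials are the placeholder values from AWS documentation.

```python
"""Scan files from a container image for embedded credentials before the
image is pushed.

Added example, not Flare's tooling. The (path, contents) pairs are
constructed stand-ins for files extracted from image layers.
"""
import math
import re

# Credential formats that are recognisable on their own.
STRUCTURED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# KEY=VALUE or "ENV KEY=VALUE" lines whose name suggests a secret. The value
# is reported only if it is long and random-looking (high entropy).
ASSIGNMENT = re.compile(
    r"^(?:ENV\s+)?(?P<name>[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY)[A-Z0-9_]*)"
    r"\s*=\s*[\"']?(?P<value>[^\s\"']+)",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed image contents. AKIAIOSFODNN7EXAMPLE and its secret are the
# documented AWS placeholder credentials; the GitHub token and key are fake.
SAMPLE_IMAGE_FILES = [
    ("app/.env",
     "DB_HOST=db.internal\n"
     "DB_PASSWORD=changeme\n"
     "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
     "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    ("Dockerfile",
     "FROM python:3.12-slim\n"
     "ENV GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\n"
     "COPY app /app\n"),
    ("README.md",
     "Set DB_PASSWORD in your environment; never commit real passwords.\n"),
    ("root/.ssh/id_rsa",
     "-----BEGIN OPENSSH PRIVATE KEY-----\n"
     "bm90IGEgcmVhbCBrZXk=\n"
     "-----END OPENSSH PRIVATE KEY-----\n"),
]


def shannon_entropy(s):
    """Bits of entropy per character of `s` (0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def scan_image_files(files, min_entropy=3.5, min_len=12):
    """Return a list of findings {path, kind, match} for the given files.
    Structured matches report the credential itself; entropy matches report
    only the variable name, so the scanner's own output does not leak it."""
    findings = []
    for path, content in files:
        structured = []
        for kind, pattern in STRUCTURED_PATTERNS.items():
            for m in pattern.finditer(content):
                structured.append(m.group(0))
                findings.append({"path": path, "kind": kind, "match": m.group(0)})
        for m in ASSIGNMENT.finditer(content):
            value = m.group("value")
            if any(s in value for s in structured):
                continue  # already reported by a structured pattern
            if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                findings.append({"path": path, "kind": "high_entropy_assignment",
                                 "match": m.group("name")})
    return findings


if __name__ == "__main__":
    for f in scan_image_files(SAMPLE_IMAGE_FILES):
        print(f"{f['path']:18} {f['kind']:26} {f['match']}")
```

To feed a real image, export it with `docker save` and walk each layer tarball, including layers that a later `RM` hides, since a deleted file is still present in the earlier layer; the scanner is intentionally small, and a production pipeline would add more token formats and report the layer and history line that introduced each secret.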