Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11760
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-09-11 19:44:25 | theregister | CYBERCRIME | VoidProxy Phishing Service Exploits Microsoft and Google Accounts Globally | Okta's Threat Intelligence team has identified VoidProxy, a phishing-as-a-service operation targeting Microsoft and Google accounts across multiple industries and geographic regions. Attackers use compromised email accounts to send phishing lures, redirecting victims through multiple URLs to a phishing site that mimics legitimate login pages. The phishing sites are hosted on low-cost domains and protected by Cloudflare, complicating efforts to dismantle the infrastructure. VoidProxy employs an attacker-in-the-middle (AiTM) approach, capturing login credentials, MFA codes, and session cookies to facilitate account takeovers. The stolen data is managed via an administrative panel that lets the operators track and monitor their campaigns. Okta advises adopting strong authentication methods, such as passkeys and security keys, to mitigate the risk of these sophisticated phishing attacks. The ongoing nature of these attacks underscores the need for continued vigilance and collaboration among industry partners to enhance security standards. | Details |
| 2025-09-11 19:24:40 | bleepingcomputer | DATA BREACH | Senator Calls for FTC Probe into Microsoft Security Failures | Senator Ron Wyden has urged the FTC to investigate Microsoft for inadequate security measures that led to ransomware attacks on critical infrastructure, notably impacting U.S. healthcare organizations. The 2024 Ascension Health breach affected 5.6 million patients after a contractor clicked a malicious link, exploiting vulnerabilities in Microsoft's Kerberos authentication protocol. Attackers used "Kerberoasting" to steal encrypted service account credentials, exploiting weak passwords and the deprecated RC4 cipher to enable privilege escalation and lateral movement through the network. Wyden criticized Microsoft's delayed response and insufficient communication regarding the risks of using RC4, advocating default adoption of stronger encryption such as AES 128/256. Microsoft acknowledges RC4's vulnerabilities, citing its minimal share of traffic, and is working to phase it out gradually to avoid customer disruption. The Senator frames Microsoft's practices as a national security risk, warning of inevitable future breaches without regulatory intervention. Microsoft's engagement with Wyden's office continues, with commitments to enhance security and address concerns raised by government entities. | Details |
| 2025-09-11 19:06:17 | bleepingcomputer | MALWARE | Apple Alerts Users of Sophisticated Spyware Targeting iCloud Accounts | Apple issued warnings to customers regarding a series of sophisticated spyware attacks targeting iCloud accounts, as reported by France's CERT-FR, part of the National Cybersecurity Agency. The alerts, sent on multiple occasions throughout the year, indicate the use of zero-day vulnerabilities and zero-click exploits, posing significant risks to affected devices. CERT-FR noted at least four instances of these threat notifications, with alerts sent in March, April, June, and September, highlighting the persistent nature of these attacks. The spyware attacks exploit vulnerabilities such as CVE-2025-43300 and CVE-2025-55177, prompting Apple to release emergency patches to mitigate these threats. Impacted users are advised to reset devices to factory settings, keep software updated, and enable Lockdown Mode to strengthen their security posture. Apple has notified users in over 150 countries since 2021, reflecting the global scale and reach of these mercenary spyware threats. The company recommends that those targeted by these attacks seek rapid-response emergency security assistance via Access Now's Digital Security Helpline. | Details |
| 2025-09-11 18:35:40 | bleepingcomputer | DATA BREACH | Panama's Economy Ministry Faces Data Breach by INC Ransomware | Panama's Ministry of Economy and Finance (MEF) reported a potential cyberattack, claiming no critical systems were affected and that normal operations continue. The ministry activated its security protocols immediately, reinforcing preventive measures across its IT infrastructure to contain the intrusion. Despite MEF's assurances, the INC Ransom gang claims to have stolen over 1.5 TB of data, including sensitive emails and financial documents. The ransomware group added MEF to its victim list on the dark web, releasing data samples as proof of the breach. INC Ransom, a ransomware-as-a-service group, has previously targeted high-profile entities like Yamaha Motor and Scotland's NHS. MEF's role in managing Panama's fiscal policy and canal revenues underscores the potential impact of this breach on national economic stability. The incident highlights the persistent threat posed by ransomware groups and the importance of robust cybersecurity measures in governmental institutions. | Details |
| 2025-09-11 17:28:41 | theregister | MALWARE | AI-Powered Penetration Tool Villager Raises Security Concerns | Villager, an AI-driven penetration testing tool linked to a China-based company, has been downloaded nearly 10,000 times since its July release, raising security alarms. The tool, available on the Python Package Index, integrates multiple security tools and AI models, enabling automated attacks without requiring expert knowledge. Villager's features include a database of 4,201 AI prompts for exploit generation and a self-destruct feature that erases activity logs, complicating detection efforts. Researchers traced Villager to Cyberspike, a suspicious entity linked to AsyncRAT, a remote-access trojan known for capabilities like keystroke logging and webcam hijacking. The tool's release by a former Chinese CTF player underscores potential ties to Beijing's cybersecurity and intelligence recruitment efforts. Security experts warn against the rapid adoption of AI by attackers and emphasize the need for defenders to leverage AI-based solutions for protection. The discovery of Villager underscores the growing trend of AI-fueled cyber threats, necessitating heightened vigilance and proactive defense strategies. | Details |
| 2025-09-11 17:28:40 | bleepingcomputer | VULNERABILITIES | Microsoft Teams Introduces Malicious Link Warnings for Enhanced Security | Microsoft Teams will soon alert users to potentially harmful links in private messages, targeting spam, phishing, and malware threats within the platform. The feature will be available to Microsoft Defender for Office 365 and Teams enterprise customers, enhancing existing security measures like Safe Links and ZAP. A public preview will be rolled out in September 2025 for desktop, Android, web, and iOS users, with general availability expected by November 2025. Administrators can activate the feature during the public preview through the Teams Admin Center, with default activation planned upon general release. Microsoft aims to bolster user awareness by displaying warning banners on messages containing flagged URLs, applicable to both internal and external communications. The new security measure complements recent efforts to block dangerous file types and manage communications from blocked domains within Teams. With over 320 million monthly active users, this initiative reflects Microsoft's commitment to maintaining robust security across its widespread user base. | Details |
| 2025-09-11 16:34:59 | bleepingcomputer | CYBERCRIME | Akira Ransomware Exploits SonicWall SSLVPN Vulnerability in New Attacks | The Akira ransomware group is exploiting CVE-2024-40766, a critical access control flaw in SonicWall SSL VPNs, to infiltrate networks through unpatched devices. SonicWall released a patch for this vulnerability in August 2023, urging users to update and reset passwords to prevent unauthorized access. Recent alerts from the Australian Cyber Security Centre (ACSC) indicate a rise in attacks targeting Australian organizations via this vulnerability. Rapid7 reports that the resurgence of attacks is likely due to incomplete remediation efforts, emphasizing the need for comprehensive patch management. Confusion arose in the cybersecurity community regarding potential zero-day exploits, but SonicWall confirmed the activity is linked to the known CVE-2024-40766. SonicWall advises updating to firmware version 7.3.0 or later, rotating passwords, enforcing MFA, and restricting access to mitigate risks. Organizations are urged to act swiftly to close security gaps and protect against ransomware threats exploiting known vulnerabilities. | Details |
| 2025-09-11 16:07:51 | theregister | DDOS | Record Packet Flood Targets DDoS Mitigation Provider in Europe | A DDoS mitigation provider in Western Europe faced a massive 1.5 billion packets per second attack, threatening its ability to stay online. The attack originated from thousands of compromised routers and IoT devices across over 11,000 global networks, indicating a widespread botnet operation. FastNetMon, a network monitoring company, was engaged to counter the attack and used its automated detection systems to identify the threat within seconds. The attack emphasized the vulnerability of DDoS scrubbing services to high packet-rate floods, which can overwhelm systems through processing demands rather than bandwidth. A similar attack of nearly identical scale targeted another DDoS provider in Eastern Europe, suggesting a coordinated effort by the same botnet. An extortion email linked to the attack was sent to the second targeted entity, indicating a potential financial motive behind the incidents. FastNetMon's founder highlighted the need for ISPs to filter attack traffic at the source to prevent routers from being exploited by botnet operators. The incident follows a recent 11.5 Tbps DDoS attack mitigated by Cloudflare, reflecting an ongoing trend of adversaries testing the limits of network defenses. | Details |
| 2025-09-11 15:10:49 | bleepingcomputer | VULNERABILITIES | New VMScape Attack Threatens Cloud Security on AMD, Intel CPUs | Researchers at ETH Zurich unveiled VMScape, a Spectre-like attack that compromises guest-host isolation on AMD and Intel processors, affecting cloud virtualization security. VMScape allows a malicious virtual machine to extract cryptographic keys from an unmodified QEMU hypervisor, bypassing existing Spectre mitigations. The attack exploits speculative execution vulnerabilities, impacting AMD Zen 1 to Zen 5 and Intel Coffee Lake CPUs, but not newer models like Raptor Cove. VMScape achieves a data leak rate of 32 bytes/second with 98.7% accuracy, posing a significant risk to multi-tenant cloud environments. ETH Zurich reported the vulnerability to AMD and Intel, leading to the assignment of CVE-2025-40300 and subsequent security bulletins. Linux kernel developers have released patches to mitigate VMScape by implementing an Indirect Branch Prediction Barrier (IBPB) on VMEXIT. The mitigation strategy involves minimal performance impact, enhancing security without significantly affecting common workloads. | Details |
| 2025-09-11 15:04:09 | theregister | VULNERABILITIES | ETH Zurich Discovers VMSCAPE Vulnerability in AMD and Intel CPUs | ETH Zurich researchers identified a new Spectre-based vulnerability, VMSCAPE (CVE-2025-40300), affecting AMD Zen and Intel Coffee Lake processors and threatening cloud environments by leaking hypervisor secrets. VMSCAPE allows malicious cloud users to extract sensitive data from the host domain without code modifications, posing a significant risk to virtualization security. The vulnerability targets Kernel Virtual Machine (KVM) and QEMU, exploiting incomplete branch predictor isolation to access host memory at a rate of 32 B/s on AMD Zen 4. Hardware fixes are deemed impractical; Linux maintainers have developed software mitigations, resulting in a performance overhead that particularly affects emulated device environments. Intel and AMD are collaborating with Linux developers to implement existing and new mitigations, including "IBPB before exit to userspace," to address this vulnerability. The Linux patch is expected to be integrated into various distributions, with a focus on minimizing performance impact while securing affected systems. The discovery emphasizes the ongoing challenges of securing virtualization boundaries and the need for continuous vigilance against speculative execution vulnerabilities. | Details |
| 2025-09-11 15:04:09 | thehackernews | MISCELLANEOUS | Google Pixel 10 Enhances Media Authenticity with C2PA Support | Google Pixel 10 phones now include C2PA support to verify digital content authenticity, enhancing transparency for AI-generated media. C2PA's Content Credentials provide a cryptographically signed manifest, offering verifiable provenance for images, videos, and audio files. The Pixel Camera app has achieved Assurance Level 2, the highest security rating defined by the C2PA Conformance Program. Pixel 10 devices feature on-device trusted time-stamps, ensuring the trustworthiness of images even if captured offline. This capability is supported by the Google Tensor G5 chip, the Titan M2 security chip, and Android's hardware-backed security features. Google's initiative marks a significant step toward media transparency and trust, supporting the creative use of AI in digital content. | Details |
| 2025-09-11 14:56:20 | thehackernews | CYBERCRIME | Senator Wyden Calls for FTC Investigation into Microsoft's Cybersecurity Practices | U.S. Senator Ron Wyden has requested that the FTC investigate Microsoft for alleged cybersecurity negligence linked to ransomware attacks on critical infrastructure, including healthcare networks. The call to action follows a ransomware incident at healthcare provider Ascension, affecting 5.6 million individuals and disrupting electronic health records. Attackers exploited Microsoft's default security settings and the outdated RC4 encryption to gain unauthorized access, highlighting potential systemic weaknesses. Wyden criticized Microsoft's failure to enforce stronger password policies and its continued support for insecure encryption technologies like RC4. Microsoft plans to deprecate RC4 in future updates, aiming to enhance security by disabling the cipher by default in Windows 11 24H2 and Windows Server 2025. The senator's letter raises concerns about the broader implications of relying on a single vendor for national infrastructure, stressing the need for secure-by-design defaults. This scrutiny adds to previous criticisms of Microsoft's cybersecurity practices, including incidents involving Chinese threat actors and Microsoft Exchange Online compromises. | Details |
| 2025-09-11 14:02:53 | bleepingcomputer | VULNERABILITIES | Managing Browser Extension Risks with Comprehensive Security Strategies | Browser extensions, often overlooked, pose significant security risks by executing privileged code and accessing sensitive data within enterprise-approved browsers. Keep Aware's guide emphasizes the need for visibility, control, and real-time response to manage these risks effectively. Malicious or compromised extensions can harvest business data, expose credentials, or enable network intrusions, highlighting the need for vigilant management. Even trusted extensions can be compromised through supply chain attacks, turning them into persistent threats. Management approaches include GPO/MDM policies, EDR tools, enterprise browsers, and purpose-built security extensions like Keep Aware. Keep Aware offers real-time monitoring and automated policy enforcement, enhancing security without disrupting user productivity. Organizations must balance security with usability, ensuring effective extension management without hindering employee workflows. | Details |
| 2025-09-11 13:17:41 | theregister | VULNERABILITIES | Senator Urges FTC Probe into Microsoft's Security Practices | U.S. Senator Ron Wyden has called for an FTC investigation into Microsoft's alleged security negligence, following a ransomware attack on Ascension, a major U.S. hospital network. The attack exploited weaknesses in Microsoft's default configurations, impacting over 140 hospitals and compromising the personal and medical data of approximately 5.6 million patients. Wyden criticized Microsoft for continuing to use the outdated RC4 encryption algorithm, which has been a known vulnerability for years, increasing exposure to cyber threats. The senator accused Microsoft of prioritizing profit over security, citing the company's lucrative business in selling cybersecurity add-ons to organizations. Wyden's letter emphasized that Microsoft's dominant market position sets a low security baseline for government and critical infrastructure, posing national security risks. The FTC's potential investigation could pressure Microsoft to implement more secure default settings and expedite promised security updates, such as the RC4 patch. This situation reflects broader concerns about vendor accountability in securing software that supports critical services, with implications for regulatory oversight in the tech industry. | Details |
| 2025-09-11 11:05:19 | theregister | MISCELLANEOUS | EU Debates Controversial Encryption Backdoor Legislation Amid Privacy Concerns | The EU is considering legislation that would require ISPs and messaging apps to scan user content or implement encryption backdoors, sparking significant privacy concerns. Over 600 security experts have opposed the proposal, arguing it is intrusive and technically unfeasible, with a high potential for false positives. Critics warn that the legislation could lead to a "national security disaster," potentially exposing data to adversarial nations and undermining privacy. The proposed rules aim to combat child sexual abuse material (CSAM) but lack clear guidance on implementation, relying on AI for detection. If passed, encrypted app providers like WhatsApp and Signal would be required to comply, despite technical and ethical challenges. Some EU member states, such as Germany, are expressing reservations, potentially delaying the legislation for further review. Companies like Signal and Tuta have pledged to resist compliance, citing EU constitutional privacy rights and potential legal challenges. Similar UK legislation has faced implementation hurdles, highlighting the complexity and contentious nature of such surveillance measures. | Details |