Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-09-02 10:06:30 | theregister | NATION STATE ACTIVITY | Huawei's UK Revenue Plummets Amid Western Bans and Restrictions | Huawei's UK revenue fell to £188.2 million in 2024, an 85% drop from 2019, due to Western bans and restrictions. The UK Telecommunications (Security) Act mandates removal of Huawei tech from 5G networks by 2027, impacting local telecom infrastructure. Huawei's UK operations have downsized significantly, now focusing on servicing existing network products and limited consumer tech sales. The company employed 176 people in the UK in 2024, a sharp decline from 885 in 2019, reflecting reduced market presence. Despite UK setbacks, Huawei's global business grew 22% in 2024, with strategic focus on Asia Pacific and non-Western regions. Political decisions to restrict Huawei have delayed 5G deployment and impacted network performance in the UK, affecting economic productivity. Huawei continues to deny allegations of espionage, maintaining its stance against claims of spying for the Chinese government. | Details |
| 2025-09-02 09:05:07 | theregister | VULNERABILITIES | Frostbyte10 Vulnerabilities Threaten Global Supermarket Refrigeration Systems | Armis identified ten critical vulnerabilities, named Frostbyte10, in Copeland E2 and E3 controllers, affecting refrigeration systems in major global supermarket chains. The flaws could allow attackers to manipulate temperatures, risking food and medicine spoilage and causing significant supply-chain disruptions. Copeland has released firmware updates to address these vulnerabilities; E2 controllers have reached end-of-life, and customers are urged to upgrade to E3 systems. The vulnerabilities include the potential for unauthenticated remote code execution due to a combination of predictable passwords and hidden API calls. CISA is issuing advisories to organizations using these controllers, emphasizing the urgency of applying patches to prevent exploitation. Despite no known exploits in the wild, the widespread use of Copeland systems makes them attractive targets for cybercriminals and nation-state actors. Lessons learned include the importance of secure password practices and proactive vulnerability management in operational technology environments. | Details |
| 2025-09-02 08:43:58 | thehackernews | MALWARE | Silver Fox Exploits Signed Drivers to Deploy ValleyRAT Malware | Silver Fox, a cybercriminal group, is exploiting a Microsoft-signed WatchDog driver to deploy ValleyRAT malware, targeting Chinese-speaking users and businesses since mid-2022. The attack uses a Bring Your Own Vulnerable Driver (BYOVD) method, leveraging a vulnerable driver "amsdk.sys" to disable security solutions on compromised systems. The campaign employs a dual-driver strategy, using different drivers for Windows 7 and Windows 10/11, allowing attackers to neutralize endpoint protection and deploy ValleyRAT. ValleyRAT, the final payload, provides remote access and control capabilities, using anti-analysis features to avoid detection and contacting a command-and-control server for further instructions. Following disclosure, WatchDog released a patch addressing local privilege escalation, but attackers adapted quickly by modifying the driver to maintain the Microsoft signature. Silver Fox uses phishing, fake websites, and trojanized software to spread malware, with sub-groups targeting financial, design, and social media sectors for espionage and fraud. The group's operations are technically sophisticated, leveraging legitimate cloud services to host malicious payloads, and have established a black-market profit chain involving data theft and financial fraud. | Details |
| 2025-09-02 08:38:26 | theregister | MISCELLANEOUS | UK Public Sector Considers Shift from Microsoft Amid Fiscal Challenges | A poll of over 1,500 Register readers revealed 93% support for reducing reliance on Microsoft in the UK public sector, amid a projected £9 billion spend over five years. The UK government has a Strategic Partnership Arrangement with Microsoft, effective until 2029, aimed at providing enhanced value across Microsoft's product and service portfolio. Critics suggest exploring free and open source software (FOSS) alternatives to address fiscal constraints, potentially generating savings and maintaining service continuity. Former UK government CIO Bill McCluggage advocates for trials of open source software and hybrid vendor strategies to foster competition and cost-efficiency. Jos Creese, an IT leader in UK government, warns of potential risks with open source, such as lock-in and system incompatibilities, which could disrupt integrated public services. The debate reflects broader trends in Europe, with 27% of respondents pointing to Germany's Sovereign Tech Fund and EU backing for FOSS as a model for the UK. A mixed strategy, combining Microsoft and FOSS, is favored by some to maintain competitive pressure and ensure value for taxpayers. | Details |
| 2025-09-02 06:56:43 | theregister | NATION STATE ACTIVITY | European Commission Plane Faces GPS Jamming Near Bulgaria | A plane carrying European Commission President Ursula von der Leyen encountered GPS jamming near Plovdiv, Bulgaria, attributed to Russian interference by local authorities. The jamming forced the aircraft to switch to manual navigation, highlighting vulnerabilities in satellite navigation systems amid geopolitical tensions. GPS jamming works by transmitting radio waves on the same frequencies as GPS satellites, potentially misleading navigation systems. The European Union plans to enhance satellite infrastructure and interference detection to counteract such threats, though implementation timelines remain unclear. Sanctions have targeted companies supplying Russia with GPS jamming capabilities, but the effectiveness of these measures is uncertain. The European Union Aviation Safety Agency is developing a comprehensive plan to mitigate risks from global navigation satellite system interference. Despite the incident, commercial aviation remains safe due to alternative navigation tools and pilot training, though military reliance on GPS may be more complex. | Details |
| 2025-09-02 05:25:05 | theregister | VULNERABILITIES | Cisco Identifies Over 1,100 Exposed Ollama AI Servers Online | Cisco's Talos team discovered over 1,100 Ollama servers exposed to the internet, posing significant risks due to unauthorized access and potential exploitation. Ollama, known for its ease of local deployment, has become popular, yet many servers lack basic security measures such as access control and authentication. Using Shodan, Cisco found that 20% of these servers actively host models vulnerable to unauthorized access, potentially leading to resource exhaustion or financial impacts. The majority of exposed servers are located in the USA (36.6%), with significant numbers also in China (22.5%) and Germany (8.9%). While 80% of servers were dormant, they remain susceptible to unauthorized model uploads or configuration changes, posing risks of denial of service or lateral movement attacks. Cisco's findings stress the need for standardized security practices in AI deployments, including better access controls and network isolation. The study calls for improved security baselines and automated auditing tools to address vulnerabilities in AI systems, particularly those compatible with OpenAI APIs. | Details |
| 2025-09-02 04:49:16 | thehackernews | MALWARE | Malicious npm Package Targets Cryptocurrency Wallets on Windows Systems | A malicious npm package named nodejs-smtp was discovered targeting Atomic and Exodus cryptocurrency wallets on Windows, posing as the legitimate Nodemailer library. The package, uploaded by "nikotimon," attracted 347 downloads before being removed from the npm registry. Utilizing Electron tooling, the package unpacks Atomic Wallet's app.asar, injects a malicious payload, and repackages the application, effectively acting as a cryptocurrency clipper. The malware redirects cryptocurrency transactions to wallets controlled by the threat actor, affecting Bitcoin, Ethereum, Tether, XRP, and Solana. Despite its malicious intent, the package functions as an SMTP-based mailer, maintaining a facade to avoid developer suspicion and pass application tests. This incident follows a similar campaign involving the "pdf-to-office" npm package, highlighting the risks of routine imports on developer workstations. Developers are advised to scrutinize package dependencies and monitor for unauthorized modifications to safeguard against such threats. | Details |
| 2025-09-01 17:32:17 | thehackernews | MALWARE | Android Droppers Evolve to Distribute SMS Stealers and Spyware | Cybersecurity researchers have identified a trend where Android dropper apps are now delivering SMS stealers and spyware, expanding beyond their traditional role of distributing banking trojans. These malicious campaigns are often disguised as legitimate government or banking apps, primarily targeting users in India and other Asian regions. Google's security measures, including the Play Protect Pilot Program, aim to prevent the sideloading of apps with dangerous permissions, but attackers are adapting to these defenses. Droppers like RewardDropMiner and others are designed to bypass security checks by initially appearing harmless, only activating malicious payloads after user interaction. Google's Play Protect continues to evolve, enhancing its threat detection capabilities, although gaps remain when users manually override security warnings. A separate campaign has been exploiting Facebook Ads to distribute the Brokewell banking trojan, targeting Android and Windows users with fake financial apps. These developments emphasize the need for continuous vigilance and adaptive security strategies to counter evolving malware distribution tactics. | Details |
| 2025-09-01 17:03:45 | bleepingcomputer | DATA BREACH | Zscaler Data Breach via Salesloft Drift Compromise Exposes Customer Data | Zscaler experienced a data breach after attackers accessed its Salesforce instance through compromised Salesloft Drift credentials, exposing customer information including support case contents. The breach is part of a broader supply-chain attack involving OAuth and refresh tokens, impacting multiple Salesforce environments and potentially leading to data exfiltration. Zscaler has revoked Salesloft Drift integrations, rotated API tokens, and strengthened customer authentication protocols to mitigate further risks. Google Threat Intelligence identified threat actor UNC6395 as responsible, targeting sensitive credentials and demonstrating advanced operational security tactics. The attack has prompted Google and Salesforce to temporarily disable Drift integrations, pending further investigation into the incident. Researchers suggest a connection between this breach and the ShinyHunters group, known for social engineering tactics to access and extort data from Salesforce instances. The incident underscores the importance of vigilance against phishing and social engineering, with Zscaler advising heightened awareness among its customers. | Details |
| 2025-09-01 15:35:41 | bleepingcomputer | NATION STATE ACTIVITY | Amazon and Partners Disrupt Russian APT29's Microsoft 365 Attack Campaign | Amazon's threat intelligence team identified and disrupted a campaign by Russian state-sponsored group APT29 targeting Microsoft 365 accounts through compromised websites. The operation involved a watering hole attack, redirecting selected users to malicious domains that mimicked Cloudflare verification pages to trick them into authorizing attacker-controlled devices. APT29, linked to Russia's SVR, used obfuscated code and a cookies-based system to evade detection, affecting European embassies and major corporations like Hewlett Packard Enterprise. Upon discovery, Amazon isolated the threat actor's EC2 instances and collaborated with Cloudflare and Microsoft to dismantle the malicious infrastructure. APT29 attempted to shift its operations to a different cloud provider, registering new domains to continue its credential and intelligence-gathering activities. Security recommendations include verifying device authorization requests, enabling multi-factor authentication, and monitoring for suspicious authentication events to mitigate such threats. Amazon confirmed that its infrastructure remained uncompromised, and its services were unaffected by this campaign. | Details |
| 2025-09-01 13:11:34 | thehackernews | VULNERABILITIES | WhatsApp Zero-Day Vulnerability Exploited in Targeted Attacks | WhatsApp patched a critical vulnerability, CVE-2025-55177, in its iOS and macOS apps that may have been exploited in the wild, affecting fewer than 200 targeted users. The flaw involved insufficient authorization of linked device synchronization messages, potentially allowing attackers to process content from arbitrary URLs on victims' devices. This vulnerability was possibly used in conjunction with CVE-2025-43300, affecting Apple devices, as part of a sophisticated zero-day attack chain. WhatsApp proactively sent in-app threat notifications to the impacted users, indicating a coordinated response to mitigate further exploitation. The incident emphasizes the importance of timely patching and monitoring for signs of exploitation, especially when vulnerabilities are actively targeted. Organizations should review their update management processes to ensure rapid deployment of security patches to minimize exposure to similar threats. | Details |
| 2025-09-01 12:03:43 | thehackernews | CYBERCRIME | Scattered Spider Exploits Browser Vulnerabilities to Target Enterprises | Scattered Spider, also known as UNC3944, targets enterprises by exploiting browser vulnerabilities, focusing on sensitive data within Chrome, Edge, and Firefox environments. The group has evolved its tactics to precision-target human identity and browser environments, differentiating itself from other cybercriminal organizations. Attack methods include advanced phishing campaigns utilizing malicious JavaScript to steal credentials and manipulate browser runtime. Organizations are urged to implement multi-layered browser security strategies, including runtime script protection and session integrity measures. Browser extensions serve as potential attack vectors; robust governance is essential to block untrusted scripts and manage permissions. Disabling or replacing sensitive APIs with decoys can disrupt reconnaissance efforts without affecting legitimate workflows, crucial for BYOD environments. Integrating browser telemetry into security intelligence platforms enhances incident response and threat hunting capabilities, strengthening overall security posture. CISOs are encouraged to adopt browser-native security controls to protect against identity-based threats, enhancing security for SaaS applications and remote work environments. | Details |
| 2025-09-01 11:27:51 | theregister | MISCELLANEOUS | Norway's £10B Frigate Deal May Delay Royal Navy Fleet | Norway has contracted BAE Systems for five Type 26 frigates, valued at £10 billion, potentially delaying the Royal Navy's own fleet expansion. The agreement supports 2,000 jobs in Scotland and an additional 2,000 across the UK, bolstering the local economy until the late 2030s. Norway's strategic partnership with the UK aims to enhance North Atlantic security, focusing on countering Russian submarine threats. BAE Systems faces scheduling challenges, as Norway's first delivery is expected by 2029, impacting the Royal Navy's construction timeline. The Royal Navy's current fleet is strained, with only six active Type 23 frigates, risking a capability gap as older ships retire. BAE Systems is accelerating construction, utilizing a new Glasgow shipbuilding hall to work on two Type 26 frigates simultaneously. The Type 26 design was chosen over French, German, and American alternatives, aligning with Norway's anti-submarine warfare needs. | Details |
| 2025-09-01 10:58:50 | theregister | DDOS | Addressing the Growing Threat of DDoS Attacks Worldwide | Netscout reported 8 million DDoS attacks globally in the first half of 2025, with EMEA experiencing 3.2 million incidents, highlighting the scale of the threat. The most powerful attacks reached over 3 Tbps, leveraging compromised IoT devices, routers, servers, and PCs to overwhelm targets with traffic. DDoS-as-a-Service platforms have simplified attack deployment, allowing anyone with cryptocurrency to launch attacks, increasing accessibility and frequency. Key targets include infrastructure sectors and unexpected industries like jewelry wholesale, with hacktivists and nation-states often behind the attacks. A British classical music website faced prolonged application-layer DDoS attacks, forcing the site to block entire countries to mitigate the impact. Current defenses focus on filtering and command-and-control server detection, but the need for automated detection and response systems is critical. The article suggests developing a centralized service to detect and disconnect compromised devices, akin to a malware circuit breaker, to mitigate DDoS threats effectively. | Details |
| 2025-09-01 09:55:38 | theregister | VULNERABILITIES | Researchers Identify Legal Document Exploit in Large Language Models | Security firm Pangea has discovered a vulnerability in large language models (LLMs) that allows adversarial instructions to be hidden within legal documents, bypassing AI guardrails. Dubbed "LegalPwn," this attack vector exploits LLMs' compliance with legal disclaimers, enabling prompt injections and potentially harmful outputs. The vulnerability poses risks as LLMs are increasingly integrated into critical systems, emphasizing the need for robust security measures. Tests showed that some AI models, including OpenAI's GPT-4o and Google's Gemini 2.5, were susceptible, misclassifying malicious code as safe. Successful attacks in live environments included bypassing AI-driven security analysis and executing harmful code, such as reverse shells. Pangea proposes solutions like its "AI Guard" product, enhanced input validation, and human-in-the-loop review to mitigate these vulnerabilities. The research underscores the importance of ongoing vigilance and adaptation in AI security practices as these technologies evolve. | Details |