Daily Brief

2025-08-21 11:36:33 theregister MALWARE Chrome VPN Extension Accused of Unauthorized Screenshot Exfiltration
Security researchers at Koi Security identified a privacy breach involving the FreeVPN.One Chrome extension, which allegedly captures and transmits user screenshots to a remote server. Despite its verified status and featured placement on the Chrome Web Store, the extension reportedly began this unauthorized activity in July, raising concerns about browser marketplace security. The extension, with over 100,000 installations, initially transmitted screenshots unencrypted, later updating to use encryption, indicating a calculated approach to avoid detection. Developers claim compliance with Chrome policies, asserting that screenshot functionality is disclosed in their privacy policy, though researchers dispute the transparency of these practices. Koi Security's findings suggest the extension activates on trusted domains, contradicting developer claims that screenshots are only taken on suspicious sites. The incident highlights potential gaps in Chrome Web Store's security checks, as the extension's behavior change was not immediately detected or addressed by Google. The ongoing availability of the extension raises questions about the effectiveness of current browser extension vetting processes and the need for enhanced oversight.
2025-08-21 10:48:50 thehackernews MALWARE QuirkyLoader Malware Deploys Agent Tesla and Snake Keylogger via Email
QuirkyLoader, a new malware loader, has been identified as distributing various malicious payloads, including Agent Tesla and Snake Keylogger, through email spam campaigns since November 2024. IBM X-Force revealed that the malware leverages DLL side-loading, where a legitimate executable inadvertently loads a malicious DLL, which then injects the final payload using process hollowing. Recent campaigns targeted Taiwan and Mexico, with Taiwan's attack focusing on Nusoft employees to deploy Snake Keylogger for stealing sensitive information. The campaign in Mexico appeared more random, delivering Remcos RAT and AsyncRAT, indicating a broader targeting strategy. The QuirkyLoader's DLL module is consistently written in .NET and uses ahead-of-time compilation, making detection and analysis more challenging. Concurrently, new phishing tactics, including QR code-based attacks, are emerging, exploiting the inability of traditional security measures to detect malicious QR codes effectively. These developments highlight the need for enhanced email security measures and awareness of evolving phishing techniques to protect sensitive data and systems.
2025-08-21 10:40:45 theregister MISCELLANEOUS AI Crawlers Strain Web Infrastructure, Prompting Industry Response
Fastly's report reveals AI crawlers contribute to 80% of AI bot traffic, significantly impacting web server performance and increasing operational costs for digital platforms. Meta, Google, and OpenAI dominate AI crawler traffic, collectively accounting for 95%, with Meta alone responsible for 52% of this activity. OpenAI leads in AI fetcher traffic, generating 98% of requests, indicating their strong position in the AI chatbot market with ChatGPT. The report warns of potential service disruptions and performance degradation due to unsustainable loads from poorly engineered AI bots. Industry experts call for responsible crawling norms and standards, emphasizing the importance of honoring robots.txt and publishing IP address ranges. Some webmasters are employing active countermeasures like Anubis and Nepenthes to combat excessive bot traffic, though these require careful implementation. The report suggests that small site operators are particularly vulnerable, and highlights the need for regulatory intervention to address the issue. Cloudflare's pay-per-crawl model and Fastly's recommendations aim to mitigate the financial burden on website operators caused by AI bot traffic.
2025-08-21 10:34:17 thehackernews CYBERCRIME Blue Report 2025 Reveals Rise in Successful Password Cracking
Picus Security's Blue Report 2025 reveals a 46% success rate in password cracking attempts, nearly double from the previous year, indicating a critical vulnerability in password management. The report is based on empirical data from over 160 million attack simulations worldwide, showcasing real-world challenges in preventing credential-based attacks. Weak passwords and outdated hashing algorithms are identified as primary factors contributing to the increased success of brute-force and rainbow table attacks. Organizations continue to neglect internal account security, with 46% of environments having at least one password hash cracked and converted to cleartext. Credential abuse remains a silent but significant threat, allowing attackers to move laterally and escalate privileges without detection, often leading to data exfiltration. Valid Accounts (MITRE ATT&CK T1078) are the most exploited technique, with a 98% success rate, highlighting the need for improved identity security measures. To mitigate risks, organizations are urged to enforce stronger password policies, adopt multi-factor authentication, and regularly validate credential defenses through simulated attacks.
2025-08-21 08:34:50 bleepingcomputer CYBERCRIME Scattered Spider Hacker Sentenced to 10 Years for Cybercrime Activities
Noah Michael Urban, a key member of the Scattered Spider group, received a 10-year prison sentence for wire fraud and conspiracy, surpassing the eight-year sentence requested by prosecutors. Urban, known by aliases such as King Bob and Gustavo Fring, was involved in stealing millions from cryptocurrency wallets through SMS phishing and SIM swap attacks. The group targeted dozens of individuals and companies, using stolen credentials to access confidential data, including personal and intellectual property information. Urban admitted to making several million dollars from these activities, although he lost most of his earnings to gambling, retaining a few million. The court mandated Urban to pay $13 million in restitution to the victims, reflecting the financial impact of his crimes. Scattered Spider, also known as 0ktapus and UNC3944, is recognized for sophisticated social engineering attacks on high-profile organizations globally. The collective has shifted focus from retail and insurance to the aviation and transportation sectors, indicating evolving threat vectors.
2025-08-21 07:15:00 bleepingcomputer DATA BREACH Orange Belgium Data Breach Affects 850,000 Customer Accounts
Orange Belgium reported a data breach involving unauthorized access to information of 850,000 customers, impacting their fixed and mobile connectivity services in Belgium and Luxembourg. The breach, detected in late July, compromised customer data such as names, telephone numbers, SIM card numbers, PUK codes, and tariff plans, but did not include passwords or financial information. Orange Belgium has not confirmed encryption of systems during the breach and stated the incident is unrelated to global telecom attacks linked to China's Salt Typhoon group. The company is actively notifying affected customers via email and SMS, advising them to be cautious of potential phishing attempts or fraudulent communications. An ongoing investigation is underway, and while the responsible threat group is known, details remain undisclosed due to investigative protocols. This breach is distinct from a separate incident affecting Orange Group's French customers, which led to operational disruptions in July. Orange Group, the parent company, has a global presence with significant revenues, emphasizing the potential impact of data security incidents on its operations and reputation.
2025-08-21 06:47:47 thehackernews CYBERCRIME Scattered Spider Hacker Sentenced for SIM Swapping Crypto Heists
A 20-year-old Scattered Spider member received a ten-year U.S. prison sentence for wire fraud and aggravated identity theft linked to cryptocurrency thefts. Noah Michael Urban, known by various aliases, was ordered to pay $13 million in restitution and will face three years of supervised release post-incarceration. Urban's criminal activities involved SIM swapping attacks that led to the theft of $800,000 from at least five victims, according to the U.S. Department of Justice. The Department of Justice unsealed charges against Urban and co-conspirators for using social engineering to breach corporate networks and steal digital assets. Scattered Spider has aligned with groups like ShinyHunters and LAPSUS$, forming a cybercrime alliance to enhance their operational capabilities. The group employs tactics such as social engineering, credential theft, and ransomware deployment, exploiting human vulnerabilities over technical flaws. Cybersecurity experts note that such alliances often form in response to increased law enforcement pressure, enhancing the threat's versatility and danger.
2025-08-21 04:52:47 thehackernews VULNERABILITIES Apple Releases Patch for CVE-2025-43300 Zero-Day Exploitation
Apple has issued security updates for iOS, iPadOS, and macOS to address CVE-2025-43300, a zero-day vulnerability actively exploited in targeted attacks. The flaw, an out-of-bounds write in the ImageIO framework, can lead to memory corruption when processing malicious images. The vulnerability was discovered internally by Apple and has been mitigated through improved bounds checking in the latest software updates. While the attackers and specific targets remain unidentified, the flaw is believed to have been used in sophisticated, targeted operations. This update marks the seventh zero-day fix by Apple this year, highlighting ongoing challenges in securing its platforms against real-world exploits. In addition to this patch, Apple recently addressed a Safari vulnerability affecting the Chrome browser, demonstrating a proactive stance on cross-platform security issues. Organizations and users are urged to apply the latest updates promptly to protect against potential exploitation.
2025-08-21 01:52:07 theregister NATION STATE ACTIVITY China Temporarily Blocks Global Internet Access via Port 443
China disrupted global internet access for over an hour by blocking TCP port 443, affecting HTTPS traffic and various online services. The incident, detected by Great Firewall Report, occurred between 00:34 and 01:48 Beijing Time on August 20, 2025. This blockage impacted Chinese users' access to international websites and essential services relying on external servers, such as Apple and Tesla. The disruption's cause is unclear, with no significant events reported that would prompt such censorship at the time. The Great Firewall Report suggests the incident may involve a new or misconfigured device, differing from known Great Firewall equipment. Speculation arises whether China was testing its internet control capabilities or if the event was an operational error. The Great Firewall's past technical issues and China's willingness to share its technology with other nations raise concerns about global internet governance. Pakistan's internet traffic drop prior to China's incident suggests potential coordination or similar technical challenges in implementing internet censorship.
2025-08-21 00:06:32 theregister VULNERABILITIES Microsoft M365 Copilot Security Flaw Fixed Without Customer Notification
Microsoft addressed a vulnerability in M365 Copilot that allowed unauthorized file access without logging, yet chose not to inform customers of the fix. The flaw enabled malicious insiders to bypass security by requesting file summaries without links, compromising audit logs. The issue was classified as "important" rather than "critical," prompting Microsoft to fix it silently, adhering to its policy on CVE disclosures. Security experts emphasize the ease of exploiting this flaw, raising concerns about the completeness of audit logs for organizations using Copilot before August 18, 2025. Calls for greater transparency in reporting cloud service vulnerabilities are growing, with experts urging cloud providers to disclose all vulnerabilities as CVEs. Microsoft has not publicly commented on the vulnerability or its decision not to notify affected customers. The incident highlights ongoing debates about cloud security practices and the need for improved communication with enterprise clients.
2025-08-20 22:14:06 bleepingcomputer CYBERCRIME AI Website Builder Lovable Exploited for Phishing and Malware Campaigns
Cybercriminals are increasingly using the AI-powered Lovable platform to create phishing pages and malware portals, targeting large brands and employing CAPTCHA to bypass bots. Proofpoint identified tens of thousands of Lovable URLs in email threats, with campaigns impersonating Microsoft, UPS, and Aave to harvest credentials and financial data. A significant phishing operation used Tycoon, redirecting users to fake Microsoft login pages to steal credentials and MFA tokens through adversary-in-the-middle tactics. Another campaign targeted UPS customers, sending phishing emails that collected personal and financial information, which was then sent to attackers via Telegram. Cryptocurrency theft involved impersonating Aave, leading users to connect wallets to fraudulent sites, potentially resulting in asset loss. A malware campaign delivered zgRAT via Lovable-hosted apps posing as invoice portals, using Dropbox to distribute trojanized files. Lovable has implemented real-time detection and daily scans to mitigate abuse, with plans for further protections, though vulnerabilities remain as demonstrated by recent tests.
2025-08-20 21:04:41 theregister VULNERABILITIES Amazon Q Developer Extension Vulnerabilities Allow Code Execution, Data Leaks
Amazon addressed security flaws in its Q Developer VS Code extension, which could have enabled attackers to leak sensitive data and execute arbitrary code on developers' machines. The vulnerabilities, discovered by AI security researcher Johann Rehberger, involved prompt injection attacks that could bypass security measures without developer consent. Rehberger's findings showed that attackers could exploit the extension to leak API keys and execute remote code, using commands like "ping" and "find" with specific flags. Despite fixing the issues, Amazon did not issue a CVE or public advisory, citing that the vulnerabilities did not meet CNA program criteria for disclosure. The lack of transparency in Amazon's response contrasts with other companies like Microsoft, which have been more open about similar security patches. The incident raises concerns about the security of AI tools that can alter their own configurations, highlighting a potential risk across multiple vendors. Developers using the Amazon Q Developer extension are advised to update to the latest version and follow best security practices to mitigate risks.
2025-08-20 18:48:33 bleepingcomputer VULNERABILITIES Apple Releases Emergency Patch for Exploited Zero-Day Vulnerability
Apple has issued emergency updates to address a zero-day vulnerability, CVE-2025-43300, exploited in sophisticated attacks against targeted individuals. The flaw, an out-of-bounds write in the Image I/O framework, can lead to memory corruption and potentially allow remote code execution. Impacted devices span a wide range of both older and newer Apple models, necessitating urgent updates to iOS, iPadOS, and macOS versions. Improved bounds checking has been implemented to mitigate this vulnerability, enhancing security against malicious image file processing. This marks the sixth zero-day Apple has patched this year, reflecting ongoing challenges in securing its ecosystem against advanced threats. Users are strongly advised to install the latest security updates immediately to protect against potential exploitation. Details on the attacks remain undisclosed, but the nature of the flaw suggests targeted exploitation, emphasizing the importance of timely patching.
2025-08-20 18:25:06 theregister NATION STATE ACTIVITY Russian Spies Exploit Cisco Bug in Critical Infrastructure Networks
The FBI and Cisco Talos have identified Russian government spies exploiting a seven-year-old Cisco bug in end-of-life devices to infiltrate U.S. critical infrastructure networks. The actors, linked to Russia's FSB, have targeted thousands of networking devices, modifying configurations to enable unauthorized access and collect sensitive information. The exploitation leverages legacy, unencrypted protocols such as Cisco Smart Install and SNMP, with some devices affected by the CVE-2018-0171 vulnerability. Cisco urges immediate upgrades to patched software versions and adherence to security best practices to mitigate ongoing risks. The campaign impacts sectors including telecommunications, higher education, and manufacturing across multiple continents, focusing on strategic interests of the Russian government. The operation aims to gather configuration data for potential future use, with other state-sponsored actors likely pursuing similar activities. Organizations are advised to remain vigilant and consider the broader threat landscape posed by advanced persistent threats targeting outdated infrastructure.
2025-08-20 17:54:13 thehackernews VULNERABILITIES Password Managers Vulnerable to DOM-Based Extension Clickjacking Attacks
Security researcher Marek Tóth revealed a clickjacking vulnerability affecting popular password manager browser extensions, potentially exposing millions of users to credential and data theft. The attack, termed DOM-based extension clickjacking, manipulates UI elements in web pages, allowing attackers to steal login credentials, 2FA codes, and credit card details. The vulnerability impacts 11 widely-used password managers, including 1Password and iCloud Passwords, by exploiting auto-fill features in browser extensions. Attackers can create fake sites with invisible forms, tricking users into auto-filling credentials, which are then sent to a remote server. Responsible disclosure has led to some vendors, like Bitwarden and Enpass, working on fixes, while others have yet to release patches. Users are advised to disable auto-fill features and configure browser extensions to require manual permission for site access to mitigate risks. US-CERT has been contacted to assign CVE identifiers to these vulnerabilities, highlighting the need for swift vendor response and user awareness.