Daily Brief
Total articles found: 11795
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-08-07 07:16:44 | thehackernews | VULNERABILITIES | Rising Threat of Python Supply Chain Attacks in 2025 | Python's widespread use in software development has led to increased supply chain attacks, with malicious packages frequently uploaded to the Python Package Index (PyPI).
In December 2024, attackers compromised the widely used Ultralytics YOLO computer-vision package on PyPI; the trojanized releases were downloaded thousands of times before the compromise was detected.
The prevalence of Python supply chain vulnerabilities demands a shift from the traditional "pip install and move on" approach to a more secure, controlled method.
Over 100 high and critical CVEs exist in the standard Python base image, complicating efforts to secure Python environments effectively.
Organizations must adopt new tools and strategies to gain visibility and control over their Python dependencies, ensuring robust security without disrupting workflows.
A webinar is available to guide developers and security engineers in securing their Python supply chain, emphasizing practical measures and tools.
The growing sophistication of threats necessitates a proactive stance on Python supply chain security, treating it as a critical aspect of software development. | Details |
| 2025-08-06 21:04:02 | theregister | MALWARE | Microsoft's AI Agent Project Ire Aims to Revolutionize Malware Detection | Microsoft introduced Project Ire, an AI-driven agent designed to autonomously detect malware, potentially reducing manual analysis workload for security analysts.
On Microsoft's harder test set of real-world files, Project Ire reached a precision of 0.89 (89% of the files it flagged were actually malicious) but a recall of only 0.26 (it detected 26% of the malicious samples), so it currently misses most of what it is shown.
Project Ire employs large language models (LLMs) and reverse engineering tools to classify software, aiming to enhance Microsoft Defender's threat detection capabilities.
The initiative seeks to address alert fatigue among analysts by automating malware classification, allowing focus on more sophisticated threats.
Despite moderate initial performance, Microsoft's goal is to enhance Project Ire's accuracy and scalability for broader deployment across its security suite.
The development reflects a broader industry trend towards integrating AI in cybersecurity, as companies aim to counter AI-driven threats with AI-based defenses.
Competitors like Google and Palo Alto Networks are also advancing AI initiatives, underscoring the critical role of AI in future cybersecurity strategies. | Details |
| 2025-08-06 20:35:46 | thehackernews | VULNERABILITIES | ECScape Flaw in Amazon ECS Allows Credential Theft Across Tasks | Sweet Security researcher Naor Haziz presented ECScape at Black Hat USA, an attack on Amazon ECS that lets a workload escalate privileges and reach other workloads' cloud credentials.
It abuses an undocumented protocol between the ECS agent and the ECS control plane, allowing a low-privileged container to hijack the IAM task-role credentials of higher-privileged tasks on the same EC2 instance.
The container first reads the instance role's credentials from the EC2 instance metadata service (IMDS), then uses them to impersonate the ECS agent to the control plane and collect the IAM role credentials issued to every other task on the host, without tripping detection.
Amazon recommends stronger isolation models and notes that ECS tasks sharing an EC2 host are not a security boundary, so cross-task credential exposure is possible by design.
Recommended mitigations include running sensitive tasks on AWS Fargate for per-task isolation, blocking task access to the instance metadata service, limiting the permissions of the instance role the ECS agent uses, and setting up CloudTrail alerts.
The finding underscores the importance of treating each container as potentially compromisable and adhering to the principle of least privilege.
It adds to a run of recent cloud security weaknesses; since it is an isolation gap rather than a bug with a patch, the remedy is stronger task isolation and least-privilege roles. | Details |
| 2025-08-06 20:21:08 | bleepingcomputer | MALWARE | Akira Ransomware Exploits CPU Tool to Disable Microsoft Defender | Akira ransomware affiliates are abusing rwdrv.sys, the legitimate Intel CPU tuning driver shipped with ThrottleStop, to gain kernel-level access and switch off Microsoft Defender on target machines.
This is a "Bring Your Own Vulnerable Driver" (BYOVD) attack: a signed, legitimate driver with known weaknesses is loaded so that the attacker inherits kernel-level privileges.
With that access a second, malicious driver, hlpdrv.sys, is loaded; it uses regedit.exe to set the DisableAntiSpyware value under the Windows Defender policy key, turning Defender's antivirus protection off.
GuidePoint Security has observed rwdrv.sys abused consistently in Akira incidents since mid-July 2025, which makes the driver's presence a high-fidelity indicator for threat hunting.
GuidePoint has released a YARA rule and indicators of compromise for both drivers to support detection.
Akira has also been linked to a possible zero-day in SonicWall SSLVPN appliances, prompting advisories to restrict SSLVPN access and enforce multi-factor authentication.
The DFIR Report separately documents Akira delivering the Bumblebee loader through trojanized IT tools promoted by SEO poisoning, a reminder to download software only from official sources.
Organizations are advised to hunt for these indicators and apply the recommended mitigations. | Details |
| 2025-08-06 20:06:21 | thehackernews | CYBERCRIME | VexTrio's Malicious Apps Exploit Users via Ad Fraud and Scams | VexTrio Viper has developed fake apps masquerading as VPNs and spam blockers, available on Apple and Google stores, deceiving millions into subscription scams and ad fraud.
Users are tricked into signing up for costly subscriptions, with some apps charging multiple times, leading to significant financial losses and difficulties in cancellation.
VexTrio's operations include traffic distribution services and payment processors, redirecting internet traffic to scams through a complex network of shell companies.
The group has been active since 2004, expanding its fraudulent activities across Europe, involving over 100 companies and brands in its schemes.
VexTrio controls both publishing and advertising in affiliate networks, using cloaking services to disguise scam operations and evade detection.
The cybersecurity industry is urged to treat scams with the same seriousness as malware, emphasizing the need for increased education and awareness to combat these threats.
VexTrio's activities highlight the persistent threat of organized cybercrime in the ad tech industry, exploiting unsuspecting users on a global scale. | Details |
| 2025-08-06 18:08:30 | theregister | DATA BREACH | Google and Cisco Experience Data Breaches Linked to ShinyHunters | Google confirmed a breach of its Salesforce database by the group UNC6040, linked to ShinyHunters, affecting small and medium business customer information.
The breach occurred in June, with ShinyHunters accessing contact information and related notes before Google cut off access.
Cisco disclosed a voice-phishing (vishing) attack in which an employee was tricked into granting access to a third-party cloud CRM system, from which basic user profile information was exported.
Cisco clarified that no sensitive data, such as passwords or confidential customer information, was accessed during the intrusion.
ShinyHunters is suspected of planning to launch a data leak site to escalate extortion tactics, increasing pressure on victims of recent breaches.
The group is also linked to other Salesforce intrusions affecting high-profile companies, including Dior, Chanel, and Pandora.
Both Google and Cisco are actively monitoring the situation and have not disclosed any demands for extortion payments.
These incidents underscore the persistent threat of social engineering attacks and the need for robust security measures in CRM systems. | Details |
| 2025-08-06 16:37:15 | bleepingcomputer | VULNERABILITIES | Ghost Calls Exploit Uses Zoom and Teams for Covert C2 Operations | A technique dubbed Ghost Calls abuses the TURN relay servers that Zoom and Microsoft Teams operate for their clients to carry command-and-control (C2) traffic, sidestepping controls that trust conferencing traffic.
It uses legitimate meeting credentials and WebRTC so that the C2 channel looks like an ordinary video call, which standard defenses struggle to distinguish from real conferencing.
Presented at Black Hat USA by Praetorian's Adam Crosser, Ghost Calls exploits no vulnerability; it uses the protocols exactly as designed, for evasion.
The operator allocates a relay on the vendor's TURN server and builds a WebRTC tunnel through it, proxying C2 data via infrastructure that defenders already trust.
TURNt, the tool released with the research, tunnels C2 traffic over these TURN servers, improving both stealth and operational efficiency.
Because the traffic is encrypted WebRTC to trusted vendor domains, the approach hides the attacker's own infrastructure and passes through firewalls and proxies that allowlist conferencing services.
Zoom and Microsoft Teams have been contacted for potential responses or safeguards to mitigate this tactic's effectiveness. | Details |
| 2025-08-06 16:15:55 | bleepingcomputer | CYBERCRIME | Extradited Hacker Faces Charges for $3.3 Million Tax Fraud Scheme | Nigerian national Chukwuemeka Victor Amachukwu has been extradited to the U.S. from France to face charges related to hacking, fraud, and identity theft.
Amachukwu is accused of spearphishing attacks on U.S. tax preparation businesses, resulting in the theft of personal data and fraudulent tax and loan applications.
The scheme reportedly led to the theft of over $3 million, with $2.5 million from fraudulent tax refunds and $819,000 from SBA loan applications.
The Department of Justice (DOJ) also links Amachukwu to a separate scam involving fake investment opportunities, defrauding victims of millions.
Spearphishing attacks were conducted between 2019 and 2021, targeting U.S.-based entities to steal tax and personally identifiable information (PII).
Amachukwu faces six counts, and the U.S. is seeking forfeiture of all fraud proceeds and substitute assets.
Extradition occurred on August 4, 2025, with an initial court appearance the following day; a trial date is pending.
This case underscores the ongoing threat of international cybercrime and the importance of cross-border cooperation in law enforcement efforts. | Details |
| 2025-08-06 14:05:40 | bleepingcomputer | VULNERABILITIES | Strengthening Cybersecurity: The Essential Role of MFA and Passwords | Multi-factor authentication (MFA) is crucial in blocking over 99% of automated credential-stuffing and phishing attacks, according to Microsoft research.
Despite its effectiveness, MFA alone is insufficient if paired with weak, reused, or compromised passwords, leaving organizations vulnerable.
Attackers can bypass MFA by bombarding users with push prompts until one is approved (MFA fatigue) or by exploiting weaker fallback mechanisms.
Overreliance on MFA can lead to complacency, neglecting the foundational security measure of robust password management.
Organizations should enforce strong password policies to ensure passwords are long, unique, and uncompromised, complementing MFA.
A layered security approach, combining strong passwords with MFA across all critical systems, creates multiple barriers against unauthorized access.
Educating users on password hygiene is essential to bolster the effectiveness of MFA and maintain a resilient authentication strategy. | Details |
| 2025-08-06 13:57:04 | bleepingcomputer | DATA BREACH | Google and Major Brands Hit by Salesforce Data Breach Wave | Google confirmed a data breach in June involving its Salesforce CRM, attributed to the ShinyHunters extortion group.
The breach involved vishing attacks targeting employees to access and extract customer data from Salesforce systems.
Impacted data was largely limited to publicly available business contact information for small and medium enterprises.
Google has conducted an impact analysis and implemented mitigation strategies to address the breach.
ShinyHunters, linked to multiple high-profile breaches, continues to target Salesforce instances, affecting companies like Adidas, Qantas, and Cisco.
Affected companies face extortion demands, with some paying significant ransoms to prevent data leaks.
The ongoing attacks emphasize the need for robust social engineering defenses and CRM security measures. | Details |
| 2025-08-06 12:00:37 | bleepingcomputer | VULNERABILITIES | Dell ControlVault3 Flaws Enable Windows Login Bypass on Laptops | Cisco's Talos division identified critical vulnerabilities in Dell's ControlVault3 firmware, affecting over 100 laptop models.
The flaws, termed "ReVault," allow attackers to bypass Windows login and install persistent malware, impacting Latitude and Precision series.
The flaws include out-of-bounds memory access, an arbitrary free, a stack overflow, and unsafe deserialization, allowing code execution on the ControlVault firmware and privilege escalation on the host.
Attackers with physical access can exploit these vulnerabilities without needing system login credentials or encryption passwords.
Dell has issued security updates to mitigate these risks, urging users to update through Windows Update or Dell's website.
Recommendations include disabling unused security peripherals and enabling chassis intrusion detection in BIOS for added security.
The vulnerabilities pose significant risks in environments using biometric and smartcard authentication, common in government and industrial sectors. | Details |
| 2025-08-06 11:02:01 | thehackernews | MISCELLANEOUS | AI Revolutionizes vCISO Services Amid Rising SMB Cybersecurity Demand | A new report reveals a 319% increase in vCISO adoption among MSPs and MSSPs, driven by rising cybersecurity threats and SMB demand.
AI integration has reduced manual workloads by 68%, allowing service providers to efficiently scale operations and improve service delivery.
The shift to AI-powered vCISO models is transforming these services from niche offerings to essential components of cybersecurity strategy.
Service providers report enhanced business outcomes, including higher margins, better upsell opportunities, and increased recurring revenue.
Despite operational challenges, 81% of providers are already using AI, with an additional 15% planning adoption within the next year.
The report emphasizes the strategic importance of AI in delivering scalable, consistent, and high-quality cybersecurity services.
As the industry evolves, AI-driven tools will be crucial for meeting the growing demand and maintaining competitive advantage. | Details |
| 2025-08-06 11:02:00 | bleepingcomputer | MISCELLANEOUS | WhatsApp Enhances Security to Safeguard Users from Scams | WhatsApp introduces a new security feature to help users identify potential scams in group chats.
The feature includes a "safety overview" context card detailing group creation, member count, and scam warnings.
Users can control who adds them to groups and exit suspicious groups without viewing the chat.
Notifications from unknown group chats are silenced until users decide to engage.
WhatsApp alerts users when contacted by unknown numbers, encouraging caution and verification.
Over 6.8 million scam-related accounts were disabled by WhatsApp in the first half of the year.
The company collaborated with OpenAI to dismantle a scam center in Cambodia, targeting users with various fraudulent schemes.
WhatsApp continues to enhance privacy features, including Advanced Chat Privacy for sensitive information protection. | Details |
| 2025-08-06 10:39:35 | thehackernews | MALWARE | Microsoft Introduces AI-Powered System for Advanced Malware Classification | Microsoft announced Project Ire, an AI-driven system for autonomous malware classification.
The system uses large language models to reverse engineer software, determining if files are malicious or benign.
Project Ire aims to enhance malware detection, reduce manual analysis, and accelerate threat response.
It employs a multi-step evaluation process with detailed logs for security team reviews.
In initial tests, roughly nine in ten files Project Ire flagged were truly malicious (precision around 0.9) with a low false positive rate, although it still misses many samples.
The prototype will be integrated into Microsoft's Defender organization for broader threat detection.
Microsoft continues to support cybersecurity research, awarding $17 million in bounties to security researchers. | Details |
| 2025-08-06 10:06:06 | bleepingcomputer | VULNERABILITIES | Trend Micro Warns of Critical Apex One Zero-Day Exploitation | Trend Micro disclosed a critical remote code execution vulnerability in the on-premise Apex One Management Console that is already being exploited in the wild.
The flaw is a command injection weakness that lets a remote attacker execute arbitrary code on an exposed, unpatched console.
Trend Micro has released a mitigation tool that blocks the known exploitation path until a fix ships, at the cost of disabling some remote management functionality (including remote agent installation).
A security patch is expected by mid-August 2025, which will restore the disabled functionalities.
The Japanese CERT has issued an alert, urging users to apply mitigations promptly.
Administrators are advised to secure endpoints and consider IP source restrictions if their management console is exposed externally.
Trend Micro's advisory follows previous zero-day patches in Apex One, emphasizing the need for regular updates to prevent exploitation. | Details |
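
For the Python supply chain entry above (2025-08-07, thehackernews): the "controlled method" the article argues for means installs that are pinned and hash-verified. The script below is an added example, not code from the article or the webinar; it audits a requirements file for exact pins, `--hash` entries, direct-URL requirements and `--extra-index-url` (which lets pip resolve names across indexes, the dependency-confusion path). The sample requirements text and its sha256 value are constructed.

```python
"""Audit a pip requirements file for exact pins and --hash entries, the two
controls that make an install reproducible and verifiable.

Added example; the sample requirements text below is constructed, not a real
project's file."""
import re
from dataclasses import dataclass

# Requirement line: name, optional [extras], then specifier / options.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
_HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")
_PIN_RE = re.compile(r"==\s*[0-9]")            # also matches the '===' arbitrary-equality pin


@dataclass
class Finding:
    line_no: int
    package: str
    issue: str


def _logical_lines(text: str) -> list[tuple[int, str]]:
    """Join backslash continuations, drop comments; return (first line no, text)."""
    out, buf, start = [], "", None
    for i, raw in enumerate(text.splitlines(), 1):
        line = "" if raw.lstrip().startswith("#") else raw.split(" #", 1)[0].rstrip()
        if start is None:
            start = i
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append((start, buf.strip()))
        buf, start = "", None
    return out


def audit_requirements(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, req in _logical_lines(text):
        if req.startswith("--extra-index-url"):
            # pip merges all indexes, so a public package with the same name
            # as an internal one can win the resolution (dependency confusion).
            findings.append(Finding(line_no, "<options>",
                                    "--extra-index-url: dependency confusion risk, prefer a single --index-url"))
            continue
        if req.startswith("-"):            # -r, -c, --index-url, --trusted-host ...
            continue
        if "://" in req or req.startswith("git+"):
            findings.append(Finding(line_no, req.split()[0],
                                    "direct URL requirement: pin to an immutable commit or artefact hash"))
            continue
        m = _REQ_RE.match(req)
        if not m:
            findings.append(Finding(line_no, req, "unparseable requirement"))
            continue
        name, spec = m.group(1), m.group(3)
        hashes = _HASH_RE.findall(spec)
        if not _PIN_RE.search(_HASH_RE.sub("", spec)):
            findings.append(Finding(line_no, name, "not pinned to an exact version (use ==X.Y.Z)"))
        if not hashes:
            findings.append(Finding(line_no, name, "no --hash entry; pip install --require-hashes would reject this file"))
    return findings


# Constructed sample. The sha256 value is a placeholder, not a real artefact hash.
SAMPLE_REQUIREMENTS = """\
# locked dependency: pinned and hashed
requests==2.32.3 \\
    --hash=sha256:""" + "ab" * 32 + """
ultralytics>=8.3          # floating range: a newer, compromised release would install
pyyaml                    # no pin, no hash
--extra-index-url https://pypi.example.internal/simple
"""

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f.line_no}: {f.package}: {f.issue}")
```

Run it in CI against the lockfile that `pip install --require-hashes -r requirements.txt` consumes; pip's hash-checking mode refuses any requirement without a hash, so an empty finding list here is also the precondition for that install to succeed.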
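
For the ECScape entry (2025-08-06 20:35:46, thehackernews): the mitigations AWS lists come down to configuration state that can be audited. The following is an added example, not AWS or Sweet Security code; it reads an ECS agent config (`/etc/ecs/ecs.config`) and a task definition and reports the settings that let a task reach the instance metadata service, fall back to the instance role, or escape its share of the host. The option names and task-definition fields are the documented ones; the sample inputs are constructed.

```python
"""Audit an ECS container-instance agent config and a task definition for the
conditions that let one task read the instance role from IMDS or otherwise
break out of its share of the host. Added example, not AWS or Sweet Security
code; the config keys and task-definition fields are the documented ones, the
sample inputs are constructed."""
import json

DOCKER_SOCKET = "/var/run/docker.sock"


def parse_agent_config(text: str) -> dict[str, str]:
    """/etc/ecs/ecs.config is KEY=VALUE per line with '#' comments."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def audit_agent_config(cfg: dict[str, str]) -> list[str]:
    issues = []
    # awsvpc-mode tasks reach 169.254.169.254 unless the agent blocks it.
    # (bridge-mode tasks need the iptables DOCKER-USER drop rule instead; that
    #  is host state, not something this file can show.)
    if cfg.get("ECS_AWSVPC_BLOCK_IMDS", "false").lower() != "true":
        issues.append("ECS_AWSVPC_BLOCK_IMDS is not true: awsvpc tasks can read the instance role from IMDS")
    if cfg.get("ECS_DISABLE_PRIVILEGED", "false").lower() != "true":
        issues.append("ECS_DISABLE_PRIVILEGED is not true: the instance will run privileged containers")
    return issues


def audit_task_definition(td: dict) -> list[str]:
    issues = []
    if not td.get("taskRoleArn"):
        issues.append("no taskRoleArn: containers fall back to the instance role's credentials")
    if td.get("networkMode") == "host":
        issues.append("networkMode=host: containers share the host network namespace, IMDS included")
    if "FARGATE" not in set(td.get("requiresCompatibilities", ["EC2"])):
        issues.append("EC2 launch type: the task shares a kernel and ECS agent with every other task on the instance")
    for vol in td.get("volumes", []):
        if vol.get("host", {}).get("sourcePath", "").startswith(DOCKER_SOCKET):
            issues.append(f"volume {vol.get('name')} mounts the Docker socket: root on the host")
    for c in td.get("containerDefinitions", []):
        if c.get("privileged"):
            issues.append(f"container {c.get('name')} is privileged: no isolation from the host at all")
    return issues


# Constructed samples.
WEAK_AGENT_CONFIG = 'ECS_CLUSTER=prod\nECS_ENABLE_TASK_IAM_ROLE=true\n'
HARDENED_AGENT_CONFIG = (
    'ECS_CLUSTER=prod\nECS_ENABLE_TASK_IAM_ROLE=true\n'
    'ECS_AWSVPC_BLOCK_IMDS=true\nECS_DISABLE_PRIVILEGED=true\n'
)
WEAK_TASK_DEF = json.loads("""{
  "family": "billing-worker", "networkMode": "awsvpc",
  "requiresCompatibilities": ["EC2"],
  "volumes": [{"name": "dock", "host": {"sourcePath": "/var/run/docker.sock"}}],
  "containerDefinitions": [{"name": "worker", "image": "example.invalid/worker:1", "privileged": true}]
}""")
HARDENED_TASK_DEF = json.loads("""{
  "family": "billing-worker", "networkMode": "awsvpc",
  "requiresCompatibilities": ["FARGATE"],
  "taskRoleArn": "arn:aws:iam::123456789012:role/billing-worker-task",
  "containerDefinitions": [{"name": "worker", "image": "example.invalid/worker:1"}]
}""")

if __name__ == "__main__":
    for label, issues in (("agent", audit_agent_config(parse_agent_config(WEAK_AGENT_CONFIG))),
                          ("task", audit_task_definition(WEAK_TASK_DEF))):
        for issue in issues:
            print(f"[{label}] {issue}")
```

For bridge-mode tasks the IMDS block is not an agent flag; AWS's task-role documentation uses an iptables rule on the host (`iptables --insert DOCKER-USER --in-interface docker+ --destination 169.254.169.254/32 --jump DROP`), so a complete audit also has to check the live firewall state. Note that none of this closes the gap ECScape describes on a shared instance; it removes the easy paths and limits what a stolen instance role can do, which is why the article's first recommendation is Fargate or dedicated hosts for tasks of differing trust.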
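
For the Akira BYOVD entry (2025-08-06 20:21:08, bleepingcomputer): the chain leaves two artifacts a SOC can see, a kernel driver service being created or loaded under the reported file names, and a Defender policy value set to 1 by regedit.exe shortly afterwards. The code below is an added example, not GuidePoint's YARA rule or indicators; it classifies constructed event records shaped like Windows System 7045 and Sysmon 6/13 events and correlates the two stages per host. No file hashes are included, only the driver names the article gives.

```python
"""Flag the two observable stages of the Akira BYOVD chain in Windows telemetry:
a kernel driver install/load naming the reported drivers, then a Defender
policy value being set to 1. Added example, not GuidePoint's YARA rule; the
event records are constructed in the shape of System 7045 and Sysmon 6/13
events, and no file hashes are included."""
from datetime import datetime, timedelta
from typing import Optional
import ntpath

# Driver file names reported in the Akira incidents (no hashes here).
DRIVER_IOCS = {"rwdrv.sys", "hlpdrv.sys"}
# Defender policy values whose DWORD 1 switches protection off.
DEFENDER_KILL_VALUES = {"disableantispyware", "disablerealtimemonitoring"}
USER_WRITABLE = ("\\temp\\", "\\users\\", "\\programdata\\")


def classify(ev: dict) -> Optional[str]:
    """Map one event to a detection label, or None if it looks benign."""
    channel, eid = ev["Channel"], ev["EventID"]
    if channel == "System" and eid == 7045:               # new service installed
        path = ev["ImagePath"].lower()
        if ntpath.basename(path) in DRIVER_IOCS:
            return "driver-ioc"
        if ev.get("ServiceType", "").lower().startswith("kernel") and any(s in path for s in USER_WRITABLE):
            return "kernel-driver-from-user-path"
    if channel == "Sysmon" and eid == 6:                  # driver loaded
        if ntpath.basename(ev["ImageLoaded"].lower()) in DRIVER_IOCS:
            return "driver-ioc"
    if channel == "Sysmon" and eid == 13:                 # registry value set
        key = ev["TargetObject"].lower()
        if ("\\windows defender\\" in key
                and key.rsplit("\\", 1)[-1] in DEFENDER_KILL_VALUES
                and ev.get("Details", "").endswith("(0x00000001)")):
            return "defender-policy-disabled"
    return None


def correlate(events: list[dict], window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """One alert per suspicious event, plus a chain alert when a driver hit is
    followed on the same host by a Defender policy kill inside `window`."""
    alerts, last_driver_hit = [], {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        label = classify(ev)
        if label is None:
            continue
        ts, host = datetime.fromisoformat(ev["UtcTime"]), ev["Computer"]
        alerts.append({"host": host, "rule": label, "evidence": ev})
        if label == "defender-policy-disabled":
            if host in last_driver_hit and ts - last_driver_hit[host][0] <= window:
                alerts.append({"host": host, "rule": "byovd-defender-kill-chain",
                               "evidence": [last_driver_hit[host][1], ev]})
        else:
            last_driver_hit[host] = (ts, ev)
    return alerts


# Constructed sample telemetry: one host running the chain, one benign driver install.
SAMPLE_EVENTS = [
    {"Channel": "System", "EventID": 7045, "Computer": "WS-0142", "UtcTime": "2025-07-29T02:14:05",
     "ServiceName": "rwdrv", "ImagePath": "C:\\Windows\\Temp\\rwdrv.sys", "ServiceType": "kernel mode driver"},
    {"Channel": "System", "EventID": 7045, "Computer": "WS-0142", "UtcTime": "2025-07-29T02:14:41",
     "ServiceName": "hlpdrv", "ImagePath": "C:\\Windows\\Temp\\hlpdrv.sys", "ServiceType": "kernel mode driver"},
    {"Channel": "Sysmon", "EventID": 13, "Computer": "WS-0142", "UtcTime": "2025-07-29T02:15:03",
     "Image": "C:\\Windows\\regedit.exe", "EventType": "SetValue",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"Channel": "System", "EventID": 7045, "Computer": "WS-0077", "UtcTime": "2025-07-29T02:20:00",
     "ServiceName": "iaStorV", "ImagePath": "C:\\Windows\\System32\\drivers\\iaStorV.sys",
     "ServiceType": "kernel mode driver"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["host"], a["rule"])
```

The name match is the high-fidelity rule the article describes; the user-writable-path rule catches the same technique when the attacker renames the driver, at the cost of needing an allowlist for legitimate installers that stage drivers in `%TEMP%`.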
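
For the Ghost Calls entry (2025-08-06 16:37:15, bleepingcomputer): the tunnel starts with a TURN Allocate request, which is the one frame that separates relay setup from the ordinary STUN Binding traffic every WebRTC client emits. The decoder below is an added example, not Praetorian's TURNt; it parses the RFC 5389 STUN header and attributes, recognises the RFC 5766 Allocate request and ChannelData framing, and exposes an `is_relay_setup` check a sensor could apply. The frames are constructed. It only applies to cleartext STUN/TURN (UDP or TCP 3478); Zoom and Teams also carry TURN inside TLS on 443, where this is invisible without interception.

```python
"""Decode STUN/TURN messages (RFC 5389 header, RFC 5766 Allocate/ChannelData)
so a sensor can tell a plain NAT-traversal Binding from the Allocate request
that sets up a relay tunnel. Added example, not Praetorian's TURNt; the frames
below are constructed, and this only applies to cleartext STUN/TURN (UDP/TCP
3478), not TURN carried inside TLS on 443."""
import struct
from dataclasses import dataclass

MAGIC_COOKIE = 0x2112A442
METHODS = {0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh", 0x006: "Send",
           0x007: "Data", 0x008: "CreatePermission", 0x009: "ChannelBind"}
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}
ATTR_REQUESTED_TRANSPORT = 0x0019          # value: protocol number (17 = UDP) + 3 reserved bytes
ATTR_LIFETIME = 0x000D


@dataclass
class StunMessage:
    method: str
    msg_class: str
    transaction_id: bytes
    attrs: dict


@dataclass
class ChannelData:                          # TURN framing once a channel is bound: 01 + channel + data
    channel: int
    payload: bytes


def decode_type(t: int) -> tuple[int, int]:
    """Split the 14-bit message type into (method, class); class bits sit at 0x0100 and 0x0010."""
    method = ((t & 0x3E00) >> 2) | ((t & 0x00E0) >> 1) | (t & 0x000F)
    cls = ((t & 0x0100) >> 7) | ((t & 0x0010) >> 4)
    return method, cls


def encode_type(method: int, cls: int) -> int:
    return (((method & 0x0F80) << 2) | ((method & 0x0070) << 1) | (method & 0x000F)
            | ((cls & 0x2) << 7) | ((cls & 0x1) << 4))


def parse(buf: bytes):
    """Return a StunMessage, a ChannelData, or None for anything that is neither."""
    if len(buf) < 4:
        return None
    if buf[0] >> 6 == 0b01:
        channel, length = struct.unpack("!HH", buf[:4])
        return ChannelData(channel, buf[4:4 + length])
    if buf[0] >> 6 != 0 or len(buf) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", buf[:8])
    if cookie != MAGIC_COOKIE or len(buf) < 20 + length:
        return None
    method, cls = decode_type(msg_type)
    attrs, off = {}, 20
    while off + 4 <= 20 + length:
        attr_type, attr_len = struct.unpack("!HH", buf[off:off + 4])
        attrs[attr_type] = buf[off + 4:off + 4 + attr_len]
        off += 4 + ((attr_len + 3) & ~3)   # attribute values are padded to 4 bytes
    return StunMessage(METHODS.get(method, hex(method)), CLASSES[cls], buf[8:20], attrs)


def build(method: int, cls: int, attrs: list, tid: bytes = b"\x00" * 12) -> bytes:
    """Encode a STUN message; used here only to construct sample frames."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v + b"\x00" * ((-len(v)) % 4) for t, v in attrs)
    return struct.pack("!HHI", encode_type(method, cls), len(body), MAGIC_COOKIE) + tid + body


def is_relay_setup(msg) -> bool:
    """An Allocate request carrying REQUESTED-TRANSPORT is the first step of a TURN relay tunnel."""
    return (isinstance(msg, StunMessage) and msg.method == "Allocate"
            and msg.msg_class == "request" and ATTR_REQUESTED_TRANSPORT in msg.attrs)


# Constructed sample frames.
BINDING_REQUEST = build(0x001, 0, [])
ALLOCATE_REQUEST = build(0x003, 0, [(ATTR_REQUESTED_TRANSPORT, bytes([17, 0, 0, 0])),
                                    (ATTR_LIFETIME, struct.pack("!I", 3600))])
CHANNEL_DATA = struct.pack("!HH", 0x4000, 5) + b"hello" + b"\x00" * 3

if __name__ == "__main__":
    for frame in (BINDING_REQUEST, ALLOCATE_REQUEST, CHANNEL_DATA):
        m = parse(frame)
        print(m, "<- relay setup" if is_relay_setup(m) else "")
```

A useful detection is not the Allocate itself, which every relayed call produces, but an Allocate from a host with no conferencing client process running, or relay sessions whose lifetime and byte volume look nothing like a meeting.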
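
For the MFA and passwords entry (2025-08-06 14:05:40, bleepingcomputer): "uncompromised" is checkable without sending the password anywhere, using the k-anonymity range lookup Have I Been Pwned exposes (only the first five hex characters of the SHA-1 leave the client). The code below is an added example, not from the article; it implements the split, the local suffix match, and a minimal policy check. The range response is constructed (a real response for one prefix holds hundreds of suffixes), and `MIN_LENGTH` is an assumed policy value the article does not state.

```python
"""Check a candidate password against a breach corpus using the k-anonymity
range lookup Have I Been Pwned exposes: only the first five hex characters of
the SHA-1 leave the client, and the matching suffix is looked up locally.
Added example; the range response below is constructed, and MIN_LENGTH is an
assumed policy value, not one the article states."""
import hashlib

MIN_LENGTH = 15
RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    return RANGE_API + prefix


def breach_count(suffix: str, range_response: str) -> int:
    """range_response is the 'SUFFIX:COUNT' text body returned for the prefix."""
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def evaluate_password(password: str, range_response: str, min_length: int = MIN_LENGTH) -> list[str]:
    """The policy the article argues for: long, and absent from known breaches."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    _, suffix = split_sha1(password)
    hits = breach_count(suffix, range_response)
    if hits:
        problems.append(f"appears {hits} times in known breaches")
    return problems


# Constructed range response for the prefix of SHA-1("password") (5BAA6),
# padded with made-up decoy suffixes; the counts are invented.
_PREFIX, _SUFFIX = split_sha1("password")
SAMPLE_RANGE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    f"{_SUFFIX}:9545824",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
])

if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-2025"):
        print(pw, "->", evaluate_password(pw, SAMPLE_RANGE_RESPONSE) or "ok")
```

In production the caller fetches `range_url(prefix)` over HTTPS and passes the body to `breach_count`; the server never sees the full hash, which is what makes this safe to run at password-change time.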