Daily Brief

2025-07-23 22:50:54 | bleepingcomputer | MISCELLANEOUS | Brave Enhances Privacy by Blocking Windows Recall Feature
Brave Software has updated its browser to stop Microsoft's Windows Recall feature from automatically capturing screenshots, in order to protect user privacy. Windows Recall, an opt-in feature for Windows 11, captures and analyzes screenshots of active windows, allowing users to search their past activity. The feature raised privacy concerns because it could expose sensitive information such as passwords and financial records. Microsoft responded to the criticism by allowing software developers to opt out and by adding Windows Hello Enhanced Sign-in Security. Brave's latest update uses Microsoft's SetInputScope API to set browser windows to IS_PRIVATE, which prevents Recall from saving browsing data. The update is currently available in Brave Nightly builds and will be included in stable releases soon. Users who still want to use Recall can enable it manually in Brave's browser settings. Earlier, the encrypted messenger Signal also implemented measures to block Windows Recall, using DRM to protect user privacy.
2025-07-23 20:49:43 | theregister | MISCELLANEOUS | FBI Alerts to Teen-Recruited Real-Life Violence and Cybercrimes
The FBI has issued a warning about IRL Com, a group that draws minors into committing real-world violent crimes, including shootings and kidnappings. IRL Com, an offshoot of a larger cybercrime network known as The Com, also engages in cyber fraud, ransomware attacks, and child sexual abuse. The group, which operates globally, comprises networks of hackers and SIM swappers, with many members being minors, especially teenage boys. Teens are often recruited through social media platforms, and the group offers swat-for-hire services as part of its criminal activities. Finnish authorities flagged concerns about The Com manipulating young people into perpetrating, or becoming victims of, extreme violence. The Com also uses swatting, a method involving hoax calls that provoke a large police response at a victim's location, to control and discipline members. Recent joint operations by the FBI and UK authorities led to the arrest of three young British individuals involved in cross-Atlantic swatting incidents.
2025-07-23 20:18:42 | theregister | MISCELLANEOUS | Brave Browser Enhances Privacy by Blocking Microsoft Recall Feature
Brave browser version 1.81 will block Microsoft Recall's screenshotting capabilities by default to protect user privacy. Microsoft's Recall feature, introduced to enhance AI interactions on Copilot+ PCs, captures screen images frequently so that data can be retrieved using image recognition and natural language processing. Originally planned as an opt-out feature, Recall was changed to opt-in by Microsoft amid privacy concerns and criticism, with stronger data protection measures in its latest iteration. Brave Software maintains that the adjusted, opt-in model of Recall still poses a privacy risk, which prompted it to disable the feature in all Brave browser tabs. The decision was influenced by similar action from the secure messaging app Signal, which implemented DRM-based screenshot blocking on its platform. Brave's implementation selectively prevents only Recall-generated screenshots, avoiding interference with other applications, such as accessibility tools, that require screenshot capabilities. Microsoft has further developed the Recall feature into Copilot Vision, an opt-in service that processes user activity more intensively by sending screenshots to Microsoft servers. Brave is set to release this update on August 5, 2025, continuing its commitment to robust user privacy protections against potential data harvesting by AI tools.
2025-07-23 18:10:38 | theregister | DATA BREACH | Over 400 Organizations Targeted in Microsoft SharePoint Attacks
More than 400 organizations globally have been affected by a series of cyberattacks exploiting vulnerabilities in Microsoft SharePoint. The attacks came in multiple waves starting on July 17, with significant breaches including the US Department of Energy (DOE) and its National Nuclear Security Administration. DOE confirmed only minimal impact, crediting robust cybersecurity measures and a quick mitigation response. Other victims included additional government agencies and key sectors such as telecommunications and software. The vulnerabilities exploited were identified as the remote code execution bug CVE-2025-53770 and the security bypass flaw CVE-2025-53771, both addressed in Microsoft's recent updates. Microsoft acknowledged the exploits late, after the initial reports, which both Google and Microsoft say point to the involvement of Chinese cyberspies. Measures including patching of affected SharePoint versions and mitigations for impacted systems are underway across the victim organizations.
2025-07-23 17:26:46 | bleepingcomputer | CYBERCRIME | Clorox Sues Cognizant for $380M Over Catastrophic Cyberattack
Clorox is suing Cognizant for gross negligence following a major cyberattack in August 2023 that was facilitated by a social engineering scheme. The hackers, identified as Scattered Spider, gained access to Clorox systems by convincing Cognizant's help desk to reset an employee's password without proper verification. The breach led to network paralysis, halted manufacturing, widespread product shortages, and significant business disruption for Clorox. Clorox claims Cognizant failed to follow established security procedures for credential verification, leading to unauthorized access and the spread of the breach. The lawsuit alleges that Cognizant's mishandling of the incident response made the situation worse, causing prolonged network downtime and ineffective containment. Clorox is seeking $49 million for direct remediation costs and a total of $380 million in damages for breach of contract and negligence. The incident highlights critical weaknesses in third-party vendor management and the importance of rigorous identity verification protocols in cybersecurity.
2025-07-23 17:18:00 | thehackernews | MALWARE | Mimo Threat Actor Exploits Magento, Docker for Crypto Mining
The threat actor Mimo has shifted from targeting Craft CMS to exploiting Magento CMS and misconfigured Docker instances in order to deploy cryptocurrency miners and proxyware. Mimo's operations have grown in sophistication, suggesting preparation for more financially lucrative criminal activity beyond cryptojacking. The attack exploits PHP-FPM vulnerabilities via a Magento plugin and uses them to drop GSocket for persistent, stealthy access through a reverse shell. Techniques include using memfd_create() for in-memory execution of an ELF binary loader called "4l4md4r," which deploys the IPRoyal proxyware and the XMRig miner without leaving traces on disk. Mimo modifies the "/etc/ld.so.preload" file to inject a rootkit that hides the mining and proxyware tools, maximizing monetization of compromised machines. Using CPU resources for mining and bandwidth for proxy services at the same time allows continuous revenue generation even if the mining activity is detected and halted. Datadog has also observed Mimo exploiting publicly accessible Docker instances to spread its malware further and achieve persistence on compromised systems.
2025-07-23 16:24:47 | bleepingcomputer | NATION STATE ACTIVITY | US Nuclear Weapons Agency Targeted in Zero-Day SharePoint Hack
Unknown threat actors exploited a Microsoft SharePoint zero-day vulnerability to breach the network of the National Nuclear Security Administration (NNSA). The Department of Energy confirmed that the impact of the breach was limited thanks to robust cybersecurity measures and cloud usage. The attacks, linked to Chinese state-sponsored groups, targeted internet-facing SharePoint servers and affected over 400 servers globally. Earlier incidents in 2019 involved Russian state hackers using a trojanized SolarWinds Orion update to breach similar US systems. There is no evidence that sensitive or classified information was compromised in the current breach. Cybersecurity agencies, including CISA, have urged immediate action to secure systems against the exploited vulnerabilities. Ongoing investigations seek to determine the full implications of the exploit and identify any additional threat actors involved.
2025-07-23 16:08:58 | theregister | MISCELLANEOUS | VMware Patch Access Denied for Some Perpetual Licensees
Broadcom's VMware unit is currently preventing some customers with perpetual licenses from accessing necessary security patches. The affected customers are those without current support contracts, which the company will not renew unless they convert to subscription models. This exposes users to increased cyber risk, particularly as VMware has issued multiple security advisories for critical flaws in 2025. In April 2024, CEO Hock Tan had promised free access to zero-day patches for supported vSphere versions to keep perpetual license holders secure. Due to recent changes in the support portal that require entitlement validation, patch downloads have been delayed, with some users reporting a 90-day wait. A VMware spokesperson said that a separate patch delivery cycle for non-entitled customers will be implemented, though no specific date has been given. A Dutch court ordered continued support for at least two years for Rijkswaterstaat, a government agency, highlighting the severity and legal implications of Broadcom's support policy changes.
2025-07-23 16:00:17 | bleepingcomputer | MALWARE | NPM 'is' Package Compromise Infects Millions with Malware
The popular NPM package 'is' was compromised in a supply chain attack that planted backdoor malware in the software. With over 2.8 million weekly downloads, 'is' exposed numerous development environments after maintainer accounts were hijacked via phishing. The compromised versions ranged from 3.3.1 to 5.0.0 and were available for several hours before being removed, creating a window for widespread infection. The malware enabled remote code execution, collected system information, and established a WebSocket connection to exfiltrate the data. Other packages, such as 'eslint', were hit by similar attacks and contained infostealers targeting data in web browsers. The attack pattern involved using a fake domain to capture maintainer credentials and then manipulating package versions. Recommended remediation includes resetting passwords and tokens, disabling auto-updates, and using lockfiles to protect dependencies against unauthorized changes.
2025-07-23 15:16:21 | bleepingcomputer | NATION STATE ACTIVITY | US Nuclear Security Agency Hacked via SharePoint Zero-Day
A breach occurred at the National Nuclear Security Administration (NNSA), leveraging a recently patched Microsoft SharePoint zero-day. The Department of Energy confirmed minimal impact due to robust cybersecurity measures and rapid containment efforts. No sensitive or classified data was reportedly compromised in the attack on the NNSA. Microsoft and Google identified Chinese state-sponsored groups as exploiting the SharePoint vulnerabilities in global attacks. Over 400 servers were infected and 148 organizations breached globally, according to cybersecurity firm investigations. The attack is reminiscent of the 2019 breach by APT29, a Russian state-sponsored group, using compromised SolarWinds software. CISA has responded by adding the exploited vulnerability to its catalog and ordering U.S. federal agencies to take prompt security measures.
2025-07-23 15:06:26 | theregister | MISCELLANEOUS | Essential Security Questions Every Leader Should Address
Security teams must ensure full visibility of all devices accessing their environment in order to close security gaps. Microsoft identifies unmanaged devices as a major risk, with 90% of successful ransomware attacks originating from such devices. Scattered device data, shadow IT, and remote work make it hard to maintain a real-time, accurate device inventory. Enforcing and properly scoping Multi-Factor Authentication (MFA) and access controls remains pivotal yet challenging for security teams; according to Microsoft, 99.9% of account compromises affect accounts without MFA. Testing security against modern attack techniques is crucial, since static defenses are often bypassed by new attack strategies. Prelude is improving security response by aggregating data from multiple security platforms into a unified dashboard, enabling real-time security insights and optimizations. Prelude's platform also includes capabilities for simulating attacks to test and validate security measures, ensuring defenses are effective against actual threats.
2025-07-23 14:40:01 | bleepingcomputer | CYBERCRIME | Effective Strategies to Protect Active Directory from Kerberoasting
Kerberoasting is a cyberattack method that targets service accounts in Microsoft Active Directory through the Kerberos authentication protocol. Attackers take advantage of the low detection risk and of tools available online for finding accounts with Service Principal Names (SPNs) and subsequently cracking their passwords. The primary defense against Kerberoasting is a robust password policy, such as enforcing unique, long passphrases and blocking known compromised passwords. Specops Software provides tools such as Specops Password Policy and Specops Password Auditor to strengthen Active Directory security by preventing weak and reused passwords. Multi-factor authentication (MFA) is crucial for protecting accounts against initial access, which is a prerequisite for launching a Kerberoasting attack. An exportable report from tools such as Specops Password Auditor can help identify and secure stale accounts, which are commonly exploited in Kerberoasting. Verizon's Data Breach Investigations Report notes that stolen credentials play a role in approximately 44.7% of data breaches, underlining the importance of secure authentication practices. Organizations are encouraged to adopt comprehensive, compliant password policies to protect against the sophisticated password cracking techniques used in Kerberoasting.
2025-07-23 13:56:13 | theregister | CYBERCRIME | Clorox Sues Cognizant for $380M Over Password Leak Leading to Cyberattack
Clorox is suing Cognizant for $380 million, alleging negligence in its handling of cybersecurity that facilitated a major cyberattack. The lawsuit claims that Cognizant's service desk improperly handed over Clorox staff credentials to a cybercriminal, in violation of security protocols. Clorox reported severe disruption to its operations as a result of the attack, including paused manufacturing and substantial sales losses. The cybercriminals penetrated further into the network by targeting additional IT security credentials and manipulating multi-factor authentication settings. Clorox criticizes Cognizant's sluggish response in reinstating critical cybersecurity tools and in handling the aftermath of the attack. Although Clorox removed the intruders within three hours of the breach, the impact included prolonged manual processes and operational downtime. Clorox seeks a jury trial and substantial damages, citing the significant financial and operational harm resulting from the incident.
2025-07-23 13:46:12 | bleepingcomputer | CYBERCRIME | Ukraine Captures Key Administrator of Major Russian Hacking Forum
Ukrainian authorities, in close collaboration with French law enforcement and Europol, have arrested the suspected administrator of XSS.is, a prominent Russian-speaking cybercrime forum. The arrest was based on evidence gathered during a four-year investigation by the Paris public prosecutor's office into ransomware and other cybercriminal activity connected to the forum. Although XSS.is banned ransomware topics in 2021, intercepted communications on the encrypted platform Jabber revealed ongoing illicit cyber operations generating millions in profits. French police penetrated the 'thesecure.biz' server, which threat actors used for secure messaging, to surveil and collect evidence, leading to the identification of the forum's administrator. The judicial inquiry into the forum's activities includes charges of complicity in attacks on data processing systems, extortion, and criminal conspiracy. With over 50,000 users, XSS.is is a central hub where cybercriminals trade malware and access to compromised systems and discuss illegal activities; the arrest may lead to further arrests and a decline in forum activity as the risk of law enforcement action grows. The arrest follows a pattern of increased international cooperation against cybercrime, as shown by recent similar operations against other cybercrime networks.
2025-07-23 13:30:38 | bleepingcomputer | CYBERCRIME | CISA Alerts on Active Exploitation of SysAid Software Vulnerabilities
CISA has issued a warning about the active exploitation of two vulnerabilities in SysAid IT service management software. Hackers are using these flaws, CVE-2025-2775 and CVE-2025-2776, unauthenticated XML External Entity issues, to gain administrator access. The vulnerabilities were first reported in December 2024 and patched in March 2025 with SysAid On-Prem version 24.4.60. After the patch, proof-of-concept code was released showing how easily these vulnerabilities could be exploited to access sensitive information. U.S. Federal Civilian Executive Branch (FCEB) agencies are required to patch their systems by August 12 under Binding Operational Directive 22-01. Although the directive applies to federal agencies, CISA has urged all organizations to prioritize these patches because of the high risk and prevalence of the exploits. Numerous SysAid instances, primarily in North America and Europe, remain vulnerable and exposed online. Previous exploitation of a different SysAid vulnerability by the cybercrime group FIN11 in 2023 resulted in ransomware deployment, although no ransomware links have been observed with the current exploits.