Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11809

Checks for new stories every ~15 minutes

2025-07-16 19:34:46 bleepingcomputer DATA BREACH Louis Vuitton Confirms Multiregional Data Breach Linked to ShinyHunters
Louis Vuitton confirmed that the data breaches in the UK, South Korea, and Turkey were caused by the same cyberattack, likely orchestrated by the ShinyHunters group. The company has been actively notifying affected customers and has involved relevant authorities, including the Information Commissioner's Office. Personal data, but not payment information, was compromised in the breach, which originated from unauthorized system access on July 2, 2025. Immediate actions to contain the breach included blocking the unauthorized access and deploying additional technical security measures. The breaches at Louis Vuitton are part of a pattern of similar incidents at other high-profile companies, indicating a targeted approach by ShinyHunters. ShinyHunters is known for multiple significant data thefts and remains partly active despite recent arrests related to the group. Louis Vuitton is continuing its investigation with cybersecurity experts to assess the extent of the breach and prevent future incidents.
2025-07-16 18:22:48 theregister DDOS Global Crackdown on DDoS Network Supporting Russian Interests
International law enforcement, led by Europol, executed Operation Eastwood to dismantle over 100 servers tied to the pro-Russian NoName057(16) network. The operation, which involved 19 countries, led to the arrest of two Russian nationals in France and Spain, and seven additional arrest warrants were issued. NoName057(16), a group of Russian-speaking sympathizers, launched attacks targeting websites of governments and institutions supporting Ukraine. Europol estimates that the network includes over 4,000 supporters who utilize a botnet built from several hundred servers to amplify their DDoS attacks. Recent attacks by this group include disruptions to Swedish banks, German companies, and government websites in Switzerland and the UK. Thirteen individuals were questioned regarding their involvement with NoName057(16), with two main instigators identified but not publicly named. The crackdown was supported by cybersecurity agencies from multiple countries and assisted by nonprofits such as ShadowServer and abuse.ch for technical operations.
2025-07-16 17:52:51 thehackernews MALWARE Matanbuchus 3.0 Malware Targets Firms via Microsoft Teams
Cybersecurity experts identified a new variant of the malware loader Matanbuchus, known as Matanbuchus 3.0, which is designed to evade detection and utilize advanced infiltration techniques. Matanbuchus is marketed as malware-as-a-service on cybercrime forums, used to deploy ransomware and other malicious payloads by exploiting social engineering tactics. An incident involving Microsoft Teams showcased attackers impersonating IT help desk personnel, tricking employees into activating Matanbuchus via remote assistance and PowerShell scripts. The loader incorporates features like enhanced communication protocols, in-memory operations, and support for remote shell commands, increasing its stealth and operational flexibility. Matanbuchus 3.0 checks for administrative privileges and the presence of security tools on infected systems before executing further commands and communicating with a command-and-control server. Persistence is achieved by using sophisticated techniques such as COM manipulation and shellcode injection to schedule tasks. The updated service is offered at high rental prices, reflecting its sophisticated capabilities and the emphasis on targeted, stealthy attacks on enterprise systems. Researchers emphasize the evolving threat landscape and the risks posed by sophisticated loaders that exploit enterprise collaboration tools like Microsoft Teams to distribute malware.
2025-07-16 16:57:35 bleepingcomputer MISCELLANEOUS Cloudflare Explains Internal Error Caused Global DNS Outage
Cloudflare's 1.1.1.1 DNS Resolver service outage on July 14 was due to an internal configuration error, not a cyberattack or BGP hijack. The misconfiguration linked 1.1.1.1 Resolver IP prefixes to an offline Data Localization Suite service, causing global service disruption. The issue was identified and resolved within approximately one hour, with full restoration achieved shortly thereafter. Cloudflare disclosed that the misconfiguration impacted multiple IP ranges and primarily affected UDP, TCP, and DNS-over-TLS traffic. DNS-over-HTTPS traffic was largely unaffected due to different routing mechanisms. Post-incident, Cloudflare plans to upgrade its systems to prevent similar issues, focusing on abstract service topologies for gradual deployments and health monitoring. The company acknowledged shortcomings in their legacy systems and internal documentation, which failed to catch the misconfiguration during peer review.
2025-07-16 15:38:23 bleepingcomputer MALWARE SonicWall Devices Targeted by OVERSTEP Rootkit and Ransomware
SonicWall SMA appliances have been compromised by a new malware, known as OVERSTEP, which modifies the boot process and installs a user-mode rootkit. The attacks, conducted by threat actor UNC6148, possibly utilized an undetected zero-day vulnerability allowing persistence and data theft from fully-patched but unsupported devices. UNC6148 has been active since at least October and uses data theft and extortion tactics; sensitive files stolen in these attacks have appeared on the World Leaks data-leak site. Researchers suggest the threat actor gained initial access by exploiting known vulnerabilities to steal local administrator credentials before devices were updated to the latest firmware. During an observed attack, the actor utilized a reverse shell to conduct reconnaissance and manipulate files on the compromised device, then deployed the OVERSTEP rootkit. OVERSTEP provides the attacker with capabilities to stealthily maintain access, manipulate system logs, and steal sensitive information like passwords and certificates. Despite attempts to trace and understand all access and modifications, researchers face challenges due to anti-forensic features of the rootkit which obscure much of the malicious activity. Security professionals are advised to monitor for potential compromises and conduct thorough investigations using indicators of compromise provided by Google Threat Intelligence Group.
2025-07-16 15:07:51 bleepingcomputer CYBERCRIME Fortinet FortiWeb Compromised via Published RCE Exploits
Recent compromises of Fortinet FortiWeb units were carried out using a public RCE exploit for CVE-2025-25257. The Shadowserver Foundation detected 85 compromised instances on July 14 and 77 the next day, linking them to this exploit. CVE-2025-25257, a pre-authentication SQL injection vulnerability present in numerous FortiWeb versions, was identified as the attack vector. Public release of exploits on July 11 led to active exploitation, highlighting the immediate need to update to patched versions. A majority of the compromised systems are located in the United States. FortiWeb is a Web Application Firewall in high demand among enterprises and governmental bodies. Administrators are urged to update urgently or to disable the HTTP/HTTPS admin interfaces to protect against these attacks.
2025-07-16 14:12:27 bleepingcomputer DDOS Pro-Russian Hacktivist Group Disrupted in International Sting
The pro-Russian NoName057(16) hacking group, known for launching DDoS attacks, was targeted in an extensive law enforcement operation named "Operation Eastwood." Europol and Eurojust led the operation with collaborative efforts from 12 countries, including the USA and multiple European nations. The operation resulted in the disruption of over 100 servers used by NoName057(16), with the primary actions conducted on July 15, 2025. Targets of NoName057(16) span Europe and Israel, affecting NATO sites, government agencies, and critical infrastructure sectors. Two individuals were arrested, and seven European arrest warrants were issued, focusing on those believed to be core members and administrators of the group. Authorities also sent Telegram messages to approximately 1,100 participants and 17 administrators of the group, warning them about their potential criminal liability. Despite the significant setbacks to NoName057(16), Europol indicates that because core members reside in Russia, the group might soon recover and continue its operations.
2025-07-16 14:04:20 theregister MALWARE Stealthy Backdoor and Rootkit Compromise SonicWall VPN Appliances
Unknown attackers are exploiting fully patched, end-of-life SonicWall VPN appliances, deploying a novel backdoor and rootkit named OVERSTEP. Google's Threat Intelligence Group links the campaign to "UNC6148," a previously uncategorized threat actor. The malware alters the appliance's boot process, maintaining persistent unauthorized access and facilitating the theft of sensitive credentials. Google expresses high confidence that the attackers are using previously stolen credentials and OTP seeds to access SonicWall Secure Mobile Access (SMA) 100 series appliances. Mandiant's analysis revealed that local administrator credentials were used to initiate an SSL-VPN session, although the origin of these credentials remains unclear. Initial access might have involved known vulnerabilities or potentially an unreported zero-day, with the attackers manually clearing logs to minimize detection. OVERSTEP's capabilities include stealing passwords, certificates, and OTPs and manipulating network access control policies for persistence. Google urges businesses using vulnerable SonicWall devices to inspect their systems for signs of compromise, citing a limited but significant impact on victim organizations.
2025-07-16 14:04:20 thehackernews NATION STATE ACTIVITY UNC6148 Exploits SonicWall Devices with OVERSTEP Rootkit
Google's Threat Intelligence Group identified threat cluster UNC6148 targeting SonicWall SMA 100 series with a backdoor called OVERSTEP. These attacks utilize stolen credentials and OTP seeds, likely exfiltrated from the devices as early as January 2025. UNC6148 possibly exploited known vulnerabilities or zero-day flaws to gain unauthorized access and establish SSL-VPN sessions, despite normal security restrictions. The attackers deployed OVERSTEP to alter the appliance's boot processes for persistent access and to conceal their activities within the system. OVERSTEP uses advanced techniques such as hijacking library functions and hooking into APIs to hide artifacts and receive commands. The rootkit's capabilities include deleting specific log entries to obscure their activities, complicating forensic analysis and detection. Google associates these attacks with potential ransomware deployment and data theft, linking UNC6148 to data posted on a notorious extortion gang's leak site. Recommendations include acquiring disk images for forensic purposes and possibly working with SonicWall for further analysis to counter the rootkit’s anti-forensic measures.
2025-07-16 12:01:04 thehackernews NATION STATE ACTIVITY Critical Flaw in Windows Server 2025 Enables Enterprise-wide Attacks
Cybersecurity researchers have identified a critical design flaw in Windows Server 2025, affecting delegated Managed Service Accounts (dMSAs) and group Managed Service Accounts (gMSAs). The vulnerability, termed "Golden dMSA," allows attackers to bypass authentication processes and generate passwords for all dMSAs and gMSAs, enabling persistent and unlimited access across Active Directory. Exploitation of this flaw is considered low complexity but requires access to the Key Distribution Service (KDS) root key, typically held by highly privileged accounts. The flaw involves a predictable password-generation structure that simplifies brute-force attacks, making it computationally easy to derive service account passwords. The presence of the KDS root key allows attackers to derive the current password for any dMSA or gMSA without contacting the domain controller, which can facilitate lateral movement and credential harvesting across domains. The attack can turn a single domain compromise into a persistent backdoor affecting every dMSA account forest-wide. Microsoft has responded to the disclosure of this vulnerability, emphasizing that the protection features were not designed to prevent domain controller compromises. Semperis has released an open-source proof-of-concept to demonstrate the power and reach of the Golden dMSA attack technique.
2025-07-16 11:33:09 thehackernews MISCELLANEOUS How to Secure AI Systems in Your Business Effectively
AI technology is being rapidly adopted in businesses, acting similarly to employees with significant system access. The integration of AI, especially through platforms like OpenAI, poses unique identity and security challenges not covered by traditional models. Enterprises must choose between developing their own AI solutions or buying from external providers, with both paths presenting significant security risks. AI agents can access and control sensitive data, creating potential backdoors for data breaches when compromised. Effective AI security requires continuous access control and real-time identity and device risk evaluations. Beyond Identity provides solutions to secure AI access by linking agent permissions to verified user identities and updating access controls based on current security posture. Businesses are encouraged to attend Beyond Identity's webinar to learn more about securing internal AI systems and to see a demo of effective access controls.
2025-07-16 11:23:01 theregister DATA BREACH Co-op Cyberattack: 6.5 Million Member Records Stolen, Education Initiative Launched
The CEO of Co-op Group confirmed that all 6.5 million members had their data stolen in a recent cyberattack attributed to the group Scattered Spider. The data breach included personal details like names and contact information; no financial data was compromised. Attackers were blocked before they could deploy ransomware, allowing Co-op IT staff to monitor and track their activities comprehensively. In response to rising cyber threats, Co-op has partnered with The Hacking Games to engage neurodiverse youth in ethical cybersecurity roles. The National Crime Agency arrested four young individuals concerning the cyberattacks on British retailers, including Co-op. All were released on bail pending further investigation. The attack has prompted discussions on the importance of cybersecurity in both the public and private sectors, emphasizing the need for robust protections against such incidents. Co-op is also emphasizing the broader impact and necessity of cybersecurity education among stakeholders including parents, educators, and industry professionals.
2025-07-16 10:21:53 theregister CYBERCRIME Air Serbia Faces Persistent Cyberattack Amidst Internal Turmoil
Air Serbia was forced to delay issuing June 2025 payslips due to an ongoing cyberattack affecting the airline's operations. The cyberattack, which began around early July 2025, led to a deep breach of the company's Active Directory, compromising business processes and internal communications. In response to the attack, Air Serbia's IT team implemented multiple security measures, including staff-wide password resets, installation of security scanning software, and internet access restrictions. IT management actions included terminating all service accounts, moving datacenters into a demilitarized zone, and deploying a new VPN client to counter identified security vulnerabilities. Despite these efforts, as of mid-July an internal source reported that the threat actors' access had not been fully eradicated, and the attackers' exact entry point remains unknown because proper security logs were lacking. Concerns were raised about the potential compromise of personal data and the lack of public disclosure about the breach. The incident likely involved malware, specifically an infostealer, and no extortion demands had been made as of the reported date.
2025-07-16 09:51:32 bleepingcomputer MALWARE Google Patches Chrome Zero-Day Exploited for Sandbox Escape
Google has issued an update for Chrome, rectifying six vulnerabilities, including an actively exploited zero-day. The critical flaw, CVE-2025-6558, allowed attackers to bypass Chrome's sandbox security through a specially crafted HTML page. Chrome's sandbox is a vital security feature that isolates browser operations from the operating system, preventing potential malware spread. The exploited zero-day vulnerability lies within the ANGLE abstraction layer, which processes GPU commands from untrusted websites. Users are urged to update their Chrome browser to version 138.0.7204.157/.158 to safeguard against the flaw. Other vulnerabilities fixed include issues within Chrome's V8 engine and WebRTC but were not actively exploited. This zero-day exposure marks the fifth similar incident tackled by Google's security team this year, highlighting ongoing security challenges.
2025-07-16 09:15:14 thehackernews MALWARE New Konfety Malware Variant Manipulates APKs for Ad Fraud
Cybersecurity researchers have identified a sophisticated new variant of the Konfety Android malware. Konfety uses an "evil twin" technique, where a malicious app mimics the package name of a legitimate app from the Google Play Store but is distributed via third-party sources. This variant is designed to evade detection by tampering with the APK structure, using malformed APKs and dynamic code loading. Features include encrypted assets, runtime code injection, and deceptive manifest declarations to thwart analysis tools and reverse engineering. The malware exploits the CaramelAds SDK to deliver ads, install unwanted apps, and generate spam-like notifications while hiding its app icon. Geofencing capabilities allow Konfety to alter its functionality based on the user's geographic location. Related findings include Ducex, a Chinese Android packer that conceals payloads and blocks debugging, and TapTrap, a novel technique that can bypass Android's permission system.