Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11812
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-06-26 18:39:25 | theregister | MISCELLANEOUS | Analyzing Business Risks of Overreliance on Microsoft Services | Miroslav Homer, a Czech developer and pen-tester, discussed strategic vulnerabilities related to heavy dependence on Microsoft and other U.S. cloud services. Homer urges reconsidering digital sovereignty and reducing reliance on American technology giants to mitigate security and operational risks. He uses incidents, such as Microsoft's alleged blocking of an email account belonging to the ICC Chief Prosecutor, to highlight potential disruptions. The article assesses the risks statistically, using Return on Security Investment, and compares them to events like CrowdStrike's outage, illustrating substantial potential financial impacts. Homer critiques the general lack of technological literacy among key decision-makers and stresses the importance of understanding the financial implications of tech dependencies. The prevalence of Android and its tie to Google accounts is cited as another example of overwhelming dependency on U.S. tech firms. Homer seeks to challenge prevailing mindsets and assumptions about technology choices in business through quantitative risk evaluation. | Details |
| 2025-06-26 18:17:44 | bleepingcomputer | CYBERCRIME | Widespread Printer Vulnerabilities Expose Default Admin Passwords | Over 740 printer models from Brother, Fujifilm, Toshiba, and Konica Minolta are susceptible to admin password exposure due to a manufacturing flaw. The vulnerability, identified as CVE-2024-51978, involves a predictable default admin password generated using a reversible algorithm based on the printer's serial number. The security flaw allows remote attackers to log into the printers as administrators by calculating the default password, leading to potential unauthorized access and control. Although firmware updates rectify many associated vulnerabilities, CVE-2024-51978 cannot be resolved in existing models because it's tied to the hardware's manufacturing process. Rapid7, a security research firm, discovered the issue and worked with JPCERT/CC to coordinate a disclosure process with affected manufacturers starting in May 2024. Users of affected models are urged to change their default admin password immediately and update their printer firmware, despite limitations in fully remediating the flaw. It is recommended that access to the printer’s admin interfaces is restricted, especially over unsecured protocols and external networks, to prevent unauthorized access. | Details |
| 2025-06-26 17:32:25 | theregister | MALWARE | Cisco Addresses Critical Root-Level Vulnerabilities in ISE Components | Cisco has released patches for two critical vulnerabilities, CVE-2025-20281 and CVE-2025-20282, in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) components. Both vulnerabilities allow unauthenticated remote attackers to execute code on affected systems with root privileges, with severity ratings initially set at a maximum of 10/10. CVE-2025-20281 affects ISE and ISE-PIC versions 3.3 and 3.4, enabling specially crafted API requests that bypass authentication. CVE-2025-20282, exclusively impacting version 3.4, involves inadequate file validation checks, allowing the uploading and execution of malicious files. There are no documented active exploits for these vulnerabilities; however, details are restricted to prevent potential misuse. Cisco advises immediate patch application; available updates include version 3.3 patch 6 or 3.4 patch 2 for CVE-2025-20281 and only version 3.4 patch 2 for CVE-2025-20282, with no alternative mitigations. Versions prior to 3.2 of ISE and ISE-PIC are not affected by these particular vulnerabilities but remain susceptible to other security risks. | Details |
| 2025-06-26 16:50:03 | thehackernews | CYBERCRIME | Critical Vulnerability in Open VSX Registry Endangers Developers | Cybersecurity experts uncovered a critical flaw in the Open VSX Registry, which could potentially allow attackers to control the Visual Studio Code extensions marketplace. The vulnerability allows for the publishing of malicious updates to extensions, impacting millions of developer machines globally. The Eclipse Foundation, which maintains the Open VSX Registry, implemented several rounds of fixes following a responsible disclosure on May 4, 2025. This registry is widely integrated into various code editors like Cursor and Google Cloud Shell Editor, heightening the risk of a supply chain attack. The flaw originated from a GitHub Actions workflow in the publish-extensions repository that uses privileged credentials, thus exposing a secret token during auto-publish tasks. Attackers exploiting this vulnerability could gain the ability to publish new or modify existing extensions, inserting malicious code and compromising developer systems. The severity of this threat has led MITRE to add a new "IDE Extensions" technique in its ATT&CK framework in April 2025, highlighting the potential for abuse in IDE extensions. | Details |
| 2025-06-26 16:26:43 | bleepingcomputer | CYBERCRIME | Former Student Arrested for Hacking University, Stealing Data | A 27-year-old ex-student was arrested by New South Wales police for hacking into Western Sydney University and stealing data. The hacking began in 2021, initially aimed at obtaining cheaper parking, but escalated to compromising the university's systems and threatening to sell student information on the dark web. The university disclosed multiple security breaches affecting thousands of students and staff, with unauthorized access incidents reported from 2023 to 2025. During the police raid at the former student's home in Kingswood, investigators seized computer equipment and mobile devices that may contain evidence. The former student, identified as Birdie Kingston, is charged with 20 offenses, including unauthorized access, data theft, and system compromise. Over the years, Kingston allegedly stole over 100GB of confidential data, altered academic results, and demanded a ransom payment in cryptocurrency. The incidents reported include unauthorized access to Microsoft Office 365 and compromise of a single sign-on system, affecting around 17,500 individuals in total. | Details |
| 2025-06-26 15:23:13 | bleepingcomputer | MALWARE | Cisco Alerts on Critical RCE Flaws in Network Security System | Cisco has disclosed two critical remote code execution vulnerabilities in its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC), with the highest severity score of 10.0. The vulnerabilities, identified as CVE-2025-20281 and CVE-2025-20282, allow unauthenticated remote attackers to execute arbitrary code and commands with root privileges. CVE-2025-20281 is caused by insufficient input validation in an exposed API, while CVE-2025-20282 results from inadequate file validation in an internal API. These vulnerabilities could lead to a complete system compromise, enabling full remote takeover of the network security platform without any user interaction. Cisco strongly advises users to apply the latest patches immediately, with no available workarounds to mitigate the risks associated with these flaws. The company also addressed a separate medium-severity authentication bypass issue impacting all versions of ISE through the 3.4 branch, recommending updates to secure systems. Cisco reported no active exploitation of these flaws yet, but the potential impact and ease of exploitation make rapid patching imperative for affected organizations. | Details |
| 2025-06-26 14:08:24 | bleepingcomputer | CYBERCRIME | Man Admits to Hacking to Sell His Cybersecurity Expertise | Nicholas Michael Kloster, a 32-year-old from Kansas City, has pleaded guilty to hacking into the networks of multiple organizations in an attempt to sell his cybersecurity services. Kloster was indicted for illegally accessing systems of three entities in 2024, which include a health club chain in Missouri, a Missouri nonprofit, and a former employer. During these breaches, Kloster accessed sensitive systems, modified user permissions, and deployed a VPN to maintain system access. He tried to leverage his unauthorized access by offering his services to fix these very vulnerabilities, effectively using the breaches as a sales pitch for his cybersecurity consulting. Besides hacking, Kloster engaged in other criminal activities like reducing his gym membership fees, stealing a staff member's name tag, and misusing credit card information from his former employer. The consequences he faces include up to five years in federal prison without parole, a fine of up to $250,000, three years of supervised release, and restitution orders. The case highlights significant legal and ethical issues concerning unauthorized cybersecurity demonstrations and the misuse of accessed data for personal gain. | Details |
| 2025-06-26 14:03:03 | bleepingcomputer | CYBERCRIME | Scattered Spider Attacks Insurance Giants; Key Tactics Revealed | Scattered Spider, a criminal collective active since 2022, recently targeted prominent U.S. insurance firms such as Aflac and Philadelphia Insurance Companies, resulting in significant data theft and operational disruptions. These incidents share techniques with Scattered Spider's prior high-profile attacks on entities like Caesars, MGM Resorts, and Transport for London, often involving the manipulation of help desk processes to facilitate unauthorized access. The group uses a range of tactics including credential phishing, SIM swapping, push bombing, and direct MFA code solicitation, illustrating a shift towards identity-based breaches. Recent patterns suggest an escalating focus on retailers, with attacks on the UK's Marks and Spencer and Co-op causing massive financial losses and operational hurdles. Push Security highlights the importance of adopting browser-based identity verification tools to mitigate such threats and enhance help desk security protocols. Despite some criminal arrests, similar attack techniques continue to be adopted by various criminal organizations, indicating a pervasive challenge across the cyber landscape. | Details |
| 2025-06-26 13:32:44 | thehackernews | MALWARE | Critical Security Flaws in Cisco ISE and ISE-PIC Patched | Cisco has patched two significant security vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), both rated with a CVSS score of 10.0. The vulnerabilities, identified as CVE-2025-20281 and CVE-2025-20282, could allow unauthorized attackers to execute commands as the root user. CVE-2025-20281 involves insufficient validation of user-supplied input via crafted API requests that could lead to elevated privileges. CVE-2025-20282 is triggered by inadequate file validation checks, allowing malicious files to be placed and executed in privileged directories. These critical flaws enable unauthenticated attackers to potentially gain root access and execute arbitrary commands on the affected systems. No workarounds are available, making it crucial for users to apply the provided updates promptly to mitigate risks. Security researchers Bobby Gould and Kentaro Kawane are credited with the discovery and reporting of these vulnerabilities. There have been no reported exploitations in the wild; however, quick remediation is advised to prevent potential security breaches. | Details |
| 2025-06-26 13:11:30 | thehackernews | CYBERCRIME | Surge in Social Engineering Attacks via Fake CAPTCHA Checks | ClickFix social engineering attacks exploiting fake CAPTCHA verifications saw a 517% increase in recent months. These attacks lead to various cybersecurity threats, including infostealers, ransomware, and remote access trojans. Victims are deceived into executing malicious scripts through error messages or fake CAPTCHA checks in Windows or macOS. The highest incidence of ClickFix attacks has been recorded in Japan, Peru, Poland, Spain, and Slovakia. Follow-on threats like FileFix are emerging, exploiting similar tactics through Windows File Explorer. FileFix tricks users into executing hidden PowerShell commands, masked behind seemingly benign file paths. Phishing campaigns leveraging SharePoint links pose additional threats due to lower detection rates by cybersecurity software. | Details |
| 2025-06-26 13:01:59 | bleepingcomputer | CYBERCRIME | Phishing Campaign Exploits Microsoft 365 Direct Send Feature | An ongoing phishing campaign is exploiting the "Direct Send" feature in Microsoft 365, designed for sending emails from devices like printers and scanners without needing authentication. Varonis’ Managed Data Detection and Response (MDDR) team discovered the campaign targeting more than 70 organizations across various industries, primarily in the United States. Attackers are using PowerShell to send deceptive emails appearing as internal communications, thereby bypassing standard email authentication checks such as SPF, DKIM, and DMARC. The phishing emails typically mimic voicemail or fax notifications with PDF attachments instructing recipients to scan a QR code, leading to a phishing site aiming to steal Microsoft credentials. Despite the emails failing authentication checks, they are treated as trusted because they are routed through the organization's internal smart host. Microsoft has introduced a "Reject Direct Send" setting to help mitigate such attacks, and Varonis recommends implementing strict email authentication policies and training for employees. Phishing tactics in the campaign include branded PDFs and QR codes instead of direct links, making detection and prevention more challenging. | Details |
| 2025-06-26 12:05:20 | theregister | CYBERCRIME | Glasgow City Council Disrupted by Cyberattack Amid Data Theft Concerns | Glasgow City Council's digital services were crippled following a cyberattack on June 19, 2025, involving a supply chain issue affecting a third-party contractor's supplier. Although data theft has not been confirmed, the council is operating cautiously under the assumption that data may have been stolen. The attack disrupted numerous digital services including online forms, calendars, and various resident portals for planning, parking, pensions, and registrar appointments. No financial systems were compromised, and banking data is considered secure; however, access to many services remains restricted to prevent further issues. An investigation is underway, conducted in coordination with Police Scotland, the Scottish Cyber Coordination Centre (SC3), and the National Cyber Security Centre. The council has notified the UK's data protection watchdog due to the potential breach involving customer data from web forms. Residents have been advised to be vigilant against phishing attacks and to report any suspicious activities, especially involving requests for sensitive personal information. This incident adds to a series of public sector cyber disruptions across the UK, with similar recent attacks affecting West Lothian Council and Oxford City Council. | Details |
| 2025-06-26 11:05:07 | theregister | CYBERCRIME | Ransomware Attack on NHS Supplier Linked to Patient Death | The NHS confirmed a patient died due to delays caused by a ransomware attack on Synnovis, a pathology services provider. The cyberattack resulted in significant disruption, affecting multiple NHS trusts and leading to thousands of canceled appointments. An investigation identified long waiting times for critical blood test results as a contributing factor in the patient's death. Overall, 170 patients experienced varying degrees of harm as a result of the cyberattack, with most classified as "low harm." Synnovis's CEO expressed condolences, acknowledging the cyberattack as a contributing factor in the fatal incident. Previous cases and research suggest potential fatal outcomes linked to ransomware disruptions in healthcare, with contentions around the exact impact. The Qilin cybercrime group, known for targeting healthcare facilities, claimed responsibility for this and other similar attacks globally. The incident has highlighted ongoing vulnerabilities in healthcare cybersecurity, prompting calls for enhanced protection measures. | Details |
| 2025-06-26 11:05:07 | thehackernews | MISCELLANEOUS | The Increasing Challenges of SaaS Data Resilience and Protection | SaaS platforms, while advantageous for business operations and collaboration, lack comprehensive data protection, leaning heavily on a shared responsibility model. Traditional data protection strategies in SaaS environments are often outdated or overly simplistic, failing to ensure resilience against inadvertent data deletions and misconfigurations caused by human error. Compliance and regulatory challenges are escalating with stringent frameworks like GDPR and HIPAA, pressing the need for robust data management tools beyond native SaaS capabilities. Data loss incidents extend impacts beyond IT, affecting customer service, revenue generation, and stakeholder trust, with recovery often cumbersome and slow. Internal threat landscapes are broadening, as dispersed team environments and complex access permissions increase data vulnerability within enterprises. Cyberthreats continue to evolve, exploiting SaaS vulnerabilities and leading to substantial downtime and financial losses for affected organizations. Speed and efficiency in recovery from data disruptions, such as ransomware or natural disasters, define the success of a business during crises. Establishing modern data resilience requires a proactive mindset and adoption of platforms designed for robust data security and management, like Veeam Data Cloud. | Details |
| 2025-06-26 09:19:29 | theregister | MISCELLANEOUS | UK Buys 12 New F-35A Jets Incompatible with RAF Tankers | The UK is purchasing 12 F-35A fighter jets, which are capable of carrying nuclear weapons, to strengthen NATO's deterrent capabilities. These aircraft are not compatible with the RAF's current refueling tankers, necessitating reliance on allied tanker support for operations. Unlike the F-35B models, which can operate from aircraft carriers, the F-35A variants require conventional runways for take-off and landing. The F-35A's longer range and additional fuel capacity compared to the F-35B model enhance its suitability for extended training and operational missions. The UK's Ministry of Defence has faced criticism and unanswered questions regarding procurement details and the strategic rationale behind choosing F-35A over additional F-35Bs. Current plans indicate that these jets will primarily serve in training roles, with their capacity to carry nuclear arms serving as a secondary function. Critics argue that the F-35A purchase may be a temporary solution pending the development of the next-generation Tempest fighter, which promises greater range and payload capacity. | Details |