Daily Brief
Articles are listed below, each with a generated summary
Total articles found: 11813
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-06-25 17:38:09 | theregister | CYBERCRIME | Surge in Supply Chain Attacks Exposes Critical Cybersecurity Gaps | 88% of surveyed security leaders express concern over supply chain risks, but less than half adequately monitor their external suppliers’ security.<br>Roughly 79% of organizations oversee less than half of their nth-party supply chain through cybersecurity programs, leading to significant blind spots.<br>36% of businesses have only 1-10% of their supply chain protected, despite experiencing a material impact from incidents within the past year.<br>Third-party breaches doubled globally last year, representing 30% of total attacks, according to Verizon’s 2024 data breach report.<br>Only 56% of organizations perform risk assessments on all supply chain members, and they often struggle to get reliable responses because of self-reporting inaccuracies.<br>A common tactic to mitigate supply chain threats is acquiring cyber insurance, with 63% of organizations covered for such events.<br>Companies are advised to evolve from traditional third-party risk management to a more resilient approach, focusing on real-time risk identification and response.<br>The report encourages organizations to invest in comprehensive supply chain cybersecurity strategies to combat growing external threats. |
| 2025-06-25 17:38:08 | bleepingcomputer | DDOS | Critical Vulnerability in Citrix NetScaler Leads to DoS Attacks | Citrix has issued a warning about a critical vulnerability, CVE-2025-6543, in NetScaler appliances that is currently being exploited.<br>The vulnerability affects NetScaler ADC and NetScaler Gateway versions and can cause denial of service (DoS) when exploited.<br>Attackers are exploiting this flaw through unauthenticated, remote requests that force the appliance offline.<br>The NetScaler configurations vulnerable to this attack are those set up as Gateway or AAA virtual servers.<br>Citrix has released patches for affected versions to mitigate the vulnerability.<br>Another related vulnerability, CVE-2025-5777 or CitrixBleed 2, has also been identified, allowing attackers to hijack user sessions.<br>Citrix advises administrators to update their systems immediately and monitor for any signs of compromise. |
| 2025-06-25 16:58:37 | thehackernews | CYBERCRIME | Persistent Security Flaw in Microsoft SaaS Apps Risks Data Breach | A security flaw in Microsoft’s Entra ID continues to pose a risk, affecting 9% of tested SaaS applications.<br>Semperis discovered that the flaw allows attackers to manipulate the "mail" attribute in Entra ID accounts to take over a victim’s account.<br>The vulnerability, known as nOAuth, was initially reported in June 2023 but still impacts multiple applications despite the disclosure.<br>Attackers can exploit this flaw with minimal effort and without leaving significant traces, complicating detection for users and administrators.<br>Microsoft reissued its guidelines for application developers in response to Semperis' report to mitigate the risks associated with nOAuth.<br>Properly implementing authentication and using immutable user identifiers are crucial for developers to shield applications from such vulnerabilities.<br>The flaw not only allows data access within the SaaS application but also potentially enables attackers to access other Microsoft 365 resources. |
| 2025-06-25 16:58:37 | bleepingcomputer | MALWARE | WinRAR Updates to Thwart Malware Execution from Archives | WinRAR has fixed a critical directory traversal bug identified as CVE-2025-6218, which posed a high-severity threat with a CVSS score of 7.8.<br>The vulnerability could allow the execution of malware when users extracted malicious archives using affected versions of WinRAR (version 7.11 and older) on Windows.<br>The patch for this vulnerability has been included in WinRAR version 7.12 beta 1, released recently.<br>The flaw allows for unintended extraction paths, causing malicious files to be dropped in sensitive system locations, potentially leading to unauthorized data access and remote control.<br>These extracted malicious files could automatically execute upon startup, leveraging user-level access to steal sensitive information, install backdoors, or facilitate further attacks.<br>Despite needing user interaction, the prevalent usage of outdated software versions heightens the risk of exploitation.<br>This update also addresses other vulnerabilities including an HTML injection issue and minor concerns related to recovery volume testing and timestamp accuracy in Unix records.<br>All WinRAR users, regardless of their operating system, are advised to update immediately to mitigate risks, though no exploits of CVE-2025-6218 have been reported to date. |
| 2025-06-25 16:10:44 | bleepingcomputer | CYBERCRIME | New CitrixBleed 2 Vulnerability Exposes Authentication Sessions | Citrix warns of a new vulnerability, "CitrixBleed 2," impacting NetScaler ADC and Gateway, potentially allowing unauthorized session hijacking.<br>The flaw, designated CVE-2025-5777, involves out-of-bounds memory access, enabling attackers to access session tokens and sensitive data.<br>A related high-severity issue, CVE-2025-5349, affects the NetScaler Management Interface and could allow improper access control if exploited.<br>Citrix advises users to upgrade to specified software versions and review active sessions for any irregularities before terminating them as a precaution.<br>Devices still operating on unsupported software versions pose a significant security risk and require urgent upgrading.<br>Over 56,500 NetScaler endpoints are exposed online, although the exact number vulnerable to these flaws remains unclear.<br>Citrix has not confirmed active exploitation of these flaws but recommends immediate action to mitigate potential risks. |
| 2025-06-25 15:36:42 | theregister | CYBERCRIME | French Police Arrest Five Linked to BreachForums Cybercrimes | The French cybercrime brigade (BL2C) arrested five suspected administrators of BreachForums, a notorious cybercrime discussion board.<br>Initial arrests included an individual believed to be "IntelBroker" in February, with four more apprehended this week.<br>The individuals are accused of involvement in various high-profile cyberattacks, including on companies like Snowflake and Ticketmaster.<br>The suspects, all in their twenties, are linked to online ads for stolen data and the recruitment of criminal gangs.<br>High-profile cybercriminals like Sebastien Raoult and Conor Brian Fitzpatrick were previously associated with BreachForums and have faced legal action in the US.<br>BreachForums was shut down by the FBI in May 2024 but briefly resurfaced under a new domain before experiencing significant outages.<br>Copycat sites have emerged since the takedown, using BreachForums' trusted PGP key, but their legitimacy remains questionable. |
| 2025-06-25 14:57:05 | thehackernews | CYBERCRIME | Citrix Issues Urgent Fixes for Exploited NetScaler ADC Vulnerability | Citrix has published emergency patches for a critical vulnerability in NetScaler ADC, identified as CVE-2025-6543, which has been exploited in the wild.<br>The flaw, rated 9.2 on the CVSS scale, involves a memory overflow that could disrupt service and alter control flow.<br>Successful exploitation of the vulnerability requires specific configurations as a Gateway or AAA virtual server.<br>Affected versions include both on-prem and hybrid deployments of Secure Private Access using NetScaler.<br>Users are urged to update their NetScaler instances to the patches provided by Citrix to mitigate risk.<br>This security issue follows closely another severe vulnerability patched recently in the same product series, highlighting ongoing security challenges.<br>Citrix has not provided specifics on how the vulnerability has been exploited but confirmed observations of active exploits on unprotected systems. |
| 2025-06-25 14:32:20 | bleepingcomputer | CYBERCRIME | French Police Arrest Five Operators of BreachForums Cybercrime Network | French authorities have arrested five individuals linked to the operation of BreachForums, a platform used for trading and selling stolen data.<br>The arrests, conducted by the BL2C unit of the Paris police, targeted known hackers in various regions including Paris, Normandy, and Réunion.<br>Those detained include high-profile hackers known by aliases such as "ShinyHunters," "Hollow," "Noct," "Depressed," and "IntelBroker."<br>The forum, known to facilitate illegal activities like data leaks and the selling of network access, had been relaunched as BreachForums v2 after its original shutdown in 2023.<br>Key figures such as "ShinyHunters" and "IntelBroker" were reportedly managing the forum, playing significant roles in its operations and multiple high-profile data breaches globally.<br>Notably, these cybercriminals were implicated in several breaches against French entities and were responsible for leaking sensitive information of millions, affecting organizations such as France Travail and the French Football Federation.<br>BreachForums v2 went offline in April 2025 following a security breach exploiting a zero-day vulnerability in the MyBB platform, with no signs of revival. |
| 2025-06-25 13:41:06 | thehackernews | DATA BREACH | Critical Flaws in SAP GUI and Citrix Expose Sensitive Data | Researchers have identified vulnerabilities in SAP GUI for Windows and Java that could allow unauthorized access to sensitive user data.<br>Identified flaws in SAP GUI (CVE-2025-0055 and CVE-2025-0056) involve insecure storage of user input history, potentially exposing usernames, SSNs, and more.<br>SAP GUI for Windows uses a weak XOR-based encryption for storing data, while the Java version stores data unencrypted.<br>Citrix also patched a critical vulnerability (CVE-2025-5777) in NetScaler appliances that could allow attackers to steal valid session tokens.<br>The Citrix vulnerability, if exploited, enables bypassing of authentication protections and has been compared in severity to a previous significant breach in 2023.<br>Both SAP and Citrix have released patches for these vulnerabilities, and mitigation steps include disabling input history and upgrading outdated software versions.<br>There is currently no evidence of active exploitation of the Citrix flaw, but experts suggest that its potential impacts could be severe. |
| 2025-06-25 11:03:38 | thehackernews | DATA BREACH | Pro-Iranian Group Leaks Data at 2024 Saudi Games, Exacerbating Tensions | The pro-Iranian hacktivist group Cyber Fattah leaked thousands of records from the 2024 Saudi Games.<br>The leak includes IT staff credentials, government emails, personal information of athletes and visitors, and sensitive documents.<br>The data is believed to have been extracted from the Saudi Games 2024 official website and was published on a notorious cybercrime forum.<br>Cybersecurity firm Resecurity links this leak to Iran's broader cyber propaganda against the US, Israel, and Saudi Arabia.<br>Tensions in the Middle East are escalating, with numerous hacktivist groups engaged in ideological cyber warfare.<br>The incident adds to a series of cyber-attacks including a DDoS attack by 313 Team and data leaks by Predatory Sparrow against Iranian targets.<br>Experts highlight this incident as part of a growing trend of hacktivism where cyberattacks serve as extensions of geopolitical disputes.<br>Such cyber activities demonstrate the increasing integration of digital operations in political and military strategies. |
| 2025-06-25 10:33:40 | thehackernews | MISCELLANEOUS | Hidden Risks in Entra ID with Guest User Privileges | Guest users can exploit Microsoft Entra's subscription handling to create and transfer subscriptions, retain ownership, and escalate privileges.<br>The risk lies in the fact that guest users can leverage billing permissions scoped at their home tenant's billing account to initiate control in a target tenant.<br>Normal security models that focus on Entra Directory or Azure RBAC roles do not typically cover billing roles, leaving a blind spot in security protocols.<br>Attackers can exploit this oversight by using compromised or federated guest accounts to gain unauthorized access and maintain persistence within a tenant.<br>Most organizations are unaware of the elevated access threat posed by seemingly low-risk federated guest accounts.<br>Microsoft provides Subscription Policies as a mitigation tactic, allowing organizations to block transfers by unauthorized users, enhancing control over guest permissions.<br>BeyondTrust suggests regular reviews of guest access policies and subscription governance to prevent such exploits and offers tools for detecting unusual subscription activities by guest accounts.<br>Simon Maxwell-Stewart highlights the importance of re-evaluating the security implications of identity misconfigurations and weak default settings in modern enterprise environments. |
| 2025-06-25 09:33:35 | theregister | MISCELLANEOUS | UK Government Site Hacked to Promote Payday Loans | A website originally created for the UK Home Office's anti-encryption campaign was repurposed to advertise payday loans.<br>The website cost over £500,000 and was part of the controversial "No Place to Hide" campaign, which targeted encrypted messaging services such as Facebook Messenger.<br>Technically, the site still promoted government messages against encryption but included a section offering loans from Wage Day Advance, a firm flagged for potential scam activities.<br>The altered content was first detected by tech policy expert Heather Burns and reported by the publication The Register.<br>Wage Day Loans claimed no knowledge of the change and stated that their SEO services had been outsourced.<br>Despite the removal of the payday loan content shortly after discovery, it reappeared later before finally being taken down again.<br>This incident highlights a broader issue of trusted domains being hijacked for SEO purposes, as seen in other cases with entities like Nvidia and Stanford University. |
| 2025-06-25 08:48:41 | thehackernews | MALWARE | SonicWall Trojan and ConnectWise Exploits Enable Stealthy Credential Theft | Unknown attackers distributed a trojanized SonicWall SSL VPN NetExtender application, designed to pilfer credentials from users by appearing legitimate.<br>The infected application, dubbed SilentRoute by Microsoft, was distributed through fake websites and mimicked the appearance of SonicWall's original software.<br>The malicious code in the NetExtender application enabled data theft by bypassing digital certificate validations and exfiltrating VPN configuration details to a hacker-controlled server.<br>Alongside this, a spike in attacks leveraging ConnectWise using authenticode stuffing to insert malware was observed, primarily facilitated through phishing, malvertising, and fake AI tool advertisements on social media platforms.<br>The ConnectWise exploits involve modifying the settings within the software's digital signature to create malicious configurations, allowing consistent remote access while presenting fake update screens to prevent system shutdowns.<br>Both schemes underline the sophisticated techniques used by hackers to exploit digital signatures and trusted software processes to conduct their operations undetected. |
| 2025-06-25 08:14:52 | thehackernews | NATION STATE ACTIVITY | North Korea's Contagious Interview Campaign Targets Developers | Cybersecurity researchers have identified 35 malicious npm packages as part of the North Korea-linked Contagious Interview operation.<br>The npm packages were found embedded in projects shared via LinkedIn job offers, exploiting developers' trust during the hiring process.<br>Each package contains a hex-encoded loader, HexEval, that collects host information and delivers a JavaScript stealer tool called BeaverTail, which can download a Python backdoor named InvisibleFerret.<br>The campaign’s tools enable remote control and data theft, specifically targeting cryptocurrency-related information.<br>The malware avoids detection using complex, multi-layered techniques that bypass traditional security scans and manual reviews.<br>Keylogger functionalities are included in one npm alias, enhancing threat actors’ surveillance capabilities.<br>Recent versions of the campaign also use social engineering tactics, like fake interviews, to distribute malware.<br>The ongoing nature and evolution of this campaign show North Korean threat actors refining their methods for sophisticated infiltrations into developer environments and systems. |
| 2025-06-25 05:13:07 | thehackernews | MISCELLANEOUS | Microsoft Extends Windows 10 Security Updates for Extra Year | Microsoft has announced an extension of the Windows 10 Extended Security Updates (ESU) program for an additional year until October 2026.<br>The extension will provide critical security updates for users who choose to pay a fee or synchronize their PC settings with the cloud.<br>This decision comes as the originally scheduled end of support for Windows 10 on October 14, 2025, approaches.<br>Users can enroll in the ESU program through a new enrollment wizard in the Windows 10 Settings app, with options available for personalization.<br>The ESU program is considered a temporary solution for users needing to operate on the legacy platform while transitioning to newer supported versions.<br>ESUs are focused solely on security updates and will not include new features, non-security updates, or any design changes.<br>Enrolled devices under this program will continue receiving updates through the extended period without requiring additional upgrades or changes. |