Daily Brief

Articles are listed below, each with a generated summary.

Total articles found: 11813

Checks for new stories every ~15 minutes

2025-06-13 18:22:01 theregister NATION STATE ACTIVITY China-Linked VPNs Still Available on Apple and Google Stores
A Tech Transparency Project report finds numerous VPN apps in the Apple App Store and Google Play with Chinese ownership that is not disclosed to users. Chinese law requires domestic companies to assist national intelligence work, which raises privacy concerns for anyone routing traffic through these apps. Apple's App Store guidelines state that VPN apps must not misuse user data, but enforcement against Chinese-owned apps appears weak. Out of 20 popular free VPNs analyzed, several are linked to Qihoo 360, a firm on the US Entity List over alleged ties to China's PLA. Despite these concerns, apps such as Turbo VPN and VPN Proxy Master remain available in the US stores. Google's policies have no VPN-specific clauses and rely on general data-transparency requirements. Neither company responded to inquiries about the security and ownership of these VPN developers.
2025-06-13 16:16:41 bleepingcomputer MALWARE Hackers Reuse Expired Discord Invites for Malware Delivery
Hackers are abusing a weakness in Discord's invite system to redirect users to malware-delivery sites by re-registering expired or deleted invite links. When a server loses the Level 3 boost status that granted it a custom (vanity) invite code, or when a temporary invite expires or a permanent one is deleted, the code can be claimed again by a different server. Criminals register the freed codes for lookalike servers, so old links still posted on forums and social media now land on attacker-controlled servers, where a crafted "verification" process tricks visitors into installing malware. The campaign has affected over 1,300 users across the US, UK, France, the Netherlands, and Germany. The infection proceeds in several stages, using PowerShell, obfuscated C++ loaders, and VBScript files, and ends with remote access trojans and information-stealing malware. Persistence is maintained by a scheduled task that reruns the malware every five minutes. Users are advised to distrust old invite links and any "verification" step that asks them to run commands, and server admins should prefer permanent invites over temporary ones.
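The persistence mechanism in the Discord story (a scheduled task that reruns the payload every five minutes) is cheap to hunt for on a Windows host. The following is an added example, not code from the article or from the researchers it cites: it parses the CSV output of `schtasks /query /v /fo CSV` and flags tasks that repeat at five-minute intervals or faster, scoring them higher when the command line invokes a script host or points into a user-writable directory. The sample CSV is constructed, and the column names ("Task To Run", "Repeat: Every", "Run As User") are assumed from that command's verbose format; adjust them if your build of Windows labels them differently.

```python
import csv
import io
import re

# Constructed sample in the shape of `schtasks /query /v /fo CSV` output.
# Column names are an assumption taken from that command's verbose format;
# only the columns this script reads are included.
SAMPLE_SCHTASKS_CSV = r'''"TaskName","Task To Run","Schedule Type","Repeat: Every","Run As User"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -k -g -$","Weekly","Disabled","SYSTEM"
"\OneDrive Update Task","powershell.exe -w hidden -ep bypass -f C:\Users\Public\Libraries\update.ps1","One Time Only","0:05:00","alice"
"\GoogleUpdateTaskMachineUA","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler","Daily","1:00:00","SYSTEM"
'''

# Script hosts and loaders commonly used by multi-stage droppers (heuristic, not exhaustive).
SCRIPT_HOSTS = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32)(\.exe)?\b", re.I)
# Directories a non-admin user can write to; legitimate system tasks rarely run from these.
USER_WRITABLE = re.compile(r"\\(Users\\Public|AppData|Temp|ProgramData)\\", re.I)


def parse_repeat_interval(value: str):
    """Convert schtasks' 'H:MM:SS' repeat interval to seconds; None if the task does not repeat."""
    m = re.fullmatch(r"\s*(\d+):(\d{2}):(\d{2})\s*", value or "")
    if not m:
        return None
    hours, minutes, seconds = (int(x) for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def find_rapid_repeat_tasks(csv_text: str, max_seconds: int = 300) -> list[dict]:
    """Return tasks repeating every max_seconds or faster, with the reasons they look suspicious."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        secs = parse_repeat_interval(row.get("Repeat: Every", ""))
        if secs is None or secs > max_seconds:
            continue
        cmd = row.get("Task To Run", "")
        reasons = [f"repeats every {secs}s"]
        if SCRIPT_HOSTS.search(cmd):
            reasons.append("script host in command line")
        if USER_WRITABLE.search(cmd):
            reasons.append("payload in user-writable path")
        hits.append({
            "task": row["TaskName"],
            "user": row.get("Run As User"),
            "command": cmd,
            "reasons": reasons,
        })
    return hits


if __name__ == "__main__":
    for hit in find_rapid_repeat_tasks(SAMPLE_SCHTASKS_CSV):
        print(hit["task"], "->", "; ".join(hit["reasons"]))
```

On a live host, feed it the real output (`schtasks /query /v /fo CSV > tasks.csv`) and review every hit by hand; a short repeat interval alone is not proof of compromise, but combined with a hidden PowerShell window, an execution-policy bypass and a script under `C:\Users\Public` it is exactly the pattern described above.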
2025-06-13 15:32:14 theregister NATION STATE ACTIVITY Apple Addresses Zero-Click Exploit in Spyware Scandal
Apple updated iOS and iPadOS to fix a zero-click exploit used by Paragon's Graphite spyware to target journalists. Two journalists who received Apple threat notifications in April were confirmed by The Citizen Lab to have been infected. The vulnerability, CVE-2025-43200, allowed spyware to be delivered via maliciously crafted photos or videos shared through an iCloud Link, with no user interaction. The Citizen Lab attributed both infections to the same Graphite operator, indicating targeted surveillance of specific individuals and organizations. Separately, WhatsApp had notified approximately 90 journalists and activists of attempted spyware attacks. The Italian government ended its contracts with Paragon after a report linked the spyware to infections of high-profile individuals, including journalists and human rights activists. Security researchers note that Graphite operates covertly and leaves few traces, which defeats traditional mobile security measures. Apple recommends that users update their devices and enable Lockdown Mode to protect against such exploits.
2025-06-13 14:15:36 thehackernews MALWARE Over 269,000 Websites Hit by JSFireTruck JavaScript Malware
Researchers have documented a campaign in which over 269,000 web pages were injected with JSFireTruck, a malicious JavaScript payload, within one month. JSFireTruck is written in JSFuck, an esoteric style that expresses any JavaScript using only the six characters []()!+, which makes the code hard to read and analyze. The injected script checks the visitor's referrer URL; if the visitor arrived from a major search engine, it redirects them to attacker-controlled sites that serve further malware or scams. The analysis recorded a spike on April 12, when around 50,000 pages were compromised in a single day, showing the scale and speed of the operation. In a separate report covered alongside it, a traffic distribution service (TDS) named HelloTDS was described that routes users to deceptive sites based on their geographic location, IP address, and device fingerprint. HelloTDS uses a multi-stage, dynamic approach with domains spread across many top-level domains to host and rotate its redirection logic, evading detection and targeting victims selectively. Together the reports illustrate how redirect campaigns persist and evolve, and why stealthy client-side injections remain a substantial threat.
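Because JSFuck output is built from only six characters, an injected JSFireTruck script is easy to spot statistically even though it is hard to read. The following added example (not code from Unit 42 or the article) scans a page for inline `<script>` bodies whose non-whitespace characters are almost entirely `[]()!+`, and models the referrer gate the summary describes. The sample HTML is constructed from real JSFuck atoms (`(![]+[])[+[]]` evaluates to "f", `(![]+[])[+!+[]]` to "a", `([][[]]+[])[+[]]` to "u"); the search-engine list, length cut-off and ratio threshold are assumptions to tune against your own samples.

```python
import re
from urllib.parse import urlparse

# JSFuck alphabet: an inline script made almost entirely of these six characters
# is the signature of JSFuck-style obfuscation such as JSFireTruck.
JSFUCK_CHARS = frozenset("[]()!+")

# Search engines the injected script is reported to gate on. Assumed list for
# this example; extend it from your own samples.
SEARCH_ENGINE_LABELS = frozenset({"google", "bing", "duckduckgo", "yahoo", "aol", "yandex"})

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def jsfuck_ratio(code: str) -> float:
    """Fraction of non-whitespace characters drawn from the JSFuck alphabet."""
    body = "".join(code.split())
    if not body:
        return 0.0
    return sum(ch in JSFUCK_CHARS for ch in body) / len(body)


def find_jsfuck_scripts(html: str, min_len: int = 64, threshold: float = 0.9) -> list[dict]:
    """Return inline <script> bodies that look JSFuck-obfuscated.

    min_len drops short legitimate snippets; threshold is the minimum JSFuck
    character ratio. Both are tuning knobs chosen for this example.
    """
    hits = []
    for m in SCRIPT_RE.finditer(html):
        code = m.group(1)
        body_len = len("".join(code.split()))
        ratio = jsfuck_ratio(code)
        if body_len >= min_len and ratio >= threshold:
            hits.append({"offset": m.start(), "length": body_len, "ratio": round(ratio, 3)})
    return hits


def referrer_is_search_engine(referrer: str) -> bool:
    """Model of the gate the injected script applies: only visitors whose
    Referer hostname contains a search-engine label get redirected."""
    host = (urlparse(referrer).hostname or "").lower()
    return any(label in SEARCH_ENGINE_LABELS for label in host.split("."))


# Constructed sample page: one JSFuck-style blob plus one ordinary script.
JSFUCK_BLOB = "+".join(["(![]+[])[+[]]", "(![]+[])[+!+[]]", "([][[]]+[])[+[]]"] * 4)
SAMPLE_HTML = (
    "<html><body><p>hello</p>"
    f"<script>{JSFUCK_BLOB}</script>"
    '<script>document.getElementById("x").textContent = "hi";</script>'
    "</body></html>"
)

if __name__ == "__main__":
    for hit in find_jsfuck_scripts(SAMPLE_HTML):
        print(f"suspicious inline script at offset {hit['offset']}: "
              f"{hit['length']} chars, JSFuck ratio {hit['ratio']}")
    print("redirect from google:", referrer_is_search_engine("https://www.google.com/search?q=x"))
    print("redirect from direct visit:", referrer_is_search_engine(""))
```

Run it over crawled copies of your own sites (or a web-server response log) to find injected pages; the referrer model also explains why a site owner loading the page directly sees nothing while visitors from search results are redirected, so crawl with a search-engine Referer header when reproducing the behaviour.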
2025-06-13 13:43:21 theregister MISCELLANEOUS Unreasonable Job Expectations Stifle Cybersecurity Recruitment
ISC2 highlights unrealistic job expectations in cybersecurity job descriptions for junior roles, impacting hiring success. Entry-level ads often demand advanced certifications and years of experience beyond the realm of possibility for newcomers. Over a third of hiring managers expect early-stage professionals to hold senior certifications like CISSP, which is unrealistic. The necessity for on-the-job training and development support is emphasized to bridge the skills gap in cybersecurity. Technical skills are highly valued in India, while other regions prioritize interpersonal skills alongside technical know-how. Diversity in educational background can be beneficial, as hiring from non-STEM fields brings new perspectives to cybersecurity. Current strategic shifts include sourcing candidates from internships, apprenticeships, and varied educational pathways. The cybersecurity job market is moving towards specialization, with a decreasing demand for generalists and an oversaturated market post-recent layoffs.
2025-06-13 12:00:07 bleepingcomputer CYBERCRIME Victoria's Secret Recovers from Cyberattack with Full System Restoration
Victoria's Secret successfully restored all critical systems after a cyberattack on May 24, impacting corporate and e-commerce operations. The fashion retailer has resumed full functionality and is collaborating with external security experts to assess the attack's ramifications. Despite the significant breach, Victoria's Secret anticipates no substantial impact on its fiscal results for 2025, though it may face ongoing attack-related expenses. The cyberattack forced the company to delay the release of its Q1 financial results as essential systems were temporarily inaccessible. The breach is part of a broader wave of cyberattacks targeting major fashion and retail brands globally, indicating a potentially coordinated threat. No groups have yet claimed responsibility for the cyberattack on Victoria's Secret, and the company has withheld specific details about the breach's nature.
2025-06-13 11:06:54 thehackernews CYBERCRIME Ransomware Exploits in Utility Software and Advanced Attack Techniques
Ransomware groups are exploiting unpatched SimpleHelp Remote Monitoring and Management (RMM) instances to carry out double-extortion attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported that SimpleHelp RMM was exploited in attacks on customers of an unnamed utility billing software provider. Sophos reported that threat actors used a Managed Service Provider's SimpleHelp deployment to reach multiple downstream customers. CISA's recommendations include updating the software and not paying ransoms, since payment funds further criminal activity. Separately, a Fog ransomware attack on a financial institution in Asia combined legitimate employee-monitoring software with open-source penetration-testing tools. Trend Micro has counted a significant number of Fog victims across multiple sectors. LockBit remains active; a recent leak of its affiliate panel data showed China as a primary target alongside organizations worldwide. LockBit says it plans a new iteration of its ransomware, is offering a reward for information on the source of the leak, and is working to resume operations.
2025-06-13 10:35:57 thehackernews MISCELLANEOUS Transition from Standard SOC to CTEM for Effective Risk Management
Traditional Security Operations Centers (SOCs) are challenged by outdated models and overwhelming alert volumes, leading to inefficiency in threat management. Continuous Threat Exposure Management (CTEM) offers an evolved approach, focusing on managing risks rather than reacting to alerts, thereby transforming security strategies. CTEM employs a framework that prioritizes real-world impact assessments over theoretical threat models, enhancing the relevance and efficiency of security responses. The conventional alert-centric approach in SOCs leads to a misallocation of resources, as many alerts do not correlate with actual threats or business impact. CTEM is designed to identify and mitigate exposures before they are exploited, integrating business context into security operations to streamline efforts and prioritize actions. This new model doesn't necessarily reduce the number of security tools used but changes their application to focus on strategic, data-driven risk reduction connected to business impacts. With CTEM, security operations transition from passive monitoring to active, precision-driven risk management, aligning closely with business outcomes and objectives. The evolution towards CTEM indicates a significant shift in security paradigms, focusing on preemptive measures and effective control validations, signaling a fundamental change in the role and function of SOCs.
2025-06-13 10:13:49 bleepingcomputer MISCELLANEOUS Cloudflare Service Outage Unrelated to Security Breach
Cloudflare confirmed that its recent widespread outage was not a security incident and that no data was compromised. The outage was caused by a failure in the underlying storage used by its Workers KV service, which was backed by a third-party cloud provider. The disruption lasted roughly 2.5 hours and affected multiple Cloudflare services, including its edge compute and AI platforms. The failure coincided with a Google Cloud Platform outage that disrupted other major services at the same time. Cloudflare plans to improve resilience by reducing its reliance on third-party providers for backend storage. It will move Workers KV's central store to its own R2 object storage and add cross-service safeguards to contain future failures. It is also developing tooling to restore services in a controlled order after similar disruptions, to avoid secondary problems caused by traffic surges during recovery.
2025-06-13 08:34:41 theregister DATA BREACH FCA Staff Warned for Mishandling Sensitive Data via Personal Emails
Four Financial Conduct Authority (FCA) employees received warnings for sending regulator data to personal email accounts. Three were given a first written warning, while one was placed on a final warning for repeated misconduct. The incidents occurred during the 2022/23 financial year; the FCA did not disclose what data was involved. The FCA, which oversees the UK's financial services sector, says it takes breaches of its email security policies seriously and has disciplinary measures in place for such violations. The regulator previously fined Equifax £11 million for a data breach, reflecting its strict stance on data security within the sector it supervises. In 2020 the FCA itself accidentally leaked personal information of complainants in a Freedom of Information Act response. Security experts highlighted the broader risk of using personal email for corporate matters and stressed the importance of robust data protection policies. No further incidents requiring disciplinary action were reported for the 2023/24 or 2024/25 financial years.
2025-06-13 07:12:50 thehackernews NATION STATE ACTIVITY Apple Messages Flaw Used to Target Journalists with Spyware
Apple recently patched a zero-click flaw in the Messages app that was exploited to deploy Paragon's Graphite spyware against journalists. The flaw, CVE-2025-43200, let attackers trigger the vulnerability by sending a malicious iCloud Link, with no user interaction. The exploit targeted Italian journalist Ciro Pellegrino and another prominent European journalist, infecting their devices to access sensitive data covertly. Apple shipped fixes in February 2025 across its operating systems, resolving this vulnerability alongside another zero-day flaw. The case underlines the lack of accountability around commercial spyware and the ongoing risk to journalists and civil society. Apple has issued threat notifications to users suspected of being targeted by state-sponsored attackers since November 2021. The Italian government and Paragon ended their contract amid allegations of illegal use, after Italy's parliamentary intelligence committee acknowledged that Graphite had been used with legal approval for national security purposes. The disclosures are likely to increase calls for stricter regulation of commercial spyware nationally and within the EU.
2025-06-12 23:59:31 theregister RANSOMWARE Ransomware Disrupts Utility Services by Exploiting Unpatched Software
Ransomware attackers are hitting utilities by exploiting a vulnerability in the SimpleHelp remote management tool. The flaw, CVE-2024-57727, is a path traversal bug in SimpleHelp versions 5.5.7 and earlier that lets an unauthenticated attacker read arbitrary files from the server, including configuration files holding credentials, which attackers then use to gain remote access. Although a patch was released in January, many users have not updated, leaving servers exposed. The incidents involved service disruptions and double extortion, with attackers stealing sensitive data before encrypting files. CISA issued an alert on the ongoing risk and urged organizations to patch affected systems immediately. The Play ransomware group has used this vulnerability against critical infrastructure, and DragonForce ransomware has exploited the same flaw against managed service providers and their clients. The series of attacks underlines the importance of timely software updates in preventing ransomware incidents.
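Both SimpleHelp items above (the CISA advisory and the utility attacks) come down to the same question: which SimpleHelp servers in your estate are still on a version that predates the CVE-2024-57727 fix? The catch is that SimpleHelp fixed three release branches at once, so a naive "is it older than 5.5.8" comparison misclassifies patched 5.4.x and 5.3.x servers as vulnerable. The following is an added example, not code from CISA, SimpleHelp, or either article: a branch-aware version check and a small inventory triage. The fixed versions (5.5.8, 5.4.10, 5.3.9) are given as I recall them from the vendor advisory and should be confirmed against the current advisory; the inventory is constructed.

```python
import re

# Fixed release on each SimpleHelp branch for CVE-2024-57727, as recalled from
# the vendor advisory. Assumption: confirm against the current advisory.
FIXED_BY_BRANCH = {(5, 5): (5, 5, 8), (5, 4): (5, 4, 10), (5, 3): (5, 3, 9)}

VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> tuple:
    """Parse 'major.minor.patch' (optional leading 'v') into a comparable int tuple."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised SimpleHelp version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version_text: str) -> bool:
    """True if this SimpleHelp version predates the CVE-2024-57727 fix on its branch.

    Comparing per branch matters: 5.4.10 and 5.3.9 are patched even though both
    sort below 5.5.8 in a plain tuple comparison.
    """
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    # Assumption: branches before 5.3 never received a fix, and anything newer
    # than 5.5 shipped after it.
    return branch < (5, 3)


def triage(inventory: list) -> dict:
    """Split (hostname, version) pairs into hosts to patch now and hosts whose
    version string could not be parsed and needs a manual check."""
    result = {"patch_now": [], "unparseable": []}
    for host, version in inventory:
        try:
            if is_vulnerable(version):
                result["patch_now"].append(host)
        except ValueError:
            result["unparseable"].append(host)
    return result


# Constructed inventory for illustration; take real values from each server's
# admin console or your asset database.
SAMPLE_INVENTORY = [
    ("rmm-01.corp.example", "5.5.7"),
    ("rmm-02.corp.example", "5.5.8"),
    ("rmm-03.corp.example", "5.4.10"),
    ("rmm-04.corp.example", "5.3.8"),
    ("rmm-05.corp.example", "unknown"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Treat any host in `patch_now` as potentially already compromised rather than merely exposed: because the bug allows credential theft from the server's configuration, patching alone is not enough, and CISA's guidance to rotate credentials and hunt for follow-on activity applies.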
2025-06-12 19:33:49 bleepingcomputer CYBERCRIME Trend Micro Patches Critical Vulnerabilities in Security Products
Trend Micro has released updates fixing critical vulnerabilities in its Apex Central and Endpoint Encryption PolicyServer products. The flaws include pre-authentication remote code execution, authentication bypass, SQL injection, and privilege escalation issues. No in-the-wild exploitation has been reported, but customers are strongly advised to update immediately. The affected products are used in enterprise environments, particularly in regulated industries with strict data protection requirements. The new versions address both high-severity and critical vulnerabilities. Both pre-authentication remote code execution vulnerabilities in Apex Central were resolved in their respective patches. The article also discusses the shift toward automated patch management and the need for efficient, script-free patching in modern IT environments.
2025-06-12 17:55:55 thehackernews CYBERCRIME Global Cybercrime Network Exploits WordPress, Redirects to Scams
VexTrio operates a sophisticated cybercriminal network utilizing various Traffic Distribution Services (TDS) like Help TDS and Disposable TDS to redirect web traffic to scam and malware distribution sites. These TDS systems, supported by adtech companies such as Los Pollos and Taco Loco, encourage the participation of malware and advertising affiliates by offering financial incentives for scam activities including gift card fraud and phishing. The criminal network extensively targets and compromises WordPress websites, injecting malicious code that initiates the redirection to VexTrio's infrastructure, eventually landing users on scam pages. Infoblox's analysis revealed over 4.5 million DNS TXT record responses pointing to domain sets with distinct command-and-control servers based in Russia, showing how VexTrio and affiliates manipulate DNS responses for redirecting traffic. The VexTrio network experienced a significant disruption in November 2024 when Los Pollos was exposed as a participant, facing substantial affiliate withdrawals and redirection shifts to other TDS services. Malicious campaigns utilized by VexTrio and related TDS networks employ Google Firebase Cloud Messaging and custom-developed scripts to send push notifications directing users to fraudulent content. Despite being registered in countries with KYC regulations, VexTrio and its affiliate adtech firms manage to elude full accountability by insufficiently vetting publishing affiliates.
2025-06-12 17:47:38 bleepingcomputer NATION STATE ACTIVITY Zero-Click Spyware Used to Target Journalists on iOS
Citizen Lab confirmed zero-click attacks via Graphite spyware against European journalists. Victims included a European journalist and Ciro Pellegrino of Fanpage.it. Attackers exploited a zero-day vulnerability, CVE-2025-43200, in iOS 18.2.1 using crafted iCloud Link photos/videos. Apple patched the vulnerability in iOS version 18.3.1, introducing additional security checks. Spyware was delivered through iMessage without user interaction and left minimal traces on devices. Infected devices contacted a C2 server linked to Paragon's infrastructure hosted by EDIS Global. Attack details align with previous uses of Graphite spyware in zero-click attacks targeting other Italian figures.