Daily Brief


Total articles found: 12713

2025-08-07 17:58:22 theregister VULNERABILITIES Microsoft and CISA Urge Immediate Action on Exchange Server Flaw
Microsoft and CISA have issued warnings about a critical Exchange Server vulnerability, CVE-2025-53786, which could lead to a total domain compromise in hybrid deployments. Although no active exploits have been reported, the bug is considered highly likely to be targeted, prompting urgent mitigation measures. The vulnerability affects hybrid Exchange setups due to shared identity authentication between on-premises and cloud environments, allowing privilege escalation. CISA has mandated that government agencies address this issue by August 11, emphasizing the urgency of the situation. Organizations are advised to apply the April Hotfix and follow specific configuration steps to secure their Exchange environments. This flaw follows a series of security challenges for Microsoft, including previous breaches by state actors and financially motivated attackers. The vulnerability's exploitation requires existing administrative access, but successful attacks could be stealthy and difficult to detect. The incident underscores the importance of robust security measures and timely patch management in hybrid cloud deployments.
2025-08-07 17:26:11 bleepingcomputer DATA BREACH Bouygues Telecom Data Breach Exposes 6.4 Million Customer Records
Bouygues Telecom, a major French telecom provider, experienced a data breach affecting 6.4 million customers, exposing personal information but not credit card details or account passwords. The breach was executed by a known cybercriminal group targeting specific internal resources; the company has since blocked access and enhanced security measures. The incident occurred on August 4, 2025, with Bouygues Telecom swiftly resolving the situation and notifying relevant French authorities, including ANSSI and CNIL. Impacted customers are at increased risk of fraud and phishing; they are advised to remain vigilant against unsolicited requests for sensitive information. Bouygues Telecom is proactively informing affected customers via SMS and email, urging them to monitor bank accounts for suspicious activities. This breach follows a similar incident at Orange, another French telecom provider, indicating a potential trend of targeted attacks on European telecoms. The breach reflects broader cybersecurity threats faced by telecom companies globally, with parallels drawn to attacks by Chinese cyber-espionage groups.
2025-08-07 15:31:47 bleepingcomputer VULNERABILITIES SonicWall Addresses Exploitation of 2024 SSLVPN Vulnerability in Gen 7 Firewalls
SonicWall confirmed that recent Akira ransomware attacks exploit a known vulnerability, CVE-2024-40766, in Gen 7 firewalls, dismissing initial concerns of a zero-day flaw. CVE-2024-40766 is a critical access control vulnerability in SonicOS, allowing unauthorized access and session hijacking, which was disclosed and patched in August 2024. The vulnerability has been exploited by ransomware groups like Akira and Fog, targeting networks that failed to implement recommended security measures during firewall migrations. SonicWall advises disabling SSL VPN services and limiting access to trusted IPs, while urging users to update to firmware version 7.3.0 or later for enhanced security. Customers are recommended to reset all local user passwords, particularly those for SSLVPN, to mitigate risks associated with the vulnerability. Some users have expressed skepticism about SonicWall's claims, noting discrepancies between their experiences and the vendor's statements, highlighting the need for continued vigilance. SonicWall's communication strategy and the ambiguity in its updates have led to uncertainty, stressing the importance of immediate action on recommended security measures.
2025-08-07 15:06:54 theregister MISCELLANEOUS Inside Black Hat's Network Operations Center: A Unique Cybersecurity Hub
Black Hat's Network Operations Center (NOC) operates independently to meet the high-security demands of the conference, staffed by volunteers and equipped with cutting-edge technology. The NOC team, made up of volunteers from various tech backgrounds, works in shifts to monitor and mitigate potential threats, ensuring the stability and security of the conference network. A notable incident involved the FBI when the NOC detected a private detective trailing an attendee, highlighting the NOC's role in addressing both digital and physical security concerns. The NOC frequently encounters malicious activity during the conference, often generated by attendees practicing newly learned hacking techniques, necessitating real-time intervention. Vendors donate hardware and expertise, with rigorous selection criteria ensuring only the most effective tools are employed, fostering collaboration even among industry rivals. The NOC's proactive approach includes sandboxing networks for training sessions and developing custom software to visualize network traffic and identify threats efficiently. The collaborative environment at Black Hat's NOC not only enhances security but also serves as a learning platform for volunteers and vendors, driving innovation and improvement in cybersecurity practices.
2025-08-07 14:34:07 theregister VULNERABILITIES CISA Releases Analysis on Critical SharePoint Server Vulnerabilities
CISA has published a detailed report on "ToolShell" attacks exploiting vulnerabilities in Microsoft SharePoint Server, affecting over 400 organizations, including the U.S. Department of Energy. The report identifies a critical vulnerability, CVE-2025-53770, with a CVSS score of 9.8, enabling remote code execution via untrusted data deserialization. Threat actors, including APT groups like Linen Typhoon and Violet Typhoon, have exploited this vulnerability to gain unauthorized access to sensitive systems. The report includes analysis of six malicious files and introduces "SharpyShell," a stealthy web shell used for exfiltrating cryptographic secrets. CISA provides Sigma rules for detecting exploitation attempts, advising organizations to ensure their EDR/SIEM systems can handle the complex queries. The vulnerability was possibly leaked following its disclosure at the Pwn2Own contest, raising concerns about the security of vulnerability reporting processes. Organizations are urged to review CISA's report and apply the provided indicators of compromise and detection rules to safeguard their systems.
2025-08-07 14:06:51 bleepingcomputer MALWARE GreedyBear Campaign Targets Firefox Users with Malicious Crypto Extensions
Koi Security identified the 'GreedyBear' campaign, which infiltrated Mozilla's add-ons store with 150 malicious extensions, stealing approximately $1,000,000 from Firefox users. The extensions impersonated popular cryptocurrency wallets like MetaMask and TronLink, initially appearing benign before injecting malicious code to capture wallet credentials. Attackers utilized keylogging techniques within the extensions to exfiltrate user credentials and IP addresses to a remote server, facilitating further tracking and targeting. The operation also involved Russian-speaking pirated software sites distributing 500 malware variants, including trojans and ransomware, linked to a single command-and-control hub. Mozilla has removed the malicious extensions, but the campaign's scale and AI-driven tactics highlight the ease of executing large-scale cyber schemes. Despite Mozilla's detection systems, fraudulent extensions continue to appear, with signs of expansion to the Chrome Web Store already detected. Users are advised to verify extension authenticity by checking reviews and details, and to download official wallet extensions directly from project websites.
2025-08-07 13:24:26 thehackernews MALWARE Malicious Go and npm Packages Unleash Cross-Platform Malware Threats
Researchers identified 11 malicious Go packages capable of delivering additional payloads on Windows and Linux, posing significant risks to software supply chains. The packages utilize command-and-control endpoints to execute second-stage payloads, which can gather host data and access web browser information. The decentralized nature of the Go ecosystem allows malicious modules to be easily imported, leading to potential developer confusion and inadvertent integration of harmful code. Two npm packages, naya-flore and nvlore-hsc, masquerade as WhatsApp libraries, incorporating a phone number-based kill switch that can remotely wipe systems. The npm packages have been downloaded over 1,110 times and remain available, highlighting ongoing threats within open-source repositories. Attackers exploit obfuscation techniques and discreet data exfiltration methods, underscoring the need for vigilance in monitoring open-source software dependencies. The findings emphasize the persistent supply chain risks associated with cross-platform malware, particularly as open-source software continues to expand.
2025-08-07 13:14:13 thehackernews VULNERABILITIES Axis Communications Surveillance Systems Exposed to Remote Code Exploits
Cybersecurity researchers identified multiple vulnerabilities in Axis Communications' video surveillance products, potentially allowing unauthorized remote code execution and system takeover. Over 6,500 Axis servers are exposed to the internet, with nearly 4,000 located in the U.S., posing significant security risks. Exploitation of these flaws could enable attackers to hijack video feeds, alter communications, and execute arbitrary actions on affected systems. The vulnerabilities allow attackers to assume a man-in-the-middle position, bypassing authentication and gaining system-level access to camera networks. No evidence currently indicates these vulnerabilities have been exploited in the wild, but the potential impact is severe. Organizations using Axis products should prioritize patching and securing exposed servers to mitigate these risks. This incident underscores the critical need for robust security measures in internet-connected surveillance systems.
2025-08-07 13:05:34 theregister DATA BREACH Air France and KLM Customer Data Compromised in Third-Party Breach
Air France and KLM reported unauthorized access to customer data via a third-party service platform, affecting personal information but excluding sensitive data like passwords or credit card details. The breach involved customer names, contact details, Flying Blue numbers, and service request email subject lines, raising concerns about potential phishing attempts. The airlines' IT security teams, alongside the external service provider, quickly acted to halt the breach and implemented measures to prevent future incidents. Both airlines have notified the Dutch and French data protection authorities and advised customers to remain vigilant against phishing scams. The incident is part of a broader trend of data breaches at major organizations linked to third-party providers, with no specific threat actor publicly identified yet. The ShinyHunters cybercrime group is suspected of involvement, given its history of targeting similar entities, although no official attribution has been made. This breach underscores the critical need for robust third-party risk management and continuous monitoring of external platforms to safeguard customer data.
2025-08-07 12:36:21 theregister DATA BREACH European Users Challenge Meta's AI Data Practices Amid Privacy Concerns
A survey by privacy group NOYB reveals only 7% of German Facebook and Instagram users support Meta using their data for AI training. 27% of surveyed users were unaware of Meta's data usage for AI, raising transparency issues and potential GDPR compliance challenges. Meta suspended AI training in Europe last year following NOYB's complaints, but resumed after EU and UK data protection authorities approved its "legitimate interests" basis. Despite Meta's notifications to users about data practices, NOYB claims less than half of users recall receiving these communications, questioning the effectiveness of Meta's consent strategy. NOYB is considering a class action lawsuit against Meta, potentially leading to significant financial repercussions for the company. German privacy officials anticipate that the EU's highest court may ultimately decide on the legality of Meta's AI data practices. The ongoing legal and public scrutiny could compel Meta to reevaluate its data handling and user consent mechanisms to align with European privacy expectations.
2025-08-07 11:52:52 bleepingcomputer CYBERCRIME Samourai Wallet Founders Admit to Laundering $200 Million in Cryptocurrency
Samourai Wallet's CEO and CTO pleaded guilty to laundering over $200 million for cybercriminals, facing potential prison sentences for conspiracy and operating an unlicensed money-transmitting business. The U.S. Department of Justice charged the founders with conspiracy to operate a money transmitting business and money laundering, with sentences up to 20 years. As part of their plea, the founders agreed to forfeit over $237 million, while their domains were seized and the mobile app was removed from Google Play. Samourai Wallet facilitated anonymous transactions, attracting over 100,000 downloads, and was marketed as a tool to conceal illicit proceeds, including from dark web markets. The service processed over 80,000 Bitcoins, valued at more than $2 billion, from various illegal activities, earning over $6 million in fees from its mixing services. Law enforcement actions included seizing Samourai's infrastructure and removing its app, disrupting its operations and sending a strong message against crypto-enabled money laundering. This case underscores the ongoing challenge of regulating cryptocurrency platforms and the importance of robust compliance measures to prevent misuse for illicit activities.
2025-08-07 10:46:42 thehackernews VULNERABILITIES Microsoft Warns of Critical Exchange Server Flaw in Hybrid Setups
Microsoft has identified a significant vulnerability in on-premises Exchange Server, tracked as CVE-2025-53786, which can lead to privilege escalation in hybrid environments. The flaw, with a CVSS score of 8.0, allows attackers with admin access to an on-premises Exchange Server to escalate privileges in connected cloud setups. The vulnerability arises from shared service principals between Exchange Server and Exchange Online in hybrid configurations, complicating detection and auditing. Microsoft advises installing the April 2025 Hot Fix and reconfiguring the service principal's keyCredentials if hybrid or OAuth authentication is no longer in use. The U.S. CISA warns of potential impacts on Exchange Online's identity integrity if the flaw remains unpatched, urging immediate mitigation. Microsoft plans to block Exchange Web Services traffic using shared service principals to enhance security and promote dedicated hybrid app adoption. CISA also advises disconnecting outdated public-facing Exchange or SharePoint Servers to prevent exploitation by cyber threat actors.
2025-08-07 10:36:43 thehackernews VULNERABILITIES SonicWall Addresses Patched Vulnerability Exploited in VPN Attacks
SonicWall clarified that recent attacks on its Gen 7 firewalls were linked to the patched CVE-2024-40766 vulnerability, not a zero-day exploit. CVE-2024-40766, with a CVSS score of 9.3, involves improper access control, potentially allowing unauthorized access and causing firewall crashes. The company is investigating fewer than 40 incidents, many linked to Gen 6 to Gen 7 firewall migrations without password resets. SonicWall's advisory stresses the importance of resetting local user passwords during firewall migrations to mitigate risks. SonicOS 7.3 has enhanced security measures, including protections against brute-force password attacks and support for multi-factor authentication. The vulnerability exploitation has been associated with Akira ransomware attacks, highlighting the need for robust security practices. SonicWall's proactive communication and guidance aim to prevent further exploitation and ensure customer security.
2025-08-07 10:36:43 thehackernews MISCELLANEOUS AI-Driven Cloud Security Evolves Amid New Threats and Challenges
The Sysdig Cloud Defense Report 2025 reveals AI as both a tool and target in the evolving cloud security landscape, necessitating agile defense strategies. Attackers leverage AI for automation, exemplified by campaigns like CRYSTALRAY, which utilize open-source tools for rapid reconnaissance and credential harvesting. Sysdig Sage™, an AI cloud security analyst, reduces response times by 76%, with significant adoption in software and business services sectors. A 500% rise in AI/ML package workloads in 2024 was followed by a 25% decline, indicating improved security measures and governance. Recommendations for securing AI systems include API authentication, configuration hardening, and enforcing least privilege to safeguard digital assets. Real-time threat detection is essential, as cloud attacks can occur in under 10 minutes; the 555 Cloud Detection and Response Benchmark offers a strategic framework. CI/CD pipelines are increasingly targeted, highlighting the need for runtime visibility to prevent build system compromises and misconfigurations. Open source tools, such as Falco, are vital for modern cloud defense, offering real-time detection and compliance support, especially in regulated sectors.
2025-08-07 10:19:11 bleepingcomputer CYBERCRIME Major IPTV Piracy Service Rare Breed TV Shut Down by ACE
The Alliance for Creativity and Entertainment (ACE) has successfully shut down Rare Breed TV, a significant illegal IPTV service offering over 28,000 channels. Rare Breed TV, based in North Carolina, provided unauthorized access to a vast library of TV channels and on-demand content, impacting copyright holders globally. A financial settlement was reached with the operators, who agreed to cease operations and cooperate with ACE, though the website remained active at the time of reporting. ACE, a coalition of over 50 major media entities, collaborates with global law enforcement to dismantle large-scale piracy operations. The shutdown of Rare Breed TV is part of ACE's ongoing efforts to combat digital piracy, following previous successful actions against various illegal streaming platforms. The enforcement action serves as a warning to piracy operators, emphasizing the legal and financial repercussions of running unauthorized streaming services. ACE's continued initiatives highlight the importance of industry collaboration in protecting intellectual property rights and combating digital piracy.