Daily Brief
Find articles below; each row carries a generated summary of the story
Total articles found: 11821
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-05-29 16:26:12 | theregister | MALWARE | Sophisticated Botnet Targets 8,000+ Asus Routers for Stealth Control | Thousands of Asus routers are compromised by a botnet named AyySSHush, as detected by the threat monitoring firm GreyNoise. The botnet exploits vulnerabilities in the routers to disable Trend Micro security features and gain backdoor access. Attackers are using brute-force attacks and authentication bypass bugs to achieve initial router access and execute arbitrary commands. Compromised routers have an SSH backdoor installed, making the botnet nearly invisible and persistent even after firmware updates. GreyNoise worked closely with governments and industry partners before disclosing these vulnerabilities months after their discovery. The specific router models affected are popular ones, namely RT-AC3100, RT-AC3200, and RT-AX55. GreyNoise notes similarities between this botnet and another campaign named ViciousTrap, mentioned by French research group Sekoia. Asus issued patches for the vulnerabilities, but affected devices still require a factory reset to completely eradicate the threat. |
| 2025-05-29 16:12:35 | bleepingcomputer | CYBERCRIME | Safari Vulnerability Enables Deceptive Fullscreen Attacks | A flaw in Apple's Safari web browser enables fullscreen browser-in-the-middle (BitM) attacks, posing significant credential theft risks. Attackers exploit the Fullscreen API in Safari, allowing them to obscure browser guardrails and deceive users into revealing sensitive information. SquareX researchers observed that these attacks particularly endanger Safari users due to the browser's insufficient alert mechanisms when entering fullscreen mode. The technique involves tricking users via legitimate-looking but malicious websites, using tools like noVNC to superimpose an attacker-controlled browser window over the legitimate session. This type of attack does not trigger security alerts from endpoint detection and response systems (EDRs) or secure access service edge (SASE/SSE) products because it abuses standard browser functionality. Unlike Safari, Firefox and Chromium-based browsers signal to users when fullscreen mode is activated, adding a layer of security that Safari lacks. SquareX's disclosure to Apple received a "wontfix" response, with Apple suggesting its current fullscreen animation is an adequate indication for users. Apple has yet to offer a detailed public response to SquareX's findings or BleepingComputer's inquiry about its stance on the issue. |
| 2025-05-29 15:56:38 | thehackernews | MALWARE | Cybercriminals Exploit AI Popularity Using Malware-Filled Installers | Cybercriminals are distributing malware through fake installers of popular AI tools like OpenAI ChatGPT and InVideo AI. Malware variants linked to this scam include CyberLock ransomware, Lucky_Gh0$t ransomware, and a destructive malware named Numero. CyberLock encrypts files by escalating privileges and demands a $50,000 ransom in Monero, whereas Lucky_Gh0$t targets files under 1.2GB, erasing backups. Numero malware disrupts the graphical user interface of Windows, making systems unusable by continuously running malicious processes. Fake websites, such as "novaleadsai[.]com," are promoted using SEO poisoning to look authentic, tricking users into downloading malicious software. Victims are lured with offers like free access for a year, followed by a hefty monthly subscription fee, only to receive malware in place of the promised software. Talos and Mandiant reports highlight an uptrend in the misuse of AI tool popularity for spreading various malware targeting business and marketing professionals. Malvertising campaigns also direct users from reputable platforms like Facebook and LinkedIn to malware-infected websites, further emphasizing the broadened threat landscape. |
| 2025-05-29 15:46:14 | bleepingcomputer | CYBERCRIME | U.S. Sanctions Filipino Company for Multi-Million Dollar Cyber Scams | The U.S. Treasury Department sanctioned Funnull Technology, a Philippines-based firm, for supporting large-scale cyber scams causing over $200 million in American losses. Funnull Technology facilitated various online scams, including romance baiting and pig butchering, by providing IP addresses and hosting services to cybercriminals. These criminals built trust with victims via social platforms, then lured them into fraudulent investment schemes, eventually diverting invested funds to their own accounts. The sanctioned firm also used domain generation algorithms and web design templates to help cybercriminals impersonate legitimate brands and evade takedown attempts. U.S. entities are now prohibited from conducting any transactions with Funnull or its Chinese administrator, Liu Lizhi, and all their U.S. assets are frozen. Additional penalties could apply to international financial institutions engaging in transactions with the blacklisted entities. The FBI issued a flash alert detailing technical aspects of Funnull's operations, including IP addresses and domain patterns indicative of their scam operations. Cybercrime losses in the U.S. hit a record $16.6 billion in 2024, with over $6.5 billion attributed to investment scams. |
| 2025-05-29 14:33:39 | bleepingcomputer | MALWARE | Cybercriminals Use AI Tool Facades to Distribute Ransomware | Cybercriminals are increasingly exploiting the popularity of AI tools to spread ransomware and malware, with incidents involving deepfake content generators and fake AI tool websites. Notable ransomware groups like CyberLock and Lucky_Gh0$t, along with new malware like Numero, exploit SEO poisoning and malvertising to appear prominently in search engine results. CyberLock ransomware, disseminated through a counterfeit AI tool site, demands a $50,000 ransom in Monero, claiming the funds support humanitarian efforts. Lucky_Gh0$t, a derivative of Chaos ransomware, masks itself as a ChatGPT installer, targeting files under 1.2GB for encryption, with larger files replaced by junk data. The novel malware, Numero, primarily disrupts the visual interface of Windows systems, locking the graphical elements in a dysfunctional loop without data encryption. Organizations are urged to download AI tools exclusively from reputable, official sources to avoid these increasingly sophisticated attacks that leverage fascination with AI technology. |
| 2025-05-29 14:05:53 | bleepingcomputer | MISCELLANEOUS | Sprocket ASM Tool: Proactively Secure Your Digital Footprint | Threat landscapes are rapidly expanding, exposing new vulnerabilities that attackers are eager to exploit using sophisticated techniques such as Attack Surface Management (ASM). Sprocket Security's Attack Surface Management Tool focuses on understanding attacker behavior and provides capabilities for real-time asset mapping and change detection. Attackers utilize publicly available tools and automation to discover assets, highlighting the necessity for organizations to continuously monitor and protect their digital infrastructure. A highlighted case within the article is the mass exploitation of VMware ESXi servers, demonstrating the critical need for timely patches and proactive security measures. Sprocket Security emphasizes the importance of seeing an organization's digital infrastructure from an attacker's perspective to effectively prevent breaches. The article encourages the integration of ASM tools into daily security workflows to enhance visibility, proactive defense, and efficiency in testing and validation phases. Sprocket ASM provides free tools that offer continuous penetration testing capabilities, notifications on new discoveries, and the ability to track manually added assets not visible on the internet. |
| 2025-05-29 13:21:06 | thehackernews | MALWARE | New RAT Malware Uses Corrupted Headers to Evade Detection | Cybersecurity researchers identified a new remote access trojan (RAT) exploiting corrupted DOS and PE headers to avoid detection on Windows systems. The malware was discovered by Fortinet's FortiGuard Incident Response Team after persisting undetected for several weeks on a compromised machine. Fortinet acquired memory dumps from the machine to analyze the malware, which concealed its operations within a dllhost.exe process. The malware decrypts C2 server information from memory and establishes secure communication over TLS, enhancing its stealth and persistence. Despite corrupted headers obstructing direct payload analysis, Fortinet successfully deconstructed the malware in a controlled environment after multiple attempts. The RAT has capabilities for capturing screenshots, managing system services, and handling incoming connections, effectively turning the infected host into a multipurpose remote-access platform. The communication with the C2 server and the complex multi-threaded architecture of the RAT support simultaneous operations and evolving attack strategies. |
| 2025-05-29 12:27:44 | theregister | CYBERCRIME | Billions of Stolen Cookies Pose Severe Privacy Risks Worldwide | Billions of stolen cookies are actively sold on the dark web and Telegram, with 7-9% still exploitable. Stolen cookies, often underestimated in danger, can allow cybercriminals access to sensitive personal and financial data without needing passwords. The majority of these cookies carry ID data for user identification and ad targeting; only a minor portion contains critical information such as passwords. Cybercriminals use stolen session cookies to impersonate users, bypass multi-factor authentication, and potentially access corporate systems and data. Infostealer malware like Redline, Vidar, and LummaC2, although targeted by law enforcement, facilitates the theft and sale of these cookies. NordVPN advises careful consideration before accepting website cookies and recommends regular updates and cleaning of browser data to mitigate risks. |
| 2025-05-29 11:33:40 | bleepingcomputer | CYBERCRIME | Victoria's Secret Website Down After Security Breach Incident | Victoria's Secret has temporarily shut down its website and certain in-store services due to a security incident. The fashion retailer operates around 1,380 stores globally and reported annual revenues of $6.23 billion for the fiscal year ending February 2025. Stores under the Victoria's Secret and PINK brands remain open as the company works to restore full operations. CEO Hillary Super communicated to employees that the recovery process from the incident would be prolonged. Specific details regarding the nature of the cyberattack, such as whether it involved ransomware or if a ransom was demanded, have not been confirmed. The incident at Victoria's Secret is part of a larger trend, following recent cybersecurity breaches at other major retailers like Dior and Adidas. Recent attacks against UK retailers like Harrods, Co-op, and Marks & Spencer have been linked to the DragonForce ransomware group, with indications of similar tactics being used in the US. |
| 2025-05-29 10:35:50 | thehackernews | RANSOMWARE | DragonForce Ransomware Strikes Using MSP's Tool Exploits | DragonForce threat actors exploited security vulnerabilities in the SimpleHelp tool to deploy ransomware via a Managed Service Provider (MSP). Accessed data included device names, user info, and network configurations across multiple customer environments. Exploitation of three specific CVEs in SimpleHelp allowed unauthorized access, leading to data theft and ransomware attacks on various endpoints. Some MSP clients successfully blocked the attack, but others experienced significant impacts, including double-extortion tactics. Recent developments position DragonForce as a prominent ransomware cartel, often reshuffling within the cybercrime ecosystem. Cyberint suggests another group, Scattered Spider, may have facilitated initial access, highlighting complex alliances in ransomware operations. The attacks have prompted a reevaluation of security strategies around AI-driven malware and remote access tools. Sophos identifies ongoing risks and recommends enhanced employee training and stricter remote access controls to mitigate similar threats. |
| 2025-05-29 09:27:19 | theregister | MISCELLANEOUS | EU Launches Strategy to Boost Local Tech Startup Ecosystem | The European Commission has introduced the EU Startup and Scaleup Strategy to transform Europe into a leading global hub for technology startups, enhancing their development from inception to mature businesses. The strategy aims at reducing administrative burdens, facilitating financing through a proposed public-private fund of at least €10 billion, and improving cross-border operations within the Single Market. Key initiatives include the Scaleup Europe Fund to address financing gaps and the Lab to Unicorn program to boost university collaborations across Europe. The strategy seeks to attract and retain top talent by offering enhanced employee stock options and easing cross-border employment regulations. Measures include simplifying startup-related regulations across the EU to foster a more innovation-friendly atmosphere. Progress will be monitored through the European Startup and Scaleup Scoreboard and annual surveys, benchmarking Europe against global counterparts. This move aligns with the broader Choose Europe initiative, promising comprehensive updates on its progress by 2027. Despite current dominance by major US tech companies, the EU strategy represents a proactive step to nurture and retain homegrown tech enterprises, reducing reliance on American technology solutions. |
| 2025-05-29 08:32:18 | bleepingcomputer | DATA BREACH | LexisNexis Data Breach Exposes Personal Information of 364,000 | LexisNexis Risk Solutions reported a data breach affecting 364,000 individuals, with personal information stolen. The breach originated from a compromised company account on GitHub, not affecting internal networks or systems. Data stolen includes names, contact details, Social Security numbers, and driver's licenses; financial data remained secure. The breach was discovered on April 1, 2025, but occurred on December 25, 2024. Affected individuals are advised to monitor their accounts for fraud and will receive two years of free identity protection. LexisNexis is a major global data broker with significant ties to Fortune 500 and Fortune 100 companies. |
| 2025-05-29 06:06:34 | thehackernews | NATION STATE ACTIVITY | APT41 Exploits Google Calendar in Sophisticated Malware Attacks | Chinese state-sponsored group APT41 used Google Calendar for malware command and control, utilizing a malware named TOUGHPROGRESS. Google discovered the activity involving compromised government websites and the targeting of multiple government entities in late October 2024. The campaign involved spear-phishing emails linked to a ZIP archive containing deceptive files and a malware-laden Windows shortcut disguised as a PDF. TOUGHPROGRESS malware employed evasion techniques, including memory-only payloads and encrypted commands in Google Calendar events. The malware was programmed to interact with Google Calendar, storing harvested data and command results in calendar events, hiding its activity in ordinary-looking traffic. Google has dismantled the malicious operations by taking down the Google Calendar involved and terminating related Workspace projects. This incident is part of a wider pattern, with APT41 previously found using Google's services for attacks on industries and governments worldwide. |
| 2025-05-29 05:41:34 | thehackernews | MALWARE | Critical Security Flaw in WordPress Plugin Endangers 100,000 Sites | Over 100,000 WordPress sites are at risk due to a severe vulnerability in the TI WooCommerce Wishlist plugin. The flaw, rated CVSS 10.0, allows unauthenticated attackers to upload arbitrary files. All versions up to and including 2.9.2 of the plugin are affected; no patches are available as of the last update. The vulnerability is linked to improper file type validation in the plugin's file upload function. Attack scenarios could enable malicious actors to achieve remote code execution through uploaded files. The issue is exacerbated when the WC Fields Factory plugin is installed, activated, and integrated. Plugin users are advised to deactivate and remove the TI WooCommerce Wishlist plugin to mitigate risk. |
| 2025-05-29 00:35:18 | theregister | CYBERCRIME | Victoria's Secret Website Down After Security Incident | Victoria's Secret's website has been offline for three days due to a security issue, impacting both online and some in-store services. The company has enlisted third-party experts and initiated response protocols to address the incident while securing its systems. Despite the online disruptions, over 800 physical stores remain open, indicating isolated impacts on specific operational systems. The significance of the online platform is highlighted by its substantial revenue generation, accounting for about one-third of the company's total revenue. The unavailability of the website has led to a nearly 7% drop in stock price as investors react nervously to the outage and potential financial implications. Specific details about the nature of the incident, such as whether it involves ransomware, are still unspecified as the company refrains from commenting on investigative details. The timing of the attack coincides with US Memorial Day, exploiting reduced staffing levels typically seen during public holidays. Recent similar cyber attacks have targeted major UK retailers, underscoring an ongoing threat wave against the retail sector globally. |