Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11822
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | |
|---|---|---|---|---|---|
| 2025-05-22 15:44:38 | bleepingcomputer | CYBERCRIME | Global Law Enforcement Operation Nets 270 Dark Web Suspects | Operation RapTor, coordinated by Europol, resulted in the arrest of 270 individuals involved in dark web activity across ten countries. Authorities seized over €184 million in cash and cryptocurrency, more than 2 tonnes of drugs, and more than 180 firearms. The takedowns primarily targeted dark web marketplaces such as Nemesis, Tor2Door, Bohemia, and Kingdom Market. Most arrests occurred in the United States, Germany, the United Kingdom, France, and South Korea, with further detentions in the Netherlands, Austria, Brazil, Spain, and Switzerland. RapTor continues the global crackdown on illegal dark web markets that followed SpecTor in 2023, DisrupTor in 2020, and Dark HunTOR. Europol emphasized the effectiveness of international cooperation and intelligence sharing in piercing the perceived anonymity of dark web criminals, and framed the operation as part of the effort to make the internet safer by dismantling organized networks dealing in drugs, weapons, and counterfeit goods. | Details |
| 2025-05-22 15:11:27 | thehackernews | NATION STATE ACTIVITY | Chinese Hackers Target U.S. Networks via Trimble Cityworks Flaw | A Chinese-speaking threat group tracked by Cisco Talos as UAT-6382 exploited a vulnerability in Trimble Cityworks to infiltrate U.S. local government networks. The flaw, CVE-2025-0944, allows remote code execution and was used to deploy Cobalt Strike and VShell for long-term access. Attacks began in January 2025 and targeted local government bodies that manage utilities and infrastructure. Trimble has patched the vulnerability, and CISA added it to the Known Exploited Vulnerabilities catalog in February 2025. Tactics included initial reconnaissance, deployment of the AntSword and chinatso/Chopper web shells, and malware installation via PowerShell. The loader, TetraLoader, was built with MaLoader, a malware-building framework published in Simplified Chinese. Cisco Talos continues to monitor the actor's exploitation and post-exploitation tradecraft. | Details |
| 2025-05-22 14:42:10 | theregister | NATION STATE ACTIVITY | Russia Initiates Smartphone Tracking Law for Foreigners in Moscow | Russia is set to implement an experimental law that lets the state track foreigners in Moscow through a smartphone app, starting September 1, 2025. The four-year trial, announced by State Duma chairman Vyacheslav Volodin, is framed as a measure to reduce migrant crime by closely monitoring foreign nationals. Foreigners will need to provide residence details, fingerprints, and biometric photos, and consent to geolocation tracking. The law requires migrants to notify the Ministry of Internal Affairs within three days of any change of residence. Foreign diplomats, Belarusian citizens, and minors are exempt. If judged successful, the scheme may be extended beyond Moscow, home to nearly one million foreign nationals, to other regions. The law follows the troubled launch of the nationwide Register of Controlled Persons, which covers migrants with expired or breached visas and has reportedly cut those listed off from housing, banking, employment, and education, with many facing harsh conditions at the Sakharovo migrant center. | Details |
| 2025-05-22 14:25:27 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hackers Use Ivanti Flaw to Conduct Espionage on Governments | Chinese state-sponsored hackers exploited a remote code execution flaw in Ivanti Endpoint Manager Mobile (EPMM), CVE-2025-4428, to infiltrate government agencies worldwide. It was chained with an authentication bypass, CVE-2025-4427; Ivanti patched both on May 13, 2025. The group, tracked as UNC5221, has repeatedly exploited Ivanti products and uses that access chiefly for espionage. The latest campaign delivered KrustyLoader from a compromised AWS S3 bucket and used built-in system commands for host reconnaissance. Observed post-exploitation activity included dumping databases, establishing persistent malware, and accessing the Office 365 and LDAP configuration held on the appliance. The targeting and the tooling staged for ongoing collection point to strategic espionage against high-value organizations. Exploitation was observed just two days after the vulnerabilities were publicly disclosed, underlining the need for prompt patching of internet-facing management appliances. The infrastructure overlaps with that of the Linux backdoor 'Auto-Color' reported earlier in 2025, pointing to sustained Chinese interest in network perimeter devices. | Details |
| 2025-05-22 14:07:45 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hackers Exploit Zero-Day in US Government Networks | Chinese-speaking hackers exploited a zero-day vulnerability in Trimble Cityworks, asset and work management software widely used by U.S. local governments. The group, tracked as UAT-6382, deployed Cobalt Strike beacons and VShell malware for persistent access and dropped web shells whose interfaces are in Chinese. Attacks began with network reconnaissance in January 2025, and exploitation gave the intruders a foothold from which to pivot into utility management systems. The vulnerability, CVE-2025-0944, is a deserialization flaw in Cityworks deployments running on Microsoft IIS; Trimble patched it in February 2025 after identifying ongoing exploitation attempts. CISA added it to the Known Exploited Vulnerabilities catalog with a late-February deadline for federal agencies and issued a broader sector advisory. The attackers' Rust-based loader, TetraLoader, was built with the MaLoader framework, tooling consistent with nation-state capability. | Details |
| 2025-05-22 13:08:35 | theregister | MISCELLANEOUS | Signal Uses DRM to Block Microsoft Recall from Capturing Screenshots | Signal has turned on a Windows DRM feature to prevent Microsoft Recall from capturing screenshots of private conversations in its desktop app. Recall, which periodically snapshots desktop activity, offers app developers no API to exclude their application; it captures almost everything on screen apart from private-browsing windows. Recall is not enabled by default and remains labeled "Preview"; users must opt in. Signal's new "Screen security" setting, which uses the DRM flag to block screen capture, is enabled by default on Windows 11, and the app warns users who try to disable it. Signal acknowledged that screenshots have legitimate uses, for example in accessibility tools, but prioritized privacy over that functionality. Recall drew heavy criticism from security experts and privacy advocates when first announced, prompting Microsoft to rework it. Signal criticized Recall's approach to capturing screen content, suggesting it had been bolted on to appeal to investors rather than thoughtfully integrated. | Details |
| 2025-05-22 12:36:48 | thehackernews | MALWARE | Critical Flaw in Windows Server Enables Active Directory Attacks | A newly disclosed privilege escalation flaw in Windows Server 2025 lets an attacker take over any Active Directory user account. It abuses Delegated Managed Service Accounts (dMSA), a feature introduced in Windows Server 2025 to blunt Kerberoasting, and works in the default configuration of any domain with at least one Windows Server 2025 domain controller. The technique, named BadSuccessor, simulates the dMSA migration process: the attacker creates a dMSA and marks it as the successor of a target account, after which the dMSA inherits that account's privileges, including those of domain administrators. Akamai's research found that in 91% of tested environments, users outside the domain admins group held permissions sufficient to carry out the attack, which requires no rights over the target account itself, only the ability to create a dMSA in some organizational unit. Microsoft rated the issue moderate in severity and said it would not be serviced immediately, though a fix is in development. Organizations are advised to restrict who can create dMSAs and to tighten OU permissions, using the PowerShell script Akamai published to audit dMSA creation rights across organizational units. | Details |
| 2025-05-22 12:30:20 | bleepingcomputer | DATA BREACH | FTC Mandates GoDaddy to Enhance Security After Data Breaches | The FTC has finalized an order requiring GoDaddy to improve its security following multiple data breaches and misleading claims about its security. GoDaddy has suffered several security incidents since 2018, including breaches in 2020 and 2021 in which customer data was compromised. The FTC cited a lack of multi-factor authentication, inadequate software updates, and ineffective threat monitoring. The settlement requires GoDaddy to establish a comprehensive information security program and deploy multi-factor authentication across its services. GoDaddy must also secure its APIs, improve its software and firmware update management, and engage an external assessor to review its security practices every two years. The company must report significant security incidents within 10 days and must not misrepresent its security measures to customers. GoDaddy said it had already begun implementing some of the required improvements and expects minimal financial impact from compliance. | Details |
| 2025-05-22 12:11:37 | thehackernews | NATION STATE ACTIVITY | Chinese Hackers Target Global Firms Using Ivanti EPMM Flaws | The Chinese threat group UNC5221 exploited vulnerabilities in Ivanti EPMM to infiltrate organizations in sectors including healthcare and defense. Chained together, CVE-2025-4427 and CVE-2025-4428 allow unauthenticated remote code execution. UNC5221 used KrustyLoader for payload delivery and abused hardcoded database credentials for unauthorized data access. The intrusions leveraged EPMM's mobile device management role to stage data exfiltration. The actor also used obfuscated shell commands and tools such as Fast Reverse Proxy (FRP) for reconnaissance and lateral movement. EclecticIQ identified a related command-and-control server that links the activity to earlier attacks on universities and government entities. The discovery underscores the persistent threat state-sponsored actors pose to internet-facing management platforms and the need for heightened vigilance. | Details |
| 2025-05-22 11:28:47 | thehackernews | MISCELLANEOUS | Free Webinar on Building Legally Defensible Cybersecurity Programs | An upcoming free webinar, hosted with the Center for Internet Security (CIS), focuses on building a legally defensible cybersecurity program. The session addresses the growing legal expectations and accountability for cybersecurity practices in organizations of any size and scope. CIS experts will offer practical guidance on developing structured, strategic programs that meet industry and legal standards. The webinar stresses that a clear, scalable defense strategy does not require a massive budget or a large security operations center. Key topics include the consequences of neglecting basic security measures and how to avoid legal pitfalls by demonstrating compliance and effective practice. The session aims to improve operational readiness, legal risk management, and organizational reputation through proven, sensible cybersecurity measures. | Details |
| 2025-05-22 11:13:29 | thehackernews | MALWARE | Critical Security Flaws Found in Versa Concerto Platform | Researchers have identified critical vulnerabilities in Versa Concerto, the orchestration and management platform for Versa's SD-WAN and network security products. Exploited together, the flaws allow an attacker to fully compromise both the application and its underlying host. Notable among them is CVE-2025-34027, a race condition in file handling that lets an attacker write arbitrary files and achieve remote code execution. The demonstrated exploitation overwrites system files to obtain a reverse shell, which makes the impact severe. Despite responsible disclosure by the researchers on February 13, 2025, Versa Networks has not yet released patches. Recommended interim measures include blocking specific characters in URL paths, dropping requests that carry specific headers, and closely monitoring network traffic to the platform. The situation raises concerns about the security readiness and vulnerability-response practices of network orchestration vendors. | Details |
| 2025-05-22 10:33:43 | thehackernews | MISCELLANEOUS | The Critical Role of Automation in Enhancing Identity Security | Fewer than 4% of security teams have fully automated core identity workflows such as MFA enrollment and access revocation. Human error is implicated in 60% of data breaches, underscoring the persistent risk it poses to enterprise security. A significant automation gap in identity management persists, leading to breaches and loss of enterprise resources. 52% of enterprises report breaches caused by manual mishandling of identity tasks, with resulting customer and partner losses. The gap is sustained by rapid organizational growth, dispersed applications, and fragmented infrastructure. Organizations are encouraged to extend automation across all application ecosystems to reduce risk. While AI is being considered as a way to close the gap, 78% of security leaders are hesitant to fully trust AI with core identity tasks. Cerby offers solutions that blend automation with human oversight, aiming to bridge the automation gap in identity security. | Details |
| 2025-05-22 10:33:42 | bleepingcomputer | MISCELLANEOUS | Signal Enhances Privacy, Blocks Microsoft Recall on Windows 11 | Signal has updated its Windows app to prevent Microsoft Recall from capturing screenshots of conversations. The "screen security" feature blocks capture by setting a DRM flag on Signal's application windows. Concerns about Recall's potential for privacy invasion and security risk were raised when it was first announced. Microsoft responded by making Recall opt-in and adding protections for user data. Despite those improvements, Signal judged an extra layer of protection necessary for its Windows 11 users. Because the flag can also interfere with screen readers and similar accessibility tools, users who need them can disable the feature. Signal urged AI developers to consider the privacy implications of tools like Recall more carefully in future. | Details |
| 2025-05-22 09:50:19 | theregister | RANSOMWARE | Scottish Council Data Stolen in Ransomware Attack: Details Released | West Lothian Council in Scotland confirmed that the Interlock ransomware group stole sensitive data in its attack on the council. The data, taken from the council's education network, includes personal information on teachers and parents and scanned identity documents. Initial reports suggested no data had been stolen, but verification of material the attackers posted online showed otherwise. Core operational data such as pupil records, financial information, and central council data is held on separate systems and was not affected. The impact on teaching and the ongoing SQA exams is reported as minimal, with the main school operations systems unaffected. The council has carried out risk assessments, strengthened its security controls, and is working with Police Scotland and the Scottish Government on the investigation. Parents and guardians are advised to watch for scams that use the stolen data and to change their passwords. The incident comes as the government discusses banning ransom payments by the public sector, a strategy intended to remove the incentive for such attacks. | Details |
| 2025-05-22 09:25:49 | bleepingcomputer | MALWARE | Unaddressed Vulnerabilities in Versa Concerto Permit Critical Exploits | Critical, unpatched bugs in Versa Concerto allow authentication bypass and unauthenticated remote code execution (RCE). Concerto is Versa Networks' central management platform for its SD-WAN/SASE products and is used by large enterprises, telecom operators, and government agencies. ProjectDiscovery found and reported three security issues; the vendor acknowledged the reports but never confirmed a fix. Despite promising hotfixes by April 7, Versa Networks stopped responding after that date. With the 90-day disclosure window expired, ProjectDiscovery published the details so that users can assess their exposure. Advised temporary mitigations include blocking specific characters in URLs and dropping requests that carry specific headers. As of the researchers' last update, Versa Networks had issued neither a formal response nor a fix. | Details |