Daily Brief

Generated summaries of the articles found are listed below.

2025-05-19 11:07:59 | thehackernews | MISCELLANEOUS | CTEM Emerges as Essential Strategy for CISOs in 2025
Continuous Threat Exposure Management (CTEM) has become a strategic enabler for Chief Information Security Officers (CISOs), moving from a conceptual framework to a cornerstone of cybersecurity programs. CTEM integrates tools such as Adversarial Exposure Validation (AEV), External Attack Surface Management (ASM), autonomous penetration testing, red teaming, and Breach and Attack Simulation (BAS) to proactively manage and reduce security risks. The approach shifts from periodic security assessments to continuous, real-time threat exposure management, enhancing the alignment of security efforts with business objectives. Gartner predicts that by 2026, organizations implementing CTEM will be three times less likely to experience a data breach, underlining the effectiveness of the strategy. The methodologies within CTEM enable security teams to discover, prioritize, and monitor digital assets continuously, thus expanding visibility and improving the scalability and efficiency of security operations. The integration of AI and automation within AEV and autonomous penetration testing allows for more effective replication of real-world attacker behaviors and proactive identification of exploitable exposures. CTEM helps bridge the gap between security investments and business priorities, assisting CISOs in driving measurable, outcome-based security initiatives. The rapid adoption of CTEM across enterprises is attributed to increasing cyber risks, regulatory pressures, and the expanding digital footprints of businesses, necessitating a shift towards a more dynamic and proactive cybersecurity approach.
2025-05-19 10:39:20 | thehackernews | CYBERCRIME | Mozilla Firefox Update Fixing Critical Zero-Day Flaws Released
Mozilla has issued updates for Firefox to address two critical vulnerabilities discovered during the Pwn2Own Berlin contest. The vulnerabilities could allow attackers to access sensitive data or execute code by exploiting out-of-bounds read or write issues. The exploited flaws were CVE-2025-4918 and CVE-2025-4919, each of which earned a $50,000 award at the event. The flaws affect several versions of Firefox, emphasizing the need for users to update their browsers promptly. Exploited vulnerabilities highlight the risks associated with web browsers as targets for malware attacks. Security researchers Edouard Bochin and Tao Yan of Palo Alto Networks, and independent researcher Manfred Paul, identified the vulnerabilities.
2025-05-19 10:01:00 | thehackernews | MISCELLANEOUS | Microsoft Patches Five Zero-Day Vulnerabilities
Microsoft addressed a total of 78 security flaws in its latest Patch Tuesday update, with five categorized as zero-day vulnerabilities actively exploited in the wild. The specific CVEs include CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, and CVE-2025-32709; details regarding the exploitation context, perpetrators, and targets remain undisclosed. The report from Wiz Threat Research highlights the importance of securing code repositories and development pipelines, revealing common vulnerabilities and attacker strategies. The article emphasizes the necessity for continual vigilance in updating software to protect against newly discovered vulnerabilities and to mitigate the risks of major breaches. Key tools and strategies for detecting hidden threats in seemingly safe files are discussed, including the use of Sysmon and Sigma rules for Windows, and grep or find commands for Linux/macOS. The cybersecurity landscape demands a unified approach connecting AppSec, cloud, and SOC teams to seal security gaps and enhance response times against attacks. The ongoing challenge for cybersecurity isn't just to react to threats but to proactively integrate resilience and comprehensive oversight into organizational security practices.
2025-05-19 09:37:36 | theregister | CYBERCRIME | UK Health Service Calls for Vendor Participation in Cybersecurity Charter
UK National Health Service (NHS) cybersecurity leaders have issued a public charter, urging tech vendors to pledge better security practices. Recent ransomware attacks have repeatedly targeted the NHS and its supply chain, escalating concerns about endemic cyber threats. The charter aims to enhance cyber resilience via collaboration, focusing on vendors servicing clinical systems and handling sensitive NHS data. Signatories of the charter are encouraged but not legally bound to the commitments, which detail measures to align with NHS cybersecurity goals. The initiative comes as the UK prepares to introduce the Cyber Security and Resilience Bill, aimed at strengthening protection of critical supply chains. The NHS plans to include cybersecurity requirements in future contracts and to ensure compliance through assurance processes and contractual terms. Several severe cyber incidents in the past year have disrupted critical healthcare services, revealing urgent needs for improved security measures at the board level.
2025-05-19 03:36:55 | theregister | MISCELLANEOUS | Multiple Global Cyber Security Incidents Reported Recently
The Alabama state government is currently grappling with an unspecified cybersecurity event which has compromised some state systems. However, it has not led to any significant disruptions in state services, and no personal information of citizens appears to be compromised. The event was detected when unauthorized individuals accessed some state employees’ credentials; external cybersecurity consultants are now assisting with system restoration. A separate case involves Liridon Masurica who was extradited to the US for operating BlackDB.cc, an illicit online marketplace selling stolen data, now facing up to 55 years in prison if convicted on all charges. Andy Frain Services, a security and event planning firm, reported a breach affecting nearly 101,000 individuals by the Black Basta ransomware gang, which claims to have stolen 750 GB of data including human resources files. Russian-backed cyber group Fancy Bear (APT28) has initiated a renewed cyberattack campaign against Ukraine, employing spear-phishing to exploit vulnerabilities in webmail servers. Europol has disrupted a significant online investment fraud network that tricked investors in several countries into losing over €3 million through a deceptive trading platform. National cyber defense capabilities are questioned as cuts in funding, specifically a $10 million reduction to the MS-ISAC, potentially limit effective response and preventative measures against such cybersecurity events.
2025-05-19 00:38:12 | theregister | MISCELLANEOUS | China Launches AI Satellite Network; South Korea and Japan Advance Tech
China's Guoxing Aerospace deployed twelve satellites equipped with advanced AI capabilities aimed at astronomical and emergency services applications. The satellites form part of a planned constellation of 2,800, featuring high-speed laser communication links and significant computing power. South Korea announced purchasing a state-of-the-art supercomputer from HPE for enhanced research capabilities and also plans to buy 10,000 GPUs to boost local tech innovation. US-imposed tariffs are predicted to slow tech spending growth in the Asia-Pacific region, impacting IT investments and raising costs due to supply chain disruptions. India's HCL Technologies, in partnership with Foxconn, received approval to build a semiconductor plant focused on producing display driver chips. Japan enacted a new law allowing for active cyber defense measures, marking a shift in policy by permitting offensive cyber capabilities and mandating critical infrastructure to report security incidents.
2025-05-18 18:35:58 | theregister | CYBERCRIME | Sophisticated Cyber Gang Attempts to Infiltrate US Retailer
Scattered Spider, a notorious cyber gang, recently attempted to access a large US retailer’s systems by impersonating an employee through a help desk call. Jon DiMaggio, a former NSA analyst, monitored the call and noted the criminals' proficiency and convincing impersonation of legitimate employees. The group, known for techniques like SIM swapping and ransomware, has previously breached major establishments including MGM and Caesars. Despite the realistic approach, the attack did not result in ransomware infection or data theft due to the retailer's robust security measures and expert staff. Mandiant tracks Scattered Spider as UNC3944 or Octo Tempest, highlighting their continuous evolution and skill in bypassing conventional security protocols. The UK retailer Co-op also faced a threat from Scattered Spider, leading to decisive early action to pull systems offline to prevent further intrusion and data encryption. Post-attack, Co-op is in recovery, taking measures to safely and gradually restore their systems and improve stock availability both online and in physical stores.
2025-05-17 15:35:59 | theregister | MISCELLANEOUS | Scientists Develop Privacy-Enhancing Geolocation Verification Method
Academics from Germany, Hong Kong, and the UK have introduced a new cryptographic privacy method called Zero-Knowledge Location Privacy (ZKLP). ZKLP enables users to verify their location within a specific region without revealing their exact coordinates, enhancing user privacy. This technique utilizes zero-knowledge proofs, particularly zk-SNARKs, and optimizes these for floating-point calculations to align with the Geospatial Discrete Global Grid System. Despite offering usability for applications needing location data, the ZKLP technique does not address location data spoofing issues and would need interaction with third-party systems for authenticity checks. By adopting such technology, user proximity to others can be evaluated at significant speeds (470 peers per second), without compromising privacy. The method is potentially adaptable for scenarios requiring verified location data like content authenticity in media and could support machine learning and Proof-of-Personhood applications. The research, presented at the IEEE Symposium on Security and Privacy, showed that ZKLP's implementation is less error-prone than previous methods due to advancements in handling floating-point computations in cryptographic protocols.
2025-05-17 14:12:29 | bleepingcomputer | MALWARE | New 'Defendnot' Tool Disables Microsoft Defender on Windows
'Defendnot' is a new tool capable of turning off Microsoft Defender by registering a deceptive antivirus on Windows systems. This tool exploits an undocumented API within Windows Security Center to fool the system into recognizing a fake antivirus product. Developed by researcher es3n1n, Defendnot succeeds a similar project that was previously taken down due to copyright issues. Defendnot bypasses enhanced security protocols by injecting its code into a trusted system process, Taskmgr.exe, to mimic legitimate software registration. Once activated, Microsoft Defender shuts down automatically, as Windows avoids running multiple antivirus applications simultaneously, leaving systems unprotected. The tool also ensures persistence by creating an autorun task in Windows, activating upon user login. Microsoft is currently identifying and blocking Defendnot as malware under the signature 'Win32/Sabsik.FL.!ml'. While presented as a research project, Defendnot highlights vulnerabilities within trusted system processes that can be exploited to disable crucial security defenses.
2025-05-16 23:38:58 | theregister | NATION STATE ACTIVITY | Chinese Fake Firms Target Laid-Off US Government Workers
Chinese front companies are posting recruitment ads to target former US federal employees, under the guise of consulting roles. These fake companies, detected by the Foundation for Defense of Democracies (FDD), appeared on platforms such as LinkedIn and Craigslist. The recruitment scheme aims to exploit the vulnerability of recently laid-off employees who might unintentionally leak sensitive information. The companies claimed to be based in the US, Singapore, and Japan, but many signs, including website domains and contact information, indicated they were controlled by Chinese entities. FDD's investigation began after noticing suspicious job listings, leading to the discovery that the firms were linked to a legitimate Chinese company, Smiao. Additional indicators such as shared IP addresses and email hosting services further confirmed the Chinese origins of these firms. This operation increases the risk of sensitive US information being accessed by foreign intelligence due to deceptive employment offers.
2025-05-16 22:56:33 | theregister | DATA BREACH | U.S. Agency Withdraws Proposed Rules on Data Broker Regulation
The Consumer Financial Protection Bureau (CFPB) has withdrawn proposed Biden-era regulations that would have classified certain data brokers as consumer reporting agencies, imposing stricter data handling requirements. The scrapped rules aimed at enhancing transparency and accuracy among data brokers to protect American consumers' sensitive information from unauthorized sales and uses. Reclassification would have limited data sale purposes to legitimate screenings like credit checks, explicitly excluding marketing uses. The CFPB cited the non-essential nature of the legislative rulemaking at this time as a reason for the withdrawal, deciding that no further action on the proposal will be undertaken. Public concerns persist surrounding data privacy, with reports of extensive personal data harvesting by app developers and telecommunication firms for sale to data brokers. Last year, major U.S. telecom operators were fined heavily for unsanctioned sharing of subscribers' location data, underscoring ongoing privacy issues. The decision leaves open significant potential for misuse of expansive personal data collections, touching on both financial fraud and national security risks. The move might signal a broader shift in regulatory focus or governmental incapacity to address complex privacy concerns amid contemporary data exchange practices.
2025-05-16 15:39:07 | theregister | MISCELLANEOUS | DEF CON Wins Defamation Lawsuit, Focuses on Attendee Safety
A Seattle court dismissed with prejudice the defamation lawsuit brought against DEF CON by Christopher Hadnagy, a former conference participant. The dismissal prevents Hadnagy from refiling the lawsuit, marking a significant legal victory for DEF CON. The court found that Hadnagy failed to prove the allegations against him were false, which is crucial since truth is a key defense against defamation. Allegations included inappropriate behavior and harassment, with specific claims about Hadnagy's conduct towards female colleagues. DEF CON’s motives for banning Hadnagy were supported by multiple accounts and detailed in a transparency report, though not all facts were fully documented during the proceedings. Despite conflicting testimonies and procedural questions during the lawsuit, the core allegations were deemed truthful, removing the need for detailed evidence to have been gathered before the ban. DEF CON expressed on social media that the victory supports their commitment to protecting conference attendees and encouraging reports of misconduct. Hadnagy expressed dissatisfaction with the court's decision, labeling the situation as escalated workplace conflict rather than sexual misconduct.
2025-05-16 15:28:45 | bleepingcomputer | MISCELLANEOUS | Hackers Showcase Skills, Exploit Zero-Days in Pwn2Own Berlin 2025
During Pwn2Own Berlin 2025, contestants successfully exploited zero-day vulnerabilities in enterprise technology, totaling $435,000 in rewards on the second day. Significant exploits included Nguyen Hoang Thach from STARLabs SG breaching VMware ESXi for $150,000 and Dinh Ho Anh Khoa from Viettel Cyber Security breaking into Microsoft SharePoint for $100,000. Other notable feats included hacking into Mozilla Firefox, Red Hat Enterprise Linux, and Oracle VirtualBox with various sophisticated zero-day vulnerabilities. The contest introduced an AI category for the first time, featuring exploits against AI technologies like Redis and Nvidia's Triton Inference Server. This event is a part of the OffensiveCon conference running from May 15 to May 17, targeting fully patched products across multiple categories, including AI, web browsers, virtualization, and more. Competitors have the chance to earn over $1,000,000 in rewards with Tesla vehicle hacking attempts also on the agenda, although no attempts were registered initially. After the contest, disclosed zero-day vulnerabilities will give vendors 90 days to patch before details are publicly released by the Trend Micro Zero Day Initiative.
2025-05-16 15:01:44 | bleepingcomputer | MALWARE | Printer Company Distributes Malware-Infected Software Globally
Procolored, a printer manufacturer, unintentionally distributed malware-infected drivers and software for at least six months. Security software identified a Remote Access Trojan (RAT) and cryptocurrency-stealing malware in Procolored's software downloaded from their website. The compromised software was available for six printer models and hosted on the file-sharing service Mega.nz. Cybersecurity firm G Data confirmed the presence of malware which managed to steal nearly $1 million in cryptocurrency. Procolored initially denied the accusations, attributing the detections to false positives, but later admitted the possibility of an infected USB being used to upload files. Following the discovery, Procolored removed all software from its site, conducted a thorough malware check, and re-uploaded clean versions. Procolored advised customers to install the updated software and conduct full system scans to remove any traces of the malware. Despite the resolution, Procolored's communication to customers about the malware's impact remains unclear.
2025-05-16 14:08:30 | bleepingcomputer | MALWARE | Rising Use of Skitnet Malware by Ransomware Gangs in Cyberattacks
Skitnet malware, also known as "Bossnet," is being increasingly adopted by ransomware gangs for post-exploitation activities in network breaches. Initially offered on the RAMP underground forum since April 2024, Skitnet's popularity among criminals has surged notably by early 2025. Prodaft researchers have observed its deployment in real-world attacks by notable ransomware groups like BlackBasta during Microsoft Teams phishing campaigns and others like Cactus. Skitnet features a Rust-based loader that decrypts and executes a Nim binary which then sets up a DNS-based reverse shell for robust C2 communication. The malware is capable of managing communication and command execution via HTTP or DNS, enhancing its stealth and effectiveness. Additional capabilities include executing PowerShell scripts in memory using a .NET loader, enabling deeper and more customizable attacks. The use of ready-made tools like Skitnet is preferred by some criminal groups due to their cost-effectiveness, rapid deployment, and the difficulty in attributing attacks to specific actors. Prodaft has released indicators of compromise (IoCs) related to Skitnet on its GitHub page to assist in defense against these threats.