Daily Brief

Each article below is followed by a generated summary.

Total articles found: 11823

Checks for new stories every ~15 minutes

2025-05-09 11:40:42 thehackernews CYBERCRIME Initial Access Brokers Abuse RMM Software to Target Brazilian Execs
Cybersecurity experts have identified a new cybercrime campaign targeting Portuguese-speaking executives in Brazil, leveraging RMM software trials since January 2025. Attack vectors include phishing emails disguised as communications from financial institutions or mobile carriers, using the Brazilian NF-e electronic invoice system as bait. The emails contain malicious Dropbox links that trick victims into installing trial versions of legitimate RMM tools like N-able RMM Remote Access and PDQ Connect, enabling remote file access. After the initial compromise, attackers can install secondary RMM software, such as ScreenConnect, to maintain and expand their control over the victim's systems. C-level executives and departments like finance and human resources across various sectors, including education and government, are predominantly targeted. The use of RMM tool trials by initial access brokers suggests a strategic abuse of these platforms to facilitate unauthorized access and control. N-able has responded by disabling the compromised trial accounts associated with this scheme. The situation highlights ongoing challenges in detecting and preventing phishing campaigns despite advancements in cybersecurity defenses.
2025-05-09 11:14:34 thehackernews MISCELLANEOUS Ensuring Security When Deploying AI Agents in Business
AI agents are increasingly integral to business operations, enhancing user experiences and task automation. However, AI agents also pose significant security risks, including data leaks and identity theft. Vulnerable AI systems can be exploited for information theft, misinformation spread, or unauthorized system control. Michelle Agroskin, from Auth0, will host a webinar titled "Building AI Agents Securely" to address AI security strategies. The webinar aims to provide practical, actionable security measures for businesses using AI technology, whether for new or existing AI deployments. Registration for the webinar is currently open and free for all participants.
2025-05-09 11:05:21 thehackernews MALWARE Malicious npm Packages Attack Cursor Users, Steal Credentials
Cybersecurity researchers have identified three malicious npm packages targeting Apple macOS users of the Cursor code editor. The packages, posing as developer tools for the Cursor API, overwrite Cursor's main files and disable updates to persist on the system. Over 3,200 downloads have been reported, with the packages designed to steal user credentials and deploy further malicious payloads. The attack exploits the growing interest in AI development tools by offering compromised software at reduced costs. Infected packages connect to a remote server to replace legitimate software with malicious versions, enabling arbitrary code execution. The discovery is part of a broader observation of npm package attacks, including other npm packages targeting cryptocurrency data. The security breach reflects an ongoing issue with software supply chain attacks, potentially affecting a wide range of users and applications.
2025-05-09 10:05:21 thehackernews MISCELLANEOUS Navigating Complexities of Modern Vulnerability Management
The Vulnerability Operation Center (VOC) identified over 1.3 million unique security findings across 68,500 assets, highlighting the scale of vulnerabilities. A significant portion of these findings are CVEs, many of which remain unaddressed due to the volume and reactive nature of current vulnerability management practices. The CVE system, underpinned by entities like MITRE and NIST, has faced constraints such as backlogs and bureaucratic delays, affecting the timely updating and enrichment of CVE data. The US Department of Homeland Security's discontinuation of its contract with MITRE creates uncertainty about the future administration and effectiveness of the CVE program. The Exploit Prediction Scoring System (EPSS), developed by FIRST, is used to predict and prioritize the vulnerabilities most likely to be exploited, aiding in more strategic vulnerability management. Despite attempts at efficient vulnerability management, the challenge lies in the large scale and unpredictable nature of CVE discoveries and exploitations. The article advocates for a shift from reactive vulnerability management to a more dynamic and strategic approach focused on threat mitigation and risk reduction. A renewed focus on designing and implementing resilient system architectures and baselines is recommended to manage vulnerabilities more efficiently and effectively.
2025-05-09 07:20:50 thehackernews CYBERCRIME Google Enhances AI Scam Detection in Chrome and Android
Google has introduced Gemini Nano, an AI-powered large language model, to enhance Safe Browsing in Chrome, Search, and Android platforms. The new AI model operates on-device, offering real-time analysis and protection against newly emerging web-based scams. Specifically tailored to combat tech support scams, Gemini Nano evaluates web pages for scam signals and integrates with Safe Browsing for scam identification. Google plans to extend these protections to target other scam variants such as package tracking and unpaid tolls, with a rollout expected on Chrome for Android later this year. The AI enhancements have significantly improved scam detection, blocking 20 times more deceptive pages and reducing impersonation of airline services and government resources by over 80% and 70% respectively. Additionally, a new feature in Chrome on Android will alert users about deceptive or spammy notifications from websites, enhancing user data security. Google's continuous expansion of AI-driven security features follows earlier implementations in Android's Messages app and call screening technologies. The company is also developing an Advanced Protection feature for Android 16, mirroring some of Apple's security measures and adding new ones like scam detection during banking transactions.
2025-05-09 04:38:45 thehackernews NATION STATE ACTIVITY Chinese Hackers Target SAP Systems with Critical RCE Flaw
A China-linked threat group, referred to as Chaya_004, has been actively exploiting a severe vulnerability in SAP NetWeaver, identified as CVE-2025-31324 with a CVSS score of 10.0. This flaw allows remote code execution via a vulnerable endpoint, leading to the uploading of web shells and deployment of the Brute Ratel C4 post-exploitation toolkit. Hundreds of SAP systems across multiple industries worldwide, including energy, pharmaceuticals, and government sectors, have been compromised. The flaw was initially discovered by ReliaQuest, with observed attacks beginning in January 2025 and significant compromises identified through March 2025. The attackers deployed a Golang-based web shell named SuperShell, hosted on an IP address associated with various other malicious tools and services. Mandiant and other cybersecurity firms have observed additional exploitation activities, such as cryptocurrency mining and the use of multiple exploit tactics. It is critical for SAP users to apply available patches immediately, restrict access, disable unnecessary services, and monitor for signs of malicious activity to mitigate risks.
2025-05-08 22:17:20 bleepingcomputer CYBERCRIME FBI: Malware Turns Old Routers into Cybercrime Proxy Networks
The FBI warns about malware infecting end-of-life (EoL) routers, converting them into proxy networks sold on platforms like 5Socks and Anyproxy. These outdated routers, no longer supported with updates, are susceptible to attacks using readily available exploits, enabling the installation of persistent malware. Threat actors use these compromised devices as part of residential proxy botnets to obscure their identities and locations, facilitating various cybercriminal activities. Commonly targeted models include EoL routers from Linksys and Cisco, with reported cases of exploitation by Chinese state-sponsored actors for espionage. Infected routers are managed via command and control servers, receiving directives that may include executing scans to find and compromise other vulnerable devices. Indicators of a router being compromised include network disruptions, overheating, performance issues, unexpected configuration changes, and unusual network traffic. The FBI recommends replacing EoL routers with up-to-date models, applying firmware updates, changing default credentials, and disabling remote administration to mitigate risks.
2025-05-08 20:58:49 bleepingcomputer MALWARE Cisco Addresses Critical Flaw in IOS XE That Could Hijack Devices
Cisco has patched a critical vulnerability in IOS XE Software impacting Wireless LAN Controllers. The flaw, identified as CVE-2025-20188, could allow unauthenticated attackers to fully control devices via a hard-coded JSON Web Token. The vulnerability, with a CVSS score of 10.0, enables severe actions like file uploading, path traversal, and arbitrary command execution with root privileges. Exploitation is possible only when the 'Out-of-Band AP Image Download' feature is enabled, which is not the default setting. The affected feature facilitates OS image downloads over HTTPS, beneficial for certain large or automated enterprise setups. Vulnerable devices include various Cisco products, while Cisco IOS (non-XE), Cisco IOS XR, Meraki, NX-OS, and AireOS-based WLCs are not affected. Although no active exploitation has been reported, the severity of the issue calls for applying the update immediately, per Cisco's advisories, as there are no available mitigations other than disabling the affected feature. Cisco urges users to check their device versions against the Cisco Software Checker to confirm they are protected.
2025-05-08 20:19:58 bleepingcomputer CYBERCRIME Pearson Education Suffers Major Cyberattack, Exposes Customer Data
Pearson, a prominent education company, confirmed a cyberattack resulting in stolen corporate and customer data. Unauthorized access was gained through an exposed GitLab Personal Access Token in a public .git/config file. The breach involved stealing terabytes of information from Pearson’s internal and cloud platforms, including AWS, Google Cloud, and Salesforce CRM. The stolen data reportedly includes customer details, financials, support tickets, and source code, affecting millions globally. The attack was traced back to January 2025 and involved scanning for exposed Git configuration files and embedded credentials. Pearson labeled the compromised data as mostly "legacy," though specifics weren’t fully disclosed. The company has augmented its security measures and is working with law enforcement on further investigations. Pearson had previously disclosed a related breach investigation of its subsidiary, PDRI, in January of the same year.
2025-05-08 19:06:02 bleepingcomputer MALWARE Supply Chain Malware Attack Targets Popular npm Package
An npm package called 'rand-user-agent', used to generate randomized user-agent strings, has been compromised in a supply chain attack. Despite being deprecated, the package still sees 45,000 weekly downloads, and its semi-abandoned status made it an attractive target. Threat actors introduced malicious code in versions 2.0.83, 2.0.84, and 1.0.110, which were not authorized releases from the original GitHub repository. The malicious code includes a remote access trojan (RAT) that creates a hidden directory and establishes a connection to a command and control (C2) server. This RAT can send sensitive information like machine ID, hostname, and OS details to the attackers and receive further malicious commands. The compromised versions of the package have been removed from npm, and users are urged to revert to the last legitimate version, 2.0.82. Downgrading to the safe version does not remove the RAT; a full system scan is recommended for users who have installed the affected versions.
2025-05-08 18:57:21 bleepingcomputer MALWARE Malicious Python Package Targets Discord Developers with RAT
A malicious Python package named "discordpydebug" was discovered targeting Discord bot developers with RAT malware. Hosted on the Python Package Index (PyPI) since March 2022, the package has been downloaded over 11,000 times. The malware provides attackers with capabilities for data theft, remote code execution, and system monitoring. Once installed, the package enables remote control by connecting to an attacker-controlled server and can execute commands and steal sensitive information. The RAT lacks persistence mechanisms but uses outbound HTTP polling to avoid firewall detection. It includes functions to read and write files on the host machine, enhancing the attackers' ability to access sensitive data remotely. Mitigation recommendations include verifying package origins, scrutinizing code for suspicious functions, and using security tools to detect malicious packages. The package exploits the lack of stringent security audits on PyPI, deceiving users with its legitimate-sounding name and absence of documentation.
2025-05-08 16:06:45 bleepingcomputer MALWARE Legitimate Monitoring Software Exploited in Advanced Ransomware Attacks
Ransomware groups are utilizing Kickidler employee monitoring software to conduct reconnaissance and steal credentials in compromised networks. Cybersecurity firms Varonis and Synacktiv reported that ransomware affiliates such as Qilin and Hunters International are deploying Kickidler following initial breaches. The malicious campaign begins with a decoy Google Ad for RVTools leading to a Trojanized download site, installing a backdoor that facilitates further attacks. The attackers maintained prolonged access to victim systems, gathering credentials to infiltrate off-site cloud backups undetected. This strategy avoids direct memory dumping or other easily detectable actions, using instead the stealthy data harvesting capabilities of Kickidler. The end goal involves deploying ransomware to encrypt VMware ESXi servers' virtual hard disks, significantly disrupting enterprise operations. Comprehensive defenses include auditing remote access tools, enforcing authorized software use, and blocking unused RMM ports and protocols.
2025-05-08 15:31:28 thehackernews CYBERCRIME Global Phishing Operation FreeDrain Targets Cryptocurrency Wallets
An extensive cryptocurrency phishing campaign named FreeDrain, discovered by SentinelOne and Validin, has been actively stealing digital assets from crypto wallets for several years using sophisticated SEO manipulation and free-tier web services. Over 38,000 sub-domains associated with the FreeDrain campaign, which use cloud infrastructure such as Amazon S3 and Azure Web Apps to mimic legitimate crypto wallet interfaces, have been identified. Victims are typically redirected to phishing sites from search engine queries about wallets, where they are tricked into entering their wallet's seed phrases. The operation is largely driven by actors working within the Indian Standard Time zone and appears highly organized, operating mostly during standard weekday hours. Techniques employed by the attackers include leveraging the trust in platforms like gitbook.io, webflow.io, and github.io to lure victims; they also use generative AI for content creation and spamdexing to enhance SEO visibility. Once a seed phrase is submitted on these phishing pages, the attacker's automated systems can drain funds from the wallets within minutes. The FreeDrain operation represents a significant example of modern, scalable phishing frameworks that expertly utilize both technological innovations and social engineering tactics. Additional cyber threats related to cryptocurrency, like Inferno Drainer and malvertising campaigns utilizing Facebook ads to distribute malware, continue to challenge digital security landscapes.
2025-05-08 15:01:47 bleepingcomputer DATA BREACH Insight Partners Confirms Data Theft in Recent Cyberattack
Insight Partners, a major venture capital firm, disclosed a data theft incident impacting sensitive investor and employee information due to a cyberattack on January 16, 2025. The breach occurred through a sophisticated social engineering attack, allowing unauthorized access to certain IT systems for one day. Despite the breach, Insight Partners confirmed that there were no disruptions to their ongoing business operations. An ongoing investigation with a hired eDiscovery vendor intends to establish the extent of the breach and identify affected individuals. Exposed data varies and could impact personal and financial security of the investors and employees involved. Affected parties are being advised to change passwords, enable two-factor authentication, and monitor financial activities closely. Initial notifications to potentially impacted individuals will be carried out in waves starting in the coming days. To date, no information regarding the breach has appeared on ransomware sites or extortion portals, leaving the attackers unidentified.
2025-05-08 14:02:08 thehackernews MALWARE SonicWall Fixes Critical Vulnerabilities in SMA 100 Devices
SonicWall has issued patches for three critical vulnerabilities in the SMA 100 Series devices that could enable remote code execution. By exploiting these security flaws, attackers could escalate privileges to administrator level, write files, and execute them as root. The addressed vulnerabilities could allow an attacker with SMA SSL-VPN user account access to modify system directories and elevate privileges. One of the vulnerabilities, CVE-2025-32819, may have been exploited as a zero-day, with previous incidents suggesting active exploitation. Previously identified vulnerabilities in the SMA 100 Series, including some from 2021 and 2023, have been actively exploited according to recent findings. The fixes are included in the newly released firmware version 10.2.1.15-81sv, and users are urged to upgrade their devices to this latest version to protect against these issues.