Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-07-09 08:45:35 | thehackernews | NATION STATE ACTIVITY | Chinese National Arrested for Cyberattacks, Tied to State-Sponsored Group | Xu Zewei, a 33-year-old Chinese national, was arrested in Milan, Italy for his connections to the state-backed hacking group Silk Typhoon and for conducting cyberattacks on U.S. entities. He faces charges including wire fraud, conspiracy, unauthorized access to protected computers, and aggravated identity theft, related to cyber intrusions from February 2020 to June 2021. Xu is implicated in exploiting vulnerabilities in Microsoft Exchange Server during the COVID-19 pandemic to target over 60,000 U.S. organizations, successfully compromising sensitive data from more than 12,700. These cyberattacks were reportedly directed by the Shanghai bureau of China's Ministry of State Security and executed notably through the Hafnium campaign, through which sensitive information was stolen globally. Xu, who reportedly worked for Shanghai Powerock Network Co. Ltd during the attack period, is resisting extradition, claiming mistaken identity due to a common surname and a mobile phone stolen in 2020. The Justice Department emphasized the systematic use of private firms by China to obscure government involvement in global espionage efforts. Despite the arrest, experts such as John Hultquist of Google Threat Intelligence Group suggest that the capture is unlikely to deter ongoing government-backed cyber espionage or significantly reduce operations. |
| 2025-07-09 08:37:06 | theregister | MISCELLANEOUS | London Police's Use of Facial Recognition Sparks Criticism | Privacy advocates criticize the Metropolitan Police's use of live facial recognition (LFR) technology, questioning both its effectiveness and its impact on civil liberties. Data reveals that out of 715,296 arrests since 2020, only 1,035 were assisted by LFR, with 773 leading to charges, accounting for merely 0.15 percent of total arrests. Critics argue the technology's costs and privacy implications outweigh its benefits in preventing crime. Big Brother Watch emphasizes the need for more efficient use of policing resources amid other uninvestigated serious crimes. The Met defends the technology, citing its role in significant arrests and in enhancing operational efficiency even when deployments do not lead to arrests. Recent deployment includes setting up permanent LFR cameras in Croydon after a two-year trial, amid ongoing concerns over surveillance expansion. The lack of specific legislation regulating police use of facial recognition in the UK adds to the controversy and to calls for oversight. The Met insists on solid safeguards with LFR, ensuring non-targeted individuals' biometrics are immediately deleted and focusing only on those matched with a watchlist. |
| 2025-07-09 07:18:13 | thehackernews | MISCELLANEOUS | Microsoft Releases Critical Patches for 130 Security Vulnerabilities | Microsoft's latest Patch Tuesday resolves 130 vulnerabilities, including critical flaws in SPNEGO and SQL Server. This update is the first of 2025 with no actively exploited zero-day vulnerabilities being patched, ending an 11-month streak. The publicly known vulnerability disclosed this month relates to Microsoft SQL Server and could allow unauthorized access to uninitialized memory, potentially exposing sensitive data. A severe remote code execution vulnerability in Windows SPNEGO Extended Negotiation could allow attackers to execute code remotely over a network, raising concerns about potential self-propagating malware akin to WannaCry. Other significant issues addressed include vulnerabilities in Windows KDC Proxy Service, Windows Hyper-V, and Microsoft Office, which could allow remote code execution without user interaction or privileges. Microsoft also patched multiple security feature bypasses in BitLocker which, if exploited, could permit access to encrypted data by attackers with physical access to the device. The discontinuation of SQL Server 2012 support was also noted, with users urged to upgrade to receive future security patches. |
| 2025-07-09 06:40:33 | theregister | NATION STATE ACTIVITY | Iranian Ransomware Group Targets U.S. and Israel, Incentivizes Attacks | An Iranian ransomware group has reactivated after five years under the name "Pay2Key.I2P" and offers cash for cyberattacks on the US and Israel. The updated malware builds on 2020's Pay2Key with features from Mimic ransomware, promising 80% payouts for attacks on "enemies of Iran." Morphisec researchers used undercover communication to gather intelligence on Pay2Key.I2P's operations and malware. The affiliation between Pay2Key.I2P, Pioneer Kitten, and Mimic ransomware signals a blend of Iranian state-sponsored cyber initiatives and organized global cybercrime. Pay2Key.I2P's operational enhancements include the use of I2P networks for anonymity and expanded targeting to include Linux systems. Within four months of operation, the group claimed to have collected over $4 million from 50 ransom payments. The group advertises its ransomware-as-a-service on darknet forums in Russia and China while also targeting American corporations following recent U.S.-Iran tensions. U.S. Homeland Security has issued an advisory alerting to the elevated threat level, urging increased network defenses against Iranian cyber threats. |
| 2025-07-08 23:05:58 | theregister | MALWARE | Microsoft Releases Crucial Security Fixes in Latest Patch Update | Microsoft's first Patch Tuesday of 2025 includes 130 new fixes, with a notable absence of actively exploited vulnerabilities. A critical vulnerability, CVE-2025-47981, rated 9.8 on the CVSS scale, risks remote code execution through a buffer overflow in SPNEGO protocols. Office applications received significant attention with 16 patches; four critical vulnerabilities could allow remote code execution without user interaction. Critical AMD processor-related fixes were released, targeting early EPYC and Ryzen chips; their risk is rated lower, but the update is still considered essential. CVE-2025-49717 in SQL Server introduces a complex remote code execution threat through a buffer overflow, though it is deemed less likely to be exploited. Updates included 16 additional fixes for Windows Routing and Remote Access Service and five for Microsoft's BitLocker encryption system, with a higher exploit likelihood. Adobe paralleled Microsoft's patch release, emphasizing updates for ColdFusion and Experience Manager Forms due to critical vulnerabilities. SAP also issued security updates, including patches for vulnerabilities rated CVSS 10 in its Supplier Relationship Management and 9.9 in S/4HANA and SCM systems. |
| 2025-07-08 20:44:59 | bleepingcomputer | CYBERCRIME | M&S Hit by Ransomware After Social Engineering Breach | M&S confirmed a network breach via a sophisticated impersonation attack, which led to a ransomware incident involving DragonForce malware. The breach occurred when attackers impersonated an M&S employee, deceiving a third-party IT support provider into resetting the employee's password. IT outsourcing company Tata Consultancy Services, which provides help desk support for M&S, is suspected of having inadvertently facilitated the breach. The ransomware attack involved double-extortion tactics, potentially including the theft of about 150GB of data and the encryption of servers, with a threat to release the data if a ransom was not paid. M&S chose not to interact directly with the ransomware operators and engaged professional negotiation services to handle the situation. Despite the attack and potential data theft, there has been no public confirmation of a ransom payment, though it was discussed with national authorities. The incident highlights ongoing vulnerabilities in retail security systems and the effectiveness of social engineering as an attack vector. |
| 2025-07-08 20:44:59 | bleepingcomputer | MISCELLANEOUS | Samsung Enhances Security in One UI 8 with Advanced Protection | Samsung unveils major security upgrades for the upcoming One UI 8 on Galaxy devices, focusing on data security and privacy enhancements. Knox Enhanced Encrypted Protection (KEEP) is introduced, designed to create isolated environments within apps to store and encrypt sensitive data. Upgrades to Knox Matrix include stronger management of device security across all connected Galaxy devices and automatic user sign-out when identity forgery is detected. Quantum-resistant technologies are implemented in Samsung's Secure WiFi to protect against future quantum-based threats. Enhanced security features aim to safeguard user inputs and data across AI-driven tools including personalized updates, photo searches, and more. Users are advised to upgrade to the new release to benefit from the stronger security measures and to review their data privacy settings. One UI 8 is expected to launch with the new Galaxy Z Fold 7 and Z Flip 7 models, with updates soon to be available for older models as well. |
| 2025-07-08 19:42:30 | bleepingcomputer | MALWARE | New TapTrap Technique Exposes Android Users to Hidden Risks | A novel tapjacking attack called TapTrap allows malicious apps to deceive Android users through invisible UI manipulations, gaining unauthorized access to device permissions and data. Developed by researchers from TU Wien and the University of Bayreuth, TapTrap exploits Android's animation features to obscure the real action the system will perform, effectively remaining undetected by users. The technique uses zero-permission apps that launch a transparent activity over a legitimate one, misleading users into tapping seemingly benign options which are, in fact, permission prompts for malicious activities. Research shows that 76% of apps in the Google Play Store might be vulnerable to such attacks due to the common presence of susceptible activity components. Despite the introduction of Android 16, vulnerability to TapTrap attacks persists, with official mitigation strategies yet to be fully implemented in future system updates. A video demonstration involving a game app has illustrated how TapTrap could manipulate a user into unknowingly granting camera access via a web browser. Google has acknowledged the problem and is actively working on fixes to strengthen protections against such tapjacking techniques, with updates expected in forthcoming Android versions. |
| 2025-07-08 19:17:02 | theregister | MALWARE | Over 2.3 Million Users Hit by Browser Extension Malware Campaign | A massive browser hijacking campaign has targeted users of Chrome and Edge through malicious extensions, affecting over 2.3 million users. Initially harmless, these browser extensions, including a popular color picker from Geco, were later updated with malware that enabled surveillance and data theft. These extensions, despite performing their stated functions such as color selection, covertly tracked user activity, captured URLs, and could redirect browsers to attacker-specified sites. Koi Security researchers discovered the campaign, dubbed RedDirection, which includes 18 different malicious extensions available in both the Chrome Web Store and Microsoft's Edge Add-ons. The malware functionality in these extensions was not present from the beginning; instead, it was inserted during subsequent updates, which were installed automatically without user interaction. The affected extensions offer various utilities like emoji keyboards, weather forecasts, and VPN services but secretly perform background activities that compromise users' privacy. Investigations into the incident are ongoing, and neither Google nor Microsoft has yet responded to inquiries regarding how these extensions passed their security checks. |
| 2025-07-08 17:36:58 | thehackernews | MALWARE | Popular Red Teaming Tool Exploited to Distribute Stealer Malware | Hackers have exploited the Shellter red teaming tool to spread Lumma Stealer and SectopRAT malware following a license leak by a customer. Shellter, designed to evade antivirus systems, was compromised despite stringent security measures and vetting processes in place since February 2023. Elastic Security Labs reported that starting from late April 2025, the stolen versions of Shellter were used in various infostealer campaigns. Shellter version 11.0, released on April 16, 2025, has been used in cybercriminal operations, reportedly after its sale on a cybercrime forum. The malware distribution includes methods like embedding malicious payloads into legitimate programs through self-modifying shellcode. Attack vectors involved sponsorship scams targeting content creators and fraudulent gaming modifications distributed via YouTube. The security industry faces increased challenges in mitigating threats from weaponized legitimate tools, as seen in earlier instances involving Cobalt Strike and Brute Ratel C4. The Shellter Project criticized Elastic's disclosure approach, highlighting a tension between public safety priorities and the handling of vulnerabilities. |
| 2025-07-08 17:36:58 | bleepingcomputer | CYBERCRIME | Microsoft's July 2025 Patch Resolves Zero-Day and 137 Other Flaws | Microsoft's July 2025 Patch Tuesday addressed 137 vulnerabilities, including a zero-day flaw in Microsoft SQL Server. The zero-day vulnerability, identified as CVE-2025-49719, involved information disclosure through improper input validation and could be exploited remotely. Among the resolved issues are 14 Critical vulnerabilities, with 10 allowing remote code execution, one for information disclosure, and two related to AMD side-channel attacks. The zero-day vulnerability was publicly disclosed before an official fix was available, highlighting ongoing security challenges. Several critical vulnerabilities in Microsoft Office and SharePoint were also patched, which could allow remote code execution from specially crafted documents or internet-based exploits. Aside from Microsoft, other vendors also issued updates and advisories addressing security concerns within their products in July 2025. Administrators are advised to update affected systems promptly to mitigate potential threats from these vulnerabilities. |
| 2025-07-08 16:18:16 | thehackernews | MALWARE | Android Banking Trojan Anatsa Targets 90,000 Users via Google Play | Cybersecurity experts uncovered a malware operation affecting 90,000 North American users, involving a trojan named Anatsa disguised as a "PDF Update" app on Google Play. The malicious app deployed fake overlay screens claiming banking services were down for maintenance in order to steal banking credentials. Anatsa, also known as TeaBot and Toddler, has been active since 2020 and uses dropper apps that initially appear benign to deliver the malware. The malware can perform credential theft, keylogging, and Device-Takeover Fraud (DTO) to carry out unauthorized transactions directly from victims' devices. The attack pattern includes creating legitimate-looking apps on Google Play, gaining user trust, and later embedding harmful updates. The malware receives updates on targeted financial institutions from an external server, adapting dynamically to different banks. Anatsa's operations are characterized by intermittent active and dormant periods, helping it evade detection and maintain effectiveness. Although the malicious app and its developer have been removed from Google Play, the app reached significant download milestones before detection. |
| 2025-07-08 15:04:23 | theregister | MISCELLANEOUS | Embracing Cloud-Native Solutions for Advanced Cyber Resilience | The rapid evolution of cyber threats is outpacing the capabilities of traditional data protection tools, necessitating a shift to cloud-native cyber resilience strategies. Attackers are increasingly using sophisticated methods such as GenAI for malware creation and social engineering, targeting not just large enterprises but also smaller entities and cloud environments. Regulatory pressures are intensifying, with stringent global mandates on data privacy, sovereignty, and recovery, which many existing tools cannot meet without significant manual oversight. The costs associated with data sprawl across multi-cloud, SaaS, and edge environments are mounting, emphasizing the need for centralized, cost-effective data protection solutions. Cloud-native platforms for cyber resilience differ from traditional cloud-based backups by offering proactive threat hunting, AI-powered detection, and seamless integration with broader security infrastructures. Industry recognition, such as Druva's leadership in Gartner's Magic Quadrant, highlights the growing importance and acceptance of cloud-native solutions in enterprise data security. To effectively counter modern cyber risks, organizations must adopt intelligent, fully managed cloud-native solutions that not only back up data but also enhance overall cyber resilience. |
| 2025-07-08 15:04:22 | bleepingcomputer | MALWARE | Anatsa Malware Targets US Banks via Google Play Apps | Anatsa, a banking trojan, was again found disguised as a legitimate app on Google Play, this time mimicking a PDF viewer with over 50,000 downloads. The malware activates upon the app's installation, targeting users of North American banking apps by overlaying fake notifications about banking maintenance to conceal its activities. ThreatFabric researchers have monitored Anatsa's presence on Google Play for years, noting repeated incidents where the trojan achieved significant download milestones through trojanized utility and productivity apps. In a recent modus operandi, the operators keep the initial versions of these apps clean and later push an update that introduces malicious code to download and install the Anatsa payload. Upon infection, Anatsa connects to its command-and-control server to receive instructions and a list of apps to monitor, enabling unauthorized access and fraudulent transactions. The most recently affected app, 'Document Viewer – File Reader' by 'Hybrid Cars Simulator, Drift & Racing,' delivered its trojan payload between June 24 and 30, following an update six weeks after release. Google has since removed the malicious app, and affected users are advised to uninstall it, run a full system scan, and reset their banking credentials. Users are also advised to download apps only from trusted publishers, scrutinize user reviews, check app permissions, and limit the number of installed apps to reduce exposure. |
| 2025-07-08 14:10:01 | bleepingcomputer | MALWARE | Malicious Chrome Extensions Affect 1.7 Million Downloads | Nearly a dozen Chrome extensions with 1.7 million installs were discovered to have malicious capabilities, allowing user tracking and data redirection. The extensions masquerade as useful tools (e.g., VPNs, volume boosters) but execute harmful activities in the background via the Chrome Extensions API. Koi Security identified the harmful extensions, noting that some still persist in the Chrome Web Store despite previous alerts. These extensions capture and transmit user data to remote servers, which also have the capability to redirect users to potentially harmful websites. Google's auto-update feature unintentionally propagates these malicious updates to users without explicit consent or notification. The malicious code was added in updates after initial installation, hinting at external compromise of previously safe extensions. Additional malicious extensions were found in Microsoft Edge's official store, with the total user impact across both stores estimated at over 2.3 million. Researchers recommend immediate removal of affected extensions, clearing browser data, running system malware checks, and monitoring for irregular account activity. |