Daily Brief

2025-05-07 15:39:05 bleepingcomputer CYBERCRIME Critical Flaw in OttoKit Plugin Leads to Unauthorized Admin Access
Hackers are exploiting a critical vulnerability in the OttoKit WordPress plugin to create rogue admin accounts on websites. The flaw allows attackers to bypass authentication and gain administrative privileges through the plugin's API. OttoKit, installed on over 100,000 sites, is a widely used tool for automation and for connecting websites to third-party services. The vulnerability was reported on April 11, 2025, and patched by April 21, 2025, with most users updated by April 24, 2025. Attackers targeted REST API endpoints, mimicking integration attempts to exploit the flaw, and subsequently created new admin accounts. Patchstack has strongly recommended that users update the plugin and check logs and settings for signs of compromise. This is the second critical-severity flaw exploited in OttoKit since April 2025, underlining the plugin's ongoing security problems.
2025-05-07 14:45:55 bleepingcomputer CYBERCRIME Play Ransomware Gang Exploits Zero-Day in Multi-Regional Attacks
The Play ransomware gang exploited a zero-day vulnerability in the Windows Common Log File System, tracked as CVE-2025-29824, to escalate privileges to SYSTEM. Microsoft detected and patched the vulnerability, revealing its exploitation in a limited set of attacks on sectors across multiple countries, including IT and real estate in the US, finance in Venezuela, software in Spain, and retail in Saudi Arabia. The RansomEXX gang was linked to the initial attacks; it installed PipeMagic malware to facilitate ransomware deployment and file encryption. No ransomware was deployed in the intrusion at a U.S. organization studied by Symantec; however, the Grixba infostealer, linked to the Play ransomware group, was used. Play ransomware, active since June 2022, is known for double-extortion tactics, threatening victims with data exposure if ransoms aren't paid. The FBI, along with CISA and the ACSC, issued a warning about the Play ransomware gang after breaches affected approximately 300 organizations globally as of October 2023. High-profile victims of Play ransomware include Rackspace and Arnold Clark, indicating significant impacts on major corporations.
2025-05-07 14:05:25 bleepingcomputer MISCELLANEOUS How Universal 2nd Factor (U2F) Enhances Online Security
Universal 2nd Factor (U2F) adds a physical device to two-factor authentication, improving login security beyond passwords alone. Even with strong passwords, Verizon's 2024 Data Breach Investigations Report indicates that stolen credentials are involved in approximately 31% of data breaches. The Specops Breached Password Report 2025 highlights that even complex passwords can be compromised, with many users still reusing passwords across multiple accounts. U2F devices work by creating a new cryptographic "key pair" that must correspond with the registered system before access is granted, which significantly strengthens authentication. Mainstream adoption faces challenges such as the cost of devices, though they are relatively inexpensive, and the need to educate users on the new technology. The risk of losing the physical U2F device is comparable to misplacing common items like car keys, but losing the device alone doesn't compromise access because both the password and the device are required. Passwords continue to provide foundational security benefits and remain essential alongside evolving technologies like U2F for effective cybersecurity strategies. Multi-factor authentication, including technologies like U2F, is becoming increasingly crucial for enhancing and complementing password-based online defenses.
2025-05-07 13:57:11 thehackernews DDOS Europol Dismantles DDoS Services and Arrests Operators
Europol announced the takedown of six DDoS-for-hire platforms used in thousands of global cyber-attacks. Four individuals were arrested by Polish authorities, and the US seized nine related domains. The dismantled DDoS services enabled attacks on schools, governments, and businesses for fees as low as EUR 10. These platforms had no technical entry barriers, offering user-friendly interfaces for orchestrating attacks. Seized services operated under names such as cfxapi, cfxsecurity, and quickdown, offering various subscription plans. Operation PowerOFF, with Dutch and German collaboration, targets the dismantling of DDoS-for-hire infrastructure and has resulted in previous arrests and service disruptions. Recent reports by cloud security firms identified a shift towards hybrid architectures in DDoS services, blending botnets with dedicated servers.
2025-05-07 13:47:49 thehackernews MALWARE Exploits in OttoKit WordPress Plugin Affect Over 100K Sites
A second critical vulnerability in the OttoKit WordPress plugin is currently being exploited. The flaw, identified as CVE-2025-27007 with a CVSS score of 9.8, allows unauthenticated privilege escalation. All plugin versions up to 1.0.82 are susceptible; users are urged to update to version 1.0.83 immediately. The exploit relies on unverified initial connections that enable attackers to create administrative accounts. Attackers are also targeting a related vulnerability, CVE-2025-3102, suggesting a broader, coordinated campaign. Exploitation attempts have been observed since May 2, 2025, with a significant increase on May 4, 2025. With over 100,000 installations, the potential impact of this exploit is extensive, affecting numerous WordPress sites globally.
2025-05-07 13:47:49 bleepingcomputer CYBERCRIME Masimo Corp Warns of Cyberattack Impacting Production and Deliveries
Medical device manufacturer Masimo Corporation reported a significant cyberattack affecting its production capabilities and causing delays in customer order fulfillments. The incident, disclosed via an SEC Form 8-K filing, occurred on April 27, 2025, targeting the company's on-premise network systems. Despite the attack, Masimo’s cloud-based infrastructure remains unaffected; however, several on-premise systems have been isolated to prevent further damage. The breach has led to operational disruptions, with some manufacturing facilities operating below normal levels, impacting the company's ability to process and ship orders as scheduled. The specific type of cyberattack has not been detailed, but the company is currently working with external cybersecurity experts to investigate and restore normal operations. Law enforcement has been notified of the incident, and an ongoing investigation aims to determine the precise nature and scope of the breach. Masimo has not identified any claims from ransomware groups regarding responsibility for the attack as of this reporting.
2025-05-07 13:23:15 bleepingcomputer CYBERCRIME CISA Issues Warning on Cyber Threats to U.S. Oil and Gas Sectors
CISA has warned that basic cyber attack techniques are being used to target U.S. oil and natural gas infrastructure. The threats could cause operational disruptions, physical damage, and compromise of industrial control systems and operational technology. Despite the simplicity of the attack methods, the impact is potentially significant due to poor cybersecurity practices in critical infrastructure sectors. A joint advisory from CISA, FBI, EPA, and DOE provided guidelines for enhancing security, including removing public-facing OT devices and enforcing strong password policies. It also advised using VPNs with multifactor authentication, placing demilitarized zones between IT and OT networks for segmentation, and maintaining robust failover and recovery processes. Practicing manual control operations and routinely testing emergency protocols were emphasized to ensure resilience against disruptions. Regular collaboration with third-party service providers was recommended for additional security support and tailored defensive strategies.
2025-05-07 11:38:46 thehackernews MALWARE SysAid Addresses Critical Vulnerabilities Enabling Remote Code Execution
Cybersecurity researchers revealed multiple critical vulnerabilities in the on-premise version of SysAid IT support software. The flaws, identified as CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777, are XML External Entity (XXE) injections allowing pre-authentication remote code execution. Attackers could exploit them to perform Server-Side Request Forgery (SSRF) attacks and potentially execute remote code by injecting unsafe XML entities. An additional related vulnerability, CVE-2025-2778, is an OS command injection that could further facilitate remote code execution. Successful exploitation could allow unauthorized access to sensitive data, including plaintext administrator passwords, enabling full administrative control. SysAid has released software update version 24.4.60 to patch these vulnerabilities. A proof-of-concept (PoC) exploit chaining these vulnerabilities has been made public, raising the urgency of updating. This is not the first time SysAid has been targeted; CVE-2023-47246 was previously exploited in ransomware attacks by Cl0p.
2025-05-07 11:28:28 bleepingcomputer DDOS Global Crackdown on DDoS-for-Hire Services Leads to Multiple Arrests
Polish authorities, in collaboration with international law enforcement, arrested four individuals connected to six DDoS-for-hire platforms. These platforms facilitated thousands of cyberattacks globally, targeting sectors like education, government, commerce, and gaming. The services, marketed as legitimate stress-testing tools, were primarily used to disrupt online operations by flooding them with traffic, causing service outages. The crackdown involved coordinated efforts by Germany, the Netherlands, Poland, and the U.S., leading to the seizure of domains and data important for further investigations. Dutch police created decoy booter sites to educate potential users about the illegality and surveillance of such services. International cooperation under Operation PowerOFF has been pivotal since December 2018 in combating the proliferation of DDoS-for-hire platforms. This operation highlights ongoing efforts to dismantle cybercrime networks and the instrumental role of data sharing between countries in tackling such illegal activities.
2025-05-07 10:59:21 thehackernews MISCELLANEOUS Reassessing SSEs: Closing Gaps in Browser-level Security
Security Service Edge (SSE) platforms are essential for securing hybrid work environments and SaaS access, offering centralized policy enforcement and connectivity. SSEs, however, have a critical limitation: they lack visibility and control over activity within the browser, where significant user risks and sensitive actions occur. Current SSE implementations cannot monitor or control real-time actions inside browser tabs, leaving organizations exposed to attacks, insider threats, and data leaks. To address this gap, organizations are adopting browser-native security solutions such as Enterprise Browsers and Enterprise Browser Extensions. These browser-native platforms enhance security by providing controls directly within the browser, which suits unmanaged devices and remote users. Combining SSE with browser-native security offers comprehensive protection, extending from network-level to user-level interactions. Integrating both approaches encourages a re-evaluation of conventional security frameworks, focusing more on user interaction points. The report advocates a shift in security paradigms toward end-to-end protection in light of evolving threats and the increased use of browser-based applications.
2025-05-07 10:49:43 thehackernews MALWARE Exploiting Zero-Day, Play Ransomware Targets U.S. Organization
Threat actors linked to the Play ransomware family exploited CVE-2025-29824, a recently patched Microsoft Windows zero-day vulnerability, in an attack on an unnamed U.S. organization. The attackers used a privilege escalation flaw in the Common Log File System (CLFS) driver and potentially gained network access through a Cisco Adaptive Security Appliance. Symantec's findings indicate the exploit was delivered using bespoke tools, including a customized information stealer named Grixba and disguised executable files placed in the Music folder. During the attack, commands were executed to collect details on all machines in the target's Active Directory, with the results stored in a CSV file, although no ransomware payload was deployed during the intrusion. Artifact files created during the attack were discovered under the C:\ProgramData\SkyPDF path, indicative of the sophistication of this particular exploitation attempt. Notably, the attack involved creating and adding a new administrator user and cleaning up exploit traces. This incident reflects the broader trend of ransomware attackers leveraging zero-day vulnerabilities to infiltrate targets, a tactic previously noted in other ransomware campaigns.
2025-05-07 10:35:51 theregister DDOS Curl Project Founder Frustrated by Flood of AI-Generated Bug Reports
Curl project founder Daniel Stenberg is implementing stricter report screening due to a surge in AI-generated bug reports that waste maintainers' time. Stenberg likens the flood of invalid AI-assisted reports to a DDoS attack, draining resources and contributing to maintainer burnout. A new policy on HackerOne now requires reporters to disclose the use of AI in their submissions, with immediate bans for those submitting low-quality reports. The increase in AI-generated reports has significantly disrupted the workflow, with none of the AI-generated submissions in the past six years identifying a valid bug. Peers in the industry, like Python's Seth Larson, also express concern about the cost of handling these deceptive but initially plausible reports. Low-quality reports, treated as almost malicious, heighten stress and the risk of burnout among key contributors to open-source projects. Despite offering substantial bounties for valid bug discoveries, the curl project has not paid out for any AI-generated report, highlighting their ineffectiveness. The incident that prompted Stenberg's decisive action was a report that initially seemed credible but turned out to be based on nonexistent functions.
2025-05-07 07:40:19 thehackernews MALWARE Malicious Discord Utility Package Exposes Thousands to Cyber Threats
Security researchers identified a malicious package named "discordpydebug" on the Python Package Index that acts as a remote access trojan. Although presented as a tool for Discord bot developers, the package conceals malware capable of serious malicious activity. Installed over 11,500 times, the RAT can manipulate files, execute commands, and exfiltrate sensitive data. The RAT relies on outbound HTTP polling to avoid detection and can bypass most traditional security defenses. Reflecting broader supply-chain problems, over 45 related malicious npm packages were also found, all linked to a single threat actor. The findings highlight a significant and ongoing software supply chain risk, suggesting heightened scrutiny is necessary from software developers and the platforms hosting such packages.
2025-05-07 06:32:08 thehackernews NATION STATE ACTIVITY NSO Group Ordered to Pay $168M for WhatsApp Spyware Misuse
A federal jury ordered NSO Group to pay approximately $168 million to WhatsApp for deploying Pegasus spyware against over 1,400 individuals worldwide. The lawsuit, filed by WhatsApp against NSO Group in 2019, highlighted the targeting of journalists, activists, and dissidents using the Pegasus spyware. Victims included 456 individuals in Mexico, with significant numbers also in India, Bahrain, Morocco, and Pakistan, spanning 51 countries in total. The spyware exploited a critical zero-day vulnerability in WhatsApp's voice calling feature to spread. U.S. District Judge Phyllis J. Hamilton emphasized NSO's violation of both federal and state laws, and the contradictory claims NSO made about its customers' activities and intents. WhatsApp plans to seek a permanent injunction against NSO's operations targeting its platform and will donate to digital rights organizations to combat similar threats. In total, punitive damages were set at $167,254,000, with an additional $444,719 in compensatory damages for the effort spent mitigating the attack vectors. The ruling is a significant victory for privacy advocates and carries further legal and ethical implications for the global surveillance software industry.
2025-05-07 04:10:37 theregister MISCELLANEOUS New Zealand Proposes Social Media Age Restriction Bill for Under-16s
New Zealand's government endorses a bill to ban social media access for users under 16, though not as a formal government initiative. The proposal, introduced by MP Catherine Wedd, would require social media companies to verify the age of new users. Cyber-bullying, exposure to inappropriate content, and social media addiction are the key concerns driving the bill. Prime Minister Christopher Luxon emphasizes the need for safety measures online similar to those in the physical world. The legislation proposes penalties of up to NZ$2 million for platforms that fail to accurately verify user ages. The bill's progress is uncertain, as it must be advanced without direct support from the party machinery. It has drawn interest from the opposition and aligns with global trends towards protecting children online, mirrored by similar movements in Australia and the UK.