Daily Brief

Find articles below; each entry is followed by a generated summary

Total articles found: 11823

Checks for new stories every ~15 minutes

2025-05-06 23:58:23 theregister CYBERCRIME Meta Wins $168M in Damages Against NSO for WhatsApp Spyware
In May 2019, WhatsApp engineers uncovered a zero-day flaw allowing NSO's Pegasus spyware to install via a phone call, compromising around 1,400 accounts. The jury awarded Meta over $167 million in damages after NSO used the flaw for spying, affecting the privacy of WhatsApp users. Pegasus spyware provided NSO's clients unchecked access to phone and data actions, including activating cameras and microphones for covert surveillance. NSO had tried various legal defenses, including claiming sovereign immunity and asserting they only served government entities. The court proceedings revealed NSO spent significant amounts on developing malicious technology, capable of breaching both iOS and Android systems. Meta intends to donate any received damages to digital-rights groups, emphasizing their commitment to privacy and security. Post-verdict, NSO Group is considering further legal actions, maintaining their technology aids in preventing serious crimes and terrorism.
2025-05-06 20:48:15 theregister DATA BREACH Whistleblower Fired After Exposing Unauthorized Server Room Access
James Papa, a former service delivery manager at Computacenter, was dismissed from his role after he reported unauthorized access to Deutsche Bank's server rooms. Papa claimed a Computacenter employee granted his girlfriend, Jenny, multiple unauthorized entries into Deutsche Bank's server rooms, where she had access to sensitive banking data. CCTV footage confirmed that Deutsche Bank's security team allowed Jenny to enter the server rooms without proper authorization, despite repeated warnings from Papa. Computacenter and Deutsche Bank allegedly interrogated Papa aggressively after he raised concerns about the security lapses and advised notifying the SEC. Papa was suspended and later terminated, purportedly under pressure from Deutsche Bank, and he was the only person fired over the incident. He has filed a lawsuit against Computacenter, Deutsche Bank, and its vice president of datacenter operations for wrongful termination, violation of whistleblower protection laws, and negligence, seeking over $20 million in damages. The incident raises significant concerns about security protocols and corporate accountability at Deutsche Bank's U.S. facilities.
2025-05-06 18:33:45 theregister MISCELLANEOUS Pentagon Overhauls Software Procurement to Boost Security
The US Department of Defense (DoD) is revamping its outdated software procurement systems to enhance security. Katie Arrington, DoD's CIO, launched the Software Fast Track (SWFT) initiative aimed at reforming the acquisition, testing, and authorization of software. The initiative will address cybersecurity and Supply Chain Risk Management (SCRM), making processes more agile and transparent in the face of complex software development challenges. Current procurement processes lack speed and visibility into software supply chains, which SWFT aims to improve significantly. Key goals include defining clear cybersecurity requirements, verifying software security, and expediting software adoption with an implementation plan expected within 90 days. The efforts align with broader objectives to equip military personnel with secure, high-quality software tools rapidly, enhancing both lethality and resilience. Challenges persist with securing government software, evidenced by recent malware attacks targeting the DoD and leaks of sensitive information. The DoD's use of unclassified communication tools like Signal for official business has raised concerns about security and the handling of confidential information.
2025-05-06 18:16:34 bleepingcomputer MALWARE Critical Apache Parquet Flaw Exploitable: New Tool Released
A critical vulnerability in Apache Parquet, CVE-2025-30065, enables remote code execution through a deserialization flaw. F5 Labs released a proof-of-concept exploit tool after finding previous PoCs ineffective, proving the flaw's exploitability. The vulnerability impacts all Apache Parquet versions up to 1.15.0 and specifically affects the parquet-avro module. Exploitation is technically involved, requires specific conditions, and may only produce side effects during Java object instantiation. F5 Labs developed the tool to help administrators identify vulnerable systems; a susceptible system reveals itself by issuing an HTTP GET request. Upgrading to Apache Parquet version 1.15.1 and configuring deserialization settings are recommended to mitigate risks. F5 Labs emphasizes the limited practical use of the CVE for attackers but acknowledges significant risks in environments that process unverified Parquet files.
2025-05-06 17:15:07 bleepingcomputer MALWARE Hackers Exploit Samsung Server Flaw to Deploy Malware
Hackers are exploiting an RCE vulnerability (CVE-2024-7399) in Samsung MagicINFO 9 Server, allowing device hijacking and malware deployment. Samsung MagicINFO Server is a central management system used widely in sectors like retail and healthcare to manage multimedia content on digital signs. The vulnerability, disclosed and patched in August 2024, stems from improper file upload restrictions enabling attackers to upload malicious code. Security researchers recently published a proof-of-concept demonstrating how attackers achieve remote code execution by uploading a .jsp file and executing OS commands via the web. Arctic Wolf has reported active exploitation following the release of the proof-of-concept, predicting continued targeting due to the vulnerability's ease of exploitation. A variant of the Mirai botnet malware has been observed leveraging this vulnerability to take over affected devices. Urgent patching to version 21.1050 or later is recommended for system administrators to mitigate the risk associated with this vulnerability.
2025-05-06 16:24:30 bleepingcomputer DATA BREACH UK Legal Aid Agency Faces Potential Data Compromise Incident
The UK Legal Aid Agency (LAA) has reported a cybersecurity incident potentially affecting financial records. Law firms working with the LAA were alerted about the possibility of compromised payment information. Around 2,000 legal aid providers in England and Wales may be impacted by this security issue. The UK's National Crime Agency, alongside the National Cyber Security Centre, is assisting the Ministry of Justice (MoJ) in investigating the cyber incident. This breach notification follows several high-profile cyberattacks on major UK retailers, indicating a larger trend of targeted cyber operations in the region. The LAA is currently assessing the extent of the incident and has implemented measures to mitigate further risks. The UK National Cyber Security Centre (NCSC) emphasized the urgency for all UK businesses to enhance their cybersecurity measures in response to recent events.
2025-05-06 16:09:38 bleepingcomputer CYBERCRIME Critical RCE Vulnerability in Langflow AI App Servers Exploited
CISA has announced that the CVE-2025-3248 Langflow RCE vulnerability is actively exploited, prompting urgency in implementing security updates. The flaw allows unauthenticated internet-based attackers to gain control of affected Langflow servers via a flaw in an API endpoint. Langflow, an open-source tool used extensively for AI development, has an API endpoint that improperly sanitizes user input, enabling remote code execution. The vulnerability was resolved in Langflow version 1.3.0, with a recommendation for users to upgrade to mitigate risks. Horizon3 researchers have released a technical analysis of the CVE-2025-3248 flaw, noting at least 500 internet-exposed instances and demonstrating a proof-of-concept exploit. CISA requires federal agencies to update or secure Langflow installations by May 26, 2025, or discontinue its use. Those unable to upgrade immediately should limit network exposure of Langflow by employing measures like firewalls or VPNs and avoid direct internet connections. The latest software version, Langflow 1.4.0, includes numerous fixes, further enhancing security postures for users.
2025-05-06 15:39:49 thehackernews DDOS Hackers Utilize IoT Flaws in Mirai Botnet Deployment for DDoS Attacks
Threat actors have exploited obsolete GeoVision IoT devices through command injection flaws to build a Mirai botnet. These compromised devices are used for distributed denial-of-service (DDoS) attacks, first detected by Akamai SIRT in April 2025. A Samsung MagicINFO 9 Server vulnerability, patched in August 2024, has also been targeted for Mirai botnet deployment through a path traversal flaw. Akamai notes that outdated firmware on older devices with no available patches is a major enabler of such attacks. Exploited vulnerabilities include high-severity flaws in Hadoop YARN and a previously identified issue in DigiEver. Arctic Wolf recommends updating Samsung MagicINFO to version 21.1050 or later to mitigate risks associated with these vulnerabilities. Evidence links these incidents to a known campaign, "InfectedSlurs," emphasizing the reuse of tactics and tools among cybercriminal networks.
2025-05-06 14:05:59 bleepingcomputer MISCELLANEOUS How EASM Enhances Digital Risk Protection and Cyber Resilience
Modern organizations struggle to secure their public-facing assets due to factors like shadow IT and third-party exposures. External Attack Surface Management (EASM) is increasingly crucial in mitigating vulnerabilities and enhancing digital resilience. EASM enables security teams to manage and comprehend complex digital attack surfaces, particularly in hybrid environments. It offers continuous visibility, crucial for proactive threat detection and risk prioritization, thus preventing potential cyberattacks. Digital Risk Protection (DRP) complements EASM by proactively identifying threats across an organization’s digital footprint, including social media and the deep web. EASM’s integration into DRP strategy should involve regular assessments, collaboration across departments, continuous improvement, and careful vendor selection. Outpost24’s EASM solution is highlighted as an effective tool combining cyber threat intelligence and attack surface management.
2025-05-06 13:38:01 thehackernews CYBERCRIME Facebook Ads and RDGA Domains Facilitate Sophisticated Investment Scams
Cybersecurity researchers identify two groups, Reckless Rabbit and Ruthless Rabbit, using Facebook ads to promote investment scams with fake celebrity endorsements. Scammers employ Traffic Distribution Systems to manage and filter user traffic, enhancing the effectiveness of their schemes. The scams involve sophisticated data collection via web forms, then use HTTP GET requests to validate potential victims' geography and contact details. Victims passing initial screenings are led to platforms where they are deceived into transferring funds or entering financial data. Reckless Rabbit targets users in specific Eastern European countries, using domain generation algorithms to dynamically create credible yet fake platform domains. Scams leverage call centers to guide victims through the money transfer process, intensifying the scam's perceived legitimacy. U.S. and European authorities are taking action against similar scams, indicating a growing trend of sophisticated cybercrimes using social media platforms. Recent arrests in Spain and escalating scam operations worldwide emphasize the persistent and adaptive nature of cybercriminal strategies.
2025-05-06 13:38:00 bleepingcomputer MALWARE Google Patches Critical Zero-Day Flaw in FreeType on Android
Google has issued security updates for Android, addressing 45 vulnerabilities, including an actively exploited FreeType 2 flaw. The critical vulnerability, identified as CVE-2025-27363, allows arbitrary code execution and affects all versions of FreeType up to 2.13. Facebook security researchers first discovered this high-severity bug in March 2025, with potential targeted exploitation noted. Exploitation involves an out-of-bounds write when parsing certain TrueType font files in vulnerable FreeType versions. Additional updates in the May 2025 bulletin cover high-severity issues in Android's Framework, System, Google Play, and Kernel, along with components from MediaTek, Qualcomm, Arm, and Imagination Technologies. The security updates are applicable to Android versions 13, 14, and 15, with older versions like Android 12 no longer supported or receiving fixes directly, though Google Play system updates may offer some mitigation. Android users with unsupported versions are advised to switch to third-party distributions or newer devices to maintain security.
2025-05-06 11:27:56 thehackernews DATA BREACH Identifying Third-Party and Machine Credentials as Major Security Risks
The 2025 Verizon Data Breach Investigations Report highlights significant breaches driven by third-party exposure and machine credential abuse. Incidents linked to third parties doubled in one year, emphasizing the need for robust management of non-employee identities. Machine identities, such as service accounts and bots, are rapidly increasing and becoming prime targets for attackers due to poor oversight. Traditional security tools are insufficient for the growing complexity and scale of managing both human and machine identities in a unified way. SailPoint offers solutions that address these complex challenges by providing an enterprise-scale identity security platform that includes machine identities management. Organizations are advised to adopt a unified approach to identity governance to protect against vulnerabilities and enhance security across all user types. The DBIR urges businesses to extend identity security practices to encompass contractors, partners, and machine entities to avoid potential breaches.
2025-05-06 11:10:59 thehackernews MISCELLANEOUS Microsoft Highlights Security Risks in Kubernetes Deployments
Microsoft has issued a warning regarding the potential security weaknesses in using default Helm charts for Kubernetes deployments. Helm charts, which simplify the deployment process of applications on Kubernetes, often come with default settings that prioritize convenience over security, leading to potential misconfigurations. These misconfigurations can expose sensitive data, cloud resources, or entire environments, making them vulnerable to attacks. Key vulnerabilities include exposing services to the internet without adequate network controls and lacking sufficient authentication or authorization safeguards. Microsoft's research team advises reviewing and adjusting the configurations in Helm charts and YAML manifests based on security best practices. Regular scans of publicly facing interfaces and ongoing monitoring of container activities are recommended to detect and mitigate threats. The issue is significant because many exploits of containerized applications originate from these default and negligent configurations.
2025-05-06 10:04:58 thehackernews MISCELLANEOUS Essential Strategies for Backing Up Microsoft Entra ID
Microsoft Entra ID is critical for identity management in business, heavily targeted with over 600 million daily attacks. Despite built-in protections such as multifactor authentication and conditional access, gaps remain in Microsoft Entra ID’s native security. Companies experience significant disruptions from breaches, including downtime, failed audits, and reputational damage. Microsoft's model indicates user responsibility for data backup, highlighting the importance of a dedicated backup strategy. Limitations in native recovery tools, like the Recycle Bin’s brief retention period, underscore the need for robust backup solutions. Effective backup strategies should align with organizational risk profiles, balancing protection needs against cost and resource availability. Tailored backup approaches enhance resilience, ensuring businesses can recover swiftly and continue operations despite threats. Veeam Data Cloud offers enhanced management and recovery solutions, catering to the inherent limitations of native Entra ID protections.
2025-05-06 09:15:03 bleepingcomputer MALWARE Linux Servers Targeted by Wiper Malware in Supply-Chain Attack
Researchers identified a supply-chain attack using malicious Go modules on GitHub designed to target Linux servers. The malware, contained within three Go modules, executes a disk-wiping script that leads to irreversible data loss and system failure. The destructive payload, a Bash script named done.sh, uses a 'dd' command to overwrite all data on the primary Linux storage volume, /dev/sda. The malware checks for a Linux environment before execution, ensuring it only affects Linux systems. The obfuscated code within the modules retrieves and immediately executes a remote wiper script, leaving minimal response time for mitigation. The impersonating Go modules mimicked legitimate projects, increasing the likelihood of developers inadvertently integrating malicious code into their applications. The decentralized nature of the Go ecosystem, with its lack of stringent verification, facilitates this type of malware dissemination. GitHub has since removed the identified malicious modules from its platform to prevent further spread.