Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11823
| Timestamp | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-06 05:51:57 | thehackernews | MALWARE | Google Patches Android Vulnerability Exploited in the Wild | Google's May 2025 Android security update fixes 46 vulnerabilities, one of which was already being exploited in the wild. CVE-2025-27363 is a high-severity flaw in the System component that allows local code execution with no additional execution privileges needed. The root cause is an out-of-bounds write in the FreeType font rendering library, triggered when it parses TrueType and variable font files. Facebook reported the bug in March 2025, by which point it was already under active exploitation. FreeType 2.13.0 and earlier are affected; the update moves Android to a newer FreeType release that contains the fix. The bulletin also fixes further System and Framework issues that could otherwise be abused for privilege escalation, information disclosure and denial of service. Google notes that exploitation of many of these issues is made harder by security improvements in newer Android releases, and urges users to install the update. | Details |
| 2025-05-06 04:30:53 | thehackernews | MALWARE | Critical Flaw in Langflow Added to CISA KEV for Active Exploits | CISA has added CVE-2025-3248, a critical flaw in the Langflow platform, to its Known Exploited Vulnerabilities (KEV) catalog on evidence of active exploitation. The flaw carries a CVSS score of 9.8 and lets a remote, unauthenticated attacker execute arbitrary code via the /api/v1/validate/code endpoint. That endpoint hands attacker-supplied Python to exec() with no authentication or sandboxing in front of it, which amounts to remote command execution on the server. Multiple Langflow versions are affected; the fix shipped in version 1.3.0 on March 31, 2025. Horizon3.ai discovered and reported the bug, describing it as easily exploitable and as giving full control of the server. A public proof-of-concept exploit appeared on April 9, 2025, adding urgency to patching. More than 400 internet-exposed Langflow instances have been identified, mostly in the US, Germany, Singapore, India and China. CISA requires Federal Civilian Executive Branch agencies to apply the fix by May 26, 2025. | Details |
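Added example, not code from the article or from the Langflow project: the "validate by executing" anti-pattern the summary describes, in Python, beside a syntax-check-only replacement. It shows why an endpoint that parses submitted code and then evaluates its decorators or default arguments is remote code execution regardless of what it is called. The payload, the `sink` list and the function names are this example's own assumptions; the real service exposes different globals and an attacker would evaluate something like `exec(...)` rather than a list append.

```python
import ast

# Constructed payload for this demo: a decorator whose evaluation appends to a
# list the caller passes in. A real attacker would use something like
# @exec("import os; os.system('...')") instead; the mechanics are identical.
MALICIOUS_SNIPPET = '@sink.append("decorator ran")\ndef f(x="default"):\n    return x\n'


def validate_code_unsafe(code: str, sink: list) -> dict:
    """Anti-pattern: 'validate' submitted code by parsing it and then
    evaluating each decorator and default-argument expression to check that it
    resolves. Every expression here came verbatim from the request body, so
    compile()+eval() on it is remote code execution. Requiring authentication
    would only narrow who can trigger it; the evaluation itself is the bug."""
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return {"ok": False, "errors": [f"{exc.lineno}: {exc.msg}"]}
    errors = []
    for node in ast.walk(tree):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for expr in list(node.decorator_list) + list(node.args.defaults):
            mod = ast.fix_missing_locations(ast.Expression(body=expr))
            try:
                # `sink` stands in for whatever globals the real service exposes
                eval(compile(mod, "<user-code>", "eval"), {"sink": sink})
            except Exception as exc:  # broad on purpose: mirrors lax handling
                errors.append(f"{expr.lineno}: {exc}")
    return {"ok": not errors, "errors": errors}


def validate_code_safe(code: str) -> dict:
    """Hardened form: a syntax check only. ast.parse never executes anything,
    so the request body cannot run code. Structural rules (allowed imports,
    required function names) can be enforced by walking the tree, still
    without compile(), exec() or eval()."""
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return {"ok": False, "errors": [f"{exc.lineno}: {exc.msg}"]}
    functions = [n.name for n in ast.walk(tree)
                 if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]
    return {"ok": True, "errors": [], "functions": functions}


def demo() -> dict:
    """Run both validators over the constructed payload and report whether the
    decorator actually executed under each."""
    sink = []
    unsafe = validate_code_unsafe(MALICIOUS_SNIPPET, sink)
    ran_under_unsafe = list(sink)
    sink.clear()
    safe = validate_code_safe(MALICIOUS_SNIPPET)
    return {"unsafe": unsafe, "ran_under_unsafe": ran_under_unsafe,
            "safe": safe, "ran_under_safe": list(sink)}


if __name__ == "__main__":
    print(demo())
```

Both validators report the snippet as valid; only the unsafe one leaves evidence that the attacker's expression ran. Authentication on the endpoint is still required, but it is a second control, not a substitute for never evaluating request bodies.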
| 2025-05-06 00:22:25 | theregister | NATION STATE ACTIVITY | Trump Proposes Major Budget Cut to Cybersecurity Agency, CISA | President Trump's fiscal 2026 budget proposal would cut $491 million, about 17%, from the Cybersecurity and Infrastructure Security Agency (CISA). The proposal frames the cut as a response to CISA's work on online misinformation and election security, which the administration calls the "censorship industrial complex." The Department of Homeland Security as a whole would receive a large increase, directed at border security and immigration enforcement. The proposal accuses CISA of infringing free speech by focusing on misinformation and self-promotion rather than on protecting critical infrastructure. Other agencies, including TSA and FEMA, also face reductions, justified on grounds of political bias and inefficiency. Trump's long-running dispute of his 2020 election loss informs his stance on the agency. The proposal is expected to meet substantial opposition in Congress, especially over the cybersecurity cuts. | Details |
| 2025-05-05 22:26:21 | bleepingcomputer | CYBERCRIME | Luna Moth Hackers Mimic IT Help Desks to Target U.S. Firms | Luna Moth, also tracked as Silent Ransom Group, has stepped up data-theft and extortion attacks on U.S. legal and financial firms. The group relies on callback phishing and social engineering to obtain remote access and exfiltrate data; it does not deploy ransomware. It registers look-alike domains through GoDaddy that impersonate the IT help desks of major U.S. law and financial firms. Victims receive emails carrying a fake help desk phone number; on calling it, they are talked into installing remote monitoring software that hands the attackers direct access to the machine. The attackers favour legitimate RMM tools such as Syncro, SuperOps, Zoho Assist, Atera, AnyDesk and Splashtop, which are commonly present in enterprises and therefore less likely to be flagged as malicious. With a foothold, they move through the network, locate and exfiltrate valuable data, and threaten to publish it unless a ransom is paid. EclecticIQ's report recommends adding the published indicators of compromise to blocklists and restricting execution of RMM tools that the organisation has not approved. | Details |
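Added example, not from the article or the EclecticIQ report: a detection that turns the "restrict unapproved RMM tools" advice into a check over process-creation telemetry. The RMM product names are the ones listed above; the binary-name regexes, the choice of Atera as the sanctioned tool, the "user-driven install" heuristic (parent is a browser or mail client, or the binary runs from Downloads) and the sample events are all this example's own assumptions and constructed data.

```python
import re
from typing import Optional

# RMM products the EclecticIQ report names as abused by Luna Moth. The regexes
# are this demo's assumptions about image paths / product strings; match on
# whatever fields your EDR actually records (signer, product name, hash).
RMM_SIGNATURES = {
    "Syncro": re.compile(r"syncro", re.I),
    "SuperOps": re.compile(r"superops", re.I),
    "Zoho Assist": re.compile(r"zoho.?assist|zaservice", re.I),
    "Atera": re.compile(r"atera", re.I),
    "AnyDesk": re.compile(r"anydesk", re.I),
    "Splashtop": re.compile(r"splashtop|srserver|srmanager", re.I),
}

# Assumption: Atera is the organisation's sanctioned RMM. Everything else on
# the list is "unapproved" in the sense of the report's advice.
APPROVED_RMM = {"Atera"}

# A user-driven install (parent is a browser/mail client, or the binary runs
# from the user's Downloads folder) is the shape of a callback-phishing
# victim following phone instructions, so it is escalated.
USER_DRIVEN_PARENTS = re.compile(r"(chrome|msedge|firefox|outlook)\.exe$", re.I)
DOWNLOADS = re.compile(r"\\Downloads\\", re.I)

# Constructed process-creation events (Sysmon-style fields; not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-114", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "WS-114", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"host": "WS-207", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec.exe /i "C:\Users\asmith\AppData\Local\Temp\SyncroSetup.msi" /qn',
     "parent_image": r"C:\Users\asmith\AppData\Local\Temp\SyncroInstall.exe"},
    {"host": "WS-207", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]


def classify_event(event: dict) -> Optional[dict]:
    """Return an alert dict if the event involves a known RMM product, else None."""
    haystack = " ".join(str(event.get(k, "")) for k in
                        ("image", "command_line", "product", "signer"))
    for tool, pattern in RMM_SIGNATURES.items():
        if not pattern.search(haystack):
            continue
        approved = tool in APPROVED_RMM
        user_driven = bool(USER_DRIVEN_PARENTS.search(event.get("parent_image", ""))
                           or DOWNLOADS.search(event.get("image", "")))
        if approved:
            severity = "info"
        elif user_driven:
            severity = "critical"
        else:
            severity = "high"
        return {"host": event.get("host"), "user": event.get("user"),
                "tool": tool, "approved": approved,
                "user_driven_install": user_driven, "severity": severity}
    return None


def find_unapproved_rmm(events) -> list:
    """Alerts for every unapproved RMM execution, most severe first."""
    alerts = [a for a in map(classify_event, events) if a and not a["approved"]]
    order = {"critical": 0, "high": 1}
    return sorted(alerts, key=lambda a: order[a["severity"]])


if __name__ == "__main__":
    for alert in find_unapproved_rmm(SAMPLE_EVENTS):
        print(alert)
```

The approved agent running as SYSTEM under services.exe is logged but not alerted; AnyDesk launched from Downloads by a browser is the pattern to page on, since it matches the victim-on-the-phone scenario described above.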
| 2025-05-05 21:00:20 | theregister | DATA BREACH | Unsecure Clone of Signal App Compromises US Government Data | An unknown attacker gained access to US government communications held by TeleMessage, a modified clone of the Signal messaging app used by Michael Waltz. TeleMessage, acquired by Smarsh in 2024, has temporarily suspended its services following detection of the incident, and an external cybersecurity firm is assisting the investigation. The exposed material includes potentially unencrypted archived messages touching on sensitive topics from US Customs and Border Protection and on financial transactions. The app came to public attention through a leaked photo of Waltz using it; it archives messages on the provider's side, which is insecure if the archived copy is not re-encrypted. Journalists who examined the app's source code found hard-coded credentials, pointing to significant security weaknesses. The incident also raises questions about whether the app complies with Signal's open source licence, and about its security implications. Overall, the episode underscores ongoing problems with secure communication in government circles and their consequences for national security. | Details |
| 2025-05-05 20:30:13 | bleepingcomputer | MALWARE | New EDR Bypass Technique Exploited in Ransomware Attacks | A new EDR bypass, dubbed "Bring Your Own Installer," has been observed in attacks that deployed Babuk ransomware. The technique abuses the SentinelOne agent upgrade process and was uncovered by Aon's Stroz Friedberg Incident Response team during a forensic investigation of a client network after a ransomware breach. Attackers exploit a window during an agent update in which protection lapses, letting them disable the EDR and leave the system unprotected. Follow-up testing confirmed that the bypass works across multiple versions of the SentinelOne agent. After the discovery, SentinelOne shared mitigation steps with its customers and with other major EDR vendors. The recommended mitigation is to enable the "Online Authorization" setting, SentinelOne's local upgrade protection, so that a local agent upgrade or downgrade must be authorised through the management console rather than accepted silently on the endpoint. | Details |
| 2025-05-05 19:25:38 | bleepingcomputer | MISCELLANEOUS | Microsoft Reports Risks in Kubernetes Deployments' Default Settings | Microsoft has warned that the default settings in many Kubernetes Helm charts can expose sensitive data. Helm charts simplify application deployment on Kubernetes, but their defaults are often weak, including lax or absent authentication and services exposed on ports reachable from outside the cluster. Deployed without adjustment, such charts leave applications open to discovery by scanners and to exploitation. The report, from Microsoft Defender for Cloud Research, singles out insecure default configuration in Helm charts as a significant threat to Kubernetes workloads and cites three specific cases to illustrate the scope of the problem across different charts. Microsoft advises reviewing and hardening the YAML configuration and Helm values before deployment, scanning regularly for misconfigurations, and monitoring container environments for unusual activity. | Details |
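Added example, not from the article or Microsoft's report (which does not name the three charts here): a small pre-deployment audit in Python over rendered manifests, of the kind that would run on `helm template` output after a YAML loader has turned it into dicts. It flags the two classes of default the summary warns about, externally exposed ports and lax authentication, with one constructed release showing the weak defaults and a second showing the corrected form. The manifests, the environment-variable heuristics and the list of weak values are this example's own assumptions.

```python
import re
from typing import List

# Heuristics this demo assumes; tune them to the chart under review.
SECRET_ENV = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY)", re.I)
WEAK_VALUES = {"", "admin", "password", "changeme", "secret", "default", "123456"}
AUTH_FLAG = re.compile(r"AUTH.*(ENABLED|REQUIRED)$", re.I)
FALSY = {"false", "0", "no", "off"}

# Constructed manifests, as if loaded from `helm template` output. The
# "insecure" release mirrors the kind of chart default the report warns about.
INSECURE_RELEASE = [
    {"kind": "Service", "metadata": {"name": "dashboard"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 80, "targetPort": 8080}]}},
    {"kind": "Deployment", "metadata": {"name": "dashboard"},
     "spec": {"template": {"spec": {"containers": [{
         "name": "web", "image": "example/dashboard:1.0",
         "ports": [{"containerPort": 8080, "hostPort": 8080}],
         "env": [{"name": "ADMIN_PASSWORD", "value": "admin"},
                 {"name": "AUTH_ENABLED", "value": "false"}]}]}}}},
]
HARDENED_RELEASE = [
    {"kind": "Service", "metadata": {"name": "dashboard"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 80, "targetPort": 8080}]}},
    {"kind": "Deployment", "metadata": {"name": "dashboard"},
     "spec": {"template": {"spec": {"containers": [{
         "name": "web", "image": "example/dashboard:1.0",
         "ports": [{"containerPort": 8080}],
         "env": [{"name": "ADMIN_PASSWORD",
                  "valueFrom": {"secretKeyRef": {"name": "dashboard-admin", "key": "password"}}},
                 {"name": "AUTH_ENABLED", "value": "true"}]}]}}}},
]


def pod_spec(obj: dict):
    """Pod spec for a bare Pod or for any template-bearing workload kind."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec")


def audit_manifests(objects) -> List[str]:
    """Return one human-readable finding per weak default found."""
    findings = []
    for obj in objects:
        name = f'{obj.get("kind")}/{obj.get("metadata", {}).get("name")}'
        if obj.get("kind") == "Service":
            svc_type = obj.get("spec", {}).get("type", "ClusterIP")
            if svc_type in ("LoadBalancer", "NodePort"):
                findings.append(f"{name}: type {svc_type} exposes the workload outside the cluster")
        spec = pod_spec(obj)
        if not spec:
            continue
        if spec.get("hostNetwork"):
            findings.append(f"{name}: hostNetwork puts the pod in the node's network namespace")
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            for p in c.get("ports", []):
                if "hostPort" in p:
                    findings.append(f'{name}/{c["name"]}: hostPort {p["hostPort"]} binds directly on the node')
            for env in c.get("env", []):
                env_name, value = env.get("name", ""), env.get("value", "")
                if "valueFrom" in env:
                    continue  # sourced from a Secret/ConfigMap, not a literal default
                if SECRET_ENV.search(env_name) and str(value).lower() in WEAK_VALUES:
                    findings.append(f'{name}/{c["name"]}: {env_name} has a weak or empty literal default')
                if AUTH_FLAG.search(env_name) and str(value).lower() in FALSY:
                    findings.append(f'{name}/{c["name"]}: {env_name}={value} disables authentication')
    return findings


if __name__ == "__main__":
    for finding in audit_manifests(INSECURE_RELEASE):
        print("INSECURE:", finding)
    print("hardened findings:", audit_manifests(HARDENED_RELEASE))
```

The check is deliberately on rendered objects rather than on values.yaml, because the weak defaults live in the chart templates and only become visible once Helm has applied them.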
| 2025-05-05 19:16:16 | bleepingcomputer | CYBERCRIME | Darcula PhaaS Scheme Steals Nearly 900,000 Credit Cards Globally | The Darcula phishing-as-a-service (PhaaS) platform was used to steal 884,000 credit cards, from 13 million clicks on malicious text message links, over seven months spanning 2023 and 2024. Researchers from several organisations, including the Norwegian broadcaster NRK and the security firm Mnemonic, uncovered the operation, which spans more than 100 countries and 20,000 domains impersonating major brands. Darcula's texts typically pose as road toll fines or package delivery notices and lead victims to spoofed sites that harvest credentials and card details. The platform sends lures over RCS and iMessage as well as SMS, which improves delivery and credibility. Recent upgrades added automatic generation of phishing kits for any brand, stealth features, conversion of stolen card details into virtual cards, and a simpler admin panel. By April 2025 Darcula had integrated generative AI, letting criminals produce custom scams in any language with LLM tools. The investigation identified the 'Magic Cat' toolkit at the core of the operation, traced it to a Chinese individual, and documented lavish lifestyles funded by the proceeds. All findings were shared with law enforcement, including evidence of large-scale SIM farms and processing setups for monetising stolen cards. | Details |
| 2025-05-05 19:16:16 | bleepingcomputer | DATA BREACH | Unofficial Signal Tool Hacked, US Government Data Potentially Exposed | TeleMessage, an Israeli company, has suspended its services after a suspected security breach. The incident involves its TM SGNL tool, which archives messages from apps such as Signal. A hacker claims to have breached TeleMessage and accessed data; direct messages of Trump administration officials were reportedly not among it. The stolen data may include government officials' contact details, some message contents and back-end credentials. Screenshots from the breach show links to U.S. Customs and Border Protection and to financial institutions. Experts who analysed the source code of the backdoored app, TM SGNL, found multiple vulnerabilities. A Signal spokesperson stressed that Signal cannot guarantee the security of unofficial versions of its app. Smarsh, the parent company, has engaged a cybersecurity firm to investigate and has promised transparency and updates. | Details |
| 2025-05-05 17:32:07 | bleepingcomputer | CYBERCRIME | Darcula PhaaS Platform's Massive Credit Card Theft Exposed | The Darcula phishing-as-a-service platform stole 884,000 credit cards through SMS phishing that drew 13 million clicks on malicious links worldwide. Over seven months its operators used 20,000 domains to spoof reputable brands, targeting Android and iPhone users in more than 100 countries. Darcula has evolved to deliver lures over RCS and iMessage in addition to SMS, raising the success rate of its campaigns. New features let criminals auto-generate phishing kits for any brand and use generative AI to write more convincing, language-specific lures. Mnemonic researchers reverse-engineered the Darcula infrastructure, identified the 'Magic Cat' toolkit behind it and infiltrated the associated Telegram groups. Digital footprints led to a Chinese individual believed to be the creator; the company linked to him denies involvement, but continuing activity indicates the operation is still running. All findings have been shared with law enforcement. | Details |
| 2025-05-05 17:11:26 | thehackernews | MALWARE | Critical AirPlay Flaws Expose Apple Devices to Remote Attacks | Researchers have disclosed critical vulnerabilities in Apple's AirPlay protocol that could give attackers remote control of affected devices. The flaws, collectively named AirBorne, affect Apple devices and third-party products built on the AirPlay SDK. Individual bugs such as CVE-2025-24252 and CVE-2025-24132 enable zero-click remote code execution that can be wormable, allowing malware to spread from one device to others on the same network. An attacker could use them to plant backdoors or deploy ransomware, putting user data at risk. Devices joined to public Wi-Fi are most exposed, and a compromised device can carry the attack into an enterprise network when it later connects there. All identified vulnerabilities are fixed in recent AirPlay and CarPlay updates. Organisations should update every affected device now and ask employees to do the same for their personal devices. | Details |
| 2025-05-05 16:05:22 | thehackernews | CYBERCRIME | CISA Adds High-Risk Commvault Vulnerability to KEV Catalog | CISA has added a severe Commvault vulnerability to its Known Exploited Vulnerabilities catalog. CVE-2025-34028, rated CVSS 10.0, is a path traversal flaw in Commvault Command Center affecting versions 11.38.0 through 11.38.19; it allows code execution through a malicious ZIP file upload whose entries are written outside the intended extraction directory. watchTowr Labs discovered and reported the issue. Commvault fixed it in versions 11.38.20 and 11.38.25. This is the second Commvault flaw to be exploited in the wild, after CVE-2025-3928, which was also remotely exploitable. Federal Civilian Executive Branch agencies must apply the patches by May 23, 2025. No unauthorised access to customer backup data has been detected despite the exploitation activity. | Details |
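Added example, not from the article and not Commvault's code: the bug class behind "path traversal via a malicious ZIP upload", in Python. The archive is built inline from constructed entries, `scan_archive` lists the entries that would escape (the check to run on any uploaded archive before touching it), and `extract_safely` refuses the whole archive rather than writing the benign entries first. Entry names, the placeholder JSP content and the temporary directory are this example's own assumptions.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


class UnsafeArchiveError(ValueError):
    """Raised for an entry that would land outside the extraction directory."""


def build_archive(entries: dict) -> bytes:
    """Constructed test archives only: zipfile stores '../' names as given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def check_member_name(name: str) -> tuple:
    """Structural checks on an entry name; returns its path components."""
    if (not name or "\x00" in name or "\\" in name or name.startswith("/")
            or re.match(r"^[A-Za-z]:", name)):
        raise UnsafeArchiveError(name)
    parts = PurePosixPath(name).parts
    if ".." in parts:  # 'a/../b' is caught here; PurePosixPath does not collapse it
        raise UnsafeArchiveError(name)
    return parts


def safe_member_path(dest: Path, name: str) -> Path:
    """Map an entry name to a path strictly inside `dest`, or raise."""
    parts = check_member_name(name)
    root = dest.resolve()
    target = (root / Path(*parts)).resolve()
    # resolve() also defeats traversal through a symlink already present in dest
    if target != root and root not in target.parents:
        raise UnsafeArchiveError(name)
    return target


def scan_archive(data: bytes) -> list:
    """Names of entries that would escape; run this on uploads before extracting."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                check_member_name(info.filename)
            except UnsafeArchiveError:
                bad.append(info.filename)
    return bad


def extract_safely(data: bytes, dest: Path) -> list:
    """Extract, failing closed: every target is validated before any write."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        targets = [safe_member_path(dest, i.filename) for i in infos]
        for info, target in zip(infos, targets):
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    # Constructed archives: one benign, one carrying a traversal entry that
    # would drop a JSP into a web-served directory above the extraction root.
    benign = build_archive({"report/summary.txt": b"ok\n"})
    malicious = build_archive({"report/summary.txt": b"ok\n",
                               "../../webroot/shell.jsp": b"<%-- placeholder --%>"})
    dest = Path(tempfile.mkdtemp()) / "extract"
    result = {"malicious_entries": scan_archive(malicious),
              "benign_entries": scan_archive(benign)}
    try:
        extract_safely(malicious, dest)
        result["malicious_blocked"] = False
    except UnsafeArchiveError:
        result["malicious_blocked"] = True
    result["written"] = [p.name for p in extract_safely(benign, dest)]
    return result


if __name__ == "__main__":
    print(demo())
```

The order in `extract_safely` is the point: validating every target before the first write means a mixed archive cannot get its benign entries on disk as a side effect of being rejected.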
| 2025-05-05 15:25:53 | bleepingcomputer | CYBERCRIME | UK Retail Cyberattacks Prompt National Security Guidance | After cyberattacks on Marks & Spencer, Co-op and Harrods, the UK's National Cyber Security Centre (NCSC) has issued new guidance. Marks & Spencer suffered a disruptive ransomware attack attributed to DragonForce that halted online orders and affected payments. Co-op's incident led it to restrict VPN access and later confirm that a significant amount of customer data was stolen. Harrods reported an attempted intrusion and tightened network security; no data breach has been confirmed. All three incidents involved social engineering, chiefly impersonation aimed at the IT help desk to obtain access. The NCSC declined to speculate on attribution but said investigations with law enforcement are ongoing. Its recommendations include reviewing and strengthening how help desks verify a caller's identity before resetting credentials. It urges businesses across the country to prepare for similar attacks by adopting the recommended measures. | Details |
| 2025-05-05 11:31:26 | thehackernews | NATION STATE ACTIVITY | Iranian Group Hacks Middle East Infrastructure for Two Years | The Iranian threat group Lemon Sandstorm compromised critical national infrastructure in the Middle East and kept access for nearly two years, from May 2023 to February 2025. It used custom backdoors, including HanifNet, HXLibrary and NeoExpressRAT, to run an extensive espionage operation. The likely objective was network prepositioning: establishing persistent access for future use, which marks this as a strategic, long-term threat. Fortinet identified and reported the activity. Campaigns of this kind underline the need for robust defences around sensitive national infrastructure. | Details |
| 2025-05-05 11:01:44 | thehackernews | MISCELLANEOUS | Securing Google Workspace: Strategies for Small Security Teams | In small and midsize businesses the security lead often wears every hat, from CISO to IT help desk, and is in effect the whole security department. Google Workspace handles infrastructure and spam filtering, but it does not fully secure user identities, so much of the security responsibility falls on the company's admins. In a cloud-native environment the first line of defence is strong identity protection, with settings enforced through Google Workspace itself or a third-party identity provider (IdP). Phishing and social engineering over email remain the top threats, so monitoring and response still matter despite Google's extensive filtering. Data loss prevention (DLP) is important because leaks usually happen gradually, through employee mistakes or unchecked sharing permissions, and need solid controls on sensitive data. Keeping visibility over user activity and configuration across the tenant is essential for a small team with broad responsibilities. Automated tools such as Material Security monitor configuration continuously, alert on drift from the intended security settings and speed up response. Sharing settings and permissions should be tuned to minimise risk without making collaboration unworkable. | Details |