Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11823
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-04-29 15:11:19 | theregister | NATION STATE ACTIVITY | Former Rear Admiral Urges US to Boost Cyber Defenses Against China | China has overtaken Russia as the primary cyber threat to the US, with the Volt Typhoon intrusions into US critical infrastructure as the clearest example.
Former Rear Admiral Mark Montgomery described the shift at the RSA Conference, pointing to China's capabilities in targeted espionage and pre-positioning for infrastructure disruption.
Montgomery called for aggressive recruiting for US military cyber forces, including drawing on National Guard talent for cyber defense.
He criticized the corporate owners of critical infrastructure, arguing that US companies have little incentive to improve their security against nation-state threats.
Montgomery proposed extending the Sarbanes-Oxley Act so that corporations are held to enforceable cybersecurity requirements in the interest of national security.
He warned of possible Chinese cyber retaliation tied to geopolitical tensions, particularly over Taiwan, aimed at undermining public confidence and crisis response.
Montgomery rated other nation-states such as North Korea and Iran as lesser threats than China, citing their more limited capabilities and regional focus.
The article stresses the urgent need for proactive cyber defense to protect American interests against sophisticated nation-state operations. | Details |
| 2025-04-29 14:20:24 | bleepingcomputer | CYBERCRIME | CISA Reveals Exploitation of Broadcom and Commvault Vulnerabilities | CISA has added vulnerabilities in Broadcom Brocade Fabric OS, Commvault Web Server, and Qualitia Active! Mail to its Known Exploited Vulnerabilities (KEV) catalog.
The Fabric OS flaw, tracked as CVE-2025-1976, lets a locally authenticated admin user execute arbitrary code with root privileges, giving full control of the switch operating system.
Broadcom reports it has been exploited in the wild; the fix is Fabric OS version 9.1.1d7.
Commvault's CVE-2025-3928 allows an authenticated remote attacker to create and execute webshells on the Commvault Web Server; several versions on both Windows and Linux are affected.
It too has been exploited in the wild, even though exploitation requires valid credentials.
A third flaw, in Qualitia Active! Mail, affects all versions up to BuildInfo 6.60.05008561 and has been actively exploited, predominantly against Japanese organizations.
CISA has set deadlines in May 2025 for federal civilian agencies to apply the vendor updates or mitigations, and urges all organizations to do the same. | Details |
| 2025-04-29 13:22:36 | theregister | NATION STATE ACTIVITY | Infosec Community Defends Krebs Amid Trump's Retaliatory Actions | An open letter from the EFF and top cybersecurity professionals calls on President Trump to cease the investigation into former CISA head Chris Krebs, labeling it as political retaliation.
The campaign against Krebs stems from his public rebuttal of election fraud claims, which led to his firing after he affirmed the security of the 2020 election.
Trump's presidential memo accuses Krebs of abusing his power at CISA to suppress 'unfavored' viewpoints, particularly on election security and COVID-19 narratives.
The memo also directed that security clearances held by Krebs and his then employer SentinelOne be revoked, which could affect federal contracts and has a chilling effect on the wider infosec community.
The cybersecurity community emphasizes the importance of independent, truthful reporting without fear of political repercussions to safeguard democracy.
Krebs recently resigned from SentinelOne to focus on defending democracy and freedom of speech outside of corporate influences.
Major concerns are raised about the broader implications for cybersecurity practices and national safety if such political interference persists. | Details |
| 2025-04-29 13:14:38 | thehackernews | NATION STATE ACTIVITY | SentinelOne Discovers Chinese Espionage Campaign Against Its Network | SentinelOne identified attempts by a China-nexus cyberespionage group, tracked as PurpleHaze, to conduct reconnaissance against its infrastructure and some of its high-value customers.
PurpleHaze is linked to the state-sponsored group APT15 and has previously targeted government organizations in South Asia with malware such as GoReShell and ShadowPad.
The actors used operational relay box (ORB) networks and Windows backdoors, which complicates tracking and attribution of their operations.
Analysis showed that the same South Asian government entity attacked in June 2024 was targeted again in a later PurpleHaze operation using ShadowPad, indicating sustained espionage interest.
ShadowPad has been used against more than 70 organizations across multiple industries, with initial access gained by exploiting vulnerabilities in Check Point gateway devices.
SentinelOne also detected efforts by North Korea-aligned individuals attempting to infiltrate their workforce, and ransomware groups trying to access the company’s security tools to evade detection.
The underground cybercrime market continues to thrive, with offerings like 'EDR Testing-as-a-Service' allowing attackers to evaluate and refine their malware discreetly.
Nitrogen, a ransomware group run by a Russian national, has impersonated legitimate companies through social engineering so that it can pass vendor procurement checks and obtain security products to test its tooling against. | Details |
| 2025-04-29 11:36:19 | theregister | NATION STATE ACTIVITY | China Enhances Cyber Attacks on U.S. Using AI, FBI Reports | FBI Deputy Assistant Director Cynthia Kaiser said Chinese state-backed hackers are using AI to work faster at several stages of their intrusions.
These state-sponsored groups have infiltrated U.S. critical infrastructure sectors including government, telecommunications, energy, and water, often remaining undetected for extended periods.
Specific examples include Volt Typhoon, which compromised end-of-life routers to build a botnet used against U.S. targets, and Salt Typhoon, which breached U.S. telecommunications and government networks.
Chinese attackers commonly exploit unpatched vulnerabilities or outdated devices to gain initial access, then navigate silently within the compromised networks.
AI is being deployed by these attackers not for autonomous end-to-end attacks but to enhance preliminary tasks like scanning and initial exploitation, making these processes faster and more effective.
The rise of AI in cyber attacks poses challenges in network security, specifically in detection and prevention of lateral movement within networks.
The FBI continues its efforts in tracking and responding to both nation-state and criminal cyber threats, despite recent governmental budget and personnel cuts.
Kaiser underscores the importance of implementing robust security measures like multi-factor authentication (MFA) to counter sophisticated social engineering attacks, including those using deepfake technology. | Details |
| 2025-04-29 11:07:34 | thehackernews | MISCELLANEOUS | Reco Enhances Security for Microsoft 365 Copilot Usage | Microsoft 365 Copilot introduces new exposure risks because it can reach sensitive data across every SaaS application a user has access to.
Reco, a SaaS security platform, addresses these risks by treating Copilot as one more part of the SaaS estate that requires continuous monitoring.
Reco's security approach includes analyzing user prompts, managing data exposure, and ensuring robust access governance.
The platform uses techniques like natural language processing and attack pattern matching to identify suspicious queries.
It also monitors Copilot’s actions and outputs, integrating with systems like Microsoft Purview to manage data sensitivity.
Reco provides direct visibility into Copilot’s interactions across the SaaS environment, helping to detect potential data breaches or unauthorized accesses.
The strategy includes detecting risks from new or unsanctioned integrations that might occur as Copilot gets interconnected with other applications.
Reco pitches these controls as necessary for any organization using Copilot that wants to prevent data leaks and maintain data privacy. | Details |
| 2025-04-29 10:17:38 | thehackernews | CYBERCRIME | Google Reports Decrease in Zero-Day Exploits in 2024, Shift in Targets | In 2024, Google observed a reduction in zero-day vulnerabilities being exploited, totaling 75, down from 98 in 2023.
44% of these zero-days targeted enterprise technologies, including 20 flaws in security software and appliances.
The shift toward enterprise targets amounts to 33 zero-days in enterprise software, concentrated in products from vendors such as Ivanti, Palo Alto Networks, and Cisco.
Browser and mobile zero-days declined: browser exploits fell by about a third and mobile exploits by nearly half compared with the previous year.
Microsoft products accounted for 22 zero-days, and Apple, Android, Chrome, and Firefox also saw exploitation.
Six broad threat activity clusters have been linked to 34 of the 75 zero-day vulnerabilities, spanning both espionage and financial motivations.
Google also identified sophisticated exploit chains targeting Firefox and mobile browsers, including one used to deploy the RomCom RAT.
The Google Threat Intelligence Group highlighted the evolution of zero-day threats and noted an improvement in vendor mitigation strategies against such exploits. | Details |
| 2025-04-29 10:04:11 | bleepingcomputer | NATION STATE ACTIVITY | Spyware Dominates as Key Driver in Rising Zero-Day Exploits | In 2024, Google's Threat Intelligence Group reported 75 zero-day vulnerabilities exploited, with over 50% linked to spyware attacks.
This is a decrease from 98 zero-days in 2023, but still part of an upward trend from 63 in 2022.
Notable contributors to these exploits include China-linked groups and North Korean operators, with the latter involved in zero-day exploits blending espionage and financial motives for the first time.
The majority of these exploits targeted end-user platforms like web browsers, mobile devices, and desktop operating systems, with Windows emerging as a particularly popular target.
Exploits against enterprise-targeted products, such as security and networking software, accounted for 44% of the zero-day attacks, signifying a shift towards more focused attacks on business environments.
Google has observed a slow but steady increase in zero-day exploits, although efforts by vendors to mitigate these vulnerabilities are beginning to show results.
The future trends in zero-day exploitation are expected to be influenced heavily by vendors' proactive security measures and their ability to adapt to evolving threats. | Details |
| 2025-04-29 09:24:01 | theregister | NATION STATE ACTIVITY | Strategies to Detect North Korean Infiltrators in Global Firms | North Korean operatives are securing jobs in top global companies to steal intellectual property and fund their regime.
Methods include AI-generated LinkedIn profiles and teams that complete take-home coding challenges while a single "front man" sits the interviews.
A simple interview question about Kim Jong Un reliably exposes these applicants, who typically end the call on the spot.
Once hired, the operatives perform well in order to gain broader access to company systems, then exfiltrate sensitive information gradually to avoid detection.
The FBI recommends conducting coding tests on company premises and applying extra scrutiny to applications for fully remote roles.
Even when caught and fired, the operatives have often already planted malware and harvested credentials, leaving the door open for later intrusions.
Tactics keep evolving in response to countermeasures, for example laptop farms inside the US that make the workers' traffic appear to originate from domestic IP addresses.
Continuous education for all staff involved in the hiring process and increased scrutiny during the interview and onboarding phases are advised to combat this threat. | Details |
| 2025-04-29 06:54:33 | theregister | MISCELLANEOUS | University's Controversial AI Study on Reddit Raises Ethical Questions | Researchers from the University of Zurich ran an undisclosed AI study on Reddit's r/changemyview, posing as ordinary users to test how persuasive AI-generated arguments are.
The study posted AI-generated replies intended to change real users' views, without disclosure, in violation of the subreddit's rules.
The team did not tell the subreddit moderators about their methods, which included AI-generated personas and arguments tailored to the target.
Although the results suggest the AI replies were more persuasive than the human baseline, the experiment has been criticized for its ethical lapses.
The experiment initially received ethics approval from the university, but later changes to the study design were not submitted for further review.
The subreddit moderators have protested the study and asked the university to prevent its publication, citing unethical practices.
The university insists the study's findings are valuable and do not warrant suppression, while outside academics criticize the ethical handling and the potential for harm.
The controversy highlights broader concerns about the use of AI in manipulating public opinion and the ethical implications of non-disclosure in research settings. | Details |
| 2025-04-29 05:51:36 | thehackernews | MALWARE | Malware Campaign Targets Exiled World Uyghur Congress Leaders | In March 2025, senior members of the World Uyghur Congress living in exile were targeted with Windows malware built for surveillance.
The malware was delivered by spear-phishing using a trojanized version of UyghurEditPP (UyghurEdit++), a legitimate Uyghur-language text editor.
Targets received Google alerts that they were the subject of government-backed attacks, and investigators attribute the campaign to actors aligned with the Chinese government.
The phishing emails contained Google Drive links that downloaded a password-protected RAR archive holding the trojanized editor.
The malware had capabilities for system profiling, sending collected data to an external server, and could also fetch and execute additional malicious commands and plugins.
This incident is part of ongoing digital transnational repression aimed at the Uyghur diaspora, with the intent to monitor their communications and influence concerning the human rights situation in Xinjiang. | Details |
| 2025-04-29 04:28:32 | thehackernews | CYBERCRIME | CISA Flags Broadcom and Commvault Flaws Amid Active Exploits | CISA has added two critical vulnerabilities in Broadcom Brocade Fabric OS and Commvault Web Server to its KEV catalog due to active exploitation.
The Broadcom vulnerability, identified as CVE-2025-1976, allows code execution with root access if exploited by a locally authenticated admin user.
This particular flaw affects Fabric OS versions from 9.1.0 to 9.1.1d6 and has been fixed in the subsequent version 9.1.1d7.
The Commvault vulnerability requires valid user credentials, so it is not exploitable by an unauthenticated attacker.
Commvault states that for the flaw to be exploited the affected system must be reachable from the internet and already compromised through an unrelated avenue.
The exact details of how these vulnerabilities have been exploited in the wild have not been disclosed.
CISA advises Federal Civilian Executive Branch agencies to patch the identified vulnerabilities by specific deadlines in May 2025 to mitigate risks. | Details |
| 2025-04-29 03:17:40 | theregister | NATION STATE ACTIVITY | Malware Targets Uyghur Activists Via Phishing and Compromised Software | Researchers at Citizen Lab discovered a phishing campaign and supply chain attack aimed at the Uyghur diaspora, likely instigated by Beijing.
The attack involved emails that appeared to be from trusted sources, offering links to download a compromised Uyghur text editor, UyghurEditPP.
The trojanized editor provided remote access, uploaded collected information to a server, and could install additional malicious files.
Targeting Uyghur-language software fits the broader pattern of cultural suppression and human rights abuses by Chinese authorities against the Uyghur minority.
Despite the well-crafted social engineering, the targeted members of the World Uyghur Congress (WUC) had received Google's government-backed attack warnings and did not fall for the lure.
The failed phishing attempt shows that targeted communities must remain vigilant against future, likely more sophisticated, attempts.
Citizen Lab's report underscores an ongoing concern: community-built software used by persecuted or high-risk groups is an attractive supply-chain target. | Details |
| 2025-04-29 00:32:08 | theregister | CYBERCRIME | Ex-Disney Employee Sentenced for Malicious IT Sabotage | Michael Scheuer, a former Disney employee, was sentenced to 36 months in prison for unauthorized access to Disney's IT systems and identity theft.
Scheuer altered fonts and content in Disney's Menu Creator application, causing operational disruptions that lasted up to two weeks.
His changes included falsified allergen information, which could have endangered guests, and offensive imagery on menu items.
After his termination, Scheuer ran a denial-of-service attack that blocked 14 Disney employees from logging in.
His use of a commercial VPN and IP ranges previously associated with him helped investigators trace the activity back to him.
Scheuer also accessed a third-party vendor's SFTP servers used by Disney and modified data there.
Following FBI intervention and the seizure of Scheuer's computer equipment, the malicious activities ceased.
Post-imprisonment, Scheuer will undergo three years of supervised release, including a prohibition on any contact with Disney or the affected individuals. | Details |
| 2025-04-28 23:38:13 | theregister | MALWARE | Cybersecurity CEO Confesses to Installing Spyware at Hospital | Jeffrey Bowie, a cybersecurity CEO, is charged with installing malware on a hospital PC in Oklahoma City.
Bowie admitted on LinkedIn to creating and deploying software that captured screenshots every 20 minutes, sending them to a remote host.
The malware was found on a PC at St. Anthony's Hospital during a forensic review; the hospital says it was removed and no patient information was compromised.
Bowie claimed the software was written "on the fly" in PowerShell and intended for a guest computer in the hospital waiting area.
He also disclosed a recent episode of psychosis, which he links to his actions at the time.
Court records show an arrest warrant was issued, though Bowie says he was never actually detained.
Bowie argues that mishandled mental health treatment and fears about data safety, fueled by a recent IT breach at a related hospital, led to his actions.
Bowie faced significant backlash on LinkedIn, with many advising him to cease communication and seek legal advice. | Details |
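The two CISA KEV entries above (2025-04-29 14:20:24 and 2025-04-29 04:28:32) give a concrete affected range for the Brocade Fabric OS flaw CVE-2025-1976: versions 9.1.0 through 9.1.1d6 are vulnerable and 9.1.1d7 is the fix. The first thing a practitioner wants from an entry like that is a reliable way to test a fleet inventory against the range, and naive string comparison gets letter-suffixed versions such as "9.1.1d6" wrong. The following is an added example, not code from the original page or from Broadcom or CISA. It assumes the version strings follow the major.minor.patch[letter][number] convention seen in the entries (so that "9.1.1" sorts before "9.1.1a" and "9.1.1d" before "9.1.1d1"); the inventory at the bottom is constructed for illustration and does not describe real devices.

```python
import re
from typing import Dict, Tuple

# Affected range stated in the KEV entries above for CVE-2025-1976:
# Fabric OS 9.1.0 through 9.1.1d6 affected, fixed in 9.1.1d7.
AFFECTED_MIN = "9.1.0"
FIXED_IN = "9.1.1d7"

# major.minor.patch, optional lowercase letter, optional trailing number.
# This format is an assumption based on the version strings in the entries.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(\d*)$")


def fos_version_key(version: str) -> Tuple[int, int, int, str, int]:
    """Turn a Fabric OS version string such as '9.1.1d6' into a sortable tuple.

    An empty letter sorts before 'a' and a missing trailing number counts as 0,
    so '9.1.1' < '9.1.1a' and '9.1.1d' < '9.1.1d1'. Unparseable strings raise.
    """
    match = _VERSION_RE.match(version.strip().lower())
    if not match:
        raise ValueError(f"unrecognised Fabric OS version: {version!r}")
    major, minor, patch, letter, sub = match.groups()
    return (int(major), int(minor), int(patch), letter, int(sub) if sub else 0)


def is_affected_by_cve_2025_1976(version: str) -> bool:
    """True if the version lies in the affected half-open range [9.1.0, 9.1.1d7)."""
    key = fos_version_key(version)
    return fos_version_key(AFFECTED_MIN) <= key < fos_version_key(FIXED_IN)


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each switch name to 'PATCH', 'ok' or 'unknown' for a {name: version} inventory.

    'unknown' flags entries whose version string could not be parsed, which should be
    checked by hand rather than silently treated as safe.
    """
    verdicts = {}
    for name, version in inventory.items():
        try:
            verdicts[name] = "PATCH" if is_affected_by_cve_2025_1976(version) else "ok"
        except ValueError:
            verdicts[name] = "unknown"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical switch names and versions).
    sample = {
        "san-sw-01": "9.1.1d6",   # last affected build
        "san-sw-02": "9.1.1d7",   # fixed build
        "san-sw-03": "9.0.1c",    # below the affected range
        "san-sw-04": "9.1.1",     # no letter suffix, still inside the range
        "san-sw-05": "n/a",       # inventory gap, needs manual follow-up
    }
    for switch, verdict in triage_inventory(sample).items():
        print(f"{switch:<10} {verdict}")
```

The range check is half-open on purpose: the fixed version itself is excluded, and anything the parser cannot read is reported as unknown rather than quietly passing. The same pattern applies to the Commvault entry once you substitute its affected version ranges, which the entries above do not enumerate.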