Daily Brief

Find articles below; each title is followed by a generated summary.

Total articles found: 11824

Checks for new stories every ~15 minutes

2025-04-19 08:54:33 thehackernews MALWARE ASUS Routers Vulnerable to Attacks, Company Releases Fix
ASUS has reported a critical security flaw in routers with AiCloud capability, identified as CVE-2025-2492. The vulnerability has a high severity with a CVSS score of 9.2, allowing remote unauthorized function execution through crafted requests. Users are strongly urged to update their router firmware to the latest version to mitigate risks associated with this security flaw. ASUS advises strengthening security by using distinct, robust passwords for different devices and services, avoiding consecutive sequences. The company also recommends disabling AiCloud and related services that are internet-facing if firmware updates are not feasible or if devices are at end-of-life. Additional precautionary measures include disabling remote access features, such as DDNS, VPN, DMZ, and port forwarding.
2025-04-18 19:11:38 theregister DATA BREACH House Democrats Concerned Over AI's Misuse of Federal Data
A group of 48 House Democrats expressed concerns about the potential security risks of using unapproved AI systems to manage federal data, highlighting the use of Elon Musk's Grok-2 AI model. Led by Representatives Don Beyer, Mike Levin, and Melanie Stansbury, the group criticized the Department of Government Efficiency (DOGE) for potentially violating federal laws and OMB AI directives. Concerns were raised about AI-assisted inefficiencies and privacy breaches involving sensitive information, including government employee details and financial data. Instances of conflict of interest were noted, such as a dual-role White House aide using a SpaceX-hosted AI to analyze governmental operations. The Democrats' letter to the OMB insisted on halting the use of all non-compliant AI technologies and strictly adhering to existing legal standards. Rep. Gerald Connolly has also taken action, sending letters to federal agencies to investigate DOGE's adherence to the Privacy Act, the Federal Information Security Management Act, and the E-Government Act. The letter ended with a series of pointed questions about the specific AI models and their applications within DOGE, reflecting ongoing scrutiny and potential for further legislative action.
2025-04-18 17:50:07 bleepingcomputer MALWARE Interlock Ransomware Gang Exploits Fake IT Tools for Network Breaches
The Interlock ransomware gang has adopted ClickFix attacks to impersonate IT tools and deploy ransomware, starting in January 2025. ClickFix attacks involve deceiving victims into running harmful PowerShell commands that install malware under the guise of fixing an error or completing an authentication step. Initially, Interlock used fake updates for browsers and VPN clients to infiltrate systems but has now switched to using fake CAPTCHA prompts on websites mimicking legitimate IT resources. The malware payload includes multiple malicious tools such as LummaStealer, BerserkStealer, keyloggers, and a configurable Interlock RAT (Remote Access Trojan). Following initial system compromise, the attackers employ stolen credentials to move laterally across the network, using methods like RDP and various remote access tools. Before executing the ransomware, the attackers exfiltrate valuable data via Azure Blobs, setting the stage for demanding ransom payments. Sekoia's investigation highlights the evolving ransom note, which now focuses on legal consequences and regulatory implications if the breach is disclosed. Interlock's operations have demonstrated the growing sophistication and variation in ransomware attack vectors, indicating a broader trend among cybercriminal gangs and state-sponsored groups, including North Korea's Lazarus Group.
2025-04-18 16:33:38 theregister DATA BREACH CISA Alerts on Oracle Cloud Infrastructure Security Breach
CISA issued an alert regarding a data theft from Oracle’s public cloud infrastructure, urging Oracle users to enhance security measures. Oracle initially denied the breach but later acknowledged that customer data was stolen due to unpatched "obsolete" login servers. The stolen data may include emails, passwords, authentication tokens, and encryption keys, posing significant risks. Recommended actions include resetting passwords, monitoring authentication logs, and enforcing multi-factor authentication. The extent of the breach and its impact are still not fully determined, according to CISA. Oracle faces a lawsuit in Texas for not alerting affected users in a timely fashion about the breach. Oracle has not provided additional comments beyond their initial downplayed notification to affected customers.
2025-04-18 16:26:26 bleepingcomputer CYBERCRIME FBI Alerts on Scammers Impersonating IC3 to Exploit Fraud Victims
The FBI reports an increase in scammers posing as employees of the FBI's Internet Crime Complaint Center (IC3), targeting individuals who have previously been defrauded. Over 100 incidents involving this scam were reported between December 2023 and February 2025, with victims initially contacted through various methods including email, phone calls, and social media. Scammers, frequently creating fake female personas on social networks, infiltrate groups meant for fraud victims, deceitfully positioning themselves as victims too. The scammers encourage victims to contact a fictitious IC3 Chief Director, "Jaime Quin," through Telegram to assist in recovering their lost funds. Once contact is established, "Quin" claims to have retrieved the lost funds but uses this narrative as a facade to access victims' financial information and exploit them further. The FBI emphasizes that genuine IC3 employees will never contact victims directly nor request payment in exchange for recovering stolen funds. The public is advised to safeguard personal information and scrutinize the legitimacy of individuals or entities offering fund recovery services.
2025-04-18 16:11:27 bleepingcomputer CYBERCRIME ASUS Alerts on Critical Authentication Bypass in AiCloud Routers
ASUS has identified a critical authentication bypass flaw in routers with AiCloud, tracked as CVE-2025-2492 with a CVSS v4 score of 9.2. The vulnerability allows remote attackers to execute unauthorized functions on the device without needing authentication. AiCloud, a feature in ASUS routers, transforms these devices into private cloud servers, enabling remote file access, media streaming, and file syncing. The security flaw affects a wide range of router models, and ASUS has released firmware updates for multiple series including 3.0.0.4_382, 3.0.0.4_386, 3.0.0.4_388, and 3.0.0.6_102. Users are urged to update their firmware through the ASUS support portal or product finder page to mitigate risks. Additional security recommendations include using unique, complex passwords for wireless networks and router administration. End-of-life products impacted by the flaw should disable AiCloud and related internet access services to enhance security. No active exploitations or public exploits are reported yet, but the vulnerability could potentially be used for malware distribution or incorporating devices into DDoS attacks.
2025-04-18 15:21:20 thehackernews CYBERCRIME Chinese Smishing Kit Fuels Toll Fraud SMS Phishing in U.S.
Cybersecurity experts have identified an extensive SMS phishing (smishing) campaign exploiting toll road users across eight U.S. states for financial gain. The campaign utilizes a smishing kit created by a person known as "Wang Duo Yu," marketed as part of a China-based service called Lighthouse. Fraudulent messages mimic U.S. toll collection systems like E-ZPass, directing victims to enter personal details on spoofed websites. Victims are first tricked into activating the link in the SMS, then face a fake CAPTCHA followed by requests for financial information on counterfeit payment pages. Analysis reveals that the smishing kit is also tied to a group termed Smishing Triad, which conducts large-scale international scams involving postal service impersonations. The smishing kits are not only used for theft but also come with a "double theft" feature where stolen credit/debit card information is exfiltrated back to the kit's creators. There is growing concern as Wang Duo Yu's kits are now targeting banks and financial institutions in the Asia-Pacific region, escalating global cybersecurity risks. The campaign's scale and complexity, supported by a vast infrastructure and human resources, challenge effective preventive measures by tech giants like Apple and Google.
2025-04-18 15:04:30 bleepingcomputer CYBERCRIME SonicWall VPN Devices Compromised in Active Cyber Attacks
SonicWall SMA VPN appliances have been under attack since January 2025 through a vulnerability identified as CVE-2021-20035. Initially believed to enable only denial-of-service attacks, the flaw is now assessed to allow remote code execution, with an updated CVSS score of 7.2. Arctic Wolf reported that hackers used exploits targeting the SonicWall SMA 100 series, compromising devices that still had default super admin passwords. The compromised devices include multiple models such as SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v. CISA has acknowledged the threat by adding the vulnerability to its Known Exploited Vulnerabilities catalog and mandated that federal agencies secure their networks immediately. Arctic Wolf recommends limiting VPN access, deactivating unnecessary accounts, enforcing multi-factor authentication, and resetting local account passwords to combat the threat. Additional guidance was issued by SonicWall to patch another critical vulnerability in SMA1000 secure access gateways and to address a bypass flaw in Gen 6 and Gen 7 firewalls.
2025-04-18 13:44:17 bleepingcomputer CYBERCRIME Effective Strategies to Counter Credential-Based Cyberattacks
Credential-based attacks are the preferred method for cybercriminals, exploiting weak or stolen credentials to bypass security systems without detection. Google Cloud and IBM X-Force report high instances of cloud breaches and cyberattacks due to compromised accounts, affecting roughly one-third of global incidents. It's crucial for organizations to adopt strong password policies, implement multi-factor authentication, conduct regular staff training, and audit their Active Directory frequently to minimize vulnerabilities. Continuous monitoring and updating of Active Directory with tools like Specops Password Policy can prevent future breaches by detecting and addressing compromised passwords across the network. An immediate, well-rehearsed incident response plan is vital for minimizing damage and recovery time following a credential-based attack. Traditional security measures should be complemented with proactive strategies such as scanning for compromised passwords to effectively shield organizations from potential cyber threats. Specops Software’s Password Policy helps organizations by blocking access with known compromised passwords and promoting the creation of secure credentials.
2025-04-18 13:44:17 bleepingcomputer NATION STATE ACTIVITY Chinese Hackers Escalate Attacks on Russia Using Advanced RAT
Chinese-speaking IronHusky hackers have targeted government entities in Russia and Mongolia using upgraded MysterySnail RAT malware. The RAT was spread through a malicious MMC script pretending to be a Word document, facilitating the download of secondary payloads for persistence on affected systems. An intermediary backdoor discovered in the attacks allows file transfers, command execution, process management, and file deletion between the compromised devices and attackers' servers. Kaspersky experts noted that after initial defense measures blocked the attacks, the hackers deployed a simplified, more efficient version of the RAT dubbed MysteryMonoSnail. The updated RAT version supports extensive command functionalities, enhancing hackers' control over compromised systems. Originally detected in 2017, the IronHusky group has a history of espionage focused on military and diplomatic intelligence concerning Russian and Mongolian affairs. The latest findings and technical details of the ongoing cyber-espionage campaign have been documented in a recent Kaspersky report, including indicators of compromise.
2025-04-18 13:35:23 bleepingcomputer CYBERCRIME Effective Strategies to Combat Credential-Based Cyberattacks
Credential-based attacks, where valid credentials are used by cybercriminals, account for nearly one-third of global cyberattacks and facilitate 47% of cloud breaches. These attacks often occur due to weak or non-existent protection of credentials, making organizations with these security gaps prime targets. Immediate steps for responding to such attacks include multi-factor authentication, strong password policies, regular staff training, and frequent audits. It's crucial to implement security strategies like scanning Active Directories for compromised passwords, which can prevent future breaches. Specops Password Policy aids in protecting against credential-based breaches by blocking compromised passwords and promoting the creation of secure ones. Regular monitoring and updating of security measures are recommended to keep ahead of cybercriminals and minimize potential damages from attacks. The real-time example highlights the urgency and potential damage of such attacks, illustrating the importance of preparedness and rapid response.
2025-04-18 12:15:00 bleepingcomputer MALWARE Cisco Webex Vulnerability Allows Hackers Remote Code Execution
Cisco has issued updates for a critical vulnerability in Webex, identified as CVE-2025-20336, which permits unauthenticated remote code execution through malicious meeting links. The flaw stems from insufficient validation of inputs in Webex’s custom URL parser, allowing attackers to trick users into downloading dangerous files to execute commands. Attackers can exploit this by persuading a user to click a specially crafted meeting invite link, leading to arbitrary command execution under user privileges. This vulnerability affects all Cisco Webex App installations across different operating systems with no available workaround; updating the software is essential to mitigate risks. Cisco also patched other security issues, including a privilege escalation in Secure Network Analytics and user enumeration vulnerability in Nexus Dashboard. Despite these vulnerabilities, Cisco's security team has not found any active exploitation or evidence of these vulnerabilities being targeted in the wild. Additionally, a previously disclosed Cisco vulnerability (CVE-2024-20439) has been actively exploited, prompting urgent update recommendations from CISA for U.S. federal network security.
2025-04-18 12:09:30 thehackernews MALWARE Complex Multi-Stage Malware Attacks Employ Diverse Evasion Techniques
A multi-stage malware campaign distributing families like Agent Tesla, Remcos RAT, and XLoader has been observed. The attack uses a phishing email with a 7-Zip archive containing a .JSE file to initiate the infection sequence. The .JSE script downloads a PowerShell script that decodes and executes a Base64-encoded payload, leading to further malware deployment stages. Multiple execution paths are utilized, including .NET and AutoIt compiled executables, to increase attack resilience and complicate analysis. Techniques involve code injection into processes like "RegAsm.exe" and "RegSvcs.exe" to deploy payloads such as Agent Tesla. Additionally, a separate campaign by IronHusky targeted government organizations in Mongolia and Russia with a new version of the MysterySnail RAT. IronHusky's campaign likely used phishing with a malicious MMC script mimicking official documents to distribute the malware. Kaspersky reported that proactive measures by affected companies led to a simpler, less capable version of MysterySnail, dubbed MysteryMonoSnail, being deployed.
2025-04-18 09:58:17 theregister MISCELLANEOUS Shakeup in Global Vulnerability Tracking Amid Funding Uncertainty
The CVE (Common Vulnerabilities and Exposures) program, operated by MITRE, faced potential shutdown due to a sudden halt in US government funding, although last-minute government action extended funding by 11 months. Concurrently, the European Union has launched its own vulnerability tracking system, the EUVD (European Union Vulnerability Database), under the administration of ENISA, aimed at enhancing self-sustainability in vulnerability management within Europe. The EUVD utilizes a mix of its own IDs, alongside CVE IDs and GSD IDs from the potentially defunct Global Security Database, to track vulnerabilities. This development could lead to fragmentation in how security vulnerabilities are tracked globally, with potential implications for how vulnerabilities are managed and reported across different regions. Industry experts express concerns regarding dependency on a single government entity for funding and the neutrality of such programs, suggesting that a system backed by multiple nations might avoid concerns about impartiality. Discussions are also arising around whether regional systems like the EUVD will become favored over global systems due to regional regulatory influences. New initiatives such as the CVE Foundation and the GCVE (Global CVE Allocation System) are being explored to provide more robust and decentralized approaches to vulnerability management. The continued evolution of vulnerability tracking systems highlights the importance of a standardized approach to ensure coherence and reliability in managing security vulnerabilities globally.
2025-04-18 09:46:49 thehackernews DATA BREACH Preventing Data Breaches in AI-Integrated SaaS Environments
AI tools are finding their way into SaaS environments organically, often bypassing existing security measures. Employees are using AI for efficiency, such as summarizing deals or integrating chatbots, without recognizing potential data exposure risks. These AI enhancements are creating "shadow integrations" in SaaS stacks that are not easily visible to security teams. Traditional security strategies, reliant on manual tracking or user education, are insufficient to address these emerging threats. The session led by Dvir Sasson at Reco will focus on adapting security tactics to manage AI's expanding role in operational frameworks. Addressing AI security readiness is crucial, as traditional approaches do not fully cover the increased risks in decentralized, dynamic SaaS applications. Security professionals are encouraged to be proactive in evolving their strategies to include AI-specific considerations and potential vulnerabilities.