Daily Brief
Total articles found: 11824
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-04-18 07:12:59 | thehackernews | DDOS | Rising Threat: XorDDoS Malware Targets Linux, IoT and Docker Systems | XorDDoS malware is increasingly targeting the United States, accounting for 71.3% of observed attacks between November 2023 and February 2025. The malware, active for over a decade, has broadened its scope to include Docker servers and IoT devices, converting infected systems into bots. The most common initial access method is SSH brute-forcing, after which the malware installs itself on the compromised device. XorDDoS establishes persistence on infected machines using initialization scripts and cron jobs so that it reactivates at system startup. It decrypts its embedded configuration with an XOR key to obtain the details needed for command-and-control (C2) communication. Cisco Talos researchers in 2024 identified an updated architecture, including a new "VIP version" sub-controller that manages an extensive botnet and may indicate commercial distribution. Language settings in the XorDDoS tooling hint at Chinese-speaking operators. Beyond DDoS, the infections also pave the way for secondary payloads such as cryptocurrency-mining malware. |
| 2025-04-18 04:34:05 | thehackernews | MALWARE | CVE-2025-24054 Vulnerability Actively Exploited, NTLM Hashes Stolen | CISA has documented a medium-severity vulnerability in Microsoft Windows, CVE-2025-24054, which is being actively exploited to steal NTLM credentials. Microsoft recently patched this hash-disclosure spoofing bug, even though NTLM is a deprecated authentication protocol. The vulnerability can be triggered by minimal user interaction with a malicious file, such as selecting or inspecting it without opening it. Attackers have used phishing and malicious files distributed via Dropbox to exploit the flaw and extract NTLM hashes, primarily targeting institutions in Poland and Romania. Check Point reports multiple phishing campaigns using malicious .library-ms files to harvest NTLMv2-SSP hashes and enable lateral movement within networks. Despite being rated "Exploitation Less Likely" by Microsoft, the flaw was weaponized rapidly, prompting urgent recommendations to apply the patch. FCEB agencies are obligated to remediate this vulnerability by May 8, 2025. |
| 2025-04-17 21:38:38 | bleepingcomputer | MALWARE | Critical Erlang SSH Vulnerability Risks Remote Code Execution | A critical flaw, CVE-2025-32433, in Erlang/OTP SSH allows unauthenticated remote code execution. The vulnerability was identified by researchers from Ruhr University Bochum in Germany and received a severity score of 10.0. All devices running the Erlang/OTP SSH daemon are affected, and urgent updates are advised. Erlang's widespread use in telecom and high-availability systems makes the impact of this vulnerability significant. The flaw arises from incorrect handling of pre-authentication protocol messages in the SSH daemon. Attackers exploiting it can execute commands with the privileges of the SSH daemon, which often runs as root. Horizon3's Attack Team demonstrated a "surprisingly easy" proof of concept, emphasizing the urgency of patching. For systems that cannot be updated immediately, restricting SSH access or disabling the SSH daemon is recommended. |
| 2025-04-17 20:58:23 | bleepingcomputer | DATA BREACH | Legends International Reports Significant Data Breach Impacting Global Venues | Legends International disclosed a data breach, detected on November 9, 2024, affecting its employees and venue visitors. The breach involved unauthorized activity in its IT systems, and files containing personal data were confirmed to have been exfiltrated. The exact types of personal data exposed have not yet been determined, and the total number of affected individuals remains unknown. Legends manages over 350 venues globally, including prominent locations such as SoFi Stadium and One World Observatory. An investigation with external cybersecurity experts is ongoing, and enhanced security measures have been implemented since the incident. Affected individuals have been offered 24 months of identity theft detection services through Experian, with a July 2025 enrollment deadline. The company says it had security measures in place and has added new ones, but it has not disclosed specifics. There is currently no evidence that the exfiltrated data has been misused, and no ransomware group has claimed responsibility for the attack. |
| 2025-04-17 19:24:08 | bleepingcomputer | CYBERCRIME | Phishing Attacks Exploit Windows Flaw to Target Government Entities | Windows vulnerability CVE-2025-24054, fixed in March 2025, is being actively exploited via phishing against governments and corporations. Attackers send .library-ms files in emails that trigger automatic SMB connections, leaking Windows NTLM authentication hashes. Initially assessed as "less likely" to be exploited, the flaw was confirmed in use shortly after the patch was released. Phishing campaigns sent Dropbox links containing malicious .library-ms files to entities in Poland and Romania. In subsequent attacks, simply downloading a .library-ms file triggered the flaw, showing that exploitation is not limited to zip archives. The attackers' IP address was previously associated with the Russian state-sponsored group APT28, though there is not enough evidence for definite attribution. Captured NTLM hashes can enable severe breaches, including authentication bypass and privilege escalation. Microsoft recommends installing the latest updates and disabling NTLM authentication to mitigate the risk. |
| 2025-04-17 18:57:39 | theregister | NATION STATE ACTIVITY | Chris Krebs Resigns from SentinelOne After Security Clearance Revoked | Chris Krebs, former head of the US Cybersecurity and Infrastructure Security Agency (CISA), has resigned from cybersecurity firm SentinelOne. President Trump issued an executive order revoking the security clearances of Krebs and associated entities, citing Krebs's denial of 2020 election fraud. The order also directs the Attorney General and the Department of Homeland Security to investigate Krebs's assurances about the security of the 2020 election. Krebs joined SentinelOne in 2023 after his consultancy was acquired; the company was not involved in his activities during his tenure at CISA. Krebs stated that his resignation was necessary so he could focus independently on fighting for democracy, freedom of speech, and the rule of law. Krebs has publicly maintained that the 2020 presidential election was secure, contrary to unfounded claims of widespread election malfeasance. |
| 2025-04-17 16:58:18 | bleepingcomputer | MALWARE | Malware-Laden Chrome Extensions Affecting Six Million Users | Fifty-seven Chrome extensions containing tracking code were found, affecting over 6 million users. Discovered by John Tuckner of Secure Annex, these extensions can monitor user browsing, access cookies, and execute remote scripts. These "hidden" extensions do not appear in Chrome Web Store searches and can only be installed via direct URL. Despite claiming to provide ad-blocking and privacy services, the extensions request overly broad permissions, posing significant privacy risks. Tuckner's investigation highlighted spyware-like characteristics due to their obfuscated code and hidden functionality. Following Tuckner's report, several extensions have been removed from the Chrome Web Store, but some remain. Google has acknowledged the issue and is investigating the extensions. Users of these extensions are advised to remove them immediately and reset their passwords as a precaution. |
| 2025-04-17 15:24:16 | thehackernews | NATION STATE ACTIVITY | Mustang Panda Updates Malware, Targets Myanmar Organization | China-linked Mustang Panda has launched a sophisticated cyberattack on an organization in Myanmar using updated malware tooling. The updated toolset includes a new version of the TONESHELL backdoor, the lateral-movement tool StarProxy, and the keyloggers PAKLOG and CorKLOG. TONESHELL has enhanced command-and-control communication and client identifier management. StarProxy, delivered via DLL side-loading, proxies encrypted traffic between infected devices and command-and-control servers. The new keyloggers capture and store keystroke and clipboard data but have no exfiltration capability of their own. SplatCloak, a new EDR evasion tool, helps the malware evade detection by security products such as Windows Defender and Kaspersky. These updates reflect Mustang Panda's ongoing efforts to refine its techniques and maintain operational security for sustained cyber espionage. Concurrently, another China-nexus cyber espionage group, UNC5221, has been updating its BRICKSTORM malware to target Windows environments in Europe. |
| 2025-04-17 14:52:04 | bleepingcomputer | DATA BREACH | Ahold Delhaize Confirms Data Theft by Ransomware Group INC | Ahold Delhaize, a major food retail company, confirmed data theft from its U.S. systems following a cybersecurity incident in November 2024. The incident led to certain files being extracted from some of the company's internal U.S. business systems, as confirmed by a company spokesperson. Following the cyberattack, Ahold Delhaize took several of its IT systems offline to prevent further damage, affecting some U.S. brands, pharmacies, and e-commerce operations. The ransomware group INC Ransom claimed responsibility for the attack, posting evidence of the data theft on a dark web extortion site. Although the details of the stolen information are still under investigation, Ahold Delhaize pledged to notify affected individuals if personal data was compromised. Law enforcement has been informed, and the company continues to keep all of its stores and online services operational. The ongoing investigation is part of broader efforts to understand the scope of the incident and secure affected systems. |
| 2025-04-17 14:05:15 | bleepingcomputer | CYBERCRIME | Global Spike in SMS Phishing Scams Targets Financial Data | CTM360 reports a significant increase in SMS-based phishing via the PointyPhish and TollShark campaigns, which rely on false reward claims and fake toll charges. PointyPhish involves over 3,000 domains and uses the urgency of expiring rewards to direct victims to malicious sites where payment details are stolen. TollShark uses more than 2,000 domains and exploits fears of unpaid tolls to gather personal information. Both campaigns use Darcula Suite, a Phishing-as-a-Service (PhaaS) platform, to quickly create and scale phishing operations globally. These scams span a wide geographical area and target customers of many brands at scale, capturing large amounts of sensitive financial data. Darcula Suite supports advanced features such as multi-channel SMS delivery to increase the efficacy and reach of these attacks. CTM360 also identified an escalation of related phishing activity, including over 16,000 impersonation sites associated with various malware variants. |
| 2025-04-17 11:36:58 | thehackernews | NATION STATE ACTIVITY | State Hackers Employ ClickFix in Global Malware Campaigns | State-sponsored hacking groups from Iran, North Korea, and Russia have used the ClickFix technique to deploy malware in recent months. ClickFix, a social engineering tactic originally used by cybercriminals, manipulates users into executing malicious commands under the pretext of fixing a problem or completing a verification step. Notable clusters such as TA427 (Kimsuky), TA450 (MuddyWater), and UNK_RemoteRogue (associated with Russia) have adopted ClickFix to improve their phishing campaigns and malware distribution. Their deployment strategies include sending phishing emails that impersonate credible entities, directing victims to attacker-controlled sites, and tricking them into installing malware such as Quasar RAT or RMM software. Attacks targeted sectors including finance, government, health, education, and transportation, with a focus on the UAE, Saudi Arabia, Canada, Germany, Switzerland, and the US. Proofpoint's report highlights the evolution of ClickFix from a niche method into a commonly used tool of nation-state actors supporting espionage and data exfiltration. The rapid adoption of ClickFix by multiple state-sponsored groups underscores the need for heightened awareness and stronger defenses against sophisticated social engineering attacks. |
| 2025-04-17 11:28:25 | thehackernews | NATION STATE ACTIVITY | Navigating Security Risks Amidst the Rise of Large Language Models | Large Language Models (LLMs) are advancing both defensive and offensive cyber operations, influencing sectors from security technology to cybercrime. AI-powered malware, though still in its early stages as reflected in examples from MIT and IBM, showcases potential future threats. There has been a noted increase in the use of AI for offensive purposes, including scams and AI-facilitated attacks; a prominent instance was the $25 million loss suffered by Arup due to AI-based voice spoofing. Various nation-state actors, including those from China and Iran, are increasingly leveraging AI tools such as generative AI chatbots for malicious purposes, including disinformation campaigns and sophisticated spear-phishing. The risks and costs of adopting LLMs in businesses are substantial and multifaceted, ranging from increased operational costs and security risks to ethical concerns and significant resource consumption. Security teams must remain vigilant and strengthen traditional security practices to manage the new vulnerabilities introduced by LLMs, which considerably expand the potential attack surface. Prompt injection vulnerabilities in GenAI applications have been identified as a critical emerging threat, requiring ongoing attention and mitigation to safeguard digital infrastructure. |
| 2025-04-17 11:28:24 | bleepingcomputer | DATA BREACH | CISA Issues Warning After Oracle Cloud Legacy Server Leak | CISA warned of an increased risk of breaches stemming from compromised Oracle Cloud legacy servers, highlighting the exposure of sensitive credential material. Oracle confirmed the compromise involved "two obsolete servers" and said it did not directly affect current Cloud services or customer data. The leaked credential material included usernames, emails, passwords, authentication tokens, and encryption keys, posing a threat to enterprise environments. CISA advised several security measures: resetting passwords, replacing hardcoded credentials, enforcing multi-factor authentication, and monitoring authentication logs. Oracle privately told clients that old client credentials were stolen from a legacy environment last active in 2017. However, threat actors had posted data as recent as 2025 on hacking forums, indicating ongoing unauthorized access and data extraction. The breached servers were found to contain a web shell and malware, and data was stolen from the Oracle Identity Manager (IDM) database. A separate breach in January affected Oracle Health and led to the compromise of U.S. patient data across healthcare organizations and hospitals. |
| 2025-04-17 10:52:31 | theregister | NATION STATE ACTIVITY | British Army Tests Radio-Wave Weapon Against Drone Swarms | British soldiers successfully disabled drones using a Radiofrequency Directed Energy Weapon (RF DEW) that disrupts the drones' electronics with high-frequency radio waves. The RF DEW system can engage airborne targets up to 1 km away and, thanks to its wide beam, is particularly effective against multiple drones simultaneously. According to the Ministry of Defence, the cost of operating the weapon is remarkably low, at just 10p per shot. The technology is part of a larger £40 million UK government investment in RF DEW research aimed at further development for operational deployment. During trials, the RF DEW tracked, engaged, and defeated over 100 drones, including two swarms in one engagement. Similar technologies, such as the US THOR system, show international interest and investment in anti-drone warfare. The weapon system is portable and can be mounted on a flatbed truck, making it a flexible solution for mobile operations. |
| 2025-04-17 10:36:48 | thehackernews | MISCELLANEOUS | Exploring Blockchain's Role in Enhancing Online Security and Identity | Blockchain technology is lauded for its potential to revolutionize online authentication, promising significant security benefits over traditional passwords. Using cryptographic keys for identity verification could reduce the risks associated with password vulnerabilities and guard against data breaches by eliminating centralized credential databases. Real-world examples include R3 Corda in financial services for secure KYC processes and blockchain in healthcare for secure patient data exchange. Despite these advantages, blockchain technology faces challenges including high operational costs, scalability issues, legal and regulatory hurdles, and a general lack of understanding and interoperability. Blockchain promises a decentralized approach to data handling and security, potentially complementing existing measures such as multi-factor authentication. Traditional passwords retain advantages such as simplicity, universality, and ease of reset, suggesting they will not become obsolete in the near future. Effective security strategies should integrate robust password policies with advanced solutions such as blockchain to strengthen both user authentication and overall system security. The ongoing reliance on passwords underscores the importance of maintaining strong password security practices while exploring innovative technologies such as blockchain. |