Daily Brief
The summaries below are machine-generated. Total articles found: 11824; new stories are checked for every ~15 minutes.
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-04-15 19:02:52 | theregister | CYBERCRIME | Rival Forum Allegedly Hacks 4chan, Leaks Sensitive User Data | 4chan suffered extended outages and slow load times after a claimed attack by users of the rival imageboard Soyjak.party. The attackers reportedly stole and leaked 4chan's source code along with moderators' personal details and users' IP addresses; the moderator data is said to include .edu and .gov email addresses. The breach was claimed to include full access to 4chan's SQL databases, source tree and a shell, which would amount to a comprehensive compromise. Social media coverage suggests 4chan was running an outdated, vulnerable version of PHP, which would have widened the attack surface. The attackers, previously banned from 4chan, claimed to have reinstated their board on the site as part of the hack, pointing to a revenge motive. The exposure of moderator identities has revived speculation that 4chan has been used as a federal law enforcement honeypot. Downdetector recorded a peak of more than 1,000 user complaints during the outages, indicating the scale of the disruption. |
| 2025-04-15 18:34:02 | bleepingcomputer | DATA BREACH | Landmark Admin Data Breach Affects Over 1.6 Million People | Landmark Admin, a Texas-based third-party administrator for major insurers, reported a data breach affecting about 1.6 million individuals. The company first detected suspicious network activity on May 13, 2024, and its initial report put the number of affected individuals at 806,519. The intrusion involved unauthorized access that exposed varying types of personal information, and affected individuals are being notified by letters specifying which of their data was compromised. The count was revised upward after a fuller investigation and may change again as the forensic review continues. Landmark is offering victims 12 months of identity theft protection and credit monitoring, and notification recipients have a 90-day window to contact a dedicated helpline with questions. |
| 2025-04-15 18:18:58 | bleepingcomputer | CYBERCRIME | Major Hack Takes Down 4chan, Exposes Admin Information | 4chan, a controversial imageboard, suffered a major security breach that took the site offline. The attack, claimed by members of Soyjak.party, involved leaking screenshots of 4chan's admin panels and staff email addresses. The hacker claimed to have had access to 4chan's systems for over a year before executing the attack. The leaked material reportedly included information that could expose user locations and IP addresses and grant access to internal management tools. The breach was attributed to an outdated PHP version that left 4chan exposed to known exploits. Afterwards, 4chan struggled with intermittent service, alternating between a text-only mode and Cloudflare error pages. 4chan's PHP source code was also leaked on another platform, indicating a broad compromise of the site's code base. The incident underscores the need for forums to keep their software stack patched and current. |
| 2025-04-15 18:07:08 | theregister | NATION STATE ACTIVITY | China Accuses US of Cyberattacks During Asian Winter Games | China has publicly accused three NSA agents of launching cyberattacks on systems supporting the 2025 Asian Winter Games in Harbin, Heilongjiang province. The agents, alleged to be members of the NSA's Tailored Access Operations unit, are accused of attempting to implant backdoors and access sensitive data through the event's registration and timekeeping systems. Chinese state media reports more than 270,000 attack attempts against the games, attributing about 170,000 to the United States and the remainder to sources in other countries such as Singapore and Germany. The report frames the activity as aggressive foreign interference aimed at disrupting and exploiting international events hosted in China. Beijing's allegations mirror the language Western governments typically use to describe similar activity by China, Russia, North Korea and Iran. Chinese authorities have offered bounties for information leading to the arrest of the implicated agents, though the reward amounts have not been disclosed. China also claims the US has targeted other critical sectors in Heilongjiang province, including energy and telecommunications. |
| 2025-04-15 17:59:15 | theregister | MISCELLANEOUS | Judge Conditionally Allows Limited Treasury Access to DOGE Unit | A federal judge has partially lifted an earlier injunction, allowing a single DOGE staff member limited access to sensitive US Treasury Department systems. The access is conditional on the individual completing required training and complying with financial disclosure requirements. The original restriction had been imposed over concerns about how DOGE, the cost-cutting group endorsed by President Trump and led by Elon Musk, handled sensitive data. A former DOGE employee's mishandling of a Treasury database had contributed to the strict access limits. Judge Jeanette Vargas cited improved procedural safeguards and training as key factors in permitting limited access. The systems in question include critical financial databases holding personally identifiable information (PII) on US citizens, such as Social Security numbers and bank details. The case is part of ongoing litigation over privacy and data handling within government bodies. |
| 2025-04-15 17:51:51 | theregister | MISCELLANEOUS | Federal Judge Partially Lifts Ban on DOGE's Treasury Access | A federal judge has conditionally lifted an injunction to allow a single DOGE staffer, Ryan Wunderly, access to sensitive US Treasury systems once he completes required training and compliance steps. The ruling modifies a February order that had blocked DOGE's access entirely over concerns about the handling and safeguarding of sensitive financial data. Wunderly's access to the Treasury's payment and data systems is contingent on completing the training and submitting a financial disclosure report. The injunction was originally imposed after a former DOGE aide breached policy by mishandling unencrypted data. Judge Jeanette Vargas granted the limited access after the Trump administration addressed procedural deficiencies in its protection of confidential information. The access covers extensive Treasury data, including personally identifiable information on US citizens, which continues to raise privacy and security concerns. DOGE, led by Elon Musk and endorsed by President Trump, aims to cut federal spending but faces multiple lawsuits over privacy violations tied to its access to government data. |
| 2025-04-15 17:03:28 | bleepingcomputer | MALWARE | Microsoft Disables ActiveX in Office to Combat Malware Risks | Microsoft has announced that all ActiveX controls will be disabled by default in the Windows versions of Microsoft 365 and Office 2024, starting later this month. ActiveX, introduced in 1996, has long been a security liability, with attackers exploiting zero-day vulnerabilities in controls to deliver malware through Office documents. After the update, documents containing ActiveX controls will display a "BLOCKED CONTENT" notification and users will not be able to interact with the objects. Users can re-enable ActiveX through the Trust Center, though Microsoft advises against doing so. The change continues an effort begun in 2018 to block risky Office features by default, including VBA macros and Excel 4.0 (XLM) macros. It fits Microsoft's broader strategy of retiring older technologies that pose security risks, including the planned phase-out of VBScript. |
| 2025-04-15 14:12:17 | thehackernews | NATION STATE ACTIVITY | Chinese Hackers Exploit Linux Systems With SNOWLIGHT Malware | UNC5174, a China-linked threat actor, is using the SNOWLIGHT malware and the open-source VShell tool in attacks on Linux systems. SNOWLIGHT acts as a downloader that fetches VShell, a remote access trojan (RAT) that gives the operators control of the host and access to its data. The use of open-source tooling lowers cost and complicates attribution by blending the actor's activity into the broader hacking community. Recent exploitation of vulnerabilities in Ivanti appliances points to strategic targeting of organizations across multiple sectors and countries. France's national cybersecurity agency, ANSSI, has observed tactics consistent with UNC5174's tradecraft. Sysdig reports that the malware uses WebSockets for covert command-and-control communication, improving the stealth of the attacks. The ongoing campaign highlights the risk that fileless malware and RATs capable of executing remote commands pose to organizations. TeamT5 implicates another China-nexus group in related attacks exploiting security flaws in Ivanti appliances across multiple countries. |
| 2025-04-15 14:06:41 | theregister | NATION STATE ACTIVITY | Chinese-Linked Cyber Espionage Utilizes Advanced RAT | UNC5174, a cyber espionage group linked to China's Ministry of State Security, is using a sophisticated remote access trojan (RAT) to infiltrate organizations worldwide, predominantly in the US. Its toolkit pairs a custom downloader, SNOWLIGHT, with VShell, an open-source fileless backdoor that cybercrime forums tout as superior to Cobalt Strike. VShell runs entirely in memory and is designed to evade traditional file-based antivirus, complicating detection and remediation. The attackers have been active since at least November 2024, and ongoing operations include domain squatting on brands such as Cloudflare and Google for phishing. The Sysdig Threat Research Team has observed new command-and-control domains tied to the operation appearing almost daily, indicating an active and evolving campaign. Although VShell's developer withdrew the software for legal reasons, it remains available and functional through clones on GitHub, and it uses WebSockets for concealed command-and-control and data exfiltration. Analysts expect UNC5174 to continue supporting Chinese government objectives while expanding its infrastructure for espionage and access brokering. |
| 2025-04-15 13:56:23 | bleepingcomputer | MISCELLANEOUS | Google Enhances Android Security with Automatic Reboot Feature | Google is rolling out an Android security feature that automatically reboots a device after three days of inactivity. The reboot returns the device to the Before First Unlock (BFU) state, in which user data stays encrypted at rest and the decryption keys are not held in memory, making it far harder for forensic tools to extract data. Previously, a device left in the After First Unlock (AFU) state could have user data extracted; forcing a reboot moves it back to BFU. The update shipped in the latest Google Play services release. GrapheneOS introduced similar functionality earlier, with an auto-reboot after 18 hours of inactivity. Google's 72-hour window is less aggressive than GrapheneOS's but still raises the bar against unauthorized data extraction. A related recommendation is to disable USB data transfers while the device is locked. The feature is being rolled out progressively through the latest Google Play system update. |
| 2025-04-15 13:47:27 | thehackernews | MALWARE | Malicious PyPI Package Hijacks MEXC Crypto Trades, Steals Data | Security researchers identified a malicious Python package on PyPI designed to hijack and redirect orders placed on the MEXC cryptocurrency exchange. The package, ccxt-mexc-futures, posed as an extension of the legitimate ccxt trading library and was downloaded more than 1,000 times before PyPI removed it. It targeted specific MEXC API endpoints, rerouting order creation, placement and cancellation to a server controlled by the attackers. This also gave the attackers a path to execute code on users' machines and to capture sensitive credentials such as API keys and tokens. Affected users are advised to uninstall the package immediately and revoke any credentials it could have captured. The incident underscores the supply-chain risk posed by malicious packages in open-source ecosystems. Separate research into AI-generated "hallucinated" package names points to further complications in keeping software supply chains secure. Developers and organizations are urged to vet third-party dependencies carefully for vulnerabilities or malicious code. |
| 2025-04-15 13:24:50 | thehackernews | MALWARE | Critical Vulnerability in Apache Roller Risks Persistent Unauthorized Access | A critical vulnerability, CVE-2025-24859, has been identified in the Apache Roller blogging platform, affecting versions up to and including 6.1.4 and carrying a maximum CVSS score of 10.0. The flaw leaves existing user sessions active after a password change, so an attacker who already holds a session can keep using it even after the victim rotates the password. Apache's advisory states that Apache Roller 6.1.5 fixes the issue with centralized session management that invalidates all of a user's active sessions when the password is changed or the account is disabled. The vulnerability, discovered by security researcher Haining Meng, lets an intruder retain unauthorized access and continue to abuse a compromised account. It follows recent critical flaws in other Apache projects, including Apache Parquet and Apache Tomcat, underscoring the ongoing security challenges in widely used software. Organizations running Apache Roller are strongly advised to update to the latest version immediately. Prompt action matters given that the recent Tomcat flaw was actively exploited shortly after disclosure. |
| 2025-04-15 12:28:28 | theregister | CYBERCRIME | Microsoft 365 Introduces Stricter Controls on ActiveX Usage | Microsoft has changed the default ActiveX settings in Microsoft 365 so that all controls are disabled by default, reducing the risk of remote code execution through Office documents. Previously, Microsoft 365 prompted users before enabling ActiveX controls, relying on users to understand the security risk. ActiveX, a relic of last century's software development, has a long history of vulnerabilities exploited through social engineering and malware. The decision is part of a larger strategy to retire outdated technologies such as VBScript and ActiveX, which survive largely because of legacy corporate workflows. Users who still need ActiveX can re-enable it through the Trust Center, provided they have the administrative permission to change those settings. Despite declining use, ActiveX remains part of Microsoft's ecosystem because of its historical role in integrating productivity applications with business processes. The move is a significant, and perhaps final, step in Microsoft's long-term plan to remove less secure technologies from its software suite. |
| 2025-04-15 11:33:15 | theregister | DATA BREACH | Hertz Confirms Customer Data Stolen in Cleo Cyberattack | Hertz has confirmed that customer data was stolen in the zero-day attacks on Cleo's managed file transfer products. The exposed data includes names, contact details, dates of birth, credit card and driver's license information, and details related to workers' compensation claims. A smaller subset of customers may also have had Social Security numbers, passport information or Medicare IDs stolen. The breach affected customers of the Hertz, Dollar and Thrifty brands, all owned by Hertz Corporation. Hertz has reported the breach to law enforcement and regulators, and Cleo has since patched the vulnerabilities exploited in the attack. The Cl0p cybercrime group claimed responsibility for the Cleo attacks, which affected around 70 organizations. Hertz is offering affected individuals two years of identity monitoring or dark web monitoring services. |
| 2025-04-15 11:33:15 | thehackernews | CYBERCRIME | New Report Reveals High Risk from Browser Extensions in Enterprises | LayerX's 2025 Enterprise Browser Extension Security Report details the widespread use of browser extensions in corporate environments and the risks they carry. Nearly 100% of employees use browser extensions, and more than half have over ten installed. Over half of extensions can access sensitive data such as passwords and browsing history, a substantial risk to enterprise data. 54% of extension publishers are unverified, which makes it hard to assess an extension's trustworthiness. The growth of GenAI extensions adds further risk, since many request permissions that could expose enterprise data. Many extensions are poorly maintained: 51% have not been updated in over a year, and 26% are sideloaded, bypassing store review. The report provides recommendations for IT and security teams on managing and mitigating extension risk, and serves as a guide for CISOs and IT professionals building informed strategies. |