Daily Brief

Articles are listed below; each title is followed by a generated summary

Total articles found: 11824

Checks for new stories every ~15 minutes

2025-04-14 14:04:44 bleepingcomputer MISCELLANEOUS Enhance DevSecOps Strategy Using Wazuh's Open Source Platform
DevSecOps integrates security throughout development phases, aiming to mitigate vulnerabilities and improve system resilience. Implementing security early in the Continuous Integration and Continuous Delivery (CI/CD) pipeline identifies and remedies vulnerabilities quickly. Wazuh, an open source SIEM and XDR platform, enhances security monitoring by analyzing logs and detecting threats across various environments. The platform supports automation of security scans and integrates with third-party security tools, improving detection of software vulnerabilities. Wazuh also offers capabilities for monitoring CI/CD tools and the infrastructure where software development takes place, ensuring robust security. Its built-in compliance management tools help organizations adhere to various regulatory standards such as PCI DSS, HIPAA, and GDPR. Wazuh strengthens overall security posture by leveraging threat intelligence and providing continuous monitoring for potential security risks. With capabilities to generate compliance reports and detect pre-exploitation vulnerabilities, Wazuh supports a proactive security approach in DevSecOps.
2025-04-14 13:25:51 thehackernews CYBERCRIME Advanced Phishing Tactics Validate Emails for Targeted Credential Theft
Cybersecurity experts have identified a new credential phishing technique that pre-validates email addresses to target active, high-value accounts. The attack employs real-time email validation to filter and engage only with verified addresses, increasing the success rate of credential theft. This precision-validating phishing method contrasts sharply with traditional broad-spectrum phishing, focusing instead on individual high-priority targets. The phishing kit incorporates an API- or JavaScript-based validator that confirms the email address is active before displaying a fake login page. Non-existent or inactive addresses are redirected to neutral sites, such as Wikipedia, which helps the campaign avoid detection by security systems. The strategy not only increases attack effectiveness but also complicates detection by automated crawlers and security sandbox environments. Additionally, a related phishing campaign uses file deletion notifications as bait, directing victims to malicious links that either capture credentials or deploy malware disguised as common software. These attacks highlight a growing trend of combining advanced technical methods with social engineering to increase the efficacy and stealth of cyber threats.
2025-04-14 11:26:04 thehackernews MALWARE Advanced Ransomware Exploiting Windows Flaw Uncovered
Microsoft identified a zero-day vulnerability in the Windows Common Log File System (CLFS) being exploited in ransomware attacks. The vulnerability, CVE-2025-29824, allows attackers to gain SYSTEM privileges through an exploit delivered by the Trojan named PipeMagic. Microsoft tracks the attacking entity as Storm-2460, which engaged in credential harvesting followed by ransomware payload deployment. A ransom note linked to the RansomEXX ransomware family was discovered post-encryption, hinting at the nature of the payload. The flaw was patched as part of Microsoft's regular Patch Tuesday update for April 2025. In addition to this ransomware activity, various other vulnerabilities and threats were reported this week, including new high-risk CVEs across different software. Microsoft and other cybersecurity entities emphasize proactive defense mechanisms against sophisticated cyber threats.
2025-04-14 10:36:24 thehackernews MISCELLANEOUS Embracing AI in Cybersecurity: Adapt Quickly or Fall Behind
AI is revolutionizing cybersecurity by enabling attackers to automate attacks and defenders to process and analyze vast amounts of data more efficiently. Defenders are currently overwhelmed by the sheer volume of data and alerts, making it challenging to pinpoint genuine threats swiftly. Integrating AI into security practices offers a significant advantage by enhancing capabilities such as digital forensics, vulnerability assessment, and endpoint detection. Rapid deployment of AI models without thorough testing or security guidelines increases risk, particularly concerning privacy and data protection. A balance is essential in adopting AI to mitigate risk, boost competitiveness, reduce costs, and expedite decision-making within organizations. The cybersecurity sector faces a shortage of professionals trained in effective AI application, necessitating continuous education on AI advancements. SANS Institute is addressing this gap by offering specialized training in data science and machine learning for cybersecurity professionals. The SANSFIRE 2025 event in Washington, D.C., will provide hands-on AI cybersecurity training, aiming to equip professionals with essential AI skills for threat detection and security automation.
2025-04-14 09:30:46 theregister NATION STATE ACTIVITY UK Government's Attempts to Bypass Apple Encryption Denied
The UK Home Office unsuccessfully sought to compel Apple to implant a backdoor in its encryption, aimed at enhancing national security oversight. Apple responded by disabling the specific encryption feature for UK users rather than creating a backdoor, illustrating a strong stance on maintaining encryption integrity. The secretive nature of the government's request and subsequent appeal, which may remain classified, highlights ongoing tensions between privacy advocates and state security measures. A tribunal recently rejected the idea of a secret court for handling such sensitive requests, denying the government's proposal and questioning its justification. This incident underscores the broader challenges and ethical considerations in balancing national security needs with individual privacy rights in democratic societies. The growing scrutiny of government actions, whether in the UK or the US, suggests a strong public demand for transparency and legality in state security operations. Legislative frameworks and independent oversight are emphasized as necessary measures to prevent abuse of power in digital and cybersecurity environments.
2025-04-14 08:30:43 theregister MISCELLANEOUS Asda Executives Leave Amid Ongoing IT Overhaul from Walmart Split
Asda's CIO Carl Dawson and VP of digital and technology Rob Barnes are departing. Their departures correlate with the nearing completion of Project Future, Asda’s major IT system overhaul initiated after the 2021 sale by Walmart. Project Future, intended to create independent IT systems post-Walmart, stretches completion to at least Q3 2025. Annual costs of the project are expected to drop significantly in 2025 as the project concludes. Asda shifted from Walmart’s SAP ERP system to its own S/4HANA system on Microsoft Azure cloud in January 2024. The transition includes a focus on converting IT systems at about 850 retail locations throughout 2024, with major store conversions starting post-Christmas 2024. New leadership appointments include Marcus Shaw as CIO and Adrian Berry continuing as CTO; David Devany will join as VP eCommerce and digital business.
2025-04-14 06:58:05 thehackernews NATION STATE ACTIVITY Pakistan-Linked Hackers Target Key Indian Sectors with Advanced Malware
Pakistan-linked threat actors targeted Indian railways, oil and gas, and external affairs sectors with advanced malware including CurlBack RAT and Spark RAT. SEQRITE discovered the escalation in attacks in December 2024, noting a shift from HTML Application files to Microsoft Installer packages for malware deployment. The hacker group, identified as a part of Transparent Tribe (APT36), previously used methods associated with another actor, SideWinder, to camouflage their attacks. Recent attacks involved diverse malware such as Xeno RAT, Action RAT, ReverseRAT, and tools for data theft from browsers and USB drives. Attack vectors included email phishing with decoy documents such as holiday lists for railway staff and cybersecurity guidelines by Hindustan Petroleum Corporation Limited. The new malware, CurlBack RAT, is designed for espionage, capable of gathering system information, downloading files, and executing commands on Windows systems. SEQRITE’s findings show growth in the group’s operational capabilities and a focus on both Windows and Linux systems to diversify their attack portfolio. The group increasingly uses obfuscated and customized tools, leveraging compromised domains and fake sites for credential phishing and payload hosting to enhance persistence and evade detection.
2025-04-14 05:43:40 theregister NATION STATE ACTIVITY Fortinet Reveals Persistent Threats Despite Patch Efforts
Fortinet reported that access gained through previously patched vulnerabilities is persisting in a way the security updates did not address. Attackers used symbolic links to gain read-only access to vital system configuration files. The technique grants persistent access that outlasts typical security measures such as patching and resets. Fortinet advised customers unable to apply the patches to disable SSL-VPN to cut off the exploitation route. The global cybersecurity community sees an alarming trend of attackers maintaining access through sophisticated backdoors. In a related development, Android's security update addressed several critical vulnerabilities, including actively exploited zero-days. Independent researchers uncovered a backdoor in Chinese Unitree Go1 robot dogs, allowing total remote control over the devices. The Dutch government is investigating a significant data leak affecting multiple ministries, with few details disclosed.
2025-04-14 03:34:48 theregister NATION STATE ACTIVITY China Admits Cyberattacks on US Linked to Taiwan Support
Chinese officials reportedly confessed to orchestrating cyberattacks against US infrastructure during a meeting with the Biden administration in Geneva. The admission indicates these cyber activities are a response to U.S. support for Taiwan, which China considers a rogue province. This statement was described by a former U.S. official as both a tacit admission and a warning regarding U.S.-Taiwan relations. Allegations suggest China-backed hackers have compromised US telecoms to an extent that threatens user privacy and enables critical infrastructure takedowns. In tech developments, Alibaba Cloud has expanded services in its overseas data centers including introducing advanced AI models and platforms. India has initiated a new $2.7 billion subsidy program to boost local manufacturing of electronic components, supporting its growing electronics sector. The Philippines has shut down Now Telecom for failure to develop its network and meet financial obligations to the national regulator.
2025-04-13 20:52:25 theregister NATION STATE ACTIVITY Hacktivist Resurgence Masks Nation-State Cyber Involvements
Hacktivist groups, often linked to nation-states, are targeting critical infrastructure with sophisticated cyber tactics. Recent disruptions include a Moscow municipal communication system and water facilities in Texas, suggesting government ties. Intelligence agencies and cybersecurity firms observe that these groups typically follow state interests, offering plausible deniability to governments. Their strategy involves low-tech DDoS attacks for visibility, while more severe impacts are downplayed or go unnoticed. Federal agencies acknowledge that hacktivist fronts are used by nation-state actors such as Russia's GRU to mask their operations. Despite law enforcement efforts such as Operation PowerOFF, these cyber threats continue to resurface and evolve. Experts call for demystifying hacktivist operations to reduce their impact and for using incidents to strengthen cyber defenses. Security professionals urge continuous monitoring and a proactive approach to these politically or ideologically motivated cyber threats.
2025-04-13 14:25:12 bleepingcomputer MISCELLANEOUS Google Chrome 136 Introduces Enhanced Privacy for Browser History
Google is set to resolve a privacy flaw in Chrome version 136 that has allowed websites to detect users' browser histories for over two decades. The flaw involves the ':visited' link styling feature, which can reveal whether users have clicked certain links, leading to potential privacy breaches and security risks. Chrome 136 will use a triple-key partitioning system for visited links, limiting visibility to the same site and frame origin where the link was originally clicked. This update prevents cross-site history leaks, enhancing user privacy without removing the usability provided by the ':visited' styling cue. Previously considered fixes, like completely removing the ':visited' selector or utilizing a permissions model, were dismissed due to their impracticality and potential for abuse. The feature has been in experimental stages since Chrome 132 and will be enabled by default in the upcoming release. Other major browsers like Firefox and Safari have implemented partial measures against history leakage but have not introduced a partitioning solution like Chrome’s.
2025-04-12 15:22:00 bleepingcomputer CYBERCRIME Enhanced Phishing Kit Tycoon2FA Evades Detection, Targets Microsoft 365
Tycoon2FA, a Phishing-as-a-Service (PhaaS) platform, is now equipped with improved evasion techniques to bypass multi-factor authentication on Microsoft 365 and Gmail. Recent updates include the use of invisible Unicode characters in JavaScript to evade detection and the transition to a self-hosted CAPTCHA system that mitigates the risk of domain reputation flagging. The phishing kit also incorporates an anti-debugging feature that detects and blocks browser automation tools, further complicating its analysis and potential shutdown. Trustwave reported a significant 1800% increase in phishing attacks utilizing malicious SVG files since April 2024, highlighting a broader shift in phishing tactics. Malicious SVG files are used to masquerade as harmless images like logos or voice messages, embedding JavaScript that redirects users to fake login pages. The escalation in sophisticated phishing attacks underlines the need for organizations to upgrade their security measures, including adopting phishing-resistant authentication methods and stringent email attachment screening.
2025-04-12 14:21:19 bleepingcomputer CYBERCRIME New Wave of Cyber Threats: AI-Generated Code Leading to Attack
A novel cybersecurity risk has emerged in software development, termed 'slopsquatting', arising from generative AI's propensity to fabricate non-existent package names in coding. This threat differs from traditional typosquatting as it isn't based on typographical errors but on AI hallucinations of false package dependencies in languages like Python and JavaScript. Analysis of 576,000 AI-generated code samples revealed around 20% recommended nonexistent packages, with open-source tools showing a significantly higher hallucination rate than commercial counterparts such as ChatGPT-4. Over 200,000 unique but fictitious package names were identified, with 43% recurring consistently across different prompts, presenting a new and predictable attack vector for cybercriminals. 58% of the hallucinated package names appeared more than once in multiple tests, suggesting that such errors by AI tools are not isolated incidents but can be deliberately exploited by attackers. Researchers emphasize the importance of manually verifying package names, using dependency scanners, and testing AI-generated code in secure environments to prevent potential cyberattacks. Adjusting AI model settings to decrease randomness and verifying dependencies meticulously are recommended strategies to reduce risks associated with slopsquatting.
2025-04-12 11:19:29 theregister CYBERCRIME AI Code Tools Vulnerable to Malicious "Slopsquatting" Attacks
AI coding assistants are generating code suggestions that include nonexistent software packages, potentially introducing risks to software supply chains. Researchers found discrepancies in package suggestions from commercial and open-source models, with a significant portion suggesting phantom packages. Attackers exploit this by registering malicious packages under these nonexistent names, which can then be inadvertently used by developers, leading to possible malware execution. This new form of attack, termed "slopsquatting," involves targeting hallucinated names generated by AI, which are often similar to existing legitimate packages. Security improvements and defensive measures are being discussed and implemented, though the challenge remains complex due to the nature of AI-generated outputs. Companies and developers are urged to verify AI-generated code and package suggestions against known and trusted sources before implementation. Recent security incidents highlight the urgency of addressing these vulnerabilities in AI-powered code generation tools.
2025-04-11 23:15:56 theregister MISCELLANEOUS Microsoft Reintroduces Controversial Recall Feature in Windows 11
Microsoft quietly re-introduced its contentious Recall feature in Windows 11, aimed at capturing and storing screenshots to help users retrieve past activities on their PCs. Originally launched and quickly shelved due to privacy concerns, Recall now comes enabled by default on specifically designed Copilot+ PCs, with changed default settings to improve user data protection. Recall's functionality involves AI-driven local storage of screenshots, application activity, and other data to facilitate searching and recalling user actions by keywords. Despite enhancements, the feature faced initial resistance due to privacy issues, exemplified by security experts successfully bypassing protections to access the stored data. To strengthen security, Recall now works with major browsers and employs Windows Hello for authentication before accessing the screenshot archive. Microsoft claims the data is stored and encrypted locally, is not shared with Microsoft or third parties, and requires user permission for each snapshot. Expected to roll out in early 2025, the feature will be available in select languages and regions, with gradual deployment plans detailed by Microsoft for the European Economic Area.