Daily Brief


Total articles found: 11825

Checks for new stories every ~15 minutes

2025-04-11 23:15:56 theregister MISCELLANEOUS Microsoft Reintroduces Controversial Recall Feature in Windows 11
Microsoft has quietly brought back Recall, its contentious Windows 11 feature that periodically captures screenshots of the desktop so users can search their past activity, in Windows Insider preview builds for Copilot+ PCs. First shown in 2024 and pulled before it shipped after privacy objections, Recall now has to be switched on by the user rather than being enabled by default, and it remains limited to Copilot+ hardware. It uses on-device AI to index snapshots, application activity and other data locally so that earlier actions can be found by keyword. The original build drew fire when security researchers showed that its snapshot database could be read by any software running on the machine, bypassing the intended protections. The reworked version keeps the data encrypted on the device, requires Windows Hello authentication before the snapshot archive can be opened, lets users exclude specific apps and websites, honours private browsing in supported browsers, and Microsoft says nothing is shared with Microsoft or third parties. Rollout is gradual and limited to select languages and regions, with a separate schedule for the European Economic Area.
2025-04-11 19:13:56 bleepingcomputer CYBERCRIME Microsoft Enhances Defender to Isolate Undiscovered Endpoints
Microsoft is adding a feature to Defender for Endpoint that isolates traffic to and from network endpoints that have not been discovered or onboarded. The goal is to block lateral movement through devices Defender cannot see: automatic attack disruption identifies IP addresses associated with malicious or unknown devices and applies containment so that onboarded devices stop communicating with them. The capability covers onboarded devices running Windows 10, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 or later. Administrators can reverse an IP containment at any time from the Defender for Endpoint Action Center. Microsoft has offered containment of compromised and unmanaged Windows devices since June 2022; device isolation was later extended to Linux, and Linux and macOS support reached general availability in October 2023.
2025-04-11 17:59:44 thehackernews CYBERCRIME Fortinet Exposes Persistent Symlink Exploit in FortiGate Devices
Fortinet has found that attackers who compromised FortiGate devices through older SSL-VPN flaws, including CVE-2022-42475, CVE-2023-27997 and CVE-2024-21762, left behind a symbolic link connecting the user filesystem to the root filesystem, placed in the folder that serves SSL-VPN language files. Because that folder is reachable through the SSL-VPN web interface, the link survived the patches for the original bugs and kept giving read-only access to files on the device, including its configuration. Only devices that have had SSL-VPN enabled at some point are exposed; devices that never enabled it are not affected by this technique. Fortinet has notified affected customers and released FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17 and 6.4.16, which remove the link and stop the web interface from serving it. Any device found with the link should be treated as compromised: review its configuration, reset credentials and follow Fortinet's recovery guidance. CISA and CERT-FR have issued advisories urging credential resets and, where feasible, disabling SSL-VPN. The episode is a reminder that patching the initial vulnerability does not undo persistence an attacker established before the patch.
2025-04-11 16:32:07 bleepingcomputer CYBERCRIME Fortinet Users Warned of Ongoing VPN Device Compromise Attacks
Fortinet has issued alerts to users about ongoing compromises in FortiGate VPN devices due to a symlink post-exploitation technique. Hackers initially exploited older vulnerabilities to gain access, then left behind symbolic links that facilitated continued read-only access to the systems. Even after patching initial vulnerabilities, threat actors retained access through symbolic links created in the language files folder, which link to the root filesystem. Fortinet has advised customers to urgently upgrade their devices to the latest FortiOS versions to mitigate the risk and eliminate backdoors. Attacks leveraging this technique have been occurring since early 2023, affecting numerous devices, particularly in France as reported by CERT-FR. CERT-FR and Fortinet recommend isolating compromised devices, resetting all secrets, and inspecting for any lateral movements within networks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has called for reports of any related incidents to better understand and address the scope of the compromise.
2025-04-11 16:32:07 bleepingcomputer DATA BREACH Western Sydney University Hit by Multiple Security Breaches
Western Sydney University disclosed several security incidents affecting the personal data of its community. A breach of the university's single sign-on system exposed information on about 10,000 students, including demographic and academic details. In a separate incident, personal data was posted on the dark web; the extent and nature of that data are still under investigation. An earlier breach, in 2023, affected 7,500 individuals and compromised sensitive data such as government identity documents and bank details through unauthorized access to the university's Office 365 environment; the attackers had access to WSU's network for more than eight months and accessed 580 terabytes of data. The university says it has blocked the attackers and strengthened its defences, while investigations into the full impact continue. Vice-Chancellor George Williams has apologised, acknowledging the breaches' personal impact on students and staff.
2025-04-11 16:10:04 bleepingcomputer DATA BREACH FortiGate VPN Users Warned of Persistent Threat Access Post-Patch
Fortinet has warned FortiGate VPN device users about a symlink trick that lets threat actors keep read-only access even after the vulnerabilities they originally exploited are patched. The technique relies on symbolic links created during the initial intrusion of devices vulnerable to CVE-2022-42475, CVE-2023-27997 or CVE-2024-21762, and the access is exercised through the SSL-VPN web interface. FortiOS updates fixed those bugs but did not remove a link left in the language files folder, so it went unnoticed and continued to expose the device. CERT-FR disclosed a significant campaign using the technique across France, dating back to early 2023. Fortinet urges customers to upgrade to the latest FortiOS versions, which remove the persistent malicious files, and to review configurations for anomalies. Fortinet and CERT-FR also recommend isolating compromised devices and resetting all secrets.
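The three Fortinet items above describe one persistence trick: a symbolic link planted under a directory the SSL-VPN web server exposes, pointing at the root filesystem, so the web server hands out files it was never meant to serve. The script below is an added example, not Fortinet's tooling and not something you can run on FortiOS itself; it models the check on a constructed POSIX directory tree (the `webroot/lang` layout and the link names are assumptions) and flags every symlink under a served directory whose fully resolved target escapes that directory. The same scan applies to any appliance or web server whose filesystem you can inspect after a compromise.

```python
"""Flag symlinks under a served directory that resolve outside it.

Added example, not Fortinet code. The directory layout below is constructed
for the demonstration; on a real host point find_escaping_symlinks() at the
directory the web server exposes.
"""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(webroot):
    """Walk webroot without following links and return one record per symlink
    whose fully resolved target is not inside the resolved webroot."""
    root = Path(webroot).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath, name)
            if not link.is_symlink():
                continue
            target = link.resolve()        # follows the whole chain, relative or absolute
            try:
                target.relative_to(root)   # raises ValueError when target is outside root
            except ValueError:
                findings.append({
                    "link": str(link.relative_to(root)),
                    "raw_target": os.readlink(link),
                    "resolves_to": str(target),
                })
    return findings


def build_demo_tree():
    """Constructed tree: a web root with a language-files folder holding one
    benign link and two links that reach outside the web root."""
    base = Path(tempfile.mkdtemp(prefix="sslvpn-symlink-demo-"))
    webroot = base / "webroot"
    (webroot / "lang").mkdir(parents=True)
    (webroot / "static").mkdir()
    (webroot / "lang" / "en.json").write_text("{}")
    os.symlink("../static", webroot / "lang" / "theme")   # stays inside the web root: fine
    os.symlink("/", webroot / "lang" / "pwned")           # root filesystem: the FortiGate pattern
    os.symlink("../../..", webroot / "lang" / "up")       # climbs out with a relative path
    return webroot


def demo():
    """Return the sorted relative paths of the escaping links in the demo tree."""
    hits = find_escaping_symlinks(build_demo_tree())
    for h in hits:
        print(f"{h['link']} -> {h['raw_target']} (resolves to {h['resolves_to']})")
    return sorted(h["link"] for h in hits)


if __name__ == "__main__":
    demo()
```

The walk deliberately does not follow links, so a link to `/` does not turn into a scan of the whole machine, and the comparison is done on resolved paths so `../..` chains and links-to-links are caught. On a FortiGate you cannot run this; the fixed FortiOS builds remove the link and Fortinet's guidance covers the rest.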
2025-04-11 14:35:04 bleepingcomputer MISCELLANEOUS Microsoft Security Update Creates Essential 'inetpub' Folder
Microsoft's April 2025 security update creates a new "inetpub" folder on Windows systems as part of a security hardening. The folder is normally associated with Internet Information Services (IIS), yet it appeared on machines that have never had IIS installed. It is created empty, and Microsoft has warned against deleting it regardless of whether IIS is active on the device, because it is part of the change that adds the protection; removing it does not break day-to-day Windows operation. The folder is tied to the fix for CVE-2025-21204, an improper link resolution (link following) flaw in the Windows Update Stack, in which a privileged update component could be made to act on a path through a link an attacker planted. Microsoft has not explained in detail why pre-creating the empty folder is part of the fix.
2025-04-11 13:26:59 bleepingcomputer DATA BREACH US Lab Leak Exposes Data of 1.6 Million; Investigation Ongoing
Laboratory Services Cooperative (LSC), a Seattle-based nonprofit that provides lab testing for select Planned Parenthood centers, disclosed a data breach affecting 1.6 million people. The intrusion took place in October 2024; LSC detected suspicious activity on October 27, 2024 and brought in outside cybersecurity specialists to investigate. Exposed data may include personal, medical and billing information. LSC says it has found no evidence of the data appearing on dark web markets and continues to monitor. Affected individuals are offered free credit monitoring and medical identity protection, with coverage periods that vary by state law; enrollment closes on July 14, 2025, and a separate 'Minor Defense' service covers minors without an SSN or credit history. LSC has notified federal law enforcement, and the investigation continues. This is the second time in 2024 that Planned Parenthood patients have had data compromised, after an earlier incident involving the RansomHub ransomware gang.
2025-04-11 13:09:58 thehackernews NATION STATE ACTIVITY Paper Werewolf Targets Russian Sectors with Advanced Cyberattacks
Threat actor Paper Werewolf, also tracked as GOFFEE, has been targeting Russian organizations in the media, telecommunications, construction, government and energy sectors. The attacks use a new implant, PowerModul, for espionage and for disruptive actions such as changing employee account passwords. Intrusions begin with phishing emails carrying macro-laced documents that deploy PowerRAT, a PowerShell-based remote access trojan. PowerModul, a PowerShell backdoor in use since early 2024, can download and execute additional scripts, and the related PowerTaskel agent can escalate privileges using PsExec. Kaspersky reports that infection chains include malicious RAR archives containing executables disguised as PDF or Word documents, as well as Microsoft Office documents with dropper macros. Follow-on payloads include PowerTaskel and Mythic framework agents used for information theft and command-and-control. The group has been shifting from PowerTaskel toward a binary Mythic agent for lateral movement inside victim networks.
2025-04-11 12:29:14 bleepingcomputer RANSOMWARE Ransomware Attack Costs IKEA Operator $23 Million in Losses
Fourlis Group, operator of IKEA stores in Greece, Cyprus, Romania, and Bulgaria, suffered a ransomware attack resulting in estimated losses of €20 million ($22.8 million). The attack occurred just before Black Friday on November 27, 2024, impacting mainly IKEA's business operations including store replenishment and e-commerce. As disclosed on December 3, 2024, the technical issues with IKEA online shops were due to "malicious external action." The losses from interrupted sales operations were estimated at €15 million through December 2024 and an additional €5 million projected into 2025. CEO Dimitris Valachis reported that the company did not pay the ransom and restored systems with external cybersecurity assistance. Post-attack investigations revealed no evidence of data theft or leaks; however, data protection authorities were notified in compliance with legal requirements. Despite the attack, Fourlis Group successfully repelled several subsequent attempted cyber-attacks. Months after the incident, no ransomware group has claimed responsibility for the attack, possibly due to unsuccessful data exfiltration.
2025-04-11 10:35:38 thehackernews CYBERCRIME Evolving Trends in Cybercrime: Initial Access Brokers' Strategy Shift
Initial Access Brokers (IABs) specialize in gaining unauthorized entry into networks and selling that access to other cybercriminals, acting as a catalyst for broader crime, ransomware in particular. Their rise is tied to Ransomware-as-a-Service (RaaS): ready-made access lets ransomware affiliates skip straight to extortion. In 2024, IABs expanded beyond the business services sector that dominated their 2023 listings to a broader range of industries, with the USA, Brazil and France the primary targets. Pricing has shifted as well: the average access price rose slightly to $2,047, driven by a few high-priced sales, although the majority of accesses are listed under $1,000 to encourage volume. The market is moving from fewer high-value transactions to more frequent lower-value ones, which puts smaller organizations at heightened risk. IABs are also cooperating more directly with RaaS groups, making attacks more efficient and shortening the time from initial access to exploitation of the network. As IABs keep evolving and specializing, defenders need to adapt, in particular through better threat intelligence and employee security training.
2025-04-11 08:58:31 thehackernews CYBERCRIME Surge in Brute-Force Attacks on GlobalProtect Gateways Detected
Palo Alto Networks has confirmed a surge in brute-force login attempts against PAN-OS GlobalProtect gateways. The activity became noticeable around March 17, 2025 and peaked with 23,958 unique source IP addresses, which threat intelligence firm GreyNoise first reported as a spike in login scanning. Targeted systems are mostly in the US, UK, Ireland, Russia and Singapore. Palo Alto Networks says the activity does not indicate exploitation of a new vulnerability and is consistent with password guessing, so the exposure is weak or reused credentials rather than unpatched code. The company is monitoring the situation and evaluating mitigations. Customers are advised to keep PAN-OS current, enforce multi-factor authentication on GlobalProtect, and apply lockout and access policies that blunt brute-force attempts.
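Brute-force and spray activity against a VPN gateway is visible in authentication logs long before any login succeeds, and the GreyNoise figure that matters here is the number of distinct source IPs per gateway, not the volume from any one address. The detector below is an added example, not Palo Alto Networks or GreyNoise code; it runs over constructed log lines in a simplified one-event-per-line format (not the real PAN-OS GlobalProtect log schema) with assumed gateway names and thresholds, and raises one alert per gateway per 10-minute window for many-source failures, single-source brute force, and a success from a source that took part in a flagged pattern.

```python
"""Detect brute-force and spray patterns in VPN gateway auth logs.

Added example, not Palo Alto Networks or GreyNoise code. SAMPLE_LOG is
constructed in a simplified format, not the real PAN-OS GlobalProtect log
schema; gateway names, addresses and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: gp-gw1 sees six failures from six addresses in under a
# minute, then a success from one of them; gp-gw2 sees one address hammering
# "root" plus a legitimate user who mistypes once; a lone failure later on.
SAMPLE_LOG = """\
2025-03-17T10:00:01Z gw=gp-gw1 src=198.51.100.10 user=admin result=fail
2025-03-17T10:00:05Z gw=gp-gw1 src=198.51.100.11 user=admin result=fail
2025-03-17T10:00:09Z gw=gp-gw1 src=198.51.100.12 user=test result=fail
2025-03-17T10:00:12Z gw=gp-gw1 src=198.51.100.13 user=vpn result=fail
2025-03-17T10:00:20Z gw=gp-gw1 src=198.51.100.14 user=admin result=fail
2025-03-17T10:00:33Z gw=gp-gw1 src=198.51.100.15 user=bob result=fail
2025-03-17T10:01:02Z gw=gp-gw1 src=198.51.100.15 user=bob result=success
2025-03-17T10:02:00Z gw=gp-gw2 src=203.0.113.7 user=alice result=fail
2025-03-17T10:02:30Z gw=gp-gw2 src=203.0.113.7 user=alice result=success
2025-03-17T10:05:00Z gw=gp-gw2 src=203.0.113.50 user=root result=fail
2025-03-17T10:05:12Z gw=gp-gw2 src=203.0.113.50 user=root result=fail
2025-03-17T10:05:25Z gw=gp-gw2 src=203.0.113.50 user=root result=fail
2025-03-17T10:05:40Z gw=gp-gw2 src=203.0.113.50 user=root result=fail
2025-03-17T10:05:58Z gw=gp-gw2 src=203.0.113.50 user=root result=fail
2025-03-17T11:30:00Z gw=gp-gw1 src=203.0.113.9 user=carol result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) gw=(?P<gw>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>fail|success)$"
)

WINDOW_MINUTES = 10        # fixed buckets; a sliding window also catches bursts that straddle a boundary
MIN_DISTINCT_SRC = 5       # many sources against one gateway: the pattern GreyNoise reported
MIN_SINGLE_SRC_FAILS = 5   # one source hammering: classic brute force


def parse(text):
    """Turn log lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def bucket(ts):
    """Floor a timestamp to the start of its fixed window."""
    return ts.replace(second=0, microsecond=0) - timedelta(minutes=ts.minute % WINDOW_MINUTES)


def detect(events):
    """Group events per (gateway, window) and apply the three rules."""
    fails, successes = defaultdict(list), defaultdict(list)
    for e in events:
        key = (e["gw"], bucket(e["ts"]))
        (fails if e["result"] == "fail" else successes)[key].append(e)

    alerts = []
    for (gw, start), evs in sorted(fails.items()):
        per_src = defaultdict(int)
        for e in evs:
            per_src[e["src"]] += 1
        suspects = set()
        if len(per_src) >= MIN_DISTINCT_SRC:
            alerts.append({"gw": gw, "window": start, "rule": "distributed-login-attempts",
                           "distinct_src": len(per_src), "fails": len(evs)})
            suspects.update(per_src)
        for src, n in per_src.items():
            if n >= MIN_SINGLE_SRC_FAILS:
                alerts.append({"gw": gw, "window": start, "rule": "single-source-brute-force",
                               "src": src, "fails": n})
                suspects.add(src)
        # A success from a source that was part of a flagged pattern is the
        # event worth paging on: a guessed password, not just scanner noise.
        for s in successes.get((gw, start), []):
            if s["src"] in suspects:
                alerts.append({"gw": gw, "window": start, "rule": "success-after-failures",
                               "src": s["src"], "user": s["user"]})
    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(a)
```

On the sample this yields three alerts: the distributed burst on gp-gw1, bob's subsequent success from one of those addresses (the one to investigate first), and the single-source attack on gp-gw2. Alice's one failed attempt followed by a success is not flagged, because her address took part in no suspicious pattern.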
2025-04-11 08:43:30 theregister CYBERCRIME UK Faces Rising Ransomware Threats; Leadership Lags in Response
Ransomware attacks in the UK have doubled over the past year, affecting an estimated 1% of all organisations, according to the government's latest Cyber Security Breaches Survey. The share of businesses with a board member responsible for cybersecurity has fallen from 38% to 27% over four years, which weakens proactive defence. High-income charities and small businesses show diverging trends in readiness, and larger businesses experience cybercrime more often. Weak board involvement is cited as a leading problem, hurting decision-making and budget allocation. Phishing remains the most common attack, though its slight decline, mostly among smaller businesses, is credited with the lower overall breach figures. In all, 20% of businesses and 14% of charities reported cybercrime in the latest reporting year. The government stresses the need for stronger defences, citing continuing national risks and the need for robust strategies.
2025-04-11 08:22:33 thehackernews MALWARE Malware Targets Global Mobile Users via Deceptive Apps
Cybersecurity researchers report that threat actors are using newly registered domains to host fake sites mimicking legitimate app install pages such as the Google Play Store in order to distribute the Android malware SpyNote. SpyNote, also known as SpyMax, can harvest sensitive data from Android devices, access the camera and microphone, manipulate calls and execute commands remotely. The SpyNote and Gigabud campaigns share infrastructure traits and are potentially linked to the same Chinese-speaking threat actor, known as GoldFactory. Recent reports show a rise in mobile-focused social engineering, with millions of malicious and vulnerable app detections in 2024. Separately, Uyghur, Taiwanese and Tibetan communities are being targeted by the BadBazaar and MOONSHINE malware families, with BadBazaar campaigns traced back to 2018. These operations, attributed to groups such as APT15, deliver spyware disguised as utility or religious apps to conduct covert surveillance. Data extracted by these operations is managed through attacker-controlled platforms that display details of each compromised device for the operator's use. The use of these malware families by state actors highlights significant geopolitical cyber threats, especially against ethnic and political minorities worldwide.
2025-04-11 05:04:24 thehackernews CYBERCRIME High-Severity Authentication Bypass in OttoKit WordPress Plugin Exploited
A high-severity flaw in the OttoKit (formerly SureTriggers) WordPress plugin is being actively exploited. Tracked as CVE-2025-3102 with a CVSS score of 8.1, it is an authentication bypass affecting all versions up to and including 1.0.78; it is exploitable only on sites where the plugin is installed and activated but has not been configured with an API key, because the plugin's authorization check then compares against an empty secret. Exploitation lets an unauthenticated attacker create administrator accounts and so take full control of the site, opening the door to malware distribution or data theft. Observed attacks created administrator accounts with the seemingly random username "xtw1838783bc", which Patchstack says points to automated exploitation from two IP addresses. Version 1.0.79, released on April 3, 2025, fixes the bug. Site owners should update immediately, audit administrator accounts and check for unauthorized changes.
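After an authentication-bypass bug that creates administrator accounts, the first check is an audit of who holds the administrator capability and when each account was created. The script below is an added example, not Patchstack or OttoKit code; it builds an in-memory SQLite copy of the two WordPress tables involved with constructed rows (the `wp_` prefix, dates and e-mail addresses are assumptions) and runs the query a responder would run against the real database, listing administrators registered since the 1.0.79 release and flagging any whose login matches the reported `xtw…` shape.

```python
"""Audit WordPress administrator accounts after an auth-bypass incident.

Added example, not Patchstack or OttoKit code. The tables are a minimal copy
of wp_users / wp_usermeta populated with constructed rows; the 'wp_' prefix,
dates and e-mail addresses are assumptions.
"""
import re
import sqlite3

PATCH_RELEASED = "2025-04-03 00:00:00"           # OttoKit 1.0.79 release date, per the article
REPORTED_SHAPE = re.compile(r"^xtw[0-9a-f]+$")   # shape of the reported username xtw1838783bc

# WordPress stores roles as a PHP-serialised array in the '<prefix>capabilities'
# user-meta row, e.g. a:1:{s:13:"administrator";b:1;}. The prefix comes from
# wp-config.php and is trusted, which is why it is interpolated rather than bound.
AUDIT_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM {p}users AS u
JOIN {p}usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = '{p}capabilities'
  AND m.meta_value LIKE '%"administrator"%'
  AND u.user_registered >= ?
ORDER BY u.user_registered
"""


def audit_admins(conn, since=PATCH_RELEASED, prefix="wp_"):
    """Return administrators registered on or after 'since', each flagged if
    the login matches the username shape seen in the reported attacks."""
    rows = conn.execute(AUDIT_SQL.format(p=prefix), (since,)).fetchall()
    return [
        {"id": uid, "login": login, "email": email, "registered": reg,
         "matches_reported_shape": bool(REPORTED_SHAPE.match(login))}
        for uid, login, email, reg in rows
    ]


def build_demo_db():
    """Constructed database: a long-standing owner, an editor, and two admins
    that appeared after the patch date, one of them with the reported username."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES
          (1, 'siteowner',    'owner@example.org', '2023-01-10 09:00:00'),
          (2, 'jane',         'jane@example.org',  '2025-04-06 08:15:00'),
          (3, 'xtw1838783bc', 'x@example.net',     '2025-04-05 03:12:44'),
          (4, 'backup_admin', 'ops@example.org',   '2025-04-08 17:40:00');
        INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
          (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
          (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
          (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
          (4, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


if __name__ == "__main__":
    for row in audit_admins(build_demo_db()):
        print(row)
```

Against a live site the same query runs through `mysql` with the real prefix, or more simply `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered`. Treat every post-patch administrator as suspect until someone vouches for it, not only the one matching the reported name, and remember that anyone holding the administrator role can edit `user_registered`, so corroborate with web server access logs before relying on the date.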