Daily Brief

Total articles found: 11826
2025-04-07 17:56:27 bleepingcomputer NATION STATE ACTIVITY Google Patches Android Zero-Days Used by Serbian Authorities
Google has issued updates for 62 vulnerabilities in the April 2025 Android security patch, including two actively exploited zero-days. One zero-day, CVE-2024-53197, a privilege escalation flaw in the Linux USB-audio driver, was used by Serbian police to unlock devices with tools from Cellebrite. This exploit is part of a chain that includes other zero-days targeting USB Video Class and Human Interface Devices, revealed by Amnesty International. Another critical fix, CVE-2024-53150, addresses an out-of-bounds read in the Android Kernel that could expose sensitive data without user interaction. The security update includes fixes for 60 additional vulnerabilities, primarily severe elevation of privilege issues. Google ensures immediate update distribution to Pixel devices, with other manufacturers requiring more time for implementation. Previous incidents noted include the exploitation of another zero-day, CVE-2024-43047, by Serbian authorities using NoviSpy spyware against dissenters.
2025-04-07 17:19:28 bleepingcomputer MALWARE Malicious VSCode Extensions Install Cryptominers on Windows
Nine VSCode extensions in the Microsoft Visual Studio Code Marketplace are infected with a cryptominer, posing as legitimate development tools. The malicious extensions include hidden PowerShell scripts that install and operate the XMRig miner to mine Ethereum and Monero. These extensions have collected over 300,000 installs since their release on April 4, 2025, possibly due to artificially inflated popularity metrics. The PowerShell script disables critical Windows services, establishes persistence, escalates privileges, and evades detection using various techniques. The malware mimics system binaries and uses DLL hijacking for privilege escalation, and it maintains persistence through scheduled tasks and registry modifications. Infected users are advised to uninstall the deceptive extensions immediately and manually remove all traces of the miner and associated malware. BleepingComputer has reached out to Microsoft regarding the presence of these extensions in its marketplace and is awaiting an official response.
2025-04-07 15:59:25 bleepingcomputer DATA BREACH WK Kellogg Reports Data Breach Tied to Cleo Ransomware Attack
WK Kellogg Co disclosed a data breach affecting employee and vendor data, linked to an attack on Cleo software by the Clop ransomware gang. The breach exploited two zero-day vulnerabilities, tracked as CVE-2024-50623 and CVE-2024-55956, in Cleo’s managed file transfer utility. Unauthorized access was first noted on December 7, 2024, while WK Kellogg became aware of the potential breach on February 27, 2025. Stolen data includes sensitive information such as names and social security numbers of individuals connected to the company. The company provided affected parties with free one-year access to identity monitoring and fraud protection services via Kroll. WK Kellogg has worked with Cleo to strengthen security measures and prevent future incidents following the breach. This incident is part of a larger series of attacks by the Clop ransomware gang targeting organizations using Cleo’s file transfer software.
2025-04-07 15:37:42 bleepingcomputer MISCELLANEOUS Microsoft Blocks Windows 11 Update Due to Driver Issues
Microsoft has implemented a safeguard hold on the Windows 11 24H2 update for systems using SenseShield's sprotect.sys driver due to compatibility issues causing BSODs. Affected systems include those with any version of the sprotect.sys driver, which is used primarily in security software and enterprise solutions for encryption protection. SenseShield Technology is collaborating with Microsoft to resolve the issue, and further updates will be provided as they become available. IT administrators can identify affected endpoints by searching for safeguard ID 56318982 in Windows Update for Business reports. Users of Windows Home or Pro editions can check for upgrade holds via the Windows Update section in Settings. Microsoft advises against manually updating Windows 11 on affected PCs using the Installation Assistant or Media Creation Tool until the issue is resolved. Previously, compatibility holds were removed for certain users of AutoCAD, Asphalt 8: Airborne, and specific ASUS devices, demonstrating ongoing efforts to manage upgrade impacts.
2025-04-07 14:12:20 theregister MISCELLANEOUS Chrome Update Ends Decades-Old Web Privacy Flaw
Google's Chrome 136, set for release in 2025, will finally patch a historical browser privacy issue that has allowed websites to check whether visitors have been to other specific pages, based on the color of hyperlinks. The flaw revolves around CSS's :visited pseudo-class, which changes the color of visited links and has been exploitable through methods like window.getComputedStyle to detect web browsing history. Previous attempts to fix this privacy loophole were only partially successful, leading to various other methods being used to infer whether a link had been visited based on its color. The new solution partitions visited-link history so that the :visited status of a hyperlink can only be determined if the link URL, the top-level site, and the frame origin all match, which significantly reduces the risk of history leakage. This update comes years after significant privacy concerns were raised and is seen as a major development in enhancing user privacy and trust in web interactions. Researchers and developers have pursued various mitigations over the years, but this comprehensive fix addresses the root cause of the issue by reducing the ability of third parties to access and infer browser history.
2025-04-07 13:47:11 thehackernews MALWARE Global Cybersecurity Agencies Issue Warning on Fast Flux Techniques
Cybersecurity agencies from Australia, Canada, New Zealand, and the United States issued a joint advisory about the fast flux technique used by hackers to hide malicious servers. Fast flux is a method where DNS records are rapidly altered to mask the real locations of command-and-control (C2) networks and phishing infrastructure. Threat groups such as Gamaredon, CryptoChameleon, and Raspberry Robin have adopted fast flux to make their operations harder for law enforcement to detect and dismantle. The technique links many IP addresses to a single malicious domain and swaps them frequently, enhancing anonymity and defeating IP-based blocklists. First identified in 2007 by the Honeynet Project, fast flux can be 'single' or 'double,' with the latter also frequently changing the DNS name servers for added protection. Fast flux not only supports C2 communications but also aids in hosting phishing sites and distributing malware, posing a significant national security threat. Agencies recommend robust detection and mitigation strategies, including blocking IP addresses, sinkholing domains, and enhancing phishing training to combat fast flux threats.
2025-04-07 13:04:57 theregister NATION STATE ACTIVITY UK Tribunal Rules Against Secrecy in Apple Backdoor Dispute
The UK's Investigatory Powers Tribunal denied a government request to keep the details of Apple's "backdoor order" case confidential. The Home Office sought to keep the details secret, citing national security, while Apple opposed the Technical Capability Notice (TCN) issued under the Investigatory Powers Act 2016. The tribunal conducted a secret hearing on March 14, which was initially believed to concern whether the existence of the case itself could be made public. Legal professionals and privacy advocates argued the importance of public disclosure in maintaining the principles of open justice. The tribunal acknowledged the need to weigh national security against the public interest but decided that the basic facts of the case did not threaten national security enough to justify secrecy. Interested groups like Liberty and Privacy International, as well as global media and US lawmakers, pushed for transparency in the proceedings. The outcome may influence future cases involving government requests for technical capabilities from private tech companies.
2025-04-07 12:11:55 bleepingcomputer MISCELLANEOUS Protect Your Family From Ads with AdGuard's Lifetime Plan
AdGuard offers a Family Plan that eliminates all types of ads across various devices for up to nine family members. Available at a significant discount, the plan provides lifetime access to ad-blocking and privacy software. The software not only blocks ads but also secures devices from malware, phishing websites, and online trackers. Included are parental controls that allow filtering of inappropriate content and ensure safer internet usage for children. This exclusive deal with StackCommerce ends on April 27 at 11:59 p.m. PT, with prices subject to change. BleepingComputer.com benefits through commission for sales via the StackCommerce platform. Buyers must register an account with StackCommerce, where privacy policy details are accessible.
2025-04-07 11:28:12 thehackernews NATION STATE ACTIVITY UNC5221 Exploits Ivanti Flaw to Deploy Malware Suite
2025-04-07 11:01:19 thehackernews MISCELLANEOUS Why Vanity Metrics Fail in Effective Cybersecurity Management
Vanity metrics in cybersecurity are often misleading, focusing more on the volume of activities like patches applied rather than the effectiveness of these actions in reducing risk. Such metrics provide a false sense of security and progress in reports while critical vulnerabilities remain unaddressed. Real-world threats are evolving and becoming more sophisticated, exploiting the oversights that vanity metrics fail to capture. Moving to meaningful metrics involves a shift from simply tracking actions to assessing their real impact on security based on risk = likelihood × impact. Meaningful metrics provide a contextual, dynamic view of an organization's threat exposure, helping both security teams and business leaders make informed decisions. Continuous Threat Exposure Management (CTEM) frameworks are recommended to transition from static lists of vulnerabilities to prioritized, actionable insights. By focusing on metrics that matter, organizations can potentially reduce breaches significantly, with Gartner projecting a two-thirds reduction by 2026 through the adoption of CTEM. The shift from vanity to meaningful metrics not only informs better security strategies but also aligns cybersecurity measures more closely with business risks and realities.
2025-04-07 08:42:43 theregister MISCELLANEOUS Evaluating AWS Security Tools Versus Intruder Enhancements
Native AWS security tools like GuardDuty, Inspector, Config, and Security Hub offer foundational cloud security but have specific limitations. Amazon GuardDuty focuses on infrastructure threats but does not address application vulnerabilities or static misconfigurations. Amazon Inspector assesses EC2 and Lambda for vulnerabilities but lacks coverage for other services and external asset scanning. AWS Config tracks resource configurations and compliance but doesn’t provide risk ratings for effective prioritization. AWS Security Hub consolidates findings and manages alerts but relies on other services for data and does not generate its own findings. Intruder extends beyond AWS native tools by providing agentless cloud security scans, external vulnerability scanning, and detailed remediation insights. Intruder also offers risk ratings and security posture insights, which are not covered by AWS native tools. Intruder differs from AWS services in application vulnerability detection, agentless scanning, and providing a consolidated view of security posture and metrics.
2025-04-07 07:32:06 thehackernews CYBERCRIME PoisonSeed Campaign Uses CRM Hacks for Crypto Wallet Attacks
PoisonSeed is a malicious campaign exploiting compromised CRM tool credentials to distribute spam containing cryptocurrency seed phrases designed to hijack victims' digital wallets. Bulk email providers like Mailchimp, SendGrid, and HubSpot are among the systems compromised to send these phishing emails. Targets include not only individuals in the cryptocurrency sector but also external enterprise organizations. The phishing operation includes setting up fake CRM and email service pages to steal high-value targets' credentials, followed by API key creation for persistence. The ultimate goal of PoisonSeed is to convince recipients to set up new cryptocurrency wallets using the attacker-provided seed phrases, enabling the attackers to access and transfer funds. Links between this campaign and the known cybercrime groups Scattered Spider and CryptoChameleon have been identified, though PoisonSeed appears to use different phishing techniques. Some aspects of the attacks and associated phishing kits were previously uncovered by security researcher Troy Hunt.
2025-04-07 03:05:52 theregister MISCELLANEOUS Asian Tech Response to U.S. Tariffs: Delays and Negotiations
Asian nations and tech companies are adapting to new U.S. import tariffs and additional reciprocal tariffs, which are affecting global trade and manufacturing strategies. Taiwanese tech giant Foxconn, which manufactures for major brands like Apple and Dell, has indicated the need for careful financial monitoring due to these tariffs, despite expecting growth in its forthcoming reports. Vietnam is negotiating to potentially reduce a hefty 46% reciprocal tariff imposed by the U.S., which affects multiple tech companies with manufacturing bases in Vietnam, including Samsung and Intel. Nintendo has postponed pre-orders of its upcoming Switch 2 console to evaluate the tariffs' impact, signaling potential delays in product availability and launches. Qualcomm has expanded its technology portfolio by acquiring AI assets from Vietnamese conglomerate Vingroup, focusing on advancements in AI and machine learning. China accused the U.S. and Singapore of cyberattacks on the Asian Winter Games, claiming disruptions and attempts to steal sensitive information, though the motivation behind these alleged attacks remains unclear. India's national browser development competition faces controversy over alleged plagiarism of the open-source Brave browser, leading to an investigation by India's IT ministry. China has initiated a crackdown on toxic online behavior among sports fans, targeting insulting content and counterfeit merchandise sales, to foster a healthier online environment.
2025-04-07 00:25:37 theregister MISCELLANEOUS Journalist Mistakenly Added to Confidential Group Chat, and More Security News
US national security advisor Mike Waltz mistakenly saved journalist Jeffrey Goldberg's contact under another staffer's name, leading to Goldberg's unintended addition to a sensitive Signal chat discussing national security matters. The incident revealed the use of Signal by Trump administration officials to discuss sensitive government information, potentially violating record-keeping requirements. Google re-issued patches for previously misaddressed vulnerabilities in its Quick Share software, pointing to ongoing challenges in effective security patch management. Cisco alerted users about exploits targeting vulnerabilities in its Smart Licensing Utility, emphasizing the critical nature of software updates. The city of Baltimore suffered financial losses due to a sophisticated vendor impersonation scam, highlighting the ongoing risks of cyber fraud. Nivenly launched a bug bounty program for the Fediverse, incentivizing the identification and patching of security flaws in various open-source social media platforms. A critical vulnerability in the "WP Ultimate CSV Importer" WordPress plugin was identified and patched, underlining continued security issues in widely used software plugins.
2025-04-06 15:21:37 bleepingcomputer CYBERCRIME Surge in Phishing Scams Targeting Toll Payment Users
A significant resurgence in phishing scams impersonating toll payment authorities like E-ZPass is currently underway, with victims receiving fraudulent iMessage and SMS texts. These phishing texts are engineered to trick victims into providing sensitive information such as names, email addresses, physical addresses, and credit card details on fake websites. The scam messages employ a sense of urgency to compel immediate action, threatening additional fees or license suspensions if the tolls are not paid by a specified deadline. Despite protective measures like Apple's automatic disabling of links from unknown senders, scammers circumvent these by urging victims to reply to the texts, which makes the links clickable. The phishing websites involved are designed to look authentic and are tailored to display properly only on mobile devices, not desktops. Victims report receiving up to seven scam messages in a single day, illustrating both the aggressiveness and high volume of this phishing campaign. The use of phishing-as-a-service platforms like Lucid, combined with encrypted messaging technologies, suggests a sophisticated and coordinated effort to evade traditional anti-spam filters. To stay safe, individuals receiving suspicious messages are advised to verify any outstanding toll charges directly through their official toll authority websites and to report and block suspicious numbers.