Daily Brief


Total articles found: 11828


2025-03-27 13:26:04 theregister CYBERCRIME CrushFTP CEO Clashes With CNA Over Vulnerability Reporting
CrushFTP CEO Ben Spink expressed dissatisfaction with VulnCheck's assignment of an unofficial CVE ID for a critical vulnerability in CrushFTP's software. Spink asserts that the VulnCheck-assigned CVE is a duplicate and that VulnCheck lacks detailed knowledge of the vulnerability. CrushFTP had previously informed customers of the vulnerability and urged an immediate update to newer software versions. The disclosed vulnerability provides unauthenticated access via specially crafted HTTP requests, making it particularly severe. CrushFTP's communication and the details provided to customers reportedly contain inconsistencies regarding the affected versions. Rapid7 highlighted past incidents where CrushFTP did not issue a CVE for a critical vulnerability that was exploited as a zero-day. The CEO's assertive demand that VulnCheck retract its CVE suggests a tense relationship between vendor and CNA, with potential impacts on CrushFTP's reputation and customer trust.
2025-03-27 12:33:47 thehackernews NATION STATE ACTIVITY APT36 Uses Fake India Post Site to Deploy Malware on Devices
APT36, linked to Pakistan, created a counterfeit India Post website to distribute malware targeting Windows and Android users in India. The cybersecurity firm CYFIRMA attributed this malicious campaign to APT36 with medium confidence, identifying the group by its alternate name, Transparent Tribe. When accessed from a Windows system, the fraudulent site prompts users to download a PDF that instructs them to execute a PowerShell script, potentially compromising the system. Android users are tricked into downloading a malicious app that requests extensive permissions to access and exfiltrate sensitive data, like contact lists and location. The Android malware changes its icon to resemble a Google Accounts icon to evade detection and prevent easy uninstallation. The malicious PDF and app are designed to persist in their actions, including evading battery optimization and restarting after rebooting the device. The domain used for the fake site was registered in November 2024, and the PowerShell script connects to an inactive server, indicating ongoing or future malicious activities. The tactic, dubbed "ClickFix," used in the campaign is noted for its increasing prevalence among cybercriminals, targeting both less tech-savvy and knowledgeable users.
2025-03-27 12:03:39 bleepingcomputer CYBERCRIME Major Vulnerabilities in Solar Inverters Pose Grid Security Risks
Dozens of vulnerabilities were discovered in solar inverters from Sungrow, Growatt, and SMA, which could potentially allow attackers to manipulate or disrupt power grids. The vulnerabilities allow for remote code execution, device takeover, information disclosure, and even physical damage to the grid infrastructure. The most severe implications include unauthorized control over power generation levels, destabilizing the balance of power supply and demand. Attackers could exploit these flaws to perform broad-scale operations, potentially using hijacked inverters as a coordinated botnet to maximize disruption during peak hours. While Sungrow and SMA have patched the reported vulnerabilities, the potential for a similar type of exploit remains a significant threat to grid security. This analysis underscores the importance of robust cybersecurity measures in the energy sector, particularly as grid technologies become more integrated and reliant on internet connectivity.
2025-03-27 11:29:18 thehackernews MISCELLANEOUS New Paradigm in SaaS Security: Beyond Traditional CASB Solutions
SaaS applications are critical in modern enterprises, but present unique security challenges. Traditional CASB solutions are inadequate for covering both sanctioned and unsanctioned SaaS apps across various devices. CASBs typically utilize Forward Proxy, Reverse Proxy, and API Scanner but lack real-time, granular visibility and active blocking capabilities. A significant security gap exists with "shadow" SaaS—applications used without IT's knowledge or approval. The report introduces a browser-based security approach, proposing the browser as a more effective control point for SaaS security. This new approach provides full visibility and real-time protection by integrating risk analysis directly into the browser, enabling instant protective actions. Moving to browser-based security could potentially offer a more robust defense against SaaS-related security risks.
2025-03-27 10:37:29 theregister MISCELLANEOUS UK Implements First Permanent Facial Recognition Cameras in Croydon
The UK's Metropolitan Police has installed its first permanent live facial recognition (LFR) cameras in Croydon, South London. These cameras will operate in the city center's high traffic areas, particularly along North End and London Road. Activation of these cameras is contingent on police presence in the vicinity, enabling immediate action if a suspect is identified. This initiative follows a two-year pilot involving mobile police vans equipped with LFR technology, which led to numerous arrests. Privacy advocates express significant concerns, fearing an expansion of the surveillance state and potential misuse without sufficient legislative oversight. The Metropolitan Police maintains a watchlist of 16,000 individuals, which includes not only suspects but also vulnerable persons and crime victims. Critics, including privacy groups and some public officials, argue the necessity of clear legal frameworks to govern the use of such technology to prevent rights infringements. Supporters, including local politicians, argue that fixed LFR cameras will enhance public safety by efficiently identifying and capturing criminals.
2025-03-27 10:05:08 thehackernews MALWARE Key Microsoft Office Malware Exploits to Watch in 2025
Malicious Microsoft Office documents continue to be a prevalent attack vector for hackers targeting businesses in 2025, using techniques such as phishing and zero-click exploits. Phishing attacks via Office files commonly involve misleading recipients with fake invoices or reports, which redirect users to fraudulent login pages to steal credentials. The CVE-2017-11882 vulnerability, discovered in 2017 but still exploited, allows attackers to execute malware by simply opening an infected Word document, even when macros are disabled. The Follina exploit (CVE-2022-30190) remains effective, requiring no user interaction beyond viewing an Office document to execute remote code via embedded URLs. Cybercriminals often use multi-stage attacks, combining exploits like Follina with other techniques, increasing the potential damage from a single compromised Office file. Persistent use of outdated Microsoft Office versions exposes organizations to risks, as they lack the security patches that address known vulnerabilities. The inclusion of ANY.RUN’s new Android OS support highlights a growing need for mobile security analysis to combat the rising threat from malicious mobile apps and files.
2025-03-27 09:35:44 theregister DATA BREACH NHS Software Supplier Penalized £3M After Ransomware Data Theft
A ransomware attack on Advanced Computer Software Group led to the theft of sensitive data, including information on access to the homes of vulnerable NHS care recipients. The UK's Information Commissioner's Office (ICO) fined the company £3.07 million, reduced from an initial £6.09 million based on the company's cooperation. The attack, caused by gaps in multi-factor authentication and inadequate cybersecurity practices, significantly impacted NHS operations, forcing some services to revert to pen and paper. The LockBit ransomware gang, a Russian-speaking group, was responsible for the breach, which occurred in August 2022 through a compromised customer account. Among the stolen data were personal details of 79,404 individuals, including 890 vulnerable patients receiving in-home care. The ICO stressed that Advanced's failure to implement robust security measures led to significant risks to sensitive personal information. The fine is one of the largest issued by the ICO in the past two years, underlining the severity and impact of the breach. The ICO underscores the increasing necessity for organizations to ensure comprehensive cybersecurity measures, including multi-factor authentication across all external connections.
2025-03-27 08:18:32 thehackernews MALWARE Massive Campaign Uses Malicious JavaScript to Promote Gambling
Around 150,000 websites have been compromised via malicious JavaScript to promote Chinese gambling platforms. The campaign leverages iframe injections to overlay full-screen gambling ads over legitimate site content. The JavaScript responsible for these actions is hosted on multiple domains, leading to the redirection of unsuspecting visitors. This malvertising technique has been adapted and intensified with new obfuscation layers, posing a continuous threat. The operation has also mimicked legitimate betting sites, using official logos to further deceive users. Security experts highlight the rise in such client-side attacks, which adapt rapidly to enhance reach and effectiveness. The incidents share similarities with another malware operation that has infected over 20,000 global sites since 2016, primarily targeting WordPress websites. Both campaigns showcase significant impacts on website functionality and visitor experience, driving illicit profits through traffic manipulation and scams.
2025-03-27 06:29:44 thehackernews CYBERCRIME CISA Updates Known Exploited Vulnerabilities Catalog with Sitecore Flaws
CISA has flagged two six-year-old vulnerabilities in Sitecore CMS and Experience Platform as actively exploited. The vulnerabilities, identified as CVE-2019-9874 and CVE-2019-9875, carry a patching deadline of April 16, 2025 for federal agencies. Sitecore acknowledged active exploitation of CVE-2019-9874 but did not confirm exploitation of CVE-2019-9875. Concurrently, Akamai detected initial exploitation attempts targeting a severe flaw in the Next.js web framework, identified as CVE-2025-29927. The Next.js vulnerability allows attackers to bypass middleware-based security controls through spoofed headers, potentially accessing sensitive resources. The exploitation technique involves multiple simulated internal subrequests, leveraging Next.js's internal redirect logic. Additionally, GreyNoise has observed increased in-the-wild exploitation efforts against several known vulnerabilities in DrayTek devices across multiple countries.
2025-03-27 06:08:54 thehackernews CYBERCRIME Critical Security Flaw in NetApp SnapCenter Allows Admin Access
A critical vulnerability was found in NetApp SnapCenter, potentially enabling privilege escalation. The flaw, identified as CVE-2025-26512, has a high severity rating with a CVSS score of 9.9. SnapCenter versions up to 6.0.1P1 and 6.1P1 are affected, impacting data management across various platforms. Users authenticated on the SnapCenter Server could escalate privileges to admin on systems with SnapCenter plug-ins. No workarounds are available; updating to fixed versions 6.0.1P1 or 6.1P1 is essential. Although no in-the-wild exploitation has been reported, organizations are urged to install updates immediately to mitigate risks.
2025-03-27 00:04:06 bleepingcomputer RANSOMWARE UK Software Provider Fined £3.07M for NHS Data Ransomware Breach
The UK Information Commissioner's Office (ICO) fined Advanced Computer Software Group Ltd £3.07 million for a ransomware attack in 2022 that compromised sensitive NHS patient data. The incident impacted 79,404 individuals and led to significant outages in NHS services, including the 111 emergency line. The attack was traced back to the LockBit ransomware group which used compromised credentials to infiltrate via a remote desktop session. Advanced failed to implement sufficient security measures like comprehensive vulnerability scanning, robust patch management, and universal multi-factor authentication. The fine marks the first instance in the UK where a data processor, rather than a data controller, has been penalized in such a manner. Although initially considered to be around £6.09 million, the fine was ultimately set at £3.07 million after further deliberation. Past ICO fines have targeted data controllers, with high-profile cases involving British Airways and Marriott for their respective data breaches.
2025-03-26 21:24:55 theregister NATION STATE ACTIVITY Journalist Exposes Classified US Airstrike Plans in Signal Leak
The Atlantic's editor-in-chief, Jeffrey Goldberg, released messages from a private Signal group including high-ranking US officials discussing classified military actions against Houthi insurgents in Yemen. Initially added by mistake by National Security Advisor Michael Waltz, Goldberg observed plans for the timing of F-18 airstrikes and drone launches. Despite claims by officials that the discussed content was not sensitive, the leaked chats clearly detailed specific military operations. High officials like the VP, Defense Secretary, and others were involved in these chats, discussing operational details including the exact times of strikes. The White House tried to downplay the incident; however, Goldberg released the messages publicly after this attempt. Goldberg withheld one message to protect the identity of a CIA operative named in the discussions. This incident raises serious questions about operational security and information handling within the US government.
2025-03-26 20:27:00 bleepingcomputer DATA BREACH Oracle Cloud Denies Breach Despite Confirmed Data Theft
Oracle denies a breach of its Cloud services despite evidence presented by BleepingComputer and confirmation from affected companies. A threat actor identified as ‘rose87168’ allegedly breached Oracle Cloud, claiming to have access to data of 6 million users including SSO and LDAP passwords. The threat actor shared data samples and an Archive.org URL proving potential unauthorized file creation on Oracle's server. Multiple company representatives anonymously confirmed the authenticity of their data present in the samples shared by the threat actor. Leaked data includes LDAP display names, email addresses, given names, and more. The cybersecurity firm Cloudsek discovered a URL on Archive.org indicating a vulnerability in Oracle Fusion Middleware 11g, which was allegedly exploited in the breach. Oracle has taken the affected server offline after the alleged breach was reported and continues to deny any data loss or breach occurrence.
2025-03-26 20:09:21 theregister CYBERCRIME Defense Contractor Settles for $4.6M Over Cybersecurity Failures
MORSE Corp, a Massachusetts-based defense contractor, will pay $4.6 million in a settlement for failing to meet cybersecurity standards on military contracts. The cybersecurity lapses were highlighted in a whistleblower lawsuit under the False Claims Act by the company's former head of security. Violations included failing to ensure cloud security compliance, incorrect incident reporting, and inadequate malware handling by a third-party email provider. Between 2018 and early 2021, MORSE did not have comprehensive written security plans, despite the contractual necessity to document system boundaries and configurations. MORSE significantly misrepresented its cybersecurity posture, reporting a near-perfect score in early 2021 while actual assessments later showed only 22 percent compliance with required controls. The discrepancies and delayed reporting of score adjustments emerged after a federal subpoena raised further security concerns. A portion of the settlement, $851,000, will be awarded to the whistleblower for exposing the company's non-compliance and risking government data security.
2025-03-26 18:49:14 bleepingcomputer DATA BREACH StreamElements Experiences Data Leak Via Third-Party Provider
StreamElements confirmed a data breach at a third-party service provider, impacting user data but not their own servers. The breach exposed older data including full names, addresses, phone numbers, and emails of StreamElements customers. A hacker using the nickname "victim" leaked samples of the data on a hacking forum, claiming data theft from 210,000 StreamElements customers from 2020 to 2024. Twitch-focused journalist Zach Bussey verified the data's authenticity by requesting his personal details from the hacker. The threat actor alleged that they gained access through an information-stealing malware and breached a StreamElements internal account. Users of StreamElements are urged to be vigilant against potential phishing and scamming attempts following the breach. StreamElements has initiated contact with affected customers, though official data breach notifications are yet to be issued. The company is currently conducting an investigation into the incident, with the responsible hacker's forum post now deleted.