Daily Brief
Total articles found: 12761
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-05-29 14:05:53 | bleepingcomputer | MISCELLANEOUS | Sprocket ASM Tool: Proactively Secure Your Digital Footprint | Threat landscapes are rapidly expanding, exposing new vulnerabilities that attackers are eager to exploit using sophisticated techniques such as Attack Surface Management (ASM). Sprocket Security's Attack Surface Management Tool focuses on understanding attacker behavior and provides capabilities for real-time asset mapping and change detection. Attackers use publicly available tools and automation to discover assets, highlighting the need for organizations to continuously monitor and protect their digital infrastructure. A case highlighted in the article is the mass exploitation of VMware ESXi servers, demonstrating the critical need for timely patching and proactive security measures. Sprocket Security emphasizes the importance of seeing an organization's digital infrastructure from an attacker's perspective to prevent breaches effectively. The article encourages integrating ASM tools into daily security workflows to improve visibility, proactive defense, and efficiency in testing and validation phases. Sprocket ASM provides free tools that offer continuous penetration testing, notifications on new discoveries, and the ability to track manually added assets that are not visible on the internet. |
| 2025-05-29 13:21:06 | thehackernews | MALWARE | New RAT Malware Uses Corrupted Headers to Evade Detection | Cybersecurity researchers identified a new remote access trojan (RAT) that uses corrupted DOS and PE headers to avoid detection on Windows systems. The malware was discovered by Fortinet's FortiGuard Incident Response Team after persisting undetected for several weeks on a compromised machine. Fortinet acquired memory dumps from the machine to analyze the malware, which concealed its operations within a dllhost.exe process. The malware decrypts C2 server information from memory and establishes communication over TLS, enhancing its stealth and persistence. Although the corrupted headers obstructed direct payload analysis, Fortinet successfully reconstructed the malware in a controlled environment after multiple attempts. The RAT can capture screenshots, manage system services, and handle incoming connections, effectively turning the infected host into a multipurpose remote-access platform. Its C2 communication and multi-threaded architecture support simultaneous operations and evolving attack strategies. |
| 2025-05-29 12:27:44 | theregister | CYBERCRIME | Billions of Stolen Cookies Pose Severe Privacy Risks Worldwide | Billions of stolen cookies are actively sold on the dark web and Telegram, with 7-9% still exploitable. Stolen cookies, often underestimated as a danger, can give cybercriminals access to sensitive personal and financial data without the need for passwords. The majority of these cookies carry ID data for user identification and ad targeting; only a minor portion contains critical information such as passwords. Cybercriminals use stolen session cookies to impersonate users, bypass multi-factor authentication, and potentially access corporate systems and data. Infostealer malware such as Redline, Vidar, and LummaC2, although targeted by law enforcement, facilitates the theft and sale of these cookies. NordVPN advises careful consideration before accepting website cookies and recommends regular updates and cleaning of browser data to mitigate risk. |
| 2025-05-29 11:33:40 | bleepingcomputer | CYBERCRIME | Victoria's Secret Website Down After Security Breach Incident | Victoria's Secret has temporarily shut down its website and certain in-store services due to a security incident. The fashion retailer operates around 1,380 stores globally and reported annual revenue of $6.23 billion for the fiscal year ending February 2025. Stores under the Victoria's Secret and PINK brands remain open as the company works to restore full operations. CEO Hillary Super told employees that recovery from the incident would be prolonged. Specific details regarding the nature of the cyberattack, such as whether it involved ransomware or whether a ransom was demanded, have not been confirmed. The incident at Victoria's Secret is part of a larger trend, following recent cybersecurity breaches at other major retailers such as Dior and Adidas. Recent attacks against UK retailers such as Harrods, Co-op, and Marks & Spencer have been linked to the DragonForce ransomware group, with indications that similar tactics are being used in the US. |
| 2025-05-29 10:35:50 | thehackernews | RANSOMWARE | DragonForce Ransomware Strikes Using MSP's Tool Exploits | DragonForce threat actors exploited security vulnerabilities in the SimpleHelp tool to deploy ransomware via a Managed Service Provider (MSP). Accessed data included device names, user information, and network configurations across multiple customer environments. Exploitation of three specific CVEs in SimpleHelp allowed unauthorized access, leading to data theft and ransomware attacks on various endpoints. Some MSP clients successfully blocked the attack, but others experienced significant impact, including double-extortion tactics. Recent developments position DragonForce as a prominent ransomware cartel amid frequent reshuffling within the cybercrime ecosystem. Cyberint suggests another group, Scattered Spider, may have facilitated initial access, highlighting the complex alliances in ransomware operations. The attacks have prompted a reevaluation of security strategies around AI-driven malware and remote access tools. Sophos identifies ongoing risks and recommends enhanced employee training and stricter remote access controls to mitigate similar threats. |
| 2025-05-29 09:27:19 | theregister | MISCELLANEOUS | EU Launches Strategy to Boost Local Tech Startup Ecosystem | The European Commission has introduced the EU Startup and Scaleup Strategy to transform Europe into a leading global hub for technology startups, supporting their development from inception to mature businesses. The strategy aims to reduce administrative burdens, facilitate financing through a proposed public-private fund of at least €10 billion, and improve cross-border operations within the Single Market. Key initiatives include the Scaleup Europe Fund to address financing gaps and the Lab to Unicorn program to boost university collaboration across Europe. The strategy seeks to attract and retain top talent by offering enhanced employee stock options and easing cross-border employment regulations. Measures include simplifying startup-related regulations across the EU to foster a more innovation-friendly environment. Progress will be monitored through the European Startup and Scaleup Scoreboard and annual surveys, benchmarking Europe against global counterparts. The move aligns with the broader Choose Europe initiative, with comprehensive updates on progress promised by 2027. Despite the current dominance of major US tech companies, the EU strategy represents a proactive step to nurture and retain homegrown tech enterprises and reduce reliance on American technology solutions. |
| 2025-05-29 08:32:18 | bleepingcomputer | DATA BREACH | LexisNexis Data Breach Exposes Personal Information of 364,000 | LexisNexis Risk Solutions reported a data breach affecting 364,000 individuals whose personal information was stolen. The breach originated from a compromised company account on GitHub and did not affect internal networks or systems. Stolen data includes names, contact details, Social Security numbers, and driver's licenses; financial data remained secure. The breach was discovered on April 1, 2025, but occurred on December 25, 2024. Affected individuals are advised to monitor their accounts for fraud and will receive two years of free identity protection. LexisNexis is a major global data broker with significant ties to Fortune 500 and Fortune 100 companies. |
| 2025-05-29 06:06:34 | thehackernews | NATION STATE ACTIVITY | APT41 Exploits Google Calendar in Sophisticated Malware Attacks | Chinese state-sponsored group APT41 used Google Calendar for malware command and control via malware named TOUGHPROGRESS. Google discovered the activity, which involved compromised government websites and the targeting of multiple government entities, in late October 2024. The campaign used spear-phishing emails linking to a ZIP archive containing decoy files and a malware-laden Windows shortcut disguised as a PDF. TOUGHPROGRESS employed evasion techniques including memory-only payloads and encrypted commands in Google Calendar events. The malware was programmed to interact with Google Calendar, storing harvested data and command results in calendar events to hide its activity. Google dismantled the malicious operation by taking down the Google Calendar involved and terminating the related Workspace projects. The incident is part of a wider pattern, with APT41 previously found using Google services in attacks on industries and governments worldwide. |
| 2025-05-29 05:41:34 | thehackernews | MALWARE | Critical Security Flaw in WordPress Plugin Endangers 100,000 Sites | Over 100,000 WordPress sites are at risk due to a severe vulnerability in the TI WooCommerce Wishlist plugin. The flaw, rated CVSS 10.0, allows unauthenticated attackers to upload arbitrary files. All versions up to and including 2.9.2 of the plugin are affected; no patch is available as of the last update. The vulnerability stems from improper file type validation in the plugin's file upload function. Attack scenarios could allow malicious actors to achieve remote code execution through uploaded files. The issue is exacerbated when the WC Fields Factory plugin is installed, activated, and integrated. Plugin users are advised to deactivate and remove the TI WooCommerce Wishlist plugin to mitigate the risk. |
| 2025-05-29 00:35:18 | theregister | CYBERCRIME | Victoria's Secret Website Down After Security Incident | Victoria's Secret's website has been offline for three days due to a security issue, affecting both online and some in-store services. The company has enlisted third-party experts and initiated response protocols to address the incident while securing its systems. Despite the online disruption, over 800 physical stores remain open, indicating isolated impact on specific operational systems. The importance of the online platform is underscored by its substantial revenue, accounting for about one-third of the company's total. The website outage has led to a nearly 7% drop in the stock price as investors react to the outage and its potential financial implications. Specific details about the nature of the incident, such as whether it involves ransomware, remain unspecified as the company declines to comment on investigative details. The timing of the attack coincides with US Memorial Day, exploiting the reduced staffing levels typical of public holidays. Recent similar cyberattacks have targeted major UK retailers, underscoring an ongoing threat wave against the retail sector globally. |
| 2025-05-29 00:24:04 | theregister | CYBERCRIME | Adversarial AI Emerges as a Major Risk in Financial Sector | 75% of financial institutions currently use AI, with a further 10% planning to adopt it within the next three years, according to a survey by the Bank of England and the Financial Conduct Authority. A profound gap in understanding AI technologies exists, with only about a third of institutions confident in their AI knowledge. Adversarial AI poses significant threats by manipulating algorithms or data, benefiting attackers through distorted market forecasts or unnoticed fraudulent transactions. Traditional cybersecurity measures such as firewalls and malware detection are insufficient against adversarial AI tactics such as data poisoning and model contamination. Financial companies and regulators need to adapt to these emerging threats by expanding compliance requirements to include adversarial AI risks and adopting a more flexible approach to security risk management. Training and awareness are crucial; financial entities must develop a strong training regime to both leverage AI benefits and effectively mitigate adversarial risks. QA's role extends to educating and lobbying for regulatory updates that incorporate best practices for tackling adversarial AI issues in the financial sector. |
| 2025-05-28 22:05:41 | bleepingcomputer | MALWARE | Chinese APT41 Uses Google Calendar for Stealth Malware Attacks | Chinese hacking group APT41 employs new malware, 'ToughProgress', which uses Google Calendar for command-and-control communications to disguise its activity. Google's Threat Intelligence Group uncovered and dismantled the attacker's infrastructure on Google Calendar and Workspace and implemented safeguards against future misuse. The initial stage of the attack is a malicious email containing a link to a ZIP file hosted on a compromised government website; the archive appears to contain ordinary files but actually houses malicious payloads. The malware uses Windows LNK files masquerading as a PDF document and image files to hide and launch encrypted payloads entirely in memory, minimizing detection by conventional security tools. Google identified and terminated all accounts and events associated with the misuse and updated its Safe Browsing blocklist to protect users from these threats. Organizations reported as targets or potentially affected by APT41's campaign were notified directly by Google, in collaboration with Mandiant, and supported with malware samples and traffic logs to aid in mitigating the attack. |
| 2025-05-28 20:06:55 | bleepingcomputer | MALWARE | PumaBot Targets IoT Devices, Brute-Forces SSH Credentials | A new Go-based Linux botnet, PumaBot, has been discovered specifically targeting IoT devices by brute-forcing SSH credentials. PumaBot receives a list of target IPs from its command-and-control server and then brute-forces port 22 to gain SSH access. The malware specifically looks for the "Pumatronix" string during its operations, indicating a likely focus on surveillance and traffic camera systems. Once access is gained, PumaBot verifies that the device is a genuine target, establishes persistence by installing a systemd service, and manipulates 'authorized_keys' to maintain access. The botnet can steal data, deploy additional malware, and execute commands from the control server, including exfiltration of locally stored SSH credentials. Recommended security countermeasures include upgrading IoT firmware, changing default credentials, using firewalls, and segregating IoT networks from critical systems. The extent of PumaBot's spread and its success rate are currently unreported, though its targeted approach suggests the potential for significant impact on infected networks. |
| 2025-05-28 18:41:02 | theregister | DATA BREACH | LexisNexis Risk Solutions Suffers Data Theft Affecting Over 360,000 | LexisNexis Risk Solutions experienced a cyberattack in which data on 364,333 individuals was stolen via a third-party software development platform on December 25, 2024. The intrusion was discovered on April 1, 2025; the company confirmed that its own networks and systems were not directly impacted. The breach involved unauthorized access to software artifacts and personal information; sensitive personal data such as financial and credit card details remained secure. LexisNexis has begun notifying approximately 360,000 affected individuals and has communicated with regulators and law enforcement. The company's response included an extensive investigation with cybersecurity experts, enhancements to security controls, and an in-depth review of the affected data. Affected parties are advised to monitor for fraud and are offered 24 months of free credit monitoring and identity protection services from Experian. The LexisNexis breach is among several recent high-profile data incidents, including those at Adidas and Coinbase. |
| 2025-05-28 18:15:00 | bleepingcomputer | CYBERCRIME | Interlock Ransomware Gang Targets Universities with NodeSnake RAT | The Interlock ransomware gang has introduced a new remote access trojan, NodeSnake, aimed at infiltrating educational institutions. Researchers at QuorumCyber identified NodeSnake in at least two incidents involving UK universities in early 2025, with evidence of ongoing development to extend its functionality. Initial infection vectors include phishing emails with malicious attachments or links that lead to deployment of the NodeSnake RAT. NodeSnake uses evasion techniques such as heavy code obfuscation, XOR encryption, and PowerShell or CMD scripts that mimic legitimate software updates. Once installed, NodeSnake gathers critical system information and can perform additional malicious actions, including terminating processes and loading further malware. The trojan changes its command-and-control communication dynamically, complicating detection and mitigation. QuorumCyber's report details the indicators of compromise for NodeSnake, providing essential information for early detection and prevention of further attacks by the Interlock group. The discovery underscores Interlock's strategic shift toward sustained, stealthy operations within target networks, particularly in the education sector. |