Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-03-25 12:33:16 | theregister | CYBERCRIME | Troy Hunt's Mailchimp Account Compromised in Phishing Attack | Infosec expert Troy Hunt's Mailchimp mailing list was phished, exposing roughly 16,000 records, including both current subscribers and people who had unsubscribed. Hunt fell victim to a convincing phishing email disguised as an urgent notice to review his Mailchimp campaigns because of a spam complaint. The mailing list was exported within two minutes of Hunt entering his credentials and a one-time passcode, indicating an automated attack process. Hunt criticizes Mailchimp's lack of phishing-resistant two-factor authentication options, noting that a one-time passcode alone provided little protection against this type of automated phishing. The phishing domain and page used in the attack were taken down by Cloudflare shortly after the incident. Hunt plans to investigate why Mailchimp retained the data of unsubscribed users and stressed the importance of verifying web domains as a phishing defence. The incident occurred while Hunt was in London discussing strategies for promoting phishing-resistant authentication with government partners. |
| 2025-03-25 11:58:43 | thehackernews | NATION STATE ACTIVITY | Chinese State Hackers Covertly Compromise Major Asian Telecom | Chinese state-sponsored hackers infiltrated a major Asian telecom and remained undetected for over four years. The cyber espionage group, named Weaver Ant by Sygnia, relied on web shells and tunneling techniques to maintain persistent access. The attackers exploited a public-facing application to deploy the China Chopper web shell and a novel web shell, INMemory, for espionage. INMemory executes code entirely in memory, leaving little on disk for forensic analysis. The attackers used encoded web shells and an HTTP tunneling tool for lateral movement and post-exploitation activity inside the target network. The campaign showed characteristics typical of Chinese-nexus operations, including shared tools and infrastructure, with activity generally occurring during Chinese working hours. The disclosure followed accusations by China that Taiwanese military personnel had conducted espionage against the mainland. |
| 2025-03-25 11:00:03 | thehackernews | MISCELLANEOUS | AI Transforming SaaS Security in Complex Environments | Organizations now use an average of 112 SaaS applications, making it harder to manage the connections between them and to understand the resulting security risks. Traditional security methods are inadequate for the scale and complexity of modern SaaS environments, leaving gaps that can lead to breaches. AI-driven security solutions, such as AskOmni by AppOmni, are presented as essential, using generative AI and analytics to deliver instant insights and actionable security measures. These AI tools help investigate security events efficiently, visualize risks, and provide multilingual support to improve global accessibility and response times. Data quality drives AI effectiveness, so high-quality, unbiased data is crucial for accurate security analysis and threat detection in SaaS environments. AI's ability to automate threat research and incident reporting is significantly improving workflow efficiency for cybersecurity professionals. A real-world deployment in a global enterprise showed AI quickly identifying and remediating complex SaaS security risks that would have been hard to address without such tools. The future of SaaS security is increasingly reliant on AI to stay ahead of threats and protect organizational data. |
| 2025-03-25 09:16:06 | thehackernews | MALWARE | Malware Disguised as Apps in India and China Targets User Data | Cybersecurity researchers have identified a new Android malware campaign that abuses the .NET MAUI framework to build fake banking and social media apps aimed at Indian and Chinese users. The malicious apps mimic legitimate applications to trick users into handing over sensitive personal and financial information. Unlike traditional Android applications, the malware's functionality is written in C# and embedded as blob binaries, which helps it evade detection by hiding from typical file-based analysis. The malware uses encrypted communications and multi-stage dynamic loading with XOR and AES encryption to execute its payload discreetly. The fake apps are not distributed through Google Play but via fraudulent links in messages that lead to unofficial app stores. One example poses as an app from an Indian bank and collects extensive personal data; another mimics a popular Chinese social media platform to steal contacts and media. The malware requests unnecessary permissions and uses evasion tactics designed to undermine analysis tools, making detection difficult. The campaign highlights the growing sophistication of the development platforms and tactics used by cybercriminals. |
| 2025-03-25 08:41:07 | theregister | DATA BREACH | Study Reveals Privacy Risks in Generative AI Browser Extensions | Researchers analyzed the privacy practices of ten AI browser extensions and found significant data privacy concerns. The extensions often transmit sensitive data, such as webpage content and user details, to remote servers for processing. Some extensions violated their own privacy commitments by collecting and sharing protected health and student data, potentially breaching US regulations such as HIPAA and FERPA. The study found that 90% of the AI extensions relied on server-side APIs, exposing user data to third-party trackers and misuse. Extensions such as Perplexity were deemed privacy-friendly, while Harpa, MaxAI, and Merlin were among the least secure. The researchers urge extension developers to strengthen privacy features and policymakers to adopt regulations that require privacy by design in AI technologies. Harpa AI responded to the findings by noting that while it does not collect user data, the LLM providers it works with might, depending on user settings and interactions. |
| 2025-03-25 07:34:50 | theregister | MALWARE | New VanHelsing Ransomware Targets Windows Systems Globally | VanHelsing ransomware, a new Ransomware-as-a-Service (RaaS) operation, has so far hit only Microsoft Windows despite claiming cross-platform capabilities. Since its launch on March 7, the malware has infected three organizations, each facing a ransom demand of $500,000. The ransomware appears to be a new creation rather than a rebrand of existing malware, and requires a $5,000 deposit from new affiliates. Affiliates receive 80% of ransom payments, giving them an incentive to spread the malware through tactics such as deceptive emails and downloads. Check Point researchers found only Windows systems affected thus far, but noted incomplete features and rapid updates in the ransomware's development. The affiliate program includes a user-friendly control panel, lowering the barrier to entry for would-be cybercriminals. A strict rule within the VanHelsing community prohibits targeting Russia or any nation within the Commonwealth of Independent States, suggesting possible tacit state tolerance or cooperation. |
| 2025-03-25 06:44:24 | theregister | MALWARE | DrayTek Routers Face Continuous Reboot Issue Due to Exploits | DrayTek router users experienced widespread issues with devices entering a continuous reboot cycle, with UK customers particularly affected. The disruptions started suddenly over the weekend and were linked by ISPs and users to suspected firmware vulnerabilities. DrayTek recommended disconnecting affected routers from the internet and updating the firmware, using alternative methods such as TFTP if standard updates failed. The manufacturer also suggested disabling remote access and applying additional protections such as access control lists and two-factor authentication until routers are fully patched. ISPs including Gamma, Zen, ICUK, and A&A attributed the problem to DrayTek equipment, with some pointing to recently disclosed security flaws that may have been exploited. DrayTek had previously issued patches for critical vulnerabilities, including a "10-out-of-10" severity issue, possibly connected to the exploitation attempts. There were indications that even after updating to the latest firmware, some routers still had to be reverted to older versions to stop the reboots. The incident follows earlier warnings from the Five Eyes alliance about Chinese operations using malware-infected devices, including DrayTek routers, to build botnets. |
| 2025-03-25 06:38:49 | thehackernews | CYBERCRIME | INTERPOL's Operation Red Card Nets 306 Suspects in Massive Cybercrime Crackdown | Law enforcement in seven African countries, coordinated by INTERPOL, arrested 306 individuals and seized 1,842 electronic devices under Operation Red Card. The operation targeted mobile banking fraud, investment scams, and compromised messaging apps, with over 5,000 victims affected. Key arrests included 130 people in Nigeria for online casino and investment scams, several of them foreign nationals involved in human trafficking. South African officials apprehended 40 suspects and confiscated over 1,000 SIM cards used in large-scale SMS phishing schemes. In Zambia, 14 members of a syndicate were caught hacking phones and installing malware to access banking apps and messaging platforms. Rwandan authorities arrested 45 individuals for social engineering scams in which they posed as telecom employees or injured family members to deceive victims. Over $103,000 of the defrauded money and 292 devices were recovered in Rwanda. The operation's success highlights the importance of international collaboration in combating complex, cross-border cybercrime. |
| 2025-03-25 03:18:14 | theregister | MALWARE | Critical Kubernetes Flaw Risks Total Cluster Takeover | Wiz researchers identified significant vulnerabilities in the Ingress-Nginx controller for Kubernetes, affecting over 6,500 publicly exposed deployments. The flaw in the admission controller allows remote injection of arbitrary Nginx configuration, which can lead to remote code execution (RCE). When exploited on an exposed cluster, it lets attackers read all cluster secrets and gain complete control, escalating into a network-wide threat. The vulnerabilities, collectively known as IngressNightmare, comprise five CVEs with CVSS severity ratings as high as 9.8/10. Fixes for affected Ingress-Nginx controller versions were released in March, following responsible disclosure by Wiz in late 2024 and early 2025. Wiz advises upgrading immediately where possible, or otherwise enforcing strict network policies and temporarily disabling the vulnerable components to reduce risk. Despite the available fixes, the risk remains high because many clusters run mission-critical applications that cannot easily be paused for security updates. |
| 2025-03-25 00:50:10 | theregister | MISCELLANEOUS | OTF Sues to Preserve Funding Against Trump Administration Cuts | The Open Technology Fund (OTF) has filed a lawsuit in a Washington DC court against the Trump administration to block cuts to its federal funding. OTF funds critical internet security projects such as the Tor anonymity network and the Let's Encrypt certificate authority, which are used worldwide to promote democracy and protect online privacy. The Trump administration, through an executive order, aims to eliminate the United States Agency for Global Media (USAGM), which supports OTF among other organizations. OTF argues that the proposed cuts are unconstitutional because they override specific congressional allocations of $43.5 million dedicated to internet freedom initiatives. OTF-backed technology is crucial for bypassing censorship, especially in countries such as China, and is used by over two billion people globally. The funding supports technologies such as the Messaging Layer Security protocol used by major tech companies, and VPNs that are vital in countries with restrictive regimes. OTF's lawsuit is part of a broader effort to maintain funding for US soft-power outlets such as Voice of America, with multiple organizations and individuals filing related suits. |
| 2025-03-24 23:10:11 | theregister | NATION STATE ACTIVITY | Top Officials Discuss Yemen Strikes on Signal, Inviting Journalist | Senior Trump administration figures used Signal, an encrypted messaging app, to discuss classified military plans, including airstrikes against Houthi rebels in Yemen. A journalist from The Atlantic, inadvertently added to the group chat, observed the sharing of sensitive information, including the timing of the strikes and the types of weapons to be used. Discussions in the group also covered public relations strategy and the financial involvement of European nations. The use of Signal, combined with auto-delete settings for messages, raises concerns about violations of federal record-keeping laws. Critics have pointed to the failure to use secure, government-approved communication channels and the resulting risks to operational security and personnel safety. Following the incident, Senator Adam Schiff called for an investigation into the extent of sensitive information being shared via unapproved platforms within the Pentagon. The situation highlights a disconnect between the administration's public stance on security, as demonstrated during the 2016 presidential campaign, and its own practices. |
| 2025-03-24 21:29:58 | theregister | NATION STATE ACTIVITY | FCC Investigates Chinese Telecom Firms' Operations in the U.S. | The FCC is scrutinizing Chinese telecom manufacturers such as Huawei to ensure compliance with U.S. national security regulations. Formal inquiries and a subpoena have been issued to identify any unauthorized operations by entities on the FCC's Covered List, which comprises companies flagged as national security threats. The investigation targets companies deemed aligned with the Chinese Communist Party and includes major firms such as ZTE and China Telecom. FCC Chairman Brendan Carr says these companies are still conducting unauthorized business activities, including potentially unregulated operations on U.S. soil. The inquiry also covers domestic companies that might be aiding the operations of these Chinese entities. Any breaches found will lead to enforcement action by the FCC to safeguard the integrity of America's telecommunications networks. During President Trump's first term, similar actions significantly affected Huawei's operations and profits, although the company recently reported a rebound in earnings. |
| 2025-03-24 20:35:12 | theregister | NATION STATE ACTIVITY | Former Air Force Officer Discusses Rising Nation-State Cyber Threats | Former US Air Force cyber officer Sarah Cleveland highlights the growing risk of nation-state attacks on supply chains, citing China in particular. Cleveland personally responded to these threats by installing solar panels at her home to mitigate potential disruptions to the power grid. She references recent activity by Chinese espionage groups such as Silk Typhoon and Salt Typhoon, which have targeted the U.S. Treasury and the telecom sector. Attacks are no longer only about data theft but now include direct disruption of critical infrastructure through compromised third-party vendors and contractors. Cleveland urges corporations not to wait for government mandates but to proactively secure their networks and understand where their data flows. She emphasizes the need for robust cybersecurity measures such as zero-trust policies, multi-factor authentication, and immediate de-provisioning of accounts when employees leave a company. She acknowledges a potential conflict of interest, since her current employer, ExtraHop, sells solutions that would benefit from higher demand for network visibility and response capabilities. |
| 2025-03-24 20:23:39 | bleepingcomputer | DATA BREACH | 23andMe Faces Bankruptcy, Urges DNA Data Deletion Amid Sale | 23andMe, a direct-to-consumer genetic testing company, has declared Chapter 11 bankruptcy and plans to auction its assets. The company has sold over 12 million DNA testing kits since its founding in November 2007. Despite the bankruptcy, 23andMe says customer data will remain subject to its existing security and privacy protections during the asset sale. Privacy concerns have escalated because the company's large store of DNA data could be acquired by an undesirable buyer. The California Attorney General has issued an alert advising customers to delete their data and revoke consent for its use in research. The UK Information Commissioner's Office stressed that GDPR obligations and rigorous data protection still apply despite the company's financial troubles. A previous data breach in 2023 compromised the genetic data of 6.4 million customers and led to a $30 million lawsuit settlement. The company's restructuring included controversial changes to its Terms of Use that limit customers' legal recourse against it. |
| 2025-03-24 19:49:48 | bleepingcomputer | MALWARE | VanHelsing RaaS Targets Multiple Platforms; Extortion Threats Revealed | The VanHelsing ransomware-as-a-service operation targets systems including Windows, Linux, BSD, ARM, and ESXi. Advertised on underground platforms since March 7, VanHelsing charges less experienced threat actors a $5,000 deposit. The operation prohibits attacks on CIS countries and gives affiliates 80% of ransom payments, with 20% going to the operators. The ransomware uses the ChaCha20 algorithm for file encryption and offers an automated escrow payment system. VanHelsing has so far claimed three victims: a city in Texas and two technology companies, one in the U.S. and one in France, with ransom demands of $500,000. The malware supports extensive command-line customization, enabling tailored attacks, and features both normal and stealth encryption modes. Despite its sophistication, Check Point identified several code flaws that suggest the project is still immature. VanHelsing is viewed as a significant and evolving threat in the cybercrime landscape. |