Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12775
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-20 15:57:16 | bleepingcomputer | CYBERCRIME | Hazy Hawk Exploits DNS Flaws to Hijack High-Trust Domains | The 'Hazy Hawk' cyber gang hijacks subdomains of prominent organizations through DNS misconfigurations. Targets include governments, universities, and Fortune 500 companies, using abandoned CNAME records of cloud services. The threat actor creates malicious sites that appear legitimate by inheriting the trust score of the hijacked domain. Hijacked domains are used for various scams, distributing fake apps, and serving malicious advertisements. Victims redirected to these sites are profiled and targeted with tech support scams, false security alerts, and phishing operations. Persistent browser push notifications are used to keep scamming victims even after they leave the initial site. The exploitation relies heavily on organizations not removing outdated DNS records, which makes it easy for attackers to take control. Greater awareness of the risk posed by abandoned CNAME records is suggested to help defend against such attacks. | Details |
| 2025-05-20 15:01:58 | thehackernews | MALWARE | Over 100 Malicious Chrome Extensions Endanger User Data | Researchers uncovered over 100 fake Chrome browser extensions involved in data theft and session hijacking. The malicious extensions masqueraded as useful utilities, including ad blockers and VPN services, but facilitated credential theft, ad injection, and phishing. The threat actor lured potential victims into downloading these extensions through websites that impersonated legitimate services and manipulated search results. The extensions were granted excessive browser permissions, allowing them to interact with all sites visited, execute arbitrary code, and perform malicious redirects. Malicious activity included fetching scripts from attacker-controlled domains and setting up proxy connections via WebSocket. How victims reach these deceptive sites remains unclear but may involve phishing and social media strategies. DomainTools highlighted that even ratings and feedback might be manipulated, casting doubt on the reliability of Chrome Web Store reviews. Google has since removed the identified malicious extensions from the Chrome Web Store. | Details |
| 2025-05-20 14:43:32 | bleepingcomputer | MALWARE | RVTools Hit by Supply Chain Attack Delivering Bumblebee Malware | RVTools' official website was compromised to distribute a DLL hosting Bumblebee malware, impacting users who downloaded the tool. The malware was first identified by ZeroDay Labs, which noted discrepancies in file hash and size that suggested a supply chain attack. After discovery, the RVTools website was temporarily taken down and later restored with the correct version of the software. Bumblebee malware is known for downloading additional harmful payloads such as Cobalt Strike beacons, information stealers, and ransomware. The malware's ties to the now-defunct Conti ransomware operation and its derivatives indicate a high threat level and potentially wide impact. Arctic Wolf reported spotting trojanized RVTools installers spreading via typosquatted domains, indicating further spread of the threat. Users were advised to download RVTools, a tool essential for VMware vSphere management, only from official sites to prevent malware risks. Executives are urged to verify the integrity of downloaded software files using hashes and to maintain awareness of phishing and malvertising schemes. | Details |
| 2025-05-20 14:08:44 | bleepingcomputer | CYBERCRIME | How Cybercriminals Exploit Service Desks and Solutions to Counter Them | Cybercriminals target service desks through social engineering, tricking agents into providing sensitive information. Recent incidents involved DragonForce ransomware affecting major British retailers, initiated via compromised service desk operations. Attackers often impersonate executives or trusted vendors to manipulate service desk employees, leveraging empathy and urgency. The Verizon Data Breach Investigations Report highlights that stolen credentials feature in 44.7% of data breaches. Implementing strict verification processes and training could thwart social engineering efforts. Enforcing least privilege and segmenting critical systems can limit the potential damage from compromised service desk agents. Tools like Specops Secure Service Desk enhance security by integrating multi-factor verification and customizable challenge flows. Regular training and phishing simulations are recommended to keep service desk teams vigilant against potential security threats. | Details |
| 2025-05-20 13:02:32 | thehackernews | NATION STATE ACTIVITY | SideWinder APT Targets South Asian Governments Using Old Office Exploits | High-level government entities in Sri Lanka, Bangladesh, and Pakistan have been targeted by the SideWinder APT group. SideWinder used spear-phishing emails with geofenced payloads, ensuring only intended victims in specific countries received the malicious content. The attacks exploited outdated Microsoft Office vulnerabilities (CVE-2017-0199 and CVE-2017-11882) to deploy the StealerBot malware. Targeted organizations include Bangladesh’s Telecommunication Regulatory Commission and Ministries of Defence and Finance, among others in the region. StealerBot is capable of dropping additional malware, launching reverse shells, and extracting sensitive data such as keystrokes, passwords, and files. The campaign uses DLL side-loading for persistence and employs controlled delivery tactics to manage the scope of the attack. SideWinder’s operations show a pattern of consistent activity and strategic execution, highlighting its sustained threat presence in the geopolitical landscape. | Details |
| 2025-05-20 12:45:58 | thehackernews | CYBERCRIME | Researchers Uncover IAM Security Flaws in AWS and Azure Services | Cybersecurity experts identified security vulnerabilities in AWS default IAM roles, impacting services like SageMaker, Glue, and EMR. Default IAM roles grant overly broad permissions that could be exploited for lateral movement and privilege escalation within AWS accounts. Researchers explained that attackers could use these roles to modify AWS resources such as CloudFormation templates and SageMaker resources, facilitating cross-account movement. A similar security flaw was found in the open-source framework Ray, which confers full access to S3 resources on IAM roles, broadening potential attack vectors. AWS has responded by revising the AmazonS3FullAccess policy to tighten the scope of default service roles and urged organizations to audit and update roles to minimize risks. A related vulnerability in Azure's AZNFS-mount utility could allow unprivileged users to escalate privileges to root, impacting Azure AI and HPC workloads. These findings underscore the need for strict access controls and vigilance in cloud environments to prevent unauthorized access and potential data breaches. | Details |
| 2025-05-20 12:23:08 | theregister | RANSOMWARE | Ransomware Disrupts UK Food Supplier, Threatens Supermarket Stocks | A ransomware attack on Peter Green Chilled occurred on May 14, impacting major UK supermarket chains. The company informed customers of the attack and ceased processing new orders on May 15, while continuing its transport operations. Communication channels such as phone and email were disrupted, and the company's website was not accepting external messages. The attack affected not only Peter Green Chilled but also its clients, including The Black Farmer, which faced potential losses of around £100,000 due to immobilized stock. The broader impact on the supply chain highlights the dire consequences for small businesses and the potential wastage of fresh goods. M&S, another affected entity, is preparing a substantial cyber insurance claim to cover the financial fallout from the attack. Experts emphasize the shift in ransomware tactics from data theft to operational disruption to compel quicker payments and increase pressure on victims. The incident underlines the need for enhanced operational resilience and security measures within the retail sector to mitigate the risks and impacts of such cyberattacks. | Details |
| 2025-05-20 11:01:25 | thehackernews | MISCELLANEOUS | Growing Security Tool Use with Mixed Effectiveness and Insights | Pentera's 2025 State of Pentesting Report surveyed 500 CISOs globally to gain insight into current cybersecurity practices and challenges. Despite the adoption of more security tools (an average of 75 per organization), 67% of U.S. enterprises faced a breach within the last 24 months. Larger security stacks contribute to a significant increase in alert volumes, with some enterprises managing over 2000 alerts per week, necessitating better prioritization to combat alert fatigue. Software-based pentesting is on the rise, with 50% of CISOs adopting these tools as their primary security testing method due to increased trust and the need for scalable solutions. Cyber insurance providers are increasingly influencing cybersecurity strategies, with 59% of CISOs implementing solutions based on their recommendations. Confidence in government cybersecurity support is low among CISOs, with only 14% satisfied with the help provided, while a majority find it insufficient or unreliable. The report highlights a need for continuous, scalable, and effective security practices to address the increasing complexity of threats and tool management. | Details |
| 2025-05-20 09:39:55 | thehackernews | NATION STATE ACTIVITY | Chinese-Linked Hackers Target Saudi Entity with MarsSnake Backdoor | Chinese-affiliated hackers, known as UnsolicitedBooker, targeted a Saudi organization using spear-phishing with flight ticket lures. Attacks involved multiple backdoors, including Chinoxy, DeedRAT, Poison Ivy, and the newly deployed MarsSnake. MarsSnake was delivered via a malicious Word document disguised as a flight ticket PDF, which triggered a harmful VBA macro. The persistent targeting of the organization since 2023 suggests a high strategic interest on the part of the threat group. UnsolicitedBooker's activities show affiliation with larger Chinese cyber operations, sharing methods with groups like Space Pirates. Other Chinese groups, such as PerplexedGoblin and DigitalRecyclers, continue to target European and governmental entities using sophisticated espionage tools. The discovery highlights the ongoing and evolving threat from state-aligned actors against international and governmental organizations. | Details |
| 2025-05-20 08:38:44 | theregister | DATA BREACH | Virgin Media O2 Fixes Flaw Exposing User Locations to Callers | Virgin Media O2 resolved a privacy issue in its 4G Calling feature that allowed callers to pinpoint the recipient's location. Researcher Daniel Williams discovered that metadata from VoLTE could locate users to within 100 meters using IMSI, IMEI, and cell ID data. Williams publicized this vulnerability in May after first contacting the mobile network operator in March and initially receiving no response. A company spokesperson confirmed the fix, stating that comprehensive testing and implementation had been completed by May 19. Williams' detailed findings showed that the IMSI and IMEI numbers returned by the server identified both the caller's and the recipient's devices on the VMO2 network. The information leakage was demonstrated using tools like CellMapper, which could provide location data down to city-centre precision. Disabling 4G Calling occasionally halted the metadata transmission but was not deemed a reliable way to prevent the privacy breach. The resolution came after extensive research by Williams, who has stopped reproducing the issue following the repair. | Details |
| 2025-05-20 08:25:47 | thehackernews | MALWARE | New Cryptojacking Campaign Targets Linux Redis Servers | Researchers at Datadog Security Labs identified a new cryptojacking campaign, codenamed RedisRaider, targeting public Redis servers on Linux systems. The campaign uses a customized scanner to locate accessible Redis servers, checks for a Linux OS via an INFO command, and then injects a cron job using the SET command. The malware changes the Redis working directory to "/etc/cron.d" and sets the database file name to "apache", so that the saved database executes a Base64-encoded shell script. This script downloads the RedisRaider binary, which deploys a specialized XMRig miner to harness computing resources for mining Monero cryptocurrency. The malware also replicates itself to other Redis instances, expanding its impact, while incorporating anti-forensics features such as short key TTLs and database configuration alterations to evade detection. Moreover, RedisRaider supports a web-based Monero miner for additional revenue, signifying a complex, multi-pronged financial strategy by the threat actors. Also reported was a separate campaign exploiting Microsoft Entra ID's legacy authentication protocols for targeted brute-force attacks, primarily against accounts in Eastern Europe and Asia-Pacific. | Details |
| 2025-05-20 05:55:24 | thehackernews | MALWARE | Malicious PyPI Packages Target Social Media APIs, Risk User Data | Cybersecurity researchers discovered malicious Python packages on PyPI that exploit social media APIs to validate stolen email addresses. The packages, named "checker-SaGaF", "steinlurks", and "sinnercore", use various techniques to abuse Instagram and TikTok APIs, mimicking legitimate app functions to evade detection. These tools check whether email addresses are associated with existing social media accounts, enabling cybercriminals to refine their target lists and threaten users through various harmful actions. Validated email lists from these attacks are often sold on the dark web, contributing to broader cybercrime such as credential stuffing and phishing attacks. Additional functionality in these packages includes targeting Telegram user data and crypto utilities, indicating the complex and multi-purpose nature of the malware. The findings reveal significant risks not only to individual privacy but also to organizations, as these validated emails can lead to targeted and sophisticated cyber attacks. One package named "dbgpkg" served as a backdoor implant on developers' systems, demonstrating a trend of using developer tools as malware dissemination vectors. The techniques and targeted deployment indicate a high level of sophistication among the attackers, who seek to establish a long-term, anonymous presence on infected systems. | Details |
| 2025-05-19 23:03:36 | theregister | MISCELLANEOUS | CISA Appoints New Deputy Amid Challenges and Budget Cuts | CISA announced Madhu Gottumukkala as the new deputy director amid budget reductions and staffing challenges. The agency still lacks a Senate-confirmed leader, with interim duties performed by Bridget Bean. Key focus areas are under threat due to a proposed $491 million cut, about 17 percent of CISA's budget. The budget cuts align with an administration push to limit CISA's scope to China-focused defenses, excluding certain red team functions and Russian threats. Resignations include leaders from the Secure by Design program, and other staff have taken voluntary resignation options. Senator Ron Wyden blocked the director nominee, Sean Plankey, demanding the release of a report on vulnerabilities in U.S. telecom networks. CISA's refocus on its mission includes an evaluation of election security, particularly how it handles misinformation and foreign influence. DHS remains tight-lipped about exact numbers on CISA staff reductions and restructuring details, leading to congressional inquiries. | Details |
| 2025-05-19 21:25:18 | bleepingcomputer | MALWARE | Trojanized KeePass Installs Lead to Ransomware via ESXi Servers | Threat actors distributed trojanized KeePass versions for eight months to deploy Cobalt Strike beacons and ransomware. The malicious KeePass installer was promoted through Bing ads that led to fake software download sites. The modified KeePass, named KeeLoader, included functionality that stole credentials and exported password databases in cleartext. The KeePass alterations were linked to Black Basta ransomware and are believed to be operated by initial access brokers. Researchers unearthed various signed variants that fooled users through typosquatting domains. The compromised companies' VMware ESXi servers were encrypted in the ransomware attacks. WithSecure linked the activity to UNC4696, a group associated with past Nitrogen Loader and BlackCat/ALPHV ransomware campaigns. The investigation revealed an extensive infrastructure for disseminating various malware and credential phishing schemes under impersonated domains. | Details |
| 2025-05-19 19:24:37 | bleepingcomputer | DATA BREACH | O2 UK Resolves Bug Exposing Mobile Users' Location Data | A security flaw in O2 UK's VoLTE and WiFi Calling allowed location tracking through call metadata. Researcher Daniel Williams found that the vulnerability had persisted since March 2017 until its recent resolution. The flaw leaked sensitive information such as IMSI and IMEI numbers and cell tower locations. Williams used the Network Signal Guru app and public tools to pinpoint user locations accurately. O2 UK, with nearly 23 million mobile users, implemented the fix without requiring customer action. Virgin Media O2 confirmed the issue and its resolution, assuring customers that no action was needed. Uncertainty remains as to whether O2 UK previously knew about the flaw or whether any exploitation occurred. | Details |