Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11540
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-12-05 13:11:30 | bleepingcomputer | DATA BREACH | Inotiv Faces Data Breach After August Ransomware Attack | Inotiv, a U.S.-based pharmaceutical firm, experienced a ransomware attack in August 2025, affecting its operations and compromising personal data. The breach impacted 9,542 individuals, including current and former employees, their families, and others connected to Inotiv. The attack disrupted business operations by taking down networks and systems, but Inotiv has since restored access and functionality. The Qilin ransomware group, known for its Ransomware-as-a-Service model, claimed responsibility, alleging the theft of over 162,000 files totaling 176 GB. Inotiv has not confirmed the types of data stolen nor attributed the attack to a specific group, despite Qilin's claims. The incident underscores the ongoing threat of ransomware to critical sectors, emphasizing the need for robust cybersecurity measures. Inotiv's disclosure to the SEC and notification to affected individuals demonstrate compliance with regulatory requirements and transparency. | Details |
| 2025-12-05 11:48:18 | thehackernews | NATION STATE ACTIVITY | Intellexa's Predator Spyware Targets Civil Society with Zero-Day Exploits | Amnesty International reports Intellexa's Predator spyware targeting a Pakistani human rights lawyer via a WhatsApp link, marking its first known use against civil society in the country. The investigation, in collaboration with international media, reveals Predator's use of zero-day exploits to infiltrate Android and iOS devices, leveraging both 1-click and zero-click methods. Technical analysis shows Predator's ability to exploit browser vulnerabilities, including CVE-2023-41993, to gain device access and exfiltrate sensitive data. Google Threat Intelligence Group links Intellexa to multiple zero-day exploits, indicating potential third-party sourcing for these vulnerabilities. The spyware can activate microphones and cameras, posing significant privacy risks, and has been detected in over a dozen countries, suggesting widespread deployment. U.S. sanctions have targeted Intellexa and its executives for civil liberties violations, yet Predator-related activities continue across various regions. Intellexa's alleged remote access to customer surveillance logs raises concerns about human rights due diligence and potential legal liabilities for misuse. Intellexa employs malicious ads to deliver exploits, with Google collaborating to dismantle associated advertising networks and accounts. | Details |
| 2025-12-05 11:34:16 | thehackernews | MISCELLANEOUS | Transforming MSP Sales: Building Trust Over Traditional Tactics | The "Getting to Yes" guide offers MSPs strategies to convert sales resistance into trust, emphasizing partnership over persuasion in cybersecurity service delivery. Traditional sales methods often fail as prospects are overwhelmed by technical jargon and fear-based messaging, leading to skepticism and stalled conversations. The guide suggests a trust-first framework with pillars of empathy, education, and evidence to align cybersecurity services with business outcomes like uptime and revenue. MSPs are encouraged to replace complex language with clear, value-driven communication, demonstrating how cybersecurity supports business continuity and compliance. Automation tools, such as Cynomi, are recommended to make trust-building scalable and consistent, enhancing client relationships and showcasing measurable progress. Successful MSPs act as trusted advisors, guiding clients to understand the intersection of risk and business impact, fostering long-term partnerships through clarity and confidence. By focusing on education and transparency, the guide aims to shift conversations from selling to collaborative problem-solving, promoting resilience and growth. | Details |
| 2025-12-05 11:27:40 | bleepingcomputer | VULNERABILITIES | React2Shell Vulnerability Exploited by China-Linked Threat Actors | React2Shell, a critical deserialization vulnerability in React and Next.js, is being actively exploited by China-linked threat groups Earth Lamia and Jackpot Panda. The flaw, identified as CVE-2025-55182, allows unauthenticated remote code execution, affecting numerous projects using these popular frameworks. AWS reports immediate exploitation attempts following the vulnerability's disclosure, with attacks targeting sectors such as finance, logistics, and government across multiple regions. Proof-of-concept exploits have been published, raising the risk of widespread exploitation, despite security updates from React and Next.js. AWS honeypots detected activity from China-based infrastructure, complicating attribution due to shared anonymization techniques among threat actors. Observed attacks involve manual testing and iterative payload adjustments, indicating active debugging efforts by attackers to refine their techniques. Assetnote has released a scanner to help organizations identify vulnerable environments, emphasizing the need for prompt patching and monitoring. | Details |
| 2025-12-05 11:21:50 | theregister | MISCELLANEOUS | UK Expands Facial Recognition Amidst Civil Liberties Concerns | The UK government is advancing plans to enhance police use of facial recognition, despite significant opposition from civil liberties groups. A new Home Office consultation proposes a legal framework to govern the use of facial recognition and other biometric technologies. The government argues that a unified legal regime is necessary to replace the current fragmented system of common law and data protection rules. The Home Office cites facial recognition's success in aiding 1,300 arrests, including serious offenders, as justification for its expansion. Critics, including Big Brother Watch, warn that increased use of facial recognition could lead to an authoritarian surveillance state. The Home Office has allocated £6.6 million this year for the development and evaluation of a national facial-matching service. Concerns persist regarding privacy implications, with calls for clear data storage rules and compliance with GDPR standards. The proposal aims to clarify legal ambiguities, but civil rights groups fear it may facilitate broader surveillance in public spaces. | Details |
| 2025-12-05 09:31:52 | theregister | MISCELLANEOUS | Navigating Online Misinformation: Strategies for Identifying Truth on the Internet | The article addresses the pervasive issue of misinformation online, exacerbated by bots and AI-driven content, affecting platforms like X (formerly Twitter) and its AI system, Grok. A new feature on X, "About this account," revealed that many pro-Trump accounts were operated from non-US locations, indicating bot-driven propaganda. Grok, an AI system, initially identified misinformation as a major threat but was altered by Elon Musk to reflect his personal views, showcasing the influence of biases in AI responses. The article suggests skepticism, verification habits, and technical checks as essential tools for discerning truth, emphasizing the importance of recognizing bias in information consumption. It recommends using fact-checking sites and reverse image searches to verify claims and images, noting the increasing difficulty in detecting deepfakes and AI-generated content. The piece warns against the erosion of trust in traditional sources, including government websites, due to political influences, urging reliance on reputable and unbiased sources. The challenges of distinguishing real from fake content are highlighted, underscoring the need for continuous vigilance and critical evaluation of online information. | Details |
| 2025-12-05 08:18:49 | thehackernews | NATION STATE ACTIVITY | Chinese BRICKSTORM Backdoor Targets U.S. Government and IT Sectors | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed the use of BRICKSTORM by PRC-backed hackers to maintain long-term access in U.S. systems, specifically targeting VMware and Windows environments. BRICKSTORM, written in Golang, allows threat actors to execute commands, manipulate files, and maintain stealthy access, utilizing protocols like HTTPS and DNS-over-HTTPS for secure command-and-control. The malware has been linked to Chinese groups UNC5221 and Warp Panda, targeting U.S. legal, technology, and manufacturing sectors, with intrusions detected in VMware vCenter environments. Initial access often involves exploiting internet-facing devices, with attackers moving laterally to domain controllers via Remote Desktop Protocol (RDP) and exfiltrating cryptographic keys. CrowdStrike identified Warp Panda's sophisticated operations, including the deployment of additional Golang implants, Junction and GuestConduit, to facilitate network traffic tunneling and command execution. The attackers have accessed sensitive data in cloud environments, exploiting Microsoft Azure to access OneDrive, SharePoint, and Exchange, indicating a focus on intelligence collection aligned with PRC interests. The Chinese embassy in Washington denied the accusations, asserting that the Chinese government does not support cyber attacks. The ongoing activity reflects a tactical evolution in Chinese cyber operations, emphasizing the need for robust defenses against state-sponsored threats. | Details |
| 2025-12-05 05:47:39 | thehackernews | VULNERABILITIES | Array Networks Gateways Face Active Command Injection Exploitation | JPCERT/CC has reported active exploitation of a command injection vulnerability in Array Networks AG Series gateways, affecting systems with the 'DesktopDirect' feature enabled. The vulnerability, lacking a CVE identifier, was patched on May 11, 2025, but has been actively exploited since August 2025, primarily in Japan. Attackers have leveraged the flaw to execute arbitrary commands, deploying web shells on compromised devices, with attacks traced back to IP address "194.233.100[.]138." While a prior authentication bypass flaw in the same product was linked to China-based MirrorFace, no current evidence connects them to the recent attacks. The vulnerability impacts ArrayOS versions 9.4.5.8 and earlier, with users urged to update to version 9.4.5.9 to mitigate risks. As an interim measure, disabling DesktopDirect services and applying URL filtering to block semicolon-containing URLs are recommended. Organizations should prioritize patch management and review remote access configurations to prevent exploitation of similar vulnerabilities. | Details |
| 2025-12-05 00:36:48 | theregister | VULNERABILITIES | Anthropic Introduces AI Benchmark for Smart Contract Vulnerability Detection | Anthropic has launched SCONE-bench, a benchmark to evaluate AI's capability in identifying vulnerabilities in blockchain smart contracts, highlighting the growing sophistication of AI in cybersecurity. The benchmark dataset includes 405 smart contracts from Ethereum-compatible blockchains, derived from DefiHackLabs, showcasing real-world exploitation scenarios between 2020 and 2025. Tests revealed that AI models like Claude Opus 4.5 and GPT-5 could generate exploit code valued at $4.6 million, emphasizing the potential financial impact of AI-driven attacks. In a simulation with 2,849 newly deployed contracts, AI agents identified zero-day vulnerabilities, demonstrating the feasibility of autonomous exploitation with a net profit margin. The cost efficiency of using AI for vulnerability detection is improving, with the average cost per vulnerable contract identified at $1,738, potentially increasing the attractiveness of such attacks. Anthropic's initiative stresses the necessity for proactive AI defense strategies to counteract the risks posed by increasingly capable AI models in cybersecurity. The development of SCONE-bench serves as a warning to industries relying on blockchain technology, urging them to reassess their security measures against AI-driven threats. | Details |
| 2025-12-04 23:11:10 | bleepingcomputer | VULNERABILITIES | ArrayOS AG VPN Flaw Exploited by Hackers for Webshell Deployment | Hackers are exploiting a command injection vulnerability in Array AG Series VPN devices, allowing them to plant webshells and create rogue users within targeted systems. Despite a security update in May, Array Networks has not assigned an identifier to the flaw, complicating tracking and patch management efforts. Japan's CERT has issued a warning, noting that attacks have been ongoing since August, primarily affecting organizations within Japan. The vulnerability impacts ArrayOS AG 9.4.5.8 and earlier, affecting both hardware and virtual appliances with the 'DesktopDirect' feature enabled. Macnica's security research indicates 1,831 ArrayAG instances globally, with significant concentrations in Asia, particularly Japan, China, and the U.S. The lack of global awareness and attention from security vendors outside Japan increases the risk of exploitation in other regions. Array Networks has yet to respond regarding the publication of a CVE-ID or an official advisory, leaving organizations at risk without a standardized tracking mechanism. | Details |
| 2025-12-04 22:25:43 | bleepingcomputer | VULNERABILITIES | NCSC Launches Proactive Notifications to Alert UK Organizations of Vulnerabilities | The UK's National Cyber Security Center (NCSC) has initiated the Proactive Notifications service to alert organizations about vulnerabilities in their systems using public data and internet scanning. Partnering with Netcraft, the service identifies unpatched vulnerabilities and recommends software updates, focusing on UK domains and IP addresses from local Autonomous System Numbers (ASNs). Proactive Notifications will not cover all systems or vulnerabilities, and organizations are advised to use it alongside NCSC's Early Warning service for comprehensive security alerts. The service aims to improve cybersecurity posture by notifying organizations of risks before a direct threat is detected, helping to harden systems and mitigate potential attacks. Emails from this service are sent from netcraft.com addresses, contain no attachments, and never request personal information; the underlying scanning is conducted in compliance with the Computer Misuse Act. While in the pilot phase, the timeline for the broader rollout of Proactive Notifications remains unspecified, but it is part of a layered security strategy with the Early Warning service. Early Warning offers alerts on potential cyberattacks and vulnerabilities by cross-referencing threat intelligence feeds with enrolled organizations' domains and IP addresses. | Details |
| 2025-12-04 22:14:34 | theregister | NATION STATE ACTIVITY | PRC-Backed Brickstorm Malware Breaches Critical US Networks for Years | Chinese cyber operatives infiltrated critical US networks, maintaining access for years using the sophisticated Brickstorm malware, affecting at least eight government and IT organizations. The malware operates across Linux, VMware, and Windows environments, enabling long-term access, data theft, and potential sabotage, posing significant risks to US infrastructure. Google Threat Intelligence and Mandiant identified the intrusions, attributing them to UNC5221, a suspected Chinese group, and recommended using open-source tools to detect the backdoor. CrowdStrike linked Brickstorm to a new group, Warp Panda, which exploits edge devices and VMware environments to access Microsoft 365 data and other sensitive information. The attackers used advanced techniques like session replay and multifactor authentication manipulation to maintain persistence and exfiltrate data from compromised networks. Security agencies, including CISA and NSA, issued warnings and are actively monitoring the situation, emphasizing the ongoing threat from state-sponsored cyber activities. The extended dwell time and persistent access complicate detection and response efforts, highlighting the need for enhanced cybersecurity measures and vigilance across affected sectors. | Details |
| 2025-12-04 21:11:50 | theregister | DATA BREACH | Pentagon's Messaging Security Flaws Exposed in Inspector General Report | A Pentagon Inspector General report revealed that Defense Secretary Pete Hegseth used Signal to share sensitive information, breaching DoD communication protocols. The incident involved sharing operational details about airstrikes in Yemen, which were initially marked as secret, with a Signal group that included a journalist. While Hegseth claimed to have declassified the information, the use of a personal device and non-approved app violated Pentagon rules, risking potential data compromise. The Inspector General identified this as part of a broader issue within the DoD, where personnel frequently fail to comply with electronic messaging and records retention policies. Recommendations include mandatory cyber training for senior officials and the development of a secure, DoD-controlled messaging service. The report highlights systemic challenges in maintaining operational security and protecting classified information within the Department of Defense. | Details |
| 2025-12-04 20:49:00 | bleepingcomputer | MALWARE | Predator Spyware Uses Zero-Click Ads for Stealthy Device Infections | Predator spyware, developed by Intellexa, employs a zero-click infection method named "Aladdin," targeting users through malicious advertisements, as revealed by a joint investigation. This new vector, operational since 2024, uses the commercial mobile advertising system to deliver malware, exploiting public IP addresses to target specific individuals. The ads redirect targets to Intellexa’s exploit servers without user interaction, making detection and prevention challenging for cybersecurity defenses. The investigation involved leaked documents and technical analysis from Amnesty International, Google, and Recorded Future, uncovering the global network of shell companies involved. Additional delivery vectors, such as 'Triton,' exploit Samsung Exynos devices through baseband vulnerabilities, highlighting Intellexa's extensive zero-day exploitation capabilities. Despite sanctions and investigations, Intellexa remains active, prompting recommendations for enhanced mobile security measures like Advanced Protection on Android and Lockdown Mode on iOS. The complexity of defending against such sophisticated attacks emphasizes the need for robust ad-blocking and IP-hiding strategies to protect user privacy and security. | Details |
| 2025-12-04 19:55:19 | theregister | CYBERCRIME | Twin Brothers Indicted for Deleting Government Databases Post-Termination | Twin brothers, Muneeb and Sohaib Akhter, were indicted for allegedly deleting nearly 100 government databases after being terminated from a federal contractor position. The databases included sensitive information related to the Department of Homeland Security and Freedom of Information Act matters. The brothers allegedly used artificial intelligence tools to assist in covering their tracks by deleting system logs and other evidence. The incident occurred within minutes of their termination, exploiting lingering access due to insufficient deactivation measures. Opexus, the contractor involved, has stated its commitment to strengthening security measures following the breach. The brothers had prior convictions for hacking-related offenses, raising questions about vetting and access control for sensitive roles. Legal proceedings are underway, with potential penalties including significant prison time for both individuals if convicted. The case underscores the critical need for robust access management and immediate revocation of credentials upon employee termination. | Details |