Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12791
Checks for new stories every ~15 minutes
| Timestamp | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-04-26 14:10:46 | bleepingcomputer | MALWARE | WooCommerce Admins Fooled by Malicious Security Patch Phishing Scam | A phishing campaign is targeting WooCommerce users, prompting them to download a fake "critical security patch" that actually installs a malicious WordPress plugin. The phishing emails mimic WooCommerce support, using deceptive domain names that closely resemble the legitimate WooCommerce domain, employing homograph attack techniques. This malicious plugin creates hidden admin accounts, enables web shell payload downloads, and grants attackers persistent unauthorized access to the victim's website. This scheme is reminiscent of a previous phishing operation targeting WordPress users with fake patches for non-existent vulnerabilities. Once installed, the malicious software initiates cronjobs to maintain control, downloads further obfuscated malware payloads, and conceals its tracks by hiding its files and the new admin accounts from plain view. Threat actors could potentially use the access to inject ads maliciously, redirect visitors, participate in DDoS attacks, steal sensitive data, or deploy ransomware. Security firm Patchstack advises vigilance regarding unusual admin accounts, cron jobs, and specific, obscure directories but warns that specifics may change as attackers adapt to security measures being publicized. | Details |
| 2025-04-26 10:48:55 | thehackernews | CYBERCRIME | ToyMaker Sells Access to Ransomware Gangs, Deploys LAGTOY Malware | Cybersecurity experts have identified an initial access broker (IAB) known as ToyMaker, involved in selling access to ransomware groups like CACTUS. ToyMaker uses a custom malware named LAGTOY, also referred to as HOLERUN, to infiltrate and control systems. Researchers from Cisco Talos attribute the malware's use to UNC961, also called Gold Melody or Prophet Spider, active since late March 2023. The IAB capitalizes on security vulnerabilities in internet-facing applications to gain initial access, perform reconnaissance, and collect credentials. After initial infiltration, ToyMaker facilitates the deployment of CACTUS ransomware by handing over stolen credentials to the ransomware operators. The malware LAGTOY communicates with a command-and-control server to execute commands, create reverse shells, and run processes with specific privileges on targeted machines. There is evidence of the use of tools like Magnet RAM Capture by attackers to extract memory dumps and gather more sensitive information from the compromised systems. CACTUS ransomware affiliates typically continue with their own reconnaissance, maintain persistence, and prepare for data exfiltration and encryption using methods such as OpenSSH and AnyDesk. | Details |
| 2025-04-26 00:04:29 | theregister | NATION STATE ACTIVITY | US Defense Secretary's Insecure Practices Endanger National Security | US Defense Secretary Pete Hegseth used Signal on personal devices to discuss sensitive military details. Multiple incidents involve senior White House officials using personal devices and apps to share classified information. National Security Council members reportedly used personal Gmail for communication about military operations. The incidents expose critical national security data to potential interception by foreign intelligence. Secure communication protocols established by the Pentagon were bypassed, risking sensitive intelligence. Former tech advisor to the White House and encryption expert John Ackerly highlighted the ongoing risks from adversaries like China. The Trump administration neglected cybersecurity norms and dissolved the Cyber Safety Review Board amidst investigations. Continued underestimation of security lapses by officials, even after the leaks were publicized, undermines US military and national defense. | Details |
| 2025-04-25 22:23:15 | theregister | MISCELLANEOUS | US CVE Program Faces Unexpected Funding Crisis and Future Plans | The Common Vulnerabilities and Exposures (CVE) program, operated by MITRE under US government contract since 1999, faced a sudden notification of non-renewed funding. Board members, including founding member Kent Landfield, were unexpectedly informed via social media about the funding issue, highlighting communication failures within the governance structure. Despite historical funding challenges, this incident exposed significant weaknesses in the CVE's sustainability and dependence on single government sponsorship. Following the revelation, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed an extension of the funding contract until March 2026, alleviating immediate concerns but not securing long-term stability. Concurrently, discussions within the CVE board culminated in the formation of the CVE Foundation, aiming to diversify funding and maintain the program's neutrality and effectiveness in global cybersecurity. The CVE Foundation received quick positive feedback and support offers from various global entities, indicating widespread recognition of the program's importance. Detailed planning and collaboration efforts are underway to ensure the CVE program's transition to a more sustainable, diversified funding model and to enhance its role in global cybersecurity defense. | Details |
| 2025-04-25 19:53:53 | bleepingcomputer | CYBERCRIME | Zero-Day Vulnerabilities in Craft CMS Exploited to Steal Data | Two interconnected zero-day vulnerabilities in Craft CMS were exploited to compromise servers and facilitate data theft. The first vulnerability exploited (CVE-2025-32432) involved manipulation of a return URL saved in a PHP session file, while the second (CVE-2024-58136) exploited a flaw in the Yii framework to execute malicious PHP code. Attackers used these vulnerabilities to install a PHP file manager and further infiltrate systems with backdoors and subsequent data exfiltration. Orange Cyberdefense investigated and identified these vulnerabilities after being alerted to a compromised server. Yii framework developers and Craft CMS have since released updates to address these vulnerabilities, mitigating the exploitable attack chain. Despite the updates, admins are advised to review possible site compromises and refer to SensePost's forthcoming detailed report for full indicators of compromise. Prior to this incident, CISA had identified another code injection vulnerability in Craft CMS (CVE-2025-23209) as actively exploited. | Details |
| 2025-04-25 19:06:42 | theregister | NATION STATE ACTIVITY | Surge in Scanning Activity on Ivanti VPN Points to Potential Threats | A significant increase was observed in endpoint scanning of Ivanti VPN systems, specifically targeting Connect Secure and Pulse Secure, with scans up by 800% on a single day compared to typical activity. GreyNoise identifies the activity as a prelude to potential exploitation and public disclosure of new vulnerabilities, drawing parallels with past incidents. Ivanti advises customers to upgrade from unsupported versions of its software, noting the increased risk of exploitation in end-of-life products. Data from the last 90 days shows that nearly a quarter of scanning activity occurred in one day, with a substantial portion of these scans categorized as suspicious or malicious. GreyNoise urges vigilance, recommending users review their logs for any signs of unauthorized access and update software with the latest security patches. Ivanti products have a recent history of security issues, including repeated targeting by zero-day attacks and specific vulnerabilities like CVE-2025-0282. Ongoing threats and malware deployments linked to nation-state actors suggest a pattern of persistent interest and exploitation attempts by advanced threat groups. | Details |
| 2025-04-25 18:07:58 | theregister | MISCELLANEOUS | Microsoft Resolves Server 2025 Remote Desktop Freezing Issue | Microsoft has addressed a critical bug in Server 2025 that caused Remote Desktop sessions to freeze, necessitating user reconnection to restore functionality. The problematic update was initially deployed in February but began causing issues, prompting an urgent need for rectification. A new patch, referenced as KB5055523, has been released, correcting the freezing problem for Windows Server 2025 and similar issues in Windows 11. This fix is part of Microsoft's broader efforts to stabilize recent updates that have resulted in various issues, including system crashes and error messages. Microsoft continues to prioritize updates and fixes, despite facing challenges with previous patches leading to unexpected errors and functionality issues. Users and administrators are advised to install the latest patches promptly to ensure system stability and prevent disruptions. The continuous cycle of patching software issues underlines ongoing challenges in Microsoft's software development and update processes. | Details |
| 2025-04-25 16:23:30 | theregister | CYBERCRIME | M&S Halts Online Orders Amid Intensifying Cyber Incident | Marks & Spencer has stopped taking orders on its website and app due to a worsening cyber incident. The UK retailer had already suspended contactless payments and Click & Collect services earlier in the week. Customers can still browse products online, and physical stores remain open. M&S has engaged leading cybersecurity experts to address the issues and aims to restart online and app shopping soon. There have been additional disruptions, including issues with redeeming gift cards and processing returns via self-service kiosks. The cyber incident was first reported on Saturday, with specific disruptions in returns and Click & Collect orders. M&S has informed regulatory bodies including the Information Commissioner's Office and the National Cyber Security Centre. Cybersecurity experts have warned M&S customers to be vigilant against potential phishing attempts related to the incident. | Details |
| 2025-04-25 15:34:07 | theregister | MALWARE | SAP Releases Urgent Patch for Critical NetWeaver Vulnerability | SAP issued an emergency patch for a critical flaw in NetWeaver, rated a perfect 10/10 for severity. The vulnerability, identified as CVE-2025-31324, affects the metadata uploader in the Visual Composer tool, allowing unauthorized code uploads. Onapsis reports the flaw was exploited as a zero-day, potentially letting attackers control SAP business data and processes. The flaw raises concerns about ransomware attacks and lateral movement within networks. Limited detail is available publicly, as SAP has paywalled the extensive information, restricting access to customers. Similarities have been noted between this issue and earlier SAP NetWeaver vulnerabilities described by ReliaQuest. Experts urge SAP customers to apply the patch immediately and check systems for signs of compromise. High-value targets, including large enterprises and government bodies, are at risk due to widespread SAP usage. | Details |
| 2025-04-25 15:09:42 | bleepingcomputer | CYBERCRIME | Marks & Spencer Suspends Online Sales After Cyberattack | Marks & Spencer (M&S) paused online orders due to a cyberattack impacting its e-commerce platform. The attack disrupted various services, including contactless payments and the Click & Collect feature in stores. Despite the disruption, physical M&S stores remain open and products can still be browsed online. The company is working with external cybersecurity experts to manage and resolve the incident. No threat groups have claimed responsibility for the attack yet, and there has been no immediate data leak. M&S has implemented offline measures for certain processes to protect its business operations and stakeholders. The company expressed gratitude for the support from customers and partners during the ongoing recovery efforts. | Details |
| 2025-04-25 14:57:55 | bleepingcomputer | DATA BREACH | MTN Reports Cybersecurity Incident Exposing Customer Data | African mobile provider MTN Group disclosed a cybersecurity breach impacting the personal information of subscribers in select markets. The incident did not affect MTN's core network, billing systems, or financial services infrastructure. An unknown third party allegedly accessed customer data; however, it remains unclear what specific information was compromised. MTN has initiated contact with the South African Police and with regulatory and data protection authorities to assist in the ongoing investigation. The company will notify affected customers and has advised all users to take measures to protect themselves from potential cybersecurity threats. Despite the data incident, no ransomware groups have claimed responsibility for the attack. MTN Group is the largest mobile network operator in Africa, serving nearly 300 million subscribers across 20 countries with over $11 billion in annual revenue. | Details |
| 2025-04-25 14:25:34 | bleepingcomputer | MALWARE | Windows Update Locked by Inetpub Folder Manipulation Flaw | A recent Windows security update inadvertently introduced a vulnerability by creating a new "inetpub" folder, which can be manipulated to prevent future updates. This folder, which is part of a security fix for a Windows Process Activation vulnerability (CVE-2025-21204), was designed to enhance system security. Cybersecurity expert Kevin Beaumont demonstrated that linking this folder via a Windows junction to a file instead of another directory can block the installation of subsequent updates. Non-administrative users can exploit this weakness using a simple command to create a junction linking the inetpub folder to any Windows file, effectively using it to deny service. This misuse results in failed update installations, displaying the error code 0x800F081F, which indicates a missing source file. Microsoft has acknowledged this issue, assigning it a "Medium" severity rating and noting that a fix may be considered for future updates. The company advises against deleting the inetpub folder, as it is crucial for ongoing security enhancements, even if Internet Information Services (IIS) is not active on the system. | Details |
| 2025-04-25 14:08:49 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Use Fake Crypto Jobs to Spread Malware | North Korea-linked hackers created fake cryptocurrency consulting firms to distribute malware under the guise of job interviews. These firms, including BlockNovas LLC and Angeloper Agency, use social engineering to entice individuals to download malicious software. The campaign, dubbed Contagious Interview, results in the deployment of known malware families like BeaverTail, InvisibleFerret, and OtterCookie using deceptive job application processes. Cybersecurity firm Silent Push identified the malware, which is designed to harvest data, establish backdoors, and remotely control victims' devices across multiple operating systems. The scheme not only spreads malware but also involves stealing credentials and potentially compromising cryptocurrency wallets. The operation employs sophisticated techniques, including AI-generated fake employee profiles and advanced anonymization methods, to hide its activities. Investigations reveal connections with Russian IP addresses, suggesting possible cooperation or shared infrastructure between North Korean actors and Russian entities. | Details |
| 2025-04-25 14:08:49 | bleepingcomputer | DATA BREACH | Over 31,000 Affected in Baltimore School Data Breach Incident | Baltimore City Public Schools suffered a data breach in February, affecting its IT systems. The security breach compromised personal data of at least 31,000 individuals, including employees, students, and contractors. Sensitive information exposed includes social security numbers, driver's licenses, and passport details. The breach is linked to Cloak ransomware, a group active since late 2022, primarily targeting small to medium businesses. The school district has initiated complimentary credit monitoring services for impacted persons and recommended vigilance in personal account and credit report monitoring. This incident follows previous cybersecurity issues within the region, including multiple ransomware attacks on nearby government and educational systems. | Details |
| 2025-04-25 13:21:13 | bleepingcomputer | MALWARE | Critical SAP NetWeaver Zero-Day Exploited, Urgent Patches Released | SAP has released emergency updates for a critical zero-day flaw in NetWeaver Visual Composer, vulnerable to remote code execution. The flaw, identified as CVE-2025-31324 with a maximum severity score of 10.0, involves an unauthenticated file upload vulnerability. Attackers exploited this vulnerability to upload malicious JSP webshells, enabling remote code execution and full system control. Following the initial breach, attackers utilized advanced tools such as 'Brute Ratel' and 'Heaven's Gate,' enhancing stealth and system penetration. Security firms, including ReliaQuest and watchTowr, observed active exploitation leading to significant security concerns among SAP users. Despite systems being fully patched, the zero-day nature of the exploit allowed attackers to bypass existing security measures. SAP's emergency patch not only addresses this issue but also fixes additional critical vulnerabilities in their software suite. Companies unable to immediately apply the patch are advised to conduct deep scans and remove any suspicious files as a temporary measure. | Details |