Daily Brief

Article summaries below are automatically generated.

Total articles found: 12807

2025-03-27 16:32:24 bleepingcomputer MALWARE Report Highlights Top WordPress Plugin Vulnerabilities of Q1 2025
A new Patchstack report identifies the four most exploited WordPress plugin vulnerabilities of the first quarter of 2025. All four are rated critical and were disclosed and patched in 2024, yet many sites still run the vulnerable versions. Attackers exploited them to run arbitrary code or steal sensitive data from affected sites; two of the four were seen exploited in the wild for the first time this quarter. Not every attempt succeeds, since web application firewalls and virtual patching block many of them. The report urges administrators to keep WordPress core, themes and plugins updated and to enforce strong access controls, including multi-factor authentication. Sites without such protection remain exposed as exploitation attempts continue.
2025-03-27 14:53:04 bleepingcomputer MALWARE Critical Firefox Sandbox Escape Flaw Patched in Latest Update
Mozilla has released Firefox 136.0.4 to fix a critical sandbox escape, CVE-2025-2857, affecting Firefox on Windows in both the standard and Extended Support Release (ESR) branches. The bug was found internally by Mozilla developer Andrew McCreight after the disclosure of a similar Chrome flaw, CVE-2025-2783, which was exploited in cyber-espionage attacks on Russian government and media organizations that began with deceptive emails. Mozilla's advisory describes the same pattern in its own IPC code: a compromised child process could cause the parent process to hand back an unintentionally powerful handle, escaping the sandbox. The fix follows Mozilla's earlier patching of a different Firefox zero-day that a Russian cybercrime group chained with a Windows privilege-escalation flaw. CVE-2025-2857 affects Firefox on Windows only; other operating systems are not affected.
2025-03-27 14:11:37 thehackernews MALWARE Ransomware Groups Use Shared EDR Killer Tool in Recent Attacks
New research shows that RansomHub affiliates and affiliates of other ransomware operations, including Medusa, BianLian and Play, are using the same EDR-killing tool, EDRKillShifter. The tool uses the bring-your-own-vulnerable-driver (BYOVD) technique, loading a legitimately signed but vulnerable driver to disable security products before the ransomware is deployed. Tool sharing across rival ransomware operations is unusual, and it is especially notable for Play and BianLian, which run closed affiliate programs and are usually guarded about their affiliates and tooling, suggesting a high level of trust between the groups. The researchers tie the activity to a single threat actor, tracked as QuadSwitcher, whose tradecraft most closely matches Play's. BYOVD attacks on security software are increasingly common, reflecting a shift toward disabling defenses before encryption begins. The researchers recommend enabling detection of potentially unsafe applications (PUAs) so that known vulnerable drivers are blocked before they can be loaded.
2025-03-27 13:43:51 bleepingcomputer MISCELLANEOUS Vivaldi Browser Integrates Proton VPN to Enhance Privacy
Vivaldi has built Proton VPN into its browser, giving users an encrypted tunnel and a masked IP address for browser traffic without installing separate software or extensions. The integration is pitched as protection against web tracking and 'Big Tech' surveillance, and as a European alternative to U.S. tech giants; Proton was chosen as a Swiss provider controlled by a non-profit foundation and known for its independence. Users need to update the browser and sign in with a Vivaldi account to enable the VPN from a new toolbar button. The free tier has no time or bandwidth limits but restricts speed and server choice; a paid Proton VPN plan unlocks higher speeds and more servers. One caveat: the VPN covers only traffic from Vivaldi itself, not other applications or background services on the device.
2025-03-27 13:26:04 theregister CYBERCRIME CrushFTP CEO Clashes With CNA Over Vulnerability Reporting
CrushFTP CEO Ben Spink has objected to VulnCheck, a CVE Numbering Authority (CNA), assigning a CVE ID to a critical vulnerability in CrushFTP's software without the vendor's involvement. Spink says the VulnCheck CVE duplicates one CrushFTP was already obtaining and that VulnCheck lacked detailed knowledge of the flaw. CrushFTP had already notified customers of the vulnerability and urged an immediate upgrade. The flaw allows unauthenticated access via specially crafted HTTP requests, which makes it particularly severe, but the vendor's customer communications reportedly contain inconsistencies about which versions are affected. Rapid7 pointed to a previous case in which CrushFTP did not issue a CVE for a critical vulnerability that was exploited as a zero-day. Spink's demand that VulnCheck retract its CVE points to a strained relationship between vendor and CNA, with possible consequences for CrushFTP's reputation and customer trust.
2025-03-27 12:33:47 thehackernews NATION STATE ACTIVITY APT36 Uses Fake India Post Site to Deploy Malware on Devices
APT36, a Pakistan-linked group also tracked as Transparent Tribe, set up a counterfeit India Post website to push malware at Windows and Android users in India; CYFIRMA attributes the campaign to the group with medium confidence. Visitors on Windows are offered a PDF that instructs them to paste and run a PowerShell command, the social-engineering technique known as "ClickFix", which is increasingly common among cybercriminals and works on both inexperienced and technically aware users. Android visitors are offered a malicious app that requests broad permissions in order to collect and exfiltrate data such as contacts and location. The app swaps its icon for one resembling the Google Accounts icon to avoid notice and hinder uninstallation, asks to be exempted from battery optimization, and restarts after the device reboots. The fake domain was registered in November 2024, and the PowerShell script contacts a server that was inactive at the time of analysis, suggesting the infrastructure is staged for ongoing or future activity.
2025-03-27 12:03:39 bleepingcomputer CYBERCRIME Major Vulnerabilities in Solar Inverters Pose Grid Security Risks
Researchers found dozens of vulnerabilities in solar inverters from Sungrow, Growatt and SMA that could let attackers manipulate or disrupt power grids. The flaws allow remote code execution, device takeover and information disclosure, and in some cases could cause physical damage to grid infrastructure. The most serious scenario is unauthorized control over power output, which could upset the balance between supply and demand; an attacker who hijacked enough inverters could drive them as a coordinated botnet to maximize disruption at peak hours. Sungrow and SMA have patched the reported issues, but the same class of weakness remains a significant threat to grid security. The findings underline the need for robust security in the energy sector as grid equipment becomes more interconnected and internet-dependent.
2025-03-27 11:29:18 thehackernews MISCELLANEOUS New Paradigm in SaaS Security: Beyond Traditional CASB Solutions
SaaS applications are central to modern enterprises but bring their own security challenges. Traditional cloud access security brokers (CASBs), built on forward proxies, reverse proxies and API scanners, cannot cover both sanctioned and unsanctioned SaaS apps across all devices, and they lack real-time, granular visibility and the ability to block actions as they happen. The biggest gap is "shadow" SaaS, applications used without IT's knowledge or approval. The article proposes the browser as a more effective control point: by running risk analysis inside the browser, security teams get full visibility into SaaS activity and can take protective action immediately. The argument is that browser-based security offers a more robust defense against SaaS-related risks than CASBs alone.
2025-03-27 10:37:29 theregister MISCELLANEOUS UK Implements First Permanent Facial Recognition Cameras in Croydon
The UK's Metropolitan Police has installed its first permanent live facial recognition (LFR) cameras in Croydon, South London, covering the high-footfall North End and London Road areas of the town center. The cameras are switched on only when officers are nearby, so that a match can be acted on immediately. The move follows a two-year pilot with LFR-equipped police vans that led to numerous arrests. Privacy advocates warn of an expanding surveillance state and of misuse in the absence of specific legislation, noting that the Met's watchlist of around 16,000 people includes not only suspects but also vulnerable persons and crime victims. Critics, including privacy groups and some public officials, say a clear legal framework is needed to prevent rights infringements; supporters, including local politicians, argue that fixed LFR cameras will improve public safety by identifying and apprehending suspects more efficiently.
2025-03-27 10:05:08 thehackernews MALWARE Key Microsoft Office Malware Exploits to Watch in 2025
Malicious Microsoft Office documents remain a leading initial-access vector in 2025, used both for credential phishing and for exploits that need little or no user interaction. Phishing documents typically pose as invoices or reports and lead recipients to fake login pages that harvest credentials. CVE-2017-11882, a memory-corruption bug in the legacy Equation Editor component, is still exploited: opening a document that embeds a malicious equation object is enough to run code, with macros disabled. Follina (CVE-2022-30190) also remains effective: the document references an external resource that invokes the Windows MSDT diagnostic tool through the ms-msdt: URI scheme, giving remote code execution when the file is opened or previewed. Attackers often chain such exploits in multi-stage attacks, so a single weaponized file can do considerable damage. Organizations still running outdated Office builds lack the patches for these flaws and remain exposed. The article also highlights ANY.RUN's new Android OS support in its sandbox, reflecting the growing need to analyze malicious mobile apps and files.
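The two exploit patterns above leave static fingerprints in the document package itself, which is useful for mail-gateway or triage checks before any sandbox run. The following is an added example, not code from the article or from ANY.RUN: it unpacks a .docx, flags a legacy Equation Editor OLE object (the component behind CVE-2017-11882), and flags external OLE-object or attached-template relationships of the kind Follina-style and remote-template documents use, while leaving ordinary external hyperlinks alone. The sample documents, the attacker.invalid host names and the relationship helper are constructed for the example.

```python
"""Added example, not code from the article or from ANY.RUN: a static triage
check for two document patterns the article names, the legacy Equation Editor
OLE object behind CVE-2017-11882 and the external OLE/template relationship
used by Follina-style (CVE-2022-30190) and remote-template documents.
The sample .docx files are constructed in memory; nothing is fetched."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
OLE_REL = OFFICE_REL + "oleObject"
TEMPLATE_REL = OFFICE_REL + "attachedTemplate"
HYPERLINK_REL = OFFICE_REL + "hyperlink"
# Protocol-handler schemes that should never be the target of an external relationship.
HANDLER_SCHEMES = {"ms-msdt", "mhtml", "search-ms", "ms-officecmd", "file"}


def scan_docx(data: bytes) -> list:
    """Return a list of finding dicts for a .docx supplied as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # 1. Legacy Equation Editor objects (ProgID Equation.2 / Equation.3):
        #    these load EQNEDT32.EXE, the component patched for CVE-2017-11882.
        if "word/document.xml" in names:
            for el in ET.fromstring(zf.read("word/document.xml")).iter():
                prog_id = el.get("ProgID", "")
                if prog_id.startswith("Equation."):
                    findings.append({"kind": "equation-editor-ole", "detail": prog_id})
        # 2. External relationships that pull in an OLE object or a template,
        #    or that use a protocol-handler scheme. Ordinary hyperlinks are
        #    also TargetMode="External" and are deliberately not flagged.
        for name in sorted(names):
            if not name.endswith(".rels"):
                continue
            rels = ET.fromstring(zf.read(name))
            for rel in rels.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rtype, target = rel.get("Type", ""), rel.get("Target", "")
                scheme = urlsplit(target).scheme.lower()
                if rtype in (OLE_REL, TEMPLATE_REL) or scheme in HANDLER_SCHEMES:
                    findings.append({"kind": "external-" + rtype.rsplit("/", 1)[-1],
                                     "part": name, "target": target})
    return findings


# --- constructed samples (hypothetical hosts, minimal package structure) ---
DOC_NS = ('xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
          'xmlns:o="urn:schemas-microsoft-com:office:office" '
          'xmlns:r="' + OFFICE_REL + '"')
PLAIN_DOC = f"<w:document {DOC_NS}><w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>"
EQUATION_DOC = (f"<w:document {DOC_NS}><w:body><w:p><w:r><w:object>"
                '<o:OLEObject Type="Embed" ProgID="Equation.3" r:id="rId1"/>'
                "</w:object></w:r></w:p></w:body></w:document>")


def rels_xml(*entries) -> str:
    """Build a .rels part from (Type, Target, is_external) tuples."""
    items = "".join(
        f'<Relationship Id="rId{i}" Type="{t}" Target="{tg}"'
        + (' TargetMode="External"' if ext else "") + "/>"
        for i, (t, tg, ext) in enumerate(entries, 1))
    return f'<Relationships xmlns="{REL_NS}">{items}</Relationships>'


def build_docx(document_xml: str, rels: str) -> bytes:
    """Minimal .docx container, just enough structure for the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


BENIGN_DOCX = build_docx(PLAIN_DOC, rels_xml((HYPERLINK_REL, "https://example.com/", True)))
FOLLINA_STYLE_DOCX = build_docx(PLAIN_DOC, rels_xml(
    (OLE_REL, "http://attacker.invalid/stage.html!", True)))
TEMPLATE_INJECTION_DOCX = build_docx(PLAIN_DOC, rels_xml(
    (TEMPLATE_REL, "https://attacker.invalid/t.dotm", True)))
EQUATION_DOCX = build_docx(EQUATION_DOC, rels_xml((OLE_REL, "embeddings/oleObject1.bin", False)))

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_DOCX), ("follina-style", FOLLINA_STYLE_DOCX),
                       ("template-injection", TEMPLATE_INJECTION_DOCX), ("equation", EQUATION_DOCX)]:
        print(label, scan_docx(doc))
```

A hit is a triage signal, not proof of exploitation: legacy equation objects do occur in old benign files, and a remote attached template is occasionally legitimate. Either pattern is rare enough in inbound business mail to justify detonation or quarantine, and the check complements the patches themselves (the Equation Editor fix and the MSDT handler hardening) rather than replacing them.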
2025-03-27 09:35:44 theregister DATA BREACH NHS Software Supplier Penalized £3M After Ransomware Data Theft
A ransomware attack on Advanced Computer Software Group, an NHS software supplier, led to the theft of sensitive data, including details of how to gain entry to the homes of vulnerable people receiving care. The UK Information Commissioner's Office (ICO) has fined the company £3.07 million, reduced from a provisional £6.09 million in light of its cooperation. The attack, which the ICO attributes to gaps in multi-factor authentication coverage and inadequate security practices, disrupted NHS services severely enough that some reverted to pen and paper. The LockBit ransomware gang, a Russian-speaking group, carried out the breach in August 2022 after gaining access through a compromised customer account. The stolen data included personal details of 79,404 people, among them 890 patients receiving in-home care. The ICO said Advanced's failure to implement robust security measures put sensitive personal information at significant risk; the fine is one of its largest in the past two years. The regulator stressed that organizations must apply comprehensive security controls, including multi-factor authentication on all external connections.
2025-03-27 08:18:32 thehackernews MALWARE Massive Campaign Uses Malicious JavaScript to Promote Gambling
Around 150,000 websites have been compromised with malicious JavaScript that promotes Chinese-language gambling platforms. The injected script, hosted on several attacker-controlled domains, creates an iframe that overlays a full-screen gambling advert on top of the legitimate page and redirects visitors. The campaign has been refined over time with additional layers of obfuscation, and it has also impersonated legitimate betting sites, reusing their logos to make the overlays more convincing. Researchers note the growth of such client-side attacks, which evolve quickly to extend their reach. The campaign resembles another long-running operation that has infected more than 20,000 sites worldwide since 2016, mainly WordPress installations. Both damage site functionality and the visitor experience while generating illicit revenue through traffic manipulation and scams.
2025-03-27 06:29:44 thehackernews CYBERCRIME CISA Updates Known Exploited Vulnerabilities Catalog with Sitecore Flaws
CISA has added two six-year-old vulnerabilities in Sitecore CMS and Experience Platform, CVE-2019-9874 and CVE-2019-9875, to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by April 16, 2025. Sitecore has confirmed active exploitation of CVE-2019-9874 but not of CVE-2019-9875. Separately, Akamai has observed the first exploitation attempts against CVE-2025-29927, a critical authorization bypass in the Next.js web framework. The flaw lets an attacker skip middleware-based security checks by sending a header that makes the framework treat the request as an internal subrequest that has already passed through middleware, so the middleware is never run and protected resources become reachable. GreyNoise, meanwhile, reports increased in-the-wild exploitation of several known vulnerabilities in DrayTek devices across multiple countries.
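As an added example, not Next.js source or Akamai's research, the following Python models the logic this bypass abuses and the two defensive checks a practitioner wants alongside the upgrade: stripping the header at the edge for every request arriving from outside, and hunting for past attempts in access logs. The header name (x-middleware-subrequest) and the depth guard of five follow the public advisory and write-ups; the protected route table, the cookie check and the log format are constructed for the example, and the real fix remains upgrading to a patched Next.js release.

```python
"""Added example, not Next.js source or the Akamai research: a simplified model
of the middleware short-circuit that CVE-2025-29927 abuses, the proxy-side
filter that closes it, and a check over constructed access-log lines."""
import re

SUBREQUEST_HEADER = "x-middleware-subrequest"
MAX_RECURSION_DEPTH = 5  # Next.js stops re-running middleware past this depth
PROTECTED_PREFIXES = ("/admin", "/api/internal")  # hypothetical protected routes


def _norm(headers: dict) -> dict:
    """HTTP header names are case-insensitive; compare on lowercase keys."""
    return {k.lower(): v for k, v in headers.items()}


def auth_gate(headers: dict, path: str) -> dict:
    """Stand-in for the app's own middleware: protected paths need a session cookie."""
    h = _norm(headers)
    if path.startswith(PROTECTED_PREFIXES) and "session=" not in h.get("cookie", ""):
        return {"middleware_ran": True, "status": 401}
    return {"middleware_ran": True, "status": 200}


def vulnerable_dispatch(headers: dict, path: str, middleware_name: str = "middleware") -> dict:
    """Flawed model: the recursion guard counts the middleware's own name in a
    header that an external client can also send, and skips the middleware
    entirely once the count reaches MAX_RECURSION_DEPTH."""
    hops = _norm(headers).get(SUBREQUEST_HEADER, "").split(":")
    if hops.count(middleware_name) >= MAX_RECURSION_DEPTH:
        return {"middleware_ran": False, "status": 200}  # auth check never runs
    return auth_gate(headers, path)


def strip_subrequest_header(headers: dict) -> dict:
    """Edge/proxy mitigation: the header only has meaning for internal
    subrequests, so drop it from every request that arrives from outside."""
    return {k: v for k, v in headers.items() if k.lower() != SUBREQUEST_HEADER}


def hardened_dispatch(headers: dict, path: str) -> dict:
    """Same app logic behind a proxy that strips the header first."""
    return vulnerable_dispatch(strip_subrequest_header(headers), path)


# Constructed log format for the example: client "METHOD path" status hdr={name=value}
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) hdr=\{(?P<hdrs>[^}]*)\}$')

SAMPLE_LOGS = [  # constructed sample lines, not real traffic
    '203.0.113.7 "GET /admin" 200 hdr={x-middleware-subrequest=middleware:middleware:middleware:middleware:middleware}',
    '198.51.100.2 "GET /admin" 401 hdr={user-agent=Mozilla/5.0}',
    '203.0.113.7 "GET /api/internal/users" 200 hdr={X-Middleware-Subrequest=src/middleware:src/middleware:src/middleware:src/middleware:src/middleware}',
    '192.0.2.9 "GET /" 200 hdr={cookie=session=abc}',
]


def find_spoof_attempts(log_lines) -> list:
    """Any occurrence of the header on an external request is suspicious;
    a 200 on a protected path with it present is the thing to escalate."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and SUBREQUEST_HEADER in m.group("hdrs").lower():
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    spoof = {"X-Middleware-Subrequest": "middleware:" * 4 + "middleware"}
    print("vulnerable:", vulnerable_dispatch(spoof, "/admin"))
    print("hardened:  ", hardened_dispatch(spoof, "/admin"))
    print("log hits:  ", find_spoof_attempts(SAMPLE_LOGS))
```

Stripping the header at the reverse proxy or CDN is the published interim mitigation and is safe because legitimate internal subrequests never traverse the edge; it does not help deployments where the Next.js server is reached directly, which is why the log check matters for scoping exposure before the upgrade.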
2025-03-27 06:08:54 thehackernews CYBERCRIME Critical Security Flaw in NetApp SnapCenter Allows Admin Access
NetApp has disclosed a critical privilege-escalation vulnerability, CVE-2025-26512 (CVSS 9.9), in SnapCenter, its platform for managing backup and restore of databases and applications. SnapCenter releases before 6.0.1P1 and 6.1P1 are affected. An authenticated SnapCenter Server user could become an administrator on remote systems where a SnapCenter plug-in is installed. There is no workaround; the fix is to upgrade to 6.0.1P1 or 6.1P1. No in-the-wild exploitation has been reported, but organizations are urged to update promptly.
2025-03-27 00:04:06 bleepingcomputer RANSOMWARE UK Software Provider Fined £3.07M for NHS Data Ransomware Breach
The UK Information Commissioner's Office (ICO) has fined Advanced Computer Software Group Ltd £3.07 million over a 2022 ransomware attack that exposed sensitive NHS patient data. The incident affected 79,404 people and caused major outages of NHS services, including the NHS 111 line. The attack was attributed to the LockBit ransomware group, which used compromised credentials to get in through a remote desktop session. Advanced was found to have lacked comprehensive vulnerability scanning, robust patch management and universal multi-factor authentication. It is the first ICO fine imposed on a data processor rather than a data controller. The penalty was provisionally set at about £6.09 million before being reduced to £3.07 million. Previous large ICO fines went to data controllers, notably British Airways and Marriott over their respective breaches.