Daily Brief

Total articles found: 12811

Checks for new stories every ~15 minutes

Date Source Category Title
Summary
2025-03-25 17:40:20 theregister DATA BREACH Oracle Cloud Denies Breach Amidst Confirmed Data Leak Reports
Oracle Cloud is contesting allegations of a security breach, despite claims by a hacker, rose87168, and confirmation from infosec researchers that stolen data is genuine. Rose87168 allegedly accessed Oracle's login servers using a known vulnerability and extracted around six million records, including customer security keys and encrypted credentials. Alon Gal of Hudson Rock confirmed with customers that the data sample provided by the hacker was legitimate and originated from Oracle's production environment. The leaked data includes sensitive information that could enable supply chain and ransomware attacks if misused. Experts suggest affected organizations should change their SSO and LDAP credentials and enforce strict password policies and multi-factor authentication. Oracle maintains that there was no breach and that the credentials published are unrelated to Oracle Cloud systems. The breach's legitimacy gains credibility due to the difficulty of fabricating such a large and structured volume of leaked information.
2025-03-25 16:53:00 bleepingcomputer MALWARE EncryptHub Exploits New Windows Zero-Day to Steal Data
EncryptHub, an established threat actor, has exploited a newly discovered Windows zero-day vulnerability, CVE-2025-26633, affecting the Microsoft Management Console. The vulnerability allows attackers to bypass Windows file reputation checks, enabling unsolicited MSC file executions without user warnings. Microsoft issued an advisory and a patch for this vulnerability as part of its recent Patch Tuesday updates, urging users to update their systems promptly. The attacks involving this vulnerability were first documented by Trend Micro, which noted that EncryptHub used it to deploy various malicious payloads such as backdoors and data stealers. EncryptHub has a history of cyber-attacks, having previously been linked to breaches of over 618 organizations worldwide through spear-phishing and social engineering. The threat group also affiliates with ransomware operations, using stolen data to leverage ransom negotiations after encrypting victims' files. Researchers observed the technical evolution of EncryptHub's campaign, signifying ongoing development and sophistication in their attack methods. Overall, this series of attacks highlights the continual threat posed by skilled cyber adversaries and the critical importance of timely vulnerability management and cyber defense strategies.
2025-03-25 15:57:02 bleepingcomputer CYBERCRIME New Phishing Campaign Targets CS2 Players' Steam Accounts
A phishing campaign is currently targeting Counter-Strike 2 (CS2) players using Browser-in-the-Browser (BitB) attacks to mimic Steam's login page. The BitB technique creates deceptive popup windows within legitimate browser sessions, tricking users into entering Steam credentials. Attackers are exploiting the identity of the Ukrainian e-sports team Navi to lend credibility to the fake login pages and attract fans. Victims are lured through YouTube and possibly other platforms, offering fake CS2 loot cases to entice players to log into their Steam accounts. Once deceived, the phished credentials allow attackers to access and potentially sell the victim's Steam accounts on gray markets. The extensive reach of CS2 and the popularity of e-sports significantly amplify the potential impact of these attacks. To safeguard against such threats, users are advised to enable multi-factor authentication, utilize 'Steam Guard Mobile Authenticator,' and regularly monitor account activities for anomalies.
2025-03-25 14:02:12 bleepingcomputer MALWARE New Android Malware Exploits .NET MAUI to Evade Detection
McAfee's Mobile Research Team discovered new Android malware utilizing Microsoft's .NET MAUI to hide malicious code. The malware, targeting users primarily in China and India, masquerades as legitimate apps to bypass security measures. Techniques used include multi-layered encryption, bloated AndroidManifest.xml files, and TCP sockets for C2 communications. The observed malware variants use blob files instead of DEX files, exploiting a gap in typical Android security tools. Cybercriminals distribute affected apps through third-party platforms, particularly in regions without access to Google Play. McAfee warns these evasion techniques allow the malware to remain undetected longer, making analysis and remediation challenging. Recommendations include avoiding third-party APK downloads and activating Google Play Protect to mitigate risks. The discovery reflects a growing trend of using sophisticated methods to deploy and conceal Android malware.
2025-03-25 13:45:26 thehackernews MALWARE Raspberry Robin Malware Linked to Russian Cyber Threats
Researchers disclosed nearly 200 unique command-and-control (C2) domains associated with the Raspberry Robin malware. Raspberry Robin, emerging in 2019, operates as an access broker for multiple criminal groups, with many links to Russian entities. The malware employs diverse propagation methods, including USB-based spread and downloads via Discord message attachments. It has facilitated other cyber threats, such as SocGholish, Dridex, and LockBit, by deploying next-stage malware. U.S. authorities identified connections between Raspberry Robin and the Russian nation-state actor Cadet Blizzard. Investigation by Silent Push and Team Cymru traced the C2 infrastructure management to an IP address using Tor relays, based in an E.U. country. The top-level domains used by Raspberry Robin include a variety of international suffixes, managed using niche and often obscure registrars. Raspberry Robin’s infrastructure utilizes rapid domain rotation and fast flux techniques, complicating efforts to neutralize the threat.
2025-03-25 12:33:16 theregister CYBERCRIME Troy Hunt's Mailchimp Account Compromised in Phishing Attack
Infosec expert Troy Hunt's Mailchimp mailing list was phished, impacting roughly 16,000 records, including subscribers and unsubscribed individuals. Hunt fell victim to a sophisticated phishing email disguised as an urgent notice to review his Mailchimp campaigns due to a spam complaint. The attack led to the export of the mailing list within two minutes after Hunt entered his credentials and a one-time passcode, indicating an automated attack process. Hunt criticizes Mailchimp's lack of phishing-resistant two-factor authentication options, suggesting that OTP by itself provided little security against this type of automated phishing. The phishing domain and page used in the attack were taken down by Cloudflare shortly after the incident. Hunt plans to investigate why unsubscribed users' data was retained by Mailchimp and stressed the importance of verifying web domains in phishing prevention. The incident occurred while Hunt was in London discussing strategies to promote phishing-resistant authentication methods with government partners.
2025-03-25 11:58:43 thehackernews NATION STATE ACTIVITY Chinese State Hackers Covertly Compromise Major Asian Telecom
Chinese state-sponsored hackers infiltrated a major Asian telecom, undetected for over four years. The cyber espionage group, named Weaver Ant by Sygnia, employed web shells and tunneling techniques for maintaining persistent access. The attackers exploited a public-facing application to insert China Chopper and the novel INMemory web shells for espionage purposes. The INMemory web shell facilitated stealth operations by executing code entirely in memory, avoiding forensic detection. Attackers used encoded web shells and an HTTP tunnel tool for lateral movement and post-exploitation activities within the targeted network. The campaign exhibited characteristics typical of Chinese-nexus operations, including the use of shared tools and infrastructure, with activities typically during Chinese working hours. The revelation followed accusations by China against Taiwanese military personnel for alleged espionage activities against the mainland.
2025-03-25 11:00:03 thehackernews MISCELLANEOUS AI Transforming SaaS Security in Complex Environments
Organizations are now using an average of 112 SaaS applications, increasing the challenge of managing connections and understanding security risks. Traditional security methods are inadequate for the scale and complexity of modern SaaS environments, leaving potential gaps for breaches. AI-driven security solutions, like AskOmni by AppOmni, are essential, using generative AI and analytics to deliver instant insights and actionable security measures. These AI tools aid in efficiently investigating security events, visualizing risks, and providing multilingual support to enhance global accessibility and response times. The quality of data fuels AI effectiveness; thus, high-quality, unbiased data is crucial for accurate security analysis and threat detection in SaaS environments. AI's capability to automate threat research and incident reporting is significantly enhancing workflow efficiency for cybersecurity professionals. Real-world application of AI in a global enterprise demonstrated AI's ability to quickly identify and remediate complex SaaS security risks, which would be challenging without such advanced tools. The future of SaaS security is increasingly reliant on AI technologies to stay ahead of cyber threats and protect organizational data effectively.
2025-03-25 09:16:06 thehackernews MALWARE Malware Disguised as Apps in India and China Targets User Data
Cybersecurity experts have identified a new Android malware campaign exploiting .NET MAUI to create fake banking and social media apps aimed at Indian and Chinese users. These malicious apps mimic legitimate applications, deceiving users to harvest sensitive personal and financial information. Unlike traditional Android applications, the malware's functionalities are coded in C# and embedded as blob binaries, helping avoid detection by concealing their presence from typical file analyses. The malware uses advanced techniques such as encrypted communications and multi-stage dynamic loading with XOR and AES encryption to execute its payload discreetly. These fake applications are not distributed through Google Play but via fraudulent links in messages leading to unofficial app stores. An example includes an app pretending to be from an Indian bank collecting extensive personal data, while another mimics a popular social media platform in China to steal contacts and media. The strategy involves the malware granting itself unnecessary permissions and employing evasion tactics to undermine analysis tools, making detection challenging. The threat highlights the evolution and increasing sophistication of malware development platforms and tactics utilized by cybercriminals.
2025-03-25 08:41:07 theregister DATA BREACH Study Reveals Privacy Risks in Generative AI Browser Extensions
Researchers analyzed the privacy practices of ten AI browser extensions and found significant data privacy concerns. These extensions often transmit sensitive data such as webpage content and user details to remote servers for processing. Some extensions violated privacy commitments by collecting and sharing protected health and student data, potentially breaching US regulations like HIPAA and FERPA. The study highlighted that 90% of the AI extensions relied on server-side APIs, exposing user data to third-party trackers and misuse. Extensions like Perplexity were deemed privacy-friendly, while others like Harpa, MaxAI, and Merlin were among the least secure. The research urges extension developers to enhance privacy features and policymakers to adopt regulations ensuring privacy by design in AI technologies. Harpa AI responded to the findings by noting that while they do not collect user data, the LLM providers they work with might, depending on user settings and interactions.
2025-03-25 07:34:50 theregister MALWARE New VanHelsing Ransomware Targets Windows Systems Globally
VanHelsing ransomware, a new Ransomware-as-a-Service (RaaS), exclusively targets Microsoft Windows despite claiming cross-platform capabilities. Since its launch on March 7, the malware has infected three organizations, with each facing ransom demands of $500,000. The ransomware appears to be a new creation, distinct from rebranded existing malware, demanding a $5,000 deposit from new affiliates. Affiliates receive 80% of ransom payments, incentivizing them to spread the malware through strategies like deceptive emails and downloads. Check Point researchers found only Windows systems impacted thus far but noted incomplete features and rapid updates in the ransomware's development. The affiliate program includes a user-friendly control panel, lowering entry barriers for potential cybercriminals. A strict rule within the VanHelsing community prohibits targeting Russia or any nation within the Commonwealth of Independent States, reflecting possible tacit state tolerance or cooperation.
2025-03-25 06:44:24 theregister MALWARE DrayTek Routers Face Continuous Reboot Issue Due to Exploits
DrayTek router users experienced widespread issues with devices entering a continuous reboot cycle, particularly affecting UK customers. The disruptions started suddenly over the weekend and were linked by ISPs and users to potential firmware vulnerabilities. DrayTek recommended disconnecting affected routers from the internet and updating the firmware, including using alternative methods like TFTP if standard updates failed. The manufacturer suggested disabling remote access and using additional security measures such as access control lists and two-factor authentication until routers are fully patched. ISPs like Gamma, Zen, ICUK, and A&A identified the problem as related to DrayTek equipment, with some pointing to recent security flaws that might have been exploited. DrayTek had previously issued patches for critical security vulnerabilities, including a "10-out-of-10" severity issue, possibly connected to exploitation attempts. There were indications that even after updating to the latest firmware, some routers still required reverting to older versions to resolve the reboot issues. This incident occurs in the context of previous warnings by the Five Eyes alliance about Chinese operations using malware-infected devices, including DrayTek routers, to create botnets.
2025-03-25 06:38:49 thehackernews CYBERCRIME INTERPOL's Operation Red Card Nets 306 Suspects in Massive Cybercrime Crackdown
Law enforcement in seven African countries, coordinated by INTERPOL, arrested 306 individuals and seized 1,842 electronic devices under Operation Red Card. The operation targeted mobile banking, investment scams, and compromised messaging apps, affecting over 5,000 victims. Key arrests included 130 people in Nigeria for online casino and investment scams, with several being foreign nationals involved in human trafficking. South African officials apprehended 40 suspects and confiscated over 1,000 SIM cards used in large-scale SMS phishing schemes. In Zambia, 14 members of a syndicate were caught hacking phones and installing malware to access banking apps and messaging platforms. Rwandan authorities arrested 45 individuals for social engineering scams, posing as telecom employees or injured family members to deceive victims. Over $103,000 of the defrauded money was recovered in Rwanda with 292 devices also recovered. The success highlights the importance of international collaboration in combating complex, cross-border cybercriminal activities.
2025-03-25 03:18:14 theregister MALWARE Critical Kubernetes Flaw Risks Total Cluster Takeover
Wiz researchers identified significant vulnerabilities in the Ingress-Nginx controller of Kubernetes clusters, impacting over 6,500 public deployments. The flaw in the admission controller can enable remote injection of arbitrary Nginx configurations, leading to potential remote code execution (RCE). Exposed Kubernetes clusters, when exploited, allow attackers to access all cluster secrets and gain complete control, escalating network-wide threats. The vulnerabilities, collectively known as IngressNightmare, manifest in five specific CVEs with severity ratings as high as 9.8/10 on the CVSS. Fixes and updates for affected Nginx Controller versions were released in March, following a responsible disclosure by Wiz in late 2024 and early 2025. Wiz advises immediate upgrading of systems, where possible, or enforcing strict network policies and temporarily disabling critical components to mitigate risk. Despite available fixes, the risk remains high due to clusters running mission-critical applications that cannot be easily paused for security updates.
2025-03-25 00:50:10 theregister MISCELLANEOUS OTF Sues to Preserve Funding Against Trump Administration Cuts
The Open Technology Fund (OTF) has filed a lawsuit in a Washington DC court against the Trump administration to block cuts to its federal funding. OTF funds critical internet security projects like the Tor anonymizing network and the Let's Encrypt certificate authority, which are used worldwide to promote democracy and protect online privacy. The Trump administration, through an executive order, aims to eliminate the United States Agency for Global Media (USAGM) which supports OTF, among others. OTF argues that the proposed funding cuts are unconstitutional as they go against specific congressional allocations amounting to $43.5 million dedicated to supporting internet freedom initiatives. OTF technology is crucial for bypassing censorship, especially in countries like China, and is used by over two billion people globally. The funding supports vital technologies like the Messaging Layer Security Protocol used by major tech companies and VPNs crucial in countries with restrictive regimes. OTF's lawsuit is part of a larger movement to maintain funding for US soft power outlets like Voice of America, with multiple organizations and individuals also filing related lawsuits.