Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 12820
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-02-10 09:32:05 | theregister | NATION STATE ACTIVITY | UK Accelerates Recruitment of Cyber Specialists for Defense | The UK Ministry of Defence is accelerating the recruitment and training of cyber defense specialists, aiming to fill up to 50 roles by 2025. The cyber recruits will undergo a condensed training program, reducing ten weeks of basic training to one month, followed by three months dedicated solely to cyber operations. Starting salaries for these roles are notably high at £40,939, with potential additional skills pay up to £25,000, in response to a public sector tech talent shortfall highlighted by a recent National Audit Office report. Recruits will be based at the MoD's digital headquarters in Corsham or with the National Cyber Force in Samlesbury, focusing on network security and counter-cyber operations. These roles include critical tasks such as penetration testing, simulation of attacks, and the development of defense strategies. The initiative responds to over 90,000 low-level cyber incidents faced by the MoD in the last two years, emphasizing the increasing need for robust cyber defense capabilities. The recruitment is open to applicants aged 18-39 who are UK-born British nationals, with specific disqualifications for naturalized citizens or dual nationals other than British or Irish. | Details |
| 2025-02-10 09:11:29 | thehackernews | MALWARE | Zimbra Patches Critical Vulnerabilities in Collaboration Software | Zimbra has issued updates to address multiple security vulnerabilities in its Collaboration software. Key vulnerabilities include critical SQL injection and stored cross-site scripting (XSS) flaws. The SQL injection vulnerability, tagged CVE-2025-25064 with a CVSS score of 9.8, affects versions prior to 10.0.12 and 10.1.4. This vulnerability could enable authenticated users to perform arbitrary SQL queries, potentially accessing sensitive email metadata. A stored XSS flaw has yet to be assigned a CVE but has been mitigated in recent Zimbra software patches. Another patched security issue involves a medium-severity SSRF (CVE-2025-25065) that affects the RSS feed parser, allowing unauthorized internal network access. Zimbra recommends users update their software to the latest version to ensure protection against these vulnerabilities. | Details |
| 2025-02-10 06:42:07 | theregister | NATION STATE ACTIVITY | Judicial Order Limits Federal Data Access, Citing Security Risks | U.S. District Judge Paul A. Engelmayer issued an order demanding the destruction of all improperly accessed Treasury Department data, identifying a heightened risk of hacking. The ruling responded to concerns that Trump administration policies, under Elon Musk's Department of Government Efficiency, exposed the Bureau of Fiscal Service to increased vulnerabilities. Several states' attorneys general have challenged these policies in court, claiming they violated laws and constitutional provisions. The court's order also prohibits future access to sensitive Treasury data containing personal and financial information unless stringent security protocols are met. Following Judge Engelmayer's ruling, Musk publicly criticized him and hinted at further administrative data management reforms under discussion with the Treasury. The US Consumer Financial Protection Bureau faced operational disruptions, possibly linked to policy changes advocated by Musk's department. Elon Musk's associates, now entrenched in various federal agencies, are under scrutiny, with calls from some quarters for Musk to be subpoenaed over his extensive federal engagements. | Details |
| 2025-02-10 05:21:09 | thehackernews | CYBERCRIME | XE Hacker Group Uses VeraCore Zero-Day to Plant Web Shells | XE Group, a Vietnam-origin cybercrime organization active since 2010, is exploiting VeraCore zero-day vulnerabilities to deploy persistent web shells. The group shifted from credit card skimming to targeted theft, focusing on the manufacturing and distribution sectors' supply chains. Exploited vulnerabilities like CVE-2025-25181 allow unauthorized system access, along with the ability to enumerate, exfiltrate, and compress files. Updated web shells include features for network scanning, command execution, and SQL queries to extract or modify critical data. XE Group is also using previously known vulnerabilities in Telerik UI for ASP.NET to sustain access and perform sophisticated attacks. The exploitation highlights systemic vulnerabilities and emphasizes the importance of patching systems exposed to the internet. Recent developments include CISA adding new flaws to the KEV catalog amidst ongoing exploitation by various national cybercrime groups. | Details |
| 2025-02-10 04:38:12 | theregister | CYBERCRIME | India Mandates Specific Domains for Banks to Boost Security | India's Reserve Bank will require banks to migrate to new "bank.in" and "fin.in" domains to secure digital transactions and curb digital payment fraud. This initiative aims to foster increased trust and security in the financial sector, reducing threats from cybercrimes like phishing. Over 2,000 financial entities, including state, private, regional, and cooperative banks, will be affected by the new domain policy. The exclusive registrar for these domains will be the Institute for Development and Research in Banking Technology (IDRBT), a nonprofit organization. Implementation of two-factor authentication for cross-border transactions was also announced to strengthen fraud prevention measures. The domain change is part of a larger initiative to digitize financial services in the country, including massive investments in infrastructure and cloud services for financial institutions. The government also tracks and fines institutions for non-compliance with security measures, encouraging stricter information security practices across the board. | Details |
| 2025-02-10 02:35:32 | theregister | NATION STATE ACTIVITY | DeepSeek iOS App Raises US National Security Concerns | DeepSeek's iOS app, the third most popular app on the App Store, has significant security vulnerabilities according to NowSecure. The app transmits user data in plaintext, uses outdated encryption ciphers and hardcoded keys, and doesn't store credentials securely. DeepSeek is known for sending data to China, specifically using ByteDance's Volcano Engine public cloud service, linking it to TikTok's parent company. US regulators have expressed concerns, leading to legislative action with the proposed "No DeepSeek on Government Devices Act." Spanish police arrested an 18-year-old Spanish hacker who targeted high-profile entities including NATO and the US Army. HPE warned employees of a data breach stemming from a nation-state attack, reportedly by Russia's Cozy Bear group. IMI and Smiths Group, both UK engineering firms, reported unauthorized access to their systems, with details on the incidents still scarce. A new Facebook phishing scam involving Salesforce's email service has been uncovered, mainly targeting businesses in the EU, US, and Australia. | Details |
| 2025-02-10 00:06:47 | theregister | MISCELLANEOUS | Huawei Reports Revenue Growth Amid Sanctions and Diverse Global Updates | Huawei Chair Liang Hua announced a 22% revenue increase for 2024, achieving around ¥860 billion despite international sanctions. Japan's government has proposed a bill allowing preemptive cyber-defense actions to protect against daily cyber-attacks on national infrastructure. China plans to launch a 'moon hopper' on the Chang'e-7 mission in 2026 to explore the Moon's south pole and search for water ice. Infosys faces controversy, alleged to have improperly terminated 700 employees who were kept waiting for start dates for two years. Thailand intensifies crackdown on cyber-scam operations by cutting power and internet services to notorious scam camps. | Details |
| 2025-02-09 15:12:08 | bleepingcomputer | MISCELLANEOUS | Brave Browser Introduces Custom Scriptlets for User Customization | Brave Browser releases a new feature in version 1.75 that allows users to inject custom JavaScript, known as "scriptlets," into web pages for customization. This feature is designed for advanced users and offers extensive control over browsing experiences, similar to functions provided by TamperMonkey and GreaseMonkey extensions. Users can use scriptlets to enhance privacy by blocking trackers, randomizing fingerprinting, or replacing tracking scripts like Google Analytics with harmless versions. Scriptlets also enable customization features like adjusting visual elements, enhancing accessibility, and improving website interaction by automating certain tasks. Brave emphasizes that while scriptlets are powerful tools, they should be used cautiously due to the risk of running untrusted code, which can lead to privacy and security risks. The feature is safeguarded behind a Developer mode in Brave's settings to prevent accidental misuse by inexperienced users. Brave initially developed scriptlets to debug its adblock feature but expanded its functionality to offer more user control. | Details |
| 2025-02-09 14:05:17 | bleepingcomputer | MISCELLANEOUS | How Security Validation Enhances Corporate Cyber Defenses | Security validation has become crucial for managing security postures as attack surfaces expand and threats evolve. The Continuous Threat Exposure Management (CTEM) framework introduced by Gartner in 2022 has driven the adoption of security validation technologies such as BAS, RBVM, EASM, and automated penetration testing. These technologies assess security by simulating realistic attacks, analyzing the attack surface, and leveraging threat intelligence to create a prioritized mitigation roadmap. Security validation allows organizations to emulate real-world ransomware attacks, test user credentials against possible breaches, and verify the efficacy of patched vulnerabilities. Automated security validation provides comprehensive testing across all endpoints, identifying potential vulnerabilities that could be exploited by ransomware or other threats. By identifying and resolving critical vulnerabilities, security validation offers clear remediation guidance and helps prioritize the most impactful fixes. Transitioning from a reactive to a proactive security strategy involves regularly validating, remediating, and repeating these processes to ensure defenses remain robust against actual threats. Validation tools have evolved to include agentless, user-friendly options, marking significant progress in the field of cybersecurity readiness and response. | Details |
| 2025-02-08 15:18:42 | bleepingcomputer | CYBERCRIME | Massive Brute Force Attack Targets Global VPN Devices | A large-scale brute force attack leveraging nearly 2.8 million IP addresses has been attempting to access networking devices from brands like Palo Alto Networks, Ivanti, and SonicWall. The attack, ongoing since last month, primarily originates from Brazil, Turkey, Russia, Argentina, Morocco, and Mexico. Most devices used in the attacks are compromised routers and IoT devices from manufacturers such as MikroTik, Huawei, Cisco, Boa, and ZTE. The attackers mainly target edge security devices like firewalls and VPN gateways, which are often exposed online for remote access. According to The Shadowserver Foundation, these IP addresses likely come from a botnet or residential proxy networks used in various cybercrime and shadow operations. Residential IP proxies make the traffic appear as though it's coming from a regular home user, thereby obscuring and facilitating malicious activities. Protective measures against these brute force attacks include implementing strong, unique passwords, enabling multi-factor authentication, utilizing trusted IP whitelists, and applying regular security updates to devices. | Details |
| 2025-02-08 06:22:46 | thehackernews | MALWARE | Malicious ML Models Use Broken Pickle Files to Avoid Detection | Cybersecurity experts identified two malicious machine learning models on Hugging Face, utilizing corrupted pickle files to bypass security measures. The models were embedded with a reverse shell payload targeting a specific IP, hinting at a platform-aware attack vector. These proof-of-concept models highlight a security flaw within the pickle serialization format commonly used in ML model distribution. The anomaly allowed the malicious code to execute before the file deserialization completes, thereby evading detection by the standard Picklescan tool. Following the discovery, adjustments were made to the open-source utilities to close off the exploited vulnerability and improve detection capability. The incident underscores ongoing challenges in securing ML supply chains and the potential for adversarial exploitation of serialization mechanisms. The use of an uncommon compression method (7z instead of ZIP) further helped the malicious models evade initial security screenings. | Details |
| 2025-02-07 19:25:25 | bleepingcomputer | DATA BREACH | HPE Notifies Employees of Data Theft in Russian Hack Incident | Hewlett Packard Enterprise (HPE) disclosed a breach of its Office 365 email environment, attributed to Russian state-sponsored hackers. Personal data, including driver's licenses, credit card numbers, and Social Security numbers of at least 16 individuals, was stolen in the May 2023 cyberattack. The breach was first reported to shareholders in January 2024 following notification of the incident in December 2023. The responsible group, Cozy Bear, has previously been implicated in other significant cybersecurity incidents, including the 2020 SolarWinds attack. The attack affected a specific set of employee mailboxes and began with compromised account credentials. HPE is in the process of contacting affected employees and has conducted a forensic investigation to assess the scope and impact of the breach. Additional breaches were reported in the same timeframe involving HPE's SharePoint server and previous incidents attributed to other threat actors. HPE continues its investigation while making appropriate notifications as required by law. | Details |
| 2025-02-07 18:43:30 | bleepingcomputer | CYBERCRIME | Hackers Target Microsoft IIS Servers via Cityworks Software Flaw | Hackers are exploiting a deserialization flaw in Trimble's Cityworks software, allowing them to execute remote commands on Microsoft IIS servers. The vulnerability, identified as CVE-2025-0994, has a high severity rating of 8.6 and affects Cityworks versions before 15.8.9 and 23.10. Attackers deploy Cobalt Strike beacons via the vulnerability, gaining initial access to target networks primarily used by local governments and public works. Trimble and CISA urge customers to update their systems immediately, with cloud-hosted instances receiving automatic updates. Incorrect configuration of IIS identity permissions and attachment directories in some deployments heightens risks. Indicators of compromise released by Trimble include tools for remote access like WinPutty, alongside the Cobalt Strike beacons. Simultaneously, Microsoft reports similar breaches on IIS servers using ViewState code injection with exposed ASP.NET machine keys. | Details |
| 2025-02-07 17:05:35 | theregister | NATION STATE ACTIVITY | UK Allegedly Orders Apple to Create iCloud Backdoor | The UK Home Office has reportedly issued a secret order to Apple under the Investigatory Powers Act 2016 to create a backdoor for accessing iCloud data. This order would allow the government to read encrypted data from UK users and potentially from users worldwide, but the Home Office has neither confirmed nor denied these reports. The Investigatory Powers Act, expanded by the Investigatory Powers Bill passed in April last year, enhances UK surveillance capabilities, including collecting internet connection records and accessing public digital data, like CCTV footage and social media images. Insiders suggested that Apple might stop offering encrypted backups in the UK in response to the government's order. Critics, including big tech firms and privacy advocates, have strongly opposed this move, with some like Signal threatening to exit the UK market. Apple has the option to appeal against this order on grounds of implementation cost through a secretive technical committee, though it cannot delay the implementation during the appeal process. Legal and digital rights implications include potential withdrawal of major service providers like Apple from the UK if compelled to implement such surveillance measures. | Details |
| 2025-02-07 16:45:35 | bleepingcomputer | DATA BREACH | Over 882,000 Patients Notified of Health System Data Breach | Hospital Sisters Health System (HSHS) reported a data breach affecting over 882,000 patients due to an August 2023 cyberattack. Personal and health information exposed includes names, addresses, birth dates, medical records, health insurance details, Social Security numbers, and driver's license numbers. The breach was detected on August 27, 2023, after unauthorized access was discovered in HSHS' network. The attack also caused a significant system outage across multiple sites. Forensic investigations indicate that files were accessed by attackers from August 16 to August 27, 2023; however, no evidence of misuse of the information has been reported yet. HSHS has engaged external security experts to assist in investigating the attack, assessing its full impact, and aiding in system restoration. There is no confirmation that the breach was a ransomware attack, as no ransomware group has claimed responsibility. Affected individuals are advised to monitor their financial statements and credit reports for potential fraud and are offered one year of free credit monitoring by Equifax. The breach is part of a broader pattern of increasing cyberattacks targeting healthcare providers across the United States. | Details |