Daily Brief
Total articles found: 11758
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-09-26 11:32:29 | thehackernews | MISCELLANEOUS | Breach and Attack Simulation: Transforming Security Assurance for CISOs | Breach and Attack Simulation (BAS) serves as a critical tool for CISOs, providing real-world testing of security defenses similar to crash tests in the automotive industry. Traditional security dashboards and compliance reports often offer a false sense of security, lacking the rigorous testing BAS provides to identify exploitable weaknesses. The Blue Report 2025, based on 160 million adversary simulations, reveals hidden vulnerabilities that only emerge under simulated attack conditions. BAS provides continuous, controlled attack scenarios, offering proof of defense effectiveness rather than relying on hypothetical security measures. By using BAS, organizations can prioritize real threats, reducing noise and focusing resources on critical exposures that matter most. The integration of AI with BAS is set to enhance predictive capabilities, ensuring defenses are robust against future threats. The upcoming Picus BAS Summit 2025 will explore advancements in attack simulation and AI, offering insights into the evolving landscape of security validation. | Details |
| 2025-09-26 10:26:05 | theregister | VULNERABILITIES | Urgent Patching Required for Cisco Firewall Vulnerabilities Amid Exploitation | The US CISA and UK NCSC have issued urgent directives to patch vulnerabilities in Cisco's ASA and FTD firewalls, exploited by an advanced threat actor. Federal agencies have a 24-hour deadline to identify affected devices, check for compromises, and apply necessary patches to mitigate risks. The vulnerabilities, CVE-2025-20333 and CVE-2025-20362, allow attackers to implant malware, execute commands, and potentially exfiltrate data from compromised systems. Cisco has released patches and confirmed that these vulnerabilities have been exploited since May, linked to the ArcaneDoor campaign targeting government and telecom networks. The ArcaneDoor campaign is attributed to a group dubbed UAT4356, suspected to have state-sponsored backing, using custom tools for espionage. Security researchers have identified connections between attacker IPs and major Chinese networks, raising concerns about state involvement. The incident follows another zero-day exploit in Cisco's IOS software, raising questions about the company's vulnerability management practices. | Details |
| 2025-09-26 09:53:40 | theregister | MISCELLANEOUS | UK Government Plans Mandatory Digital ID by 2029 | The UK government aims to implement a mandatory digital ID system for all legal residents by 2029, requiring it for employment verification. Prime Minister Keir Starmer promotes the initiative as a means to enhance border security and streamline access to services, despite previous government opposition. Digital IDs will be stored on mobile devices, with plans to accommodate those without smartphone access, addressing concerns for digitally excluded groups. The proposal has sparked civil liberties concerns, with critics arguing it could lead to increased surveillance and unnecessary bureaucracy for law-abiding citizens. The digital ID will not be required for accessing benefits or healthcare services, aiming to balance security with ease of access for citizens. Critics, including campaign group Big Brother Watch, argue the scheme may not effectively deter illegal immigration and could impose undue burdens on the public. The government plans public consultations to address concerns and refine the digital ID system, ensuring inclusivity and practicality. | Details |
| 2025-09-26 09:25:40 | thehackernews | VULNERABILITIES | Fortra GoAnywhere Exploited by Attackers Before Public Disclosure | Cybersecurity firm watchTowr Labs reported active exploitation of a critical flaw in Fortra GoAnywhere MFT software a week before its public disclosure. The vulnerability, CVE-2025-10035, involves a deserialization issue in the License Servlet, allowing command injection without authentication. Attackers can exploit this flaw via a crafted HTTP GET request, leveraging inadequate deserialization protections to gain unauthorized access. Fortra released updated software versions 7.8.4 and Sustain Release 7.6.3 to address the vulnerability following its discovery. Evidence of exploitation includes activity from IP address 155.2.190[.]197, previously linked to brute-force attacks on Fortinet FortiGate SSL VPNs. Rapid7's analysis suggests the vulnerability comprises a chain of three separate issues, complicating the remediation process. Organizations using GoAnywhere are urged to apply patches immediately to mitigate potential security risks. | Details |
| 2025-09-26 09:12:22 | thehackernews | MALWARE | New XCSSET Variant Targets macOS with Advanced Clipper and Persistence | Microsoft Threat Intelligence reports a new XCSSET variant targeting macOS, emphasizing browser data exfiltration and clipboard hijacking, specifically affecting Firefox users. The malware uses sophisticated encryption and obfuscation, leveraging run-only compiled AppleScripts for stealth, and expands its persistence via LaunchDaemon entries. XCSSET infects Xcode projects, potentially spreading through shared developer files, though the exact distribution method remains uncertain. Enhancements include a clipper sub-module monitoring clipboard content for cryptocurrency wallet patterns, substituting addresses to reroute transactions. The latest version modifies the infection chain, using AppleScript to execute shell commands and collect system information, with added checks for Firefox and Telegram. New modules and altered logic in the malware's structure suggest ongoing evolution and adaptation to bypass security measures. Users are advised to maintain updated systems, scrutinize Xcode projects, and exercise caution with clipboard data to mitigate risks associated with XCSSET. | Details |
| 2025-09-26 08:46:57 | theregister | CYBERCRIME | UK Firms Fined for Deceptive Robo-Calls Targeting Vulnerable Individuals | The UK's Information Commissioner's Office fined two British companies £550,000 for illegal automated marketing calls targeting elderly and vulnerable individuals. Green Spark Energy and Home Improvement Marketing used offshore call centers with avatar software to impersonate local energy advisors. These calls falsely claimed health risks associated with fibreglass insulation, exploiting fears to promote sales of insulation products. A total of 9.5 million calls were made by Green Spark Energy, leading to 497 complaints, while Home Improvement Marketing made 2.4 million calls resulting in 274 complaints. The ICO's investigation involved seizing devices from Matthew Terry, a director linked to both companies, revealing attempts to evade detection. Despite the fines, both companies remain active, though Home Improvement Marketing faces potential dissolution. The incident underscores the need for stricter regulations and enforcement against deceptive marketing practices targeting vulnerable populations. | Details |
| 2025-09-26 05:53:13 | thehackernews | NATION STATE ACTIVITY | Cisco ASA Firewalls Targeted by Advanced State-Sponsored Malware Campaign | The U.K. NCSC reports exploitation of Cisco ASA firewalls by state-sponsored actors, deploying new malware families RayInitiator and LINE VIPER. The campaign, linked to the China-associated group UAT4356, targets ASA 5500-X Series devices, exploiting zero-day vulnerabilities CVE-2025-20362 and CVE-2025-20333. Attackers used sophisticated evasion techniques, including disabling logging and modifying ROMMON, to maintain persistence and evade detection. Affected devices are nearing end-of-support, lacking Secure Boot and Trust Anchor technologies, which facilitated the exploitation. Cisco has addressed a third critical flaw (CVE-2025-20363) but notes no evidence of its exploitation in the wild. The Canadian Centre for Cyber Security urges immediate updates to fixed versions of Cisco ASA and FTD products to mitigate risks. The campaign's use of a GRUB bootkit and advanced evasion tactics marks a significant increase in sophistication compared to previous operations. | Details |
| 2025-09-25 22:49:44 | bleepingcomputer | MALWARE | New XCSSET macOS Malware Variant Targets Xcode Developers | Microsoft Threat Intelligence has identified a new variant of XCSSET macOS malware, targeting Xcode developers with enhanced features for data theft and persistence. The malware spreads by infecting Xcode projects, executing during the build process, capitalizing on shared project files among developers. Key updates in this variant include targeting Firefox browser data using a modified HackBrowserData tool and a clipboard hijacker for cryptocurrency theft. New persistence techniques involve creating LaunchDaemon entries and a fake System Settings.app to conceal activities on infected devices. Limited attacks have been observed, and Microsoft is collaborating with Apple and GitHub to mitigate the threat and remove malicious repositories. Developers are advised to maintain updated macOS and applications, and to thoroughly inspect shared Xcode projects before building. This incident stresses the importance of vigilance in software development environments to prevent malware propagation and data breaches. | Details |
| 2025-09-25 20:30:20 | bleepingcomputer | MALWARE | Malicious npm Package Exfiltrates User Emails via Postmark MCP | A malicious npm package mimicking the legitimate Postmark MCP project was discovered exfiltrating user emails to an external address, affecting around 1,500 downloads. The package, identical to the authentic version in appearance, added a harmful line of code in its 1.0.16 update, compromising sensitive communications and personal data. Koi Security researchers identified the breach, which potentially exposed password reset requests, two-factor authentication codes, and customer details. Users are advised to immediately remove the affected package, rotate exposed credentials, and conduct thorough audits of MCP servers for any suspicious activity. The developer has since removed the malicious package from npm, but the incident reveals critical security lapses in server implementation and AI assistant command execution. Recommendations include verifying project sources, reviewing code changes, and running MCP servers in isolated environments to prevent unauthorized data exfiltration. This incident underscores the importance of stringent oversight and sandboxing in environments where AI assistants operate with high privileges. | Details |
| 2025-09-25 20:06:16 | theregister | NATION STATE ACTIVITY | North Korean DeceptiveDevelopment Group Enhances Malware Tactics for IT Scams | ESET researchers have identified links between DeceptiveDevelopment's malware and the Lazarus Group's PostNapTea RAT, revealing advanced tactics in North Korean IT worker scams. DeceptiveDevelopment targets software developers, particularly in cryptocurrency, using fake job profiles and social engineering to deploy malware. Key payloads include BeaverTail and InvisibleFerret, which are designed to steal information and facilitate remote control, with new variants continuously emerging. The group uses Tropidoor, a sophisticated backdoor sharing code with Lazarus malware, to execute Windows commands and enhance attack capabilities. TsunamiKit, a modified malware toolkit, has been identified as part of DeceptiveDevelopment's arsenal, featuring cryptocurrency mining and multi-stage execution chains. These operations blur the lines between cybercrime and nation-state activities, emphasizing the need for comprehensive threat ecosystem awareness. North Korean IT workers infiltrate Western companies, funneling salaries back to Pyongyang and occasionally extorting employers with stolen proprietary data. | Details |
| 2025-09-25 18:21:08 | thehackernews | VULNERABILITIES | Cisco ASA Zero-Day Vulnerabilities Prompt Emergency Mitigation by CISA | Cisco has identified two zero-day vulnerabilities in its Secure Firewall ASA and FTD Software, urging immediate patching due to active exploitation attempts. The vulnerabilities allow attackers to bypass authentication and execute malicious code, posing significant risks to affected systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive for federal agencies to address these vulnerabilities within 24 hours. The campaign is linked to the ArcaneDoor threat cluster, known for targeting network devices and delivering malware such as Line Runner and Line Dancer. CISA's directive includes adding the vulnerabilities to the Known Exploited Vulnerabilities catalog, requiring swift action to mitigate potential compromises. The threat actor, identified as UAT4356 (aka Storm-1849), has shown the capability to modify ASA ROM, maintaining persistence through reboots and upgrades. Collaboration with international cybersecurity agencies, including those from Australia, Canada, and the UK, has been crucial in investigating these vulnerabilities. Organizations using affected Cisco appliances should prioritize patching and review their security posture to prevent unauthorized access and potential data breaches. | Details |
| 2025-09-25 18:08:03 | bleepingcomputer | CYBERCRIME | Co-op Faces $107 Million Loss Following Scattered Spider Cyberattack | The Co-operative Group reported a $107 million loss in operating profit due to a cyberattack attributed to Scattered Spider affiliates in April 2025. The attack resulted in £20 million in one-off costs and £60 million in lost sales, impacting the group's financial performance significantly. Personal data of 6.5 million members was compromised, including names and contact details, during the ransomware-linked breach. The group had to rebuild its Windows domain controllers, causing further system unavailability and operational disruptions. The U.K.'s National Crime Agency arrested four suspects aged 17-20 linked to the Co-op attack and others at Marks & Spencer and Harrods. Co-op's response involved manual processes, rerouting of 350,000 items, and issuing discount coupons to mitigate trading disruptions. Despite the financial hit, Co-op maintained strong liquidity with £800 million available, ensuring no funding concerns arose from the incident. The incident serves as a reminder of the critical need for robust cybersecurity measures to protect against evolving threats. | Details |
| 2025-09-25 17:59:02 | bleepingcomputer | VULNERABILITIES | CISA Mandates Urgent Cisco Firewall Patches Amid Zero-Day Exploits | The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, compelling U.S. federal agencies to patch critical Cisco firewall vulnerabilities. Two zero-day vulnerabilities, CVE-2025-20333 and CVE-2025-20362, are actively exploited, allowing unauthorized remote code execution and access to restricted endpoints. The directive requires agencies to identify all Cisco ASA and Firepower devices, disconnect compromised units, and apply patches by September 26, 2025. Devices reaching end-of-support must be permanently disconnected by September 30, 2025, to mitigate potential security risks. Cisco's analysis links these exploits to the ArcaneDoor campaign, which has targeted government networks globally since November 2023. Attackers have used advanced evasion techniques, including disabling logging and modifying ROMMON for persistence across reboots. The UAT4356 threat group, also known as STORM-1849, is identified as the actor behind these sophisticated attacks. This incident underscores the critical need for timely patch management and robust security protocols within federal agencies. | Details |
| 2025-09-25 17:26:55 | thehackernews | MALWARE | Vane Viper's Malvertising Network Generates 1 Trillion DNS Queries | Vane Viper, a threat actor, is identified as a key player in global malvertising and ad fraud, leveraging a complex network of shell companies to obscure its operations. The group exploits vulnerable WordPress sites to create a vast network of compromised domains, distributing riskware, spyware, and adware through deceptive advertising techniques. A significant tactic involves abusing push notification permissions to deliver ads, using service workers to maintain persistent browser processes even after users leave the initial page. Vane Viper's infrastructure is linked to numerous fraudulent activities, including fake shopping sites, survey scams, and malware distribution, impacting about half of Infoblox's customer networks. The operation involves 60,000 domains, with some active for over 1,200 days, while others are frequently registered and discarded, reaching a peak of 3,500 new domains in October 2024. Connections to entities like URL Solutions and Webzilla suggest shared infrastructure with Russian disinformation sites, indicating broader implications for cybersecurity and information integrity. The group's activities highlight the challenges in distinguishing legitimate ad networks from those facilitating cyber threats, emphasizing the need for enhanced vigilance and regulatory oversight. | Details |
| 2025-09-25 17:18:49 | theregister | CYBERCRIME | Radiant Group Ransomware Attack Exposes Preschoolers' Sensitive Data | Radiant Group, a new cybercriminal entity, breached Kido International, compromising sensitive data of preschoolers and their parents, including images and home addresses. The attack represents the group's first data leak on its dark web platform, employing aggressive extortion tactics by publishing detailed profiles of ten children. Kido International, specializing in early childhood development, operates globally, but affected individuals are currently reported in the UK. The group's tactics involve contacting regulators and associates to amplify pressure, reflecting a shift towards more aggressive ransomware strategies. Experts emphasize the moral degradation of targeting such vulnerable populations, raising ethical concerns even among other cybercriminals. This incident underscores the necessity for organizations handling sensitive data to enhance security measures to prevent such breaches. Law enforcement and cybersecurity experts predict increased resistance to negotiations with groups displaying such blatant disregard for human decency. The attack highlights the critical need for robust security frameworks to deter opportunistic cyber threats and protect vulnerable sectors. | Details |