Daily Brief

Articles are listed below, each followed by a generated summary

Total articles found: 11759

Checks for new stories every ~15 minutes

2025-09-23 13:45:35 bleepingcomputer VULNERABILITIES SolarWinds Releases Critical Hotfix for Web Help Desk RCE Vulnerability
SolarWinds has issued a hotfix for a critical unauthenticated remote code execution vulnerability in Web Help Desk, tracked as CVE-2025-26399 and affecting version 12.8.7 and earlier. The flaw is an unsafe deserialization bug in the AjaxProxy component that lets an attacker run commands on the host without authenticating. It is the third fix in this chain: CVE-2024-28986 was exploited in the wild and added to CISA's Known Exploited Vulnerabilities catalog, its patch was bypassed by CVE-2024-28988, and that patch is in turn bypassed by CVE-2025-26399. The vulnerability was reported to SolarWinds through the Trend Micro Zero Day Initiative; no active exploitation of CVE-2025-26399 has been publicly reported. Organizations running Web Help Desk should install the hotfix (12.8.7 HF1) from the SolarWinds Customer Portal. Two consecutive patch bypasses are a reason to treat the component as high-risk and to limit network exposure of the Web Help Desk interface rather than rely on patching alone.
2025-09-23 13:26:58 theregister VULNERABILITIES GitHub Enhances npm Security with 2FA and Trusted Publishing
GitHub is tightening npm registry security after a wave of phishing attacks and malware infections hit JavaScript package maintainers. More than 500 compromised npm packages have been removed, and further malicious uploads have been blocked by expanded security scanning. Upcoming changes include deprecating legacy classic tokens and requiring 2FA for local publishing by default. Trusted publishing, built on OpenID Connect, lets a CI pipeline prove its identity to the registry and receive a short-lived credential for the publish step, removing the long-lived tokens that recent attacks stole from maintainers. The transition will be gradual to limit disruption, although the pace of attacks argues for moving quickly. Trusted publishing currently supports GitHub Actions and GitLab CI/CD pipelines, with more providers planned. Some developers remain concerned about the risks of relying on OpenID Connect and are asking for additional safeguards and review processes.
2025-09-23 13:19:49 bleepingcomputer VULNERABILITIES SonicWall Releases Firmware Update to Counter Rootkit Threats
SonicWall has released firmware version 10.2.2.2-92sv for its SMA 100 series appliances, adding file checks that remove known rootkit malware, after the Google Threat Intelligence Group (GTIG) documented such infections; the update matters all the more because the SMA 100 series is approaching end of support. The OVERSTEP rootkit, deployed by the threat actor UNC6148, hides its components on the appliance and opens reverse shells so the attackers keep access, and it steals sensitive files including credentials and OTP seeds. That last point means cleaning the device is not enough on its own: credentials and OTP seeds from an infected appliance should be treated as compromised and rotated. SonicWall advises administrators to upgrade immediately and to follow the hardening steps in its earlier advisory. Earlier intrusions linked to Abyss ransomware point to a pattern of targeting SonicWall devices, and SonicWall has separately addressed other issues, including CVE-2024-40766, a critical vulnerability exploited by the Akira ransomware group, which underlines the need for consistent patch management.
2025-09-23 12:55:01 theregister DATA BREACH Oracle to Securely Host TikTok's US User Data Amid New Deal
The White House announced a deal for Oracle to store all US TikTok user data on American servers, enhancing data security and privacy measures. Oracle will serve as TikTok's trusted security provider, ensuring protection against foreign surveillance and interference, particularly from Chinese entities. TikTok's algorithm will be managed in the US, with majority ownership by American investors and oversight by a board with national security expertise. The agreement extends Oracle's existing relationship with TikTok, transitioning US user data storage entirely to Oracle Cloud Infrastructure. The partnership aims to generate significant economic activity, with projections of $178 billion within the US over the next four years. The deal maintains TikTok's global interoperability, allowing seamless content sharing between US users and international audiences. The US government asserts that this arrangement will bolster national security while maintaining TikTok's operational integrity and user engagement.
2025-09-23 12:55:01 thehackernews VULNERABILITIES SolarWinds Issues Critical Patch for Web Help Desk Flaw
SolarWinds has released a hotfix for CVE-2025-26399, a critical remote code execution vulnerability in its Web Help Desk software, rated at a CVSS score of 9.8. The flaw involves deserialization of untrusted data, potentially allowing attackers to execute arbitrary commands on affected systems without authentication. This vulnerability affects versions up to SolarWinds Web Help Desk 12.8.7 and is a patch bypass for previous vulnerabilities CVE-2024-28988 and CVE-2024-28986. An anonymous researcher, in collaboration with Trend Micro's Zero Day Initiative, identified and reported the vulnerability. Users are strongly advised to update to SolarWinds Web Help Desk 12.8.7 HF1 to mitigate potential exploitation risks. While no active exploitation of CVE-2025-26399 has been reported, the original flaw CVE-2024-28986 was previously added to CISA's Known Exploited Vulnerabilities catalog. The recurring nature of these vulnerabilities calls for heightened vigilance and prompt patch management practices to safeguard systems.
2025-09-23 12:12:16 theregister CYBERCRIME Cyberattack Halts Jaguar Land Rover Production, Financial Losses Mount
Jaguar Land Rover (JLR) extended its production shutdown due to a cyberattack, impacting operations at Solihull and Halewood, with potential losses reaching £2.2 billion ($2.9 billion) in revenue. The attack has disrupted JLR's ability to order parts, affecting not only production but also the livelihoods of thousands of employees and small businesses in the supply chain. The cyberattack is believed to be orchestrated by the group Scattered Lapsus$ Hunters, though formal attribution has not been confirmed. JLR is collaborating with cybersecurity specialists, the National Cyber Security Centre (NCSC), and law enforcement to investigate and secure systems before resuming operations. Reports suggest JLR may lack adequate cyber insurance, potentially increasing financial strain as the company navigates recovery efforts. The UK government is considering emergency support measures for JLR and its supply chain to mitigate economic and employment impacts. The incident underscores the critical importance of robust cybersecurity measures and comprehensive insurance coverage to protect against operational disruptions.
2025-09-23 12:12:16 bleepingcomputer VULNERABILITIES GitHub Enhances npm Security with Mandatory 2FA and Short-Lived Tokens
GitHub is rolling out new npm security measures, including mandatory two-factor authentication (2FA) for local publishing, deprecation of legacy classic tokens, and granular access tokens with limited lifetimes, to counter the recent supply-chain attacks on npm. Campaigns such as "s1ngularity," "GhostAction," and "Shai-Hulud" compromised thousands of accounts and repositories, leading to stolen secrets and costly remediation. The new approach also includes trusted publishing, which removes the need to keep API tokens in build systems at all. GitHub is providing documentation and migration guides so maintainers can adopt the changes with minimal workflow disruption. Ruby Central is likewise tightening governance over RubyGems, restricting admin access to staff until new policies are in place, after similar supply-chain concerns. Together these changes reflect a broader push to involve the community in hardening package ecosystems against supply-chain risk.
2025-09-23 11:31:49 thehackernews DDOS ShadowV2 Botnet Uses Exposed Docker APIs on AWS for DDoS-for-Hire Attacks
Darktrace has identified ShadowV2, a botnet that exploits exposed Docker daemon APIs on AWS EC2 instances to build a distributed denial-of-service (DDoS) network. Go-based malware turns each compromised host into an attack node, and a Python-based command-and-control framework hosted on GitHub Codespaces supports techniques such as HTTP/2 Rapid Reset and a bypass for Cloudflare's under-attack mode. Rather than pulling a prebuilt malicious image, the operators spin up a generic setup container from an Ubuntu image on the victim and build their tooling there, which Darktrace suggests may be intended to leave fewer forensic traces. The C2 server, fronted by Cloudflare, exposes a full API and a user interface, indicating the botnet is being run as a DDoS-for-hire service. Separately, Cloudflare reported autonomously blocking hyper-volumetric DDoS attacks peaking at 22.2 Tbps, underlining the scale of current DDoS capacity. Such services show how far cybercrime-as-a-service has developed; the first defensive check for Docker hosts is simple, since the Docker API should never be reachable from the network without TLS and client authentication.
2025-09-23 11:31:49 thehackernews VULNERABILITIES Lean Security Teams Face Challenges with Hardcoded Secrets Management
Workforce reductions at major companies have left security teams with fewer people, raising both the likelihood and the cost of incidents. IBM figures cited in the piece put compromised credentials in 86% of breaches, with an average of 292 days to contain them, which argues for faster detection and response. Hardcoded secrets are a major contributor: HashiCorp estimates a breach cost exceeding $11 million for U.S. organizations, and manual secrets management wastes nearly $1.4 million a year in developer and security analyst time. The s1ngularity attack showed what unmanaged secrets lead to, with widespread credential exposure and potential supply-chain compromise. Newer platforms attach context to each finding to cut false positives and speed remediation, which matters most for lean teams. Effective remediation frameworks combine proactive detection, clear ownership, and integration with existing developer workflows.
2025-09-23 10:54:59 theregister NATION STATE ACTIVITY Iran-Linked Group Targets European Aerospace with Advanced Malware
Check Point Research reports that Iran-aligned Nimbus Manticore is targeting European defense, manufacturing, and telecommunications organizations with tailored phishing and malware. The campaign uses fake job portals impersonating companies such as Boeing and Airbus to lure victims into downloading malware disguised as recruiting software. Victims enter credentials on spoofed login pages, after which a multi-stage DLL sideloading chain deploys the MiniJunk backdoor and the MiniBrowse stealer. The malware relies on DLL hijacking and heavy obfuscation to evade detection and keep persistent access. Targeting concentrates on Western Europe, particularly Denmark, Portugal, and Sweden, a shift in priorities for the group. The fake-recruiter tradecraft resembles that of North Korea's Lazarus Group, raising the possibility of shared techniques between the two. The campaign shows state-sponsored actors using increasingly elaborate methods to get into critical sectors.
2025-09-23 10:47:28 bleepingcomputer MALWARE NPM Package 'Fezbox' Uses QR Codes for Cookie-Stealing Malware
The npm package 'fezbox' was found to hide a cookie-stealing payload inside a QR code, targeting credentials stored in browser cookies. It posed as a utility library on npmjs.com, the largest registry for JavaScript and Node.js packages, and was downloaded at least 327 times before registry administrators removed it. The malicious code fetches a JPG image containing a QR code, decodes it, and executes the JavaScript it holds as a second stage. The author stored the image URL as a reversed string and reversed it at runtime, a trick that keeps the URL out of static-analysis hits. The second stage reads cookies, looks for username and password values, and only if both are present sends them to a remote server in an HTTPS POST request. Delivering code in an image is a novel twist because the fetch looks like ordinary image traffic to network monitoring. The incident is another argument for scrutinizing and monitoring open-source packages before they enter a build.
2025-09-23 10:14:23 theregister CYBERCRIME UK Cyber Attacks Attributed to Local Criminal Group, Not Russia
UK Chancellor Rachel Reeves attributed recent cyber incidents affecting major UK firms to Russian-backed entities, despite a lack of supporting evidence. The National Crime Agency (NCA) arrested four suspects linked to the Marks & Spencer breach, identifying them as part of the Scattered Spider group. Scattered Spider, an English-speaking social engineering crew, is believed to consist mainly of young individuals from the UK and US. The group's tactics include SIM-swapping, phishing, and manipulating call center staff, impacting companies like Co-op, Harrods, and Jaguar Land Rover. The Jaguar Land Rover attack led to factory shutdowns, resulting in significant financial losses due to halted production. Authorities and researchers have characterized Scattered Spider as a criminal gang rather than a state-sponsored entity. Reeves' claims of Russian involvement contrast with NCA findings and may undermine confidence in government messaging without concrete evidence. Businesses must distinguish between state-sponsored threats and local criminal activities to effectively address cybersecurity risks.
2025-09-23 09:21:32 thehackernews VULNERABILITIES GitHub Implements 2FA and Short-Lived Tokens for npm Security
GitHub is enhancing npm supply chain security by mandating two-factor authentication (2FA) and introducing short-lived tokens in response to recent supply chain attacks. The Shai-Hulud attack injected a self-replicating worm into npm packages that targeted developer machines and harvested secrets. New measures include trusted publishing from CI/CD workflows via OpenID Connect, which removes the need for stored npm tokens and replaces them with a cryptographically verified workflow identity. The npm CLI will also generate provenance attestations automatically, so consumers can verify the source repository and build environment of a package. Separately, the malicious npm package fezbox was found hiding its second stage in a QR-code image to harvest credentials from browser cookies, showing how far actors will go to evade static analysis. Fezbox, now removed, had 476 downloads and illustrates why dependency checks need to handle unusual obfuscation. GitHub's measures aim to prevent repeats of these attacks and to make the npm ecosystem safer for developers and users.
2025-09-23 08:18:57 thehackernews MALWARE BadIIS Malware Exploits SEO Poisoning to Target East Asian Servers
Palo Alto Networks Unit 42 has identified a malware campaign, dubbed Operation Rewrite, that uses BadIIS for SEO poisoning against targets in East and Southeast Asia, with Vietnam the primary focus. The campaign is attributed to a Chinese-speaking threat actor and shares infrastructure with clusters tracked as Group 9 and DragonRank. BadIIS is a malicious native IIS module: installed on a compromised web server, it intercepts and rewrites HTTP traffic, inspecting request headers such as User-Agent and Referer so that search engine crawlers index attacker-chosen keyword content under the victim's domain while visitors arriving from search results are redirected to malicious sites. Post-compromise activity includes creating new local user accounts and deploying web shells for persistence, which the attackers use to exfiltrate source code and upload BadIIS implants. Infrastructure overlaps and linguistic artifacts point with high confidence to Chinese-speaking operators. The disclosure follows reports of similar SEO-fraud activity against servers in Brazil, Thailand, and Vietnam.
2025-09-23 06:03:18 theregister DATA BREACH Digital Charging Solutions Reports Data Breach Affecting Customer Information
Digital Charging Solutions (DCS) reported a security incident involving unauthorized access to customer data by a service provider, affecting names and email addresses. The breach impacts users of DCS's electric vehicle charging services, including those of Kia and BMW e-charging customers in the UK and Europe. DCS has confirmed that payment information remains secure as it is not stored or processed on the compromised databases. Immediate investigations were launched, and DCS is collaborating with the service provider to address the issue and enhance security measures. Law enforcement and data protection authorities have been notified, reflecting DCS's commitment to transparency and regulatory compliance. Affected customers have been informed out of caution, with DCS advising vigilance against potential phishing attempts. The incident currently involves a limited number of confirmed cases, with ongoing investigations to determine the full scope of the breach. DCS maintains that the charging services and billing operations continue to function without disruption.