Major Incidents or Breaches

  • Forensic investigations confirmed that Paragon’s Graphite spyware was used in zero-click attacks targeting Apple iOS devices of at least two journalists in Europe.
  • Google Cloud and Cloudflare experienced widespread service outages impacting access to multiple sites and services across various regions.
  • Over 80,000 Microsoft Entra ID accounts at hundreds of organizations were targeted in password-spraying attacks carried out with the open-source TeamFiltration pentesting framework.
  • A ransomware campaign using the Fog ransomware strain leveraged an unusual mix of legitimate and open-source tools, including the Syteca employee monitoring software, to carry out attacks.

Newly Discovered Vulnerabilities

  • Researchers disclosed a zero-click vulnerability in Microsoft 365 Copilot, dubbed “EchoLeak,” which permits data exfiltration via prompt injection attacks without user interaction.
  • Trend Micro released patches for multiple critical-severity vulnerabilities in Apex Central and Endpoint Encryption products, including remote code execution and authentication bypass flaws.
  • GitLab patched high-severity vulnerabilities in its DevSecOps platform, including issues enabling account takeover and malicious job injection.
  • ConnectWise announced the planned rotation of code signing certificates for ScreenConnect, Automate, and RMM products due to identified security risks.
  • Microsoft issued an emergency update for Windows 11 24H2 to resolve a blue screen of death (BSOD) issue linked to incompatibility with Easy Anti-Cheat.

Notable Threat Actor Activity

  • Socure researchers reported an ongoing campaign of employment fraud by North Korean IT operatives seeking positions at foreign companies.
  • The VexTrio threat group was identified as operating a global scam network by weaponizing compromised WordPress sites and linking their Viper Traffic Distribution Service (TDS) to other TDS operations.
  • Kremlin-backed disinformation campaigns were found to be bypassing social media moderation through the use of malicious advertising infrastructure, including fake CAPTCHAs.
  • A fake cybersecurity firm, “Bastion Secure,” was revealed to have been used as a front for threat actors targeting IT professionals since 2021.
  • Security researchers observed a series of operational security failures among threat actors, leading to intelligence gains for defenders.

Trends, Tools, or Tactics of Interest

  • A novel attack technique called TokenBreak was discovered, enabling attackers to bypass the text-classification guardrails placed in front of large language models (LLMs) by making single-character changes to key words, so that the classifier's tokenizer no longer recognizes them while the downstream model still reads the intended meaning.
  • The Fog ransomware group demonstrated the use of both open-source pentesting tools and legitimate software in their attacks, highlighting a trend towards blending legitimate and malicious utilities.
  • Non-human identity management was highlighted as an expanding security risk, with current tools and frameworks lagging behind those for human identity governance.
  • The TeamFiltration pentesting framework was observed in use for widespread password-spraying attacks targeting Microsoft Entra ID.
  • Automated tools are being developed to aid DShield honeypot investigations, as discussed in recent SANS guest diaries.
  • Law enforcement and surveillance capabilities were noted as growing concerns for privacy, particularly in contexts such as protests and the use of consumer devices.
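The password-spraying activity noted above (in the Major Incidents list and again in this one) leaves a characteristic signal in Entra ID sign-in logs: one source hitting many distinct accounts with only one or two attempts each, rather than many attempts against one account. The following is an added example, not code from the original digest or from the TeamFiltration project, of how a defender might surface that pattern. The field names (createdDateTime, userPrincipalName, ipAddress, errorCode) follow the Entra ID sign-in log schema; the events themselves are constructed for the example, and the thresholds are assumptions to tune per tenant.

```python
"""Password-spray detection over constructed Entra ID sign-in events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Entra ID sign-in error codes: 50126 = invalid username or password,
# 50034 = user account not found, 0 = successful sign-in.
FAILURE_CODES = {50126, 50034}

def _ts(s):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _fmt(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

# Constructed sample events (not real log data).
# 203.0.113.7 tries one password against eight accounts, 20 seconds apart,
# and the password happens to work for "grace". 198.51.100.4 is a legitimate
# user who mistypes a password twice and then signs in.
_base = datetime(2025, 6, 10, 8, 0, 0, tzinfo=timezone.utc)
SPRAY_IP = "203.0.113.7"
SPRAY_TARGETS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
SAMPLE_EVENTS = [
    {"createdDateTime": _fmt(_base + timedelta(seconds=20 * i)),
     "userPrincipalName": f"{u}@example.com", "ipAddress": SPRAY_IP, "errorCode": 50126}
    for i, u in enumerate(SPRAY_TARGETS)
] + [
    {"createdDateTime": _fmt(_base + timedelta(minutes=5)),
     "userPrincipalName": "grace@example.com", "ipAddress": SPRAY_IP, "errorCode": 0},
    {"createdDateTime": _fmt(_base + timedelta(seconds=30)),
     "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.4", "errorCode": 50126},
    {"createdDateTime": _fmt(_base + timedelta(seconds=45)),
     "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.4", "errorCode": 50126},
    {"createdDateTime": _fmt(_base + timedelta(seconds=60)),
     "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.4", "errorCode": 0},
]

def detect_password_spray(events, window=timedelta(minutes=60),
                          min_users=5, max_attempts_per_user=3):
    """Return {ip: finding} for source IPs whose failures within any `window`
    span at least `min_users` distinct accounts with no more than
    `max_attempts_per_user` failures against any one of them (the spray
    profile, as opposed to brute force on a single account). Each finding
    lists the accounts that later signed in successfully from that IP."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ipAddress"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: _ts(e["createdDateTime"]))
        failures = [e for e in evs if e["errorCode"] in FAILURE_CODES]

        # Sliding window over the failures; keep the window covering the
        # largest number of distinct accounts.
        best_window, best_users, start = [], set(), 0
        for end in range(len(failures)):
            while _ts(failures[end]["createdDateTime"]) - _ts(failures[start]["createdDateTime"]) > window:
                start += 1
                
            current = failures[start:end + 1]
            users = {f["userPrincipalName"] for f in current}
            if len(users) > len(best_users):
                best_window, best_users = current, users

        if len(best_users) < min_users:
            continue
        per_user = defaultdict(int)
        for f in best_window:
            per_user[f["userPrincipalName"]] += 1
        if max(per_user.values()) > max_attempts_per_user:
            continue  # concentrated on a few accounts: brute force, not a spray

        successes = sorted({e["userPrincipalName"].split("@")[0]
                            for e in evs if e["errorCode"] == 0})
        findings[ip] = {"targeted_users": len(best_users), "successes": successes}
    return findings

if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_EVENTS).items():
        print(ip, finding)
```

Keying on the source IP is the simplest cut, but spray tooling commonly rotates its source addresses, so in practice the same logic is worth running keyed on the client application or user agent as well, and with the distinct-account count taken per tenant rather than per IP. Any success from a flagged source is the item to act on first: it is the account the spray landed on.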

Regulatory or Policy Developments

  • The US Federal Trade Commission announced new rules and compliance standards under the Children’s Online Privacy Protection Act (COPPA), updating regulations to address technological changes since 2013.