Daily Brief
Total articles found: 11813
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-07-16 11:23:01 | theregister | DATA BREACH | Co-op Cyberattack: 6.5 Million Member Records Stolen, Education Initiative Launched | The CEO of Co-op Group confirmed that all 6.5 million members had their data stolen in a recent cyberattack attributed to the group Scattered Spider. The breach included personal details such as names and contact information; no financial data was compromised. The attackers were blocked before they could deploy ransomware, which allowed Co-op IT staff to monitor and track their activity comprehensively. In response to rising cyber threats, Co-op has partnered with The Hacking Games to engage neurodiverse youth in ethical cybersecurity roles. The National Crime Agency arrested four young individuals in connection with the cyberattacks on British retailers, including Co-op; all were released on bail pending further investigation. The attack has prompted discussion of the importance of cybersecurity in both the public and private sectors and of the need for robust protection against such incidents. Co-op is also emphasizing the broader impact and necessity of cybersecurity education among stakeholders, including parents, educators, and industry professionals. |
| 2025-07-16 10:21:53 | theregister | CYBERCRIME | Air Serbia Faces Persistent Cyberattack Amidst Internal Turmoil | Air Serbia was forced to delay issuing June 2025 payslips because of an ongoing cyberattack affecting the airline's operations. The attack, which began around early July 2025, led to a deep breach of the company's Active Directory, compromising business processes and internal communications. In response, Air Serbia's IT team implemented multiple security measures, including staff-wide password resets, installation of security scanning software, and internet access restrictions. IT management actions included terminating all service accounts, adding datacenters to a demilitarized zone, and deploying a new VPN client to counter identified security vulnerabilities. Despite these efforts, as of mid-July an internal source reported that the threat actors' access had not been fully eradicated, and the attackers' exact entry point remains unknown because proper security logs were lacking. Concerns were raised about the potential compromise of personal data and the lack of public disclosure about the breach. Malware, likely an infostealer, is believed to have been involved in the incident, with no extortion demands made as of the reported date. |
| 2025-07-16 09:51:32 | bleepingcomputer | MALWARE | Google Patches Chrome Zero-Day Exploited for Sandbox Escape | Google has issued an update for Chrome fixing six vulnerabilities, including an actively exploited zero-day. The critical flaw, CVE-2025-6558, allowed attackers to bypass Chrome's sandbox through a specially crafted HTML page. Chrome's sandbox is a vital security feature that isolates browser operations from the operating system, preventing potential malware spread. The exploited zero-day lies within the ANGLE abstraction layer, which processes GPU commands from untrusted websites. Users are urged to update Chrome to version 138.0.7204.157/.158 to protect against the flaw. Other fixed vulnerabilities include issues in Chrome's V8 engine and WebRTC, but these were not actively exploited. This zero-day is the fifth such incident handled by Google's security team this year, highlighting ongoing security challenges. |
| 2025-07-16 09:15:14 | thehackernews | MALWARE | New Konfety Malware Variant Manipulates APKs for Ad Fraud | Cybersecurity researchers have identified a sophisticated new variant of the Konfety Android malware. Konfety uses an "evil twin" technique, in which a malicious app mimics the package name of a legitimate app from the Google Play Store but is distributed via third-party sources. This variant is designed to evade detection by tampering with the APK structure, using malformed APKs and dynamic code loading. Its features include encrypted assets, runtime code injection, and deceptive manifest declarations that thwart analysis tools and reverse engineering. The malware abuses the CaramelAds SDK to deliver ads, install unwanted apps, and generate spam-like notifications while hiding its app icon. Geofencing capabilities allow Konfety to alter its functionality based on the user's geographic location. Related findings include Ducex, a Chinese Android packer that conceals payloads and blocks debugging, and TapTrap, a novel technique that can bypass Android's permission system. |
| 2025-07-16 09:15:14 | thehackernews | CYBERCRIME | Learn to Counter AI-Enhanced Social Engineering Attacks | Social engineering attacks are on the rise, employing generative AI and deepfake technology to create highly personalized scams. Attackers use stolen branding, mimic executives, and clone communication channels such as emails and websites to deceive targets. Multi-channel impersonation campaigns are pervasive across email, LinkedIn, SMS, and support portals, targeting a broad audience. Increased use of AI by attackers results in faster adaptation and automation, reducing the effectiveness of traditional security measures. The webinar introduces Doppel's AI platform, which can detect and disrupt these sophisticated impersonation threats in real time. Key learning points include understanding attacker behavior, tracking campaigns across platforms, and responding to threats instantly. The intended audience includes security leaders, SOC teams, and professionals in risk, fraud, or threat intelligence. The webinar urges immediate, proactive measures to defend against these evolving threats before they cause reputational or financial damage. |
| 2025-07-16 08:29:38 | theregister | MISCELLANEOUS | Adarma Enters Administration, Staff Terminated and Unpaid | UK cybersecurity firm Adarma has entered administration, with all operations ceasing immediately. Joint administrators Will Wright and Alistair McAlinden of Interpath Advisory were appointed following the company's financial struggles, marked by investor Livingbridge pulling its funding and the loss of major contracts. Staff were informed of the immediate termination of their roles in an urgent meeting, with follow-up communications stressing the cessation of operations. Former employees reportedly expressed concern over unpaid wages for July and potential non-payment of owed overtime, despite having been paid for the previous month. The company's future appears bleak, as prospective buyers showed interest only in its dwindling client list rather than its operational assets. More than 170 employees across Scotland and England are likely to lose their jobs; they are receiving redundancy information but face financial uncertainty. The redundancy package, the handling of the layoffs, and the locking of company devices have been managed by the administrators, indicating a structured wind-down. |
| 2025-07-16 08:01:52 | thehackernews | NATION STATE ACTIVITY | Google Patches Critical Zero-Day Exploit in Chrome Browser | Google has issued an update for Chrome addressing a critical vulnerability, CVE-2025-6558, that is actively exploited in the wild. The flaw, with a CVSS score of 8.8, involves inadequate validation of untrusted input in the browser's ANGLE and GPU components, enabling attackers to escape Chrome's sandbox. Discovered by Google's Threat Analysis Group, the exploitation of the flaw hints at possible nation-state involvement. This is one of five zero-day vulnerabilities patched in Chrome this year, all either actively exploited or demonstrated as a PoC. Users are urged to update Chrome to the latest versions available for Windows, macOS, and Linux to mitigate the risk. The vulnerability allows attacks to be launched directly from a malicious webpage without any user interaction such as downloads or clicks. Browsers built on the Chromium engine, including Microsoft Edge and Opera, should also be updated promptly, as the same vulnerabilities may affect them. |
| 2025-07-16 07:47:30 | thehackernews | MISCELLANEOUS | Google AI Detects Critical SQLite Vulnerability Before Exploitation | Google's AI agent Big Sleep preemptively identified a critical vulnerability in the SQLite database engine, preventing potential exploitation. The detected issue was a memory corruption flaw, tracked as CVE-2025-6965, with a high-risk CVSS score of 7.2. The AI-driven discovery was part of a collaboration between Google DeepMind and Project Zero, highlighting the use of AI in cybersecurity. The vulnerability could allow attackers to cause significant damage through injected SQL statements, including an integer overflow and unauthorized data access. Google cited the incident as the first known instance in which an AI directly prevented a cyberattack by predicting and addressing a software vulnerability before it was exploited. Concurrently, Google released a white paper outlining how to implement secure AI systems, emphasizing a balanced approach that combines traditional security controls with AI reasoning capabilities. The white paper stressed the importance of enforced operational boundaries for AI agents to prevent adverse outcomes from sophisticated attacks or unexpected inputs. Google aims to refine its AI security measures by incorporating multiple layers of defense to ensure robust protection against emerging threats. |
| 2025-07-15 23:04:49 | theregister | MISCELLANEOUS | Curl Founder Considers Halting Bug Bounty Over AI Misuse | Curl's bug bounty program is inundated with low-quality, AI-generated security reports, leading its maintainers to consider discontinuing it. Daniel Stenberg, the creator of curl, has noticed a significant increase in so-called "AI slop," with about 20% of all submissions in 2025 being low-quality reports produced with AI tools. The small curl security team, consisting of only seven members, finds it challenging to manage the growing number of reports, which arrive at around two per week. Only about 5% of the submissions in 2025 turned out to be genuine vulnerabilities, a notable decrease in validity from previous years. The bug bounty program, managed through HackerOne, discourages but does not ban AI-assisted submissions and advises thorough verification of AI-generated reports. Stenberg is exploring potential solutions such as imposing a fee for report submissions or removing the financial incentives entirely to curb the misuse of AI in reporting. Sifting through the surge of ineffective and incorrect reports takes an emotional toll on the curl security team and demands a significant investment of time. |
| 2025-07-15 22:10:19 | theregister | CYBERCRIME | Ex-Soldier Pleads Guilty to Extortion via Telecom Hacks | Former U.S. Army soldier Cameron John Wagenius pleaded guilty to conspiracy-related charges including wire fraud and aggravated identity theft. Wagenius, who operated under the alias "kiberphant0m," confessed to participating in schemes that targeted telecom companies with the intention of extorting over $1 million. The hacking activity took place while Wagenius was still on active duty, using methods such as "SSH Brute" to breach telecom networks. Together with co-conspirators, Wagenius accessed and sold telecom data, funding additional illicit activity including SIM swapping attacks. The group used cybercrime forums such as BreachForums and XSS.is to facilitate its extortion and the sale of stolen data. Wagenius also explored defecting to countries without U.S. extradition treaties and had previously attempted to sell information to foreign intelligence services. The illegal access extended to telecom giants such as AT&T and to the data of prominent public figures, raising the severity of the breaches. Scheduled for sentencing on October 6, Wagenius faces over 20 years in prison for his role in the hacking and extortion operations. |
| 2025-07-15 20:01:24 | bleepingcomputer | CYBERCRIME | Abacus Dark Web Market Disappears in Suspected Exit Scam | Abacus Market, a major darknet marketplace, has abruptly gone offline, hinting at a possible exit scam. The market, which launched in 2021 and boasted a 70% market share by 2023, handled nearly $300 million in transactions, primarily in Bitcoin and Monero. TRM Labs suggests the sudden shutdown could be either an exit scam or a covert law enforcement operation, although no official announcement has been made. In its peak month of June, Abacus facilitated transactions worth $6.3 million, but volume fell drastically to $13,000 per day in early July because of withdrawal issues and diminishing user trust. The site's administrator cited a DDoS attack and a surge in new users as reasons for the withdrawal delays before the site disappeared completely. The community and its users leaned toward the exit-scam explanation for the shutdown, with no evidence of FBI involvement or law enforcement action at the time of closure. |
| 2025-07-15 17:56:29 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Deploy Malware via npm in Ongoing Campaign | North Korean-backed threat actors have published 67 malicious npm packages that distribute the XORIndex malware, collecting over 17,000 downloads. The campaign, known as Contagious Interview, targets developers with deceptive job offers to get them to execute malicious code and breach secure environments. The XORIndex Loader, deployed via a post-install script in the npm packages, profiles victims and retrieves further JavaScript payloads from a C2 server. Follow-on payloads include the BeaverTail and InvisibleFerret backdoors, enabling data theft and additional malware downloads. The attackers use a mix of new and retooled malware, maintaining a persistent threat even after npm registry clean-ups. Socket researchers highlighted the need for npm users to scrutinize packages for authenticity and to execute new libraries in safe, isolated environments. Continual variation in the malicious npm packages makes detection and prevention challenging for defenders. |
| 2025-07-15 16:55:16 | bleepingcomputer | CYBERCRIME | International Police Dismantle Romanian Ransomware Gang 'Diskstation' | An international law enforcement operation, "Operation Elicius," dismantled a Romanian ransomware gang targeting NAS devices. The gang, known as 'Diskstation,' disrupted business operations in Lombardy by encrypting company data and demanding ransoms in cryptocurrency. Diskstation targeted Synology Network-Attached Storage (NAS) devices globally, exploiting internet-exposed systems since 2021. Ransom demands ranged from $10,000 to hundreds of thousands of dollars. Forensic and blockchain analysis led to the identification and arrest of suspects in Bucharest, including a 44-year-old man believed to be the primary operator. Victims included graphic and film production companies, event organizers, and NGOs involved in civil rights and charity work. Europol coordinated the operation, which involved French and Romanian police forces. Recommendations for NAS device security include updating firmware, disabling unnecessary services, avoiding internet exposure, and restricting access through VPNs. |
| 2025-07-15 16:30:54 | thehackernews | DDOS | Record 7.3 Tbps DDoS Attack Marks Q2 2025 Cybersecurity Threat Surge | Cloudflare mitigated 7.3 million DDoS attacks in Q2 2025, down from 20.5 million in the previous quarter. There was nonetheless a significant rise in hyper-volumetric DDoS attacks, with 71 occurring daily on average, including a record peak of 7.3 Tbps. Research showed that 70% of HTTP DDoS attacks were launched from known botnets, with a notable rise in application-layer threats. Geographically, the most targeted locations were China, Brazil, and Germany, while Indonesia and Singapore were the primary sources of DDoS attacks. Hyper-volumetric attacks exceeding 100 million packets per second rose by 592% compared with the prior quarter. Ransom DDoS attacks, in which attackers demand payment to stop or refrain from an attack, increased by 68%. Cloudflare highlighted the emergence of the DemonBot botnet, which primarily exploits IoT devices, underscoring the need for improved security measures. The report points to growing complexity in DDoS tactics, combining volume-based attacks with sophisticated probing techniques to discover and exploit weaknesses. |
| 2025-07-15 15:35:17 | thehackernews | CYBERCRIME | GLOBAL GROUP RaaS Utilizes AI for Ransom Negotiations, Expands Reach | GLOBAL GROUP, a new ransomware-as-a-service operation, targets various sectors worldwide, including in Australia, Brazil, Europe, and the United States. Originally known as BlackLock, the operation rebranded after a data leak incident and traces its lineage back to the Mamona ransomware. It uses artificial intelligence in its negotiation tools so that non-English-speaking affiliates can manage ransom negotiations more effectively. Affiliates gain network access through partnerships with initial access brokers that exploit vulnerabilities in edge appliances and through brute-force attacks on Microsoft services. The ransomware can be tailored to different environments, including VMware ESXi, NAS, BSD, and Windows, and a high revenue-sharing model is used to attract more affiliates. As of mid-July 2025, GLOBAL GROUP has claimed 17 victims across diverse sectors including healthcare, industrial machinery, automotive, and business process outsourcing. Despite a wider decline in ransomware incidents in 2025, this group illustrates the evolving sophistication and persistence of cybercriminals in the ransomware arena. |