Daily Brief
Find articles below; see 'Details' for the generated summaries.
| Timestamp | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-07-04 15:17:08 | bleepingcomputer | DATA BREACH | Hacker Leaks 106GB of Telefónica Data, Claims Fresh Breach | A hacker known as "Rey," linked to the Hellcat ransomware group, has allegedly breached the Spanish telecom giant Telefónica and is threatening to leak 106GB of data. Rey has already leaked a 2.6GB archive to back up the claim; the data supposedly includes internal communications, customer records, and employee data. The breach reportedly occurred on May 30 and was facilitated by a misconfiguration in a previously compromised Jira server. Despite multiple inquiries from BleepingComputer, Telefónica has not acknowledged the recent breach, and one representative dismissed it as an extortion attempt based on outdated data. Files in the leaked data include emails and invoices from Telefónica's operations in several countries, with some content dated as recently as 2021. After an initial takedown over legal issues, the hacker has shifted to distributing the stolen data through various platforms, increasing the risk of widespread exposure. | Details |
| 2025-07-04 15:17:08 | bleepingcomputer | CYBERCRIME | Ingram Micro Hit by Potential Cyberattack, Global Systems Down | Ingram Micro is facing a significant global outage affecting its websites and internal systems. The technology distribution giant has not disclosed the cause of the outage, prompting concerns about a possible cyberattack. The outage began on a Thursday morning, making it impossible for customers worldwide to place orders. Employees are also unable to access certain internal systems, further complicating operations. Visitors to the Ingram Micro website encounter messages indicating access restrictions or maintenance. Despite speculation of a ransomware attack among the online community, the exact nature of the incident remains unconfirmed. The extended unavailability of services is typical of a major breach, making this situation alarming for partners and businesses relying on Ingram Micro. The company has yet to respond officially about the ongoing issues or any steps being taken to resolve them. | Details |
| 2025-07-04 13:05:16 | thehackernews | NATION STATE ACTIVITY | NightEagle APT Targets China's Defense and Tech Sectors via Exchange Flaw | NightEagle APT (aka APT-Q-95) exploits Microsoft Exchange servers using a zero-day exploit chain, primarily targeting China's government, defense, and technology sectors. Active since 2023, the threat actor changes its network infrastructure rapidly, complicating tracking and mitigation efforts. Attacks focus on high-value sectors such as high-tech, semiconductors, quantum technology, AI, and the military, aiming to gather sensitive intelligence. NightEagle was identified by QiAnXin's RedDrip Team, which presented its findings at CYDES 2025 in Malaysia. The APT uses a modified version of the Chisel tool to set up persistent access and data exfiltration mechanisms on compromised networks. A .NET loader delivers the NightEagle Trojan via the IIS service in Microsoft Exchange, enabling unauthorized data access and remote control. QiAnXin researchers suggest a North American origin for NightEagle, based on attack timing that aligns with nighttime hours in Beijing. Microsoft has been contacted for comment on the campaign, and investigation and response efforts are ongoing. | Details |
| 2025-07-04 09:35:10 | thehackernews | MALWARE | Sudo Flaws Expose Linux Systems to Elevated Privilege Attacks | Two significant vulnerabilities in Sudo, affecting various Linux distributions, allow local users to gain root access. CVE-2025-32462 and CVE-2025-32463 are severe flaws that bypass Sudo's access controls to execute unauthorized commands. CVE-2025-32462 abuses the "-h" host option, which has been flawed since it was added in September 2013. CVE-2025-32463 abuses the "-R" chroot option, enabling arbitrary command execution even for users with no Sudo rules. The vulnerabilities were responsibly disclosed on April 1, 2025, and have since been patched in Sudo version 1.9.17p1. CVE-2025-32462 primarily affects systems that share a common sudoers file across multiple machines or use LDAP-based sudoers. Linux users are urged to update to the patched version of Sudo to mitigate the risk of these vulnerabilities. The discovery underscores the need for continuous vigilance and timely patching of foundational security tools like Sudo. | Details |
| 2025-07-04 09:35:10 | thehackernews | DATA BREACH | Webinar Focuses on Preventing Data Leaks in AI Systems | Generative AI (GenAI) introduces the risk of unintended data leaks in businesses, affecting sensitive enterprise data. AI agents interact with corporate systems such as SharePoint and S3 buckets, potentially exposing confidential information when proper controls are missing. A lack of stringent access controls, governance policies, and oversight can lead to sensitive data being revealed to unauthorized parties or even online. Real-world instances include AI revealing internal salary details or unreleased product designs during routine operations. The upcoming free webinar, titled "Securing AI Agents and Preventing Data Exposure in GenAI Workflows," aims to address these issues by offering guidance on securing AI implementations. The session, hosted by Sentra's AI security experts, will discuss common AI misconfigurations and their causes, emphasizing the need for careful management of permissions and of the outputs of large language models (LLMs). The event targets professionals involved in AI development, deployment, or management, stressing the importance of proactive data protection measures in the era of GenAI. | Details |
| 2025-07-04 07:21:37 | thehackernews | DATA BREACH | Google Fined $314M for Unauthorized Use of Android Users' Data | A court ruling requires Google to pay $314 million for unauthorized data transfers on Android devices, in violation of California law. The lawsuit began in August 2019, with plaintiffs claiming that Google used cellular data without permission, even when devices were idle. Plaintiffs demonstrated through experiments that Google's background transfers consumed significant amounts of cellular data. The information transmitted included log files and app metrics, which the plaintiffs argued were not time-sensitive and could have been delayed until a Wi-Fi connection was available. The court sided with the plaintiffs, emphasizing that the data transfers imposed unnecessary costs on users for Google's benefit. After the verdict, Google announced plans to appeal, stating that these data transfers are crucial for Android device performance and security. This decision follows Google's recent $1.4 billion settlement in Texas over similar privacy concerns involving location and facial recognition data. | Details |
| 2025-07-03 16:22:04 | bleepingcomputer | MALWARE | Grafana Releases Updates to Mitigate Critical Chromium Vulnerabilities | Grafana Labs has issued critical security updates for its Image Renderer plugin and Synthetic Monitoring Agent, addressing four significant vulnerabilities originating in the Chromium engine. The resolved vulnerabilities include type confusion and use-after-free issues in Chromium's V8 engine, all of which allow remote code execution and arbitrary memory manipulation. Grafana Image Renderer versions prior to 3.12.9 and Synthetic Monitoring Agent versions before 0.38.3 are affected and require immediate patching to reduce exposure. The Image Renderer plugin, though not bundled by default, is critical in production environments for dashboard rendering and has millions of downloads across various systems. The Synthetic Monitoring Agent, part of Grafana Cloud's service, plays a key role in environments that run synthetic tests behind firewalls and is integral to high-value hybrid and multi-cloud infrastructures. Grafana has applied the patches to cloud and managed instances such as Grafana Cloud and Azure Managed Grafana, so hosted users need not take additional steps. Recent findings from a security report by Ox Security show that a significant number of users failed to update promptly after previous vulnerability announcements by Grafana. | Details |
| 2025-07-03 16:05:15 | theregister | MISCELLANEOUS | Windows 11 Preview Update Causes Firewall Misfires, No Alarm | A recent Windows 11 24H2 update has led to non-critical errors in the Windows Firewall, surfacing as warnings in the Event Viewer. Microsoft has acknowledged the issue and attributes it to a feature still under development that was inadvertently included in production code. Users encountering the "Config Read Failed" error are advised by Microsoft to disregard the warnings, as they do not represent a threat to system security. Although the feature in question is not fully implemented, the Windows Firewall is expected to continue functioning normally despite the errors. Microsoft has not provided a specific timeline for a fix but has stated that it is working towards a resolution to be included in a future update. The situation raises questions about the rigor of Microsoft's development and testing processes, especially given the history of issues with Windows 11 releases. Despite the alarming-looking log entries, this particular anomaly does not affect overall system performance or security, so routine operations can continue without concern. | Details |
| 2025-07-03 16:05:14 | thehackernews | MALWARE | IconAds Fraud Apps and SMS Stealers Exposed in Global Alert | A mobile ad fraud operation known as IconAds, encompassing 352 Android apps, has been disrupted; the apps hid their icons and displayed intrusive ads. The fraudulent apps, which generated 1.2 billion bid requests daily at their peak, were primarily active in Brazil, Mexico, and the US and used obfuscation techniques to evade detection. Google has removed the malicious apps from the Play Store; many of them impersonated legitimate services to disguise their activity. A related ad fraud operation called Kaleidoscope uses a twin-app strategy to serve unwanted ads and degrade device performance while evading detection by appearing legitimate. In a separate threat, new malware families named NGate and SuperCard X abuse NFC technology to commit financial fraud across several countries. An Android SMS stealer, dubbed Qwizzserial, targeted 100,000 devices in Uzbekistan, intercepting SMS codes for financial theft, with losses estimated at $62,000. Research indicates that cybercriminals are continuously adapting their strategies, employing new obfuscation techniques and shifting distribution methods to maintain their operations. | Details |
| 2025-07-03 15:15:35 | bleepingcomputer | DATA BREACH | IdeaLab Hit by Ransomware, Data Leaked on Dark Web | IdeaLab, a prominent U.S. technology incubator, suffered a data breach in October 2024 when its systems were compromised by ransomware. The breach was linked to the Hunters International ransomware group, which later leaked 262.8 GB of stolen data on the dark web. The data stolen from IdeaLab included information belonging to current and former employees, their dependents, and contractors. Following the breach, IdeaLab engaged third-party services to investigate, confirming that unauthorized access began on October 4 and was detected on October 7. On October 23, Hunters International published the stolen data following a presumed failed extortion attempt. The compromised data included various combinations of names and other sensitive details, though the full extent of the exposure was not disclosed. In response to the breach, IdeaLab is offering affected parties two years of free credit protection, identity theft protection, and dark web monitoring services through IDX. Additionally, Hunters International has announced its shutdown, deleting all records from its portal, and may be rebranding as a new operation called World Leaks. | Details |
| 2025-07-03 14:33:59 | theregister | DATA BREACH | Over 1 Million Affected in Young Consulting's Data Breach | Young Consulting (now trading as Connexure) has confirmed that over 1 million individuals were affected by a data breach originally suspected to be a ransomware attack by the BlackSuit group. The breach was initially detected when the company experienced "technical difficulties" in April 2024, leading to the discovery of unauthorized network access and data copying. In its initial report to Maine's attorney general in 2024, the company said approximately 950,000 people had personal data compromised, such as names, Social Security numbers, and insurance information. The cybercriminal group BlackSuit claimed responsibility and alleged that additional sensitive data, including passports and internal documents, was stolen. Young Consulting has revised the number of affected individuals multiple times, suggesting ongoing identification of compromised data; the most recent update puts the count at 1,071,336. Victims have been offered 12 months of credit monitoring and identity theft restoration services, consistent with the company's initial response. The lengthy process of identifying affected individuals exemplifies the complex and time-consuming nature of digital forensic analysis in data breach scenarios. IBM's 2024 report notes that identifying and containing breaches of this nature can take up to 292 days on average. | Details |
| 2025-07-03 12:53:59 | theregister | NATION STATE ACTIVITY | Meta Challenges EU's €200M Fine Over Advertising Model | Meta is appealing a €200 million fine imposed by the European Commission, which it deems "incorrect and unlawful." The fine targets Meta's "pay-or-consent" advertising model as conflicting with the Digital Markets Act (DMA). Meta argues that the EU's decision forces it to offer a less personalized, ad-supported service for free, with negative consequences for users and businesses. According to Meta, it is being singled out, as it cannot offer a dual model of a subscription service alongside a free ad-supported version. Meta cites backing from national courts and data protection authorities in countries such as France, Denmark, and Germany for similar business models. The company insists that in a market economy it should be compensated for providing valuable services, which it says is essential for fostering innovation and economic growth. The ongoing dispute highlights the broader tension between large tech companies and regulatory bodies in Europe over data privacy and business operations. | Details |
| 2025-07-03 11:25:07 | theregister | CYBERCRIME | Ransomware Group Shuts Down, Offers Keys to Victims | The ransomware gang Hunters International has officially ceased operations, deleting all victim data from its dark web site. As part of the closure, the gang is providing decryption keys to victims, describing it as a gesture of goodwill. The decision to shut down follows remarks by its leaders in April that ransomware had become a high-risk, low-reward activity. Although the decryption keys are free, they are not publicly posted; victims must request them via the gang's official website. Security experts suspect that the individuals behind Hunters International are likely to continue cybercrime under a new name, possibly as the rebranded group World Leaks. World Leaks, ostensibly run by the same team, uses an extortion-only model without deploying ransomware, otherwise maintaining an operation similar to Hunters' previous methods. Hunters International notoriously targeted high-profile organizations in attacks that severely compromised personal and sensitive data. | Details |
| 2025-07-03 10:58:07 | thehackernews | MALWARE | Over 40 Firefox Extensions Found Stealing Cryptocurrency Wallets | Cybersecurity researchers have identified over 40 malicious Mozilla Firefox extensions designed to steal cryptocurrency wallet details. The extensions mimic well-known wallet tools such as Coinbase and MetaMask and use fake reviews to appear legitimate. Active since at least April 2025, the campaign uses cloned open-source extensions with malicious code added. The extensions steal private keys and seed phrases and transmit them, along with users' IP addresses, to a remote server. Evidence suggests a Russian-speaking group is behind this high-impact, low-effort attack. Mozilla has taken down nearly all of the related extensions and introduced an "early detection system" to block such scam extensions. Users are urged to install extensions only from verified publishers and to check regularly for unauthorized changes. | Details |
| 2025-07-03 10:58:07 | bleepingcomputer | CYBERCRIME | Hunters International Ransomware Shuts Down, Offers Free Decryptors | The Hunters International Ransomware-as-a-Service (RaaS) group has ceased operations and is distributing free decryption tools to its victims. The decision follows increased law enforcement scrutiny and diminishing profitability amid changing dynamics in the cybercrime landscape. Referring to its past operations, the group says it is offering the decryptors to relieve affected companies of the burden of ransom payments. Previously engaged in a combination of encryption and extortion, Hunters International has signaled a shift away from those tactics with the emergence of an extortion-only affiliate called World Leaks. World Leaks focuses exclusively on data theft and extortion, employing advanced exfiltration tools previously developed by Hunters International. Over its active period, Hunters executed nearly 300 high-profile attacks globally, targeting major corporations and government entities and demanding substantial ransoms. The group claimed numerous victims, including the U.S. Marshals Service, Hoya, Tata Technologies, and various other significant entities across different sectors. Hunters International originally emerged as a suspected rebrand of Hive, given notable code similarities, and over time expanded its platform support to Windows, Linux, and VMware. | Details |