Daily Brief
Articles are listed below; see 'Details' for the generated summaries.
Total articles found: 11815
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-07-01 06:36:01 | theregister | NATION STATE ACTIVITY | Proton Joins Lawsuit Accusing Apple of Anticompetitive Practices | Proton, the Swiss provider of encrypted communications and VPN services, has filed a legal complaint against Apple alleging anticompetitive conduct in how it runs the iOS App Store. The complaint argues that Apple's control over app distribution and its mandatory in-app payment system suppresses competition and harms developers, consumers and user privacy. Proton has joined an existing suit brought by Korean developers that makes similar claims about Apple's monopoly over distribution and the effect of its commission model on developers. The company calls for alternative app stores and open developer access to Apple's APIs and payment systems, as the EU now requires but the US does not. Proton cites earlier conflicts with Apple, including the rejection of a Proton VPN update, as evidence that Apple puts profit ahead of privacy. It argues that developers of free apps are pushed to monetize by selling user data, while Proton's subscription model is penalized financially by Apple's policies. Apple has not commented on the allegations, which also include Apple removing VPN and privacy apps from its store in countries with restrictive regimes. | Details |
| 2025-07-01 04:28:49 | thehackernews | MISCELLANEOUS | Microsoft Authenticator to End Password Management Feature | Microsoft is removing password management from the Authenticator app by August 2025. Autofill stops working in July 2025, and saved passwords stop being accessible in the app the following month. Users have been unable to add or import new passwords into Authenticator since June 2025. Saved passwords and addresses are synced to the user's Microsoft account and remain available through the Edge browser, which becomes the default autofill provider. Users who rely on passkeys must keep Authenticator enabled as their passkey provider; disabling Authenticator disables those passkeys. Microsoft suggests exporting existing passwords from Authenticator and importing them into another password manager such as Apple iCloud Keychain or Google Password Manager. | Details |
| 2025-06-30 22:27:43 | bleepingcomputer | NATION STATE ACTIVITY | U.S. Agencies Alert on Iranian Cyber Threats to Infrastructure | U.S. cyber agencies, together with the FBI and NSA, have issued a warning about possible Iranian cyber attacks on American critical infrastructure. No active campaign has been detected, but the alert level is raised because of the tensions in the Middle East and Iran's past pattern of retaliatory cyber activity. Defense Industrial Base companies, particularly those with ties to Israeli defense firms, and operators in sectors such as energy, water and healthcare are urged to raise their vigilance. Iranian actors are known for exploiting unpatched systems and default passwords and have breached critical systems before, including a Pennsylvania water utility in 2023. They often run politically motivated attacks such as DDoS, website defacement and ransomware, at times coordinating with Russian-aligned hacker groups. Attacks on Israeli targets have combined data theft and encryption with destructive data wipers rather than conventional ransomware. U.S. authorities recommend applying baseline security practices and consulting resources such as CISA's Iran threat overview for defensive guidance. | Details |
| 2025-06-30 22:21:29 | theregister | NATION STATE ACTIVITY | US Disrupts North Korean IT Worker Scams, Seizes Assets | The US Department of Justice has disrupted schemes in which North Korean IT workers used fake identities to get hired at more than 100 US companies. The workers earned salaries for North Korea, stole sensitive data from their employers, and also targeted virtual currency. Actions included the seizure of 137 laptops and the arrest of Zhenxing "Danny" Wang, who allegedly helped funnel $5 million to North Korea. The operations date back to at least January 2021 and exploited the shift to remote work accelerated by the COVID-19 pandemic. A second case covers North Koreans who posed as remote IT workers based in the UAE, used stolen identities, and stole over $900,000 in digital currency. The schemes relied on laptop farms inside the US to disguise where the workers were actually located. The North Korean operatives themselves remain beyond the reach of US law enforcement after indictment and have likely returned to North Korea. The US government is offering rewards of up to $5 million for information that disrupts the financial mechanisms supporting North Korean activities. | Details |
| 2025-06-30 18:31:30 | theregister | CYBERCRIME | IT Worker Jailed for Sabotaging Employer's Network Post-Suspension | Mohammed Umar Taj, a British IT employee, was sentenced to more than seven months in prison for deliberately disrupting his employer's network after he was suspended. Taj used network access that had not been revoked to change login and multi-factor authentication settings, locking the company and its clients out of essential systems and causing significant operational disruption. The company put its direct losses at roughly £200,000, on top of reputational damage with clients in Germany and Bahrain. Phone-call recordings recovered by police showed that Taj planned the attack and kept a record of what he did. Taj is still listed as director of TJ Performance, an electrical company registered at his home address. The case illustrates a recurring failure: companies not revoking the network access of suspended or terminated employees, especially those with privileged rights, the moment the decision is made. | Details |
| 2025-06-30 18:06:24 | bleepingcomputer | DATA BREACH | German Authorities Request Removal of DeepSeek AI Over GDPR Violations | The Berlin Commissioner for Data Protection has asked Google and Apple to remove the DeepSeek AI app from their app stores for non-compliance with the GDPR. DeepSeek, operated by Hangzhou DeepSeek Artificial Intelligence, a company based in Beijing, is accused of unlawfully collecting German users' personal data and transferring it to servers in China. Under GDPR Article 46(1), personal data may be transferred outside the EU only with appropriate safeguards ensuring EU-equivalent protection, which the regulator says is not the case for data sent to China. Despite the app's popularity, with more than 50 million downloads on Google Play and many ratings on Apple's App Store, it faces serious security and privacy concerns. The removal request follows DeepSeek's refusal to withdraw the apps from German stores voluntarily after a request on May 6. The Berlin authority has reported the app to Apple and Google under Article 16 of the Digital Services Act, the notice mechanism that obliges platforms to act on reports of illegal content; the two companies must now review the notice and decide whether to remove the app. Several German regulators, including state data protection authorities and the Federal Network Agency, are coordinating on the matter. | Details |
| 2025-06-30 17:36:32 | theregister | CYBERCRIME | Scattered Spider Expands Target to Aviation After Hitting Insurance | Charles Carmakal of Mandiant reports that the Scattered Spider cybercrime group, also tracked as UNC3944, has turned to the aviation sector after its recent campaigns against retail and insurance. Carmakal urged airlines and their suppliers to tighten security around help desk procedures, since the group's social engineering targets identity verification to obtain MFA resets and access to employee accounts and sensitive personal details. Sam Rubin of Palo Alto Networks' Unit 42 corroborated this, reporting a rise in social engineering attempts and suspicious MFA reset requests in aviation and warning that organizations need to act now. The warnings follow incidents disclosed by Hawaiian Airlines and Canada's WestJet, both still investigating what data may have been taken. Earlier insurance-sector victims, including Aflac, Erie Indemnity and Philadelphia Insurance Companies, reported attacks and ongoing investigations with enhanced monitoring, although none reported evidence of ransomware being deployed. Aflac said social engineering was used in its breach, consistent with the group's usual entry method. Experts warn every sector to harden defenses, because Scattered Spider's targeting is unpredictable and shifts quickly. | Details |
| 2025-06-30 16:37:50 | thehackernews | NATION STATE ACTIVITY | U.S. Warns of Escalating Iranian Cyberattacks on Critical Sectors | U.S. cybersecurity and intelligence agencies have warned of increased cyber threat activity from Iranian state-sponsored groups against defense and critical infrastructure organizations. The joint alert from CISA, the FBI, DC3 and NSA urges heightened security measures at Defense Industrial Base companies and at entities with links to Israeli organizations. Iranian actors typically gain initial access through outdated software, unpatched systems and weak passwords. Their techniques include automated password guessing, use of default manufacturer passwords, and deployment of remote access tools and keyloggers to move deeper into networks. The groups also use system engineering tools to reach Operational Technology (OT) networks, putting industrial control systems at risk. U.S. and Israeli firms face DDoS attacks and ransomware campaigns, reinforcing the need for robust defenses. The advisory recommends reviewing the external attack surface with attack surface management tools, keeping systems patched, and mapping defenses to the MITRE ATT&CK framework. | Details |
| 2025-06-30 16:07:08 | bleepingcomputer | DDOS | Microsoft Defender for Office 365 Targets Email Bombing | Microsoft Defender for Office 365 has gained a feature that automatically detects and blocks email bombing attacks. The detection protects organizations from floods of email intended to disrupt operations or bury security-relevant messages in noise. The feature began rolling out in late June 2025 and reaches all tenants by late July without manual configuration; detected messages are routed to the Junk folder. Email bombing is used by cybercriminals to overwhelm a target mailbox, typically by subscribing the victim to large numbers of mailing lists, and to set up follow-on phishing or malware delivery. Groups including Black Basta and affiliates of 3AM ransomware, as well as FIN7, have used this tactic to breach corporate networks. The feature gives security teams better visibility, helping them spot genuine threats amid the flood of spam. Email-bombing detections appear across Defender for Office 365 surfaces including Threat Explorer and Advanced Hunting. | Details |
| 2025-06-30 15:40:17 | bleepingcomputer | RANSOMWARE | Switzerland Reports Government Data Leak Following Ransomware Attack | The Swiss government has disclosed that a ransomware attack on Radix, a third-party organization, led to the theft of sensitive federal data. The stolen Radix data was later published on the dark web; the Swiss National Cyber Security Centre (NCSC) is analyzing it to determine which government agencies are affected. Radix, a Zurich-based non-profit that runs health-promotion programs, was compromised by the Sarcoma ransomware group on June 16. Sarcoma is known for phishing, exploiting old vulnerabilities, and attacking exposed RDP services, then moving laterally through the network. After extortion failed, Sarcoma released 1.3 TB of data, including financial records and contracts, for free on its leak site on June 29. Radix says partner data was not affected, but people whose data was involved are urged to stay alert for fraud attempts. It is the second major breach involving Swiss government data in recent years, after the May 2023 attack on the IT supplier Xplain by the Play ransomware group. No immediate response was available from the NCSC on the details of the stolen data while the investigation continues. | Details |
| 2025-06-30 15:25:14 | thehackernews | CYBERCRIME | Europol Cracks Down on $540M Global Cryptocurrency Scam | Europol has announced the dismantling of a cryptocurrency investment fraud network: five people were arrested, and the group is accused of laundering about €460 million ($540 million) taken from more than 5,000 victims worldwide. The operation was led by Spain's Guardia Civil with support from law enforcement in Estonia, France and the U.S.; arrests were made in the Canary Islands and Madrid. The network ran "pig butchering" investment fraud, using social engineering, fake trading platforms and scripted conversations to win victims' trust before taking their money. The proceeds were moved through a Hong Kong-based corporate and banking structure with accounts at multiple exchanges to obscure the money trail. Europol notes that criminal groups' use of technologies such as artificial intelligence has increased the sophistication and scale of such cyber-enabled fraud, creating unprecedented challenges for law enforcement. INTERPOL separately reports that cybercrime now accounts for over 30% of reported crime in some regions, underlining the need for stronger legal and prosecutorial frameworks. Such scam operations often trap people in Southeast Asia with fake job offers and then coerce them into running the scams. | Details |
| 2025-06-30 14:12:25 | bleepingcomputer | NATION STATE ACTIVITY | Canadian Government Orders Hikvision to Shut Down Over Security Concerns | The Canadian government has ordered Hikvision Canada Inc. to cease all operations in Canada, citing national security risks. The order follows a National Security Review under the Investment Canada Act. No specific evidence was made public; the government says the decision rests on information from Canada's security and intelligence community. The government is also barring all federal departments, agencies and crown corporations from purchasing or using Hikvision products. Hikvision Canada, established in 2014, sells a broad range of video surveillance products and has previously faced scrutiny over possible espionage on behalf of the Chinese government. Hikvision disputes the decision, calling it unjust and lacking in evidence, transparency and procedural fairness. The order applies to Hikvision Canada Inc. and to government use of its products; it does not extend to Hikvision affiliates operating outside Canada. Canadian authorities advise the public to take the government's assessment into account when choosing surveillance equipment. | Details |
| 2025-06-30 13:55:48 | bleepingcomputer | MISCELLANEOUS | Delays in Windows June 2025 Security Updates Due to Timestamp Error | Microsoft has confirmed a known issue in which incorrect metadata timestamps are delaying delivery of the June 2025 Windows security updates. The problem affects Windows 10 and Windows 11 devices governed by quality update deferral policies, which let IT admins hold back installation for a set number of days. Deferral already delays updates deliberately, but the incorrect release timestamp in the update metadata pushes the end of the deferral window out further than the policy intends, so devices stay unpatched longer than planned. The issue does not change the content or quality of the updates, only when devices receive them. Microsoft advises admins either to create an expedite policy for the June update or to shorten their deferral settings so the update arrives on time. The problem appeared despite Microsoft's earlier fixes for other update delivery issues across Windows. Microsoft has said it will not correct the erroneous timestamp and expects admins to rely on the suggested workarounds. | Details |
| 2025-06-30 13:33:34 | thehackernews | NATION STATE ACTIVITY | Blind Eagle Exploits Proton66 Hosting for Phishing and RAT Deployment | Blind Eagle, a persistent threat actor, is using the Russian bulletproof hosting provider Proton66 to host phishing and malware infrastructure aimed at Colombian banks. Trustwave SpiderLabs tied the actor to Proton66 by pivoting on its digital assets and found an active cluster that uses Visual Basic Script (VBS) files as the first stage of infection. The attacker uses dynamic DNS services and rotates subdomains to evade detection while keeping phishing pages and VBS payloads continuously available. The VBS files act as loaders for second-stage remote access trojans such as AsyncRAT and Remcos RAT, retrieving encrypted executables from remote servers. Although VBS is dated, it remains effective for initial access on Windows because it runs out of the box via Windows Script Host and attracts less scrutiny than compiled binaries. The phishing pages impersonate Colombian financial institutions to harvest credentials and other sensitive information. Trustwave also found a botnet control panel tied to Blind Eagle's infrastructure, indicating hands-on remote control of infected machines. Blind Eagle continues to adapt, maintaining operations even after patches were released for the vulnerabilities it has exploited. | Details |
| 2025-06-30 13:23:03 | theregister | NATION STATE ACTIVITY | Report Exposes Sinaloa Cartel's High-Tech Threat on FBI Ops | A Justice Department inspector general audit reports that the Sinaloa drug cartel hired a hacker to identify and track FBI informants, some of whom were then intimidated or killed. The hacker obtained call records and geolocation data for the phone of an FBI official in Mexico City and used the city's camera network to follow the official and identify the people they met. The audit's account of the 2018 case describes the cartel using that data to threaten, and in some cases kill, cooperating witnesses. The audit found gaps in FBI policy and an inconsistent approach to what the bureau calls Ubiquitous Technical Surveillance (UTS) threats. Advances in commercial technology have made it far easier for adversaries to exploit the digital trails that investigations leave behind. The Department of Justice called the threat urgent and pressed for an improved strategy and training. The FBI has raised the risk rating for technical surveillance threats and is drafting a mitigation plan, although early drafts were criticized as inadequate. The audit recommends a clearer line of authority for UTS and better use of the FBI's existing UTS expertise. | Details |
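The two Iranian-threat items above list automated password guessing and default manufacturer passwords as the groups' usual route in. The following is an added example, not code from the advisory, the articles, or any vendor: a small detector that reads OpenSSH-style auth log lines and separates password spraying (one source failing against many distinct accounts, each staying below lockout) from single-account brute force, and flags a successful login from a source that was failing moments earlier. The log lines, hostname, IP addresses and thresholds are constructed for the example.

```python
"""Password-spray vs. brute-force detector over OpenSSH-style auth log lines.

Added example; the sample lines, IPs and thresholds below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real logs): two isolated user typos, a spray from
# 203.0.113.7 across six accounts, and a brute force against 'admin' from
# 198.51.100.9 that eventually succeeds.
SAMPLE_LOG = """\
Jun 30 10:00:01 vpn sshd[1201]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Jun 30 10:00:05 vpn sshd[1203]: Failed password for admin from 203.0.113.7 port 40001 ssh2
Jun 30 10:00:06 vpn sshd[1204]: Failed password for operator from 203.0.113.7 port 40002 ssh2
Jun 30 10:00:07 vpn sshd[1205]: Failed password for invalid user support from 203.0.113.7 port 40003 ssh2
Jun 30 10:00:08 vpn sshd[1206]: Failed password for backup from 203.0.113.7 port 40004 ssh2
Jun 30 10:00:09 vpn sshd[1207]: Failed password for invalid user scada from 203.0.113.7 port 40005 ssh2
Jun 30 10:00:10 vpn sshd[1208]: Failed password for hmi from 203.0.113.7 port 40006 ssh2
Jun 30 10:00:30 vpn sshd[1209]: Failed password for admin from 198.51.100.9 port 50001 ssh2
Jun 30 10:00:31 vpn sshd[1210]: Failed password for admin from 198.51.100.9 port 50002 ssh2
Jun 30 10:00:32 vpn sshd[1211]: Failed password for admin from 198.51.100.9 port 50003 ssh2
Jun 30 10:00:33 vpn sshd[1212]: Failed password for admin from 198.51.100.9 port 50004 ssh2
Jun 30 10:00:34 vpn sshd[1213]: Failed password for admin from 198.51.100.9 port 50005 ssh2
Jun 30 10:05:00 vpn sshd[1214]: Failed password for bob from 192.0.2.11 port 51001 ssh2
Jun 30 10:05:02 vpn sshd[1215]: Accepted password for admin from 198.51.100.9 port 50006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(lines, year=2025):
    """Yield (timestamp, result, user, ip); syslog lines carry no year, so one is supplied."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]


def detect(lines, window=timedelta(minutes=5), spray_users=5, brute_attempts=5):
    """Sliding-window analysis per source IP.

    spray:  a source fails against >= spray_users DISTINCT accounts inside `window`
            (one password, many users: each account stays under its lockout threshold).
    brute:  a source fails >= brute_attempts times against the SAME account inside `window`.
    success_after_failure: an accepted login for an (ip, user) pair that failed earlier,
            which is the event worth paging on.
    """
    recent = defaultdict(deque)          # ip -> deque of (timestamp, user) failures
    failed_pairs = set()
    spray, brute, success_after_failure = {}, {}, []
    for ts, result, user, ip in parse(lines):
        if result == "Accepted":
            if (ip, user) in failed_pairs:
                success_after_failure.append((ip, user))
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:      # expire failures that fell out of the window
            q.popleft()
        failed_pairs.add((ip, user))
        users = {u for _, u in q}
        if len(users) >= spray_users:
            spray[ip] = sorted(users)
        per_user = sum(1 for _, u in q if u == user)
        if per_user >= brute_attempts:
            brute[(ip, user)] = per_user
    return {"spray": spray, "brute": brute, "success_after_failure": success_after_failure}


if __name__ == "__main__":
    report = detect(SAMPLE_LOG.splitlines())
    for ip, users in report["spray"].items():
        print(f"SPRAY  {ip}: {len(users)} accounts {users}")
    for (ip, user), n in report["brute"].items():
        print(f"BRUTE  {ip} -> {user}: {n} failures")
    for ip, user in report["success_after_failure"]:
        print(f"ALERT  {ip} logged in as {user} after earlier failures")
```

The distinct-user count per source is the discriminator: a spray keeps each account at one or two failures, so per-account lockout never fires and only a per-source view catches it. On a real gateway, feed it `journalctl -u sshd` output or the equivalent VPN appliance log, and tune `window` and the two thresholds to the noise level of your own user base before alerting on it.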
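The Defender for Office 365 item above describes what email bombing is but not how it is detected, and Microsoft has not published its detection logic. The following is an added example, not Microsoft's code: a detector over constructed SMTP-gateway style log lines that keys on the signal an email bomb produces, one recipient receiving a burst of messages from a large number of distinct senders, while leaving a high-volume single-sender feed (monitoring alerts) alone. The log format, the three mailboxes, the domains and the thresholds are assumptions made for the example.

```python
"""Email-bomb detector over SMTP-gateway style log lines.

Added example; the log format, mailboxes and thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed gateway log format: ISO timestamp, envelope sender, recipient, subject.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) from=(?P<sender>\S+) '
    r'to=(?P<rcpt>\S+) subject="(?P<subject>[^"]*)"$'
)


def build_sample_log():
    """Constructed log lines (not real traffic) covering three mailboxes:
    alice: three ordinary messages over half an hour
    noc:   40 monitoring alerts in two minutes, all from ONE sender (high volume, not a bomb)
    cfo:   60 sign-up confirmations in two minutes from 60 DIFFERENT senders (the bomb)
    """
    base = datetime(2025, 6, 30, 9, 0, 0)

    def line(t, sender, rcpt, subject):
        return f'{t.isoformat()}Z from={sender} to={rcpt} subject="{subject}"'

    lines = [line(base + timedelta(minutes=10 * i), f"colleague{i}@corp.example",
                  "alice@corp.example", "Re: Q3 plan") for i in range(3)]
    lines += [line(base + timedelta(seconds=3 * i), "alerts@monitoring.example",
                   "noc@corp.example", f"Disk usage warning {i}") for i in range(40)]
    lines += [line(base + timedelta(seconds=2 * i), f"noreply@site{i:03d}.example",
                   "cfo@corp.example", "Please confirm your subscription") for i in range(60)]
    return sorted(lines)  # ISO timestamps sort chronologically as strings


def detect_email_bombs(lines, window=timedelta(minutes=10), min_messages=50, min_distinct_ratio=0.8):
    """Per-recipient sliding window. A mailbox is flagged when, inside `window`, it
    received >= min_messages AND the share of distinct senders is >= min_distinct_ratio.
    The distinct-sender ratio is what separates a bomb (hundreds of unrelated list
    confirmations) from a legitimate high-volume feed (one sender, many alerts).
    Returns {recipient: {messages, distinct_senders, window_start, window_end, top_subjects}}.
    """
    recent = defaultdict(deque)   # recipient -> deque of (ts, sender, subject)
    flagged = {}
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[m["rcpt"]]
        q.append((ts, m["sender"], m["subject"]))
        while ts - q[0][0] > window:           # drop messages older than the window
            q.popleft()
        n = len(q)
        distinct = len({s for _, s, _ in q})
        if n >= min_messages and distinct / n >= min_distinct_ratio:
            flagged[m["rcpt"]] = {
                "messages": n,
                "distinct_senders": distinct,
                "window_start": q[0][0],
                "window_end": ts,
                # most common subjects help an analyst write a junk rule for the flood
                "top_subjects": Counter(subj for _, _, subj in q).most_common(3),
            }
    return flagged


if __name__ == "__main__":
    for rcpt, info in detect_email_bombs(build_sample_log()).items():
        print(f"EMAIL BOMB {rcpt}: {info['messages']} msgs from {info['distinct_senders']} senders "
              f"between {info['window_start']:%H:%M:%S} and {info['window_end']:%H:%M:%S}; "
              f"top subjects {info['top_subjects']}")
```

The point of the sender-diversity check is the false positive a plain volume threshold would produce: the `noc` mailbox takes 40 messages in two minutes and is perfectly normal. When the detector does fire, the other thing to look at is what is hiding in the flood, since the attacker's goal is usually to bury a specific message (or to follow up with a "helpdesk" call), so the window boundaries it returns are the time range to search, not just the messages to junk.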