Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11822
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-06-23 16:50:11 | bleepingcomputer | MALWARE | New SparkKitty Malware Steals Photos and Crypto from Mobile Devices | A new malware, SparkKitty, identified on Google Play and Apple App Store, targets photos and cryptocurrency data.
SparkKitty is likely an evolution of SparkCat, using optical character recognition (OCR) to detect and steal crypto wallet seed phrases from images.
The malware has spread through legitimate app stores and affects both Android and iOS devices via apps and fake frameworks.
Malicious activities involve stealing all images from device galleries, which could be used for crypto theft or potentially for extortion.
Indicators of the malware on a device include requests for photo-gallery access followed by indiscriminate uploads of images and text.
The official response includes app removals from stores, developer bans, and protective measures like Google Play Protect.
Recommendations for users include enhanced scrutiny of app permissions and avoiding storing sensitive wallet information on mobile devices. | Details |
| 2025-06-23 16:23:39 | bleepingcomputer | NATION STATE ACTIVITY | U.S. Warns of Increased Iranian Cyber Threats Amid Conflict | The U.S. Department of Homeland Security (DHS) issued a warning about escalating dangers of cyberattacks from Iran-backed hackers and pro-Iranian hacktivists.
A National Terrorism Advisory System bulletin highlighted a heightened threat environment in the U.S. due to ongoing conflicts involving Iran.
The DHS advisory noted an increased likelihood of U.S.-based violent extremists incited by potential religious rulings from Iranian leadership.
Previous attacks have involved poorly secured U.S. networks, often targeted by Iranian government-affiliated hackers and independent hacktivists.
U.S., Canadian, and Australian authorities noted increased Iranian hacker activities in sectors like healthcare, government, and energy, employing methods like password spraying and MFA fatigue.
The advisory named an Iranian threat group, Br0k3r, linked with state-sponsored activities including selling access to breached networks for ransomware attacks.
The escalated cyber threat level follows recent U.S. military actions against key Iranian nuclear facilities.
Iran's Foreign Minister warned of "everlasting consequences," signaling potential escalatory actions in cyberspace and beyond. | Details |
| 2025-06-23 16:06:37 | thehackernews | CYBERCRIME | Echo Chamber Technique Subverts AI Content Filters Successfully | Researchers have identified a new method, "Echo Chamber," which effectively manipulates large language models (LLMs) like those from OpenAI and Google to produce undesirable content despite implemented security measures.
Echo Chamber uses indirect references and multi-step reasoning to subtly guide LLMs into generating responses that violate content policies.
This method contrasts with previous tactics by progressively steering the conversation without obvious adversarial prompts, making it harder for models to detect and block.
In tests, Echo Chamber attacks showed over a 90% success rate in prompting LLMs to generate harmful content on topics like sexism, violence, and hate speech.
The technique highlights significant vulnerabilities in model safety mechanisms, suggesting that as LLMs enhance their inference capabilities, they also become more susceptible to indirect forms of manipulation.
Another related method, coined "Crescendo," involves a series of progressively malicious questions, demonstrating that multiple attack vectors are possible by exploiting AI's extensive context window.
The study underscores the ongoing challenges in aligning LLM behaviors with ethical standards and maintaining robust defenses against evolving exploitation strategies. | Details |
| 2025-06-23 15:55:54 | theregister | DATA BREACH | Second Major Cyberattack Hits McLaren Health, Affects 743K Patients | McLaren Health Care experienced its second major cybersecurity incident within a year, affecting 743,131 individuals at Detroit’s Karmanos Cancer Institute, which is part of McLaren’s network.
The breach, which occurred on July 17, 2024, but was undetected until August 5, involved unauthorized access that compromised personal and protected health information.
McLaren is currently notifying affected individuals and has filed a breach notification with Maine's attorney general; the incident was not explicitly labeled as a ransomware attack, although it was claimed by a group called INC.
In response to the incident, McLaren is implementing additional safety measures and offering 12 months of free credit monitoring to those impacted.
No evidence suggests that the stolen data has been misused, according to McLaren’s communication.
This recent breach follows a prior incident in July 2023, where data pertaining to 2.5 million people was reportedly compromised by the ALPHV/BlackCat group.
Despite these breaches, McLaren has not faced regulatory penalties, though several law firms are investigating and considering class action lawsuits.
McLaren and Karmanos have yet to respond to requests for further information regarding the breach. | Details |
| 2025-06-23 15:27:04 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hackers Exploit Cisco Flaw in Canadian Telecom Breach | The Chinese state-sponsored hacking group, Salt Typhoon, exploited a critical vulnerability in Cisco IOS XE software to breach a Canadian telecom provider in February 2025.
This vulnerability, identified as CVE-2023-20198, allows unauthenticated remote attackers to create accounts with admin-level privileges. It was initially disclosed and exploited as a zero-day in October 2023.
Despite previous breaches and warnings, the affected telecom provider had not applied the necessary patches to prevent exploitation.
Salt Typhoon's activities included retrieving and modifying configuration files of network devices to establish a GRE tunnel for traffic interception.
Canadian authorities had observed reconnaissance activities by the same group targeting multiple sectors in October 2024, but no breaches were confirmed at that time.
The attacks, which have extended beyond telecommunications to other critical industries, involve data theft potentially used for lateral movements and supply chain attacks.
The Canadian Cyber Centre warned that such attacks are likely to continue, urging increased network protection especially for telecommunication providers handling sensitive data.
Salt Typhoon has previously targeted multiple major telecom companies globally, demonstrating a pattern of strategic, state-sponsored espionage. | Details |
| 2025-06-23 15:19:16 | thehackernews | NATION STATE ACTIVITY | DHS Alerts on Pro-Iranian Cyber Threats to U.S. Networks Amid War | The U.S. has conducted airstrikes on Iranian nuclear sites, escalating the Iran–Israel war since June 13, 2025.
Following these military actions, the Department of Homeland Security (DHS) has issued warnings about potential retaliatory cyber attacks from pro-Iranian groups.
The DHS indicates a likely increase in low-level cyber attacks and potential significant threats from Iranian government-affiliated cyber actors targeting U.S. networks.
These cyber threats primarily aim at poorly secured U.S. networks and Internet-connected devices, raising concerns over cybersecurity vulnerabilities.
The attacks include potentially disruptive actions, with a recent example being the DDoS attack by pro-Iranian group Team 313 on Trump's Truth Social platform.
President Trump has deemed the strikes a “spectacular military success” and has threatened further action if peace overtures are not made by Tehran. | Details |
| 2025-06-23 15:13:10 | bleepingcomputer | CYBERCRIME | REvil Ransomware Members Released After Time Served in Russia | Four members of the REvil ransomware gang were released by the Russian courts after pleading guilty to carding and malware distribution, having served their pre-trial detention.
Arrested initially in January 2022, these individuals were part of a larger group involved in significant global cybercrimes, including the notorious Kaseya attack.
Other REvil members who did not plead guilty received sentences ranging from 4.5 to 6 years on various charges including illegal circulation of payment means and distribution of malware.
REvil, known for demanding large ransoms, had allegedly accrued over $100 million within a year before law enforcement pressures led to a temporary cessation of their operations.
The group resumed activities briefly before being infiltrated by law enforcement, leading to further arrests and the eventual claim by Russian FSB that they had dismantled the criminal community.
The breakdown in U.S.-Russia cybersecurity communications following the Ukraine conflict has affected negotiations and cooperative efforts to manage cybercrime activities linked to REvil.
The history of REvil’s activities and the recent legal outcomes highlight significant challenges in international efforts to combat ransomware and cybercrime. | Details |
| 2025-06-23 14:29:48 | bleepingcomputer | DATA BREACH | McLaren Health Care Hit by Ransomware, 743,000 Patients Affected | McLaren Health Care suffered a significant data breach impacting 743,000 patients, attributed to the INC ransomware gang's attack in July 2024.
The data breach was discovered on August 5, 2024, following an IT and phone systems outage at the beginning of that month.
Forensic investigations were completed by May 5, 2025, determining the extent of the affected patients and data, with notifications beginning shortly thereafter.
The breach affected systems including those of the Karmanos Cancer Institute, with ongoing implications on patient data security.
An employee inadvertently exposed the ransomware attack after ransom notes were automatically printed at a Bay City hospital.
McLaren Health Care has a history of cybersecurity issues, having previously suffered another ransomware attack in July 2023 by the ALPHV/BlackCat group that compromised sensitive data of 2.2 million individuals.
The latest incident underscores persistent vulnerabilities in healthcare systems to ransomware attacks and the critical need for enhanced cybersecurity measures. | Details |
| 2025-06-23 13:16:17 | thehackernews | NATION STATE ACTIVITY | XDigo Malware Targets Eastern European Governments via LNK Flaw | Go-based XDigo malware was used to attack governmental entities in Eastern Europe in March 2025.
The attacks leveraged a Windows LNK file exploit targeting a remote code execution flaw publicized by Trend Micro.
The flaw allows attackers to execute code under the guise of the current user by manipulating LNK file data.
Malware deployment includes a complex chain involving ZIP archives, decoy files, and a rogue DLL, ultimately leading to data theft.
XDigo can harvest files, capture screenshots, extract clipboard content, and exfiltrate data via HTTP.
Evidence suggests XDigo is a new version of malware previously analyzed by Kaspersky in 2023, with expanded capabilities.
The targeting strategy of the attackers aligns with a focus on Eastern European governments, highlighting ongoing nation-state cyber espionage activities. | Details |
| 2025-06-23 12:29:26 | bleepingcomputer | DATA BREACH | Nucor Steel Hit by Data Theft, Halts Production Operations | Nucor, North America’s largest steel producer, confirmed a data breach involving stolen data from its systems.
The incident led to the shutdown of certain production operations at several locations as a precautionary measure.
Following the breach, Nucor notified law enforcement and engaged external cybersecurity experts to aid in recovery and investigation.
The breach caused temporary limitations on access to some IT applications affecting operational aspects.
The company confirmed that “limited data” was exfiltrated by the attackers and is currently assessing the impact.
Nucor has restored access to affected systems and believes the threat actors no longer have access to its network.
The company has committed to notifying all potentially affected parties and regulatory bodies as necessary.
Details regarding the specific type of attack or whether ransomware was involved remain unclear. | Details |
| 2025-06-23 11:35:20 | theregister | CYBERCRIME | UK Retail Hit Hard by Major Cyberattacks, Costs Soar | The UK Cyber Monitoring Centre (CMC) estimates the financial impact of recent cyberattacks on major UK retail to be between £270-440 million.
Significant attacks targeted well-known stores such as Marks & Spencer, the Co-op, and Harrods, although Harrods sustained less damage due to continued operation.
The CMC categorizes these incidents as category 2 systemic events, with severe implications for the directly affected companies and their network of suppliers and partners.
While online sales for M&S were severely disrupted, leading to a notable drop in daily revenues, the Co-op experienced a lesser financial impact but a broader regional effect.
The event had a marked impact on contactless and online payments, demonstrating the operational vulnerabilities businesses face from cyber threats.
This incident marks the first applied use of the CMC's cyber event grading scale, introduced to clarify and manage systemic cyber risks and insurance claims.
The ongoing implications of such cyberattacks are prompting discussions about national security and the need for enhanced cyber resilience strategies. | Details |
| 2025-06-23 11:26:28 | thehackernews | MISCELLANEOUS | How AI Automation Reduces Burnout in Security Operation Centers | Burnout is common in SOCs due to fragmented tools, extensive workflows, and repetitive tasks amid understaffing.
SOC teams often consist of only 2-10 full-time analysts who manage a broad scope of infrastructures, from on-premises systems to cloud-based and SaaS platforms.
Traditional methods of automation in SOCs are insufficient, relying on brittle playbooks that falter when unexpected scenarios arise.
AI-powered automation can drastically improve SOC efficiency by acting as a contextual aggregator, reducing the manual burden on analysts, and enhancing decision-making processes.
AI introduces adaptive automation, enabling more versatile responses to security threats and dynamic workload management based on real-time context.
AI also supports analysts' skill development and job satisfaction through real-time feedback, fostering a more supportive and growth-oriented work environment.
Enhanced AI capabilities allow SOC leaders to better manage team performance by providing insights into analysts' work patterns and identifying areas of improvement.
The potential of AI to alleviate stress and reduce burnout in SOCs promotes better retention and job satisfaction among security analysts. | Details |
| 2025-06-23 10:49:01 | thehackernews | CYBERCRIME | Google Enhances GenAI Security Against Indirect Prompt Injections | Google has introduced multiple security measures to protect its generative AI systems from indirect prompt injection attacks, which manipulate AI with hidden commands in external data like emails or documents.
These attacks could potentially lead to data exfiltration or other malicious activities by tricking AI systems.
The company has implemented a layered defense strategy to increase the complexity and cost of successful attacks, including model hardening and machine learning models designed to detect malicious instructions.
Additional safeguards have been integrated into Google’s flagship GenAI model, Gemini, to enhance its resilience against such cybersecurity threats.
However, adaptive attacks that evolve with automated red teaming efforts are proving capable of bypassing these defenses, highlighting the need for robust, multi-layered security across all aspects of AI systems.
Recent research has shown that large language models (LLMs) can be used by adversaries for more precise extraction of sensitive information and to create targeted fake web pages.
Studies also suggest that while AI models are becoming proficient in automating certain security tasks, they still face challenges with more complex vulnerabilities like system exploitation and model inversion.
The evolving capabilities of AI models underscore the importance of continuous advancement in AI security to counteract emerging threats and exploit techniques. | Details |
| 2025-06-23 09:34:02 | thehackernews | DDOS | Record-Breaking 7.3 Tbps DDoS Attack Thwarted by Cloudflare | Cloudflare successfully blocked the largest DDoS attack recorded at 7.3 Tbps, targeting an unnamed hosting provider.
The monumental attack utilized 37.4 terabytes of data within 45 seconds, originating from over 122,145 IP addresses across 161 countries.
Major sources of the attack traffic included Brazil, Vietnam, Taiwan, China, and several other countries.
The report underscores the importance of robust cybersecurity measures and the continuous threat of DDoS attacks on global infrastructure.
Recommendations include timely software updates and patching of the critical vulnerabilities listed, such as the CVE-2025 series affecting various software.
The article also emphasized the potential security risks in using SCCM without appropriate safeguards and configuration.
The article provides a call to action for improved security protocols, regular credential rotation, and network segmentation to prevent silent domain takeovers. | Details |
| 2025-06-23 00:38:05 | theregister | NATION STATE ACTIVITY | Ex-Sergeant Guilty of Selling Military Secrets to China | Former US Army sergeant Joseph Daniel Schmidt has pleaded guilty to attempting to sell classified military data to China using his former top-secret clearance.
Schmidt's efforts to contact the Chinese government were poorly executed, using personal email addresses and publicly searchable questions related to espionage.
He faces up to 10 years in prison and a $250,000 fine for his actions.
Separately, 5.4 million healthcare records from the firm Episource were stolen, including sensitive personal and medical information.
New vulnerabilities in Linux and XML parsing libraries pose significant threats to system security, with some still unpatched.
The use of AI in spam emails has improved quality, making malicious emails harder to detect.
Critical vulnerabilities in Citrix products and TP-Link Wi-Fi routers have been addressed, but patches are urged for several exploited flaws. | Details |