Daily Brief


Total articles found: 11822


2025-06-22 21:53:58 bleepingcomputer CYBERCRIME CoinMarketCap Website Hacked, Crypto Wallets Drained by Malicious Script
CoinMarketCap, a popular cryptocurrency tracking site, was compromised in a supply chain attack that was used to run a crypto wallet-drainer campaign. On January 20, visitors were shown unauthorized Web3 popups prompting them to connect their crypto wallets, which led to the theft of cryptocurrency. The attackers injected malicious JavaScript through a vulnerability in the site's homepage "doodle" image. The script displayed a fake wallet-connect popup carrying CoinMarketCap branding, deceiving users into approving a transaction that drained their wallets. Analysis revealed that the attackers modified the API used to retrieve homepage images, inserting a script that pulled the wallet-drainer code from an external server. The attack affected 110 victims and stole a total of $43,266; the attackers communicated in French on a Telegram channel. In response, CoinMarketCap removed the malicious content, closed the vulnerability, and assured users the site is now secure.
2025-06-22 15:19:39 bleepingcomputer DATA BREACH Oxford City Council Hit by Significant Data Breach
Oxford City Council experienced a data breach affecting systems that held two decades of data. Personal information of former and current council officers involved in elections between 2001 and 2022 was accessed. While most systems have been restored, some service delays persist because of existing backlogs. Initial investigations found no evidence of widespread data dissemination or mass data extraction. Affected individuals are being contacted directly with information about the breach and support resources. The council has notified the relevant government and law enforcement agencies. Additional security measures are being implemented to harden systems against future attacks. The breach reportedly did not compromise citizen data; it affected personnel associated with election administration.
2025-06-21 15:14:33 bleepingcomputer CYBERCRIME Russian Hackers Target Gmail Using Stolen App Passwords
Russian hackers impersonated U.S. State Department officials in sophisticated phishing attacks designed to bypass Gmail multi-factor authentication. The attackers targeted academics and critics of Russia, using social engineering to obtain app-specific passwords. Security researchers identified the group as UNC6293, possibly linked to APT29, a known Russian state-sponsored group. The phishing campaign was meticulously planned, using credible-looking emails and platforms to gain the targets' trust. Once targets had been deceived into creating app-specific passwords, the attackers used those passwords to gain full access to the victims' Gmail accounts. The campaign relied on residential proxies and VPS servers to preserve the attackers' anonymity. Google advised targeted users to enroll in its Advanced Protection Program to prevent such breaches.
2025-06-21 14:13:59 bleepingcomputer CYBERCRIME Hackers Exploit WordPress Theme Flaw to Gain Admin Control
Hackers are actively exploiting a critical vulnerability in the "Motors" WordPress theme to hijack admin accounts. The vulnerability, identified as CVE-2025-4322, allows attackers to escalate privileges by altering admin passwords without authorization. Wordfence first reported the issue on May 19, 2025, after discovering the flaw earlier in the month, with exploits seen from May 20. Despite a patch released on May 14, many users did not update, leading to widespread exploitation, with over 23,100 attacks blocked by Wordfence by early June. Attackers manipulate the theme's password reset feature using malformed data to bypass security checks and reset admin passwords. Post-intrusion activities include creating new admin accounts for persistent access and potential lockout of legitimate administrators. Observations note the use of specific malicious IP addresses, which Wordfence recommends blocking to mitigate risk. The incident underscores the critical importance of timely application of security patches to prevent unauthorized access and control.
2025-06-21 09:50:31 thehackernews CYBERCRIME Scattered Spider Cyberattacks Cost UK Retailers Up to $592M in Damages
Scattered Spider, a notorious cybercrime group, executed coordinated cyberattacks on UK retailers Marks & Spencer and Co-op in April 2025, causing financial damage estimated between £270 million ($363 million) and £440 million ($592 million). The Cyber Monitoring Centre (CMC), an independent U.K.-based body, categorized the incidents as a single "Category 2 systemic event" because of the similarity in tactics and the close timing of the attacks. The group used social engineering against IT help desks to gain unauthorized access, demonstrating sophisticated attack methods. The attacks had a 'narrow and deep' impact on the targeted retailers, with significant implications for their suppliers, partners, and service providers. Concurrently, Google Threat Intelligence Group reported that Scattered Spider has begun targeting major US insurance companies, indicating a shift in focus and a potentially broader threat. Tata Consultancy Services (TCS) confirmed that its systems were not compromised in the attack against Marks & Spencer, amid an internal investigation into whether its systems were used as a launchpad for the attacks. Separately, the Qilin ransomware operation's new strategy of using legal tactics and media manipulation to intensify pressure during ransom negotiations highlights how extortion tactics continue to evolve.
2025-06-20 21:13:32 theregister CYBERCRIME Scammers Hijack Major Brands' Websites Displaying Fake Support Numbers
Scammers are manipulating search results to display ads with embedded fake help-desk numbers for companies such as Netflix, Apple, and Bank of America. The scheme involves crafting malicious URLs that direct users to legitimate brand websites but carry a false phone number that is reflected back through the site's search functionality. This type of attack, known as search poisoning or SEO poisoning, exploits search engine algorithms to promote malicious results that mimic legitimate ones. Because the ads lead to the real brand's domain, they escape detection by traditional security tools such as Chrome's Safe Browsing. The scam is enabled by a flaw in the search functions of Netflix and other sites, which do not properly sanitize input and therefore reflect attacker-supplied text onto the page. Victims are deceived into believing the fake numbers are genuine customer support, which can lead to disclosure of personal and financial information or to granting remote access to their devices. Malwarebytes warns users about this scam and recommends scrutinizing URLs for suspicious terms and encoded characters. Tips to avoid falling victim include being wary of pre-populated phone numbers in search bars and not disclosing sensitive information such as usernames and passwords to unverified sources.
2025-06-20 17:58:40 theregister DATA BREACH Aflac Caught in Scattered Spider's Cybercrime Web Amidst Industry Attacks
Aflac disclosed a security incident attributed to the cybercrime group Scattered Spider, after detecting unauthorized network access on June 12. The breach involved the possible theft of sensitive data, including claims details, health information, Social Security numbers, and personal data of various stakeholders. Unlike other similar attacks, Aflac's network was not hit with ransomware, and the company contained the intrusion quickly, avoiding major operational disruption. The breach appears coordinated with recent attacks on other insurers such as Erie Insurance and Tokio Marine, as part of Scattered Spider's focus on the insurance sector. Aflac is working with external cybersecurity experts on incident response and has begun a thorough investigation using indicators linked to social engineering tactics. The incidents came shortly after Google Threat Intelligence Group warned the insurance sector of threats mirroring Scattered Spider's tactics. Scattered Spider, known for sector-focused campaigns and prior targeting of the retail and casino industries, has repeatedly shifted to a new sector soon after exploiting one.
2025-06-20 17:58:40 bleepingcomputer NATION STATE ACTIVITY North Korean Lazarus Group Behind $11 Million Crypto Theft
The Taiwanese cryptocurrency exchange BitoPro attributed an $11 million theft of cryptocurrency to the North Korean hacking group Lazarus. BitoPro reported that unauthorized withdrawals were made from an outdated hot wallet system during an update on May 8, 2025. The thieves then laundered the stolen funds through decentralized exchanges (DEXs) and mixers, complicating tracing efforts. Initial investigations found that the attack methodology and intrusion patterns resembled those associated with Lazarus in prior global incidents. An internal investigation confirmed that no BitoPro employees were complicit, but a social engineering attack had allowed malware to be installed on a cloud operations manager's device. The attackers used this malware to hijack AWS session tokens, bypass multi-factor authentication, and take control of the exchange's cloud infrastructure. After detecting the compromise, BitoPro secured its systems by shutting down the affected wallet services and rotating cryptographic keys. BitoPro then replenished the impacted wallets from its reserves and continued operating, while cooperating with cybersecurity experts and authorities on investigation and mitigation.
2025-06-20 17:36:47 theregister CYBERCRIME Qilin Ransomware Group Employs Lawyers to Intensify Extortion Efforts
Qilin, a ransomware group, is now offering its affiliates access to lawyers to intensify ransom negotiations, effectively using legal threats to compel payment. These legal advisers are part of a broader strategy to present a sophisticated criminal operation, aiming to attract more affiliates and increase attack success rates. The lawyers can also take part in negotiations, advising victims of the maximum damage Qilin could cause if ransoms are not paid. Cybersecurity experts regard the move primarily as a marketing stunt and question the viability and authenticity of such services. In addition to legal services, Qilin claims to have added features such as 1 petabyte of storage and capabilities for email and phone spamming, network propagation, and launching DDoS attacks. Cybereason identifies Qilin as a dominant player in the ransomware-as-a-service (RaaS) market, noting that it has overtaken formerly leading groups partly as a result of law enforcement actions against them. The group has a history of targeting critical infrastructure and is affiliated with Scattered Spider, a group known for significant cyberattacks. Overall, these additions to Qilin's affiliate panel mark a shift towards presenting itself as a full-service cybercrime platform.
2025-06-20 16:45:15 thehackernews CYBERCRIME Qilin Ransomware Intensifies Operations with Legal Pressure Tactic
The Qilin ransomware group has expanded its pressure tactics by adding a "Call Lawyer" feature intended to push victims into paying higher ransoms. This is part of a broader trend of Qilin filling the operational void left by rival groups such as LockBit and BlackCat, evidenced by its 72 victims in April 2025, the most of any group that month. The group offers extensive support options to affiliates and operates a sophisticated infrastructure with payloads written in Rust and C, among other tooling. Recent months have seen an influx of affiliates from defunct groups, which has contributed to Qilin's increased ransomware activity. Qilin positions itself as a full-service cybercrime platform, now offering DDoS attacks, spam services, and petabyte-scale data storage in addition to ransomware. This evolution signals a strategic shift toward exploiting every facet of cybercrime to maximize impact and profitability. The group targets corporations with sophisticated phishing, using disguised communications to infiltrate victim networks and establish persistent access.
2025-06-20 15:59:30 bleepingcomputer DDOS Cloudflare Thwarts Record 7.3 Tbps DDoS Attack on Hosting Provider
Cloudflare mitigated a record-breaking 7.3 Tbps DDoS attack targeting a hosting provider in May 2025. The attack delivered a staggering 37.4 TB of data in just 45 seconds. It originated from 122,145 source IP addresses across 161 countries, with significant activity from Brazil, Vietnam, Taiwan, China, Indonesia, and Ukraine. The attack spread traffic across multiple destination ports, peaking at 34,517 ports per second, in an attempt to overwhelm firewalls and intrusion detection systems. Cloudflare's Magic Transit service mitigated the attack without human intervention by dispersing the traffic across 477 data centers. Key technologies such as real-time fingerprinting and intra-data-center gossiping enabled real-time intelligence sharing and automated rule compilation. Nearly all of the attack volume consisted of UDP floods, with additional vectors targeting legacy or poorly configured services. Cloudflare updated its DDoS Botnet Threat Feed with IoCs from the attack, helping over 600 organizations preemptively block the malicious IP addresses.
2025-06-20 14:54:42 bleepingcomputer DATA BREACH Aflac Reports Data Breach Amid Widespread Insurance Industry Cyberattacks
Aflac disclosed a significant data breach in which personal and health information was stolen, amid a targeted cyberattack campaign against U.S. insurance firms. No ransomware deployment was confirmed in the breach, though it remains unclear whether an attempt was blocked or the attack was solely aimed at data theft. The company reacted quickly by activating its cyber incident response protocols and stopped the attack within hours. Aflac's operations remain unaffected, and it continues to service customers and process claims and policies as usual. The breach involved sensitive data ranging from health information to Social Security numbers, affecting customers, employees, and other stakeholders. External cybersecurity experts have been engaged to investigate further and review the potentially exposed files. The attack's characteristics align with those of Scattered Spider, a group known for sophisticated social engineering and previous attacks on high-profile organizations.
2025-06-20 14:20:32 bleepingcomputer MISCELLANEOUS Self-Service Password Resets Enhance Security and Cost-Efficiency
Organizations still rely heavily on passwords as a primary defense for online services. Password-related issues such as resets and expirations account for 40% of service desk inquiries, with each reset costing around $70. Self-service password reset (SSPR) solutions let users reset their passwords independently, reducing helpdesk load and operational costs. SSPR solutions require rigorous identity verification to prevent unauthorized access, with multi-factor authentication (MFA) being critical. Implementing SSPR can save organizations an average of $65,000 by minimizing manual IT support and improving productivity. Web-based SSPR portals support remote users, allowing password resets from anywhere without compromising security. Security teams should also mitigate social engineering risks through dynamic challenge-response mechanisms and risk-based authentication. Best practices for SSPR solutions include smooth integration with systems such as Active Directory and comprehensive security controls to drive adoption and protect against abuse.
2025-06-20 13:08:43 bleepingcomputer MISCELLANEOUS Microsoft Enhances Security by Removing Outdated Drivers
Microsoft plans to periodically remove outdated drivers from Windows Update to enhance security and compatibility. This initiative targets drivers that have newer versions available, aiming to optimize the driver offerings on Windows Update. The removal process involves expiring drivers' audience assignments within the Hardware Development Center, preventing them from being distributed. Legacy drivers are the initial focus, with plans to expand the categories of drivers being removed over time. Partners can republish drivers removed in this cleanup if they provide a valid business reason. This cleanup is part of a broader effort to improve Windows security; new publishing guidelines for drivers will be introduced. Related security efforts include changes to pre-production driver signing and updated security defaults across Microsoft 365 to prevent access via outdated authentication protocols. Microsoft emphasizes the routine nature of this cleanup as a proactive security measure and driver management improvement.
2025-06-20 12:04:07 thehackernews NATION STATE ACTIVITY Iran's State TV Hacked Amidst Escalating Cyber Conflict with Israel
Iran's state television was hacked and used to broadcast calls for anti-government protests, with Iran accusing Israel of the interference. Concurrently, Iran's largest cryptocurrency exchange, Nobitex, was hacked, resulting in the theft of over $90 million. These cyberattacks are part of an ongoing and intensifying cyber conflict between Israel and Iran, linked to broader geopolitical tensions. Iranian entities are using virtual assets strategically as financial workarounds and to support their geopolitical aims, including weapons technology proliferation. The hacktivist group DieNet threatened cyberattacks on the U.S. if it intervened against Iran, illustrating the potential for global impact. Israeli officials revealed Iranian attempts to hijack private security cameras in Israel for real-time intelligence, similar to tactics used by Russia in Ukraine. Cybersecurity experts warn global companies of an increased risk of becoming collateral targets in the escalating cyber conflict between Israel and Iran. Analysis indicates a significant disparity in coordinated cyberattacks between pro-Iranian and pro-Israeli groups, which focus primarily on DDoS attacks, website defacements, and data breaches.