Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-06-20 10:51:40 | theregister | DATA BREACH | Cyberattack Compromises 21 Years of Oxford Council Election Data | Oxford City Council experienced a cyberattack earlier this month, compromising 21 years of election worker data from 2001 to 2022. Unauthorized attackers accessed personal information of current and former council officers via compromised legacy systems. There is no evidence that the accessed data has been shared with third parties or extracted in bulk from the council's systems. Affected individuals have been contacted directly by the council with details of the breach and the support available. External cybersecurity experts were involved in managing the cleanup and securing the systems; key services have been restored. The council's automated security systems detected and counteracted the unauthorized access, preventing further intrusion. The incident reflects broader security concerns as local authorities digitize services, making them attractive targets for cyberattacks. Similar cyberattacks have recently targeted other UK councils, highlighting the persistent threats faced by local government. |
| 2025-06-20 10:03:09 | thehackernews | MISCELLANEOUS | Strategies for Achieving 24/7 In-House SOC Success | Establishing a 24/7 Security Operations Center (SOC) is crucial for constant threat monitoring, especially during off-peak hours. Effective SOC operation requires a mix of skilled staff, cutting-edge tools, continuous education, and a robust management system. Building on a mission aligned with business goals is vital for determining security needs and resource allocation. Prioritizing sustainability in team management, such as diverse hiring and manageable shift rotations, is essential to prevent burnout and maintain alertness. Artificial intelligence plays a critical role in automating threat detection, enabling quicker responses and reducing human error. Regularly updated training and simulation exercises ensure that the SOC team can handle real incidents effectively. It is important to use AI-enhanced tools and platforms like Radiant that cater to specific business needs and streamline SOC operations. Governance and continuous improvement practices, including clear metrics and regular reviews, help optimize SOC efficacy and team performance. |
| 2025-06-20 09:40:09 | thehackernews | DDOS | Cloudflare Blocks Record 7.3 Tbps DDoS Attack on Hosting Provider | In mid-May 2025, Cloudflare thwarted the largest DDoS attack recorded to date, peaking at 7.3 Tbps, against an unnamed hosting provider. The attack delivered 37.4 terabytes of data within 45 seconds, targeting nearly 22,000 destination ports per second on average. The assault was multi-vector, involving UDP floods, reflection attacks (QOTD, echo, NTP), Mirai UDP floods, portmap floods, and RIPv1 amplification. It used over 122,145 source IP addresses from 5,433 Autonomous Systems across 161 countries. The largest contributors to the attack traffic were Brazil, Vietnam, Taiwan, and China, with Telefonica Brazil alone accounting for 10.5% of the traffic. Cloudflare's report also noted the activity of the RapperBot DDoS botnet, which has targeted various industries globally since 2022 and uses tactics such as encrypting its command-and-control communications. |
| 2025-06-20 07:41:59 | thehackernews | MALWARE | GitHub Repos Used to Spread Malware in Cybersecurity Scam | Cybersecurity researchers from ReversingLabs have uncovered a new malicious campaign involving 67 GitHub repositories. The repositories impersonated legitimate Python-based hacking utilities but instead distributed trojanized, information-stealing payloads. The campaign targeted gamers and developers, promising utilities such as game cheats and account management tools while harvesting sensitive data. Analysis found the repositories acted as vectors for malware that could inject malicious code into apps such as the Exodus cryptocurrency wallet. All of the identified repositories have since been removed by GitHub. Earlier research indicated a broader trend of GitHub increasingly being used to disseminate malware to various user groups, including inexperienced cybercriminals. Further campaigns extend this misuse of GitHub, including the Stargazers Ghost Network targeting Minecraft users. Cybersecurity professionals highlight the continuing rise in software supply chain attacks via public code repositories and urge developers to verify the integrity of the repositories they use. |
| 2025-06-19 21:53:38 | bleepingcomputer | DATA BREACH | Unpacking the Massive 16 Billion Credential Compilation Leak | The reported leak of 16 billion credentials is not a new data breach but a compilation of previously stolen data. The credentials were aggregated from various sources, including infostealers, old breaches, and credential stuffing attacks. The compilation was exposed online, though there is no evidence that it contains any new or previously unseen data. Infostealer malware, which collects user credentials from infected machines, played a significant role in accumulating this data. Recent crackdowns on cybercrime, such as Operation Secure and the disruption of LummaStealer, highlight the ongoing battle against credential theft. Recommendations include adopting strong, unique passwords, using password managers, and enabling two-factor authentication. Authenticator apps are advised over SMS for receiving 2FA codes, avoiding risks such as SIM swapping. Services like Have I Been Pwned let users check whether their credentials appear in known breaches. |
| 2025-06-19 19:54:39 | bleepingcomputer | MALWARE | Advanced Godfather Malware Targets Global Banking Apps | The Godfather Android malware uses virtualization to create isolated environments on mobile devices, hijacking over 500 globally recognized banking, cryptocurrency, and e-commerce apps. It mimics the legitimate app's UI within a virtual container, misleading users while stealing sensitive data such as account credentials and transaction details. The malware uses a virtual filesystem, virtual process IDs, and a StubActivity to execute apps within a controlled environment, enabling it to evade Android's security measures. It employs intent spoofing and API hooking through tools such as the VirtualApp engine and Xposed, allowing it to intercept and manipulate user interactions and data transmissions. It displays deceptive screens, such as a fake lock screen overlay during key operations, to trick users into entering their security details. Once data is captured, the malware communicates with its operators for commands that can initiate unauthorized transactions or operations from the real banking applications. Originally detected in March 2021, the malware has evolved significantly; the latest version primarily targets Turkish bank apps while retaining the capability to expand its focus globally. Recommended protections include downloading apps only from trusted sources like Google Play, activating Play Protect, and carefully reviewing app permissions. |
| 2025-06-19 19:32:00 | theregister | MISCELLANEOUS | New Defense Tech Developed to Counteract Voice-Scamming AI | Researchers from Israel and India have created ASRJam, a system that uses EchoGuard to disrupt the automatic speech recognition (ASR) systems used in voice phishing (vishing). Vishing attacks have surged by 442% in one year, prompting the development of technologies like ASRJam that can hinder AI-driven scam calls. ASRJam introduces subtle audio modifications that confuse ASR systems without affecting human understanding, breaking the scam's communication loop. While vishing relies on criminals using realistic AI-generated voices, ASRJam counters by inducing errors in the scam's speech-to-text conversion, which depends on ASR. ASRJam runs in real time on the user's device, is not observable by attackers, and applies across different AI models without needing prior samples. EchoGuard, the algorithm behind ASRJam, modifies voice signals through reverberation, microphone oscillation, and transient acoustic attenuation, balancing clarity and pleasantness for the listener. ASRJam and EchoGuard were tested against multiple datasets and ASR models and outperformed existing techniques at disrupting ASR. The developers plan further enhancements to ASRJam, aiming for a commercial rollout to mitigate escalating AI-enabled voice scams. |
| 2025-06-19 17:27:59 | thehackernews | MALWARE | New Android Malware Varieties Target Banking and NFC Transactions | Cybersecurity researchers have identified a new Android malware, AntiDot, used in 273 unique campaigns affecting 3,775 devices and sold as Malware-as-a-Service (MaaS). AntiDot exploits Android accessibility services to record screen activity, intercept SMS, and steal data from applications, with capabilities including overlay attacks and remote device control. Another malware, GodFather, uses on-device virtualization to mimic legitimate banking apps, deceiving users into entering credentials in a controlled fake environment. SuperCard X, another Android malware, leverages NFC for financial fraud by capturing bank card data from NFC traffic, targeting devices in Italy and now Russia. Recent findings have also exposed malicious apps on official app stores designed to harvest personal data and cryptocurrency wallet credentials. Security experts emphasize the need for proactive defense mechanisms and user caution, particularly with third-party app downloads and the granting of unnecessary app permissions. |
| 2025-06-19 16:35:55 | theregister | NATION STATE ACTIVITY | Judge Declares Tower Dump Data Requests Unconstitutional | The US government sought a month-long extension to consider appealing a judge's decision that tower dumps are unconstitutional. Tower dumps involve acquiring bulk records from cell towers to identify individuals' locations and connection times, potentially exposing thousands of users. The data was intended to connect suspected gang members to violent crimes over a 14-month period. Magistrate Judge Andrew S Harris ruled that the request violates the Fourth Amendment, which guards against unreasonable searches and seizures. The judge emphasized the lack of probable cause for each individual whose data would be collected. The denial reflects growing judicial concern over privacy and the scope of law enforcement's reach into personal data. A similar ruling was made in Nevada, where Judge Miranda M Du found tower dumps unconstitutional yet allowed the use of the data under a good faith exception. |
| 2025-06-19 16:35:54 | bleepingcomputer | CYBERCRIME | Upcoming Webinar Highlights Rise in Credential Theft Cyberattacks | BleepingComputer and SC Media are hosting a webinar on how cybercriminals use stolen credentials to access network systems. Identity security expert Darren Siegel will discuss the shift from exploiting vulnerabilities to credential abuse in cyberattacks. The webinar will explore tactics such as password-spray attacks, weak MFA setups, and brute-force methods targeting VPN portals. Insights on the infostealer malware economy will be shared, including how it has led to billions of stolen credentials fueling cybercrime markets. Participants will learn defensive strategies against credential-based attacks and modern identity threats. The event aims to provide practical insights from cybersecurity practitioners on mitigating the growing threat from stolen credentials. |
| 2025-06-19 14:37:01 | bleepingcomputer | CYBERCRIME | U.S. Recovers $225 Million in Cryptocurrency from Fraud Ring | The U.S. Department of Justice seized over $225 million in cryptocurrency linked to investment fraud and money laundering operations. Investigators used advanced blockchain analysis to trace funds stolen from more than 400 victims by a sophisticated laundering network. The operation is the largest crypto seizure in the history of the U.S. Secret Service and involved collaboration with agencies such as the FBI and private entities including Tether and TRM Labs. The criminals used multiple cryptocurrency addresses and accounts to disperse and conceal the origins of the fraudulently obtained funds. The laundered funds were ultimately consolidated into seven USDT wallet groups, where significant gas fees were intentionally applied to hamper traceability. Notably, one victim, a bank CEO, was deceived into transferring $47.1 million to scammers under the guise of legitimate crypto investments. Tether assisted in the recovery by freezing and burning the compromised tokens and reissuing their equivalent to the U.S. government for civil forfeiture under specific legal statutes. The Department of Justice plans to identify and reimburse victims through a claims process, although detailed restitution plans remain pending. |
| 2025-06-19 14:09:52 | bleepingcomputer | DATA BREACH | Key Trends from Verizon's 2025 Data Breach Investigations Report | Verizon's 2025 Data Breach Investigations Report (DBIR) outlines critical cybersecurity trends, notably in credential theft, GenAI risks, and third-party vulnerabilities. A webinar hosted by LayerX will feature Alex Pinto, a lead author of the DBIR, discussing these issues and the evolving threat landscape. Credential theft and phishing are highlighted as attackers' primary tactics, underlining significant security weaknesses within enterprises. The increasing threat of ransomware is emphasized, stressing the need for more effective defensive strategies. Recent research from LayerX complements the DBIR findings by discussing additional dangers posed by new technologies like GenAI. Many companies continue to use outdated security solutions that lack the defences needed against modern cyber threats. The webinar aims to provide actionable insights and strategies, urging enterprises to adopt more comprehensive and integrated security approaches. The initiative underscores the urgency for enterprises to reassess their cybersecurity postures in light of emerging threats. |
| 2025-06-19 14:01:39 | bleepingcomputer | MISCELLANEOUS | Microsoft Announces Enhanced Security Features for Windows 365 | Microsoft has introduced new security defaults for Windows 365 Cloud PCs, effective from the second half of 2025 and applying to new and reprovisioned systems. Key changes include disabling clipboard, drive, USB, and printer redirection by default to prevent data theft and block malware transmission. USB redirection will be blocked for low-level device access, but basic peripherals such as USB mice, keyboards, and webcams will still function because high-level redirection remains allowed. The security updates extend to host pools for Azure Virtual Desktop, with similar restrictions enforced. Windows 365 Cloud PCs running Windows 11 now have virtualization-based security (VBS), Credential Guard, and hypervisor-protected code integrity (HVCI) enabled by default to strengthen kernel-level protections. Microsoft will inform IT administrators of these changes through notification banners in the Intune Admin Center and provide options to adjust the settings where necessary via Intune device configuration policies or Group Policy Objects. Microsoft is also updating security across Microsoft 365 tenants to block access to SharePoint, OneDrive, and Office files via outdated authentication protocols, and to disable all ActiveX controls in upcoming Windows versions of Microsoft 365 and Office apps. |
| 2025-06-19 13:36:35 | theregister | DATA BREACH | Krispy Kreme Suffers Extensive Data Breach Affecting Over 160,000 | Krispy Kreme disclosed a significant data breach impacting 161,676 individuals, including employees and their families, following a cyberattack in November. The compromised information includes biometrics, medical information, military IDs, credit card security codes, financial account passwords, and government IDs such as passports. Security experts criticized the donut company's pre-breach security measures, highlighting the improper storage of highly sensitive data and weak encryption practices. Krispy Kreme has not offered a public apology but has provided 12 months of credit monitoring and identity protection services to the affected parties. The company reported spending approximately $4.4 million on cybersecurity improvements and other advisory fees, with the incident also causing a projected $5 million loss in EBITDA. Krispy Kreme continues to enhance the security of its IT systems to protect personal data and faces potential class action lawsuits from those affected by the breach. |
| 2025-06-19 12:00:13 | theregister | NATION STATE ACTIVITY | UK Invests in Cyber Growth, Launches Strategic Review | The UK government has initiated a formal review of the cybersecurity market to identify growth opportunities and enhance the sector's development as part of the country's Industrial Strategy. Cybersecurity expert Simon Shiu leads the review with colleagues from the University of Bristol and Imperial College London, aiming to complete it by summer with strategic recommendations. The findings will shape the refreshed National Cyber Strategy, adapting to new cyber threats and enhancing national resilience. The government plans substantial investment in the cybersecurity industry, offering up to £16 million to support new commercial ventures and the scaling of small businesses. The Cyber Security Growth Action Plan and additional funding aim to catalyze innovation, leading to higher quality jobs and stronger cybersecurity. Criticism has arisen over the composition of the newly formed Government Cyber Advisory Board, highlighting a lack of operational and public sector representation that could affect the effectiveness of future strategies. The investments and strategic initiatives form part of the broader "Plan For Change" targeting sustainable economic growth and innovation across sectors, including cybersecurity. |