Daily Brief


Total articles found: 11822

Checks for new stories every ~15 minutes

2025-06-17 15:03:46 bleepingcomputer DATA BREACH UK Fines 23andMe for Major Genetic Data Breach
The UK Information Commissioner's Office (ICO) fined 23andMe £2.31 million for failing to secure sensitive genetic and personal data. A credential stuffing attack compromised the data of approximately 4.1 million people in the UK and Germany, including 1 million Ashkenazi Jews. The breach, undetected from April to September 2023, led to the unauthorized release of data on platforms like Reddit and BreachForums. Post-breach, 23andMe enhanced security measures, including mandatory two-factor authentication and forced password resets. The ICO considered 23andMe's cooperative behavior before finalizing the penalty, which aligns with their Data Protection Fining Guidance. 23andMe, amid financial troubles and bankruptcy, settled a related lawsuit for $30 million in September 2024.
2025-06-17 14:05:25 bleepingcomputer MISCELLANEOUS Streamlining IT Ticket Management with AI Automation
Uzado Inc., a Canadian IT service provider, leverages a Tines Pages AI-powered workflow to automate IT ticket responses. The automated system allows employees to submit IT issues via a form, automating responses and directing tickets to appropriate IT personnel. This system is designed to handle repetitive and simple tickets such as password resets, reducing manual workload for IT teams. The AI workflow automatically resolves about 10% of total tickets, allowing IT staff to focus on more complex issues. Users benefit from faster resolutions and prefer the AI-guided troubleshooting process to traditional methods. The guide includes detailed steps for deploying the AI workflow in various IT environments, including optional tool integrations for broader functionality. The solution aims to enhance both operational efficiency and security postures, adapting to the fast-paced changes in IT threats.
2025-06-17 13:56:03 theregister DATA BREACH UK Fines 23andMe £2.3M for Massive Genetic Data Breach
The UK's Information Commissioner's Office (ICO) fined 23andMe £2.31 million for a significant data breach exposing the genetic data of nearly 7 million users. The breach was uncovered after a joint investigation by the ICO and the Office of the Privacy Commissioner of Canada, focusing on security lapses at 23andMe. Attackers used credential-stuffing techniques from April to September 2023, directly affecting approximately 14,000 accounts but leading to wider exposure through the DNA Relatives feature. Sensitive data, including the personal, familial, and health information of 155,592 UK residents, was compromised, with around 6.9 million users affected overall. 23andMe acknowledged the breach five months after it began and delayed implementing preventative measures until nearly a year after the initial findings. 23andMe has filed for Chapter 11 bankruptcy, raising questions about its ability to pay the fine; however, the ICO expects compliance with its enforcement actions. Enhanced security and privacy measures have been promised by TTAM Research Institute, which is set to acquire 23andMe.
2025-06-17 13:56:02 bleepingcomputer DATA BREACH Over 1 Million User Records Stolen in Cock.li Email Data Breach
Email hosting provider Cock.li confirmed a data breach impacting over one million user records. The breach exploited old vulnerabilities in the now-retired Roundcube webmail platform. Detailed user information for 1,023,800 accounts and contact entries for 93,000 additional users were exposed. Cock.li, known for its privacy-focused services, is used by various groups, including cybersecurity professionals and cybercriminals. Sensitive user data was offered for sale online, but passwords, email content, and IP addresses remained secure. Cock.li has discontinued the use of Roundcube because of its security vulnerabilities and is considering alternatives. All users active since 2016 are urged to reset their passwords and will be directly notified if their third-party contact information was compromised. The breach provides valuable data for researchers into the activities and affiliations of its users, especially the cybercriminal groups prevalent on the service.
2025-06-17 13:38:48 thehackernews NATION STATE ACTIVITY Silver Fox APT Uses Malware to Target Taiwan in Phishing Attacks
Researchers have identified a phishing campaign by Silver Fox APT targeting Taiwanese users with HoldingHands RAT and Gh0stCringe malware. The campaign uses phishing emails mimicking Taiwan's National Taxation Bureau, delivering malware via PDF or ZIP files. Both malware strains, HoldingHands and Gh0stCringe, derive from the widely used Gh0st RAT, often employed by Chinese hacking groups. Phishing lures include government or business-related topics like taxes, invoices, and pensions, urging recipients to open malicious attachments. The multi-stage attack involves shellcode loaders decrypting and executing encrypted shellcode, using legitimate executables for DLL side-loading. Malware capabilities include anti-VM, privilege escalation, command-and-control communications, and modules for file management and remote desktop access. Continuous evolution in malware and distribution tactics has been noted across different campaigns by the threat group.
2025-06-17 12:56:31 thehackernews CYBERCRIME Google Alerts: Insurance Firms Targeted by Scattered Spider Cyber Group
Scattered Spider, a notorious cybercrime group, is now focusing on the U.S. insurance sector, exploiting IT support teams through advanced social engineering. Previously involved in operations against U.K. and U.S. retailers, the group's shift marks a deliberate move to a new vertical, insurance. Scattered Spider has reportedly collaborated with the DragonForce ransomware cartel, enhancing its intrusion capabilities. Tactics include impersonating employees and deceiving help desk teams to bypass multi-factor authentication systems. The group's proficiency in English and cultural fluency heightens the effectiveness of its phishing and phone-based attacks. Google's Threat Intelligence Group warns that insurance companies need to significantly tighten security measures, implementing improved authentication protocols and training for help desk personnel. Enhancing identity controls, setting access limits, and educating IT support on security practices are recommended to mitigate these threats.
2025-06-17 11:27:48 thehackernews CYBERCRIME Risks and Management Strategies for AD Service Accounts
Active Directory (AD) service accounts, often forgotten and unmonitored, pose significant security risks due to practices like non-expiring passwords and minimal oversight. These service accounts can become gateways for attackers to access enterprise networks, escalate privileges, and move laterally, increasing the impact of breaches. The article highlights the importance of visibility and regular reviews of service accounts to mitigate risks and manage privileges effectively. A botnet exploiting over 130,000 Microsoft 365 service accounts in 2024 underlines the necessity to update authentication measures and enforce multi-factor authentication. Privilege creep in service accounts can inadvertently grant attackers access to critical systems, emphasizing the need for constant access reevaluation. Best practices include enforcing least privilege, using managed accounts, regular auditing, and applying strong password policies to enhance security. Automated tools like Specops Password Auditor aid in proactive AD service account management by identifying vulnerabilities and enforcing security policies. The combination of manual best practices and automated tools is essential for effectively securing AD environments against potential cyber threats.
2025-06-17 10:37:57 thehackernews CYBERCRIME Critical Vulnerabilities in Sitecore XP Expose Major RCE Risks
Security researchers identified three critical vulnerabilities in Sitecore Experience Platform (XP) that allow pre-authenticated remote code execution. The vulnerabilities involve a default user account with a hard-coded password of "b," allowing unauthorized API access. Attackers can exploit these vulnerabilities by uploading specially crafted ZIP files to execute arbitrary code. The issue affects Sitecore version 10.1 onwards, which ships with a pre-configured user database containing the vulnerable settings. Because current Sitecore versions shipped with the default account's weak password, the potential impact on industries such as banking and airlines is significant. Previously identified vulnerabilities in older versions of Sitecore are already under active exploitation. Sitecore users must immediately update their installations with the latest patches to mitigate these extensive security risks.
2025-06-17 10:32:07 thehackernews CYBERCRIME Protecting Backup Systems from Ransomware: Essential Strategies
Ransomware attacks are now targeting backup systems to prevent recovery and increase the likelihood of ransom payment. Attackers use tactics such as disabling backup agents, deleting snapshots, and encrypting backup data. Common weaknesses include inadequate separation of backup environments and reliance on a single cloud provider. The article recommends the 3-2-1-1-0 backup strategy: three copies of data, two different media, one offsite copy, one immutable copy, and zero errors. It emphasizes using image-based backups, hardened backup appliances, and regular verification to enhance backup integrity. Cloud-based backups should be segmented with separate authentication systems and multi-factor authentication (MFA) for increased security. The article highlights Datto BCDR solutions for securing backups and ensuring recoverability even during severe ransomware attacks. It encourages organizations to evaluate and strengthen their backup strategies to ensure data resilience against ransomware threats.
2025-06-17 09:35:45 thehackernews DDOS New Flodrix Botnet Exploits Critical AI Server Bug for DDoS Attacks
Cybersecurity researchers have uncovered a new campaign exploiting a critical vulnerability in Langflow to distribute Flodrix botnet malware. The vulnerability, identified as CVE-2025-3248, enables remote code execution due to missing authentication and was patched in March 2025. Attackers target unpatched Langflow servers using proof-of-concept code to conduct reconnaissance and install the Flodrix malware. Once Flodrix is installed, it connects to a remote server and receives commands to carry out DDoS attacks against selected IP addresses. The malware supports connections over both TCP and the TOR network, increasing its stealth and complicating its traceability. Researchers note that the attackers are profiling vulnerable servers to identify high-value targets for future infections. This version of Flodrix, evolved from the LeetHozer botnet, features capabilities that minimize forensic traces and enhance attack obfuscation. Trend Micro highlights that this campaign is actively developing, indicating potential future enhancements and risks.
2025-06-17 08:15:26 thehackernews CYBERCRIME TP-Link Router Vulnerability Actively Exploited, CISA Issues Alert
CISA added a TP-Link router flaw, CVE-2023-33538, to its KEV catalog due to active exploitation. The flaw is a command injection vulnerability in certain TP-Link router models that allows arbitrary command execution. There is no public information currently available about specific exploitation tactics in the wild. The affected TP-Link routers might be at end-of-life, which increases the risk; CISA recommends discontinuing their use if no updates are available. The issue intersects with Palo Alto Networks' findings on the FrostyGoop malware, although no direct exploitation of this CVE was evidenced in the mentioned malware attack. Meanwhile, a separate vulnerability in Zyxel firewalls is being exploited to build DDoS botnets, with multiple countries affected. Agencies have until July 7, 2025, to remediate the TP-Link router vulnerability. GreyNoise observes significant recent exploit attempts targeting the Zyxel flaw and urges updates and vigilant monitoring.
2025-06-17 05:03:47 thehackernews MISCELLANEOUS Meta Introduces Advertising on WhatsApp with Privacy Focus
Meta Platforms announced the introduction of ads on WhatsApp, specifically in the app's Updates tab through the Status feature. The company emphasizes privacy, ensuring that personal messages, calls, and statuses continue to feature end-to-end encryption. Ad targeting will use limited user data such as location, language, and interaction with ads, drawn from broader Meta account settings if the user has integrated WhatsApp into the Meta Accounts Center. Meta reassures users about not selling or sharing their phone numbers with marketers, and ad targeting will not involve tapping into personal communications. The introduction of ads on WhatsApp marks a significant shift since Meta's acquisition of the platform in 2014 for $19.3 billion, following the initial announcement in 2018 but delayed in implementation. Concerns continue to be voiced by privacy advocates, including criticism from the Mozilla Foundation regarding Meta’s handling of user data visibility on its AI chatbot. The privacy-oriented approach to advertising on WhatsApp is part of Meta's broader strategy to monetize its services while attempting to maintain user trust and privacy.
2025-06-16 22:06:20 theregister CYBERCRIME Scattered Spider Shifts Focus from Retail to Insurance Cyberattacks
Google has issued a high alert for the insurance sector against Scattered Spider, a cybercrime group previously targeting retailers in the US and UK. Recent ransomware attacks have afflicted multiple US insurance companies, marked by system outages and compromised customer access. Scattered Spider typically initiates attacks through social engineering, exploiting help desks and call centers with fake support calls. Deployed ransomware includes the DragonForce variant, used notably in attacks on the insurance industry following retail sector breaches. Google Threat Intelligence Group advises insurers to heighten security measures, suggesting video verification or challenge-response techniques for caller identification. Networks of Erie Insurance and Philadelphia Insurance Companies experienced significant outages, suspected to be linked to Scattered Spider’s activities. Both insurance companies are working with cybersecurity experts and law enforcement to investigate and manage the incidents.
2025-06-16 20:43:33 bleepingcomputer CYBERCRIME Scattered Spider Shifts Focus to U.S. Insurance Sector Cyberattacks
Scattered Spider, a versatile hacker group, is now aggressively targeting U.S. insurance companies after previously focusing on U.K. retail businesses. Google Threat Intelligence Group reports multiple breaches in the U.S. insurance sector that showcase typical tactics of Scattered Spider, including sophisticated social engineering. The group is known for using varied aliases like 0ktapus and UNC3944, and employs methods such as phishing, SIM-swapping, and MFA fatigue to initiate breaches. Post-breach tactics include deploying ransomware such as RansomHub and DragonForce, which can severely disrupt affected organizations. To safeguard against these cyber threats, companies are advised to segregate identities, implement strong authentication measures, and educate employees on recognizing impersonation attempts across communication platforms. NCSC has issued guidelines for organizations to improve cybersecurity defenses, focusing on enhanced authentication processes and monitoring of unusual access patterns. The shift in focus to the insurance industry suggests a need for heightened security vigilance and advanced defense strategies in this sector.
2025-06-16 18:50:46 theregister DATA BREACH Extortion Gang Threatens Release of Freedman HealthCare Data
Extortionists have allegedly stolen 52.4 GB of data, approximately 42,204 files, from Freedman HealthCare and plan to release the information early Tuesday. Freedman HealthCare is a significant player in healthcare data management, working with states and healthcare providers to manage sensitive information such as insurance statuses and healthcare claims. If verified, this data breach could expose sensitive financial and health information of millions of Americans, including those in California, Delaware, and Rhode Island. The data theft was claimed on the shame site of World Leaks, a group formerly known as Hunters International, which has shifted its focus from ransomware to pure data theft and extortion. Previously, World Leaks has been involved in other high-profile thefts, including health insurance information from cancer patients and sensitive images from a plastic surgery center. The potential data breach poses a significant threat to the integrity of several state-run health databases and might represent one of the larger healthcare data incidents of recent times.