Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11824

Checks for new stories every ~15 minutes

2025-05-15 18:28:09 bleepingcomputer CYBERCRIME FBI Warns of AI Voice Deepfake Attacks on U.S. Officials
The FBI issued a public service announcement alerting that AI-based voice deepfakes have been used in phishing attacks against U.S. officials since April 2025. Perpetrators impersonate senior U.S. officials using AI-generated audio to establish rapport and subsequently gain access to personal and governmental accounts. The agency highlighted the use of smishing (text-based) and vishing (voice-based) techniques that appear to originate from high-ranking officials to deceive targets. Once access is obtained, attackers exploit the breached accounts to gather sensitive information from, and about, other government individuals and potentially to initiate fund transfers. The warning aligns with a historical pattern, referencing a 2021 FBI notification regarding the increasing sophistication and expected proliferation of deepfakes in cyber operations. Concerns about deepfakes' role in cybersecurity have been escalating, with Europol and the U.S. Department of Health and Human Services noting their potential misuse in various frauds and social engineering since 2021. The recent misuse of deepfake technology in an attack on LastPass, involving a deepfake audio of the CEO, underscores the tangible threats posed by these technologies. The announcement aims to raise awareness and encourage vigilance, providing mitigation strategies to identify and defend against such deceptive tactics.
2025-05-15 17:31:45 theregister CYBERCRIME Scattered Spider Cyberattacks Shift Focus from UK to US Retailers
Scattered Spider, previously targeting UK retailers, has now begun attempts on major US retailers' IT infrastructure. The attacks involve potential ransomware deployment, specifically DragonForce, as identified by Mandiant, Google's threat intelligence branch. In response to these attacks, affected organizations have initiated stringent cybersecurity measures, sometimes resulting in operational disruptions. The group, consisting mostly of young males from the US and UK, had paused operations following multiple arrests but recently resumed with new vigor. Fewer than 10 prominent US retail companies have been targeted, facing various levels of security breaches and impacts from preventive action. Scattered Spider's patterns show a periodic shift in focus to different sectors, with a prediction that it will soon move on from the retail industry. The possibility of increased law enforcement action looms due to the high-profile nature of these cyberattacks.
2025-05-15 16:53:11 thehackernews DATA BREACH Meta Faces Legal Threat Over AI Training Without User Consent
Meta plans to use E.U. user data for AI training without explicit opt-in consent, set to begin May 27, 2025. Austrian privacy group noyb issued a cease-and-desist letter to Meta, threatening a class action lawsuit over these plans. Meta argues it has a "legitimate interest" in using the data, bypassing the need for direct user consent, which contradicts GDPR requirements. The initiative had previously been paused in June 2024 after concerns from Irish data protection authorities, but Meta intends to proceed. noyb argues that consent from merely 10% of users would suffice for Meta's AI to learn about E.U. linguistic and cultural diversity. Other AI providers reportedly generate superior models without leveraging social network data, challenging Meta's necessity claim. National data protection authorities have not yet addressed the legality of this non-consensual data usage for AI by Meta. In response to the allegations, Meta insists its actions are lawful and that it provides users with an option to object to data processing.
2025-05-15 16:44:52 bleepingcomputer DATA BREACH Nova Scotia Power Hit by Data Breach, Customer Data Stolen
Nova Scotia Power confirmed a significant data breach involving sensitive customer data due to unauthorized network access discovered last month. The breach was first detected on April 28, 2025, with investigations revealing that the breach occurred on March 19, 2025, nearly two months prior to alerting customers. The company, a primary utility in Canada servicing over 500,000 customers, stated the breach had no impact on electricity production and distribution but disrupted internal operations. Stolen data includes personal information, though the company has not observed any misuse of the data so far. Nova Scotia Power is offering two years of free credit monitoring to affected customers through TransUnion to mitigate potential risks. Customers have been advised to stay vigilant against phishing attempts, as threat actors may impersonate the utility company. No ransomware gangs have claimed responsibility for this cybersecurity incident.
2025-05-15 16:38:06 theregister DATA BREACH Coinbase Faces $20M Extortion after Insider-Influenced Data Theft
Coinbase was targeted by cybercriminals who attempted to extort $20 million after bribing support staff to steal customer data. Less than 1 percent of Coinbase's monthly transacting users were affected, and no passwords or private keys were compromised. The stolen data was used in social engineering attacks to defraud Coinbase customers. Coinbase has responded by offering a $20 million bounty for information leading to the arrest of the perpetrators, rather than paying the ransom. The company terminated the involved personnel, boosted fraud monitoring defenses, and has taken steps to reimburse affected customers. Additional measures include investment in anti-fraud technologies and plans to centralize support operations in the US. Total remediation and reimbursement costs are estimated at between $180 million and $400 million. Despite the breach, Coinbase states there was no access to customer funds and no material operational impact, though its shares dropped by over 7%.
2025-05-15 15:49:01 bleepingcomputer MISCELLANEOUS Security Flaws Exposed in Windows 11 and Red Hat at Pwn2Own 2025
Pwn2Own Berlin 2025 showcased successful hacks on Windows 11, Red Hat Linux, and Oracle VirtualBox, distributing $260,000 in prizes to participants. Security researchers demonstrated multiple zero-day exploits, securing root or SYSTEM privileges through various vulnerabilities including use-after-free, integer overflow, and out-of-bounds write. The DEVCORE Research Team, among others, highlighted critical security flaws in enterprise technologies by exploiting previously unknown vulnerabilities. Notable achievements included an exploit chain that allowed code execution on the underlying OS of Oracle VirtualBox and Docker Desktop. Pwn2Own 2025 targets a wide range of technologies including AI, web browsers, virtualization tools, and enterprise applications, with potential earnings exceeding $1,000,000. No attempts were made on the Tesla models available despite being included as targets in this year's competition. Following the competition, vendors have a 90-day window to patch the security vulnerabilities exposed during the event.
2025-05-15 15:34:02 theregister MISCELLANEOUS Socket Acquires Coana to Enhance Security Alert Efficiency
Socket has acquired Coana, a startup aimed at improving how security vulnerabilities are prioritized by letting users know which alerts can be ignored. Coana, founded by researchers from Aarhus University, employs reachability analysis to determine if attackers can realistically exploit reported vulnerabilities. The tool's efficiency lies in its use of static analysis, which allows for rapid, scalable evaluations with minimal false negatives or positives. Traditional security tools produce an excessive number of alerts, creating noise and increasing workload for developers, which Coana’s approach aims to reduce. Reachability analysis by Coana is especially effective for dynamic languages like JavaScript and Python, where static analysis is more challenging. The acquisition helps Socket address its users' concerns regarding overwhelming security alerts from dependency scans in application software libraries. Socket's CEO noted an ongoing challenge with the volume of security alerts and mentioned catching around 500 malicious packages weekly.
2025-05-15 15:20:20 bleepingcomputer MISCELLANEOUS Tor Introduces Oniux for Enhanced Linux App Anonymization
Tor has launched Oniux, a new tool to anonymize network traffic of any Linux application through the Tor network. Unlike torsocks, Oniux employs Linux namespaces for creating isolated network environments, enhancing security by preventing data leaks. Oniux isolates applications at the kernel level, ensuring all traffic is routed through Tor, utilizing a virtual interface and custom DNS settings. The tool is designed to be leak-proof with kernel-enforced isolation, which significantly surpasses the capabilities of torsocks. Despite its innovative approach, Oniux is still in an experimental phase and not recommended for critical operations until further testing. Tor has published the source code and calls for community engagement to test and refine Oniux to ensure its reliability for broader deployment. Users interested in testing the tool can install it using Rust and specific commands provided by the Tor Project.
2025-05-15 14:31:17 thehackernews DATA BREACH Coinbase Inside Job Leads to Data Leak and Extortion Attempt
Coinbase suffered a data breach orchestrated by cyber criminals who bribed internal customer support agents in India, leading to unauthorized data access. The attackers copied account data of less than 1% of Coinbase's 9.7 million monthly users to potentially deceive them into transferring cryptocurrency. The threat actors attempted to extort $20 million from Coinbase by threatening to release sensitive customer and internal information. No critical data such as passwords, private keys, or customer funds were compromised, and Coinbase Prime accounts remained secure. Coinbase has terminated the employment of the involved customer agents and is taking measures to reimburse affected customers. Enhanced security measures, including additional ID checks for large withdrawals and strengthened defenses against insider threats, are being implemented. Coinbase has announced a $20 million reward for information leading to the arrest and conviction of the responsible parties. Customers are advised to enhance security by enabling withdrawal allow-listing, two-factor authentication, and remaining vigilant against impostors.
2025-05-15 13:48:44 bleepingcomputer MALWARE NPM Package Hides Malware Using Unicode Steganography, Targets Users
Researchers identified a malicious NPM package named 'os-info-checker-es6' that employs Unicode steganography to conceal command-and-control links within Google Calendar events. Originally benign when added to NPM on March 19, the package began incorporating malicious elements in subsequent updates, significantly changing by May 7 to include sophisticated malware delivery mechanisms. The package, downloaded over 1,000 times, mimics a utility tool while secretly acting as a malware vector, impacting multiple users. 'os-info-checker-es6' is linked as a dependency in four other questionable NPM packages that pose as accessibility and development tools, potentially expanding its reach. The complex attack involves fetching a base64-encoded URL obscured within a Google Calendar event, which then directs to the actual malicious payload. Despite discoveries and reporting by Veracode, the harmful NPM packages remain available for download, posing ongoing risks to unsuspecting developers. The incident underscores the need for increased vigilance and robust security measures within software development environments, particularly in package management ecosystems.
2025-05-15 13:39:33 theregister DATA BREACH Snowflake CISO Enhances Security After Major Data Breaches
Last spring, significant data breaches at Snowflake impacted major clients like Ticketmaster and Santander, involving unauthorized data access through exposed customer credentials. The breaches affected hundreds of millions and were facilitated by the misuse of stolen user credentials lacking multi-factor authentication—highlighting gaps in the shared responsibility security model. Snowflake’s CISO, Brad Jones, emphasized a shift from a shared responsibility model to a "shared destiny" model, strengthening proactive partnerships with customers to enhance security. Following the incidents, Snowflake mandated multi-factor authentication by default for new accounts and planned the phased elimination of single-factor password logins by November 2025. To further secure customer data, Snowflake implemented uniform security controls, private networking options, default encryption, and a service to detect and lock accounts with compromised credentials found on the dark web. The CISO highlighted new security challenges, particularly with AI, stressing the importance of adapting security measures rapidly in response to AI's evolving risks and capabilities. Microsoft’s three-phase model for agentic AI development, from basic chatbots to independent operation, presents new governance and security considerations. Snowflake’s approach now focuses on enabling business needs securely, reflecting the improv rule of "yes, and" to integrate necessary controls without stifling innovation.
2025-05-15 13:33:22 bleepingcomputer DATA BREACH Coinbase Insider Assisted Data Breach Exposes Customer IDs
Coinbase disclosed a significant data breach involving compromised customer information including government IDs, organized with the help of rogue overseas support agents. Cybercriminals demanded a $20 million ransom to avoid public release of the data, which Coinbase refused to pay, instead establishing a reward fund of equal amount to find the perpetrators. No customers' private keys or passwords were stolen, and Coinbase Prime accounts and wallets remain secure. Coinbase terminated the employment of the involved insiders who facilitated unauthorized access to the systems. The breach has potential financial implications estimated between $180 million and $400 million, mainly for remediation and customer compensations for those deceived into sending funds to attackers. The company plans to open a new U.S.-based support hub and increase investments in security measures, including insider-threat detection and automated response systems. Coinbase urges customers to use two-factor authentication and be cautious of scammers impersonating company employees.
2025-05-15 13:33:22 bleepingcomputer MALWARE Malicious NPM Package Harnesses Steganography and C2 Mechanisms
Researchers discovered a malicious npm package named "os-info-checker-es6" which initially posed as a benign utility but later included malware. The package, camouflaging malicious content with invisible Unicode characters and using Google Calendar links, was downloaded over 1,000 times. Introduced to npm in March with benign functionality, it later received updates adding malware and complex command-and-control mechanisms. This package, alongside four others that list it as a dependency, uses the appearance of developer tooling to mask underlying harmful activities. The malicious code is hidden using Unicode steganography, embedding invisible characters that decode to a Google Calendar URL hosting the next stage. After following redirects until an HTTP 200 OK response is reached, a base64-encoded URL is scraped and decoded to deliver the final malware payload. The payload was not retrievable at the time of the research, which indicates either an early stage of, or a temporary pause in, the attack campaign. Following Veracode's discovery and report to npm regarding the suspicious packages, the packages were still live on the platform.
2025-05-15 11:29:54 thehackernews MISCELLANEOUS Why Continuous Penetration Testing is Essential for Security
Annual penetration tests are insufficient due to rapid development cycles and the new vulnerabilities introduced by software updates. Compliance frameworks like PCI DSS and HIPAA guide security but do not ensure protection against vulnerabilities that appear after an assessment. Continuous security testing is crucial to identify and fix new vulnerabilities before they are exploited by attackers. Strategic pen testing incorporates regular tests, integration with other security measures, and customization based on specific threats. Resource constraints and a lack of qualified personnel hinder effective penetration testing implementation in many organizations. A cultural shift in organizations toward continuous testing and proactive risk management is necessary for improved security. Combining External Attack Surface Management (EASM) and Penetration Testing as a Service (PTaaS) can optimize security effectiveness. Outpost24's CyberFlex offers integrated solutions for continuous, flexible testing tailored to specific business needs.
2025-05-15 10:36:24 thehackernews MALWARE Strategies to Enhance Ransomware Recovery and Prevention
Ransomware has become more sophisticated, leveraging legitimate IT tools and services such as Ransomware-as-a-Service (RaaS) to conduct widespread attacks. Microsoft reported misuse of its Quick Assist tool for deploying Black Basta ransomware, highlighting the evolving tactics of cybercriminals. The economic impact of ransomware could escalate to $275 billion annually by 2031, with attacks predicted to occur every 2 seconds. A robust business continuity and disaster recovery (BCDR) strategy, including the upgraded 3-2-1-1-0 backup rule, is critical for organizational resilience against ransomware. Immutable and isolated backups, continuous backup monitoring, and regular restore testing are paramount to ensure data integrity and recovery capabilities. Enhancing backup systems with anomaly detection and integrating them with security operations can expedite threat detection and response. Regular employee training on cyber hygiene and proactive threat reporting can further fortify the first line of defense against ransomware. Incorporating comprehensive BCDR solutions like Datto can streamline the implementation of these strategies and bolster overall ransomware preparedness.