Daily Brief

2025-04-23 17:43:12 | bleepingcomputer | MISCELLANEOUS | WhatsApp Introduces Advanced Chat Privacy for Enhanced Security
WhatsApp has launched a new feature called Advanced Chat Privacy to enhance the security of private and group chats. The feature prevents the export of chat histories and limits the automatic downloading and external use of media. Users can activate this setting by accessing the chat options, ensuring higher confidentiality within the app. While the feature adds a layer of security, sensitive information can still be captured manually, e.g., through taking pictures of the screen. This development is part of ongoing efforts to bolster privacy on WhatsApp, following the introduction of end-to-end encryption and encrypted chat backups. Additional enhancements to Advanced Chat Privacy are being developed to increase its effectiveness further. These measures align with WhatsApp's broader strategy to secure user communications and ensure privacy in digital interactions among its two billion global users.
2025-04-23 17:11:59 | thehackernews | NATION STATE ACTIVITY | North Korea Hackers Exploit Cryptocurrency Sectors, Employ Deepfakes
DPRK-nexus hackers have stolen $137M from TRON users through phishing, highlighting ongoing financial motivations driven by international sanctions. Mandiant's M-Trends 2025 report identifies multiple North Korean clusters (UNC1069, UNC4899, UNC5342, UNC4736, UNC3782) targeting the cryptocurrency and Web3 sectors. These groups employ advanced tools compatible across Windows, Linux, and macOS to gain access to crypto wallets and blockchain entities. Apart from direct theft, North Korea deploys IT workers internationally who use fake identities and deepfake technology to infiltrate companies and secure jobs, aiding Pyongyang's financial and strategic aims. In 2023, the UNC3782 group executed a massive phishing attack against TRON users; in 2024 it targeted Solana users with pages designed to drain cryptocurrency wallets. The IT workers, linked to North Korea's nuclear program, send their earnings back to North Korea, maintain access to victim networks, and pursue extortion schemes. Techniques include using deepfakes for interviews and applying for the same job multiple times under different synthetic identities, which improves both their evasion of detection and their operational security. At least 12 false personas were used by DPRK operatives for job applications in the U.S. and Europe, some successfully gaining employment and continuing malicious activity inside the targeted organizations.
2025-04-23 15:41:05 | bleepingcomputer | DATA BREACH | 4.7 Million Members' Health Data Exposed by Blue Shield of California
Blue Shield of California experienced a data breach, impacting 4.7 million members. The breach exposed protected health information to Google’s analytics and advertisement platforms due to a misconfiguration in Google Analytics. Sensitive data was potentially used by Google for targeted advertising campaigns. The exposure occurred over nearly three years, from April 2021 to January 2024. Key personal data such as Social Security numbers and financial information were not compromised. Members are advised to monitor their accounts closely for any signs of unauthorized activity. Blue Shield has not committed to offering identity theft protection services following the incident. This breach follows another significant data incident involving Blue Shield and ransomware actors last year.
2025-04-23 15:24:22 | bleepingcomputer | CYBERCRIME | FBI Reports $16.6 Billion Lost to Cybercrime in 2024
The FBI reported a record $16.6 billion stolen by cybercriminals in 2024, a 33% increase over the previous year. The Internet Crime Complaint Center (IC3) received 859,532 complaints, 256,256 of which involved actual financial losses. Older Americans, particularly those over 60, were disproportionately affected, accounting for nearly $4.8 billion of the reported losses. Ransomware remains the most significant threat to critical infrastructure, with a 9% increase in complaints over the previous year. Over the last five years, IC3 has received more than 4.2 million complaints, amounting to $50.5 billion in losses. The report emphasizes that actual losses are likely higher, as many incidents go unreported or undetected. The FBI also warns about scammers impersonating IC3 employees to defraud victims a second time by offering fake recovery services.
2025-04-23 14:59:23 | bleepingcomputer | MALWARE | ASUS Issues Firmware Updates to Mitigate Server Hijacking Risk
ASUS has released security updates for a critical vulnerability, CVE-2024-54085, in server management software. The flaw, found in American Megatrends International's MegaRAC BMC software, affects multiple server vendors including ASUS and HPE. CVE-2024-54085 allows remote attackers to control servers, deploy malware, and cause physical hardware damage. Attackers can exploit the vulnerability through remote management interfaces, potentially leading to motherboard bricking and permanent server damage. American Megatrends had previously provided patches, and ASUS has now implemented these for four affected motherboard models. ASUS urges immediate firmware updates to prevent the exploitation of this severe security flaw, providing instructions for the update process on their website. The necessity for rapid action is underscored by the vulnerability’s remote exploitability and potential to cause irreversible damage to server hardware.
2025-04-23 14:03:34 | bleepingcomputer | CYBERCRIME | Modern Phishing Tactics Render Traditional Detection Ineffective
Phishing attacks in 2025 are increasingly sophisticated, evading traditional detection by using MFA-bypassing phishing kits and by launching attacks that appear novel each time. Current phishing detection relies heavily on blocklists of domains, URLs, and IPs identified after an attack, which cannot prevent the first wave of phishing attempts. Attackers exploit disposable domains and dynamically change attack vectors, making indicator-based detection ineffective. Phishing often involves email, but attackers are increasingly using multi-channel approaches to avoid detection, complicating the identification of malicious pages. New evasion techniques include CAPTCHAs and complex JavaScript that prevent sandboxes and static analysis tools from reaching the malicious content. Because detection typically happens only after the attack, responses are delayed, often allowing attackers to harvest credentials before they are identified. A browser-based approach, where phishing detection occurs in real time as the user interacts with the page, is proposed as the way to combat phishing effectively. Push Security advocates real-time, browser-based phishing detection, claiming significant advantages in visibility and response over traditional methods.
2025-04-23 13:13:45 | thehackernews | MALWARE | Iran-Linked Hackers Employ MURKYTOUR Malware in Israeli Job Scam
The Iranian threat group UNC2428 deployed MURKYTOUR malware via a fake job recruitment campaign targeting Israel. The campaign mimicked the Israeli defense contractor Rafael to lure victims into downloading a disguised installer. The installer, called LONEFLEET, presented a graphical user interface prompting victims to enter personal data and submit resumes, and launched the malware in the background. Once launched, the backdoor gave the attackers persistent access to the victims' systems. Mandiant linked the activity to broader Iranian cyber espionage efforts against various Israeli sectors. The operation fits a pattern of diverse cyber threats from Iran, including other groups using phishing and malware to gather intelligence. The report highlighted the use of legitimate-looking interfaces and cloud infrastructure by Iranian actors to avoid detection and maintain payload delivery. Over 20 different malware families were identified in Iranian cyber operations in the Middle East in 2024.
2025-04-23 13:04:36 | theregister | CYBERCRIME | Rising Threat: Stolen Credentials Now Lead in Cloud Security Breaches
Stolen credentials have surpassed email phishing as the most common method for initial access in cyberattacks, particularly in cloud environments. Mandiant's 2025 report indicates a significant increase in the use of stolen credentials, accounting for 35% of cloud compromises. Financially motivated attacks constituted 55% of the observed cyber activities in 2024, with only 8% related to espionage, marking a shift from previous years. The report tracked a new high of 737 threat clusters in 2024, showing the expanding scope and complexity of cyber threats. Ransomware attacks often began with brute-force methods, but stolen credentials played a substantial role in gaining initial entry. The resurgence of infostealer malware contributes to the high incidence of credential theft, compromising both personal and corporate data security. Multi-factor authentication (MFA) is stressed as a critical defense, highlighting the gaps in security where MFA is not enabled. The report emphasizes the need for heightened security measures across both personal devices and corporate networks to combat these evolving cyber threats.
2025-04-23 12:23:10 | thehackernews | NATION STATE ACTIVITY | Android Spyware Targeting Russian Military Uncovered
Cybersecurity researchers have discovered Android spyware, disguised as the Alpine Quest mapping software, aimed at Russian military personnel. The spyware, tracked as Android.Spy.1292.origin, was embedded in older versions of Alpine Quest Pro and distributed via Russian Android app catalogs and a fake Telegram channel. Once installed, the malware behaves like the legitimate app, remaining undetected while transmitting sensitive data such as location changes and stealing files sent via messaging apps like Telegram and WhatsApp. Its capabilities can be expanded by downloading additional modules, enabling a broader range of malicious activity. To protect against such threats, users are advised to download apps only from reputable sources and to be wary of unofficial "free" versions of paid apps. Separately, Kaspersky reported that Russian organizations across the government, finance, and industrial sectors are being targeted by a sophisticated backdoor masquerading as an update for the ViPNet secure networking software. The backdoor, delivered inside LZH archives, can steal files and launch additional malicious components on infected computers.
2025-04-23 11:03:31 | thehackernews | MISCELLANEOUS | Why Browsers are Crucial in Combating Modern Phishing Attacks
Phishing attacks are increasingly leveraging identity-based techniques, with phishing-linked stolen credentials now the primary cause of breaches. Traditional detection controls such as Secure Email Gateways and network-layer defenses are being bypassed by attackers using methods such as malvertising and multi-channel attacks. Browser-based detection shifts phishing defense into the browser itself, focusing directly on the content rendered there. In-browser security tools can analyze dynamic web pages and JavaScript, enabling detection of tactics, techniques, and procedures (TTPs) rather than just indicators of compromise (IoCs). Real-time interception of phishing attempts becomes feasible with browser-based solutions that observe user interactions directly on malicious pages. Detection from within the browser can shut down phishing attacks before they cause harm, in contrast to the delayed response of non-browser solutions. Push Security's browser extension is highlighted as a proactive tool for real-time phishing prevention, offering protection against a range of identity attack techniques.
2025-04-23 10:55:07 | thehackernews | NATION STATE ACTIVITY | Russian Hackers Target Ukraine Allies Using Microsoft OAuth
Russian-linked cyber actors are aggressively targeting entities tied to Ukraine and human rights, focusing on unauthorized access to Microsoft 365 accounts. They employ sophisticated social engineering tactics involving Microsoft OAuth 2.0 Authentication workflows to deceive victims into providing Microsoft-generated OAuth codes. The attackers use compromised identities, impersonating European political officials and leveraging platforms like Signal and WhatsApp to coordinate meetings and share malicious links. These tactics enable the attackers to generate Microsoft Authentication Tokens, gaining control over victims' Microsoft 365 accounts. The targeted attacks have been linked to several Russian threat groups, with potential connections to known entities like APT29. Methods involve redirecting victims to manipulated URLs that appear as legitimate Microsoft login portals, where the OAuth authorization codes are harvested. Once the OAuth code is shared, attackers can register a new device to the victim's Microsoft Entra ID, potentially gaining permanent account access. Organizations are advised to increase awareness of phishing attacks, audit newly registered devices, and tighten conditional access policies to mitigate these threats.
2025-04-23 10:38:06 | theregister | NATION STATE ACTIVITY | Ex-NSA Chief Urges AI Developers to Prioritize Security Early
Former NSA head Mike Rogers emphasizes the importance of integrating security into AI development from the start to avoid later vulnerabilities. Rogers highlighted past failures in cybersecurity where systems lacked built-in security, leading to costly retrofits and increased risk. At the Vanderbilt Summit, he discussed the potential dangers of not securing AI, ranging from data leaks to biased algorithms influencing critical decisions. The director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) encouraged secure practices by having technology vendors sign the Secure By Design Pledge. Contrasting policies between the Biden and Trump administrations show differences in the handling of AI regulation and tech company liability. Rogers referenced Project Maven to illustrate the importance of aligning technology with ethical and practical use, pointing out the cultural divide between government objectives and tech company values. Historical shifts in Google's AI policies reflect broader changes in the tech industry's approach to ethical considerations in AI applications.
2025-04-23 08:29:17 | theregister | NATION STATE ACTIVITY | Trump Administration Criticized for Weakening US Cybersecurity
The Trump administration has been accused of severely undermining America's cyber defenses, including allowing the crucial Common Vulnerabilities and Exposures (CVE) database to nearly lapse for lack of funding and support. CISA, the agency responsible for the CVE program, faced significant budget and staff cuts, jeopardizing the continuity of the CVE database, whose funding is set to run out in March 2026. Key figures such as General Timothy D. Haugh, who played a critical role in national cyber defense, were dismissed under the administration, further weakening the cybersecurity framework. Cybersecurity advisory bodies such as the Cyber Safety Review Board were effectively disbanded, halting investigations into major cyber incidents like the "Salt Typhoon" hacks. The administration promoted the decentralization of cyber defense responsibilities to state and local levels, potentially increasing vulnerabilities due to inconsistent capabilities across states. Critical federal cybersecurity grant programs saw funding cuts, impacting the ability to hire and retain skilled cybersecurity professionals at the state level. The administration's approach has raised concerns about the security of sensitive federal systems and data, with risky implications for national and individual security.
2025-04-23 07:20:00 | thehackernews | MALWARE | Ripple xrpl.js Library Compromised to Steal Cryptocurrency Keys
Ripple's npm JavaScript library xrpl.js was compromised, affecting versions 4.2.1 through 4.2.4 and 2.14.2. The attack was carried out through the software supply chain and aimed at exfiltrating private keys from users. The malicious code was published by a user named "mukulljangid", suspected to be a compromised Ripple employee account. A backdoor function named checkValidityOfSeed transmitted the stolen data to an external domain. With over 2.9 million total downloads and significant weekly download volume, the exposure could be extensive. No evidence was found of compromise in the associated GitHub repository; the attack was confined to the npm package versions. Updated package versions 4.2.5 and 2.14.3 have been released to remove the malicious code, and users are urged to upgrade immediately to avert potential security risks.
2025-04-23 05:28:04 | thehackernews | MISCELLANEOUS | Google Modifies Chrome's Cookie Policy and Boosts Incognito Privacy
Google has decided against introducing a new standalone prompt for third-party cookies in Chrome, continuing with its existing setup within the browser's Privacy and Security Settings. This decision is part of Google's broader Privacy Sandbox initiative, which balances user privacy enhancements with feedback from industry stakeholders. Instead of deprecating third-party tracking cookies, Google is focusing on enhancing privacy features in Incognito mode, which already blocks these cookies by default. A significant upcoming feature in Chrome’s Incognito mode is the IP Protection feature slated for release in Q3 2025, aiming to hide users' original IP addresses to prevent cross-site tracking. Google's approach reflects the divergent perspectives among publishers, developers, regulators, and the advertising industry regarding changes to third-party cookie usage. The company plans to continue engaging with the industry to refine its Privacy Sandbox technologies and will update its strategic roadmap in the months to come. Notably, Google's strategy differs from competitors like Apple Safari and Mozilla Firefox, which have blocked third-party cookies by default since 2020, as Google juggles its roles as a browser vendor, advertising platform, and search engine. These changes come amidst intense regulatory scrutiny of Google’s market influence in search and advertising, including recent U.S. Department of Justice proposals to potentially divest parts of its business.