Daily Brief
Find articles below; the generated summaries appear in the Summary column.
Total articles found: 11830
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-04-23 05:28:04 | thehackernews | MISCELLANEOUS | Google Modifies Chrome's Cookie Policy and Boosts Incognito Privacy | Google has decided against introducing a new standalone prompt for third-party cookies in Chrome, continuing with its existing setup within the browser's Privacy and Security Settings. This decision is part of Google's broader Privacy Sandbox initiative, which balances user privacy enhancements with feedback from industry stakeholders. Instead of deprecating third-party tracking cookies, Google is focusing on enhancing privacy features in Incognito mode, which already blocks these cookies by default. A significant upcoming Incognito feature, IP Protection, is slated for release in Q3 2025 and aims to hide users' original IP addresses to prevent cross-site tracking. Google's approach reflects the divergent perspectives among publishers, developers, regulators, and the advertising industry regarding changes to third-party cookie usage. The company plans to continue engaging with the industry to refine its Privacy Sandbox technologies and will update its strategic roadmap in the months to come. Notably, Google's strategy differs from that of competitors such as Apple Safari and Mozilla Firefox, which have blocked third-party cookies by default since 2020, as Google juggles its roles as a browser vendor, advertising platform, and search engine. These changes come amid intense regulatory scrutiny of Google's market influence in search and advertising, including recent U.S. Department of Justice proposals to potentially divest parts of its business. |
| 2025-04-22 23:30:24 | bleepingcomputer | CYBERCRIME | Marks & Spencer Impacted by Cyberattack, Disrupts Customer Services | Marks & Spencer (M&S) has experienced a cyberattack affecting its operations and Click and Collect service. Despite the ongoing incident, M&S stores, website, and app remain functional, so everyday consumer access is minimally disrupted. The company engaged external cybersecurity experts to assist with the investigation and management of the incident. M&S has reported the incident to data protection supervisory authorities and the National Cyber Security Centre. Customers have been advised of potential delays with the Click and Collect service and to await notification before pickup. M&S has issued an apology for the inconvenience caused by the cyberattack and is actively working to resolve the disruptions. No specific details about the nature of the cyberattack or the identity of the attackers have been disclosed as yet. |
| 2025-04-22 21:12:00 | bleepingcomputer | CYBERCRIME | Critical Mail RCE Flaw Targets Japanese Firms; Urgent Update Needed | A zero-day remote code execution (RCE) vulnerability in Active! Mail is being actively exploited, predominantly affecting large Japanese organizations. Active! Mail, a web-based email client used by over 11 million accounts in Japan, suffers from a critical stack-based buffer overflow. The flaw, identified as CVE-2025-42599 with a CVSS v3 score of 9.8, potentially allows arbitrary code execution or causes a denial-of-service condition. Following the vulnerability disclosure, IT service providers such as Kagoya Japan and WADAX reported attacks, leading to temporary service suspensions. Japan's CERT confirms the exploitation and has issued an update recommendation to mitigate the risks associated with the vulnerability. Security experts from Macnica noted at least 227 Active! Mail servers exposed online, including 63 in educational institutions, heightening the risk of attack. Companies unable to apply the update immediately are advised to configure Web Application Firewalls (WAFs) to inspect and filter HTTP requests to prevent exploitation. |
| 2025-04-22 20:25:07 | theregister | MISCELLANEOUS | Google Abandons Privacy Sandbox, Retains Third-Party Cookies | Google has decided to continue using third-party cookies in Chrome, abandoning its Privacy Sandbox initiative aimed at enhancing user privacy. This reversal comes after opposition from advertising technology rivals and regulatory pressure, with concerns that the Sandbox would unfairly advantage Google's already dominant ad services. Third-party cookies, criticized for compromising privacy by tracking users across multiple sites, will remain integral to Chrome's functionality. Privacy Sandbox, announced in 2019, was intended to replace third-party cookies with a system that still allows targeted ads while complying with rising privacy regulations. Google had planned an opt-in screen allowing users to choose between the Privacy Sandbox and traditional third-party cookies, but this has now been scrapped. Some components of the Privacy Sandbox, such as the IP Protection scheme, will still be implemented, aiming for a Q3 2025 deployment. Critics such as the Electronic Frontier Foundation accuse Google of prioritizing its business model over user privacy, especially when compared with other browsers that block third-party cookies by default. Google asserts that it will work with industry stakeholders to revise its roadmap and possibly continue developing other Privacy Sandbox technologies. |
| 2025-04-22 19:43:54 | bleepingcomputer | CYBERCRIME | Hackers Manipulate Zoom Feature to Steal Cryptocurrency | A hacking group called 'Elusive Comet' is exploiting Zoom's remote control feature to access and steal cryptocurrency from users. The group employs social engineering tactics, mimicking methodologies used by the Lazarus group in the recent $1.5 billion Bybit crypto heist. Victims are lured into a phony interview via Zoom, orchestrated through convincingly fraudulent Bloomberg or crypto-focused journalist profiles on X or by email. During the call, attackers rename their display name to "Zoom," so that the remote-control prompt appears to be a legitimate Zoom request and the victim grants access. Once access is granted, attackers can control the victim's system, enabling them to extract sensitive data, install further malware, and complete unauthorized cryptocurrency transactions. Trail of Bits, the cybersecurity firm reporting this issue, uncovered the scam after its CEO was targeted and suggests stringent control measures, including avoiding Zoom in high-security environments. Recommendations for defense include deploying specific Privacy Preferences Policy Control (PPPC) profiles to block unsolicited access requests. |
| 2025-04-22 19:37:11 | theregister | NATION STATE ACTIVITY | Two Senior CISA Officials Resign Amid U.S. Cybersecurity Cuts | Bob Lord and Lauren Zabierek, both key figures at CISA, announced their resignations, specifically highlighting their involvement in the Secure by Design program. The Secure by Design initiative focused on enhancing cybersecurity by requiring software makers to integrate better security features from the initial stages of development. Zabierek's mission included persuading over 250 software companies to commit to better security practices, such as implementing multi-factor authentication. The resignations occur as CISA faces significant workforce reductions, with potential cuts affecting up to 40% of its staff due to budget constraints imposed by the Trump administration. Concerns are rising about a "brain drain" at CISA that may weaken U.S. national cybersecurity, especially as changes to the program under the current administration have been hinted at. Recent cuts at CISA include a 50% reduction in funding for the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the discontinuation of multiple advisory committees focused on cybersecurity. |
| 2025-04-22 18:31:30 | bleepingcomputer | MALWARE | SK Telecom USIM Data Compromised in Recent Malware Attack | SK Telecom, South Korea's leading mobile operator, experienced a malware attack that exposed sensitive USIM-related customer data. Detected on April 19, 2025, the malware was identified during a weekend when staffing was reduced, potentially increasing vulnerability. The compromised data includes crucial USIM information such as IMSI, MSISDN, and authentication keys, which could be exploited for surveillance or SIM-swap attacks. Immediately upon discovery, SK Telecom removed the malware, isolated affected hardware, and reported the incident to the Korea Internet & Security Agency (KISA) and the Personal Information Protection Commission. To date, there are no confirmed instances of misuse of the leaked information, although the full extent and origin of the breach are still under investigation. SK Telecom has enhanced security measures, including tightened controls on USIM swaps and abnormal authentication attempts, and introduced a USIM protection service to prevent unauthorized SIM changes. Customers are urged to enroll in the USIM protection service to safeguard against potential SIM card portability fraud. |
| 2025-04-22 18:12:49 | theregister | CYBERCRIME | Ransomware Group Mocks US Department Using Elon Musk's Tactics | The Fog ransomware group has incorporated a satirical reference to an Elon Musk policy into its updated ransom demands, requiring victims to list their weekly accomplishments. The ransom note mimics a policy from Musk's tenure as head of the US Department of Government Efficiency (DOGE), under which federal employees had to submit five-point recaps of their weekly achievements. The unusual demand reflects a trend of cybercriminals merging political satire with their illegal activities, possibly to mock victims and government inefficiencies. Fog ransomware, active for about a year, targets both Windows and Linux systems across multiple industries, but little is known about its origins or group composition. Trend Micro researchers have provided indicators of compromise and methods to defend against Fog ransomware, highlighting the need for increased vigilance and protective measures. Speculation surrounds Elon Musk's future with the US government, with reports suggesting Musk may resign from DOGE by May due to frustration with political opposition. DOGE, under Musk's guidance, aimed to drastically reform federal operations but has not reached its expected efficacy and budget-cutting goals. |
| 2025-04-22 17:13:26 | theregister | MISCELLANEOUS | New Ransomware Research Bounty Program Offers $250K Fund | Halcyon has launched the Threat Research Incentive Program (TRIP), allocating $250,000 to reward researchers for ransomware-specific intelligence. Each approved submission can earn researchers up to $10,000, aiming to aid the development of Halcyon's anti-ransomware technologies. The program's goal is to enhance ransomware prevention efforts by incorporating new intelligence into Halcyon's products rather than making all findings publicly available. The rewards program is structured into four tiers, with the most critical intel (Tier 1) yielding the highest payouts of up to $10,000. Salinas emphasized that while the program benefits the security community by rewarding independent research, the primary beneficiaries will be Halcyon and its customers. Submissions are vetted to ensure they do not inadvertently reveal victim identities or provide threat actors with insights that could compromise further investigations. Payouts are made through official, traceable channels, and researchers must verify their independence and lack of affiliation with sanctioned entities or ransomware groups. |
| 2025-04-22 16:47:14 | thehackernews | MALWARE | Malicious Docker Containers Mine Crypto Using Fake Signals | Cybersecurity firms Darktrace and Cado Security have exposed a new malware campaign that abuses Docker environments to earn cryptocurrency rewards. The malware uses a novel method: rather than mining directly, it interacts fraudulently with the Web3-based Teneo service to generate rewards. Teneo operates a decentralized platform where participants earn points by running nodes that scrape social media data; the malware fakes this activity to accumulate points without performing any real scraping. The offending Docker container, labeled "kazutod/tene:ten", contains an obfuscated Python script that interacts with Teneo's system just enough to mimic activity and earn rewards. The malware's strategy includes sending keep-alive pings to simulate engagement, exploiting the system's reward for 'heartbeat' actions rather than actual data scraping. This Docker-based approach is part of a broader trend of cybercriminals moving away from easily detectable mining tools such as XMRig toward more surreptitious methods of exploiting computing resources for financial gain. The discovery also aligns with recent findings of increased botnet activity and IoT device exploitation aimed at conducting DDoS attacks, highlighting ongoing weaknesses in network security. |
| 2025-04-22 16:47:13 | bleepingcomputer | MALWARE | Ripple's xrpl.js Library Compromised, XRP Wallets Exposed | The official Ripple xrpl.js library was compromised, leading to theft of XRP wallet seeds and private keys. Malicious code was present in versions 2.14.2, 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of the xrpl NPM package, affecting downloads made within a specific one-hour period. A method called checkValidityOfSeed was added to these versions to forward sensitive data to an attacker-controlled server. This supply chain attack is not unique, following similar breaches in other blockchain ecosystems such as Ethereum and Solana. Users are advised to upgrade immediately to the clean version 4.2.5 and to consider key rotation or disabling compromised keys as described in the XRP Ledger documentation. Despite relatively low download numbers, the widespread use of the xrpl.js library means potential access to a large number of wallets. The malicious additions were likely made using compromised developer credentials and did not appear in the public GitHub repository, indicating a breach during the NPM publishing process. |
| 2025-04-22 16:16:34 | theregister | CYBERCRIME | M&S Reports Cyber Incident Affecting Click & Collect Orders | Marks & Spencer (M&S) has notified the London Stock Exchange of a "cyber incident" impacting its operations. The specific details and nature of the incident were not disclosed, but it has been affecting customer orders for the past few days. M&S's Click & Collect service experienced disruptions, though its stores remain open and its website and app are operating normally. Customers were informed by email about potential delays with their Click & Collect orders but were advised that no immediate action was needed on their part. The retailer has made "minor, temporary changes" to its store operations to safeguard customer and business interests. M&S has engaged external experts for incident management and reported the situation to the National Cyber Security Centre and the Information Commissioner's Office. Social media reports from customers mentioned issues with service availability as early as Saturday, indicating possible earlier impacts of the incident. |
| 2025-04-22 15:22:06 | theregister | NATION STATE ACTIVITY | UN Warns of Global Spread of Asian Scam Call Centers | The United Nations reports that the epidemic of scam call centers, primarily rooted in Southeast Asia, is now a global issue, with operations expanding as criminal syndicates adapt and spread internationally. Recent crackdowns in Asia have led these criminal groups to relocate their operations to areas with weaker governance, including South America, Africa, and parts of Europe. These operations involve not only scam calls but also money laundering and human trafficking, with estimated annual earnings between $27.4 and $36.5 billion. The UN highlighted that these criminal networks are now using online platforms to broaden their reach and are increasingly involved in other forms of cyber-enabled fraud, such as online gambling. Law enforcement agencies in several African and South American countries have conducted operations resulting in the arrest of numerous individuals linked to these scam operations. Syndicates are reportedly setting up physical operations in strategic locations, including Georgia and Turkey, to facilitate their fraudulent activities and recruitment efforts. The UNODC has urged governments across the world to strengthen their regulatory frameworks and enhance their law enforcement capabilities to combat the proliferation of these crime networks effectively. |
| 2025-04-22 15:08:09 | bleepingcomputer | CYBERCRIME | Proof-of-Concept "Cookie-Bite" Attack Targets Microsoft Session Tokens | Varonis security researchers unveiled a proof-of-concept attack, named "Cookie-Bite," that uses a malicious Chrome extension to steal Microsoft Azure session cookies. The attack specifically targets the Microsoft Entra ID cookies 'ESTSAUTH' and 'ESTSAUTHPERSISTENT', which can be used to bypass multi-factor authentication and maintain prolonged access to services such as Microsoft 365. Once these cookies are exfiltrated, attackers can import them via legitimate browser extension tools to gain unauthorized access under the victim's identity. Microsoft's conditional access policies and monitoring for unusual sign-in activity, such as logins originating from a VPN, are crucial for identifying and mitigating this kind of credential theft. The stealth and persistence of the Cookie-Bite attack emphasize the need for stricter policies on browser extension management and developer mode restrictions in enterprise environments. This type of session cookie theft is not new but poses significant risk because of the potential for extensive unauthorized access, including email infiltration and internal system manipulation. |
| 2025-04-22 14:12:12 | thehackernews | MALWARE | Vulnerability in GCP Cloud Composer Allows Privilege Escalation | Cybersecurity researchers at Tenable identified a critical vulnerability in Google Cloud Platform's Cloud Composer service, nicknaming it ConfusedComposer. ConfusedComposer could let attackers with edit permissions escalate their access to GCP's default Cloud Build service account, granting them high-level permissions. Attackers could exploit the vulnerability by injecting malicious Python Package Index (PyPI) packages into a Cloud Composer environment. The flaw demonstrates how interaction between cloud services can lead to inherited security issues, known as the "Jenga" effect. Successful exploitation would allow attackers access to sensitive GCP services such as Cloud Storage and Artifact Registry, potentially leading to data theft or service disruption. Google has patched the vulnerability by changing how PyPI packages are installed, using the environment's service account instead of the Cloud Build account. The update applies to existing Cloud Composer 2 environments and is already in place in new Cloud Composer 3 setups. This disclosure follows another recent vulnerability identified in Microsoft Azure and a bug in Microsoft Entra ID, highlighting ongoing security challenges in major cloud platforms. |