Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12764
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-24 17:55:15 | theregister | CYBERCRIME | Ex-Advisor Highlights Cybercrime Over Nation-State Cyber Threats | Cybercrime, particularly ransomware and business email compromises, poses a significant risk to US organizations, overshadowing threats from nation-states.
Michael Daniel, former White House cybersecurity advisor, emphasizes the broad scope of cyber threats that the US faces, including from China, Russia, Iran, North Korea, and cybercriminal organizations.
Budget reductions under the Trump administration have led to significant cuts in cybersecurity staffing and funding, particularly impacting the Cybersecurity and Infrastructure Security Agency (CISA) and related sector-risk management agencies.
The ongoing government cost-cutting threatens the nation's ability to manage cybersecurity risks effectively across its 16 critical infrastructure sectors.
Daniel advocates for increased federal efforts to assist businesses in protecting against cyber threats and improve their resilience against potential cyber-attacks.
Despite the growing need for skilled cybersecurity professionals, the federal government faces staffing challenges due to non-competitive pay scales compared to the private sector.
Daniel calls for transparency concerning the number of federal cybersecurity staff reductions and emphasizes the importance of federal support for local governments, healthcare, and educational institutions to enhance their cybersecurity infrastructure. | Details |
| 2025-05-24 14:35:35 | bleepingcomputer | MALWARE | Bumblebee Malware Distributed Through Fake Open-Source Tool Sites | Bumblebee malware is being distributed via fake versions of popular open-source tools such as Zenmap and WinMTR.
Typosquatting domains like zenmap[.]pro and winmtr[.]org mimic legitimate sites, with the former still active and showing counterfeit content.
SEO poisoning is used to drive traffic to these malicious sites, ranking them high on search engine results for related search terms.
The malware, delivered via compromised installers, evades detection by most antivirus engines referenced on VirusTotal.
Users are tricked into downloading what appears to be legitimate software, which installs a malicious DLL capable of executing a backdoor for further malicious activities.
Additional malware payloads include ransomware and infostealers, expanding the threat beyond the initial breach.
A similar campaign targets users of Hanwha’s WisenetViewer and Milestone XProtect, distributing trojanized versions via spoofed domains.
Official recommendations emphasize only downloading software from trusted sources and verifying installer hashes before execution. | Details |
| 2025-05-24 12:21:57 | theregister | MISCELLANEOUS | John Young, Cryptome Co-founder and Digital Rights Pioneer, Passes Away | John Young, co-founder of the influential document leak site Cryptome, has died at 89.
Cryptome was instrumental in initiating the first digital crypto war and setting the stage for other leak sites like WikiLeaks.
Young and his partner Deborah Natsios started Cryptome to share sensitive data about government activities and cryptography, influencing global discourse on data privacy and public access to information.
Young was skeptical of fundraising and profit motives in disclosure platforms, notably criticizing WikiLeaks for its approach to financial matters.
Despite legal challenges and pressure from entities like Microsoft, Cryptome persisted in hosting controversial materials, serving as a robust archival resource.
Young's life experiences and career as an architect deeply influenced his commitment to the unrestricted flow of information, steering clear of traditional journalistic practices by focusing on raw data archival.
His steadfast belief in the public's right to know remained unwavering, even in the face of governmental and legal adversities.
Young’s enduring legacy underscores his philosophy of transparency and anti-censorship, contrasting sharply with other platforms' handling of similar disclosures. | Details |
| 2025-05-23 17:49:11 | theregister | RANSOMWARE | Ransomware Attack Compromises Nova Scotia Power Customer Data | Nova Scotia Power confirmed a ransomware attack initially detected on April 25 and traced back to March 19, impacting IT systems and customer data.
The breach exposed sensitive information such as names, contact details, Social Insurance Numbers, and bank account numbers for autopay clients.
Despite the significant data leak, the utility has opted not to pay the ransom, in line with sanctions laws and law enforcement advice.
Operations remained unaffected; however, billing, customer portals, and outage reporting services were disrupted.
Affected customers are offered a two-year free credit monitoring service by TransUnion to guard against potential fraud.
The company has engaged cybersecurity experts to understand the extent of the breach and strengthen defenses.
In response to the incident, Nova Scotia Power noted an increase in phishing attempts through various communication platforms and urged vigilance. | Details |
| 2025-05-23 17:40:57 | bleepingcomputer | MALWARE | Malicious NPM Packages Intercept Sensitive Data, Pose Severe Risk | Researchers discovered 60 malicious NPM packages aiming to collect and transmit critical host and network data.
These packages were identified by the Socket Threat Research team and utilized names mimicking legitimate packages to deceive developers.
The post-install script in these packages detects the execution environment to evade analysis and collects sensitive data without delivering further payloads.
Despite being reported, the packages remained online at the time of discovery, accumulating over 3,000 downloads, but were later removed.
Another discovered NPM campaign involved 8 data-wiping packages targeting popular JavaScript ecosystems and camouflaged as legitimate tools.
The data-wiping packages were capable of file deletion, data corruption, and system shutdown, and were downloaded 6,200 times over two years.
Socket’s findings highlight the need for continuous vigilance and immediate system checks if suspicious packages are installed. | Details |
| 2025-05-23 17:31:52 | thehackernews | MALWARE | Malware Spread Through TikTok Videos, Fake Ledger Apps Target Mac Users | Hackers are now using TikTok videos to distribute Latrodectus malware, leveraging a technique called ClickFix that runs malicious code directly in memory, evading many security measures.
The campaign utilizes AI-generated videos on TikTok to trick users into executing harmful PowerShell commands, pretending to offer activation for applications like Windows and Spotify.
Latrodectus acts primarily as a downloader for other dangerous payloads, including ransomware, and is believed to be a successor to the IcedID malware.
A related discovery involves malicious campaigns using cloned Ledger Live apps to steal seed phrases from Mac users, aiming to drain cryptocurrency wallets.
The malware inside these fake Ledger apps can also steal passwords and other sensitive information, exacerbating threats to crypto wallet security.
Security firms advise disabling the Windows Run command and modifying Group Policy settings to prevent such attacks.
A recent international law enforcement operation, Operation Endgame, has temporarily disrupted these malware networks by shutting down servers and seizing domains. | Details |
| 2025-05-23 16:51:22 | theregister | NATION STATE ACTIVITY | CISA Warns of Targeted Zero-Day Attacks on SaaS Providers | The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about increasing attacks targeting SaaS providers, particularly exploiting cloud applications with default configurations and elevated permissions.
Commvault experienced a breach in its Microsoft Azure environment, following a report from Microsoft about potential nation-state actor penetration.
A zero-day vulnerability in Commvault's system (CVE-2025-3928) was used by attackers to access M365 backup SaaS solutions hosted on Azure, endangering customer M365 environments.
This zero-day was added to CISA's Known Exploited Vulnerability catalog, emphasizing the criticality of the breach, with the potential effects still largely unquantified.
Commvault has confirmed that while customer data remains secure, attackers aimed to obtain credentials that could exploit M365 environments, with the broader campaign possibly affecting multiple SaaS companies.
CISA has urged organizations to utilize Microsoft logs for threat detection and to set incident response plans in motion should any deviations from standard configurations be detected.
Recommendations for organizations include rotating secrets and credentials, restricting access to trusted networks, applying necessary patches, and minimizing admin rights to bolster security defenses. | Details |
| 2025-05-23 15:54:09 | bleepingcomputer | CYBERCRIME | Hackers Steal $223 Million from Cetus Protocol in Major Crypto Heist | Cetus Protocol announced the theft of $223 million in cryptocurrencies, halting its operations temporarily to investigate.
The theft exploited a vulnerability in the DEX's software, which was identified and subsequently fixed to prevent further breaches.
Cetus offers a $5 million bounty for information leading to the hacker's arrest, alongside a whitehat deal to forgo legal pursuit if funds are returned.
Some of the stolen funds, amounting to $162 million, have been frozen on the Sui blockchain following an emergency intervention by network validators.
Elliptic's analysis indicates the exploit might involve automated market maker logic, manipulating pool prices for flash loan-style attacks.
The hacker’s wallet address has been identified, with transactions tracked from Sui to Ethereum, and is now flagged on major exchanges to prevent laundering of the funds.
Blockchain analytics and collaboration with law enforcement are ongoing to trace and potentially recover the stolen crypto assets. | Details |
| 2025-05-23 15:28:23 | bleepingcomputer | CYBERCRIME | FBI Alerts on Luna Moth Extortion Targeting U.S. Law Firms | The FBI issued warnings regarding the Silent Ransom Group (SRG), also known as Luna Moth, for extortion attacks specifically targeting U.S. law firms.
SRG employs social engineering to impersonate IT support through emails, fake websites, and phone calls to gain unauthorized network access.
Unlike traditional ransomware, SRG does not encrypt data but threatens to leak stolen sensitive information unless a ransom is paid.
The attack method includes the installation of remote access tools on victims' devices, enabling data theft using software like WinSCP and Rclone.
SRG has been active since separating from the Conti cybercrime syndicate in 2022 and continues to pose significant threats by also impersonating other legal and financial institutions.
The FBI advises strengthening cybersecurity measures including robust passwords, enabling two-factor authentication, conducting regular data backups, and training employees to recognize phishing attempts.
EclecticIQ's report highlights that ransom demands by SRG can range up to eight million USD depending on the size of the targeted firm. | Details |
| 2025-05-23 12:54:11 | thehackernews | CYBERCRIME | Global Network of 5,300 Devices Turned Into Honeypots by ViciousTrap | Cybersecurity researchers have identified ViciousTrap compromising 5,300 routers across 84 countries using a Cisco flaw.
The exploitation primarily uses a shell script, NetGhost, to reroute specific network traffic to an infrastructure controlled by the attacker.
These compromised devices, primarily located in Macau, form a honeypot-like network to intercept and study network flows.
This strategy likely helps in capturing zero-day exploits and observing multiple exploitation attempts across varied environments.
The threat actor leveraged CVE-2023-20118, impacting Cisco Small Business routers, downloading malicious scripts to execute the attacks.
Despite similar methods, no direct connection is found between ViciousTrap's activities and another botnet, PolarEdge.
All documented attacks originated from IP addresses based in Malaysia, associated with a hosting provider named Shinjiru.
The exact purpose of this honeypot network remains uncertain, though the operation seems well-orchestrated to gather crucial cyber intelligence. | Details |
| 2025-05-23 10:52:26 | thehackernews | MALWARE | Global Law Enforcement Disrupts Ransomware Networks, Arrests Key Actors | Operation Endgame led by Europol seized 300 servers and €3.5M in cryptocurrencies, targeting ransomware infrastructure globally.
Approximately 650 domains have been neutralized, and international arrest warrants were issued against 20 key suspects.
The operation focused on new malware variants and groups such as Bumblebee, Latrodectus, and others, aiming to dismantle the ransomware delivery services.
The total amount seized during Operation Endgame has accumulated to over €21.2 million, demonstrating significant financial impact.
Germany's Federal Criminal Police initiated criminal proceedings against 37 individuals, some now listed on the EU's Most Wanted.
The operation is a continuation of efforts to disrupt cybercriminal ecosystems and prevent further ransomware attacks.
Europol's latest actions indicate the adaptability and resilience of law enforcement in the face of evolving cyber threats. | Details |
| 2025-05-23 10:39:36 | thehackernews | MISCELLANEOUS | SafeLine WAF: Open-Source Firewall Enhancing Web Security | SafeLine is the leading open-source Web Application Firewall (WAF) on GitHub, offering preeminent features for self-hosted security solutions.
Unlike cloud-based alternatives, SafeLine provides enhanced visibility and total sovereignty over data by operating on local servers.
Features comprehensive attack prevention strategies against a wide range of web threats, including SQL injection, XSS, and more.
Uses a semantic analysis engine for zero-day attack detection, boasting a 99.45% detection rate and a 0.07% false positive rate.
Offers multi-layered defenses against bot attacks and includes HTTP Flood DDoS mitigation through rate limiting and a virtual waiting room for traffic spikes.
Supports modern authentication protocols and Single Sign-On (SSO) aligning with Zero Trust security principles to verify and secure user access.
Designed for quick deployment and easy management, with a user-friendly configuration interface and wizard-based setup.
Provides advantages over cloud-based WAFs by ensuring autonomy in deployment and operation, ideal for a wide range of web application security needs. | Details |
| 2025-05-23 09:53:49 | bleepingcomputer | MALWARE | TikTok Videos Linked to Spreading Infostealer Malware Campaign | Cybercriminals exploit TikTok videos to distribute Vidar and StealC information-stealing malware via ClickFix attacks.
These TikTok campaigns use AI-generated videos encouraging users to execute PowerShell commands under the guise of activating software like Windows, Office, Spotify, and CapCut.
One deceptive video promoting enhanced Spotify features quickly amassed nearly 500,000 views, demonstrating the effectiveness of social platform algorithms in spreading such malicious campaigns.
The executed commands disguise the download and execution of remote scripts that install malware, enabling theft of credentials, credit card details, and other sensitive data.
Infected devices are further manipulated to download additional scripts ensuring persistence with startup registry keys.
Similar tactics have been employed by state-sponsored groups in recent espionage efforts, showing the adaptability and dangerous evolution of the ClickFix tactic.
Previous malware distribution via TikTok includes the ‘Invisible Challenge’ leading to vast infections by WASP Stealer malware. | Details |
| 2025-05-23 09:20:16 | theregister | CYBERCRIME | Elderly Duped into Drug Smuggling by Cyber Scam Artist | Tonny Iheoma Ezeh, a cyber fraudster, manipulated elderly victims into smuggling methamphetamine disguised as chocolates.
Ezeh, involved in a West African crime syndicate, operated from Mexico and targeted pensioners through email scams.
Two German victims, aged 80 and 67, were caught at Heathrow Airport with 3 kg of meth hidden in chocolate truffle boxes.
Initially charged with drug smuggling, the pensioners were acquitted after the investigation revealed they were scammed.
Ezeh was arrested as he entered the UK and was convicted at Isleworth Crown Court, receiving a nine-year and three-month prison sentence.
The National Crime Agency emphasized the predatory nature of Ezeh's crimes, highlighting the exploitation of vulnerable elderly individuals.
Authorities continue to caution the public against too-good-to-be-true offers involving the transport of goods internationally. | Details |
| 2025-05-23 07:12:03 | thehackernews | CYBERCRIME | U.S. Charges 16 in Global $50M DanaBot Malware Cybercrime Case | The U.S. Department of Justice announced the disruption of DanaBot malware infrastructure and charged 16 individuals linked to a Russia-based cybercrime group.
DanaBot infected over 300,000 computers globally, enabling large-scale fraud and ransomware activities, causing damages of at least $50 million.
The primary accused, Aleksandr Stepanov and Artem Aleksandrovich Kalinkin, remain at large, facing charges including conspiracy, wire fraud, and aggravated identity theft.
The malware's self-infection incidents led to accidental compromise of the criminals' own data, aiding in their identification.
Law enforcement seized DanaBot's command-and-control servers as part of Operation Endgame, significantly disrupting the malware's operations.
DanaBot, active since 2018, started as a banking trojan and evolved into a multi-functional malware-as-a-service, capable of stealing a wide range of personal and financial data.
Several private sector firms provided assistance in the operation, highlighting the importance of public-private partnerships in combating cyber threats. | Details |