Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-21 14:49:03 | theregister | MISCELLANEOUS | Google Expands Sovereign Cloud Services Amid Global Demand | Google has enhanced its sovereign cloud offerings to address growing global concerns about data sovereignty and security. The move includes air-gapped and region-specific solutions.
Google Cloud Air-Gapped provides a fully standalone ecosystem for users with stringent security needs, such as those in intelligence and defense, ensuring operational continuity without reliance on external networks.
Google Cloud Dedicated, developed in collaboration with Thales, aims to meet local sovereignty standards and is prepped to serve AI workloads with specialized hardware.
Google Cloud Data Boundary lets customers control data storage and processing locations, enhanced with a new User Data Shield to secure applications further.
The expanded cloud services are a response to increased customer unease over U.S. dominance in digital infrastructure and potential foreign governmental access to sensitive data.
Google's approach offers a suite of tailored solutions to fit various regulatory requirements and business needs, contrasting with one-size-fits-all models.
Major competitors like Amazon and Microsoft have also recently intensified efforts to cater to European demands for data sovereignty amid escalating geopolitical tensions.
Google's president of customer experience, Hayete Gallot, emphasizes the importance of providing flexible and secure options for clients as global instability increases demand for cloud sovereignty options. | Details |
| 2025-05-21 14:11:06 | bleepingcomputer | MISCELLANEOUS | ThreatLocker Enhances Patch Management for Modern Cyber Defenses | Patching vulnerabilities remains a crucial yet challenging cybersecurity task due to operational constraints and the rapid exploitation of vulnerabilities by adversaries.
Traditional patch management strategies often fall short, as hasty deployments can introduce additional risks, despite patches being available for extensive periods.
ThreatLocker's approach integrates Ringfencing to secure fully patched apps from being exploited, aiming to prevent attacks and unauthorized lateral movements.
Designed for Zero Trust environments, ThreatLocker treats every patch as untrusted until verified through rigorous internal reviews and testing by application engineers.
In the case of a recent zero-click vulnerability in Microsoft Outlook, ThreatLocker users were able to mitigate risks much faster than those with traditional patch management systems.
ThreatLocker provides tools for automation and control, enabling precision in patch management, essential for modern cybersecurity strategies.
The narrative emphasizes that effective patch management transcends compliance, integrating into strategic security operations for serious security-focused organizations. | Details |
| 2025-05-21 13:42:59 | theregister | NATION STATE ACTIVITY | Trump Announces Golden Dome, a High-Cost Missile Defense System | President Trump has announced the "Golden Dome" defense initiative, a plan to cover the US with a network of missile interceptors, satellites, and radar systems.
The initiative includes a $25 billion initial funding segment, part of a projected overall spend possibly reaching beyond $175 billion.
The system is designed to counteract various types of missiles including ballistic, hypersonic, and cruise missiles through a combination of space-based and terrestrial technologies.
Trump referenced the historical context of missile defense dating back to Reagan’s era, indicating this as a continuation and completion of Reagan's vision to neutralize missile threats.
The implementation involves major domestic production with Trump highlighting Silicon Valley's role and potential collaborations with Canada under conditions of financial contribution.
A Congressional Budget Office report estimates the potential cost for a functional space-based intercept system at between $161 billion and $831 billion over 20 years.
Skepticism remains about the effectiveness of the Golden Dome, particularly against large-scale missile attacks or those using advanced decoy tactics.
The project is seen by some as a lucrative opportunity for defense contractors and commercial entities like those owned by Elon Musk. | Details |
| 2025-05-21 13:42:58 | bleepingcomputer | NATION STATE ACTIVITY | EU Sanctions Stark Industries for Enabling Russian Cyberattacks | The European Union has sanctioned Stark Industries, a web-hosting provider, for supporting Russian cyber efforts and destabilising activities.
CEO Iurie Neculiti and owner Ivan Neculiti of Stark Industries are specifically targeted due to their roles in enabling these cyber activities.
Stark Industries is noted for being a historically bulletproof hosting provider, facilitating cyberattacks, including DDoS and disinformation campaigns advantageous to Russia.
Investigations reveal Stark Industries had provided infrastructure for notorious cyber groups like FIN7, facilitating severe security threats.
Despite Stark Industries' recent collaboration with cybersecurity firms to dismantle malicious infrastructure, EU sanctions proceed based on their prolonged enabling of harmful cyber activities.
Additional sanctions by the EU target various other entities and individuals involved in propagating Russian foreign policy and misinformation.
Sanctions include asset freezes and travel bans into the EU for the designated individuals and entities.
Alongside Stark Industries, media outlets, news agencies, and companies tied to Russian espionage and electronic warfare activities faced EU sanctions. | Details |
| 2025-05-21 13:18:18 | thehackernews | MALWARE | Surge in PureRAT Malware Attacks on Russian Firms in 2025 | A significant increase in PureRAT malware attacks targeting Russian businesses has been identified, with incidents quadrupling early in 2025 compared to the same timeframe in 2024.
These malware attacks begin with a deceptive phishing email that includes a malicious RAR file attachment, disguised as a reputable document.
Upon execution, the malware installs a RAT (Remote Access Trojan) that can control the infected system, capture keystrokes, and access files, cameras, and microphones.
The executable involved in the attack sequence not only deploys the RAT but also downloads auxiliary components capable of conducting espionage and data theft.
PureLogs, another component of the malware, specifically targets and extracts sensitive data from web browsers, email clients, and cryptocurrency wallets.
Kaspersky has not attributed these attacks to any specific threat actor, emphasizing the ongoing threat to Russian firms through malicious email campaigns.
The comprehensive capabilities of PureRAT and PureLogs highlight a sophisticated and well-resourced malware operation aimed at acquiring confidential data and maintaining persistent access to compromised systems. | Details |
| 2025-05-21 12:19:38 | thehackernews | MALWARE | Over 22 Million At Risk from Fake Kling AI Facebook Malware Ads | Counterfeit Facebook ads are directing users to fake Kling AI websites, ultimately downloading remote access Trojan (RAT) malware.
Kling AI, a popular AI-driven image and video synthesis platform by Kuaishou Technology, has been impersonated to deceive users.
First detected in early 2025, fake sites such as klingaimedia[.]com lure users into downloading harmful executable files disguised with double extensions.
The malicious software establishes persistence on infected systems, monitors for analysis tools, and evades detection via legitimate system processes.
The malware, specifically PureHVNC RAT, steals data from cryptocurrency wallets through browser-stored credentials and captures sensitive information via screenshots.
At least 70 promoted posts from fraudulent social media accounts were identified, with links pointing back to Vietnamese threat actors.
These attacks are part of a larger trend exploiting the surging interest in generative AI tools to distribute information-stealing malware via social media platforms.
Meta faces broader challenges with an "epidemic of scams" on its platforms, including Facebook and Instagram. | Details |
| 2025-05-21 11:50:00 | bleepingcomputer | CYBERCRIME | Ransomware Attack Causes Major Disruption at Kettering Health | Kettering Health, a major healthcare network in Ohio, experienced a significant cyberattack resulting in a system-wide technology outage.
The attack led to the cancellation of elective inpatient and outpatient procedures, and an ongoing disruption to its call center operations.
Kettering Health employs over 15,000 staff and operates 14 medical centers and over 120 outpatient facilities, all of which have been affected.
CNN reports attribute the ransomware attack to the Interlock ransomware gang, who have threatened to leak stolen data unless a ransom is paid.
The organization advised patients against making credit card payments over the phone due to potential scam activities linked to the incident.
While emergency services continue, elective procedures have been postponed with plans to reschedule.
There is still no confirmation from Kettering Health as to whether patient data was compromised during the attack. | Details |
| 2025-05-21 11:30:46 | thehackernews | MISCELLANEOUS | Enhancing CI/CD Security with Wazuh Integration | CI/CD practices accelerate software development but introduce security vulnerabilities such as supply chain attacks and insider threats.
Continuous security monitoring and best practices enforcement are essential at all stages of CI/CD workflows to mitigate risks.
Wazuh, an open-source security platform, enhances CI/CD security through unified XDR and SIEM capabilities.
Wazuh enables detailed monitoring of CI/CD environments, including servers, orchestration tools, and version control systems, to detect unauthorized activities and breaches.
Features such as File Integrity Monitoring (FIM) help in real-time detection of unauthorized changes, with alerts generated for suspicious file activities.
Wazuh supports custom rules creation and has streamlined security monitoring tailored to specific CI/CD needs, adhering to benchmarks like CIS Docker Benchmark.
Integration capabilities with third-party tools, such as container vulnerability scanners, ensure comprehensive security checks throughout the CI/CD pipeline.
Automated incident response by Wazuh minimizes manual intervention and swiftly addresses threats, maintaining the efficiency and reliability of CI/CD workflows. | Details |
| 2025-05-21 10:31:06 | thehackernews | CYBERCRIME | Streamlining Phishing Detection with Interactive Sandboxing | Phishing remains a top threat in corporate security, exploiting employee trust to gain unauthorized access.
Interactive sandboxing is proposed as an effective solution for analyzing suspicious emails and links without compromising system security.
ANY.RUN sandbox allows safe detonation of phishing emails, displaying behaviors such as redirects and CAPTCHA challenges typically missed by automated tools.
Once a phishing attempt is confirmed, the sandbox helps trace the full attack chain and gather indicators of compromise (IOCs) efficiently.
Features of ANY.RUN include a fast analysis interface, capability of auto-handling elements like CAPTCHA, and comprehensive logging of network traffic and behavior.
Utilizing sandboxes like ANY.RUN simplifies the process of identifying phishing infrastructure, providing crucial evidence for quick response and future prevention.
The method ensures that SOC teams can conduct thorough analyses and obtain detailed reports in less than 40 seconds, enhancing both detection and response times. | Details |
| 2025-05-21 10:12:41 | bleepingcomputer | CYBERCRIME | Marks & Spencer Suffers $402 Million Hit from Cyberattack | Marks & Spencer (M&S) anticipates a potential £300 million ($402 million) profit loss due to a recent cyberattack.
The attack led to significant disruption in online sales and operations, with system downtimes impacting the retailer heavily.
Recovery includes additional costs in waste, logistics, and stock management as M&S operates manually.
Online retail systems remain disabled, and disruptions are expected to continue affecting operations until at least July.
The attack was carried out using DragonForce ransomware by the cyber group Scattered Spider, which is also responsible for attacks on other UK retail chains.
M&S confirmed theft of customer data during the attack, adding to potential long-term reputational damage.
UK National Cyber Security Centre has issued warnings and guidance in light of these attacks targeting UK retailers.
Scattered Spider has expanded its operations, now also targeting U.S. retailers, signaling a broader threat landscape. | Details |
| 2025-05-21 09:35:47 | bleepingcomputer | DATA BREACH | Coinbase Data Breach Impacts Over 69,000 Customers Globally | Coinbase, a major cryptocurrency exchange, disclosed a data breach affecting 69,461 customers.
Personal information exposed includes names, dates of birth, social security numbers, email addresses, and partial bank account details.
Sensitive data about government IDs, account transactions, and balances were also stolen, increasing the risk of social engineering attacks.
The breach was facilitated by support staff or contractors outside the U.S., compromising less than 1% of Coinbase's customer base.
Coinbase received a $20 million extortion demand from the attackers, which it refused to pay, opting instead for a reward fund to capture the culprits.
Estimated financial impact due to the breach ranges from $180 million to $400 million for remediation and customer reimbursements.
The exchange has committed to reimbursing affected customers and is urging all users to enhance security measures like withdrawal allow-listing and two-factor authentication.
Coinbase also highlighted a broader cybersecurity framework analysis identifying top threats and defensive strategies to mitigate such risks. | Details |
| 2025-05-21 09:29:05 | theregister | CYBERCRIME | M&S Faces Massive Financial Hit from Sophisticated Cyberattack | Marks & Spencer anticipates a £300 million reduction in operating profits for the fiscal year 2025/26 due to a sophisticated, ongoing cyberattack.
The impact includes significant disruptions, increased costs from manual logistics, and loss in sales, particularly from online platforms.
M&S plans to utilize its cyber insurance, expecting to claim up to £100 million to offset some of the financial damage.
CEO Stuart Machin emphasized the company's focus on recovery and technical transformation to strengthen business post-attack.
Despite disruptions, M&S reported a 22.2% increase in pre-tax profits from the previous year and a sales growth of 6.1%.
The attack led to the theft of customer data, although sensitive payment card information was not compromised.
Share prices have fallen approximately 12% since the attack began, reflecting investor concerns over the company’s immediate financial health. | Details |
| 2025-05-21 09:03:54 | thehackernews | CYBERCRIME | New JavaScript Scam Redirects Mobile Users to Adult Content Apps | Cybersecurity experts have uncovered a malicious campaign targeting mobile users with JavaScript injections.
The attack redirects users to a Chinese Progressive Web App (PWA) featuring adult-content scams.
The scheme activates specifically on mobile platforms such as Android and iOS, ignoring desktop environments.
Attackers employ Progressive Web Apps to mimic native applications and potentially evade standard browser security measures.
The malicious code is injected into websites and triggers redirection only when accessed via mobile devices.
Victims are led through several intermediary pages before arriving at fraudulent app store listings.
This strategy indicates a shift towards more sophisticated, persistent methods of phishing on mobile devices. | Details |
| 2025-05-21 08:37:15 | theregister | MISCELLANEOUS | UK Concerns Over Dependency on US for Space and Defense Security | Dr. Bleddyn Bowen highlighted the UK's significant reliance on the US for space technology and military capabilities during a House of Lords committee hearing.
The UK abstained from developing independent satellite-launching and nuclear capabilities during the Cold War, relying instead on US provisions after extensive negotiations.
Recent rhetoric and policies from the Trump administration have raised concerns about the future of UK-US relations, especially in areas of military and space cooperation.
The importance of maintaining strong UK-US relations was emphasized given the deep integration in intelligence, space, and military sectors.
The UK government committed to a defense spending increase to 2.5% of GDP by 2027, which was positively received by President Trump.
Despite current political tensions, day-to-day military cooperation between the UK and US remains robust, with ongoing integration between UK Space Command and US Space Force.
Shifts in the UK's defense procurement from the US towards European suppliers have been observed, indicating a potential diversification of defense alliances. | Details |
| 2025-05-21 07:36:43 | theregister | CYBERCRIME | Scattered Spider Targets Financial and Retail Sectors Globally | Scattered Spider initially focused on cryptocurrency theft and business process outsourcing before moving to the financial sector and now retail.
Palo Alto Networks' Unit 42 observed the shift of this cybercrime group towards customer-facing retail sectors in the UK and US.
The group's operatives, who tend to move across industries, leverage their insider industry knowledge to conduct crime efficiently.
Social engineering tactics employed by Scattered Spider include using their native-English fluency to manipulate employees into bypassing internal security protocols.
Despite recent attacks on retailers and cryptocurrency exchanges, no direct evidence links these incidents specifically to Scattered Spider; however, the group's past involvement in similar cases leads experts not to rule out connections.
Two major cryptocurrency exchanges, Binance and Kraken, have recently countered social engineering attacks, with discussions around potential losses if systems were breached.
Coincidentally, Coinbase is working with the DOJ and international law enforcement to address the security incidents, indicating a serious concern over these breaches. | Details |