Daily Brief
Articles are listed below; see 'Details' for the generated summaries.
Total articles found: 12775
Checks for new stories every ~15 minutes
| Published | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-17 15:35:59 | theregister | MISCELLANEOUS | Scientists Develop Privacy-Enhancing Geolocation Verification Method | Academics from Germany, Hong Kong, and the UK have proposed a cryptographic technique called Zero-Knowledge Location Privacy (ZKLP). ZKLP lets a user prove that they are inside a given region without revealing their exact coordinates. It is built on zero-knowledge proofs, specifically zk-SNARKs, with circuits optimized for the floating-point arithmetic needed to map coordinates onto cells of a Discrete Global Grid System. ZKLP does not address location spoofing: the proof shows that a claimed position lies within a region, not that the position was honestly measured, so an application still needs a third-party system to check authenticity. The researchers report that proximity to other users can be evaluated at about 470 peers per second without disclosing anyone's coordinates. The method could serve applications that need verified location data, such as content authenticity in media, and could support machine learning and Proof-of-Personhood schemes. The work, presented at the IEEE Symposium on Security and Privacy, shows that the ZKLP implementation is less error-prone than earlier approaches thanks to advances in handling floating-point computation inside cryptographic protocols. | Details |
| 2025-05-17 14:12:29 | bleepingcomputer | MALWARE | New 'Defendnot' Tool Disables Microsoft Defender on Windows | 'Defendnot' is a new tool that turns off Microsoft Defender by registering a fake antivirus product with Windows. It abuses an undocumented Windows Security Center (WSC) API to make the system accept a non-existent AV product as a legitimate one. Developed by researcher es3n1n, Defendnot is the successor to an earlier project that was taken down over a copyright complaint. To pass WSC's checks, Defendnot injects its code into Taskmgr.exe, a trusted system process, and performs the registration from there so that it looks like legitimate software registering itself. Once the fake product is registered, Windows disables Defender automatically, because it does not run multiple antivirus engines at the same time, and the system is left without real protection. The tool also persists by creating an autorun task that runs at user login. Microsoft now detects and blocks Defendnot as malware under the signature 'Win32/Sabsik.FL.!ml'. Although presented as a research project, Defendnot shows how the trust Windows places in its own processes and in registered AV products can be abused to disable a key defense. | Details |
| 2025-05-16 23:38:58 | theregister | NATION STATE ACTIVITY | Chinese Fake Firms Target Laid-Off US Government Workers | Chinese front companies have been posting job ads, framed as consulting roles, to recruit former US federal employees. The fake firms, identified by the Foundation for Defense of Democracies (FDD), advertised on platforms including LinkedIn and Craigslist. The scheme targets recently laid-off employees, who might unintentionally disclose sensitive information. The companies claimed to be based in the US, Singapore, and Japan, but their website domains, contact details, and other indicators showed they were controlled by Chinese entities. FDD's investigation started with suspicious job listings and traced the firms to a legitimate Chinese company, Smiao. Shared IP addresses and common email hosting services further confirmed the firms' Chinese origin. The operation increases the risk that sensitive US information reaches foreign intelligence through deceptive employment offers. | Details |
| 2025-05-16 22:56:33 | theregister | DATA BREACH | U.S. Agency Withdraws Proposed Rules on Data Broker Regulation | The Consumer Financial Protection Bureau (CFPB) has withdrawn a Biden-era proposed rule that would have classified certain data brokers as consumer reporting agencies and subjected them to stricter data-handling requirements. The rule aimed to improve transparency and accuracy among data brokers and to protect Americans' sensitive information from unauthorized sale and use. Reclassified brokers could have sold data only for legitimate screening purposes such as credit checks; marketing uses would have been explicitly excluded. The CFPB said the rulemaking is not necessary at this time and that it will take no further action on the proposal. Privacy concerns persist: app developers and telecommunications firms have been reported to harvest large amounts of personal data for sale to data brokers. Last year, major U.S. telecom operators were fined heavily for sharing subscribers' location data without authorization. The withdrawal leaves large personal-data collections open to misuse, with implications for both financial fraud and national security. It may also signal a broader shift in regulatory priorities, or an inability to address privacy risks in today's data-exchange practices. | Details |
| 2025-05-16 15:39:07 | theregister | MISCELLANEOUS | DEF CON Wins Defamation Lawsuit, Focuses on Attendee Safety | A Seattle court dismissed with prejudice the defamation lawsuit that Christopher Hadnagy, a former conference participant, had brought against DEF CON. Dismissal with prejudice means Hadnagy cannot refile the claim, a significant legal win for DEF CON. The court found that Hadnagy had not shown the statements about him to be false, which is decisive because truth is a defense to defamation. The statements concerned allegations of inappropriate behavior and harassment, including specific claims about his conduct toward female colleagues. DEF CON's reasons for banning Hadnagy were supported by multiple accounts and laid out in a transparency report, although not every fact was fully documented during the proceedings. Despite conflicting testimony and procedural questions, the court treated the core allegations as truthful, so DEF CON did not need to have gathered detailed evidence before imposing the ban. DEF CON said on social media that the ruling supports its commitment to protecting attendees and encouraging reports of misconduct. Hadnagy expressed dissatisfaction with the decision, characterizing the dispute as an escalated workplace conflict rather than sexual misconduct. | Details |
| 2025-05-16 15:28:45 | bleepingcomputer | MISCELLANEOUS | Hackers Showcase Skills, Exploit Zero-Days in Pwn2Own Berlin 2025 | On the second day of Pwn2Own Berlin 2025, contestants earned $435,000 by exploiting zero-day vulnerabilities in enterprise products. Highlights included Nguyen Hoang Thach of STARLabs SG, who compromised VMware ESXi for $150,000, and Dinh Ho Anh Khoa of Viettel Cyber Security, who broke into Microsoft SharePoint for $100,000. Other successful entries targeted Mozilla Firefox, Red Hat Enterprise Linux, and Oracle VirtualBox with further zero-day exploits. The contest added an AI category for the first time, with successful exploits against Redis and Nvidia's Triton Inference Server. The event runs alongside the OffensiveCon conference from May 15 to May 17 and targets fully patched products across categories including AI, web browsers, virtualization, and more. More than $1,000,000 in rewards is on offer, and Tesla vehicles are on the target list, although no Tesla attempts had been registered at the time of writing. Vendors receive the vulnerability details after the contest and have 90 days to release patches before Trend Micro's Zero Day Initiative publishes them. | Details |
| 2025-05-16 15:01:44 | bleepingcomputer | MALWARE | Printer Company Distributes Malware-Infected Software Globally | Procolored, a printer manufacturer, unknowingly distributed malware-laced drivers and software for at least six months. Security software flagged a remote access trojan (RAT) and cryptocurrency-stealing malware in Procolored software downloaded from the company's website. The infected downloads, covering six printer models, were hosted on the file-sharing service Mega.nz. Security firm G Data confirmed the malware and found that the cryptocurrency stealer had collected nearly $1 million in cryptocurrency. Procolored initially dismissed the detections as false positives but later acknowledged that an infected USB drive may have been used to upload the files. The company then removed all software from its site, ran a thorough malware check, and re-uploaded clean versions. It advises customers to install the updated software and run full system scans to remove any remaining traces of the malware. Even so, Procolored's communication to customers about the incident's impact remains unclear. | Details |
| 2025-05-16 14:08:30 | bleepingcomputer | MALWARE | Rising Use of Skitnet Malware by Ransomware Gangs in Cyberattacks | Skitnet, also known as "Bossnet," is increasingly used by ransomware gangs for post-exploitation activity inside breached networks. It has been sold on the RAMP underground forum since April 2024, and its adoption among criminals rose sharply in early 2025. Prodaft researchers have observed it in real-world attacks by BlackBasta, delivered through Microsoft Teams phishing campaigns, and by other groups such as Cactus. Skitnet uses a Rust-based loader that decrypts and runs a Nim binary, which then establishes a DNS-based reverse shell for command and control. The malware can carry out C2 communication and command execution over either HTTP or DNS, which improves its stealth and resilience. It can also execute PowerShell scripts in memory through a .NET loader, allowing deeper and more customized follow-on actions. Some criminal groups prefer off-the-shelf tools like Skitnet because they are cheap, quick to deploy, and make attribution to a specific actor harder. Prodaft has published indicators of compromise (IoCs) for Skitnet on its GitHub page to help defenders. | Details |
| 2025-05-16 13:36:48 | theregister | DATA BREACH | Broadcom Employee Data Exposed in Ransomware Attack on ADP Subsidiary | A ransomware attack on Business Systems House (BSH), a Middle East subsidiary of payroll provider ADP, led to the theft of Broadcom employee data. The attack took place in September 2024 and the stolen data surfaced online in December, but Broadcom was not informed until May 2025. Broadcom was already in the process of moving its payroll away from ADP/BSH when the incident occurred. The El Dorado ransomware group, believed to be linked to the Russian-speaking BlackLock group, claimed responsibility. The breach affected a limited number of ADP clients in certain Middle East countries; ADP confirmed that its own systems were not affected. The leaked personal data is unstructured, which makes it hard to determine exactly which employees and which data fields were exposed. Local law enforcement and data protection authorities have been notified, and work to harden BSH's security environment is under way. Broadcom advised affected individuals to enable multi-factor authentication on their accounts and to monitor their financial records closely. | Details |
| 2025-05-16 11:37:37 | thehackernews | DDOS | HTTPBot Botnet Targets Gaming, Tech with Precision DDoS Attacks | HTTPBot is a new botnet malware that has been targeting the gaming and technology sectors, chiefly in China. It runs on Windows and uses HTTP-based distributed denial-of-service (DDoS) attacks aimed at specific targets. Through dynamic feature obfuscation and HTTP flood attacks, it evades traditional rule-based detection. Since April 2025, HTTPBot has issued more than 200 precise attack commands against business-critical endpoints, in particular game login and payment interfaces. It hides its graphical user interface and modifies the Windows Registry so that it runs at system startup. Bots receive instructions from a command-and-control server and then launch high volumes of HTTP requests to disrupt specific operations. Rather than relying on raw traffic volume, HTTPBot ties up server resources with complex URL paths and cookie handling, which sets it apart from typical volumetric DDoS. Its emergence marks a shift in DDoS tactics from broad traffic disruption to targeted disruption of business functions. | Details |
| 2025-05-16 11:20:00 | theregister | MISCELLANEOUS | Atos Unveils Strategic Overhaul with Focus on AI and Efficiency | French IT firm Atos has announced a transformation plan, named "Genesis," that aims for sustainable growth and an operating margin of 10% by 2028. The plan reorganizes the company into six new business lines, with an emphasis on AI, cybersecurity, and cloud services. Atos will shrink its global footprint, keeping a presence in strategic and profitable markets through six main regional hubs. Job cuts and increased offshoring are central to the cost reductions that accompany the resized structure and new business focus. The French state has expressed interest in buying Atos' Advanced Computing business, which would give the state a partial role in the company's future. Philippe Salle, the newly appointed CEO, represents the seventh leadership change in three years, a sign of continued instability at the top. Atos has also paused the sale of its Mission Critical Systems and Cybersecurity Products businesses, indicating a rethink of planned disposals. The company expects revenue to fall to €8.5 billion in 2025, which it attributes to the strategic changes and to reduced business activity until the restructuring is complete. | Details |
| 2025-05-16 10:31:29 | thehackernews | MISCELLANEOUS | Top Strategies to Enhance Organizational Data Protection | The article recommends: defining the organization's specific data-protection needs and desired outcomes before choosing tools; using AI-assisted automated data classification to identify sensitive information more accurately and efficiently; adopting a zero trust model with least-privilege access controls to limit unauthorized data access; centralizing Data Loss Prevention (DLP) so that detection and response are consistent across every platform; running regular compliance checks against applicable data-protection regulations to avoid legal penalties and reputational damage; handling Bring Your Own Device (BYOD) risk with browser isolation that blocks data extraction from unmanaged devices; continuously improving cloud security posture with SSPM and DSPM tools to catch misconfigurations before they lead to breaches; and investing in data security training tied into incident management to build a proactive data-protection culture. | Details |
| 2025-05-16 09:21:39 | thehackernews | MALWARE | New Intel CPU Security Flaws Enable Memory Leaks and Attack Exploits | Researchers at ETH Zürich have disclosed a new class of flaws in modern Intel CPUs, called Branch Privilege Injection (BPI), that lets an attacker leak sensitive data. The root cause is a Branch Predictor Race Condition (BPRC): branch-predictor updates are not synchronized with privilege-level switches, so an update made in one privilege domain can influence predictions in another, exposing information across privilege boundaries. The flaw affects all Intel processors and can expose cache contents and the working memory of other users on the same CPU. Intel has released microcode updates for the issue, which is tracked as CVE-2024-45332 with a CVSS v4 score of 5.7. Separately, researchers described self-training Spectre v2 attacks, also affecting Intel CPUs, that leak memory at high speed and break domain isolation. These hardware flaws enable user-to-user, guest-to-guest, and guest-to-host Spectre v2 attacks, reviving concerns first raised by the original Spectre disclosures. AMD, meanwhile, has updated its guidance on Spectre and Meltdown to highlight the risks of classic Berkeley Packet Filter (cBPF) use. | Details |
| 2025-05-16 09:11:22 | bleepingcomputer | CYBERCRIME | U.S. Indicts 12 in Massive $230 Million Cryptocurrency Heist | Twelve suspects have been charged in a RICO conspiracy involving more than $230 million in stolen cryptocurrency. The defendants allegedly broke into victims' cryptocurrency accounts and moved the funds to wallets they controlled. Their tactics included spoofing phone numbers and impersonating customer-support staff at Google and Gemini to obtain access to victims' private keys. The proceeds were laundered through a web of cryptocurrency exchanges, mixing services, and virtual private networks. Most of the funds were converted to Monero to hide their origin, but the suspects made traceable mistakes along the way. The money paid for luxury cars, high-end watches, and extravagant nightclub parties. The defendants face charges including wire fraud, money laundering, and obstruction of justice. | Details |
| 2025-05-16 09:04:39 | theregister | CYBERCRIME | Rising AI-Driven Cyber Threats Challenge Global Security Leaders | A Darktrace report finds that 74% of cybersecurity professionals worldwide already see AI-driven attacks as a serious challenge to their defenses. AI is increasingly used in attacks, including more convincing phishing and malware, which demands an equally capable AI-augmented response from defenders. AI-based social engineering attacks rose 135% in 2023, coinciding with the arrival of ChatGPT and similar tools. Many organizations feel underprepared because of a significant cybersecurity skills shortage; 45% of respondents voiced concerns about their readiness. Most companies are focused on using AI to speed up and streamline their security response, with 95% recognizing AI's potential benefits. 88% prefer an integrated, AI-driven security platform over isolated point solutions, aiming for comprehensive and preventive defense. The study also finds a knowledge gap: only 42% of professionals fully understand which types of AI models are used in their security tooling. | Details |
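As an added worked example for the Skitnet item above (editor's code, not Prodaft's, and carrying no Skitnet indicators), the following Python script runs a DNS-tunnel heuristic over a constructed DNS query log. A DNS reverse shell has to encode its data in the query names it sends, so a domain that receives many never-repeated, long, high-entropy subdomains stands out from ordinary name resolution. The log format, the sample lines, the function names and the thresholds are all assumptions made for this example.

```python
"""Heuristic detector for DNS-based command-and-control traffic.

Added example for the Skitnet item: not Prodaft's code, and it carries no
Skitnet indicators. A DNS reverse shell has to smuggle data through the
query names it sends, so per registrable domain we measure the share of
never-repeated subdomains, the average subdomain length and the character
entropy. The log format ("<timestamp> <client> <qtype> <qname>"), every
sample line and the thresholds below are constructed for this example.
"""
import math
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)

# Constructed benign traffic: a few hosts under two domains, queried repeatedly.
_BENIGN = """\
2025-05-16T10:00:01Z 10.0.0.5 A www.example.com
2025-05-16T10:00:02Z 10.0.0.5 A www.example.com
2025-05-16T10:00:03Z 10.0.0.6 A mail.example.com
2025-05-16T10:00:04Z 10.0.0.6 AAAA www.example.com
2025-05-16T10:00:05Z 10.0.0.5 A cdn.example.net
2025-05-16T10:00:06Z 10.0.0.8 A cdn.example.net
2025-05-16T10:00:07Z 10.0.0.8 A www.example.com
2025-05-16T10:00:08Z 10.0.0.6 A example.com
"""
# Constructed beacon traffic: one client sends ten TXT queries whose leftmost
# label is a 32-character hex blob (each hex digit exactly twice, so its
# entropy is exactly 4.0 bits); rotating the blob gives ten distinct labels.
_BLOB = "0a1b2c3d4e5f6789f9e8d7c6b5a43210"
_SUSPICIOUS = [
    f"2025-05-16T10:0{i}:00Z 10.0.0.7 TXT {_BLOB[i:] + _BLOB[:i]}.c2-example.test"
    for i in range(10)
]
DNS_LOG_LINES = _BENIGN.splitlines() + _SUSPICIOUS


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str) -> tuple:
    """Return (registrable_domain, subdomain). Assumes the registrable domain
    is the last two labels; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze_dns(lines, min_queries=5, min_unique_ratio=0.8, min_avg_len=20, min_entropy=3.0):
    """Aggregate queries per registrable domain; return {domain: stats} with a 'flagged' key."""
    per = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0, "clients": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        domain, sub = split_qname(m["qname"])
        d = per[domain]
        d["n"] += 1
        d["subs"].add(sub)
        d["len"] += len(sub)
        d["ent"] += shannon_entropy(sub.replace(".", ""))
        if m["qtype"] == "TXT":
            d["txt"] += 1
        d["clients"].add(m["client"])
    report = {}
    for domain, d in per.items():
        n = d["n"]
        s = {
            "queries": n,
            "unique_ratio": len(d["subs"]) / n,  # distinct subdomains per query (1.0 = never repeated)
            "avg_sub_len": d["len"] / n,
            "avg_entropy": d["ent"] / n,
            "txt_share": d["txt"] / n,  # TXT answers carry the most data back; secondary signal only
            "clients": sorted(d["clients"]),
        }
        s["flagged"] = (n >= min_queries and s["unique_ratio"] >= min_unique_ratio
                        and s["avg_sub_len"] >= min_avg_len and s["avg_entropy"] >= min_entropy)
        report[domain] = s
    return report


def flagged_domains(lines, **thresholds):
    """Sorted list of domains whose query stream looks like encoded data."""
    return sorted(d for d, s in analyze_dns(lines, **thresholds).items() if s["flagged"])


if __name__ == "__main__":
    for domain, s in analyze_dns(DNS_LOG_LINES).items():
        print(f"{'FLAG' if s['flagged'] else '    '} {domain:18} n={s['queries']:3} "
              f"uniq={s['unique_ratio']:.2f} len={s['avg_sub_len']:5.1f} "
              f"H={s['avg_entropy']:.2f} txt={s['txt_share']:.2f} clients={s['clients']}")
```

Run as a script it prints one line per domain; only c2-example.test trips all four checks, while example.com (repeated short hostnames) and example.net (too few queries) do not. The thresholds are deliberately conservative so that CDN and cloud hostnames with hashed labels do not fire on length alone; tune them against your own baseline, and allow-list known tunnelling-style services such as security vendors' lookup domains.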
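As an added worked example for the HTTPBot item above (editor's code, not NSFOCUS's, and using no HTTPBot indicators), the following Python script scores web clients on the three traits the summary describes: burst rate within a short window, the share of requests aimed at login or payment endpoints, and how much the URL paths and cookies churn between requests. A fast crawler trips the rate check alone and is not flagged; only a client that trips all three is. The log format, the endpoint prefixes, the sample lines, the function names and the thresholds are assumptions made for this example.

```python
"""Sliding-window detector for targeted HTTP-flood traffic.

Added example for the HTTPBot item: not NSFOCUS's code, no HTTPBot indicators.
The log format ('<iso-time> <client> <method> <path> <status> "<cookie>"'),
the sensitive-endpoint prefixes and every sample line are constructed.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)
SENSITIVE_PREFIXES = ("/api/login", "/login", "/api/pay", "/checkout")  # assumed application layout
_BASE_TIME = 1747389600  # 2025-05-16T10:00:00Z, constructed


def _ts(offset: int) -> str:
    """ISO-8601 timestamp `offset` seconds after the constructed base time."""
    return datetime.fromtimestamp(_BASE_TIME + offset, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_log():
    """Two ordinary users, a fast but harmless crawler, and a login-flood bot."""
    lines = []
    for i in range(5):  # user A browses slowly, then logs in once
        lines.append(f'{_ts(i * 12)} 203.0.113.10 GET /products/{i} 200 "session=a1"')
    lines.append(f'{_ts(70)} 203.0.113.10 POST /api/login 200 "session=a1"')
    for i in range(3):  # user B reloads one page
        lines.append(f'{_ts(i * 20)} 203.0.113.11 GET /docs/start 200 "session=b2"')
    for i in range(30):  # crawler: 30 distinct static pages in 3 seconds, no cookie
        lines.append(f'{_ts(i // 10)} 198.51.100.5 GET /docs/page-{i} 200 ""')
    for i in range(30):  # bot: 30 login hits in 3 seconds, fresh query string and cookie each time
        tag = hashlib.sha256(f"bot-{i}".encode()).hexdigest()[:12]
        lines.append(f'{_ts(i // 10)} 192.0.2.44 POST /api/login?sid={tag}&r={i} 401 "session={tag}"')
    return lines


HTTP_LOG_LINES = build_sample_log()


def max_in_window(times, window):
    """Largest number of events inside any span of `window` seconds (two pointers)."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyze_http(lines, window=10, max_rate=25, min_sensitive_share=0.5, min_churn=0.8):
    """Per-client stats plus the reasons each check fired; 'flagged' needs all three."""
    per = defaultdict(lambda: {"times": [], "paths": set(), "cookies": set(), "sensitive": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        t = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        c = per[m["client"]]
        c["times"].append(t)
        c["paths"].add(m["path"])
        c["cookies"].add(m["cookie"])
        if urlsplit(m["path"]).path.startswith(SENSITIVE_PREFIXES):
            c["sensitive"] += 1
    report = {}
    for client, c in per.items():
        n = len(c["times"])
        s = {
            "requests": n,
            "peak_rate": max_in_window(c["times"], window),  # requests in the busiest `window` seconds
            "sensitive_share": c["sensitive"] / n,
            "path_churn": len(c["paths"]) / n,      # 1.0 = every request used a new path
            "cookie_churn": len(c["cookies"]) / n,  # 1.0 = every request used a new cookie
        }
        reasons = []
        if s["peak_rate"] >= max_rate:
            reasons.append("rate")
        if s["sensitive_share"] >= min_sensitive_share:
            reasons.append("targets-login/pay")
        if max(s["path_churn"], s["cookie_churn"]) >= min_churn:
            reasons.append("churn")
        s["reasons"] = reasons
        s["flagged"] = len(reasons) == 3
        report[client] = s
    return report


def flagged_clients(lines, **thresholds):
    """Sorted list of clients that tripped the rate, targeting and churn checks together."""
    return sorted(c for c, s in analyze_http(lines, **thresholds).items() if s["flagged"])


if __name__ == "__main__":
    for client, s in analyze_http(HTTP_LOG_LINES).items():
        print(f"{'FLAG' if s['flagged'] else '    '} {client:14} n={s['requests']:3} peak={s['peak_rate']:3}"
              f" login/pay={s['sensitive_share']:.2f} path-churn={s['path_churn']:.2f}"
              f" cookie-churn={s['cookie_churn']:.2f} reasons={s['reasons']}")
```

Run as a script it prints one line per client with the reasons that fired: the crawler shows "rate" and "churn" but is not flagged, while the bot shows all three. Requiring all three checks is what separates a login-flood from a busy legitimate client; a single-client source address is also an assumption, since a real botnet spreads the same pattern over many addresses, so in practice the same scoring is applied per endpoint as well as per client.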