Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12779
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-10 06:55:15 | thehackernews | CYBERCRIME | Germany Seizes Crypto Exchange Operations, Confiscates Millions in Digital Assets | Germany's Federal Criminal Police Office (BKA) has shut down the eXch cryptocurrency exchange, accusing it of laundering over $1.9 billion since its 2014 inception.
The operation on April 30, 2025, led to the seizure of 8 terabytes of data and €34 million ($38.25 million) in various cryptocurrencies including Bitcoin, Ether, Litecoin, and Dash.
eXch was accessible via the clearnet and dark web, and reportedly lacked anti-money laundering safeguards, advertising this as a feature in the criminal underground economy.
Authorities said eXch's anonymous transactions made it well suited to concealing the flow of funds from illicit activity.
Some of the laundered funds included proceeds from the Bybit hack, with connections to North Korean threat actors.
Prior to the shutdown, eXch announced plans to cease operations following indications of an impending crackdown based on accusations of facilitating money laundering and terrorism.
The Dutch Fiscal Information and Investigation Service (FIOD) is further investigating individuals linked to the exchange for money laundering and other illegal activities, emphasizing the operation's intent to combat crime, not infringe on privacy rights. | Details |
| 2025-05-10 06:55:15 | thehackernews | DATA BREACH | Google Agrees to $1.375 Billion Settlement with Texas Over Privacy Violations | Google settles two lawsuits with Texas for $1.375 billion over unauthorized tracking and biometric data collection.
The settlement addresses Google's tracking of personal location and facial recognition data without users' consent.
This payment surpasses previous settlements Google made with other U.S. states, including a $391 million payout to 40 states.
The original allegations included tracking users' geolocation even when Location History was disabled, tracking searches made in Incognito mode, and collecting biometric data without consent.
The Texas Attorney General described the settlement as a major win for privacy and a warning to other companies that abuse users' trust.
Google has introduced local storage of Maps Timeline data and other privacy measures to auto-delete location history.
Google's practices continue to draw global regulatory scrutiny with concerns over antitrust issues.
Similar to Google's case, Meta paid $1.4 billion to Texas resolving claims of illegal biometric data collection. | Details |
| 2025-05-09 18:53:52 | bleepingcomputer | DATA BREACH | Ascension Data Breach Impacts Over 430,000 Patients' Sensitive Info | Ascension reported a significant data breach affecting personal and healthcare information of over 430,000 patients.
The breach originated from a former business partner's system, compromised through a vulnerability in third-party software.
Exposed data includes personal health details like physician's name, diagnosis, and billing codes, as well as personal identifiers such as SSNs and insurance information.
Ascension offers two years of free identity monitoring services, including credit monitoring and identity theft restoration to affected individuals.
The incident aligns with the wave of Clop data-theft attacks that exploited a zero-day flaw in Cleo managed file transfer software.
Separately, Ascension suffered a ransomware attack in May 2024 that affected almost 5.6 million people and severely disrupted clinical and operational activities.
During that 2024 incident the healthcare provider had to revert to manual record keeping and curtail some medical services to limit the impact. | Details |
| 2025-05-09 17:53:20 | bleepingcomputer | CYBERCRIME | Global Law Enforcement Dismantles Router-Based Botnet and Proxy Service | Law enforcement has disrupted a botnet, and the two proxy services built on it, that operated for over 20 years; four individuals from Russia and Kazakhstan have been indicted.
The botnet, sold through the Anyproxy and 5socks services, compromised thousands of end-of-life routers worldwide and turned them into residential proxies.
Access was sold on a subscription basis, and the operation reportedly took in more than $46 million.
Operation Moonlander involved cooperation between the U.S. Justice Department, Royal Thai Police, Dutch National Police, and others, demonstrating significant international collaboration.
The U.S. Justice Department highlighted that the networks leveraged by cybercriminals helped anonymize activities such as cyber-for-hire offenses and cryptocurrency theft.
The FBI has issued an advisory about the botnet, which infects outdated routers with TheMoon malware, urging owners to replace end-of-life devices or, failing that, to update them and disable remote administration.
The dismantlement of the botnet and the arrests have been a crucial step in mitigating a longstanding global cybersecurity threat. | Details |
| 2025-05-09 17:53:20 | bleepingcomputer | CYBERCRIME | Google Chrome Integrates AI to Block Tech Support Scams | Google has announced a new security feature for Chrome, utilizing the built-in AI 'Gemini Nano' to detect tech support scams.
The AI model operates directly within the browser, analyzing web page content for scam indicators such as fake virus alerts and full-screen lockouts.
This functionality will be part of Chrome's 'Enhanced Protection' mode and works by analyzing data locally on the user's device to protect privacy and ensure minimal performance impact.
Confirmed scams will trigger a warning to the user, with suspicious site data being further assessed by Google's Safe Browsing service.
Google emphasizes the AI feature's design to conserve resources, using throttling and quota enforcement mechanisms to limit GPU usage.
Chrome 137, which will include this feature, is set to release next week and will activate by default for users who opt into 'Enhanced Protection.'
Google plans to extend detection to other scam types, and a similar feature is planned for Chrome on Android later in 2025.
The initiative follows Microsoft's rollout of a similar on-device anti-scam AI feature in its Edge browser, part of a growing trend of using local machine learning models for web security. | Details |
| 2025-05-09 17:36:12 | theregister | DATA BREACH | Insight Partners Hit by Data Breach, Sensitive Financial Data at Risk | Insight Partners reported a data breach potentially exposing financial and personal information.
Miscreants used a sophisticated social engineering attack to gain access to the company's servers.
The intrusion was detected on January 16; third-party investigators are still assessing what data was accessed.
Compromised data may include banking, tax, and personal information of employees and partners.
The breach could facilitate business email compromise (BEC) scams, leveraging stolen data.
Insight Partners has advised all affected parties to enhance security measures like changing passwords and using multi-factor authentication.
The breach highlights the growing risk of scams aided by technologies such as AI deepfakes. | Details |
| 2025-05-09 16:33:17 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Escalate Attacks with Updated Malware | North Korean threat actors have enhanced the OtterCookie malware to steal credentials from web browsers and MetaMask, now including VM detection capabilities.
Versions v3 and v4 of OtterCookie were released in February and April 2025, respectively, adding features to exfiltrate various file types and browser data.
The malware is distributed through malicious npm packages, tampered GitHub or Bitbucket repositories, and deceptive software like fake videoconferencing apps.
OtterCookie v4 specifically targets Google Chrome and MetaMask credentials, and can determine if it's running in a virtual machine environment.
The malware is part of the "Contagious Interview" campaign attributed to the Lazarus Group, a North Korean state-backed collective known for both espionage and financial theft.
Researchers from NTT and other cybersecurity firms observed sophisticated tactics, including the use of deceptive applications and updated stealer modules.
The recent escalation in North Korea’s cyber activities coincides with increased targeting of European and Asian firms by fraudulent North Korean IT workers aiming to infiltrate and exfiltrate funds. | Details |
| 2025-05-09 16:33:17 | thehackernews | CYBERCRIME | U.S. and Dutch Authorities Dismantle $46M IoT Botnet Operation | Dutch and U.S. law enforcement agencies collaborated to dismantle a botnet of some 7,000 compromised IoT and end-of-life (EoL) devices.
Russian and Kazakhstani nationals were charged for operating proxy services via the botnet, profiting over $46 million from subscription fees.
The botnet, active since 2004, provided anonymity for cybercriminals conducting various illegal activities, including ad fraud and DDoS attacks.
The proxy services were sold on anyproxy.net and 5socks.net, offering daily access to thousands of proxies worldwide for a fee in cryptocurrency.
The botnet devices were infected using TheMoon malware, targeting a range of vulnerabilities predominantly in end-of-life devices.
Lumen Technologies' Black Lotus Labs discovered that most botnet control commands were communicated from servers based in Turkey.
FBI and Lumen Technologies issued recommendations for mitigating risks posed by such botnets, including regular router reboots and updates.
The operation highlights ongoing challenges and threats posed by compromised IoT devices and outdated technology in global cybersecurity. | Details |
| 2025-05-09 16:24:32 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hackers Exploit SAP NetWeaver for Unauthorized Access | Chinese hackers targeted SAP NetWeaver servers, exploiting a severe vulnerability (CVE-2025-31324) allowing unauthenticated file uploads and remote code execution.
SAP issued an emergency patch for the flaw on April 24 after initial detections of exploitation attempts by cybersecurity firm ReliaQuest.
Attackers uploaded malicious JSP web shells and used the Brute Ratel post-exploitation framework on servers that were fully patched at the time, indicating the flaw was exploited as a zero-day before a fix was available.
Other cybersecurity firms including watchTowr, Onapsis, and Mandiant confirmed repeated exploitation and the uploading of web shell backdoors on vulnerable systems.
Onapsis reported detection of reconnaissance activity and payload testing since January 20, with active exploitation from February 10.
The Shadowserver Foundation is currently monitoring 204 exposed SAP NetWeaver servers that are susceptible to this exploit.
Recent attacks from IP addresses linked to Chinese cloud providers utilized self-signed certificates mimicking Cloudflare.
U.S. cybersecurity agency CISA added the security flaw to its Known Exploited Vulnerabilities Catalog, mandating federal agencies to secure their systems by May 20. | Details |
| 2025-05-09 15:11:42 | bleepingcomputer | CYBERCRIME | Germany Seizes eXch Crypto Exchange in Major Money Laundering Crackdown | German Federal Police (BKA) seized server infrastructure of the 'eXch' cryptocurrency exchange platform, citing money laundering violations.
This operation involved confiscating eight terabytes of data and cryptocurrencies including Bitcoin, Ether, Litecoin, and Dash valued at approximately $38 million.
The platform allegedly failed to adhere to 'know-your-customer' regulations, facilitating laundering activities for cybercrime syndicates.
Authorities highlight that nearly $1.9 billion in cryptocurrencies transacted through eXch may be linked to criminal activities, including a portion from the Bybit hack.
The Bybit exchange was reportedly hacked by the North Korean group 'Lazarus', which is believed to have used eXch to launder part of the stolen funds.
eXch had announced it would shut down on May 1, 2025; seizing its infrastructure before then preserves data that will help investigators trace stolen funds and identify the cybercriminals involved.
BKA's swift action post-announcement of eXch's closure underscores a significant stride against commercial money laundering and illegal online platforms. | Details |
| 2025-05-09 12:38:13 | theregister | NATION STATE ACTIVITY | openSUSE Drops Deepin Desktop Due to Security Concerns | SUSE's security team has removed the Deepin Desktop Environment (DDE) from its openSUSE distribution citing multiple security vulnerabilities and poor coding practices.
This decision coincides with the recent beta release of openSUSE Leap 16, featuring drastic changes in its desktop environment offerings.
DDE, developed by the Chinese company Uniontech, is visually polished, but SUSE's review found significant security flaws, including insecure D-Bus interfaces and Polkit authorization handling that could be abused for local privilege escalation.
SUSE engineers were dissatisfied with the responses and code improvements from DDE developers when concerns were raised.
Despite the removal, the repository for the DDE will remain accessible for manual addition by users who still wish to use it.
The article notes that other Chinese-developed desktop environments, such as UKUI, show a level of polish that competes with Western free software offerings.
The transition from traditional system administration tools in openSUSE to modern alternatives like the Cockpit web-based management interface and Myrlyn graphical package manager reflects broader industry trends toward simplified systems management. | Details |
| 2025-05-09 11:40:42 | thehackernews | CYBERCRIME | Initial Access Brokers Abuse RMM Software to Target Brazilian Execs | Cybersecurity experts have identified a new cybercrime campaign targeting Portuguese-speaking executives in Brazil, leveraging RMM software trials since January 2025.
The attacks begin with phishing emails posing as messages from financial institutions or mobile carriers, using Brazil's NF-e electronic invoicing system as the lure.
The emails carry Dropbox links that trick victims into installing trial versions of legitimate RMM tools such as N-able RMM Remote Access and PDQ Connect, giving the attackers remote file access.
Post initial compromise, attackers can further install secondary RMM software, such as ScreenConnect, to maintain and expand their control over the victim's systems.
Predominantly, C-level executives and departments like finance and human resources across various sectors, including education and government, are being targeted.
By abusing free RMM trials, initial access brokers obtain a legitimately signed, vendor-hosted remote-control agent that is less likely to be flagged by security tools than custom malware.
N-able has responded by disabling the compromised trial accounts associated with this scheme.
The situation highlights ongoing challenges in detecting and preventing phishing campaigns despite advancements in cybersecurity defenses. | Details |
| 2025-05-09 11:14:34 | thehackernews | MISCELLANEOUS | Ensuring Security When Deploying AI Agents in Business | AI agents are increasingly integral to business operations, enhancing user experiences and task automation.
The use of AI agents poses significant security risks including data leaks and identity theft.
Vulnerable AI systems can be exploited for information theft, misinformation spread, or unauthorized system control.
Michelle Agroskin, from Auth0, will host a webinar titled "Building AI Agents Securely" to address AI security strategies.
The webinar aims to provide practical, actionable security measures for businesses utilizing AI technology.
The session is designed to be practical and beneficial for both new and existing AI deployments.
Registration for the webinar is currently open and free for all participants. | Details |
| 2025-05-09 11:05:21 | thehackernews | MALWARE | Malicious npm Packages Attack Cursor Users, Steal Credentials | Cybersecurity researchers have identified three malicious npm packages targeting Apple macOS users of the Cursor code editor.
The packages, posing as developer tools for the Cursor API, overwrite Cursor's main files and disable updates to persist on the system.
Over 3,200 downloads have been reported, with the packages designed to steal user credentials and deploy further malicious payloads.
The packages lure developers interested in AI coding tools by advertising cheap access to the Cursor API.
Once installed, they harvest the user's Cursor credentials, fetch an encrypted payload from an attacker-controlled server, and overwrite Cursor's own files with it, giving the attacker arbitrary code execution inside the editor.
The discovery is part of a broader observation of npm package attacks, including other npm packages targeting cryptocurrency data.
The security breach reflects an ongoing issue with software supply chain attacks, potentially affecting a wide range of users and applications. | Details |
| 2025-05-09 10:05:21 | thehackernews | MISCELLANEOUS | Navigating Complexities of Modern Vulnerability Management | The Vulnerability Operation Center (VOC) identified over 1.3 million unique security findings across 68,500 assets, highlighting the scale of vulnerabilities.
A significant portion of these findings are CVEs, many of which remain unaddressed due to the volume and reactive nature of current vulnerability management practices.
The CVE system, underpinned by entities like MITRE and NIST, has faced constraints such as backlogs and bureaucratic delays, affecting the timely updating and enrichment of the CVE data.
The DHS contract funding MITRE's administration of the CVE program came within a day of lapsing in April 2025 before CISA granted an 11-month extension, leaving uncertainty about the program's future administration and effectiveness.
The Exploit Prediction Scoring System (EPSS), developed by FIRST, estimates the probability that a vulnerability will be exploited in the wild within the next 30 days, allowing teams to prioritize the findings most likely to be attacked rather than working through CVSS scores alone.
Despite attempts at efficient vulnerability management, the challenge lies in the large scale and unpredictable nature of CVE discoveries and exploitations.
The article advocates for a shift from reactive vulnerability management to a more dynamic and strategic approach focused on threat mitigation and risk reduction.
A renewed focus on designing and implementing resilient system architectures and baselines is recommended to manage vulnerabilities more efficiently and effectively. | Details |
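A worked example of the risk-based prioritization the vulnerability management item above argues for, combining EPSS probability, KEV membership, CVSS severity and asset exposure into one ranking and contrasting it with a CVSS-only ordering. This is an added example, not code from the article, from FIRST or CISA, or from any VOC product; the `Finding` fields, the weighting, the tier thresholds and all sample values (including the EPSS probability assumed for CVE-2025-31324, which is the SAP NetWeaver flaw covered above) are constructed for illustration.

```python
"""Rank vulnerability findings by exploitation likelihood rather than CVSS alone.

Added example, not code from the article or from FIRST/CISA. The scoring
weights and tier thresholds are assumptions; the EPSS probabilities, KEV
flags and exposure values in SAMPLE_FINDINGS are constructed sample data,
not values from a live feed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    cvss: float            # CVSS base score, 0.0-10.0 (severity / impact)
    epss: float            # EPSS probability of exploitation in the next 30 days, 0.0-1.0
    kev: bool              # True if listed in CISA's Known Exploited Vulnerabilities catalog
    internet_facing: bool  # True if the affected asset is reachable from the Internet


def priority_score(f: Finding) -> float:
    """Score 0-100 as likelihood x impact x exposure.

    A KEV entry is already being exploited, so its likelihood is taken as 1.0
    regardless of EPSS. Internal-only assets are discounted by half because an
    attacker first needs a foothold to reach them (assumed weighting).
    """
    likelihood = 1.0 if f.kev else f.epss
    impact = f.cvss / 10.0
    exposure = 1.0 if f.internet_facing else 0.5
    return round(100.0 * likelihood * impact * exposure, 2)


def triage_tier(score: float) -> str:
    """Map a priority score onto SLA buckets (thresholds are an assumption)."""
    if score >= 50:
        return "P1"   # patch or mitigate now
    if score >= 10:
        return "P2"   # this sprint
    if score >= 1:
        return "P3"   # next maintenance window
    return "P4"       # backlog, accept with monitoring


def rank_findings(findings):
    """Return (finding_id, score, tier) tuples, highest priority first."""
    scored = []
    for f in findings:
        score = priority_score(f)
        scored.append((f.finding_id, score, triage_tier(score)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


def rank_by_cvss(findings):
    """The naive severity-only ordering, for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample data. CVE-2025-31324 is the SAP NetWeaver flaw from the brief
# (CVSS 10.0, in KEV); its EPSS value here is assumed, not looked up. The F-000x
# entries are fictitious findings, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("CVE-2025-31324", cvss=10.0, epss=0.65, kev=True, internet_facing=True),
    Finding("F-0002", cvss=9.8, epss=0.02, kev=False, internet_facing=False),
    Finding("F-0003", cvss=6.5, epss=0.40, kev=False, internet_facing=True),
    Finding("F-0004", cvss=7.5, epss=0.002, kev=False, internet_facing=True),
]


if __name__ == "__main__":
    print("CVSS-only order :", [f.finding_id for f in rank_by_cvss(SAMPLE_FINDINGS)])
    print("Risk-based order:")
    for finding_id, score, tier in rank_findings(SAMPLE_FINDINGS):
        print(f"  {tier} {score:6.2f}  {finding_id}")
```

The point of the comparison is the second sample finding: a CVSS 9.8 vulnerability on an internal host with a 2% EPSS probability ranks second under CVSS but drops to the backlog once likelihood and exposure are taken into account, while a medium-severity flaw on an Internet-facing asset with a 40% EPSS probability moves up to P2. In practice the EPSS and KEV inputs would be refreshed daily from FIRST's and CISA's published feeds rather than hard-coded.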