Daily Brief

2025-05-08 10:37:45 thehackernews NATION STATE ACTIVITY MirrorFace Ramps Up Cyber Espionage in Japan and Taiwan
MirrorFace, associated with China's APT10, has escalated cyber attacks on Japanese and Taiwanese government and public entities using ROAMINGMOUSE and updated ANEL malware. Spear-phishing emails, often sent from compromised legitimate accounts, deliver malware through embedded Microsoft OneDrive URLs that download malicious Excel documents and ZIP files. The updated ANEL backdoor can execute Beacon Object Files (BOFs) in memory, enhancing post-exploitation capabilities. The campaign may also use SharpHide to launch the NOOPDOOR backdoor in secondary attack stages. Attackers employ DNS-over-HTTPS (DoH) to disguise IP address lookups during command-and-control operations. The threat actors examine the victim's environment by taking screenshots, analyzing running processes, and gathering domain information. Security experts recommend that organizations with high-value assets adopt proactive security measures and remain vigilant to prevent cyber attacks.
2025-05-08 07:06:00 thehackernews NATION STATE ACTIVITY Russian Hackers Deploy LOSTKEYS Malware via Fake CAPTCHA
Russian-linked threat actor COLDRIVER has distributed new malware LOSTKEYS, primarily targeting Western government advisors, journalists, and NGOs using a deceptive social engineering tactic called ClickFix. This espionage-focused campaign leveraged a fake CAPTCHA site to trick victims into downloading the malware via PowerShell commands, noted for its highly selective deployment. LOSTKEYS capabilities include accessing and exfiltrating files from specified directories and extensions, gathering system information, and monitoring running processes. The malware was identified in multiple instances throughout January, March, and April 2025, with preliminary activities traced back to December 2023 involving artifacts resembling Maltego binaries. COLDRIVER, also known as Callisto, Star Blizzard, and UNC4057, has evolved from credential phishing to complex malware delivery, and strategically deploys malware to infiltrate specific high-value targets. The technique involves initial redirection to a decoy website posing a CAPTCHA challenge, misleading victims into executing a command that downloads subsequent malware payloads designed to evade detection in virtual environments. Additional context on the global rise of the ClickFix method revealed its adoption across various cybercriminal campaigns, including those distributing banking Trojans and information stealers, like in the cases of Lampion and Atomic Stealer.
2025-05-08 06:47:32 theregister MISCELLANEOUS Ubuntu 25.10 Defaults to Rust-Based sudo-rs for Enhanced Security
Ubuntu 25.10 will implement sudo-rs, a Rust-based version of the sudo command, as its default to enhance memory safety and reduce security vulnerabilities. Memory-safe programming languages like Rust are advocated by security experts and government bodies like CISA to prevent common bugs that lead to serious system vulnerabilities. The sudo-rs project, sparked by the Internet Security Research Group's Prossimo initiative and financially backed by AWS, aims to replace traditional C-based utilities with more secure Rust versions. Historical vulnerabilities in traditional sudo have included severe memory safety issues, demonstrating the need for the transition to a memory-safe language. Other core utilities beyond sudo are also being rewritten in Rust, with adoption in various security-focused Linux distributions and support from major stakeholders like AWS and Canonical. Canonical's switch to sudo-rs aligns with broader industry movements toward enhancing core system software resilience and security through memory-safe programming practices. The shift to Rust-written utilities like sudo-rs is seen as crucial for improving system security, despite the ongoing debate and resistance within parts of the open source community.
2025-05-08 04:58:23 thehackernews MALWARE Cisco Fixes Critical Flaw in IOS XE, Prevents Unauthorized Access
Cisco has patched a critical vulnerability in its IOS XE Wireless Controller software, identified as CVE-2025-20188. This flaw, rated 10.0 in severity on the CVSS scale, could allow unauthenticated remote attackers to execute arbitrary commands with root privileges. The vulnerability is due to a hard-coded JSON Web Token in the system, exploitable through crafted HTTPS requests. Affected devices must have the Out-of-Band AP Image Download feature enabled, which is disabled by default, to be vulnerable. Cisco urges users to update their systems or disable the Out-of-Band AP Image Download feature as temporary mitigation. The vulnerability was discovered internally by Cisco's Advanced Security Initiatives Group with no known malicious exploitation reported so far.
2025-05-08 00:49:50 theregister DATA BREACH PowerSchool's Ransom Payment Fails to Prevent Data Extortion
PowerSchool, an educational tech provider, paid ransom to delete stolen data of over 60 million K-12 students and teachers, aiming to prevent its public release. Despite paying the ransom, extortionists allegedly retained copies of sensitive data, including names, Social Security numbers, and medical information. The Toronto District School Board, along with other North American school districts, recently reported extortion attempts demanding ransoms based on the stolen data. PowerSchool initially believed the data was deleted by the ransomware group as per their agreement, but recent events indicate the data might still exist. The ongoing extortion impacts various school districts, creating significant concern and prompting investigations by law enforcement. PowerSchool is no longer considering ransom payments and has pledged to provide two years of credit monitoring for those affected by the breach. The situation highlights the risks and challenges associated with negotiating with cybercriminals, as they may not honor their commitments.
2025-05-08 00:13:53 bleepingcomputer DATA BREACH LockBit Ransomware Group Compromised, Internal Communications Leaked
The LockBit ransomware gang's dark web affiliate control panels were compromised and defaced. The defaced panels displayed a message and linked to a downloadable database dump from the MySQL affiliate panel. Analysis of the database shows details from 20 tables, including negotiation chats with last entries dated April 29th, 2025. The cause and perpetrator of the data breach remain unclear, though signs suggest similarities to another recent ransomware group breach. The server was found to be running a vulnerable version of PHP that allowed remote code execution. Despite a significant law enforcement operation in 2024 that weakened LockBit, the group managed to continue operations until this latest breach. It is uncertain whether this breach will permanently and critically impact LockBit's operational capabilities and reputation.
2025-05-07 23:33:59 theregister MISCELLANEOUS CrowdStrike Plans Job Cuts, Emphasizes AI to Drive Efficiency
CrowdStrike, a prominent cybersecurity firm, announced significant job cuts, amounting to around 500 positions or 5% of its workforce. CEO George Kurtz attributed the downsizing to an investment in artificial intelligence (AI) to enhance efficiency and speed up operations. Kurtz emphasized that AI is foundational to CrowdStrike's operations, aiming to flatten the hiring curve and expedite the development from idea to product. The use of AI could, however, introduce potential liabilities, including issues with generative AI producing errors, bias, or unreliable outputs as per the company's risk disclosures. CrowdStrike’s move is part of a larger trend where companies like Workday are also leveraging AI but facing related challenges and risks, including potential litigation related to AI usage. The implementation of AI is viewed as crucial for CrowdStrike to achieve its ambitious goal of reaching $10 billion in annual revenue. Economic uncertainties and potential tariffs also play a role in staffing decisions, as indicated by other firms like United Parcel Service making similar workforce reductions.
2025-05-07 18:36:45 theregister MISCELLANEOUS Delta Faces Class Action After CrowdStrike Software Failure
A federal judge has allowed parts of a class action lawsuit to proceed against Delta Air Lines, stemming from disruptions caused by a faulty CrowdStrike software update. The software issue, which occurred in July 2024, led to Delta cancelling over 4,500 flights, significantly more than other airlines affected by the same issue. Plaintiffs argue that Delta’s handling of refunds and compensation was inadequate, claiming the airline offered only partial reimbursements without clear conditions. Legal claims focus on alleged breach of contract for failing to refund and violations under the Montreal Convention, which governs international airline liability. Delta estimated its operational losses at approximately $500 million due to the outage but attempted to dismiss the lawsuit. The court's decision allows the lawsuit to continue on specific counts, emphasizing passengers' rights to seek accountability and proper compensation. Pre-trial discovery is set to proceed with a new joint report due by May 20.
2025-05-07 18:28:38 bleepingcomputer CYBERCRIME PowerSchool Hacker Extorts Schools Using Stolen Data
PowerSchool confirmed the hacker from their December 2024 breach is now extorting individual school districts, threatening to release stolen data unless paid. Although PowerSchool paid the ransom initially to protect its data from public exposure, the threat actor is contacting schools directly to extort them. The company has involved law enforcement in the U.S. and Canada and is assisting affected school districts. Stolen data includes sensitive information like SSNs, medical records, and personal contact details of students and teachers. PowerSchool is offering two years of free credit monitoring and identity protection for students and faculty to mitigate potential fraud and identity theft risks. Security experts criticize the decision to pay ransoms, as there's no assurance that threat actors will delete the stolen data as promised. This incident highlights the growing issue of threat actors reneging on ransom agreements, as seen in similar recent high-profile cases.
2025-05-07 18:03:26 bleepingcomputer CYBERCRIME CoGUI Phishing Campaign Targets Over 580 Million Emails Globally
The CoGUI phishing kit emerged as a major threat, sending over 580 million emails from January to April 2025 to steal credentials and payment data. Proofpoint researchers tracked the massive scale of operations, noting the unprecedented volume of phishing activity associated with CoGUI. The campaigns impersonated well-known brands and institutions such as Amazon, PayPal, and various banks, primarily targeting users in Japan. The attack methodology includes sending phishing emails with urgent prompts and directing users to fake websites only if they meet specific criteria such as location and device type. Users meeting the criteria are presented with fake login forms designed to harvest sensitive personal and financial information. Although initially linked to China-based operators similar to those behind the Darcula phishing kit, CoGUI has been determined to function independently, possibly supporting multiple Chinese cybercriminal entities. Apart from Japan, smaller campaigns have been observed in the United States, Canada, Australia, and New Zealand, with shifting tactics including smishing attempts in the U.S. Effective prevention includes cautious handling of urgent and unsolicited digital communications and verifying authenticity through direct, secure channels rather than email-provided links.
2025-05-07 17:42:23 theregister MISCELLANEOUS Extensive Data Collection in Popular Mobile Browsers Revealed
Surfshark's study reveals Google Chrome as the top data-collecting mobile browser, capturing 20 different types of user data including financial and location information. Safari, Chrome's closest competitor in terms of market share, also ranks high in data collection but includes fewer types than Chrome. The research highlights Bing app as another major collector, pulling 12 data types, while Safari and Firefox each collect 8 types. Specific data collections such as precise location tracking were unique to certain browsers like Bing, which also shares data for third-party advertising. Less popular browsers like Brave and Tor show significantly lower data collection, promoting user privacy with minimal data retrieval. The findings underscore the privacy implications of using dominant browsers and how they might use the significant data they collect, potentially for targeted advertising or selling to data brokers. Surfshark analyzed the privacy policies of these browsers as listed on the Apple App Store to compile their report.
2025-05-07 15:39:05 bleepingcomputer CYBERCRIME Critical Flaw in OttoKit Plugin Leads to Unauthorized Admin Access
Hackers are exploiting a critical vulnerability in the OttoKit WordPress plugin to create rogue admin accounts on websites. The flaw allows attackers to bypass authentication and gain administrative privileges using the plugin's API. OttoKit, impacting over 100,000 sites, is a key tool for automation and connecting websites to third-party services. The vulnerability was reported on April 11, 2025, and patched by April 21, 2025, with most users updated by April 24, 2025. Attackers targeted REST API endpoints, mimicking integration attempts to exploit the system, and subsequently created new admin accounts. Patchstack has issued a strong recommendation for users to update the plugin and check logs and settings for signs of compromise. This incident marks the second critical severity flaw exploited in OttoKit since April 2025, underlining ongoing security challenges.
2025-05-07 14:45:55 bleepingcomputer CYBERCRIME Play Ransomware Gang Exploits Zero-Day in Multi-Regional Attacks
The Play ransomware gang used a zero-day vulnerability in the Windows Common Log File System, tracked as CVE-2025-29824, to escalate to SYSTEM privileges. Microsoft detected and patched this vulnerability, revealing its exploitation in a limited set of attacks on sectors across multiple countries, including IT and real estate in the US, finance in Venezuela, software in Spain, and retail in Saudi Arabia. The RansomEXX gang was linked to the initial attacks, in which the PipeMagic malware was installed to facilitate ransomware deployment and file encryption. No ransomware was deployed in the intrusion on a U.S. organization studied by Symantec; however, the Grixba infostealer, linked to the Play ransomware group, was used. Play ransomware, active since June 2022, is known for double-extortion tactics, threatening victims with data exposure if ransoms aren't paid. The FBI, along with CISA and the ACSC, issued a warning about the Play ransomware gang after breaches affected approximately 300 organizations globally as of October 2023. High-profile victims of Play ransomware include Rackspace and Arnold Clark, indicating significant impacts on major corporations.
2025-05-07 14:05:25 bleepingcomputer MISCELLANEOUS How Universal 2nd Factor (U2F) Enhances Online Security
Universal 2nd Factor (U2F) introduces a physical device for two-factor authentication, improving login security beyond traditional passwords. Despite the strength of passwords, Verizon’s 2024 Data Breach Investigations Report indicates that stolen credentials are involved in approximately 31% of data breaches. The Specops Breached Password Report 2025 highlights that even complex passwords can be compromised, with many users still reusing passwords across multiple accounts. U2F devices work by creating a new cryptographic "key pair" that must correspond with the registered system to grant access, enhancing security significantly. Mainstream adoption faces challenges such as the cost of devices, though they are relatively inexpensive, and the need for user education on the new technology. Risks associated with losing the physical U2F device are comparable to misplacing common items like car keys, but losing the device doesn't compromise access due to the dual requirement of password and device. Passwords continue to provide foundational security benefits and remain essential alongside evolving technologies like U2F for effective cybersecurity strategies. Multi-factor authentication, including technologies like U2F, is becoming increasingly crucial for enhancing and complementing password-based online defenses.
2025-05-07 13:57:11 thehackernews DDOS Europol Dismantles DDoS Services and Arrests Operators
Europol announced the takedown of six DDoS-for-hire platforms used in thousands of global cyber-attacks. Four individuals were arrested by Polish authorities, and the US seized nine related domains. The dismantled DDoS services enabled attacks on schools, governments, and businesses for fees as low as EUR 10. These platforms had no technical entry barriers, offering user-friendly interfaces for orchestrating attacks. The seized services operated under names such as cfxapi, cfxsecurity, and quickdown, offering various subscription plans. Operation PowerOFF, with Dutch and German collaboration, targets the dismantling of DDoS-for-hire infrastructure and has resulted in previous arrests and service disruptions. Recent reports by cloud security firms identified a shift towards hybrid architectures in DDoS services, blending botnets with dedicated servers.