Daily Brief

Total articles found: 12780
2025-05-05 00:01:55 | theregister | MISCELLANEOUS | Microsoft Phases Out Passwords, Embraces Biometric Passkeys
Microsoft announced on World Password Day that it is making passkeys the default for all new consumer accounts, promoting a passwordless sign-in environment. Passkeys, which rely on biometrics, PINs, or codes, are set to replace traditional passwords, improving both login security and user experience. Existing Microsoft users are urged to switch to passkeys through their account settings as the company begins to prioritize passwordless sign-in methods. The initiative is part of Microsoft's ongoing effort to eliminate passwords, which it considers less secure and less efficient than modern authentication technologies. In related news, Raytheon has settled federal charges for failing to meet cybersecurity regulations on defense contracts, agreeing to pay $8.4 million. Cybersecurity researchers have identified critical vulnerabilities in Apple's AirPlay protocol that potentially affect multiple devices and enable various attacks. E-commerce platforms face renewed threats from a six-year-old backdoor affecting software based on the Magento platform, impacting major global retailers. The FBI released a list of 42,000 defunct dark web phishing domains previously associated with the LabHost service, aiding cybersecurity professionals in threat analysis.
2025-05-04 18:54:02 | theregister | MISCELLANEOUS | RSAC Highlights: AI Trends, China, and North Korean IT Threats
Nearly 44,000 attendees converged on the RSAC cybersecurity conference in San Francisco, highlighting emerging technology trends. AI was a dominant theme, with warnings about the vulnerabilities introduced by "agentic AI," which grants operational autonomy to AI systems. The conference emphasized AI's potential both to enhance security and to be exploited for fraud, such as phishing and the creation of deceptive documents. China was repeatedly labeled the top cyber threat to America, with its AI advancements and participation in various cyber espionage activities being focal topics. North Korean IT workers infiltrating companies, including disguised attempts to penetrate Google, were a widely discussed topic, reflecting growing concern about this tactic. U.S. cybersecurity leadership presence at RSAC was reportedly lower than in previous years, amid discussions about federal budget cuts and their impact on public-private cooperation. The North Korean infiltration is recognized as a significant concern, underscored by real cases of detection and disclosure to affected companies.
2025-05-04 14:14:39 | bleepingcomputer | MALWARE | StealC Malware Version 2.2.4 Enhancements and Threats
StealC, an information stealer and malware downloader, has recently been updated to version 2.2.4, which includes several stealth and data theft upgrades. Originally launched on the dark web in 2023, StealC gained prominence for its effectiveness at stealing sensitive data and is available for a subscription of $200 per month. In its latest iteration, StealC has removed previous features such as anti-VM checks and DLL downloading, but has introduced significant enhancements, including mechanisms to bypass Chrome's cookie theft defenses. Version 2.2.4 enables expired cookie regeneration, facilitating unauthorized access to Google accounts. Recent deployments of StealC have been executed through Amadey, another malware loader, showing the variety of delivery methods used by cybercriminals. Zscaler's research and analysis highlight the ongoing evolution and active development of StealC, suggesting that removed features may be reintroduced in future updates. Recommended protection measures include avoiding the storage of sensitive information in browsers, using multi-factor authentication, and avoiding downloads from unreliable sources.
2025-05-04 12:47:01 | theregister | MISCELLANEOUS | Altman's Biometric Blockchain Initiative Launches in U.S. Stores
Altman's "Tools for Humanity" startup has launched retail stores across six U.S. cities, introducing biometric blockchain orbs for human verification. The initiative encourages users to verify their identity through iris scanning, providing proof of personhood via blockchain and offering cryptocurrency incentives. Concerns have been raised about privacy and data collection, following international scrutiny and legal action in several countries. World aims to mitigate online fraud by ensuring that online profiles used in gaming, dating, and social media are linked to genuine individuals. The process involves downloading an app and linking it with an orb for a biometric scan, which encrypts and converts the user's data into a unique identity token. Despite the controversy, there are plans for significant expansion in the U.S., with a goal of 7,500 orbs and partnerships targeting online social interactions. World announced partnerships for the use of biometric-based IDs with major platforms, including a Visa-backed debit card and Match.com in Japan.
2025-05-03 14:35:01 | thehackernews | MALWARE | Linux Malware Attack Targets Developers via Malicious Go Modules
Cybersecurity experts discovered three malicious Go modules designed to fetch destructive payloads that overwrite Linux system disks, rendering them unbootable. The modules check whether the system is Linux-based; if so, they execute a script that destroys all data on the primary disk by writing zeroes over it. This attack highlights the risk of supply chain attacks, in which trusted components are manipulated to deliver harmful outcomes. Additional compromised npm and PyPI packages were found attempting to steal cryptocurrency keys and exfiltrate data through trusted services such as Gmail. These packages set up covert channels for data theft, using Gmail SMTP and WebSocket connections to evade detection and maintain persistence. Over 6,800 downloads of the harmful packages were recorded, indicating significant exposure. Security recommendations for developers include verifying package authenticity, regularly auditing dependencies, and watching for unusual network traffic patterns to prevent similar attacks.
2025-05-03 14:16:43 | bleepingcomputer | MISCELLANEOUS | Microsoft Moves Authenticator Autofill Feature to Edge Browser
Microsoft will discontinue the password storage and autofill feature in the Authenticator app, transitioning it to Microsoft Edge by August 2025. The Authenticator app will continue to support multi-factor authentication but will end support for autofill and password management. Users must export their saved passwords from Authenticator to Microsoft Edge or another password manager by August 1, 2025, to avoid data loss. For continued autofill functionality, users must install Microsoft Edge and sync it with their Microsoft account. The password export steps consist of navigating to the Autofill settings in Authenticator and saving the exported file to a chosen location. Microsoft says the shift will centralize credential management and improve security by syncing passwords directly with users' Microsoft accounts. Payment information will not be migrated automatically and must be re-entered manually for security reasons. Microsoft reaffirms continued support for passkeys in Authenticator, emphasizing its commitment to multi-factor authentication security.
2025-05-03 09:36:23 | thehackernews | NATION STATE ACTIVITY | Iranian Hackers Exploit VPN Vulnerabilities in Multi-Year CNI Espionage
An Iranian threat group exploited VPN flaws to infiltrate Middle Eastern critical national infrastructure for nearly two years. The attack, attributed to the nation-state actor Lemon Sandstorm, involved extensive intelligence gathering and prepositioning within the network. FortiGuard Incident Response identified the attack as part of a long-term espionage campaign dating back to at least May 2023. Tools used by the attackers included open-source command-and-control frameworks and commodity malware, indicating preparedness for ransomware deployment. Lemon Sandstorm has previously targeted sectors such as aerospace and energy in multiple regions, including the U.S. and the Middle East. The breach allowed persistent internal access through chained proxies and custom malware, bypassing network segmentation. Despite comprehensive reconnaissance, there was no evidence of penetration into the Operational Technology (OT) network. Examination revealed possible unauthorized network access dating as far back as May 2021, highlighting deep-rooted security challenges.
2025-05-03 07:12:17 | thehackernews | MALWARE | Yemeni Hacker Charged for Global Black Kingdom Ransomware Attacks
The U.S. Department of Justice has charged a Yemeni national, Rami Khaled Ahmed, with deploying Black Kingdom ransomware against 1,500 systems, including businesses and healthcare facilities. The charges include conspiracy, damage to protected computers, and threats of further damage; Ahmed is alleged to still reside in Yemen. The ransomware encrypted data, or claimed to have stolen it, and demanded $10,000 in Bitcoin, with payments directed to a conspirator-controlled cryptocurrency address. The attacks exploited ProxyLogon, a Microsoft Exchange Server vulnerability previously associated with other ransomware campaigns. Despite its amateurish nature, Black Kingdom ransomware has been propagated effectively by exploiting security vulnerabilities. The broader ransomware landscape suggests a shift toward decentralized operations, with attackers adopting a "lone-wolf" strategy as sustained law enforcement pressure reduces traditional group activity. Despite a slight rise in companies opting to pay ransoms in early 2025, overall trends show a declining willingness to meet the demands, with 64% of organizations refusing to pay.
2025-05-02 19:53:21 | bleepingcomputer | CYBERCRIME | Co-op Data Theft Confirmed After DragonForce Ransomware Attack
Co-op reported a significant data theft affecting a large number of current and past members following a cybersecurity breach. Personal data including names and contact details was compromised; passwords and financial information were not accessed. Initial reports underestimated the impact; the incident was later confirmed to be a serious breach by DragonForce ransomware affiliates. The attack relied on social engineering to have an employee's password reset, after which the attackers accessed network data including Windows account password hashes. Co-op is now rebuilding its IT infrastructure and strengthening security measures with assistance from Microsoft DART and KPMG. The threat actors, identified as affiliates of the DragonForce ransomware operation, boast of stealing data on approximately 20 million people registered in Co-op’s membership program. They have also engaged directly with Co-op executives through Microsoft Teams, demonstrating the urgency and personalized approach of their extortion tactics. This ransomware-as-a-service operation threatens to publish stolen data if ransoms are not paid, significantly raising the stakes for affected organizations.
2025-05-02 18:16:26 | bleepingcomputer | CYBERCRIME | Multinational E-Commerce Giants Hit by Magento Backdoor Attack
A supply chain attack compromised 500 to 1,000 e-commerce stores by injecting backdoors into 21 Magento extensions. Extensions from Tigren, Meetanshi, and MGS were affected, including a prominent GoogleTagManager plugin by Weltpixel. The malicious code was hidden in licensing files, enabling attackers to take over admin functions and upload malicious PHP scripts. Sansec discovered that the compromised extensions had been planted as early as 2019 but were only activated in April 2025. The backdoors allow significant backend access, potentially enabling data theft, unauthorized admin account creation, and more. Sansec alerted the affected vendors: MGS did not respond, Tigren denied the breach, and Meetanshi acknowledged a server hack but not extension tampering. Sansec and BleepingComputer urge users of the impacted extensions to conduct thorough server scans and, where possible, restore systems from clean backups.
2025-05-02 16:09:22 | theregister | MALWARE | California Man Pleads Guilty to Malware Attack on Disney
A 25-year-old from California, Ryan Mitchell Kramer, has confessed to hacking Disney and stealing 1.1TB of data in an incident initially thought to be the work of Russian activists. Kramer is charged with illegally accessing a computer to obtain information and threatening to damage a protected computer. He faces up to ten years in prison under a plea agreement following his admission of guilt to the U.S. Department of Justice. The breach originated from a deceptive AI art generation app created by Kramer, which installed malware granting him remote access. Using stolen login credentials, Kramer infiltrated Disney’s Slack workspace, accessing thousands of channels and downloading sensitive information. He threatened an employee via email and Discord that he would leak personal data, and did so upon non-compliance, including sensitive banking and medical details. The incident prompted Disney to switch its communication platform from Slack to Microsoft Teams, affecting employee workflows. Kramer also admitted to similar offenses involving at least two other victims who downloaded his malware-infected software.
2025-05-02 15:09:02 | theregister | CYBERCRIME | Generative AI Transforms Spam, Heightens Global Phishing Risks
Generative AI has significantly improved the quality and localization of phishing and scam messages, reducing the spelling and grammatical errors that were once typical identifiers of spam. Scammers can now target non-English-speaking regions more effectively by crafting messages in local dialects, such as Québécois and European Portuguese, whose previous absence helped residents identify spam. The conversational capabilities of AI systems are making romance scams more effective by handling initial interactions before human scammers take over for financial exploitation. Real-time audio deepfakes are already being used to impersonate individuals in sensitive positions, misleading employees into revealing confidential information. Skepticism remains about the state of real-time video deepfakes, as truly convincing versions are not yet affordable or technologically feasible without significant investment, though this is expected to change within a few years. Future threats are anticipated to require strengthened personal verification processes to counter sophisticated AI-enabled scams and impersonation.
2025-05-02 14:39:22 | bleepingcomputer | MALWARE | U.S. Indicts Yemeni National for Ransomware Attacks on Exchange Servers
A 36-year-old Yemeni, Rami Khaled Ahmed, has been indicted for orchestrating 1,500 ransomware attacks on Microsoft Exchange servers worldwide. The malware deployed, known as Black Kingdom, demanded a $10,000 Bitcoin ransom for each attack. Victims included diverse U.S. entities such as medical billing companies, ski resorts, school districts, and health clinics. Black Kingdom ransomware exploited the ProxyLogon vulnerability in Microsoft Exchange servers to gain unauthorized access; this set of Exchange vulnerabilities was first identified and widely exploited in early 2021. In addition to the Exchange server attacks, Ahmed had previously targeted vulnerabilities in Pulse Secure VPN to breach networks. If convicted on all counts of conspiracy and causing intentional damage to protected computers, Ahmed faces up to 15 years in federal prison. He is currently believed to be residing in Yemen.
2025-05-02 14:03:20 | bleepingcomputer | CYBERCRIME | UK NCSC Alerts Retail Sectors to Rising Cyberattack Trends
The UK's National Cyber Security Centre (NCSC) has issued a warning about multiple cyberattacks on UK retail chains, calling the incidents a critical wake-up call for the sector. The attacks have affected prominent retailers including Harrods, Marks & Spencer, and the Co-operative Group, with varying impact on their operations and services. Harrods responded by restricting internet access, although it has not confirmed whether its systems were breached. The Co-op experienced disruptions that prompted it to disable VPN access, suggesting containment measures following a breach. Marks & Spencer suffered a ransomware attack that disrupted online ordering and contactless payment services, attributed to the Scattered Spider threat group deploying DragonForce ransomware. The NCSC is actively collaborating with the impacted organizations to understand the nature and consequences of these incidents. Advisory statements have been issued urging business leaders to follow the recommended cyber defense strategies available on the NCSC website to improve resilience against such threats.
2025-05-02 13:11:17 | theregister | MISCELLANEOUS | Three British Nationals Charged for Swatting in US and Canada
Three young men from the UK have been charged with making false emergency calls across the US and Canada, a practice known as swatting. The charges follow a joint effort between the FBI and Merseyside Police after a recent crackdown on politically motivated swatting incidents in the US. The individuals involved, Liam White, Dylan Ash, and Keiron Ellison, are accused of belonging to an online group that organized and carried out these fake emergency calls. Swatting incidents can provoke dangerous police responses; in a noted 2017 case, one led to the fatal shooting of an innocent man in Wichita, Kansas. This UK case reflects a growing effort to prosecute swatting under existing laws because of the significant dangers it poses. The FBI has also launched a public awareness campaign to educate the public on the reality and dangers of swatting, countering perceptions of it as a harmless prank. There is currently no specific legislation against swatting in the UK; those involved are typically charged with perverting the course of justice.