Daily Brief

Articles are listed below, each followed by a generated summary

Total articles found: 12594

Checks for new stories every ~15 minutes

2026-01-19 18:00:47 theregister CYBERCRIME Initial Access Broker Faces Sentencing for Cybercrime Ties with FBI
Feras Khalil Ahmad Albashiti, a Jordanian national, pled guilty to acting as an initial access broker for cyberattacks on over 50 U.S. companies. Albashiti sold network access to an undercover FBI agent, revealing vulnerabilities in companies using specific firewall products. The transactions included $20,000 in cryptocurrency for access credentials and malware capable of disabling endpoint detection and response (EDR) systems. During an FBI sting operation, Albashiti inadvertently exposed his IP address, linking him to a $50 million ransomware attack on a U.S. manufacturer. U.S. law enforcement identified Albashiti using email and financial records, leading to his extradition from Georgia in 2024. He faces a potential maximum sentence of ten years in prison and a $250,000 fine, with sentencing scheduled for May 11, 2026. This case underscores the ongoing threat posed by initial access brokers in facilitating significant cyberattacks globally.
2026-01-19 18:00:47 thehackernews MISCELLANEOUS Cloud-First Businesses Face Rising Costs from SaaS Downtime
In 2024, DevOps SaaS platforms like GitHub and Azure DevOps experienced 502 incidents, leading to over 4,755 hours of service degradation, impacting business operations significantly. The 2025 report indicates a 69% increase in critical incidents, with service disruptions totaling over 9,255 hours, highlighting growing challenges for cloud-dependent enterprises. The Shared Responsibility model places data protection on businesses, revealing vulnerabilities in relying solely on native SaaS backups, which can lead to single points of failure. Downtime costs are escalating, with large enterprises facing hourly losses up to $5 million, posing severe financial risks, particularly for smaller vendors. Service outages can paralyze R&D and disrupt operations, leading to project delays, reputational damage, and potential SLA violations, resulting in contractual penalties. Outages may drive teams to use Shadow IT, increasing security risks by sharing sensitive information through unsanctioned channels, potentially compromising organizations. To mitigate these risks, businesses are advised to adopt proactive resiliency strategies, including robust backup and recovery solutions, to ensure swift recovery and continuity.
2026-01-19 18:00:47 thehackernews VULNERABILITIES Critical Fortinet Vulnerability Exploited, Threatens System Integrity
A critical vulnerability in Fortinet FortiSIEM, CVE-2025-64155, is actively exploited, allowing unauthorized code execution and system compromise. The flaw, rated 9.4 on the CVSS scale, involves an argument injection vulnerability leading to remote code execution and privilege escalation. Attackers gain full control of the affected appliance by targeting the phMonitor service, a crucial component in FortiSIEM's operational workflow. Horizon3.ai's analysis reveals the vulnerability's potential for complete system takeover, posing significant risks to organizations using FortiSIEM. Rapid exploitation of this flaw underscores the urgency for organizations to apply patches and reinforce their security posture. The incident highlights the broader trend of attackers leveraging automation and existing systems to exploit vulnerabilities swiftly. Organizations are advised to treat all connected systems as potential entry points and maintain vigilant monitoring to prevent similar breaches.
2026-01-19 18:00:47 thehackernews VULNERABILITIES Google Gemini Flaw Exploited for Unauthorized Calendar Data Access
A security flaw in Google Gemini allowed unauthorized access to private calendar data via malicious invites, bypassing privacy controls and creating deceptive events without user interaction. Attackers embedded a natural language prompt in calendar invites, triggering Gemini to summarize and expose private meeting details when users queried their schedules. The vulnerability was addressed after responsible disclosure, but it underscores the potential risks AI features pose by expanding the attack surface. This incident demonstrates how AI applications can be manipulated through language, indicating vulnerabilities now extend beyond code to include context and AI behavior. The findings stress the importance of evaluating AI systems for security dimensions, including hallucination, factual accuracy, and jailbreak resistance, to safeguard against similar threats. Recent analyses of AI systems reveal multiple vulnerabilities, emphasizing the need for enterprises to audit AI service accounts and ensure robust security controls are in place. The case highlights the critical role of human oversight in AI security, as coding agents often fail to implement essential security controls without explicit guidance.
2026-01-19 18:00:47 bleepingcomputer CYBERCRIME Ingram Micro Ransomware Attack Exposes Data of 42,000 Individuals
Ingram Micro, a major IT service provider, experienced a ransomware attack in July 2025, compromising personal data of over 42,000 individuals. The breach involved unauthorized access to internal file repositories, resulting in the theft of sensitive information, including Social Security numbers and employment records. The attack led to significant operational disruptions, causing system outages and forcing employees to work remotely. SafePay ransomware group, known for double-extortion tactics, claimed responsibility for the attack, adding Ingram Micro to its dark web leak portal. SafePay has emerged as a prominent threat actor in 2025, exploiting gaps left by other ransomware groups like LockBit and BlackCat. Ingram Micro has not publicly confirmed SafePay's involvement, although the group has been linked to the incident by security researchers. This incident underscores the ongoing threat of ransomware and the importance of robust cybersecurity measures to protect sensitive data.
2026-01-19 18:00:47 bleepingcomputer CYBERCRIME Jordanian Access Broker Admits to Selling Corporate Network Access
Feras Khalil Ahmad Albashiti, a Jordanian national, pleaded guilty to selling unauthorized access to over 50 corporate networks, acting as an access broker within the cybercrime ecosystem. Albashiti was extradited from Georgia to the United States, where he faces a maximum sentence of 10 years in prison and a substantial financial penalty. Law enforcement identified Albashiti through an online forum investigation, where he was found selling access credentials to an undercover officer for cryptocurrency. Initial access brokers like Albashiti play a pivotal role by providing credentials that enable further cybercriminal activities, such as data theft and ransomware deployment. The case highlights the ongoing threat of access brokers, with recent warnings from Microsoft about similar actors exploiting security tools to facilitate ransomware attacks. A Russian national also recently pleaded guilty to similar charges, indicating a persistent global threat from access brokers aiding ransomware operations.
2026-01-19 18:00:46 bleepingcomputer CYBERCRIME Tennessee Hacker Admits to Breaching U.S. Supreme Court Systems
Nicholas Moore, a 24-year-old from Tennessee, pleaded guilty to hacking the U.S. Supreme Court's electronic filing system, accessing it at least 25 times with stolen credentials. Moore also breached accounts at AmeriCorps and the Department of Veterans Affairs, leaking sensitive personal and health information on Instagram. The breaches occurred between August and October 2023, with Moore using compromised credentials to repeatedly access and exploit these systems. Sensitive data exposed included personal details from AmeriCorps and private health information from the Veterans Affairs' My HealtheVet portal. Moore boasted about his activities on an Instagram account named @ihackedthegovernment, posting screenshots of the compromised data. He faces a misdemeanor charge of computer fraud, with potential penalties including a one-year prison sentence and a $100,000 fine. This incident highlights the critical need for robust cybersecurity measures and monitoring to prevent unauthorized access and data leaks.
2026-01-19 18:00:46 bleepingcomputer DDOS UK Government Warns of Ongoing Russian Hacktivist DDoS Attacks
The UK government has issued a warning about Russian-aligned hacktivist groups targeting critical infrastructure and local government entities with DDoS attacks. These attacks, while lacking sophistication, can disrupt systems and incur significant financial and operational costs for affected organizations. The group NoName057(16), active since March 2022, is behind the DDoSia project, leveraging volunteer resources for crowdsourced attacks. An international law enforcement operation, "Operation Eastwood," temporarily disrupted the group in July 2025, arresting members and dismantling servers. Despite these efforts, the group's main operators remain active, continuing their ideologically motivated attacks from Russia. The National Cyber Security Centre (NCSC) has shared a security guide for operational technology owners to mitigate DDoS risks. Russian hacktivists have increasingly targeted public and private sectors in NATO countries and others opposing Russia's geopolitical ambitions.
2026-01-19 07:31:57 theregister MISCELLANEOUS ATM Maintenance Error Leads to Bank Staff Disciplinary Actions
An ATM technician, referred to as "Phil," mistakenly took keys from a bank branch after completing routine maintenance, leading to a significant security incident. The technician realized the error at his next job and promptly reported it to his dispatcher, initiating a swift response from his employer. Upon returning to the bank, Phil found locksmiths changing locks and security personnel awaiting his arrival to retrieve the keys. Despite the technician's immediate confession and cooperation, the incident resulted in disciplinary actions against the bank staff for failing to adhere to key management protocols. All staff members at the affected branch were reassigned to different locations as a consequence of the breach in security procedures. The incident underscores the critical importance of strict adherence to security protocols in financial institutions to prevent potential breaches. This case serves as a reminder of the potential operational disruptions that can arise from seemingly minor oversights in security practices.
2026-01-19 07:02:11 thehackernews VULNERABILITIES XSS Vulnerability in StealC Malware Panel Exposes Threat Actor Operations
CyberArk researchers identified an XSS vulnerability in StealC's control panel, enabling them to gather insights into the operations of threat actors using this malware. The StealC information stealer, operating under a malware-as-a-service model, uses platforms like YouTube to distribute malicious software disguised as popular software cracks. The vulnerability allowed researchers to collect system fingerprints, monitor sessions, and steal cookies from infrastructure that was itself built for cookie theft. The leak of the StealC panel's source code further aided researchers in identifying threat actor characteristics, including location and hardware details. The flaw highlights security lapses in the StealC group's operations, particularly in cookie security, despite their focus on cookie theft. The research revealed operational security errors by YouTubeTA, a StealC customer, exposing their real IP address linked to a Ukrainian provider. This case demonstrates the double-edged nature of the MaaS ecosystem, offering rapid deployment for threat actors while exposing them to security vulnerabilities.
2026-01-19 02:15:02 theregister MISCELLANEOUS Microsoft Strengthens Energy Strategy for Expanding Asian Datacenters
Microsoft is actively recruiting senior energy strategists to ensure reliable power for its growing datacenter operations across Asia, reflecting its commitment to sustainable energy solutions. The company seeks three Senior Energy Program Managers in Australia and Singapore to oversee energy supply contracts and power purchase agreements, vital for datacenter efficiency. This hiring initiative aligns with Microsoft's broader strategy to support AI-driven datacenters, which are known for their significant energy demands. Microsoft is also expanding its infrastructure capabilities by hiring a Principal Civil/Geotech Engineer and a regional lead for datacenter lease arrangements in Southeast Asia. The move highlights the increasing importance of energy management in tech infrastructure as companies scale operations and prioritize sustainability. This development underscores the need for robust energy strategies to support the tech industry's growth and environmental goals in the Asia-Pacific region.
2026-01-19 00:03:36 theregister VULNERABILITIES Mandiant Releases Tool to Expose Microsoft Net-NTLMv1 Weakness
Mandiant has introduced tools to crack credentials within 12 hours, targeting the outdated Microsoft Net-NTLMv1 authentication protocol, which has been vulnerable to credential theft for over two decades. The new dataset enables security professionals to recover keys using consumer hardware costing less than $600, demonstrating the protocol's significant security flaws. Mandiant advises organizations to disable Net-NTLMv1 immediately to mitigate risks associated with its continued use, echoing warnings issued as far back as 2010. The release aims to expedite the deprecation of Net-NTLMv1, encouraging a shift to more secure authentication methods. This development underscores the importance of regularly updating and retiring legacy systems to protect against evolving cybersecurity threats.
2026-01-18 15:25:01 bleepingcomputer DATA BREACH CIRO Data Breach Affects 750,000 Canadian Investors' Information
The Canadian Investment Regulatory Organization (CIRO) confirmed a data breach impacting approximately 750,000 Canadian investors, revealing the incident's full scope after an extensive forensic investigation. CIRO, a key regulatory body for investment and mutual fund dealers, detected the cybersecurity threat last August, leading to the shutdown of certain non-critical systems. The breach involved the exfiltration of personal information from member firms and registered employees, though login credentials and security questions remained unaffected. CIRO's investigation, spanning over 9,000 hours, found no evidence of the stolen data being misused or appearing on the dark web. As a precaution, CIRO is offering affected investors a complimentary two-year credit monitoring and identity theft protection service to mitigate potential risks. Impacted individuals will be directly notified with enrollment instructions, while others can contact CIRO to verify their status. This incident ranks among the most significant cybersecurity breaches in Canada last year, alongside other notable cases involving major organizations.
2026-01-17 16:30:10 thehackernews CYBERCRIME Black Basta Ransomware Leader Faces EU and INTERPOL Action
Ukrainian and German authorities identified two Ukrainians linked to Black Basta, a ransomware-as-a-service group, and named a Russian national as its leader. Oleg Evgenievich Nefedov, the alleged leader, is now on the EU's Most Wanted and INTERPOL's Red Notice lists, complicating his ability to operate internationally. The group specialized in hacking protected systems, extracting passwords, and deploying ransomware to extort companies across North America, Europe, and Australia. Law enforcement seized digital storage devices and cryptocurrency assets from suspects' residences in Ukraine, disrupting the group's operations. Black Basta, active since April 2022, reportedly targeted over 500 companies and earned hundreds of millions in cryptocurrency from ransom payments. Leaked chat logs revealed internal workings and unmasked Nefedov, who allegedly has ties to Russian intelligence, aiding in evasion from international justice. Despite Black Basta's apparent dissolution, former members may have joined or formed new ransomware groups, such as CACTUS, indicating ongoing threats.
2026-01-17 16:22:46 bleepingcomputer MALWARE Malicious Chrome Extensions Compromise Enterprise HR Platform Credentials
Cybersecurity firm Socket discovered five malicious Chrome extensions targeting enterprise HR and ERP platforms, including Workday, NetSuite, and SAP SuccessFactors, affecting over 2,300 installations. The extensions masqueraded as productivity and security tools, stealing authentication credentials and blocking access to security administration pages critical for incident response. Attackers used cookie exfiltration, DOM manipulation, and bidirectional cookie injection to hijack sessions, maintain access, and potentially facilitate large-scale ransomware or data theft attacks. Extensions shared identical infrastructure and code patterns, indicating a coordinated operation despite being listed under different publisher names. Two extensions, Tool Access 11 and Data By Cloud 2, specifically blocked access to security pages, preventing administrators from managing authentication policies and responding to incidents. The Software Access extension enabled bidirectional cookie manipulation, allowing attackers to take over authenticated sessions without user credentials or multi-factor authentication. Socket reported the malicious extensions to Google, resulting in their removal from the Chrome Web Store; affected users are advised to report incidents and change passwords.