Daily Brief
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-04-23 10:38:06 | theregister | NATION STATE ACTIVITY | Ex-NSA Chief Urges AI Developers to Prioritize Security Early | Former NSA head Mike Rogers emphasizes the importance of integrating security into AI development from the start to avoid later vulnerabilities. Rogers highlighted past failures in cybersecurity where systems lacked built-in security, leading to costly retrofits and increased risks. At the Vanderbilt Summit, he discussed the potential dangers of not securing AI, ranging from data leaks to biased algorithms impacting critical decisions. The director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) encouraged secure practices by having technology vendors sign the Secure By Design Pledge. Contrasting policies between the Biden and Trump administrations show differences in handling AI regulation and tech company liabilities. Rogers references Project Maven to illustrate the significance of aligning technology with ethical and practical usage, pointing out the cultural divide between government objectives and tech company values. Historical shifts in Google’s AI policies reflect broader changes in the tech industry's approach to ethical considerations in AI applications. |
| 2025-04-23 08:29:17 | theregister | NATION STATE ACTIVITY | Trump Administration Criticized for Weakening US Cybersecurity | The Trump administration has been accused of severely undermining America's cyber defenses, including the possible lapse of the crucial Common Vulnerabilities and Exposures (CVE) database due to lack of funding and support. CISA, the agency responsible for the CVE program, faced significant budget and staff cuts, jeopardizing the continuity of the CVE database system, whose funding is set to run out in March 2026. Key figures such as General Timothy D. Haugh, who played a critical role in national cyber defense, were dismissed under the administration, further weakening the cybersecurity framework. Cybersecurity advisory bodies such as the Cyber Safety Review Board were effectively disbanded, halting investigations into major cyber incidents like the "Salt Typhoon" hacks. The administration promoted the decentralization of cyber defense responsibilities to state and local levels, potentially increasing vulnerabilities due to inconsistent capabilities across states. Critical federal cybersecurity grant programs saw funding cuts, impacting the ability to hire and retain skilled cybersecurity professionals at the state level. The administration's approach has raised concerns about the security of sensitive federal systems and data, with risky implications for national and individual security. |
| 2025-04-23 07:20:00 | thehackernews | MALWARE | Ripple xrpl.js Library Compromised to Steal Cryptocurrency Keys | Ripple's npm JavaScript library, xrpl.js, was compromised, affecting versions 4.2.1 through 4.2.4 and 2.14.2. The attack was carried out through the software supply chain and aimed at exfiltrating private keys from users. The malicious code was added by a user named "mukulljangid", suspected to be a compromised Ripple employee account. A backdoor function, checkValidityOfSeed, transmitted the stolen data to an external domain. Over 2.9 million downloads of xrpl.js, with significant weekly activity, raise concerns about extensive exposure. No evidence of compromise was found in the associated GitHub repository; the attack was confined to the published npm package versions. Updated package versions 4.2.5 and 2.14.3 were released to remove the malicious alterations and secure user data. Users are urged to upgrade immediately to the latest versions to avert potential security risks. |
| 2025-04-23 05:28:04 | thehackernews | MISCELLANEOUS | Google Modifies Chrome's Cookie Policy and Boosts Incognito Privacy | Google has decided against introducing a new standalone prompt for third-party cookies in Chrome, continuing with its existing setup within the browser's Privacy and Security Settings. This decision is part of Google's broader Privacy Sandbox initiative, which balances user privacy enhancements with feedback from industry stakeholders. Instead of deprecating third-party tracking cookies, Google is focusing on enhancing privacy features in Incognito mode, which already blocks these cookies by default. A significant upcoming feature in Chrome’s Incognito mode is the IP Protection feature slated for release in Q3 2025, aiming to hide users' original IP addresses to prevent cross-site tracking. Google's approach reflects the divergent perspectives among publishers, developers, regulators, and the advertising industry regarding changes to third-party cookie usage. The company plans to continue engaging with the industry to refine its Privacy Sandbox technologies and will update its strategic roadmap in the months to come. Notably, Google's strategy differs from competitors such as Apple Safari and Mozilla Firefox, which have blocked third-party cookies by default since 2020, as Google juggles its roles as browser vendor, advertising platform, and search engine. These changes come amid intense regulatory scrutiny of Google’s market influence in search and advertising, including recent U.S. Department of Justice proposals to potentially divest parts of its business. |
| 2025-04-22 23:30:24 | bleepingcomputer | CYBERCRIME | Marks & Spencer Impacted by Cyberattack, Disrupts Customer Services | Marks & Spencer (M&S) has experienced a cyberattack affecting its operations and Click and Collect service. Despite the ongoing incident, M&S stores, website, and app remain functional, with minimal disruption to everyday consumer access. The company engaged external cybersecurity experts to assist with the investigation and management of the cyber incident. M&S has reported the incident to data protection supervisory authorities and the National Cyber Security Centre. Customers have been advised of potential delays with the Click and Collect service and to await notification before pickup. M&S has issued an apology for the inconvenience caused by the cyberattack and is actively working to resolve the disruptions. No specific details about the nature of the cyberattack or the identity of the attackers have been disclosed as yet. |
| 2025-04-22 21:12:00 | bleepingcomputer | CYBERCRIME | Critical Mail RCE Flaw Targets Japanese Firms; Urgent Update Needed | A zero-day remote code execution (RCE) vulnerability in Active! Mail is being actively exploited, predominantly affecting large Japanese organizations. Active! Mail, a web-based email client used by over 11 million accounts in Japan, suffers from a critical stack-based buffer overflow. The flaw, identified as CVE-2025-42599 with a CVSS v3 score of 9.8, potentially allows arbitrary code execution or causes a denial-of-service condition. Following the vulnerability disclosure, IT service providers such as Kagoya Japan and WADAX reported attacks, leading to temporary service suspensions. Japan's CERT confirms the exploitation and has issued an update recommendation to mitigate risks associated with the vulnerability. Security experts from Macnica noted at least 227 Active! Mail servers exposed online, including 63 in educational institutions, heightening the risk of cyber attacks. Companies unable to implement the update immediately are advised to configure Web Application Firewalls (WAFs) to inspect and filter HTTP requests to prevent exploitation. |
| 2025-04-22 20:25:07 | theregister | MISCELLANEOUS | Google Abandons Privacy Sandbox, Retains Third-Party Cookies | Google has decided to continue using third-party cookies in Chrome, abandoning its Privacy Sandbox initiative aimed at enhancing user privacy. This reversal comes after opposition from advertising technology rivals and regulatory pressure, with concerns that the Sandbox would unfairly advantage Google's already dominant ad services. Third-party cookies, criticized for compromising privacy by tracking users across multiple sites, will remain integral to Chrome's functionality. Privacy Sandbox, announced in 2019, was intended to replace third-party cookies with a system that still allows targeted ads while complying with rising privacy regulations. Google had planned an opt-in screen allowing users to choose between the Privacy Sandbox and traditional third-party cookies, but this has now been scrapped. Some components of the Privacy Sandbox, such as the IP Protection scheme, will still be implemented, aiming for a Q3 2025 deployment. Critics such as the Electronic Frontier Foundation accuse Google of prioritizing its business model over user privacy, especially when compared to other browsers that block third-party cookies by default. Google asserts that it will work with industry stakeholders to revise its roadmap and possibly continue developing other Privacy Sandbox technologies. |
| 2025-04-22 19:43:54 | bleepingcomputer | CYBERCRIME | Hackers Manipulate Zoom Feature to Steal Cryptocurrency | A hacking group called 'Elusive Comet' is exploiting Zoom's remote control feature to access and steal cryptocurrency from users. The group employs social engineering tactics, mimicking methodologies used by the Lazarus group in the recent $1.5 billion Bybit crypto heist. Victims are lured into a phony interview set up via Zoom, orchestrated through convincing but fraudulent Bloomberg or crypto-journalist profiles on X, or via email. During the call, attackers trick victims by changing their own display name to "Zoom," prompting victims to grant remote access under the guise of a legitimate Zoom request. Once access is granted, attackers can control the victim’s system, enabling them to extract sensitive data, install further malware, and complete unauthorized cryptocurrency transactions. Trail of Bits, the cybersecurity firm reporting this issue, uncovered the scam after its CEO was targeted, and suggests stringent control measures including avoiding Zoom in high-security environments. Recommendations for defense include deploying Privacy Preferences Policy Control profiles that block unsolicited remote access requests. |
| 2025-04-22 19:37:11 | theregister | NATION STATE ACTIVITY | Two Senior CISA Officials Resign Amid U.S. Cybersecurity Cuts | Bob Lord and Lauren Zabierek, both key figures in CISA, announced their resignations, specifically highlighting their involvement in the Secure by Design program. The Secure by Design initiative focused on enhancing cybersecurity by requiring software makers to integrate better security features from the initial stages of development. Zabierek's mission included persuading over 250 software companies to commit to better security practices, such as implementing multi-factor authentication. The resignations occur as CISA faces significant workforce reductions, with potential cuts impacting up to 40% of its staff due to budget constraints imposed by the Trump administration. Concerns are rising about a "brain drain" at CISA that may weaken U.S. national cybersecurity, especially as changes to the program under the current administration have been hinted at. Recent cuts at CISA include a 50% reduction in funding for the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the discontinuation of multiple advisory committees focused on cybersecurity. |
| 2025-04-22 18:31:30 | bleepingcomputer | MALWARE | SK Telecom USIM Data Compromised in Recent Malware Attack | SK Telecom, South Korea's leading mobile operator, experienced a malware attack that exposed sensitive USIM-related customer data. Detected on April 19, 2025, the malware was identified during a weekend when staffing was reduced, potentially increasing vulnerability. The compromised data includes crucial USIM information such as IMSI, MSISDN, and authentication keys, which could be exploited for surveillance or SIM-swap attacks. Immediately upon discovery, SK Telecom removed the malware, isolated the affected hardware, and reported the incident to the Korea Internet & Security Agency (KISA) and the Personal Information Protection Commission. To date, there are no confirmed instances of misuse of the leaked information, although the full extent and origin of the breach are still under investigation. SK Telecom has enhanced security measures, including tightened controls on USIM swaps and abnormal authentication attempts, and introduced a USIM protection service to prevent unauthorized SIM changes. Customers are urged to enroll in the USIM protection service to safeguard against potential SIM card portability fraud. |
| 2025-04-22 18:12:49 | theregister | CYBERCRIME | Ransomware Group Mocks US Department Using Elon Musk's Tactics | The Fog ransomware group incorporates a satirical Elon Musk policy reference in its updated ransom demands, demanding that victims list their weekly accomplishments. The ransom note mimics a policy from Musk’s tenure as head of the US Department of Government Efficiency (DOGE), under which federal employees must submit five-point recaps of their weekly achievements. The unusual demand reflects a trend of cybercriminals merging political satire with their illegal activities, possibly to mock victims and government inefficiencies. Fog ransomware, active for about a year, targets both Windows and Linux systems across multiple industries, but little is known about its origins or group composition. Trend Micro researchers have provided indicators of compromise and methods to defend against Fog ransomware, highlighting the need for increased vigilance and protective measures. Speculation surrounds Elon Musk’s future with the US government, with reports suggesting Musk may resign from DOGE by May due to frustrations with political opposition. DOGE, under Musk’s guidance, aimed to drastically reform federal operations but has not reached its expected efficacy and budget-cutting goals. |
| 2025-04-22 17:13:26 | theregister | MISCELLANEOUS | New Ransomware Research Bounty Program Offers $250K Fund | Halcyon has launched the Threat Research Incentive Program (TRIP), allocating $250,000 to reward researchers for ransomware-specific intelligence. Each approved submission can earn researchers up to $10,000, aiming to aid the development of Halcyon's anti-ransomware technologies. The program's goal is to enhance ransomware prevention efforts by incorporating new intelligence into Halcyon's products rather than making all findings publicly available. The rewards program is structured into four tiers, with the most critical intel (Tier 1) yielding the highest payouts of up to $10,000. Salinas emphasized that while the program benefits the security community by rewarding independent research, the primary beneficiaries will be Halcyon and its customers. Submissions are vetted to ensure they do not inadvertently reveal victim identities or give threat actors insights that could compromise further investigations. Payouts are made through official, traceable channels, and researchers must verify their independence and lack of affiliation with sanctioned entities or ransomware groups. |
| 2025-04-22 16:47:14 | thehackernews | MALWARE | Malicious Docker Containers Mine Crypto Using Fake Signals | Cybersecurity firms Darktrace and Cado Security have exposed a new malware campaign that exploits Docker environments to earn cryptocurrency. The malware uses a novel method: instead of traditional direct crypto mining, it falsely interacts with the Web3-based Teneo service to generate rewards. Teneo operates a decentralized platform where participants earn points by running nodes that scrape social media data; the malware fakes this activity to accumulate points without doing any real scraping. The offending Docker container, labeled "kazutod/tene:ten", contains an obfuscated Python script that interacts with Teneo's system just enough to mimic activity and earn rewards. The malware’s strategy includes sending keep-alive pings to simulate engagement, exploiting the system's reward for 'heartbeat' actions rather than actual data scraping. This Docker-based approach is part of a broader trend of cybercriminals moving away from easily detectable mining tools such as XMRig toward more surreptitious methods of exploiting computing resources for financial gain. The discovery also aligns with recent findings of increased botnet activity and IoT device exploitation aimed at conducting DDoS attacks, highlighting ongoing weaknesses in network security. |
| 2025-04-22 16:47:13 | bleepingcomputer | MALWARE | Ripple's xrpl.js Library Compromised, XRP Wallets Exposed | The official Ripple xrpl.js library was hacked, leading to theft of XRP wallet seeds and private keys. Malicious code targeted versions 2.14.2, 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of the xrpl NPM package, affecting downloads made within a specific one-hour period. A method called checkValidityOfSeed was added to these versions to forward sensitive data to an attacker-controlled server. This supply chain attack is not unique, following similar breaches in other blockchain ecosystems such as Ethereum and Solana. Users are advised to upgrade immediately to the clean version 4.2.5 and to consider key rotation or disabling compromised keys as described in the XRP Ledger documentation. Despite relatively low download numbers, the widespread use of the xrpl.js library means potential access to a large number of wallets. The malicious additions were likely made using compromised developer credentials and did not appear in the public GitHub repository, indicating a breach during the NPM publishing process. |
| 2025-04-22 16:16:34 | theregister | CYBERCRIME | M&S Reports Cyber Incident Affecting Click & Collect Orders | Marks & Spencer (M&S) has notified the London Stock Exchange of a "cyber incident" impacting its operations. The specific details and nature of the incident were not disclosed, but it has been affecting customer orders for the past few days. M&S's Click & Collect service experienced disruptions, though its stores remain open and its website and app are operating normally. Customers were informed via email about potential delays with their Click & Collect orders but were advised that no immediate action was needed on their part. The retailer has made "minor, temporary changes" to its store operations to safeguard customer and business interests. M&S has engaged external experts for incident management and reported the situation to the National Cyber Security Centre and the Information Commissioner's Office. Social media reports from customers mentioned issues with service availability as early as Saturday, indicating possible earlier impacts of the cyber incident. |