Daily Brief
Total articles found: 12820
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-02-24 18:14:18 | bleepingcomputer | NATION STATE ACTIVITY | Australia Prohibits Kaspersky Products Due to Security Risks | The Australian government has banned all Kaspersky Lab products from its systems, citing significant security risks. Stephanie Foster, Secretary of the Department of Home Affairs, highlighted concerns over foreign interference, espionage, and sabotage linked to the use of Kaspersky products. The ban targets non-corporate Commonwealth entities, with some exemptions for national security and regulatory functions. Kaspersky refuted the allegations, arguing the decision lacks specific evidence and claiming it was politically motivated due to the geopolitical climate. The company criticized the lack of due process and opportunity for engagement before the directive's issuance. Similar bans on Kaspersky products have been implemented in other countries, including the U.S., Germany, and Canada, primarily citing national security concerns. | Details |
| 2025-02-24 17:52:27 | bleepingcomputer | CYBERCRIME | Botnet Uses Basic Auth to Bypass MFA in Global M365 Attacks | A large botnet with over 130,000 compromised devices is conducting password-spray attacks targeting Microsoft 365 (M365) accounts globally. The botnet exploits Basic Authentication to circumvent Multi-Factor Authentication, using stolen credentials for large-scale unauthorized access. SecurityScorecard highlights a significant security risk for organizations relying only on interactive sign-in monitoring, which misses the non-interactive sign-ins often used by automated processes and legacy protocols. Microsoft plans to phase out Basic Authentication by September 2025 due to its outdated security, but it remains enabled in some systems, posing a threat. Attack details reveal the botnet can validate stolen credentials without triggering MFA, accessing accounts through legacy services or further phishing attacks. Signs of the botnet's activity include increased non-interactive login attempts visible in Entra ID logs, along with multiple failed logins from various IPs. The report suggests a possible link to Chinese-affiliated operators, backed by certain technical and operational evidence, though attribution remains tentative. Recommendations for organizations include disabling Basic Auth, blocking certain IP addresses, enabling Conditional Access Policies, and universal MFA implementation to mitigate risks. | Details |
| 2025-02-24 17:02:55 | thehackernews | MALWARE | New Malware Campaigns Exploit Cracked Software and Vulnerabilities | Cybersecurity researchers reported a new malware campaign using cracked software to spread Lumma and ACR Stealer variants. ACR Stealer uses legitimate services like Steam and Telegram as dead drop resolvers to obtain command-and-control server domains. A separate campaign delivers Rhadamanthys malware via malicious files disguised as MS Word documents that exploit the CVE-2024-43572 vulnerability. These malware types steal sensitive data such as web browser information and cryptocurrency wallet data from infected systems. Over 30 million computers have been reported compromised by information stealers, impacting high-stakes sectors like defense. Recent exploits also involve social engineering via customer support platforms and redirection to fake CAPTCHA pages to distribute malware. The use of I2P networks by I2PRAT malware makes it harder for cyber professionals to track and mitigate these threats. The proliferation of these malware campaigns signals a shift towards more sophisticated infection and concealment techniques. | Details |
| 2025-02-24 16:26:41 | bleepingcomputer | NATION STATE ACTIVITY | North Korea's Lazarus Group Linked to Record $1.5 Billion Crypto Heist | The North Korean Lazarus hacking group is suspected in the $1.5 billion theft from the cryptocurrency exchange Bybit. The attack involved interception of fund transfers between Bybit's cold and hot wallets, redirecting them to a blockchain address controlled by the hackers. Over 400,000 ETH and stETH, valued at over $1.5 billion, were moved to an unidentified address during a scheduled wallet transfer manipulated by the attackers. Bybit's operations remained stable with all non-affected cold wallets secure; the company restored its ETH reserves and remains solvent. Connections have been established between the Bybit heist and the earlier Phemex hack, with stolen funds commingled and laundered through multiple blockchain addresses and cryptocurrency mixers. Researchers identified the laundered funds moving across over 920 blockchain addresses, converted mostly to Bitcoin to obscure the money trail. TRM Labs and Elliptic confirmed high confidence in Lazarus Group's involvement based on patterns and address overlaps observed in prior related thefts. The eXch exchange was implicated but denied involvement in laundering, stating that it handled the stolen funds in isolation. | Details |
| 2025-02-24 15:55:48 | bleepingcomputer | MALWARE | Two New Exploits Targeting Parallels Desktop Flaw Uncovered | Two exploits have been disclosed targeting an unpatched privilege elevation vulnerability in Parallels Desktop, potentially allowing root access on Mac devices. The vulnerability was initially patched in September following its discovery in May, but the newest exploits demonstrate a bypass of Parallels' fix. Security researcher Mickey Jin publicly released the details of the exploits to increase awareness and prod Parallels into addressing the flaw. The first exploit involves a race condition that allows an attacker to replace a verified binary with a malicious script, gaining root access. The second exploit manipulates a function within Parallels that allows arbitrary file overwriting with root privileges. Despite repeated follow-ups by Jin, Parallels has not officially responded to the security flaw since June 2024. Jin's recent findings indicate that all current and many past versions of Parallels Desktop remain vulnerable to these exploits. The availability of these exploits increases the urgency for an official response and patch from Parallels, given the popular use of its software for running diverse operating systems on Macs. | Details |
| 2025-02-24 15:05:50 | theregister | MISCELLANEOUS | Building Cyber Resilience: Key Strategies for Enhanced Security | Global spending on security and risk management is projected to reach $215 billion in 2024, indicating significant organizational investment in cybersecurity. Effective asset management is crucial; however, many organizations struggle with it due to the complexity of modern IT environments and frequent changes like Shadow IT and misconfigurations. Credential leaks give attackers a cost-effective means of gaining access to organizational systems, emphasizing the need for robust measures like two-factor authentication and regular testing against stolen credentials. With thousands of new vulnerabilities emerging annually, prioritizing vulnerabilities based on exploitability and business impact is critical to preventing critical breaches. Organizations should make informed cybersecurity investments, testing tools in their specific network environments to ensure that they meet actual needs while maintaining system resilience. Implementing simple security measures can significantly strengthen an organization's defenses and make it tougher for attackers to cause damage. The ongoing pressure and complexity of managing cybersecurity risks demand a strategic approach to security investment and policy enforcement to shift the odds in favor of defenders. | Details |
| 2025-02-24 13:36:52 | theregister | DATA BREACH | Apple Disables ADP in UK, Users Seek Safe Alternatives | Following UK government pressure, Apple has disabled its Advanced Data Protection (ADP) feature, compromising end-to-end encryption for iCloud users in the UK. This regulatory move was reportedly an alternative to the installation of a more invasive backdoor that UK authorities had previously requested. Apple acknowledges disappointment, emphasizing that the lack of ADP undermines data security and privacy amid rising data breaches. Users heavily relying on iCloud for storing sensitive information like notes, reminders, and photos have been encouraged to transition to alternative applications that offer robust encryption. Alternatives such as Standard Notes, Joplin, Lunatask, Ente, and various encrypted services by Proton are highlighted as viable solutions for maintaining data privacy. Legal experts anticipate this decision could potentially conflict with European Court of Human Rights rulings and affect the UK's data-sharing adequacy with the EU. Privacy advocates criticize the move as detrimental, warning that it sets a dangerous precedent that could extend beyond the UK, influencing global data privacy norms. | Details |
| 2025-02-24 11:27:35 | thehackernews | NATION STATE ACTIVITY | North Korean Group Executes Record $1.5 Billion Crypto Heist | The North Korean hacker group Lazarus has stolen over $1.5 billion in cryptocurrency from Bybit's cold wallet. This theft is the largest recorded crypto heist, surpassing previous major thefts in the sector. The unauthorized access occurred during a routine transfer process on February 21, 2025. Bybit detected the breach promptly but was unable to prevent the loss of funds. This incident has heightened concerns over the security of digital assets and the capabilities of nation-state actors in cyber theft. The breach has triggered discussions on enhancing security protocols and regulatory measures in the cryptocurrency industry. Authorities and cybersecurity experts are closely monitoring the aftermath to prevent future occurrences and trace the stolen assets. | Details |
| 2025-02-24 11:18:49 | thehackernews | MISCELLANEOUS | Google Cloud Introduces Quantum-Safe Digital Signatures | Google Cloud has introduced quantum-safe digital signatures for its Cloud Key Management Service (KMS) to counteract potential future quantum computing threats. The service aligns with the National Institute of Standards and Technology's (NIST) newly formalized post-quantum cryptography (PQC) standards, including FIPS 203, 204, and 205. This initiative aims to protect encrypted data from future compromise by attackers who harvest ciphertext today and decrypt it later, a strategy known as Harvest Now, Decrypt Later (HNDL). Quantum-safe digital signatures are available in a preview phase with implementations such as ML-DSA-65 (FIPS 204) and SLH-DSA-SHA2-128S (FIPS 205). Google is also partnering with Hardware Security Module (HSM) vendors and External Key Manager (EKM) partners to expand quantum-safe cryptography solutions across its platform. The development includes plans for API support for hybridization schemes, dependent on future consensus in the cryptographic community. | Details |
| 2025-02-24 11:06:09 | thehackernews | MALWARE | Why Continuous Ransomware Validation is Crucial for Cyberdefense | Ransomware attacks progress through stages, starting subtly before escalating to encryption and ransom demands. Most organizations fail to detect early Indicators of Compromise (IOCs), allowing attackers to disable backups and escalate privileges unnoticed. Continuous ransomware validation emulates attack paths, enabling detection systems to identify and respond to IOCs before significant damage occurs. Key IOCs include shadow copy deletion, mutex creation, process injection, and service termination—all aimed at evading detection and ensuring successful encryption. Regular automated testing of cybersecurity measures ensures preparedness against evolving ransomware tactics and IOCs. Annual testing of security is insufficient due to the continual evolution and sophistication of ransomware attacks. Continuous validation helps security teams adapt and respond quickly, minimizing potential damage and costs associated with recovering from ransomware attacks. | Details |
| 2025-02-24 10:02:28 | thehackernews | NATION STATE ACTIVITY | Australia Bans Kaspersky Software Citing National Security Risks | Australia has prohibited the installation of Kaspersky security software by government entities, citing heightened national security threats. Secretary Stephanie Foster PSM of the Department of Home Affairs emphasized the risks of foreign interference, espionage, and sabotage associated with Kaspersky products. The decision aligns with broader concerns about the exposure of sensitive user data to foreign governments whose laws may conflict with domestic ones. The directive (002-2025) mandates the removal of all existing Kaspersky software from government systems and devices by April 1, 2025, but allows for potential exemptions under strict conditions. Exemptions for using Kaspersky's software may be granted for essential compliance and law enforcement purposes, with requisite security measures. This move mirrors similar actions taken by the U.S., which also imposed bans on Kaspersky's software in government applications, leading to the company's exit from that market. | Details |
| 2025-02-24 03:39:22 | theregister | DATA BREACH | Apple Disables iCloud End-to-End Encryption for UK Users | Apple has terminated its Advanced Data Protection (ADP) end-to-end encryption for iCloud users in the UK in response to government demands for data access under the Investigatory Powers Bill. UK users attempting to enable ADP will encounter an error message, and existing users will need to disable the feature to maintain iCloud access. Certain iCloud data, including health information, iMessages, and FaceTime calls, will retain end-to-end encryption. Bybit, a cryptocurrency exchange, experienced a $1.4 billion theft due to a spoofed transaction during a wallet transfer. The US Coast Guard reported a data breach in its payroll system, with quick reporting by a junior officer helping to minimize impact. The US Securities and Exchange Commission has launched a Crypto Crime unit to combat fraud and protect investors. A new phishing toolkit, Darcula-Suite 3.0, has made launching phishing attacks easier and more accessible to individuals without technical skills. SANS Institute is promoting the development of open-source AI-powered cybersecurity solutions through a hackathon, addressing the proprietary nature of current systems and encouraging new talent in the field. | Details |
| 2025-02-23 15:11:37 | bleepingcomputer | MISCELLANEOUS | Google Cloud Integrates Quantum-Safe Signatures in KMS | Google Cloud has introduced quantum-safe digital signatures to its Cloud Key Management Service (Cloud KMS) to combat potential future quantum computing threats. This update aligns with the National Institute of Standards and Technology's (NIST) post-quantum cryptography (PQC) standards. Quantum-safe cryptography is considered essential for protecting the sensitive data of financial institutions, government agencies, and other high-stakes entities against advanced decryption methods. The new cryptographic options in Cloud KMS include two algorithms, ML-DSA-65 and SLH-DSA-SHA2-128S, designed to be resistant to quantum attacks. Although fully functional quantum computers do not exist yet, the risk of future 'harvest now, decrypt later' attacks prompts the need for preemptive updates to encryption methods. Google's implementation also extends to its Cloud Hardware Security Modules (HSM), enhancing overall data security within its cloud infrastructure. These cryptographic implementations are open-source, allowing for community involvement and independent security verification. Google encourages enterprises to begin testing these quantum-resistant algorithms to prepare for future security landscapes and provide feedback for further improvements. | Details |
| 2025-02-22 21:03:08 | bleepingcomputer | CYBERCRIME | Phishing Scam Exploits PayPal Address Feature to Deceive Users | PayPal's "New Address" feature has been manipulated to send phishing emails from the official PayPal address. Scammers send legitimate-looking emails that falsely inform users of a new address addition and a MacBook purchase. These emails urge recipients to call a fake PayPal support number, leading to potential remote access to their device. The scam email passes all security checks including DKIM, as it is sent from PayPal's authenticated server. Attackers use the address update feature to inject scam messages that are then automatically sent out. Victims are misled to download a remote access tool from a deceitful link provided by the scammers. PayPal users should not follow instructions from suspicious emails but instead check their account directly. BleepingComputer has reported this issue to PayPal and suggested limiting characters in address fields to prevent abuse. | Details |
| 2025-02-22 15:20:36 | bleepingcomputer | CYBERCRIME | Scammers Target CS2 Fans with Fake Streams to Steal Crypto | Cybercriminals are exploiting major CS2 events like IEM Katowice 2025 by orchestrating fake tournament streams. These streams mimic real gameplay using loops of older matches to deceive viewers on YouTube. Scammers impersonate well-known CS2 players, such as s1mple and NiKo, to add credibility to their scams. Viewers are enticed with offers of free skins and cryptocurrency doubling schemes which lead to phishing sites. Victims who enter their Steam credentials on these malicious sites risk losing access to their accounts and valuable in-game items. Captured cryptocurrencies are immediately redirected to scammer-controlled wallets. Bitdefender advises using multi-factor authentication and regularly monitoring account activity to protect against these scams. It's recommended to only engage with content from verified, official esports channels to avoid falling victim to such frauds. | Details |