Daily Brief
Find articles below; see 'Details' for generated summaries
Total articles found: 11772
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-09-25 16:24:32 | bleepingcomputer | MISCELLANEOUS | Amazon Settles FTC Lawsuit Over Prime Membership Dark Patterns | Amazon will pay $2.5 billion to resolve allegations from the FTC about deceptive practices in its Prime membership enrollment process, impacting millions of users. The settlement includes a $1 billion civil penalty and $1.5 billion in refunds to approximately 35 million affected consumers, addressing concerns about unauthorized subscription enrollments. The FTC accused Amazon of using dark patterns to manipulate users into Prime subscriptions, making cancellation processes intentionally difficult and confusing. Internal Amazon documents revealed awareness among executives about the deceptive nature of their subscription practices, referring to it as a "shady world." This legal action follows a previous $25 million fine against Amazon for alleged violations of children's privacy laws related to its Alexa service. The settlement aims to prevent future deceptive practices by Amazon, reinforcing consumer protection and transparency in subscription services. The case underscores the importance of regulatory oversight in safeguarding consumer rights against manipulative online business practices. | Details |
| 2025-09-25 15:44:20 | bleepingcomputer | MALWARE | Malicious Rust Packages Compromise Crypto Wallet Security on Crates.io | Two malicious Rust packages, faster_log and async_println, were downloaded nearly 8,500 times from Crates.io, targeting developers' crypto wallet keys and sensitive information. The packages mimicked the legitimate fast_log crate, retaining its functionality to avoid detection while embedding malicious code that exfiltrated data. Attackers exploited the log file packing feature to scan systems for sensitive data, sending it to a Cloudflare Worker URL not affiliated with Solana RPC. Crates.io swiftly removed the malicious packages and suspended the accounts 'rustguruman' and 'dumbnbased' responsible for their publication. Developers affected by these packages are advised to clean their systems and transfer digital assets to new wallets to mitigate potential theft. This incident serves as a reminder to verify the reputation of package publishers and review build instructions to avoid inadvertently downloading harmful software. The attack had limited impact due to the absence of dependent downstream crates and no other submissions from the banned publishers. | Details |
| 2025-09-25 15:22:07 | thehackernews | VULNERABILITIES | Salesforce Patches Critical AI Vulnerability Exposing CRM Data | Salesforce's Agentforce platform was affected by a critical vulnerability named ForcedLeak, potentially allowing data exfiltration via AI prompt injection. The flaw, discovered by Noma Security, carries a CVSS score of 9.4 and impacts organizations using Salesforce's Web-to-Lead functionality. The vulnerability exploits weaknesses in context validation and AI model behavior, enabling unauthorized command execution and data leakage. Attackers could leverage an expired Salesforce-related domain to exfiltrate sensitive data, highlighting risks associated with domain management. Salesforce has patched the vulnerability by enforcing a Trusted URL allowlist, preventing unauthorized data output to untrusted URLs. Organizations are advised to audit lead data for anomalies, implement strict input validation, and sanitize data from untrusted sources to mitigate risks. This incident underscores the need for robust AI security measures to prevent significant financial and reputational damages. | Details |
| 2025-09-25 14:35:14 | bleepingcomputer | MISCELLANEOUS | Evaluating Passkeys as a Secure Alternative to Passwords | The rise of passkeys as a passwordless authentication method is gaining traction, driven by their resistance to phishing and brute-force attacks compared to traditional passwords. According to the FIDO Alliance, passkeys leverage public key cryptography, relying on devices like phones or security keys rather than memory-based credentials. Passkeys offer enhanced security by ensuring that only public keys are stored on company databases, rendering them useless without the corresponding private key on the user's device. Despite their advantages, passkeys face challenges such as implementation complexity, costs, and compatibility issues with legacy systems, limiting their immediate widespread adoption. Organizations are likely to adopt hybrid models, integrating passkeys while maintaining strong password hygiene for systems where passkeys are not feasible. Verizon's 2025 Data Breach Investigations Report indicates that stolen credentials are involved in 88% of breaches, underscoring the need for robust authentication methods. Specops Software promotes its Password Policy tool to enhance password security by blocking compromised passwords, highlighting the ongoing importance of password management. | Details |
| 2025-09-25 13:18:05 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Target Crypto Developers with AkdoorTea Backdoor | North Korean threat actors linked to the Contagious Interview campaign have introduced a new backdoor, AkdoorTea, targeting global cryptocurrency and Web3 developers across multiple operating systems. The DeceptiveDevelopment campaign utilizes social engineering tactics, posing as recruiters offering fake job roles on platforms like LinkedIn and Upwork to distribute malware. The attack chain involves malicious scripts in Python and JavaScript, leveraging multi-platform backdoors and a dark web project in .NET to compromise targets. Malware such as BeaverTail, InvisibleFerret, and WeaselStore is deployed for data exfiltration, focusing on sensitive information from browsers and cryptocurrency wallets. The TsunamiKit toolkit is used for cryptocurrency theft, employing components like TsunamiLoader and TsunamiHardener to establish persistence and evade detection. Tropidoor, a sophisticated payload linked to the Lazarus Group, shares code with other malware used in past campaigns, demonstrating advanced capabilities in stealth and data manipulation. The campaign's reliance on open-source tools and creative social engineering illustrates a volume-driven approach, compensating for technical limitations with scale. The operation is part of a broader North Korean strategy, including fraudulent IT worker schemes, blending traditional crime with cybercrime tactics. | Details |
| 2025-09-25 12:55:20 | bleepingcomputer | CYBERCRIME | Teen Hacker Released After Vegas Casino Cyberattacks Investigation | A 17-year-old linked to cyberattacks on Vegas casinos was released to parental custody after being charged with sophisticated network intrusions. The attacks, attributed to the Scattered Spider group, targeted MGM Resorts and Caesars Entertainment, deploying BlackCat/ALPHV ransomware. Operational disruptions and data breaches resulted in over $100 million in damages for MGM and a $15 million ransom paid by Caesars. Prosecutors allege the suspect holds $1.8 million in Bitcoin, yet to be recovered, and advocate for trial as an adult due to the attack's severity. The court imposed restrictions on the suspect's internet and electronics use, with any violations leading to immediate detention. Charges include extortion, conspiracy, and unlawful computer acts, with potential for additional charges as investigations progress. The case reflects ongoing challenges in managing cyber threats from younger individuals involved in sophisticated criminal activities. | Details |
| 2025-09-25 11:48:47 | theregister | VULNERABILITIES | Cisco's New Zero-Day Vulnerability Threatens Network Security Worldwide | Cisco confirmed a critical zero-day vulnerability, CVE-2025-20352, affecting IOS and IOS XE software, which attackers are actively exploiting. The flaw resides in the SNMP subsystem, allowing attackers with SNMP access to execute arbitrary code with root privileges. Successful exploitation can lead to full device compromise, posing significant risks to organizations relying on Cisco's networking equipment. Cisco's Product Security Incident Response Team urges immediate software updates to address the vulnerability, as no workaround is available. The company advises restricting SNMP access to trusted hosts as a temporary measure, though this is insufficient if attackers have already breached defenses. This vulnerability is part of a series of serious issues affecting Cisco's IOS, raising concerns about the security of critical network infrastructure. Organizations delaying patches risk exposure to attacks, given the historical exploitation patterns of Cisco's zero-day vulnerabilities. | Details |
| 2025-09-25 11:48:46 | thehackernews | VULNERABILITIES | Continuous Threat Exposure Management Enhances Cybersecurity Focus and Efficiency | Traditional vulnerability management struggles under the weight of over 40,000 CVEs annually, overwhelming security teams with alerts deemed "critical" by scoring systems like CVSS and EPSS. Continuous Threat Exposure Management (CTEM) shifts focus from volume to clarity, emphasizing prioritization and validation to manage real threats effectively. CTEM addresses both technical and nontechnical exposures, predicting that by 2028, over half will stem from issues like misconfigured SaaS apps and human error. Adversarial Exposure Validation (AEV) technologies, including Breach and Attack Simulation (BAS) and Automated Pentesting, provide real-world context to prioritize vulnerabilities. AEV technologies help distinguish between theoretical threats and those that are truly exploitable, optimizing resource allocation and response strategies. Case studies, such as the Log4j vulnerability, demonstrate how AEV can reprioritize risks based on contextual factors, enhancing operational efficiency. The upcoming State of BAS 2025 summit will explore advancements in security validation, showcasing how AI and BAS are redefining attack simulation. | Details |
| 2025-09-25 11:48:46 | thehackernews | VULNERABILITIES | SonicWall and OnePlus Address Critical Security Vulnerabilities | SonicWall released a firmware update for SMA 100 series devices to remove rootkit malware, addressing threats from the UNC6148 group's OVERSTEP malware. The update includes additional file checks and urges users to upgrade to version 10.2.2.2-92sv due to significant vulnerabilities in legacy VPN appliances. OnePlus faces a critical permission bypass vulnerability in OxygenOS, allowing unauthorized access to SMS/MMS data, posing risks to sensitive information like MFA codes. The vulnerability, present since OxygenOS 12 in 2021, remains unpatched, though OnePlus is investigating the issue. These incidents highlight the ongoing need for timely updates and proactive vulnerability management to safeguard sensitive data and maintain operational integrity. | Details |
| 2025-09-25 10:32:32 | theregister | MISCELLANEOUS | EU Launches Biometric Entry/Exit System for Schengen Area Borders | The European Union is implementing a Biometric Entry/Exit System (EES) for non-EU travelers, effective from October, across 29 Schengen countries to enhance border security and efficiency. The EES requires travelers, including those from the UK and US, to register fingerprints and facial images, replacing traditional passport stamping with biometric verification. Managed by eu-LISA, the system stores biometric and passport data for three years, or five if no exit is recorded, to monitor compliance with the 90-day travel rule. Eurostar and Eurotunnel have invested significantly in registration infrastructure, with Eurostar initially targeting premier passengers and Eurotunnel expanding to various transport modes by year-end. Critics, such as European Digital Rights, argue the data collection is excessive, although improvements have been made since initial proposals. The UK has allocated funds to support EES infrastructure at key transport hubs, ensuring smooth implementation and compliance with new EU travel regulations. A €20 visa waiver, ETIAS, will be introduced in late 2026 for travelers from visa-exempt countries, further streamlining entry into the Schengen area. | Details |
| 2025-09-25 10:19:15 | thehackernews | DDOS | Gcore Radar Report: Technology Sector Now Prime DDoS Target | Gcore's latest report reveals a 41% year-on-year increase in DDoS attack volume, with technology overtaking gaming as the primary target. The largest attack recorded in Q1–Q2 2025 peaked at 2.2 Tbps, indicating a rise in both scale and ambition of attackers. Technology accounts for 30% of DDoS attacks, surpassing gaming's reduced share of 19%, due to enhanced defenses and strategic shifts by attackers. Financial services remain highly vulnerable, representing 21% of attacks, driven by their disruption potential and regulatory sensitivity. Attack durations are lengthening, with 10–30 minute assaults nearly quadrupling, while maximum durations slightly decreased, focusing on high-impact strikes. UDP flood attacks dominate network-layer threats, comprising 56%, with multi-vector strategies increasingly used to disguise malicious activity. The United States, Netherlands, and emerging source Hong Kong are key origins of network-layer attacks, stressing the need for geographically aware defenses. Gcore's advanced DDoS Protection utilizes over 200 Tbps filtering capacity and integrated API security to safeguard critical assets against evolving threats. | Details |
| 2025-09-25 09:40:08 | theregister | DATA BREACH | Co-op Cyberattack Results in £80 Million Financial Impact | The Co-operative Group suffered a significant cyberattack in April 2025, resulting in an £80 million profit loss and a £206 million revenue hit. The attack led to the theft of personal data of 6.5 million members, including names and contact information, though no payment data was compromised. Operational disruptions included supply chain issues, empty shelves, and halted back-office functions, prompting Co-op to offer discounts to affected members. Despite the breach, Co-op's defenses prevented a full ransomware deployment, mitigating potentially greater financial damage. The UK's National Crime Agency arrested four suspects linked to the attack, believed to be part of the Scattered Spider hacker group. Investigations by regulators, including the Information Commissioner's Office, are underway to assess data exposure and response measures. Co-op's leadership emphasized its resilience and community focus, launching initiatives to address cyber threats and support vulnerable groups. The company anticipates reduced cyber impact in the latter half of the year but remains cautious about ongoing market challenges. | Details |
| 2025-09-25 08:56:54 | theregister | DATA BREACH | Home Office Tightens Rules on Police Access to Facial Databases | The Home Office has issued new guidance for police searches of its passport and visa facial image databases following privacy concerns and legal challenges from advocacy groups. Law enforcement searches of the passport database surged from two in 2020 to 417 in 2023, prompting privacy campaigners to demand stricter controls. New procedures require police to exhaust all other options before accessing these databases, ensuring searches are in the public interest and related to serious crime or national security. Approval for database searches now requires a police inspector's sign-off and completion of detailed forms, with urgent requests discouraged unless absolutely necessary. Matches from facial image searches must be reviewed by at least two Home Office staff members, with results not considered expert opinions. The UK Passport Office and Immigration Biometric System hold extensive data, with 53.2 million passport photos and 92 million immigration images, which carries significant privacy implications. This move aims to balance law enforcement needs with privacy rights, reflecting growing scrutiny over government-held biometric data usage. | Details |
| 2025-09-25 08:14:59 | theregister | MISCELLANEOUS | European Companies Urged to Shift from US Cybersecurity Providers | European businesses face significant risks due to heavy reliance on US cybersecurity providers, which exposes them to geopolitical tensions and regulatory conflicts, particularly concerning data sovereignty. The Schrems II ruling invalidated the EU-US Privacy Shield, complicating compliance for companies using US services, as the US CLOUD Act allows data access even when stored in Europe. Approximately 74% of European companies continue to depend on US B2B providers, risking operational disruption from potential US sanctions and trade disputes. European cybersecurity innovation is on the rise, with leaders focusing on building a robust digital ecosystem that aligns with EU regulations and enhances operational resilience. Top European cybersecurity companies offer GDPR-compliant solutions, ensuring data residency and business continuity, thereby reducing dependency on US-based services. Transitioning to European solutions involves a structured migration plan, starting with a dependency audit, followed by selecting alternatives, pilot implementation, and full migration. Embracing European cybersecurity solutions provides businesses with technological independence, compliance with EU laws, and stability against geopolitical uncertainties. | Details |
| 2025-09-25 08:07:00 | thehackernews | MALWARE | Malicious Rust Crates Target Solana and Ethereum Wallet Keys | Cybersecurity researchers identified two malicious Rust crates, faster_log and async_println, designed to steal Solana and Ethereum wallet keys, accumulating 8,424 downloads. These crates impersonated the legitimate fast_log library, embedding routines to scan and exfiltrate private keys via HTTP POST to a command and control endpoint. The threat actors employed typosquatting techniques, retaining logging functionality while introducing malicious code to extract sensitive information from Rust files. Crates.io maintainers have removed the malicious packages and disabled the associated accounts, preserving logs for further analysis and response. The campaign exploited minimal code changes and deceptive practices to create a significant supply chain risk, demonstrating vulnerabilities in software distribution channels. No downstream dependencies were identified, limiting the spread, but the incident highlights the need for rigorous review processes in open-source libraries. The incident serves as a reminder of the persistent threats posed by supply chain attacks, necessitating enhanced vigilance and security measures in software development ecosystems. | Details |