Daily Brief


Total articles found: 11793

Checks for new stories every ~15 minutes

2025-08-07 14:06:51 bleepingcomputer MALWARE GreedyBear Campaign Targets Firefox Users with Malicious Crypto Extensions
Koi Security identified the 'GreedyBear' campaign, which infiltrated Mozilla's add-ons store with 150 malicious extensions, stealing approximately $1,000,000 from Firefox users. The extensions impersonated popular cryptocurrency wallets like MetaMask and TronLink, initially appearing benign before injecting malicious code to capture wallet credentials. Attackers utilized keylogging techniques within the extensions to exfiltrate user credentials and IP addresses to a remote server, facilitating further tracking and targeting. The operation also involved Russian-speaking pirated software sites distributing 500 malware variants, including trojans and ransomware, linked to a single command-and-control hub. Mozilla has removed the malicious extensions, but the campaign's scale and AI-driven tactics highlight the ease of executing large-scale cyber schemes. Despite Mozilla's detection systems, fraudulent extensions continue to appear, with signs of expansion to the Chrome Web Store already detected. Users are advised to verify extension authenticity by checking reviews and details, and to download official wallet extensions directly from project websites.
2025-08-07 13:24:26 thehackernews MALWARE Malicious Go and npm Packages Unleash Cross-Platform Malware Threats
Researchers identified 11 malicious Go packages capable of delivering additional payloads on Windows and Linux, posing significant risks to software supply chains. The packages utilize command-and-control endpoints to execute second-stage payloads, which can gather host data and access web browser information. The decentralized nature of the Go ecosystem allows malicious modules to be easily imported, leading to potential developer confusion and inadvertent integration of harmful code. Two npm packages, naya-flore and nvlore-hsc, masquerade as WhatsApp libraries, incorporating a phone number-based kill switch that can remotely wipe systems. The npm packages have been downloaded over 1,110 times and remain available, highlighting ongoing threats within open-source repositories. Attackers exploit obfuscation techniques and discreet data exfiltration methods, underscoring the need for vigilance in monitoring open-source software dependencies. The findings emphasize the persistent supply chain risks associated with cross-platform malware, particularly as open-source software continues to expand.
2025-08-07 13:14:13 thehackernews VULNERABILITIES Axis Communications Surveillance Systems Exposed to Remote Code Exploits
Cybersecurity researchers identified multiple vulnerabilities in Axis Communications' video surveillance products, potentially allowing unauthorized remote code execution and system takeover. Over 6,500 Axis servers are exposed to the internet, with nearly 4,000 located in the U.S., posing significant security risks. Exploitation of these flaws could enable attackers to hijack video feeds, alter communications, and execute arbitrary actions on affected systems. The vulnerabilities allow attackers to assume a man-in-the-middle position, bypassing authentication and gaining system-level access to camera networks. No evidence currently indicates these vulnerabilities have been exploited in the wild, but the potential impact is severe. Organizations using Axis products should prioritize patching and securing exposed servers to mitigate these risks. This incident underscores the critical need for robust security measures in internet-connected surveillance systems.
2025-08-07 13:05:34 theregister DATA BREACH Air France and KLM Customer Data Compromised in Third-Party Breach
Air France and KLM reported unauthorized access to customer data via a third-party service platform, affecting personal information but excluding sensitive data like passwords or credit card details. The breach involved customer names, contact details, Flying Blue numbers, and service request email subject lines, raising concerns about potential phishing attempts. The airlines' IT security teams, alongside the external service provider, quickly acted to halt the breach and implemented measures to prevent future incidents. Both airlines have notified the Dutch and French data protection authorities and advised customers to remain vigilant against phishing scams. The incident is part of a broader trend of data breaches at major organizations linked to third-party providers, with no specific threat actor publicly identified yet. The ShinyHunters cybercrime group is suspected of involvement, given its history of targeting similar entities, although no official attribution has been made. This breach underscores the critical need for robust third-party risk management and continuous monitoring of external platforms to safeguard customer data.
2025-08-07 12:36:21 theregister DATA BREACH European Users Challenge Meta's AI Data Practices Amid Privacy Concerns
A survey by privacy group NOYB reveals only 7% of German Facebook and Instagram users support Meta using their data for AI training. 27% of surveyed users were unaware of Meta's data usage for AI, raising transparency issues and potential GDPR compliance challenges. Meta suspended AI training in Europe last year following NOYB's complaints, but resumed after EU and UK data protection authorities approved its "legitimate interests" basis. Despite Meta's notifications to users about data practices, NOYB claims less than half of users recall receiving these communications, questioning the effectiveness of Meta's consent strategy. NOYB is considering a class action lawsuit against Meta, potentially leading to significant financial repercussions for the company. German privacy officials anticipate that the EU's highest court may ultimately decide on the legality of Meta's AI data practices. The ongoing legal and public scrutiny could compel Meta to reevaluate its data handling and user consent mechanisms to align with European privacy expectations.
2025-08-07 11:52:52 bleepingcomputer CYBERCRIME Samourai Wallet Founders Admit to Laundering $200 Million in Cryptocurrency
Samourai Wallet's CEO and CTO pleaded guilty to laundering over $200 million for cybercriminals, facing potential prison sentences for conspiracy and operating an unlicensed money-transmitting business. The U.S. Department of Justice charged the founders with conspiracy to operate a money transmitting business and money laundering, with sentences up to 20 years. As part of their plea, the founders agreed to forfeit over $237 million, while their domains were seized and the mobile app was removed from Google Play. Samourai Wallet facilitated anonymous transactions, attracting over 100,000 downloads, and was marketed as a tool to conceal illicit proceeds, including from dark web markets. The service processed over 80,000 Bitcoins, valued at more than $2 billion, from various illegal activities, earning over $6 million in fees from its mixing services. Law enforcement actions included seizing Samourai's infrastructure and removing its app, disrupting its operations and sending a strong message against crypto-enabled money laundering. This case underscores the ongoing challenge of regulating cryptocurrency platforms and the importance of robust compliance measures to prevent misuse for illicit activities.
2025-08-07 10:46:42 thehackernews VULNERABILITIES Microsoft Warns of Critical Exchange Server Flaw in Hybrid Setups
Microsoft has identified a significant vulnerability in on-premises Exchange Server, tracked as CVE-2025-53786, which can lead to privilege escalation in hybrid environments. The flaw, with a CVSS score of 8.0, allows attackers with admin access to an on-premises Exchange Server to escalate privileges in connected cloud setups. The vulnerability arises from shared service principals between Exchange Server and Exchange Online in hybrid configurations, complicating detection and auditing. Microsoft advises installing the April 2025 hotfix and reconfiguring the service principal's keyCredentials if hybrid or OAuth authentication is no longer in use. The U.S. CISA warns of potential impacts on Exchange Online's identity integrity if the flaw remains unpatched, urging immediate mitigation. Microsoft plans to block Exchange Web Services traffic using shared service principals to enhance security and promote dedicated hybrid app adoption. CISA also advises disconnecting outdated public-facing Exchange or SharePoint Servers to prevent exploitation by cyber threat actors.
2025-08-07 10:36:43 thehackernews VULNERABILITIES SonicWall Addresses Patched Vulnerability Exploited in VPN Attacks
SonicWall clarified that recent attacks on its Gen 7 firewalls were linked to the patched CVE-2024-40766 vulnerability, not a zero-day exploit. CVE-2024-40766, with a CVSS score of 9.3, involves improper access control, potentially allowing unauthorized access and causing firewall crashes. The company is investigating fewer than 40 incidents, many linked to Gen 6 to Gen 7 firewall migrations without password resets. SonicWall's advisory stresses the importance of resetting local user passwords during firewall migrations to mitigate risks. SonicOS 7.3 has enhanced security measures, including protections against brute-force password attacks and support for multi-factor authentication. The vulnerability exploitation has been associated with Akira ransomware attacks, highlighting the need for robust security practices. SonicWall's proactive communication and guidance aim to prevent further exploitation and ensure customer security.
2025-08-07 10:36:43 thehackernews MISCELLANEOUS AI-Driven Cloud Security Evolves Amid New Threats and Challenges
The Sysdig Cloud Defense Report 2025 reveals AI as both a tool and target in the evolving cloud security landscape, necessitating agile defense strategies. Attackers leverage AI for automation, exemplified by campaigns like CRYSTALRAY, which utilize open-source tools for rapid reconnaissance and credential harvesting. Sysdig Sage™, an AI cloud security analyst, reduces response times by 76%, with significant adoption in software and business services sectors. A 500% rise in AI/ML package workloads in 2024 was followed by a 25% decline, indicating improved security measures and governance. Recommendations for securing AI systems include API authentication, configuration hardening, and enforcing least privilege to safeguard digital assets. Real-time threat detection is essential, as cloud attacks can occur in under 10 minutes; the 555 Cloud Detection and Response Benchmark offers a strategic framework. CI/CD pipelines are increasingly targeted, highlighting the need for runtime visibility to prevent build system compromises and misconfigurations. Open source tools, such as Falco, are vital for modern cloud defense, offering real-time detection and compliance support, especially in regulated sectors.
2025-08-07 10:19:11 bleepingcomputer CYBERCRIME Major IPTV Piracy Service Rare Breed TV Shut Down by ACE
The Alliance for Creativity and Entertainment (ACE) has successfully shut down Rare Breed TV, a significant illegal IPTV service offering over 28,000 channels. Rare Breed TV, based in North Carolina, provided unauthorized access to a vast library of TV channels and on-demand content, impacting copyright holders globally. A financial settlement was reached with the operators, who agreed to cease operations and cooperate with ACE, though the website remained active at the time of reporting. ACE, a coalition of over 50 major media entities, collaborates with global law enforcement to dismantle large-scale piracy operations. The shutdown of Rare Breed TV is part of ACE's ongoing efforts to combat digital piracy, following previous successful actions against various illegal streaming platforms. The enforcement action serves as a warning to piracy operators, emphasizing the legal and financial repercussions of running unauthorized streaming services. ACE's continued initiatives highlight the importance of industry collaboration in protecting intellectual property rights and combating digital piracy.
2025-08-07 08:53:31 theregister MISCELLANEOUS Amnesty Criticizes X for Amplifying Misinformation During UK Riots
Amnesty International accuses Elon Musk's X platform of spreading misinformation that fueled violent riots in the UK following the Southport murders in 2024. The platform's algorithm prioritizes engagement over safety, lacking mechanisms to assess potential harm from promoted content, according to Amnesty's analysis. High-profile accounts, including Musk's, amplified far-right messaging, significantly influencing online discourse and contributing to racially charged violence. The UK government has initiated reviews into the riots, focusing on gaps in legislation and the effectiveness of programs like Prevent in mitigating extremist threats. The Online Safety Act, intended to protect users from harmful content, is criticized for failing to address algorithmic amplification of dangerous posts. Amnesty calls for stronger accountability measures for social media platforms to prevent the spread of inflammatory content during periods of social tension. X's spokesperson asserts the platform's commitment to safety, highlighting machine learning and human review processes to manage harmful content.
2025-08-07 08:44:13 bleepingcomputer DATA BREACH Air France and KLM Suffer Customer Data Breach via Service Platform
Air France and KLM reported a data breach on a customer service platform affecting an undisclosed number of customers, though financial and sensitive personal information remained secure. The breach was swiftly addressed by cutting off unauthorized access, and measures were implemented to prevent future incidents, ensuring internal systems were not compromised. The airlines have informed the Dutch Data Protection Authority and France's CNIL, while notifying affected customers to remain vigilant against potential phishing attempts. This incident follows a trend of increased cyberattacks on the aviation sector, with groups like Scattered Spider targeting major airlines and transportation firms. The breach raises concerns about the security of external platforms used by airlines and the need for robust cybersecurity measures across all operational aspects. Air France and KLM's proactive response demonstrates the importance of rapid incident detection and response in mitigating potential damage from data breaches.
2025-08-07 08:01:39 theregister MISCELLANEOUS Agentic AI Revolutionizes Managed Detection and Response Capabilities
The cybersecurity landscape is rapidly evolving, with agentic AI emerging as a transformative tool for Managed Detection and Response (MDR) services, enhancing threat detection and response capabilities. Unlike generative AI, agentic AI autonomously completes complex tasks by breaking them into simpler ones and is predicted to be integral to one-third of AI use cases by 2028. MDR providers are leveraging agentic AI to automate tasks traditionally handled by SOC analysts, aiming to reduce human error and address the cybersecurity skills shortage. The technology enables MDR platforms to adapt and learn from real-time threats, offering quicker and more effective responses to cyber incidents, minimizing operational disruptions. Organizations must carefully evaluate MDR providers, ensuring they utilize sophisticated AI models that integrate human expertise, avoiding over-reliance on automation that may lead to false positives or negatives. eSentire's Atlas AI exemplifies effective agentic AI use, accelerating investigations from hours to minutes while maintaining human oversight for critical decision-making. The integration of agentic AI into MDR services supports compliance with data regulations, offering detailed audit trails and reports for regulatory scrutiny. Businesses are advised to assess potential MDR partners thoroughly, focusing on transparency, collaboration, and the balance between AI and human expertise in their security operations.
2025-08-07 07:16:44 thehackernews VULNERABILITIES Rising Threat of Python Supply Chain Attacks in 2025
Python's widespread use in software development has led to increased supply chain attacks, with malicious packages frequently uploaded to the Python Package Index (PyPI). In December 2024, attackers compromised the Ultralytics YOLO package, used extensively in computer vision, affecting thousands of downloads before detection. The prevalence of Python supply chain vulnerabilities demands a shift from the traditional "pip install and move on" approach to a more secure, controlled method. Over 100 high and critical CVEs exist in the standard Python base image, complicating efforts to secure Python environments effectively. Organizations must adopt new tools and strategies to gain visibility and control over their Python dependencies, ensuring robust security without disrupting workflows. A webinar is available to guide developers and security engineers in securing their Python supply chain, emphasizing practical measures and tools. The growing sophistication of threats necessitates a proactive stance on Python supply chain security, treating it as a critical aspect of software development.
2025-08-06 21:04:02 theregister MALWARE Microsoft's AI Agent Project Ire Aims to Revolutionize Malware Detection
Microsoft introduced Project Ire, an AI-driven agent designed to autonomously detect malware, potentially reducing manual analysis workload for security analysts. In testing, Project Ire accurately identified 89% of malicious files but only detected 26% of total malware samples, indicating room for improvement. Project Ire employs large language models (LLMs) and reverse engineering tools to classify software, aiming to enhance Microsoft Defender's threat detection capabilities. The initiative seeks to address alert fatigue among analysts by automating malware classification, allowing focus on more sophisticated threats. Despite moderate initial performance, Microsoft's goal is to enhance Project Ire's accuracy and scalability for broader deployment across its security suite. The development reflects a broader industry trend towards integrating AI in cybersecurity, as companies aim to counter AI-driven threats with AI-based defenses. Competitors like Google and Palo Alto Networks are also advancing AI initiatives, underscoring the critical role of AI in future cybersecurity strategies.