Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-08-04 10:53:07 | theregister | CYBERCRIME | German Phone Repair Company Begins Insolvency After Ransomware Attack | Wilhelm Einhaus, head of Einhaus Group, confirmed that parts of his company are undergoing insolvency proceedings due to a ransomware attack in 2023. The ransom payment, made in cryptocurrency, was seized by authorities investigating the cyberattack but has not been returned, significantly affecting company finances. Einhaus Group, which had annual revenues of €70 million at its peak, partnered with major telcos like Deutsche Telekom and offered services across over 5,000 retail outlets. Despite attempts to stabilize the company by selling assets and reducing staff from more than 100 employees to just eight, financial recovery was unsuccessful. The disruption from the ransomware attack caused severe operational halts, locking staff out of systems and resulting in seven-figure losses. Following the financial and operational impacts of the attack, three of the 13 companies under Einhaus Group have started insolvency proceedings. The plight of Einhaus Group highlights the broader, devastating impact ransomware can have on businesses, with similar collapses reported by other companies in different sectors. |
| 2025-08-04 10:02:52 | theregister | NATION STATE ACTIVITY | The Complex Challenge of Data Sovereignty and International Laws | Microsoft France's legal director admitted to the French Senate that U.S. laws could force them to surrender French data, regardless of its storage location. Microsoft has attempted to address EU concerns about data sovereignty with enhanced service agreements, promising to legally challenge any U.S. requests for data access. The concept of data sovereignty complicates international relations, as states must balance sovereignty with the realities of global interdependence. The UK government's failed attempt to require Apple to create an encryption backdoor highlights the difficulty of maintaining data control amidst international pressures. The European Union is considering regulations to prevent non-EU entities from accessing sensitive data, which could significantly impact U.S.-based cloud providers reliant on AI strategies. The emerging legal and regulatory changes worldwide introduce unpredictability in data management and storage, necessitating robust on-premises solutions to ensure data security. The discussed changes underscore a global trend towards a balkanized internet, where data sovereignty laws could inhibit international commerce and digital innovation. |
| 2025-08-04 10:02:51 | bleepingcomputer | CYBERCRIME | Mozilla Warns Developers of Phishing Attacks on Add-On Accounts | Mozilla has issued an advisory to browser extension developers about phishing attacks aimed at Mozilla's AMO platform accounts. The phishing campaign impersonates the Mozilla AMO team, suggesting that developers need to update their accounts to maintain feature access. Developers are advised to validate the authenticity of the source by checking if the emails are sent from Mozilla-owned domains and through standard email authentication checks. Mozilla specifically warned developers against clicking on links in suspicious emails and recommended directly navigating to official Mozilla websites. The exact scale and the primary objectives of the phishing attacks are not yet disclosed, but at least one developer has reportedly been compromised. Mozilla promises further updates on the phishing campaign as more details become available. Mozilla recently introduced a security feature to block malicious Firefox extensions, particularly those involved in cryptocurrency thefts, acknowledging the removal of numerous harmful extensions in recent years. |
| 2025-08-04 09:33:38 | thehackernews | MISCELLANEOUS | Controlling IT Democratization to Secure SaaS and AI Tools | Rapid proliferation of Shadow IT creates significant security risks as employees adopt SaaS and embedded AI tools without proper oversight. Current security frameworks are inadequate due to decreased visibility; IT can no longer solely manage or control the technology used within the organization. Increasing use of AI and its integration into everyday tools enhances productivity but introduces vulnerabilities like data leaks and unmonitored API connections. Supply chain vulnerabilities emerge as apps integrate with each other through APIs and OAuth tokens, expanding potential attack surfaces drastically. Compliance complications arise as employees engage with numerous unvetted SaaS tools, complicating adherence to industry standards like GDPR and SOC 2. Offboarding presents risks, as former employees' access to SaaS applications can remain, leading to potential unauthorized data access. Wing provides a comprehensive tool to detect, monitor, and manage both shadow IT and AI applications, enhancing security by improving visibility and control over these technologies. Continuous, sophisticated monitoring is necessary to manage the expanded attack surface and keep the organization secure amid these challenges. |
| 2025-08-04 09:19:20 | theregister | MISCELLANEOUS | UK Implements Online Safety Act, Mandates Age Verification | The UK Online Safety Act, effective from July 25, requires stringent age verification to access specific internet content, aimed at safeguarding minors from harmful material. Users must verify their age through methods like facial scans, photo IDs, and credit card checks; non-compliance can lead to heavy fines up to 10% of global revenue or £18 million. The Age Verification Providers Association reports over five million additional daily checks since the act's implementation. The UK government ensures that personal data will only be stored when "absolutely necessary" and advocates for minimum data collection during the verification process. Despite assurances, privacy concerns persist among critics who worry about the potential for data misuse and overreach of surveillance. VPN services, which can bypass age verification requirements, remain legal in the UK, reflecting a balance between enforcing online safety and maintaining personal freedoms. Debates continue over the impact of the act on freedom of expression, with significant public discourse about the balance between protection and privacy. |
| 2025-08-04 06:36:32 | theregister | NATION STATE ACTIVITY | Faulty Upgrade of China's Great Firewall Risks Censorship Failure | Researchers have identified vulnerabilities in China's Great Firewall caused by efforts to censor QUIC traffic. The Great Firewall's new blocklists for QUIC are inconsistent, targeting some domains that do not use QUIC. Blocking attempts are influenced by internet traffic levels, with higher failure rates during peak usage. QUIC's encryption complicates the Great Firewall's censorship efforts, leading to inefficiencies. The study revealed potential for targeted attacks exploiting these weaknesses to disrupt China's censorship capabilities. Researchers disclosed vulnerabilities to authorities in January 2025 and observed partial remediation by March. The discoveries were published to support anti-censorship efforts, prioritizing public awareness over private disclosure to Chinese officials. |
| 2025-08-04 06:23:51 | thehackernews | MALWARE | PlayPraetor Trojan Targets Banking Apps, Infects Over 11,000 Devices | Cybersecurity researchers have identified an Android trojan, PlayPraetor, that has infected over 11,000 devices globally, focusing on users in Europe and South America. PlayPraetor exploits accessibility services on Android to control devices remotely, displaying fake overlays on banking and cryptocurrency apps to steal user credentials. The malware spreads through fraudulent Google Play Store pages and deceptive Meta ads, tricking users into downloading malicious applications. With origins traced to Chinese threat actors, PlayPraetor utilizes a command-and-control (C2) system to manage the infected devices, issue commands, and livestream device screens. The malware is part of a broader malware-as-a-service (MaaS) offering, indicating a well-organized operation capable of launching targeted scams across different regions. PlayPraetor operates in several variants, each with specialized capabilities for phishing, remote control, and fraud directly from the compromised device. Recent updates to the trojan indicate active development efforts by its creators, aiming at expanding its reach and improving its stealth and data theft functionalities. |
| 2025-08-04 00:07:58 | theregister | MALWARE | North Korea's Lazarus Group Embeds Malware in Open Source Tools | North Korea's Lazarus Group has shifted its focus to infiltrating open-source software by embedding malware in popular development tools. Sonatype, a software supply chain management company, identified 234 unique malware packages developed by Lazarus Group in the first half of 2025. The group utilizes advanced techniques for persistent access to high-value targets, shifting its strategy from disruptive attacks to long-term infiltration. Lazarus Group, notorious for the Sony Pictures hack in 2014, the 2016 Bangladesh bank heist, and the 2017 WannaCry ransomware, is now exploiting the open-source ecosystem. Developers who download these tools without thorough verification are primarily at risk, highlighting the ongoing threats within software supply chains. |
| 2025-08-03 11:25:21 | theregister | CYBERCRIME | Silent Push CEO Discusses Global Cybercrime Infrastructure Takedowns | Silent Push, a cybersecurity firm specializing in cybercrime takedowns, collaborates with international law enforcement to dismantle large criminal networks. CEO Ken Bagnall reveals the extensive scope of a specific criminal operation named Funnull, which was found controlling over 1.4 million live hosting sites linked to financial scams. The US Treasury sanctioned Funnull and its operator in May, identifying it as a major player in virtual currency investment scams causing substantial losses. Once a cybercrime group realizes their activities are monitored, they alter their operations, initiating a "cat-and-mouse game" with cybersecurity firms like Silent Push. Despite the tactical challenges, these takedowns are essential as cybercriminals often operate with implicit support from their home countries, like China, North Korea, and Russia. Bagnall emphasizes the economic impact of these crimes, describing cybercrime as a significant, ongoing drain on national economies which needs more strategic national-level interventions. |
| 2025-08-02 16:40:32 | thehackernews | NATION STATE ACTIVITY | State-Backed Espionage Targets Telecoms in Southeast Asia | State-sponsored actors, identified as CL-STA-0969, conducted an espionage campaign against Southeast Asia telecommunication entities from February to November 2024. CL-STA-0969 utilized a variety of tools to enable remote access and deploy Cordscan malware, capable of harvesting location data from mobile devices. Despite extensive intrusion, no evidence was found of data exfiltration or communication tracking within the compromised networks. The cybersecurity researchers linked CL-STA-0969's activities to Liminal Panda, a known China-affiliated espionage group targeting telecom sectors primarily for intelligence gathering. The campaign involved sophisticated techniques such as DNS tunneling and process masquerading to maintain operational security and avoid detection. No alterations were made to SELinux settings, ensuring persistence and stealth in the compromised telecommunications infrastructure. Additional tactics included using zero-day exploits in Microsoft Exchange and SharePoint, as reported in a parallel allegation by China against U.S. intelligence activities targeting Chinese military and research entities. |
| 2025-08-02 14:26:26 | bleepingcomputer | CYBERCRIME | Cybercriminals Exploit Link-Wrapping Services to Hijack Microsoft 365 Logins | A threat actor exploited link-wrapping services from Proofpoint and Intermedia to mask phishing links targeting Microsoft 365 credentials. These services typically rewrite URLs in emails to a trusted domain and scan them for malicious activity, which in this case was circumvented. By compromising protected email accounts, the attacker used these trusted services to legitimize and distribute phishing URLs. The phishing campaigns featured fake notifications from Microsoft Teams and voicemails to lure victims into clicking malicious links. The final destination of these links was a Microsoft Office 365 phishing page designed to capture user credentials. In one specific instance, the attacker impersonated a secure message notification, which led to a phishing page hosted by Constant Contact. Cloudflare's Email Security team identified these activities, noting the sophisticated use of multi-tiered redirect abuse and URL shortening to obfuscate the attack chain. This approach not only increases the credibility of phishing attempts but also highlights a novel misuse of security features designed to protect users. |
| 2025-08-02 13:42:34 | thehackernews | MALWARE | New 'Plague' Linux Backdoor Enables Undetected Credential Theft | Cybersecurity experts have uncovered a new Linux backdoor named Plague, which has evaded detection for over a year. The Plague backdoor functions as a malicious Pluggable Authentication Module (PAM), allowing attackers to clandestinely bypass authentication. This malware provides attackers with persistent SSH access, enabling long-term exploitation without detection. Researchers observed multiple samples of Plague, hinting at ongoing development and sophistication in its deployment strategy. Key features of Plague include static credentials, anti-debugging, and string obfuscation capabilities to thwart analysis efforts. It enhances its stealth by eliminating SSH session traces and preventing shell command logging, leaving almost no forensic evidence. Plague's integration into the authentication stack and resistance to system updates amplify its danger, complicating detection via standard security tools. Despite multiple uploads of Plague to VirusTotal since July 2024, antimalware engines have failed to identify any samples as malicious. |
| 2025-08-02 08:29:45 | theregister | CYBERCRIME | CISA Identifies Poor Security Practices in Infrastructure Agency | CISA and the US Coast Guard revealed significant security lapses in an unnamed critical infrastructure organization, highlighting risks from poor cybersecurity hygiene. Key vulnerabilities identified include plaintext storage of local admin credentials, usage of non-unique passwords, and inadequate operational technology (OT) environment segmentation. The use of shared local admin accounts across multiple hosts raises the threat of unauthorized widespread access and facilitates lateral movement by potential attackers. Insufficient logging practices hindered the ability to detect unauthorized access or malicious activities, increasing the risk of undetected threats within the network. Issues with the organization's SCADA and HVAC systems could potentially lead to real-world safety hazards due to unauthorized system accesses. CISA's report emphasized the need for enhanced security measures and provided general recommendations for improving cybersecurity defenses. The findings are used by CISA to underline the broader implications of inadequate security measures in critical national infrastructures. |
| 2025-08-02 07:03:52 | thehackernews | MALWARE | Akira Ransomware Targets SonicWall VPNs in Surge of Attacks | SonicWall SSL VPN devices have been identified as the primary targets in a recent series of Akira ransomware attacks. A potential zero-day vulnerability in SonicWall devices is suspected as multiple fully-patched devices were compromised. The increase in ransomware incidents began in mid-July 2025, although suspicious activity dates back to October 2024. Ransomware attackers often utilize Virtual Private Server hosting to authenticate against the compromised VPNs. Organizations are urged to disable SonicWall SSL VPN services temporarily and implement multi-factor authentication. Akira ransomware has extorted approximately $42 million since its emergence in March 2023, impacting over 250 entities. The ransomware group has been particularly active in Italy, disproportionately targeting Italian companies. |
| 2025-08-01 20:37:51 | theregister | DATA BREACH | OpenAI Ends Option to Index ChatGPT Conversations for Privacy | OpenAI has discontinued a feature that allowed ChatGPT conversations to be indexed by search engines, addressing privacy concerns. The decision came after discovering that users were sharing sensitive information through indexed chats, despite warnings. Dane Stuckey, CISO of OpenAI, labeled the feature as a harmful experiment and affirmed the removal of the search-indexing option. Efforts are underway to remove already indexed contents from search engines, with changes to be fully implemented by tomorrow morning. This feature rollback mirrors a similar privacy issue encountered by Venmo, highlighting ongoing privacy challenges in tech innovations. The exposure was not by default; users had to actively opt-in to make their chats discoverable via a shareable link. Search engines like Bing and DuckDuckGo still show thousands of results, indicating a partial success in the ongoing purge of indexed chats. OpenAI continues to face privacy-related challenges, including legal demands to retain customer data, posing conflicts with user privacy commitments. |