Daily Brief


Total articles found: 11807


2025-07-17 17:00:10 bleepingcomputer CYBERCRIME BigONE Crypto Exchange Hacked, $27 Million in Digital Assets Stolen
Cryptocurrency exchange BigONE was hacked, resulting in the theft of $27 million in various digital assets. The attack targeted BigONE's hot wallet, but private keys and user data were not compromised. BigONE has confirmed full reimbursement for all affected users from its available reserves. The company has identified and contained the attack method with the help of security firm SlowMist, which is now tracking the movement of the stolen funds across blockchains. No details have been disclosed about the specifics of how the hackers executed the theft, though it is attributed to a supply-chain attack. Following the cyberattack, BigONE quickly restored deposit and trading services and plans to re-enable withdrawal and OTC functions soon. Hackers involved have begun laundering the stolen assets, converting them into various cryptocurrencies including Bitcoin and Ether. BigONE's involvement in processing large amounts of funds from scams highlights broader concerns about security in the cryptocurrency industry.
2025-07-17 16:05:22 bleepingcomputer NATION STATE ACTIVITY Chinese Hackers Infiltrate U.S. National Guard, Steal Sensitive Data
Chinese state-sponsored hacking group Salt Typhoon breached a U.S. Army National Guard network and remained undetected for nine months in 2024. The hackers exfiltrated network diagrams, configuration files, administrator credentials, and personal information of service members. The stolen data includes network configurations linking every U.S. state and several territories, greatly increasing the risk of further breaches in government networks. Salt Typhoon is believed to be affiliated with China's Ministry of State Security and has previously targeted U.S. telecommunications and government entities. The Department of Homeland Security memo indicates the breach could facilitate future attacks on U.S. critical infrastructure by using the stolen data to compromise additional networks. The National Guard Bureau acknowledged the breach without disclosing specifics; operations were reportedly not disrupted. The DHS has urged cybersecurity teams in the National Guard and other government sectors to patch known vulnerabilities and enhance network security measures. The Chinese embassy responded to allegations by suggesting the U.S. has not provided substantial evidence of Salt Typhoon's links to the Chinese government.
2025-07-17 15:53:39 bleepingcomputer MALWARE Critical Cisco ISE Vulnerability Urges Immediate Patching
A severe vulnerability in Cisco's Identity Services Engine (ISE), identified as CVE-2025-20337, allows unauthenticated attackers to execute commands and potentially gain root access. The security flaw, rated 10/10 in severity, arose due to insufficient validation of user-supplied input in certain API requests. The vulnerability was discovered by Kentaro Kawane and reported through Trend Micro's Zero Day Initiative. This vulnerability impacts Cisco ISE and ISE-PIC versions 3.3 and 3.4, but not earlier versions like 3.2. Cisco has released patches specifically for ISE versions 3.3 and 3.4 to address this critical issue and two other related vulnerabilities. No practical workarounds are available; system administrators are urged to apply the necessary patches immediately to mitigate risks. Although no exploits of this vulnerability have been detected in the wild, the potential for severe system compromise makes immediate action essential. Additional Cisco bulletins released address various security issues, but CVE-2025-20337 requires particular attention due to its critical nature and high potential impact.
2025-07-17 14:15:38 thehackernews MALWARE Hackers Use Apache Server Flaw to Spread Cryptocurrency Miner
Cybersecurity experts uncovered a new malicious campaign exploiting a vulnerability (CVE-2021-41773) in Apache HTTP Server to distribute a cryptocurrency miner named Linuxsys. The Linuxsys miner deployment utilizes compromised legitimate websites to remain undetected and leverages valid SSL certificates to evade security measures. Attackers host the malware on third-party sites, not directly on their command-and-control server, adding a layer of obfuscation. Additional payloads discovered include Windows executables, indicating that attackers are targeting multiple operating systems. The campaign uses a combination of compromised infrastructure and clever evasion techniques, enabling the long-term, stealthy operation of the cryptocurrency mining malware. Previous related attacks exploited critical vulnerabilities in other software, including OSGeo GeoServer GeoTools, pointing to a consistent pattern by the attackers. The threat actors carefully target victims, avoiding detection by security systems, which often overlook interactions from legitimate, compromised hosts.
2025-07-17 11:38:26 thehackernews DDOS Europol Cracks Down on Pro-Russian DDoS Hacktivist Network
Europol has disrupted the central server infrastructure of a pro-Russian hacktivist group known as NoName057(16), significantly hindering their capabilities. The operation, dubbed "Operation Eastwood," involved coordinated efforts across multiple countries, including France, Germany, and Spain, and resulted in two arrests. NoName057(16) has been active since March 2022, engaging in DDoS attacks against Ukraine and its allies following Russia's invasion. Participants were mobilized via Telegram and incentivized with cryptocurrency to carry out attacks using a bespoke program, DDoSia. The crackdown included issuing arrest warrants for six Russians and outreach to over 1,000 individuals involved, warning them of criminal liabilities. The group also developed a botnet consisting of several hundred servers to amplify their attack capabilities, utilizing gamified tactics to recruit and motivate participants. Recent activities have targeted a variety of entities in Sweden and Germany, involving multiple waves of cyber attacks on critical infrastructure and public institutions. The broader trend sees Russian hacktivist groups like Z-Pentest and Dark Engine focusing increasingly on strategic targets beyond typical ideological cyber vandalism.
2025-07-17 11:31:02 theregister MISCELLANEOUS Expert Criticizes Quantum Computer Claims as Unfounded
Peter Gutmann, a computer science professor, dismisses the practicality of quantum cryptanalysis, calling it "nonsense" in a detailed presentation. The US National Institute for Standards and Technology (NIST) has been promoting the development of post-quantum cryptographic (PQC) algorithms since 2016 due to potential quantum computing threats. Gutmann argues that quantum computers, as they currently exist, are more like physics experiments and have not demonstrated the ability to effectively crack complex cryptographic algorithms. His skepticism extends to the hype around quantum computing's promise, comparing unfounded claims to other undelivered technological promises like fusion power. Gutmann challenges the efficacy of recent quantum achievements, noting that effective public key cracking would require quantum processors much larger than those currently available. He views the current shift towards PQC as premature and a diversion from addressing real issues in encryption and cybersecurity. The piece reflects an ongoing debate in the scientific community about the timeline and impact of quantum computing on encryption and security.
2025-07-17 11:07:57 thehackernews MISCELLANEOUS Enhancing Cybersecurity with CTEM, VM, and ASM in 2025
The cybersecurity landscape in 2025 demands proactive, adaptive, and actionable security measures. Continuous Threat Exposure Management (CTEM), Vulnerability Management (VM), and Attack Surface Management (ASM) are crucial, overlapping strategies. CTEM offers a systematic approach to constantly monitor, assess, and respond to security exposures across an organization. VM focuses on identifying, analyzing, and managing vulnerabilities within known assets proactively to prevent potential cyberattacks. ASM provides a broader approach by identifying both known and unknown assets, offering insights into critical attacker entry points. Effective CTEM programs incorporate VM and ASM tools along with advanced offensive security techniques like penetration testing. BreachLock offers a unified platform that integrates CTEM, VM, and ASM, simplifying comprehensive security management with a single source of truth. BreachLock's integrated approach helps elevate defense strategies by unifying security testing and validating attack paths.
2025-07-17 07:59:42 thehackernews NATION STATE ACTIVITY Chinese State-Linked Hackers Target Taiwan's Semiconductor Industry
Three Chinese state-sponsored groups, UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp, engaged in spear-phishing campaigns against Taiwan's semiconductor sector between March and June 2025. UNK_FistBump used phishing emails targeting HR departments with fake resumes to deploy Cobalt Strike and custom malware known as Voldemort, previously linked to Chinese cyber-espionage group APT41. UNK_DropPitch focused on investment analysts within the semiconductor industry, using malicious DLL payloads via email to execute backdoor activities and gather intelligence. UNK_SparkyCarp attempted to capture credentials from a Taiwanese semiconductor company using phishing emails disguised as security alerts, employing a sophisticated adversary-in-the-middle (AitM) kit. The activity reflects China's strategic interest in achieving semiconductor self-sufficiency and reducing reliance on international technologies amid heightened US-Taiwan export controls. Proofpoint also reported evidence of shared infrastructure and tactics among these groups, suggesting a coordinated effort potentially directed by a centralized authority within China. The incidents are consistent with the targeting patterns and technical capabilities historically associated with Chinese cyber espionage aimed at gaining a competitive edge in critical technologies.
2025-07-17 06:32:06 theregister MISCELLANEOUS Microsoft Extends Security Updates for Exchange and Skype Servers
Microsoft announced a 6-month extension of security updates for Exchange Server 2016 and 2019, and Skype for Business 2015 and 2019, beyond their official support ending in October 2025. The extension allows users additional time to migrate from these older systems, acknowledging difficulties experienced by a significant customer base. Extended Security Updates (ESU) will only cover Critical-or-Important-rated security updates that may be issued after the support end date. Microsoft will not guarantee the release of updates during the extension and will not provide updates through regular channels like Windows Update. Access to these extended updates will require registration and purchase, details of which can only be obtained through direct communication with Microsoft’s account teams. Microsoft emphasized that this extension is a one-time offer and will definitely conclude on April 14, 2026, with no further extensions to be granted.
2025-07-17 05:41:23 thehackernews MALWARE Critical Security Flaw in Cisco ISE Allows Root Code Execution
Cisco has revealed a critical vulnerability in Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC), allowing unauthenticated attackers to execute arbitrary code. The flaw, tracked as CVE-2025-20337, has a maximum CVSS score of 10.0, indicating a severe risk. Similar to the previously patched CVE-2025-20281, this vulnerability involves insufficient validation of user-supplied input through a specific API. Attackers can exploit the flaw by sending a crafted API request to obtain root privileges without needing valid credentials. The issue affects ISE and ISE-PIC releases 3.3 and 3.4 and has been patched in subsequent versions. Releases prior to 3.2 are not impacted. No current evidence suggests this vulnerability has been exploited in malicious activities. The report follows another concerning series of attacks involving CVE-2025-25257, targeting Fortinet FortiWeb appliances for unauthorized access.
2025-07-16 22:32:39 bleepingcomputer DATA BREACH Co-op Cyberattack Exposes Personal Data of 6.5 Million Members
UK retailer Co-op confirmed a significant data breach affecting 6.5 million members, involving theft of personal data during a cyberattack in April. The breach included member contact information but did not expose financial or transactional details. CEO Shirine Khoury-Haq publicly apologized, describing the breach as a personal attack on the community of members and employees. The attack forced the shutdown of vital IT systems and led to the deployment of DragonForce ransomware, causing disruptions including food shortages. The breach began with a social engineering attack that enabled the attackers to reset an employee's password and access the network. Exposed data included a critical Windows Active Directory Services database, enhancing the threat actors' ability to spread within the network. The cyberattack was linked to the known cybercriminal group Scattered Spider, also tied to similar attacks on other major companies. Following the cyber incidents, the UK's National Crime Agency arrested four individuals suspected of involvement in the attacks.
2025-07-16 21:00:40 bleepingcomputer CYBERCRIME Former U.S. Soldier Guilty of Hacking Major Telecom Companies
Former U.S. Army soldier Cameron John Wagenius pleaded guilty to hacking and extorting telecommunications and technology companies, including AT&T and Verizon. Wagenius, operating under aliases such as 'kiberphant0m', engaged in cybercrimes from April 2023 to December 2024. The charges include wire fraud conspiracy, aggravated identity theft, and extortion related to computer fraud, carrying a maximum potential sentence of 27 years. He and his co-conspirators used methods like SSH Brute for unauthorized access and discussed tactics in Telegram group chats. Their criminal activities involved SIM-swapping and selling stolen data on cybercrime forums, with ransom demands reaching up to $1 million. Wagenius's cybercrimes were conducted while he was on active duty, complicating the case and indicating security lapses in the monitoring of military personnel. Sentencing is scheduled for October 6 and will cover both this case and another involving the unlawful transfer of phone records.
2025-07-16 19:57:26 theregister CYBERCRIME Ukrainian Hackers Cripple Russian Drone Manufacturer's Network
Ukrainian hacking groups, including BO Team and the Ukrainian Cyber Alliance, launched a cyberattack against Gaskar Integration, a key Russian drone manufacturer. The hackers claimed to have destroyed 47TB of technical data and 10TB of backup files essential for drone production at Gaskar. The attack reportedly disabled the entire IT infrastructure of Gaskar, affecting operations to the extent that building access systems malfunctioned, requiring manual override via fire alarms. The attackers also alleged collaboration between Gaskar and China in drone production and training, hinting at international implications. Confidential employee data from Gaskar was also leaked online by the hackers as part of their claims. The extent of the data breach and damage to Gaskar's production capabilities could potentially delay Russian drone deliveries to conflict zones. Neither Gaskar nor the Ukrainian Ministry of Defence provided comment on the incident in response to media inquiries.
2025-07-16 19:34:46 bleepingcomputer DATA BREACH Louis Vuitton Confirms Multiregional Data Breach Linked to ShinyHunters
Louis Vuitton confirmed that the data breaches in the UK, South Korea, and Turkey were caused by the same cyberattack, likely orchestrated by the ShinyHunters group. The company has been actively notifying affected customers and has involved relevant authorities, including the Information Commissioner's Office. Personal data, but not payment information, was compromised in the breach, which originated from unauthorized system access on July 2, 2025. Immediate actions to contain the breach included blocking the unauthorized access and deploying additional technical security measures. The breaches at Louis Vuitton are part of a pattern of similar incidents at other high-profile companies, indicating a targeted approach by ShinyHunters. ShinyHunters is known for multiple significant data thefts and remains partly active despite recent arrests related to the group. Louis Vuitton is continuing its investigation with cybersecurity experts to prevent future incidents and assess the extent of the breach.
2025-07-16 18:22:48 theregister DDOS Global Crackdown on DDoS Network Supporting Russian Interests
International law enforcement, led by Europol, executed Operation Eastwood to dismantle over 100 servers tied to the pro-Russian NoName057(16) network. The operation, which involved 19 countries, led to the arrest of two Russian nationals in France and Spain, and seven additional arrest warrants were issued. NoName057(16), a group of Russian-speaking sympathizers, launched attacks targeting websites of governments and institutions supporting Ukraine. Europol estimates that the network includes over 4,000 supporters who utilize a botnet built from several hundred servers to amplify their DDoS attacks. Recent attacks by this group include disruptions to Swedish banks, German companies, and government websites in Switzerland and the UK. Thirteen individuals were questioned regarding their involvement with NoName057(16), with two main instigators identified but not publicly named. The crackdown was supported by cybersecurity forces from multiple countries and assisted by nonprofits like ShadowServer and abuse.ch for technical operations.