Daily Brief

2025-07-09 15:05:13 theregister MISCELLANEOUS Persuasive Strategies for Cybersecurity Investment Approval
Cybersecurity teams face increasing pressure to meet high expectations with limited budgets as indicated by a recent SANS survey where 47% cited budget concerns. Effective communication with boards requires aligning cybersecurity initiatives with business metrics such as risk, revenue, reputation, and regulatory compliance. Security investments must be framed as essential for long-term business resilience and value, not just immediate protection. Utilize data, risk assessments, and metrics to make a compelling, evidence-based case for security investments. Illustrating investment benefits through real-world case studies can enhance the persuasive power of your proposal. Detailing the plan for implementing and maximizing the value of security tools reassures board members about potential returns on investments. Reframing security spending as a crucial business enabler is key to securing executive buy-in and funding.
2025-07-09 14:11:47 bleepingcomputer CYBERCRIME The Critical Flaws of MFA Systems and Modern Cybersecurity Risks
Multi-factor authentication (MFA) methods like SMS and authenticator apps remain fundamentally flawed, giving cybercriminals easy access to personal and corporate accounts. High-profile breaches at companies like Aflac and Erie Insurance highlighted these vulnerabilities, with attackers employing tactics such as MFA bypass requests or sophisticated phishing attacks. Phishing emails and spoofed websites deceive users into entering credentials, exploiting the fact that traditional authenticator apps do not verify the requester or the origin of authentication requests. Recent advisories from entities like the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urge against using SMS as a second authentication factor because of its vulnerability to interception and breaches. Emerging solutions like biometric hardware authenticators, such as Token Ring and Token BioStick, offer enhanced security by requiring physical presence and cryptographically verifying the domain requesting access. These biometric devices are designed to be tamper-proof and phishing-resistant, addressing the core security gaps of previous MFA tools by removing reliance on possibly compromised devices or intercepted codes. The urgent need for stronger authentication methods is underscored by the continuous evolution and sophistication of cyberattacks targeting conventional MFA systems.
2025-07-09 13:34:48 thehackernews NATION STATE ACTIVITY DoNot APT Escalates Cyber Espionage on European Ministries
The suspected India-linked APT group DoNot Team targeted a European foreign affairs ministry using LoptikMod malware to harvest sensitive data. Identified by Trellix Advanced Research Center, DoNot Team has been active since 2016 and is also known by names such as APT-C-35 and Origami Elephant. The phishing campaign was initiated via emails impersonating defense officials and containing Google Drive links that led to the download of a malicious RAR archive. The malware, disguised as a PDF, installs the LoptikMod remote access trojan, enabling data exfiltration and long-term access by establishing persistence through scheduled tasks. LoptikMod uses evasion techniques including anti-VM measures and ASCII obfuscation, complicating analysis and detection efforts. Currently, the command-and-control server used by the attackers is inactive, hindering further investigation into ongoing operations and the specifics of its data communication. This operation marks a strategic expansion of DoNot APT’s interests towards European targets, extending beyond its usual focus on South Asian governmental and defense organizations.
2025-07-09 13:06:37 bleepingcomputer MALWARE ServiceNow Flaw Allows Unauthorized Data Enumeration
A vulnerability in ServiceNow, identified as CVE-2025-3648, enables low-privileged users to access sensitive data inappropriately. Discovered by Varonis Threat Labs in February 2025, the flaw stems from misconfigured Access Control Lists (ACLs): when only one ACL condition was met, users could still access protected resources, contrary to the intended restrictions. ServiceNow has updated its ACL frameworks in its Xanadu and Yokohama releases to mitigate this issue. Organizations are advised to manually review ACL configurations to ensure data security, because even after the fixes, manipulation of URL-based filters can still enumerate data character by character. The vulnerability could affect multiple industries using ServiceNow, including healthcare, finance, and the public sector. There is no current evidence that the flaw has been exploited in real-world attacks, but monitoring and updates are recommended.
2025-07-09 11:28:36 theregister DATA BREACH Qantas Customer Data Exposed After Third-Party Platform Breach
Qantas disclosed a data breach affecting the personal information of approximately 5.7 million customers following a cyber attack on a third-party platform used by the airline's contact center. Personal data accessed includes names, email addresses, frequent flyer numbers, customer tiers, status credits, and points balances. For around 1 million of those customers, more sensitive information such as phone numbers and physical addresses was also compromised. Qantas has corrected initial reports, clarifying that the total number of affected customers is 5.7 million, not 6 million, because of duplicate records. The airline has implemented additional security measures for its IT systems and Qantas Frequent Flyer accounts to protect against unauthorized access. Affected customers, notably those over the age of 15, will be notified directly about the specifics of the data accessed and are advised to be vigilant against potential scams and phishing attempts. Qantas is actively monitoring for any signs of the leaked data appearing on the dark web, although none has been observed thus far. The breach follows similar recent incidents at other airlines, raising concern about targeted cyber activity against the aviation sector.
2025-07-09 11:28:36 thehackernews NATION STATE ACTIVITY U.S. Sanctions North Korean Hacker in IT Worker Fraud Scheme
The U.S. Treasury sanctioned Song Kum Hyok of North Korea’s Andariel group for his role in a fraudulent remote IT worker scheme. Song allegedly used U.S. identities to create aliases for foreign IT workers to appear as American job seekers. The scheme, also termed Nickel Tapestry and Wagemole, involves North Koreans impersonating U.S. nationals to siphon salaries back to North Korea. Recent U.S. Department of Justice actions include arrests and seizures linked to this North Korean IT worker fraud. Additional sanctions were imposed on a Russian national and four entities participating in similar Russia-based operations involving North Koreans. The operations fund North Korea's weapons of mass destruction and missile programs through complex cryptocurrency transactions, contributing heavily to the country's illicit revenue. International efforts and awareness are increasing, with better collaboration and intelligence sharing highlighted as key to countering these activities. Concurrently, North Korea-aligned hackers continue targeting South Korea with spear-phishing and malware attacks.
2025-07-09 11:04:27 thehackernews MISCELLANEOUS Enhancing Security Management with Automated Workflow Solutions
The Tines platform hosts a library of over 1,000 pre-built security workflows, freely available to security practitioners. Lucas Cantor developed a workflow that uses CrowdStrike, Oomnitza, GitHub, and PagerDuty to manage malware alerts efficiently. The workflow aims to simplify security alert severity assessment and escalation based on the device owner's feedback. The integration of automated ticket creation, device identification, and threat triage helps security teams respond quickly and accurately to malware threats. By automating these processes, the workflow minimizes delays and reduces human error in managing security incidents. The workflow is part of Tines Community Edition and can be imported and set up by following the step-by-step instructions provided. Users need to configure and test the workflow within the Tines platform before it can be fully operationalized.
2025-07-09 09:26:00 theregister RANSOMWARE Ingram Micro Resumes Orders Post-Ransomware Attack Amid Challenges
Ingram Micro has partially restored its ordering processes globally after a significant ransomware attack caused a shutdown. The company believes it has contained the unauthorized access and has remediated the affected systems, implementing additional network safeguards. Although regional ordering capabilities are being reinstated daily, hardware and other technology orders continue to face restrictions. The attack, claimed by SafePay group via a ransom note, threatened data exposure unless ransom demands were met within seven days. Ingram Micro's customer communication has been criticized as insufficient, with customers experiencing long support wait times and automated responses. The financial impact is notable, with potential revenue losses each day of downtime and risks of orders moving to competitors. The security firm Huntress estimates the average cost of recovery from a ransomware attack at around $4.5 million.
2025-07-09 08:45:35 thehackernews NATION STATE ACTIVITY Chinese National Arrested for Cyberattacks, Tied to State-Sponsored Group
Xu Zewei, a 33-year-old Chinese national, was arrested in Milan, Italy, for his connections to the state-backed hacking group Silk Typhoon and for conducting cyberattacks on U.S. entities. He faces charges including wire fraud, conspiracy, unauthorized access to protected computers, and aggravated identity theft, related to cyber intrusions from February 2020 to June 2021. Xu is implicated in exploiting vulnerabilities in Microsoft Exchange Server during the COVID-19 pandemic to target over 60,000 U.S. organizations, successfully compromising sensitive data from more than 12,700 of them. These cyberattacks were reportedly directed by the Shanghai bureau of China’s Ministry of State Security and executed notably through the Hafnium campaign, through which sensitive information was stolen globally. Xu, who reportedly worked for Shanghai Powerock Network Co. Ltd during the attack period, is resisting extradition, claiming mistaken identity because of a common surname and a mobile phone stolen in 2020. The Justice Department emphasized China's systemic use of private firms to obscure government involvement in global espionage efforts. Despite the arrest, experts such as John Hultquist of Google Threat Intelligence Group suggest that the capture is unlikely to deter ongoing government-backed cyber espionage or significantly reduce operations.
2025-07-09 08:37:06 theregister MISCELLANEOUS London Police's Use of Facial Recognition Sparks Criticism
Privacy advocates criticize the Metropolitan Police's use of live facial recognition (LFR) technology, questioning both its effectiveness and its impact on civil liberties. Data reveals that of 715,296 arrests since 2020, only 1,035 were assisted by LFR, with 773 leading to charges, which accounts for merely 0.15 percent of total arrests. Critics argue the technology's costs and privacy implications outweigh its benefits in preventing crime. Big Brother Watch emphasizes the need for more efficient use of policing resources amid other uninvestigated serious crimes. The Met defends the technology, citing its role in significant arrests and in enhancing operational efficiency even where it does not lead to arrests. Recent deployment includes setting up permanent LFR cameras in Croydon after a two-year trial, amid ongoing concerns over surveillance expansion. The lack of specific legislation regulating police use of facial recognition in the UK adds to the controversy and to calls for oversight. The Met insists on solid safeguards with LFR, stating that the biometrics of non-matched individuals are immediately deleted and that only those matched against a watchlist are retained.
2025-07-09 07:18:13 thehackernews MISCELLANEOUS Microsoft Releases Critical Patches for 130 Security Vulnerabilities
Microsoft's latest Patch Tuesday resolves 130 vulnerabilities, including critical flaws in SPNEGO and SQL Server. This update is the first of 2025 with no actively exploited zero-day vulnerabilities being patched, ending an 11-month streak. The publicly known vulnerability disclosed this month relates to Microsoft SQL Server and could allow unauthorized access to uninitialized memory, potentially exposing sensitive data. A severe remote code execution vulnerability in Windows SPNEGO Extended Negotiation could allow attackers to execute code remotely over a network, raising concerns about potential self-propagating malware akin to WannaCry. Other significant issues addressed include vulnerabilities in the Windows KDC Proxy Service, Windows Hyper-V, and Microsoft Office, which could allow remote code execution without user interaction or privileges. Microsoft also patched multiple security feature bypasses in BitLocker which, if exploited, could permit access to encrypted data by attackers with physical access to the device. The end of support for SQL Server 2012 was also noted, with users urged to upgrade to continue receiving security patches.
2025-07-09 06:40:33 theregister NATION STATE ACTIVITY Iranian Ransomware Group Targets U.S. and Israel, Incentivizes Attacks
An Iranian ransomware group has reactivated after five years under the name “Pay2Key.I2P” and is offering cash for cyberattacks on the US and Israel. The updated malware builds on 2020's Pay2Key with features from Mimic ransomware, promising 80% payouts for attacks on "enemies of Iran." Morphisec researchers used undercover communication to gather intelligence on Pay2Key.I2P's operations and malware. The affiliation between Pay2Key.I2P, Pioneer Kitten, and Mimic ransomware signals a blend of Iranian state-sponsored cyber initiatives and organized global cybercrime. Pay2Key.I2P's operational enhancements include the use of I2P networks for anonymity and an expanded targeting strategy that now includes Linux systems. Within four months of operation, the group claimed to have collected over $4 million from 50 ransom payments. The group advertises its ransomware-as-a-service on Russian and Chinese darknet forums while also targeting American corporations following recent U.S.-Iran tensions. U.S. Homeland Security has issued an advisory alerting to the elevated threat level and urging increased network defenses against Iranian cyber threats.
2025-07-08 23:05:58 theregister MALWARE Microsoft Releases Crucial Security Fixes in Latest Patch Update
Microsoft’s first Patch Tuesday of 2025 includes 130 new fixes, with a notable absence of actively exploited vulnerabilities. A critical vulnerability, CVE-2025-47981, rated 9.8 on the CVSS scale, risks remote code execution through a buffer overflow in the SPNEGO protocol. Office applications received significant attention with 16 patches; four critical vulnerabilities could allow remote code execution without user interaction. Critical AMD processor-related fixes were also released for early EPYC and Ryzen chips; these are considered lower risk but still require updating. CVE-2025-49717 in SQL Server introduces a complex remote code execution threat through a buffer overflow, though it is deemed less likely to be exploited. Updates included 16 additional fixes for Windows Routing and Remote Access Service and five for Microsoft’s BitLocker encryption system, the latter with a higher likelihood of exploitation. Adobe paralleled Microsoft’s patch release, emphasizing updates for ColdFusion and Experience Manager Forms because of critical vulnerabilities. SAP also issued security updates, including patches for vulnerabilities rated CVSS 10 in its Supplier Relationship Management product and 9.9 in its S/4HANA and SCM systems.
2025-07-08 20:44:59 bleepingcomputer CYBERCRIME M&S Hit by Ransomware After Social Engineering Breach
M&S confirmed a network breach via a sophisticated impersonation attack, which led to a ransomware incident involving DragonForce malware. The breach occurred when attackers impersonated an M&S employee and deceived a third-party IT support provider into resetting the employee's password. The IT outsourcing company Tata Consultancy Services, which provides help desk support for M&S, is suspected to have inadvertently facilitated the breach. The ransomware attack involved double-extortion tactics, potentially including the theft of about 150GB of data and the encryption of servers, with a threat to release the data if a ransom was not paid. M&S chose not to interact directly with the ransomware operators and engaged professional negotiation services to handle the situation. Despite the attack and potential data theft, there has been no public confirmation of a ransom payment, though the matter was discussed with national authorities. The incident highlights ongoing vulnerabilities in retail security and the effectiveness of social engineering as an attack vector.
2025-07-08 20:44:59 bleepingcomputer MISCELLANEOUS Samsung Enhances Security in One UI 8 with Advanced Protection
Samsung unveiled major security upgrades for the upcoming One UI 8 on Galaxy devices, focusing on data security and privacy enhancements. The release introduces Knox Enhanced Encrypted Protection (KEEP), designed to create isolated environments within apps to store and encrypt sensitive data. Upgrades to Knox Matrix include stronger management of device security across all connected Galaxy devices and automatic user sign-out when identity forgery is detected. Quantum-resistant technologies are being implemented in Samsung’s Secure WiFi to protect against future quantum-based threats. The enhanced security features aim to safeguard user inputs and data across AI-driven tools including personalized updates, photo searches, and more. Users are advised to upgrade to the new release to benefit from these security measures and to review their data privacy settings. One UI 8 is expected to launch with the new Galaxy Z Fold 7 and Z Flip 7 models, with updates for older models to follow soon.