Daily Brief

Articles are listed below with generated summaries.

Total articles found: 11811

Checks for new stories every ~15 minutes

2025-06-30 10:19:46 thehackernews CYBERCRIME FBI Alerts on Scattered Spider Attacks in Airline Sector
The FBI has issued warnings about Scattered Spider, a cybercrime group targeting the airline industry. Social engineering tactics are used by the group to gain initial access to systems. Cybersecurity firms Palo Alto Networks and Google Mandiant corroborate the threat and urge heightened security measures. Recommendations include strong authentication, strict identity controls, and segmented user identities. Enhanced security protocols are advised for password resets and multi-factor authentication setups. The aim is to fortify organizational defenses against the specific strategies employed by Scattered Spider. These alerts emphasize the ongoing risks within crucial infrastructure sectors like aviation and the need for constant vigilance and upgraded security practices.
2025-06-30 08:43:40 theregister MISCELLANEOUS The Fallacy of Incognito Mode and Emerging Privacy Tools
Incognito mode in browsers like Chrome does not provide the complete privacy many users expect; it fails to obscure user IP addresses and browser fingerprints. Fingerprinting tracks users by collecting data such as browser settings, system configurations, and even installed fonts, which browsers willingly provide to sites. Despite growing awareness of IP tracking and the popularization of VPNs and Tor for better privacy, these tools remain underutilized or misunderstood by the general public. New solutions like Psylo offer better privacy controls through a blend of browser and VPN functionalities, but at a monthly cost. More robust privacy solutions involve using virtualization technology or containerization to create isolated browsing environments that prevent data leakage. Kasm, an open-source platform, allows users to operate browsers within a clean, isolated Docker container, offering a high level of privacy and security. These technologies highlight a significant potential for integrating stronger privacy features directly into browsers, reshaping user expectations and possibly impacting the business models built on data surveillance.
2025-06-30 03:32:09 theregister NATION STATE ACTIVITY Canada Bans Hikvision Citing National Security Concerns
Canada's government has ordered Chinese CCTV vendor Hikvision to cease operations, citing national security threats. The Minister of Industry, Mélanie Joly, highlighted that the company's activities could harm Canadian national security. All existing Hikvision equipment in government use is to be discontinued, and further purchases are banned. Hikvision has criticized the move, attributing the decision to geopolitical tensions rather than the actual cybersecurity merits of their technology. In other news, Starbucks China faced criticism for improper ad placement and privacy policy handling in its app, which has since been corrected. India has approved a new $50 million electronics manufacturing hub expected to attract substantial private investment. Japanese telecom SoftBank announced plans to deploy broadband services via blimps to enhance rural and emergency connectivity. New Zealand's Xero acquires Israeli payment service Melio for $2.5 billion, aiming to streamline the accounts payable process for businesses.
2025-06-30 00:39:58 theregister MALWARE Nearly Half of Companies Pay Ransomware Demands in 2025
Despite advice against paying ransomware, 49% of affected organizations paid ransoms in 2025. Payment sums have decreased by one-third since 2024, with median payments dropping by 50%. Companies are becoming more adept at minimizing ransomware impacts, negotiating payments below initial demands. Common vulnerabilities were exploited in 32% of ransomware cases, while 40% were due to unknown security gaps. Use of data backups for recovery has declined, hitting a six-year low with only 54% opting for this approach. Sophos reports an acceptance of ransomware risk, and enhanced defenses to limit damage are advised. Critical firmware vulnerabilities like the AMI MegaRAC and exploits in Microsoft 365's Direct Send feature underline ongoing security challenges.
2025-06-29 16:03:43 bleepingcomputer CYBERCRIME Bluetooth Chipset Vulnerabilities Expose Audio Devices to Eavesdropping
Researchers at ERNW discovered three vulnerabilities in Airoha Bluetooth chipsets used in various audio devices, affecting brands like Beyerdynamic, Bose, and Sony. These flaws potentially allow attackers within Bluetooth range to eavesdrop or steal sensitive information from 29 different audio products including earbuds, speakers, and headphones. The vulnerabilities require high technical skills for exploitation and physical proximity to the targeted device. Attack scenarios could enable hackers to hijack Bluetooth connections, issue phone commands, or even initiate calls without the user's knowledge. The researchers also demonstrated a proof of concept that retrieves currently playing media information, and they discuss the potential for remote code execution and deployment of a wormable exploit. Despite the potential severity, practical attacks are complex and likely confined to high-value targets due to the requirement for proximity and technical expertise. Airoha has issued an updated SDK to address these vulnerabilities, but many device manufacturers have yet to release patches incorporating these mitigations.
2025-06-29 14:14:43 bleepingcomputer MISCELLANEOUS Cloudflare Enhances Orange Meets with Open Source E2EE
Cloudflare has introduced end-to-end encryption (E2EE) and open-sourced its video calling app, Orange Meets, focusing on transparency and security. Orange Meets uses Messaging Layer Security (MLS), an IETF-standardized protocol, to ensure continuous group key agreement and secure communication. The encryption process is completely handled client-side using WebRTC, preventing intermediaries like Cloudflare from accessing sensitive communication data. A unique "Designated Committer Algorithm" facilitates secure dynamic group membership changes during video calls. To safeguard against "Monster-in-the-Middle" attacks, each video session displays a safety number to verify the cryptographic state externally. Cloudflare has mathematically verified the Designated Committer Algorithm using TLA+, enhancing the reliability of the protocol. Although feature-rich, Orange Meets is positioned more as an open-source prototype for developers and privacy enthusiasts rather than as a mainstream consumer product. The platform does not require installation for testing, promoting accessibility through a live demo and available source code on GitHub.
2025-06-28 14:10:51 theregister NATION STATE ACTIVITY Ex-NATO Hacker Discusses Cyber Threats Amid Geopolitical Tensions
Candan Bolukbas, former NATO hacker, stresses that cyber conflicts endure despite geopolitical ceasefires. Bolukbas, founder of cyber-risk firm Black Kite, highlights the ubiquity of cyber threats, especially targeting supply chains as a weak point. He predicts Iran may target the supply chains of Israel and U.S. Department of Defense suppliers, a method previously employed by Russia. His experiences in Ukraine's power grid attack illustrate the effectiveness of targeting less secure, third-party suppliers to breach critical systems. Cyberattacks from Iran are likely to focus on lower-security targets, given the high defenses of prime U.S. and Israeli systems, unless supported by major powers like Russia or China. Bolukbas advises vigilance against phishing, misinformation from state actors like Iran, Russia, and China, and stresses the importance of promptly patching systems. He emphasizes ongoing U.S. cyber operations, including espionage and cyber infrastructure poking, which occur regularly despite no formal wartime engagements.
2025-06-28 14:10:50 bleepingcomputer MISCELLANEOUS Let's Encrypt to Cease Email Notifications for Certificate Renewals
Let's Encrypt will stop sending emails about certificate expirations starting June 4, 2025, to reduce costs, enhance privacy, and simplify operations. As a major Certificate Authority, Let's Encrypt issues millions of certificates and advocates for automated renewal processes through the ACME protocol. The shift away from email alerts is largely due to the adoption of automated technologies which diminish the need for manual email notifications. Recent standards changes leading to shorter certificate lifespans make manual management less practical and promote the use of automated systems. The operation costs of maintaining the email notification service are significant, prompting a reallocation of funds to more critical infrastructure needs. Handling a large database of email addresses for notifications adds unnecessary complexity and potential privacy issues to Let's Encrypt's operations. Users are advised to adopt ACME-compatible tools for automated certificate management and consider external services for renewal alerts if needed.
2025-06-28 09:49:17 thehackernews CYBERCRIME FBI Alerts on Scattered Spider's Social Engineering Attacks on Airlines
The FBI has documented expanding cyber assaults by Scattered Spider, specifically targeting the airline industry via sophisticated social engineering tactics. These attacks often involve impersonating employees to manipulate IT help desks into granting unauthorized access and adding devices to multi-factor authentication (MFA) systems. Palo Alto Networks and Mandiant have noticed similar patterns, emphasizing the necessity for the aviation sector to enhance help desk verification processes to prevent security breaches. Scattered Spider exploits human factors by building false trust with help desk personnel, leading to significant data theft, extortion, and ransomware incidents. The group uses a combination of social media research and public breach data for precise impersonation, elevating their threat across both on-prem and cloud environments. Recently, Scattered Spider focused on high-value targets, such as CFOs, to gain access to critical systems by circumventing strong technical defenses through social engineering. Recommendations for the industry include tightening internal processes around identity verification and training personnel with real-world attack simulations to counter such threats effectively. This evolving threat landscape requires continuous reassessment of ID verification protocols to mitigate risks associated with human error in securing sensitive information.
2025-06-28 08:04:35 thehackernews MALWARE GIFTEDCROOK Malware Update Boosts Intelligence-Gathering Capabilities
GIFTEDCROOK malware, initially a basic browser data stealer, has evolved into a sophisticated intelligence-gathering tool targeting Ukrainian military and government entities. Recent versions of the malware can exfiltrate sensitive documents and browsing data, indicating a shift from simple credential theft to comprehensive espionage. The malware is deployed via phishing emails with macro-laced Excel documents, exploiting common workplace file expectations to bypass security measures. Enhanced features include document theft, specifically targeting files created or modified within the last 45 days and smaller than 7 MB, across a variety of file types. Stolen data is packaged into ZIP archives and discreetly exfiltrated to an attacker-controlled Telegram channel, avoiding large-file detection methods to slip past network defenses. A final cleanup stage involves a batch script that erases evidence of the malware from the infected systems, covering the tracks of the cyber espionage activity. The timing and focus of the GIFTEDCROOK campaigns align with significant geopolitical events, suggesting that malware development is being driven by strategic objectives related to Ukraine-Russia relations.
2025-06-28 07:22:20 thehackernews DATA BREACH Facebook’s New AI Tool Poses Privacy Concerns with Photo Uploads
Facebook introduces a new AI feature requesting users to upload photos for personalized content suggestions, raising privacy issues. The feature prompts users to allow cloud processing of images from their camera roll for creating personalized Facebook Stories. Meta assures that the uploaded media will be used solely for suggestion purposes and not for ad targeting, and will be checked for safety and integrity. This AI processing is currently limited to users in the United States and Canada and is opt-in, allowing users to disable it at any time. Meta has faced similar privacy concerns globally, recently suspending AI tools in Brazil and adjusting public data usage for AI training in the EU following regulatory scrutiny. The concern extends beyond Facebook, with other tech giants like Apple and Google being urged by German authorities to halt app distributions due to unlawful data transfers to China. These tech developments come amid broader discussions on AI's impact on privacy and data protection standards globally, highlighting the tension between technological advancement and user rights protection.
2025-06-27 23:05:07 theregister CYBERCRIME Criminals Exploiting US Healthcare System for Financial Fraud
Criminals are impersonating insurance companies via emails and texts to steal sensitive health and payment information. The FBI has issued a security alert warning both patients and healthcare providers about these fraudulent schemes. These attacks trick victims into revealing protected health data and financial details under the guise of addressing insurance claims or payment discrepancies. The Health Information Sharing and Analysis Center (Health-ISAC) reports a rise in similar phishing and social-engineering scams targeting the healthcare sector, exploiting its complex billing system. Criminals leverage previously stolen data to enhance the credibility of their fraudulent communications, employing common confidence tricks to mislead healthcare employees. These cybercriminal groups, possibly including state-sponsored actors, are highly organized and financially motivated, focusing on direct financial theft via fraudulent transactions. The FBI advises verifying all unsolicited messages and direct communications for authentication instead of replying or using the provided contact information. Enhanced deception tactics now include the use of AI by cybercriminals to refine scams, making them harder to detect.
2025-06-27 18:27:59 bleepingcomputer NATION STATE ACTIVITY Scattered Spider Hackers Expand Attacks to Aviation and Transport
Scattered Spider, a group known for social engineering and MFA attacks, has now targeted aviation and transportation sectors. Initially focusing on retail, the threat actors have been linked to attacks on major companies like M&S and Co-op, later moving to insurance businesses like Aflac and Erie Insurance. Recent breaches include cyberattacks on Canada's WestJet and Hawaiian Airlines, disrupting services and raising security concerns. The group gains access through sophisticated tactics like self-service password resets, registering their own MFA, and targeting help desk systems. Experts from Palo Alto Networks and Mandiant have warned that organizations in these sectors should be on high alert and enhance their identity verification processes. Scattered Spider collaborates with Russian-speaking ransomware gangs and has attacked other notable companies such as Twilio and Coinbase. Recommendations have been made to secure password reset platforms and help desks, which are frequent targets of these threat actors.
2025-06-27 17:32:30 theregister MISCELLANEOUS Cisco Innovates AI-Ready Datacenters with Integrated Security
Cisco is emphasizing the integration of security with network infrastructure, crucial for supporting "agentic AI" applications, using technology like their new Catalyst switches. The move necessitates significant changes in datacenters, potentially requiring complete overhauls of network arrangements to accommodate AI operations. During Cisco's Innovation Tech Talk, President Jeetendra Patel discussed the transition from basic AI to advanced AI agents capable of autonomous tasks, highlighting the evolution and subsequent infrastructure demands. Cisco's introduction of smart switches with dedicated data processing units supports real-time traffic analysis and embedded network security. The holistic approach combines networking and security into a cohesive operational fabric, a distinctive capability that Cisco believes sets it apart in the market. Potential disruptions in merging network operations (NetOps) and security operations (SecOps) are acknowledged, with implications for widespread changes in corporate IT infrastructure management. Cisco positions itself as a leader in providing the necessary tools for future-proof datacenters in the era of advanced, autonomous AI functions, though enterprise adoption remains cautious.
2025-06-27 17:04:05 theregister CYBERCRIME Hawaiian Airlines Reports IT System Cybersecurity Incident
Hawaiian Airlines experienced a cybersecurity incident affecting IT systems but maintained normal flight operations. The incident was first noticed on June 23, with formal disclosure following on June 27 through an SEC filing. Immediate measures were taken to secure operations and systems, with assistance from authorities and cybersecurity experts. As of the latest updates, there has been no impact on passenger safety or travel schedules. The extent of data potentially accessed, including customer or employee information, remains unclear, and it is unknown if ransomware was involved. The airline is continuously working with experts and federal authorities to navigate and mitigate the cybersecurity event. The FAA has confirmed ongoing safe operations and is closely monitoring the situation in cooperation with Hawaiian Airlines. This incident follows a similar cybersecurity disruption faced by Canadian airline WestJet earlier.