Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11813

Checks for new stories every ~15 minutes

2025-06-20 16:45:15 thehackernews CYBERCRIME Qilin Ransomware Intensifies Operations with Legal Pressure Tactic
The Qilin ransomware group has stepped up its pressure tactics by adding a "Call Lawyer" feature intended to push victims into paying higher ransoms. This is part of a broader trend of Qilin filling the operational void left by rival groups such as LockBit and Black Cat, as evidenced by its leading 72 victims in April 2025. The group offers extensive support options for clients and operates a sophisticated infrastructure with payloads built in Rust and C, among other advanced tools. Recent months have seen an influx of affiliates from defunct groups, which has contributed to Qilin's increased ransomware activity. Qilin positions itself as a full-service cybercrime platform, now offering DDoS attacks, spam services, and PB-scale data storage in addition to ransomware. This tactical evolution signals a strategic shift toward exploiting every facet of cybercrime to maximize impact and profitability. The group targets corporations using sophisticated phishing, leveraging disguised communications to infiltrate victim networks and secure persistent access.
2025-06-20 15:59:30 bleepingcomputer DDOS Cloudflare Thwarts Record 7.3 Tbps DDoS Attack on Hosting Provider
Cloudflare mitigated a record-breaking 7.3 Tbps DDoS attack targeting a hosting provider in May 2025. The attack delivered a staggering 37.4 TB of data in just 45 seconds. It originated from 122,145 source IP addresses across 161 countries, with significant activity from Brazil, Vietnam, Taiwan, China, Indonesia, and Ukraine. The attack was spread across multiple destination ports, peaking at 34,517 ports per second, in an effort to overwhelm firewalls and intrusion detection systems. Cloudflare's Magic Transit service mitigated the attack without human intervention by dispersing traffic across 477 data centers. Key technologies such as real-time fingerprinting and intra-data-center gossiping handled real-time intelligence sharing and automated rule compilation. Nearly all of the attack volume consisted of UDP floods, with additional vectors targeting legacy or poorly configured services. Cloudflare updated its DDoS Botnet Threat Feed with IoCs from the attack, helping over 600 organizations preemptively block the malicious IP addresses.
2025-06-20 14:54:42 bleepingcomputer DATA BREACH Aflac Reports Data Breach Amid Widespread Insurance Industry Cyberattacks
Aflac disclosed a significant data breach, identifying stolen personal and health information amid a targeted cyberattack campaign against U.S. insurance firms. No ransomware deployment was confirmed in the breach, though it remains unclear whether an attempt was blocked or whether the attack was solely for data theft. The company reacted quickly by activating its cyber incident response protocols and stopped the attack within hours. Aflac's operations remain unaffected, and it continues to serve customers and process claims and policies as usual. The breach involved sensitive data ranging from health information to Social Security numbers, affecting customers, employees, and other stakeholders. External cybersecurity experts have been engaged to investigate further and review potentially exposed files. The attack's characteristics align with those of Scattered Spider, a group known for sophisticated social engineering techniques and previous attacks on high-profile organizations.
2025-06-20 14:20:32 bleepingcomputer MISCELLANEOUS Self-Service Password Resets Enhance Security and Cost-Efficiency
Organizations are still heavily reliant on passwords as a primary defense mechanism for online services. Password-related issues such as resets and expirations account for 40% of service desk inquiries, with each reset costing around $70. Self-service password reset (SSPR) solutions let users reset their passwords independently, reducing helpdesk load and operational costs. SSPR solutions require rigorous identity verification to prevent unauthorized access, with multi-factor authentication (MFA) being critical. Implementing SSPR can save organizations an average of $65,000 by minimizing manual IT support and improving productivity. Web-based SSPR portals support remote users, allowing password resets from anywhere without compromising security. Security teams should also focus on mitigating social engineering risks through dynamic challenge-response mechanisms and risk-based authentication. Best practices for SSPR solutions include smooth integration with systems such as Active Directory and comprehensive security measures that boost adoption and protect against vulnerabilities.
2025-06-20 13:08:43 bleepingcomputer MISCELLANEOUS Microsoft Enhances Security by Removing Outdated Drivers
Microsoft plans to periodically remove outdated drivers from Windows Update to enhance security and compatibility. This initiative targets drivers that have newer versions available, aiming to optimize the driver offerings on Windows Update. The removal process involves expiring drivers' audience assignments within the Hardware Development Center, preventing them from being distributed. Legacy drivers are the initial focus, with plans to expand the categories of drivers being removed over time. Partners can republish drivers removed in this cleanup if they provide a valid business reason. This cleanup is part of a broader effort to improve Windows security; new publishing guidelines for drivers will be introduced. Related security efforts include changes to pre-production driver signing and updated security defaults across Microsoft 365 to prevent access via outdated authentication protocols. Microsoft emphasizes the routine nature of this cleanup as a proactive security measure and driver management improvement.
2025-06-20 12:04:07 thehackernews NATION STATE ACTIVITY Iran's State TV Hacked Amidst Escalating Cyber Conflict with Israel
Iran's state television was hacked to broadcast calls for anti-government protests, with Iran accusing Israel of the interference. Concurrently, Iran's largest cryptocurrency exchange, Nobitex, was hacked, resulting in the theft of over $90 million. These cyber-attacks are part of an ongoing and intensifying cyber conflict between Israel and Iran, linked to broader geopolitical tensions. Iranian entities are using virtual assets strategically as financial workarounds and to support their geopolitical aims, including weapons technology proliferation. The hacktivist group DieNet threatened cyber-attacks on the U.S. if it intervened against Iran, showing the potential for global cyber impact. Israeli officials revealed Iranian attempts to hijack private security cameras in Israel for real-time intelligence, similar to tactics used by Russia in Ukraine. Cybersecurity experts warn global companies of the increased risk of becoming collateral targets in the escalating cyber warfare between Israel and Iran. Analysis indicates a significant disparity in coordinated cyber-attacks between pro-Iranian and pro-Israeli groups, which focus primarily on DDoS attacks, website defacements, and data breaches.
2025-06-20 10:51:40 theregister DATA BREACH Cyberattack Compromises 21 Years of Oxford Council Election Data
Oxford City Council experienced a cyberattack earlier this month, compromising 21 years of election worker data from 2001 to 2022. Attackers accessed personal information of current and former council officers via compromised legacy systems. There is no evidence that the accessed data has been shared with third parties or extracted en masse from the council's systems. Affected individuals have been contacted directly by the council with details about the breach and the support available. External cybersecurity experts were involved in managing the cleanup and securing the systems, and key services have been restored. The council's automated security systems detected and countered the unauthorized access, preventing further intrusion. This incident reflects broader security concerns as local authorities digitize services, making them attractive targets for cyberattacks. Similar cyberattacks have recently targeted other UK councils, highlighting the persistent cybersecurity threats faced by local government entities.
2025-06-20 10:03:09 thehackernews MISCELLANEOUS Strategies for Achieving 24/7 In-House SOC Success
Establishing a 24/7 Security Operations Center (SOC) is crucial for constant threat monitoring, especially during off-peak hours. Effective SOC operation requires a mix of skilled staff, cutting-edge tools, continuous education, and a robust management system. Building a foundation with a mission aligned to business goals is vital for determining security needs and resource allocation. Prioritizing sustainability in team management, such as diverse hiring and manageable shift rotations, is essential to prevent burnout and maintain alertness. Artificial intelligence plays a critical role in automating threat detection, enabling quicker responses and reducing human error. Regularly updated training and simulation exercises ensure that the SOC team can handle real incidents effectively. It is important to use AI-enhanced tools and platforms like Radiant that cater to specific business needs and streamline SOC operations. Governance and continuous improvement practices, including clear metrics and regular reviews, help optimize SOC efficacy and team performance.
2025-06-20 09:40:09 thehackernews DDOS Cloudflare Blocks Record 7.3 Tbps DDoS Attack on Hosting Provider
In mid-May 2025, Cloudflare thwarted the largest DDoS attack on record, peaking at 7.3 Tbps, against an unnamed hosting provider. The attack delivered a staggering 37.4 terabytes of data within 45 seconds, targeting nearly 22,000 destination ports per second on average. The assault was multi-vector, involving UDP floods, reflection attacks (QOTD, echo, NTP), Mirai UDP floods, portmap floods, and RIPv1 amplification. It used over 122,145 source IP addresses from 5,433 Autonomous Systems across 161 countries. The largest shares of attack traffic came from Brazil, Vietnam, Taiwan, and China, with Telefonica Brazil alone accounting for 10.5% of the traffic. Cloudflare's report also noted the activity of the RapperBot DDoS botnet, which has targeted various industries globally since 2022 and uses encryption to protect its command-and-control communications.
2025-06-20 07:41:59 thehackernews MALWARE GitHub Repos Used to Spread Malware in Cybersecurity Scam
Cybersecurity researchers from ReversingLabs have uncovered a new malicious campaign involving 67 GitHub repositories. These repositories impersonated legitimate tools offering Python-based hacking utilities but instead distributed trojanized payloads that steal information. The campaign targeted gamers and developers, promising utilities such as game cheats and account management tools while harvesting sensitive data. Analysis found that these repositories served as vectors for malware capable of injecting malicious code into apps such as the Exodus cryptocurrency wallet. All of the compromised repositories have been identified and removed by GitHub. Earlier research pointed to a broader trend of GitHub increasingly being used to distribute malware to various user groups, including inexperienced cybercriminals. Other campaigns, including the Stargazers Ghost Network targeting Minecraft users, show that the misuse of GitHub continues. Cybersecurity professionals highlight the continuing rise in software supply chain attacks via public code repositories and urge developers to verify the integrity of the repositories they use.
2025-06-19 21:53:38 bleepingcomputer DATA BREACH Unpacking the Massive 16 Billion Credential Compilation Leak
The widely reported leak of 16 billion credentials is not a new data breach but a compilation of existing stolen data. The credentials were aggregated from various sources, including infostealers, old breaches, and credential stuffing attacks. The aggregated credentials were exposed online, though there is no evidence of any new or previously unseen data in the compilation. Infostealer malware, which collects user credentials from infected machines, played a significant role in accumulating this data. Recent crackdowns on cybercrime, such as Operation Secure and the disruption of LummaStealer, highlight the ongoing battle against credential theft. Cybersecurity recommendations include adopting strong, unique passwords, using password managers, and enabling two-factor authentication. Authentication apps are advised over SMS for receiving 2FA codes to avoid risks such as SIM swapping. Services like Have I Been Pwned let users check whether their credentials appear in known breaches.
2025-06-19 19:54:39 bleepingcomputer MALWARE Advanced Godfather Malware Targets Global Banking Apps
The Godfather Android malware uses virtualization to create isolated environments on mobile devices, hijacking over 500 globally recognized banking, cryptocurrency, and e-commerce apps. The malware mimics the legitimate app's UI within a virtual container, misleading users while stealing sensitive data such as account credentials and transaction details. It uses a virtual filesystem, virtual process IDs, and a StubActivity to execute apps within a controlled environment, allowing it to evade Android's security measures. It employs intent spoofing and API hooking through tools such as the VirtualApp engine and Xposed, allowing it to intercept and manipulate user interactions and data transmissions. It displays deceptive screens, such as a fake lock screen overlay during key operations, to trick users into entering their security details and further facilitate data theft. Once data is captured, the malware communicates with its operators for commands that can initiate unauthorized transactions or operations from the real banking applications. Originally detected in March 2021, the malware has evolved significantly; the latest version primarily targets Turkish bank apps while retaining the capability to expand its focus globally. Recommended protections include downloading apps only from trusted sources such as Google Play, activating Play Protect, and carefully reviewing app permissions.
2025-06-19 19:32:00 theregister MISCELLANEOUS New Defense Tech Developed to Counteract Voice-Scamming AI
Researchers from Israel and India have created ASRJam, a system that uses EchoGuard to disrupt the automatic speech recognition (ASR) systems used in voice phishing (vishing). Vishing attacks have surged by 442% in one year, prompting the development of technologies like ASRJam that can hinder AI-driven scam calls. ASRJam introduces subtle audio modifications that confuse ASR systems without affecting human understanding, breaking the scam's communication loop. While vishing relies on criminals using realistic AI-generated voices, ASRJam counters it by inducing errors in the scam's speech-to-text conversion, which depends on ASR technologies. ASRJam operates in real time on the user's device, remains hidden from attackers, and applies universally across different AI models without requiring prior samples. EchoGuard, the algorithm behind ASRJam, modifies voice signals through reverberation, microphone oscillation, and transient acoustic attenuation while balancing clarity and pleasantness for the listener. ASRJam and EchoGuard were tested against multiple datasets and ASR models and outperformed existing techniques at disrupting ASR. The developers plan further enhancements to ASRJam, with the aim of a commercial rollout to mitigate escalating AI-enabled voice scams.
2025-06-19 17:27:59 thehackernews MALWARE New Android Malware Varieties Target Banking and NFC Transactions
Cybersecurity researchers have identified a new Android malware, AntiDot, used in 273 unique campaigns affecting 3,775 devices and sold as Malware-as-a-Service (MaaS). AntiDot abuses Android accessibility services to record screen activity, intercept SMS, and steal data from applications, with capabilities including overlay attacks and remote device control. Another malware, GodFather, uses on-device virtualization to mimic legitimate banking apps, deceiving users into entering credentials in a controlled fake environment. SuperCard X, a third Android malware, leverages NFC technology for financial fraud by capturing bank card data from NFC traffic, targeting devices in Italy and now Russia. Recent findings have also exposed malicious apps on official app stores designed to harvest personal data and cryptocurrency wallet credentials. Security experts emphasize the need for proactive defense mechanisms and user caution, particularly around third-party app downloads and granting unnecessary app permissions.
2025-06-19 16:35:55 theregister NATION STATE ACTIVITY Judge Declares Tower Dump Data Requests Unconstitutional
The US government sought a month-long extension to consider appealing a judge's decision that tower dumps are unconstitutional. Tower dumps involve acquiring bulk records from cell towers to identify individuals' locations and connection times, potentially exposing thousands of users. In this case the data was intended to connect suspected gang members to violent crimes over a 14-month period. Magistrate Judge Andrew S Harris ruled that the request violates the Fourth Amendment, which guards against unreasonable searches and seizures. The judge emphasized the lack of probable cause for each individual whose data would be collected. The denial reflects growing judicial concern over privacy and the scope of law enforcement's reach into personal data. A similar ruling was made in Nevada, where Judge Miranda M Du found tower dumps unconstitutional yet allowed use of the data under a good faith exception.