Daily Brief


Total articles found: 11813

Checks for new stories every ~15 minutes

2025-06-19 16:35:54 bleepingcomputer CYBERCRIME Upcoming Webinar Highlights Rise in Credential Theft Cyberattacks
BleepingComputer and SC Media are hosting a webinar on how cybercriminals are using stolen credentials to access network systems. Identity security expert Darren Siegel will discuss the shift from exploiting vulnerabilities to credential abuse in cyberattacks. The webinar will explore tactics like password-spray attacks, weak MFA setups, and brute-force methods targeting VPN portals. Insights on the infostealer malware economy will be shared, including how it has led to billions of stolen credentials fueling cybercrime markets. Participants will learn defensive strategies to protect against credential-based attacks and modern identity threats. The event aims to provide practical insights from cybersecurity practitioners on mitigating increasing threats from stolen credentials.
2025-06-19 14:37:01 bleepingcomputer CYBERCRIME U.S. Recovers $225 Million in Cryptocurrency from Fraud Ring
The U.S. Department of Justice successfully seized over $225 million in cryptocurrency linked to investment fraud and money laundering operations. Investigators utilized advanced blockchain analysis techniques to trace back funds stolen from more than 400 victims by a sophisticated laundering network. This operation marks the largest crypto seizure in the history of the U.S. Secret Service, involving collaboration with agencies such as the FBI and private entities including Tether and TRM Labs. Criminals used multiple cryptocurrency addresses and accounts to disperse and conceal the origins of the fraudulently obtained funds. The laundered funds were ultimately consolidated into seven USDT wallet groups, where significant gas fees were intentionally applied to hamper traceability. Notably, one victim, a bank CEO, was deceived into transferring $47.1 million to scammers under the guise of legitimate crypto investments. Tether assisted in the recovery process by freezing and burning the compromised tokens, reissuing their equivalent to the U.S. government for civil forfeiture under specific legal statutes. The Department of Justice plans to identify and reimburse victims through a claims process, although detailed plans for restitution remain pending.
2025-06-19 14:09:52 bleepingcomputer DATA BREACH Key Trends from Verizon’s 2025 Data Breach Investigations Report
Verizon's 2025 Data Breach Investigations Report (DBIR) outlines critical cybersecurity trends, notably in credential theft, GenAI risks, and third-party vulnerabilities. A special webinar hosted by LayerX will feature Alex Pinto, a lead author of the DBIR, discussing these issues and the evolving threat landscape. Credential theft and phishing are highlighted as primary tactics for attackers, underlining significant security weaknesses within enterprises. The increasing threats of ransomware are emphasized, stressing the necessity for more effective defensive strategies. Recent research from LayerX complements DBIR findings by discussing additional dangers posed by new technologies like GenAI. Many companies continue to use outdated security solutions, lacking the necessary defences against modern cyber threats. The webinar aims to provide actionable insights and strategies, urging enterprises to adapt to more comprehensive and integrated security approaches. This initiative underscores the urgency for enterprises to reassess their cybersecurity postures in light of emerging threats.
2025-06-19 14:01:39 bleepingcomputer MISCELLANEOUS Microsoft Announces Enhanced Security Features for Windows 365
Microsoft has introduced new security defaults for Windows 365 Cloud PCs effective from the second half of 2025, impacting new and reprovisioned systems. Critical features include the disabling of clipboard, drive, USB, and printer redirections by default to prevent data theft and block malware transmission. USB redirection will be blocked for low-level device access, but basic peripherals like USB mice, keyboards, and webcams will still function due to high-level redirection allowances. The security updates extend to host pools for Azure Virtual Desktop, with similar restrictions enforced. Windows 365 Cloud PCs running Windows 11 now have virtualization-based security (VBS), Credential Guard, and hypervisor-protected code integrity (HVCI) activated by default to enhance kernel-level security protections. Microsoft will inform IT administrators of these changes through notification banners in the Intune Admin Center and provide options to adjust these settings if necessary via Intune device configuration policies or Group Policy Objects. Microsoft is also updating security across Microsoft 365 tenants to block access to SharePoint, OneDrive, and Office files via outdated authentication protocols and disable all ActiveX controls in upcoming Windows versions of Microsoft 365 and Office apps.
2025-06-19 13:36:35 theregister DATA BREACH Krispy Kreme Suffers Extensive Data Breach Affecting Over 160,000
Krispy Kreme disclosed a significant data breach impacting 161,676 individuals, including employees and their families, following a cyberattack in November. Sensitive information compromised includes biometrics, medical info, military IDs, credit card security codes, financial account passwords, and government IDs like passports. Security experts criticized the donut company's pre-breach security measures, highlighting the improper storage of highly sensitive data and weak encryption practices. Despite the breach, Krispy Kreme has not offered any public apologies but provided 12 months of credit monitoring and identity protection services to the affected parties. The company reported spending approximately $4.4 million on cybersecurity improvements and other advisory fees, with the incident also causing a projected $5 million loss in EBITDA. Krispy Kreme continues to enhance its IT systems' security to protect personal data and is facing potential class action lawsuits from those affected by the breach.
2025-06-19 12:00:13 theregister NATION STATE ACTIVITY UK Invests in Cyber Growth, Launches Strategic Review
The UK government has initiated a formal review of the cybersecurity market to identify growth opportunities and enhance the sector’s development as part of the country’s Industrial Strategy. Simon Shiu, a cybersecurity expert, leads the review with assistance from colleagues at the University of Bristol and Imperial College London, aiming to complete it by summer with strategic recommendations. The findings will influence the refreshed National Cyber Strategy, adapting to new cyber threats and enhancing national resilience. The government plans substantial investment in the cybersecurity industry, offering up to £16 million in funds to support new commercial ventures and the scaling of small businesses. The Cyber Security Growth Action Plan and additional funding aim to catalyze innovation, leading to higher quality jobs and bolstered cybersecurity. Criticisms have arisen regarding the composition of the newly formed Government Cyber Advisory Board, highlighting a lack of operational and public sector representation which could impact the effectiveness of future strategies. The investments and strategic initiatives are part of the broader "Plan For Change" targeting sustainable economic growth and innovation across various sectors, including cybersecurity.
2025-06-19 12:00:12 bleepingcomputer NATION STATE ACTIVITY China's Salt Typhoon Hackers Breach Viasat and Other Telecoms
China's cyber-espionage group, Salt Typhoon, successfully infiltrated Viasat, a major provider of satellite broadband globally, serving government, military, and other sectors. The breach was detected earlier this year and investigations have been conducted by Viasat with the help of federal authorities and a private cybersecurity firm, concluding no customer data was compromised. Past attacks by Salt Typhoon include multiple U.S.-based telecom providers such as AT&T, Verizon, and others, along with gaining unauthorized access to U.S. law enforcement's wiretapping systems and private communications of some U.S. officials. Salt Typhoon has been actively targeting telecom companies since at least 2019 and continued their cyberattacks as recently as January 2025 through exploiting unpatched network devices. Viasat had a previous cybersecurity issue in February 2022 when Russian hackers disrupted satellite services in Ukraine and Europe by deploying AcidRain malware. The firm confirmed the incident has been fully remediated and no subsequent activities related to this breach have been observed.
2025-06-19 12:00:12 bleepingcomputer MISCELLANEOUS DuckDuckGo Enhances Scam Blocker for Wider Online Threat Protection
DuckDuckGo has updated its Scam Blocker tool to enhance protection against a wider array of online scams, including deceptive e-commerce and cryptocurrency sites. This privacy-focused browser and search engine, known for not tracking user activities, does not share data with external entities like Google. The Scam Blocker feature, a part of DuckDuckGo since 2018, now uses a local scan against a continuously updated threat list from cybersecurity firm Netcraft. To protect user privacy during threat detection, the browser employs an anonymous cryptographic process to check rare or unknown threats against DuckDuckGo servers. Users receive a clear warning when attempting to access a detected scam site, with options to either leave or proceed to the site. DuckDuckGo's Scam Blocker does not require user registration and is activated by default in the browser. Privacy Pro subscribers benefit additionally as Scam Blocker functions across all internet apps on their devices when using the DuckDuckGo VPN.
2025-06-19 11:40:03 thehackernews MALWARE North Korean Hackers Use Deepfake in Zoom Scam for Crypto Theft
North Korea-aligned hackers, BlueNoroff, targeted a cryptocurrency foundation employee using deepfake Zoom calls to install macOS malware. The employee was lured into a meeting through a Telegram message that led to a fake Zoom environment, where deepfaked executives prompted a malware download. The download involved deceptive prompts to install a "Zoom extension," ultimately executing an AppleScript that covertly fetched further payloads. Investigations revealed multiple malicious binaries on the victim's system, pointing to a sophisticated malware deployment and control strategy. BlueNoroff is part of a broader set of financial crime activities linked to North Korea, aimed at cryptocurrency theft and espionage. The group's modus operandi relies on social engineering that leverages familiar software such as Zoom to bypass standard cybersecurity measures. The attack underscores the heightened risk for remote workers, especially in sensitive sectors like cryptocurrency and blockchain technology. Security experts emphasize the importance of employee training to recognize and counter the social engineering tactics used in such attacks.
2025-06-19 11:26:04 thehackernews MISCELLANEOUS Vibe Coding: Revolutionizing AI in Software Development
Vibe coding, a new AI-driven software development methodology, uses natural language inputs to generate code rapidly. Despite making software prototyping fast and accessible, it introduces severe vulnerabilities termed "silent killers" that traditional security tools often miss. These vulnerabilities, while passing functional tests, could allow exploitable flaws to persist into production environments. The article cites examples of how AI-generated code can inadvertently introduce real-world security risks without adequate safety measures. The EU is applying regulatory pressure, mandating conformity assessments for high-risk AI implementations across various sectors. Secure vibe coding practices include using AI as an augmentation tool, not a replacement, emphasizing the necessity for experience in architecture and security. To combat potential threats, organizational strategies include constructing tiered access and guided development environments for different user capacities. A comprehensive guide has been developed to detail secure coding practices, providing templates and configurations for effective AI application in software development.
2025-06-19 10:07:08 thehackernews CYBERCRIME Free Webinar on Detecting Cyber Threats in Trusted Digital Tools
Modern cyberattacks often leverage "Living Off Trusted Sites" (LOTS) tactics, exploiting well-known platforms like Google and Microsoft. LOTS attacks hide malicious code in normal internet traffic, eluding traditional cybersecurity measures. Many security teams fail to detect these threats due to their non-suspicious appearance, lacking identifiable malware signatures or unusual IP traces. Zscaler's upcoming webinar will offer insights into detecting and counteracting stealthy attacks harbored in commonly used SaaS applications and cloud platforms. The session is designed for security leaders, threat hunters, and IT or SOC teams, focusing on reducing the impact of false positives and uncovering hidden threats. Key takeaways include expert analysis, real-world detection stories, and effective strategies for handling cyber threats embedded in everyday digital tools.
2025-06-19 10:07:08 bleepingcomputer DATA BREACH Krispy Kreme Data Breach Exposes Personal Data of 160,000
Krispy Kreme confirmed a data breach affecting 161,676 individuals following a cyberattack in November 2024. Personal information compromised includes social security numbers, financial account details, and driver’s license information. Krispy Kreme detected unauthorized IT activity on November 29, 2024, and publicly disclosed the breach in mid-December. The Play ransomware group claimed responsibility for the breach, alleging theft of a wide variety of confidential corporate and client data. Following failed negotiations with Krispy Kreme, the ransomware group released the stolen data on a dark web site in December 2024. Play ransomware uses double-extortion tactics and has previously targeted several high-profile organizations, including Rackspace and the City of Oakland. The FBI, CISA, and the Australian Cyber Security Centre have issued advisories noting the Play ransomware gang's global impact on approximately 300 organizations as of October 2023.
2025-06-19 08:08:12 thehackernews NATION STATE ACTIVITY Russian APT29 Utilizes Gmail App Passwords to Circumvent 2FA
Russian threat actors, suspected to be part of APT29, used Google app passwords in a sophisticated phishing campaign to bypass two-factor authentication and access email accounts. From April to June 2025, the campaign specifically targeted prominent academics and critics of Russia with personalized social engineering tactics, including rapport building and tailored lures. Methods involved sending benign-looking phishing emails disguised as U.S. Department of State meeting invitations to establish credibility and manipulate targets into creating and sharing application-specific passwords. Attackers then used these passwords to set up mail clients and gain persistent access to victims' mailboxes, monitoring email correspondence under the guise of promoting "secure communications." The operations were meticulously planned to avoid detection, utilizing residential proxies and VPS servers when logging into compromised accounts. Google and Microsoft detected and publicly disclosed these activities; Google took measures to secure affected accounts and highlighted the dual use of similar social engineering strategies in related campaigns. The Citizen Lab and Google Threat Intelligence Group both highlighted the precision and calculated pacing of the approaches to minimize suspicion and maximize victim compliance.
2025-06-19 06:32:09 theregister MALWARE Malware Attack Uses Cloudflare Tunnels to Deploy Persistent Infections
Securonix identified an ongoing malware campaign, dubbed Serpentine#Cloud, that leverages Cloudflare tunnel subdomains to deliver malicious Python-based code. The campaign, still very active, uses phishing emails carrying Windows shortcut files disguised as PDFs to initiate a multi-stage infection process. Attackers employ a combination of batch files, VBScript, and Python to deploy shellcode that loads Donut-packed payloads such as AsyncRAT or Revenge RAT directly into memory. The use of Cloudflare's legitimate tunneling service complicates domain blocking and increases the stealthiness of the malware delivery, making it difficult for security researchers to attribute the activity and take the infrastructure down. There is no sector-, industry-, or country-specific targeting; infections are widespread across Western nations such as the US, UK, and Germany, and have also been noted in Singapore and India. The entire attack chain reflects a focus on stealth and persistence, giving attackers significant control over infected machines to steal data or move laterally to other systems.
2025-06-19 06:06:58 thehackernews MISCELLANEOUS Meta Introduces Passkey Login for Facebook on Mobile Devices
Meta Platforms announced the introduction of passkey support for Facebook on Android and iOS, enhancing user security and login convenience. Passkeys serve as a more secure alternative to traditional passwords, utilizing biometrics or device PINs for authentication. This feature is aligned with efforts by major tech companies like Microsoft and Apple to adopt passkey technology. Meta has also enabled passkeys on WhatsApp and plans to extend this feature to Messenger and potentially Instagram. The introduction of passkeys not only secures accounts against phishing and other cyber threats but also streamlines payment processes through Meta Pay. Tech industry giants are progressively moving towards passwordless sign-in options, citing enhanced security and user experience.