Daily Brief

Total articles found: 11813

2025-06-16 12:44:45 | theregister | MISCELLANEOUS | Microsoft Introduces Recall Export Feature to Windows 11 in Europe
Microsoft is rolling out a Recall Export feature for Windows 11 users in the European Economic Area, allowing encrypted Recall snapshots to be shared with external apps and websites. Users receive a unique export code for decrypting the data; it must be stored securely, because Microsoft cannot recover it if it is lost. Recall has been controversial on privacy grounds, since it logs user activity on the desktop, and the feature was previously pulled back into development. Exports can cover the last 7 to 30 days of activity, or all data to date, with authorization via Windows Hello. The feature is currently available to Windows Insiders in the Beta channel and will likely reach general users soon. Additional updates include the ability to reset Recall data and a 90-day limit on snapshot retention on new Copilot+ PCs. Microsoft also hints at further updates to Windows 10 features, including enhancements to the notification center's clock display.
2025-06-16 11:38:41 | thehackernews | NATION STATE ACTIVITY | Sophisticated Spyware Targets Journalists via iPhone Exploit
Apple disclosed active exploitation of a zero-click flaw in its Messages app that was used against members of civil society. The vulnerability, CVE-2025-43200, was weaponized with Paragon's Graphite mercenary spyware to infect journalists in Europe. Citizen Lab uncovered forensic evidence of the targeted attacks on Italian journalist Ciro Pellegrino and another prominent European journalist. Apple patched the flaw across iOS, macOS, and watchOS in its latest updates. The exploit exemplifies nation-state-level espionage tooling that bypasses conventional security measures. A large number of other critical vulnerabilities across different platforms and software were also identified this week, and tips were shared on how individuals can protect themselves from less obvious web tracking and surveillance.
2025-06-16 11:28:57 | thehackernews | MISCELLANEOUS | Guide to Transforming Cybersecurity Into Recurring Revenue
The cybersecurity market demands that providers evolve from tactical one-off projects to strategic, continuous security management services. Treating cybersecurity as a strategic business function rather than mere tactical support can significantly improve client resilience and provider revenue. Effective security management rests on long-term partnerships, with services such as ongoing compliance support and proactive risk management. The playbook introduces a tiered service model, from basic risk assessments up to comprehensive virtual CISO services, aligned with each client's maturity and needs. Providers can elevate their role to that of trusted advisor by working closely with client leadership and translating security insights into actionable business strategy. Barriers for providers include a lack of confidence in their own expertise and the difficulty of scaling services; both can be overcome with structured approaches and automation. The example of Burwood Group illustrates a successful transformation from basic security services to scalable, strategic offerings that significantly increased revenue. Strategic, automated security management not only secures clients but also gives providers predictable, high-margin revenue.
2025-06-16 11:18:47 | bleepingcomputer | NATION STATE ACTIVITY | Major Darknet Drug Marketplace Archetyp Seized in Multi-National Raid
Law enforcement from six countries collaborated to dismantle Archetyp Market, a notorious darknet platform dealing in a range of drugs. The operation, named 'Operation Deep Sentinel' and led by German police with support from Europol and Eurojust, resulted in the arrest of the marketplace's administrator and key associates. Investigators shut down the market's infrastructure in the Netherlands and arrested a 30-year-old German national in Barcelona believed to be the administrator. Archetyp Market, operational since May 2020, hosted over 3,200 vendors and more than 17,000 listings, accumulated over 612,000 users, and transacted over €250 million in Monero. Police seized significant assets, including 47 smartphones, 45 computers, and various drugs, with a total value of over €7.8 million. The takedown follows another major operation, 'Operation RapTor', which targeted dark web vendors globally, underscoring a sustained crackdown on digital drug trafficking networks. It represents a severe disruption to one of the dark web's most extensive drug distribution networks and highlights stronger international cooperation against cyber-enabled crime.
2025-06-16 10:47:49 | theregister | DATA BREACH | GCHQ Intern Sentenced for Stealing Top-Secret Files
A former GCHQ intern, Hasaan Arshad, was sentenced to 7.5 years for stealing classified information from the British intelligence agency during his placement. Arshad copied secret data to a mobile phone and external hard drives before his internship ended in August 2022. He pleaded guilty at the Old Bailey to performing an unauthorized act that significantly risked national security. The breach involved top-secret, taxpayer-funded software development projects, which Arshad accessed out of curiosity and a desire to continue the work independently. Prosecutors highlighted the severe potential damage to national security from transferring such information to insecure personal devices. Separately from the data breach, Arshad was found guilty of possessing indecent images of children and received separate sentences for those offenses. The judge acknowledged Arshad's neurodiversity but emphasized that it did not diminish his awareness of the risks of his actions.
2025-06-16 09:40:44 | bleepingcomputer | MISCELLANEOUS | Microsoft's June Update Causes DHCP Service Disruption
Microsoft confirmed that its June 2025 security updates for Windows Server are causing problems with the DHCP Server service, including service freezes. The Dynamic Host Configuration Protocol (DHCP) Server service automates network configuration tasks such as IP address assignment. The problem particularly affects the renewal of unicast IP addresses, which may not be applied correctly across network devices. Microsoft has acknowledged the issue and is preparing a fix, promising more information and a resolution in the coming days. This follows other June Patch Tuesday work by Microsoft, which also released fixes for domain controller accessibility and authentication issues. The incident underscores the importance of diligent update and patch management, especially in complex IT environments; Microsoft's recent pattern of rapid-response updates to address unexpected bugs from earlier patches highlights the ongoing challenge of software maintenance.
2025-06-16 08:02:05 | theregister | MISCELLANEOUS | Collaborative Security Boosts Profitability, Human-Centric Study Reveals
95% of data breaches involve human error, underscoring the importance of managing human risk in cybersecurity. OutThink's 2025 report finds that organizations with active collaboration between employees and security teams report a 32% increase in profitability. Shifting from traditional security awareness programs to ongoing, adaptive human risk management improves both data security and business performance. Highly engaged security cultures reduce non-compliance among privileged users from 27% to 6%. Security champions are more common in collaborative environments, leading to stronger security cultures and better team performance. There is a strong correlation (0.78) between line managers' cyber engagement and the overall performance of their teams. Recommendations include moving beyond one-time training to continuous engagement and making line managers the key drivers of security culture.
2025-06-16 06:47:10 | thehackernews | MALWARE | Malicious PyPI Package Targets AWS and macOS Developer Data
Cybersecurity researchers have identified a malicious Python Package Index (PyPI) package designed to steal sensitive data from developers. The package, named chimera-sandbox-extensions, was downloaded 143 times and posed as an add-on for the Chimera Sandbox tool developed by Grab. It targets AWS tokens, CI/CD environment variables, and macOS configuration data, collecting them through a multi-stage malware chain. Data captured by the stealer is sent to an attacker-controlled server, which then decides whether the infected system is worth exploiting further. The threat highlights the growing sophistication of supply-chain malware and the need for careful dependency vetting and proactive security measures by development teams. Separately, several malware-laced npm packages were removed after being downloaded multiple times, showing similar threats in the JavaScript ecosystem. These incidents underline the growing exposure of the open-source ecosystem and the urgency of stronger security practices and awareness among developers and organizations.
2025-06-16 02:54:29 | theregister | CYBERCRIME | Australia Unveils Major Crypto Money-Laundering Operation Involving Security Firm
The Australian Federal Police charged four individuals in connection with a sophisticated AU$190 million money laundering scheme. The scheme mixed legitimate business cash flows with illicit funds through a security company's armored cash transport service. Laundered funds were channeled through various businesses, including a sales promotion company, a classic car dealership, and cryptocurrency exchanges, and the cleaned money was returned to clients as cryptocurrency or via third-party businesses. Key suspects include the security company's director, its general manager, a major client, and an individual who handled the illicit fund transfers. The case spotlights the difficulty of detecting and combating financial crime in the digital currency space and the ongoing regulatory concerns around the abuse of cryptocurrencies in illegal activity.
2025-06-15 22:03:38 | theregister | MISCELLANEOUS | Congressional Review Requested for CVE Program amid Funding Uncertainties
Congressional Democrats Bennie Thompson and Zoe Lofgren have requested a GAO audit of the CVE (Common Vulnerabilities and Exposures) program over concerns about its continuity and funding. The Cybersecurity and Infrastructure Security Agency (CISA) extended funding for the CVE program by eleven months after the original federal support ended in April. The request aims to evaluate the efficiency and effectiveness of the government programs supporting the National Vulnerability Database (NVD) and CVE, both essential to global cybersecurity efforts. The Trump administration has proposed budget cuts to CISA, which have raised concerns among Democrats and coincided with senior staff departures. New vulnerabilities reported include a critical XSS flaw in the Roundcube webmail platform that is already being exploited in the wild. Other reported incidents include the misuse of Discord invite links, a late-reported data breach at McLean Mortgage, and malicious use of the TeamFiltration tool against Microsoft Teams accounts. Researchers at Palo Alto Networks also described a JavaScript obfuscation method, dubbed JSF*ck, used to inject malicious code on numerous websites, highlighting the continuing need for robust defenses.
2025-06-15 14:14:12 | bleepingcomputer | CYBERCRIME | Over 46,000 Grafana Instances at Risk from Account Takeover Bug
Over 46,000 internet-facing Grafana instances remain vulnerable to CVE-2025-4123 because they have not been patched. The vulnerability lets attackers load malicious plugins and take over user accounts by chaining a client-side open redirect flaw. The flaw was discovered by bug bounty hunter Alvaro Balada; Grafana Labs issued security updates on May 21, but approximately 36% of instances remain unpatched. OX Security demonstrated that an attacker could execute arbitrary JavaScript and hijack user sessions without elevated privileges. Exploitation requires tricking a victim into clicking a malicious URL, which loads a harmful plugin that alters the user's credentials and permission settings. Grafana's default Content Security Policy partially mitigates the risk but does not fully prevent exploitation. Administrators are urged to update vulnerable Grafana instances to the fixed versions to minimize their exposure.
2025-06-14 17:34:51 | bleepingcomputer | CYBERCRIME | Cyberattack Disrupts WestJet Airlines' Internal Systems
WestJet, Canada's second-largest airline, reported a cyberattack affecting its internal systems and mobile app. The attack prevented users from logging into the WestJet website and mobile application, though those services have since been restored. WestJet has engaged internal specialist teams, law enforcement, and Transport Canada to investigate the breach and mitigate its impact, and says it is working to keep operations safe and protect sensitive data, including the personal information of guests and employees. The nature of the attack, whether ransomware or another form, remains unconfirmed, and details of how access was lost are still undetermined. WestJet apologized to guests for the inconvenience caused by the disruption. An update on Saturday morning indicated that the company's operations remain secure despite the attack affecting certain software and services.
2025-06-14 14:33:47 | bleepingcomputer | MALWARE | Anubis RaaS Enhances Operations with Destructive Wiper Feature
The Anubis ransomware-as-a-service (RaaS) has added a wiper module that destroys files beyond recovery, even if the ransom is paid. Anubis, unrelated to the Android malware of the same name, began operating as a RaaS in December 2024 and has recently increased its activity. Its operators launched an affiliate program on the RAMP forum on February 23, offering partners different earnings percentages depending on their role. Although only eight victims are currently listed on the Anubis extortion site, the enhancements to the RaaS could lead to a rise in attack volume. Trend Micro reports new Anubis samples with a wiper function intended to coerce faster payment by making data recovery impossible. Essential system and program directories are excluded from the attack to keep the machine usable, and encryption uses the ECIES scheme, with encrypted files given the '.anubis' extension. According to Trend Micro, Anubis is delivered primarily via phishing emails containing malicious links or attachments.
2025-06-14 02:51:12 | thehackernews | MALWARE | Discord Link Hijack Exploits Deliver RAT and Crypto Stealers
A new malware campaign targets Discord users by hijacking invite links to deliver Skuld Stealer and AsyncRAT, with a focus on crypto wallets. Attackers re-register expired or deleted Discord invite links, exploiting a weakness in Discord's invite system to redirect users to malicious servers. The campaign combines phishing, multi-stage loaders, and evasion techniques, and uses legitimate services such as GitHub and Pastebin for stealth. The payloads are a customized Skuld Stealer and AsyncRAT, built to steal sensitive data and provide remote access. Victims are tricked into running the malware by a social engineering lure in which a PowerShell command is presented as a verification step. Stolen data includes information from browsers, Discord, and crypto wallets, with particular attention to seed phrases and passwords. The attack also uses a customized version of ChromeKatz to get around Chrome's encryption, and data is exfiltrated via a Discord webhook. Discord has disabled the malicious bot involved, disrupting the campaign, though related campaigns by the same actors target users worldwide.
2025-06-13 22:10:53 | theregister | NATION STATE ACTIVITY | Rising Cyber Threats Amid Israel-Iran Conflict, US on Alert
The ongoing Israel-Iran military conflict has become a hybrid war, with both nations using cyberattacks alongside conventional military operations. Iran is expected to escalate its cyber operations against Israel and may extend them to the United States in retaliation for recent Israeli airstrikes. Experts, including former White House advisor Michael Daniel, emphasize that both countries have advanced cyber capabilities, ranging from DDoS to destructive wiper attacks, used for espionage and potential sabotage. There is growing concern that Iranian cyberattacks could target U.S. critical infrastructure and the private sector, following demonstrated intrusions into U.S. water systems through basic security flaws. Despite their technical capability, Iranian groups such as CyberAv3ngers have shown limited understanding of the systems they infiltrated, which reduced the immediate impact of their past attacks. Security professionals warn that Iran may activate more cyber operatives or encourage pro-regime hackers to intensify attacks on Israeli and U.S. targets in response to military setbacks. The U.S. is particularly exposed because of existing security weaknesses in small utilities and other critical infrastructure. Officials also caution against overestimating the impact of these attacks, since Iran and its allies, including Russia and China, may exaggerate claims for psychological effect.