Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11815
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-06-05 20:14:10 | theregister | MISCELLANEOUS | Cellebrite Acquires Corellium, Bolsters Mobile Encryption Cracking Capabilities | Cellebrite has agreed to acquire Corellium for $170 million, extending its ability to get into locked and encrypted mobile devices.
Corellium is known for its virtualized iOS and Android environments, which let researchers probe mobile operating systems for security weaknesses without risking a physical device.
The deal unites two prominent players in lawful hacking and is poised to create one of the largest "white-hat" hacking enterprises globally.
Chris Wade, Corellium's co-founder and a controversial figure who was previously pardoned by President Trump, will become Cellebrite's Chief Technology Officer.
Cellebrite frames the acquisition as part of its commitment to innovation and public safety, promising enhanced forensic tooling for law enforcement.
The deal still needs clearance from the Committee on Foreign Investment in the United States (CFIUS) and is expected to close in summer 2025.
The move is expected to grow Cellebrite's customer base, which already includes contracts with Western law enforcement agencies. | Details |
| 2025-06-05 19:47:40 | theregister | NATION STATE ACTIVITY | Trump Nominee Faces Senate Over Proposed CISA Budget Cuts | President Trump's nominee for national cyber director, Sean Cairncross, told his Senate nomination hearing that he favors a more offensive posture toward foreign cyber adversaries.
Cairncross, previously a White House advisor and RNC official with limited cybersecurity experience, defended the president's decision to reduce funding for the Cybersecurity and Infrastructure Security Agency (CISA).
The proposed budget would cut $495 million and eliminate 1,083 positions at CISA, raising concerns among senators that it would weaken the nation's cyber defenses.
Senator Elissa Slotkin voiced significant concerns, comparing the situation to pre-9/11 security levels and questioning the justification behind the budget cuts given the increasing cyber threats.
Meanwhile, Sean Plankey’s nomination for director of CISA was delayed, leaving the agency without a confirmed leader amid ongoing security concerns.
Senator Ron Wyden has placed a hold on Plankey’s nomination, demanding the release of an unclassified report on the security of American telecommunications networks.
Wyden’s office criticized the Trump administration for neglecting cybersecurity, highlighting several breaches and inadequate responses that could expose the U.S. to significant cyber risks. | Details |
| 2025-06-05 17:22:45 | bleepingcomputer | DATA BREACH | Repackaged AT&T Breach Data Links SSNs to Phone Numbers | Data from AT&T's 2021 breach, which affected roughly 70 million customers, has been repackaged so that Social Security numbers and dates of birth are now linked directly to phone numbers.
AT&T is investigating a new claim that the data is being sold on the dark web, although the data most likely stems from the 2021 breach rather than a new intrusion.
The data was originally fragmented across separate fields, but a recent leak on a Russian-language hacking forum presents it in a consolidated format that is far more useful to criminals.
BleepingComputer's analysis indicates the leak originates from the known ShinyHunters breach, not a new incident.
The consolidated data set includes names, addresses, unencrypted SSNs, dates of birth, and over 48 million unique phone numbers.
The refined leak is free to download on cybercrime forums and contains cleaned, de-duplicated records for over 86 million unique entries.
AT&T initially denied the data came from its systems but later confirmed it did, putting the number of affected customers at 73 million. | Details |
| 2025-06-05 17:14:02 | theregister | CYBERCRIME | Federal Crackdown Closes Major Dark Web Credit Card Market | BidenCash, a dark web marketplace trafficking in stolen credit card data, has been shut down by U.S. authorities after operating since 2022.
The operation seized 145 domain names associated with BidenCash and an undisclosed amount of cryptocurrency tied to the marketplace's transactions.
Over its lifetime, BidenCash generated more than $17 million in illicit revenue and trafficked over 15 million stolen credit card records.
Its promotions included giving away 3.3 million stolen card records for free to attract new customers.
The platform served over 117,000 customers and also sold SSH credentials that could facilitate broader intrusions.
BidenCash offered automated purchasing tools and a loyalty program, increasing the scale and efficiency of the fraud it enabled.
Despite the takedown, the history of similar markets suggests a quick resurgence or rebranding under a new name is likely. Earlier law enforcement operations such as Cronos (against LockBit) and Magnus (against the RedLine and Meta infostealers) also set out to tarnish the reputations of cybercrime gangs before dismantling them.
Following recent successful actions against other major threats such as the Lumma infostealer, law enforcement efforts against dark web operations continue. | Details |
| 2025-06-05 16:58:08 | bleepingcomputer | CYBERCRIME | Critical Exploit Sold on Hacker Forums Targets Roundcube Webmail | A critical vulnerability in Roundcube webmail, tracked as CVE-2025-49113, allows remote code execution and had gone unnoticed in the code base for over a decade.
The flaw affects versions 1.1.0 through 1.6.10; Roundcube released fixed versions 1.6.11 and 1.5.10 LTS on June 1, and attackers reverse-engineered the patch within days to build a working exploit.
The exploit requires valid login credentials (it is a post-authentication RCE), yet it was still advertised for sale on hacker forums, showing that the need for credentials, which attackers can obtain by other means, does little to deter exploitation.
The root cause is missing validation of the $_GET['_from'] parameter in the settings upload action (program/actions/settings/upload.php), which lets an attacker corrupt session data and achieve PHP object injection through insecure deserialization.
Kirill Firsov, CEO of security firm FearsOff, published technical details and a demonstration video of the exploit to help defenders, even as underground markets offered up to $50,000 for a working exploit.
Roundcube's popularity with hosting providers and its bundling in web hosting control panels make it a significant target, with over 1.2 million Roundcube hosts exposed online.
That broad footprint across many sectors is why researchers have dubbed the bug "email armageddon" and rate its potential impact as high. | Details |
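A small triage helper for the Roundcube flaw described above, added here as an example; it is not code from the BleepingComputer article, from FearsOff, or from the Roundcube project. It assumes the fixed releases are 1.6.11 and 1.5.10 (older 1.1-1.4 branches received no fix), that the vulnerable code path is reached through `_task=settings&_action=upload`, and that a legitimate `_from` value is a plain identifier such as `edit-identity`, so a value containing other characters is worth a look. The second check is a heuristic for prioritising log review, not proof of exploitation, and the access log lines are constructed for the example.

```python
"""Triage helper for CVE-2025-49113 (added example, not Roundcube project code).

Assumptions (not taken from the article):
- Fixed releases: 1.6.11 and 1.5.10. Branches 1.1-1.4 are unpatched.
- Suspicious requests hit _task=settings&_action=upload with a _from value
  that is not a plain identifier. This is a heuristic, not an IOC.
- SAMPLE_LOG below is constructed, Apache combined-log style.
"""
import re
from urllib.parse import parse_qs, urlsplit

# First fixed release per supported branch (assumed from the June 1 releases).
FIXED = {(1, 6): (1, 6, 11), (1, 5): (1, 5, 10)}

# What a legitimate _from value is assumed to look like (e.g. "edit-identity").
SAFE_FROM = re.compile(r"^[A-Za-z0-9_-]+$")

# Apache combined log: ip ident user [ts] "METHOD URL PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '1.6.10' (or '1.6.10-something') into (1, 6, 10)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {version!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_vulnerable(version: str) -> bool:
    """True if this Roundcube version predates the fix on its branch."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        # 1.1 .. 1.4 never got a fix; anything newer than 1.6 postdates it.
        return (1, 1, 0) <= v < (1, 5, 0)
    return v < fixed


def suspicious_upload_requests(log_lines):
    """Return (ip, timestamp, _from value) for upload requests whose _from
    parameter is not a plain identifier. parse_qs percent-decodes for us."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["url"]).query)
        if query.get("_task") != ["settings"] or query.get("_action") != ["upload"]:
            continue
        for value in query.get("_from", []):
            if not SAFE_FROM.match(value):
                hits.append((m["ip"], m["ts"], value))
    return hits


# Constructed sample: one normal upload, one with an odd _from value.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jun/2025:10:15:22 +0000] "GET /?_task=mail&_action=list HTTP/1.1" 200 5120',
    '203.0.113.5 - - [04/Jun/2025:10:15:40 +0000] "POST /?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 312',
    '198.51.100.23 - - [04/Jun/2025:10:16:01 +0000] "POST /?_task=settings&_action=upload&_from=edit-identity%21x HTTP/1.1" 200 312',
]

if __name__ == "__main__":
    for ver in ("1.6.10", "1.6.11", "1.5.9", "1.4.15"):
        print(f"Roundcube {ver}: {'VULNERABLE' if is_vulnerable(ver) else 'fixed'}")
    for ip, ts, value in suspicious_upload_requests(SAMPLE_LOG):
        print(f"review: {ip} at {ts} sent _from={value!r}")
```

Run it against your real Roundcube version string and a slice of the webserver access log; a hit from the second function means a request reached the upload action with a `_from` value that the patched code would reject, which is a reasonable starting point for an investigation, while the absence of hits says nothing about requests that were not logged with their query string.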
| 2025-06-05 16:04:57 | thehackernews | DATA BREACH | Popular Chrome Extensions Compromise User Data and API Keys | Several Google Chrome extensions transmit sensitive data over unencrypted HTTP and ship with hard-coded secrets, creating significant privacy and security risks for their users.
The affected extensions leak information such as the domains a user browses, machine identifiers, operating system details, and usage analytics.
Because the data travels in cleartext, anyone on the same network, for example on public Wi-Fi, can intercept or tamper with it.
The identified extensions, which include security, productivity, and online shopping tools, also contain hard-coded API keys that an attacker could abuse to run up the developer's bill, corrupt data, or forge transactions.
The researchers recommend moving credentials off the client side entirely, using HTTPS for all data transfers, keeping API keys in secure backend storage, and rotating those credentials regularly.
The findings underscore the need for careful scrutiny and ongoing security vetting of every browser extension, even those from well-established developers or with large user bases.
Users are advised to disable the affected extensions until their developers secure how data is transmitted and stored. | Details |
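The two problems the researchers describe, cleartext HTTP endpoints and secrets baked into extension source, are both cheap to check for yourself before installing or shipping an extension. The scanner below is an added example and is not code from The Hacker News article or from the research it reports; it runs a few regexes over the JavaScript and JSON files of an unpacked extension. The key patterns (Google `AIza...`, AWS `AKIA...`, and a generic `apiKey = "..."` assignment) and the sample files are constructed for the example; the AWS value is the documented placeholder key, and the Google-shaped key is a dummy of the right length, not a real credential.

```python
"""Scan unpacked browser-extension sources for cleartext HTTP endpoints and
hard-coded secrets. Added example; not part of the article or the research.

The regexes are a starting point, not a complete secret detector, and the
sample extension files below are constructed for this example.
"""
import re
from pathlib import Path

PATTERNS = {
    # Any http:// URL is data that will leave the browser unencrypted.
    "plaintext-http-endpoint": re.compile(r"""http://[^\s"'`<>]+"""),
    # Google API key shape: AIza + 35 URL-safe characters.
    "google-api-key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    # AWS access key ID shape: AKIA + 16 upper-case alphanumerics.
    "aws-access-key-id": re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}"),
    # apiKey = "...", secret: '...', token = "..." with a long literal value.
    "generic-secret-assignment": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*["']([^"']{16,})["']"""
    ),
}

# Local development endpoints are not the problem the article is about.
IGNORED_HTTP_PREFIXES = ("http://localhost", "http://127.0.0.1")


def scan_extension(files: dict[str, str]) -> list[tuple[str, str, str]]:
    """files maps a file name to its text. Returns (file, finding kind, value)."""
    findings = []
    for name, text in files.items():
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(text):
                value = m.group(1) if m.groups() else m.group(0)
                if kind == "plaintext-http-endpoint" and value.startswith(IGNORED_HTTP_PREFIXES):
                    continue
                findings.append((name, kind, value))
    return findings


def scan_directory(root: str) -> list[tuple[str, str, str]]:
    """Read every .js/.json file under an unpacked extension directory."""
    files = {
        str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
        for p in Path(root).rglob("*")
        if p.suffix in (".js", ".json") and p.is_file()
    }
    return scan_extension(files)


# Constructed sample extension: one cleartext endpoint, three baked-in secrets.
SAMPLE_EXTENSION_FILES = {
    "background.js": (
        'fetch("http://telemetry.example.invalid/collect?uid=" + machineId);\n'
        'const key = "AIzaSyA-0123456789abcdefghijklmnopqrstu";  // dummy, correct shape\n'
    ),
    "content.js": 'fetch("https://api.example.invalid/v1/items");\n',
    "config.json": '{"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}\n',  # AWS doc placeholder
    "vendor.js": "const apiKey = 'sk_live_0123456789abcdef0123';\n",
}

if __name__ == "__main__":
    for name, kind, value in scan_extension(SAMPLE_EXTENSION_FILES):
        print(f"{name}: {kind}: {value[:8]}...")
```

To use it on a real extension, unpack it (on Linux Chrome keeps installed extensions under `~/.config/google-chrome/Default/Extensions/<id>/<version>/`) and call `scan_directory` on that folder; every `plaintext-http-endpoint` hit is a place where the extension sends or fetches something without TLS, and every key hit is a credential that any user of the extension can read out of the source.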
| 2025-06-05 14:36:08 | theregister | MALWARE | Over 100 Backdoored Malware Repos Linked to Single GitHub User | A Sophos investigation found more than 100 GitHub repositories containing backdoored malware, all traceable to a single user, "ischhfd83".
The backdoors primarily targeted novice cybercriminals and video game cheaters, and the repositories were tied to a Russian email address associated with that user.
One example is the remote access trojan Sakura RAT, which, rather than working as advertised, installed additional infostealers and RATs on the machine of whoever built it.
About 58% of the repositories posed as video game cheats, while 24% were presented as malware projects, exploits, or attack tools.
The malicious repositories used GitHub Actions to automate commits, giving them the appearance of legitimate, frequently updated projects.
Most of the repos had few contributors, many of whom shared very similar usernames and the same email address, pointing to a small, closely knit operation.
The approach isn't new and overlaps with campaigns previously reported by Trend Micro and Kaspersky.
Sophos reported the Sakura RAT project to GitHub, which has since removed it; backdoored repositories like these remain a risk, especially for inexperienced GitHub users who build what they find. | Details |
| 2025-06-05 14:27:21 | bleepingcomputer | MALWARE | Effective Strategies for Secure Windows Service Design | A security-focused Windows Service must adhere to key design principles for effectiveness and reliability.
The architecture of a robust security service involves components that work together to safeguard systems.
Implementing a Zero Trust approach is crucial for hardening Windows Servers against cyber threats.
Selection of appropriate development tools and frameworks is critical in creating an effective security service.
Real-time monitoring is essential for detecting and addressing threats immediately as they occur.
Process and File System Monitoring, along with Network Activity Analysis, are vital for comprehensive threat detection.
Together, these components help prevent malware and ransomware, ensuring system security and integrity.
The article is sponsored content written by ThreatLocker and promotes the company's approach to server security. | Details |
| 2025-06-05 13:57:24 | thehackernews | NATION STATE ACTIVITY | Bitter Hacker Group Targets Turkey in Expansive Espionage Effort | Bitter, also tracked as APT-C-08 and under several other aliases, is assessed with high confidence to be conducting espionage on behalf of the Indian government.
The group uses spear-phishing and a range of malware, including WmRAT and MiyaRAT, to target governments and defense organizations in Turkey and other regions.
Its operations focus on collecting intelligence on foreign policy and defense, using forged documents and deceptive email lures.
Email campaigns impersonate government entities and are sent from compromised government accounts in countries such as Pakistan, Bangladesh, and Madagascar.
Recent campaigns show the group's targeting expanding geographically, now reaching into Europe as well as Turkish and Chinese targets.
The group operates mainly during Indian Standard Time business hours, which supports the assessed link to Indian intelligence.
After a successful phish, tools such as KugelBlitz and BDarkRAT give the group deeper access to compromised networks and let it manipulate data there. | Details |
| 2025-06-05 11:38:44 | bleepingcomputer | DATA BREACH | Vodafone Fined $51 Million for Privacy and Security Violations in Germany | The German data protection authority fined Vodafone GmbH €45 million ($51.4 million) for serious privacy and security breaches.
Violations involved fraudulent activities by employees at partner agencies, including unauthorized contract modifications and counterfeit contracts.
A €15 million penalty was specifically for Vodafone's inadequate oversight of these partner agencies.
An additional €30 million fine was imposed due to authentication flaws in Vodafone's mobile app and hotline, compromising customer eSIM profiles.
Prof. Dr. Louisa Specht-Riemenschneider emphasized the importance of sanctioning data breaches and proactively preventing them, noting Vodafone's full cooperation during the investigation.
Following the fines, Vodafone revamped its processes, enhanced partner agency audits, and distanced itself from partners involved in fraudulent activities.
The company also contributed several million euros to charity organizations focusing on data protection and cyberbullying. | Details |
| 2025-06-05 11:28:52 | thehackernews | MISCELLANEOUS | How Business Value Assessments Transform Cybersecurity Impact | Business Value Assessments (BVA) are increasingly essential as they quantify cybersecurity's financial and operational impacts on businesses.
Traditional security metrics often fail to communicate the real business impact to executive boards, focusing on technical data like CVEs and patch rates.
BVAs bridge this gap by linking security exposures directly to financial consequences, justifying investment in prevention, and showing tangible returns on security spending.
The average breach cost is now estimated at $4.88 million, encompassing not only immediate response but also downstream effects such as operational downtime and reputational damage.
Delays in addressing security vulnerabilities can exacerbate costs, with prolonged incidences raising expenses and disrupting business operations for extended periods.
Effective deployment of automation and AI-based tools can potentially reduce breach-related costs by up to $2.2 million.
A BVA provides a clear framework for cybersecurity decision-making, aligning IT, security, and financial strategies and facilitating more informed, strategic resource allocation.
The introduction of BVAs into regular security practices helps transform security from a cost center into a strategic business ally, promoting proactive risk management and alignment with business goals. | Details |
| 2025-06-05 11:06:10 | thehackernews | NATION STATE ACTIVITY | Iranian-Linked BladedFeline Targets Officials in Iraq and Kurdistan | The Iran-aligned group BladedFeline has been conducting espionage against Kurdish and Iraqi government officials since early 2024.
ESET links BladedFeline with medium confidence to OilRig, an established Iranian threat actor, and says the group has been active against regional targets since September 2017.
The group uses custom malware such as the Whisper and Spearal backdoors, among others, to get into Iraqi and Kurdish networks and keep access to them.
ESET's report highlights significant investment in collecting diplomatic and financial information, which serves Tehran's strategic objectives in the region.
Initial access is believed to come through vulnerabilities in internet-facing applications, after which tools such as the Flog web shell provide sustained access.
The group also compromised a telecom provider in Uzbekistan, indicating a broader regional espionage agenda.
It uses tunneling tools and malicious modules such as PrimeCache to manage command-and-control communications stealthily.
Its targeting aims at maintaining surveillance of, and a strategic foothold within, high-value governmental and diplomatic entities in Iraq and Kurdistan. | Details |
| 2025-06-05 10:42:21 | theregister | CYBERCRIME | HMRC Reports £47M Stolen Through Phishing, Not a Cyberattack | HMRC has disclosed a £47 million loss to unauthorized account access and fraudulent claims, affecting about 0.22% of the UK's PAYE taxpayers.
Although around 100,000 individuals' accounts were affected, HMRC says none of those taxpayers lost money, and it attributes the incident to sophisticated phishing rather than a breach of its systems.
The criminals accessed tax accounts using valid user credentials obtained through phishing or external data leaks.
A criminal investigation spanning multiple jurisdictions has led to several arrests, and the affected accounts have been suspended.
HMRC says its fraud controls prevented further losses, protecting approximately £1.9 billion in the previous tax year.
HMRC stressed the importance of security measures, citing ongoing enhancements and upcoming government investments in IT security.
The incident prompted a reevaluation of HMRC's definition of "cyberattack," focusing on the misuse of customer credentials rather than direct system exploitation. | Details |
| 2025-06-05 10:20:07 | thehackernews | CYBERCRIME | Global Law Enforcement Seizes 145 Domains From BidenCash Marketplace | The U.S. Department of Justice announced the seizure of cryptocurrency funds and 145 related domains of the carding marketplace BidenCash.
BidenCash facilitated the sale of stolen credit cards and personal data, generating at least $17 million in revenue.
Since its launch in March 2022, the platform has amassed over 117,000 customers and trafficked more than 15 million payment card numbers.
The stolen data included sensitive information such as credit card numbers, CVV codes, and personal details like addresses and phone numbers.
BidenCash also offered compromised credentials and unauthorized access services, posing threats such as data exfiltration and ransomware attacks.
The international crackdown involved the U.S. Secret Service, FBI, Dutch Politie, Shadowserver Foundation, and Searchlight Cyber.
Recent related law enforcement activities included the seizure of domains offering counter-antivirus services and the arrest of a Ukrainian national for unauthorized cryptocurrency mining.
The broader operation showcases ongoing international efforts to combat cybercrime and safeguard sensitive financial information. | Details |
| 2025-06-05 09:33:47 | bleepingcomputer | CYBERCRIME | ViLE Cybercriminals Sentenced for Police Database Extortion Scheme | Two members of the cybercriminal group ViLE, specializing in doxing and extortion, were sentenced this week.
They obtained sensitive personal information by impersonating law enforcement officers and by using stolen police credentials to access a federal law enforcement web portal.
Their methods included tricking customer service staff, submitting fake emergency legal requests, and logging in with stolen law enforcement credentials.
Using the accessed data, they threatened victims with the release of their personal information unless they received payment.
The sentenced members, Sagar Steven Singh and Nicholas Ceraolo, received 27 and 25 months in prison respectively for aggravated identity theft and conspiracy to commit computer intrusion.
Their tactics included threatening victims with harm to their family and taking over private social media accounts to enforce compliance.
Messages between the defendants reveal awareness of the illegality and potential consequences of their actions. | Details |