Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11815
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-06-03 23:26:00 | theregister | CYBERCRIME | Meta and Yandex Accused of Bypassing Privacy Protections | Researchers found that Meta and Yandex used listeners on Android localhost ports to link web browsing data to the identities of users signed in to their native apps. The technique sidesteps standard privacy measures such as cookie clearing and Incognito mode, because the browser-side identifier is handed to the app rather than kept only in browser storage. After the findings were published, Meta paused the tracking and said it was changing its systems to avoid potential violations of Google Play's data collection policies. The research showed that scripts embedded in websites, such as Meta Pixel and Yandex Metrica, could silently pass browser identifiers to the companies' native apps over localhost connections. Chrome and Firefox developers are working on countermeasures, and DuckDuckGo and Brave have already taken steps to block the method. The findings were published by computer scientists at several European institutions. A Meta spokesperson acknowledged the issue and said the company is in discussions with Google to clarify how the platform's policies apply and to address possible miscommunication. | Details |
| 2025-06-03 22:24:17 | theregister | NATION STATE ACTIVITY | Cybersecurity Giants Struggle with Standardizing Threat Actor Names | Microsoft and CrowdStrike announced a collaboration to reconcile their threat actor naming conventions, but it stops short of a single unified scheme. Major vendors continue to use their own aliases for the same groups, which complicates tracking. The initiative produces a mapping that correlates the names different organizations use for the same adversary. The disparity arises because each vendor attributes activity from its own telemetry and intelligence framework. Google and Palo Alto Networks likewise acknowledge that standardizing names is hard, since vendors have different visibility into threats and different attribution methods. Without a common vocabulary, defenders can lose time reconciling reports before they act on them. The collaboration aims to simplify terminology for customers, but a single industry-wide naming standard remains out of reach for now. | Details |
| 2025-06-03 21:03:55 | bleepingcomputer | CYBERCRIME | HPE Issues Urgent Fixes for Critical StoreOnce Security Flaws | Hewlett Packard Enterprise (HPE) has released patches for eight vulnerabilities in StoreOnce, its disk-based backup and deduplication software. The most severe, CVE-2025-37093, is an authentication bypass rated CVSS 9.8, with high impact on confidentiality, integrity and availability. The remaining seven are four remote code execution bugs, two directory traversal issues and a server-side request forgery. All of them affect HPE StoreOnce Software before version 4.3.11, and HPE urges customers to update. The bugs were reported through Trend Micro's Zero Day Initiative in October 2024, so roughly seven months passed before fixes shipped. There were no known reports of in-the-wild exploitation at the time of writing. Because StoreOnce is deployed in large enterprises, data centers and cloud service providers, HPE warns that unpatched systems present a significant risk. | Details |
| 2025-06-03 19:33:22 | theregister | CYBERCRIME | Google Deploys Urgent Fix for Chrome Zero-Day Exploit | Google pushed an emergency configuration change to block active exploitation of a Chrome zero-day tracked as CVE-2025-5419. The bug is an out-of-bounds read and write in the V8 JavaScript engine, which can expose memory contents or lead to arbitrary code execution. Google's Threat Analysis Group reported the flaw on May 27, and the configuration change went out to all Stable channel platforms the following day. The exploit was in use in the wild; Google has not said who was behind it or what they were after. The full patch, which also fixes a medium-severity bug in the Blink rendering engine, is rolling out in Chrome 137.0.7151.68/.69 for desktop platforms. It is the latest in a run of urgent Chrome updates this year, including a March fix for CVE-2025-2783, which was used in espionage attacks against Russian organizations. The US Cybersecurity and Infrastructure Security Agency has since added CVE-2025-5419 to its Known Exploited Vulnerabilities catalog. | Details |
| 2025-06-03 18:11:10 | theregister | MISCELLANEOUS | Skepticism Surrounds Elon Musk's New XChat Encryption Claims | Elon Musk announced XChat, a new messaging feature for X, formerly Twitter, promising major security improvements including "Bitcoin-style" encryption. Cryptographers quickly pointed out that Bitcoin does not encrypt anything in the sense a secure messenger does; it relies on hashing and digital signatures, so the phrase says little about XChat's actual design. Musk's description lists end-to-end encryption, vanishing messages, the ability to send any file type, and audio and video calling. Yet X's updated help page still states that the platform cannot guarantee protection against man-in-the-middle attacks and that messages could be accessed under compulsory legal process. Its explanation of how messages are encrypted matches that of the earlier encrypted DM feature, which was criticized for weak security, suggesting little has changed. Matthew Hodgson, CEO of the secure messaging company Element, criticized XChat for its lack of transparency: no audits and no open-source code to back the claims. X has not released a whitepaper or source code for XChat; Musk has said these might arrive "later this year", leaving the details unverifiable. | Details |
| 2025-06-03 17:46:29 | theregister | CYBERCRIME | The North Face Hit by Credential Stuffing, Customer Data Exposed | The North Face has disclosed what it calls a "small-scale credential stuffing attack", in which attackers logged in with username and password pairs stolen from other sites. The attackers accessed customer accounts and could view names, purchase histories, shipping addresses, preferences, birthdays and phone numbers; payment card data was not exposed. The credentials came from breaches of unrelated websites, not from The North Face's own systems. The company detected the suspicious activity on April 23 and reset the passwords of the affected accounts. Its notification stresses that card numbers could not have been taken because the site stores only a payment token, not full card details. The affected accounts are mainly US-based because of the way The North Face's website is geo-targeted. The company warns customers not to reuse passwords across sites and to watch for phishing attempts that reference this or similar breaches. | Details |
| 2025-06-03 17:23:31 | bleepingcomputer | DATA BREACH | Bribery-Driven Data Breach at Coinbase Linked to Indian Support Agents | The Coinbase data breach has been traced to support agents at an Indore, India site run by TaskUs, a customer support outsourcing firm, who were bribed by cybercriminals. TaskUs discovered the problem in January 2025 after an employee was caught photographing customer data on a work computer. Two TaskUs employees then admitted to passing Coinbase customer information, including financial details and Social Security numbers, to the criminals in exchange for bribes. Coinbase publicly disclosed the breach in May 2025, stating that rogue support agents had pulled customer data to support social engineering attacks. The attackers demanded a $20 million ransom; Coinbase refused and instead offered a $20 million reward for information leading to their arrest. Coinbase estimates the incident could cost up to $400 million and has begun notifying the affected customers, nearly 70,000 in total. TaskUs fired the employees involved, ended all Coinbase work in Indore and is coordinating with law enforcement. TaskUs believes the bribery was part of a larger organized campaign that also targeted other Coinbase service providers. | Details |
| 2025-06-03 15:49:41 | bleepingcomputer | CYBERCRIME | Malicious RubyGems Posing as Fastlane Steal Telegram API Data | Two packages on RubyGems impersonated the Fastlane Telegram plugin and silently redirected its Telegram Bot API requests to an attacker-controlled server. The data passing through that server includes chat IDs, message content, attached files, proxy credentials and bot tokens, and a bot token alone gives full control of the bot. The attack is a supply chain threat to Ruby developers who use Fastlane's Telegram plugin in their CI/CD pipelines. Socket researchers discovered the packages and warned the RubyGems community. The gems' pages claim the proxy does not store or modify traffic, but there is no evidence to support that, and nothing stops the operator from logging everything. Developers who installed either gem should remove it immediately and rotate any Telegram bot tokens that passed through it. The relay runs as Cloudflare Worker scripts, which hides the operator's infrastructure and makes it hard to assess how much data was taken. | Details |
| 2025-06-03 15:10:16 | thehackernews | MALWARE | Deceptive Websites Deploy NetSupport RAT Using Multi-Stage PowerShell Scripts | Threat hunters have uncovered a campaign that uses fake DocuSign and Gitcode websites to deliver NetSupport RAT through a chain of PowerShell scripts. Victims are first lured by social engineering, through email or social media, to the malicious sites. The chain begins when the victim is tricked into running a PowerShell command, which kicks off several stages of downloads and installs. One variant is a clipboard poisoning lure: a fake CAPTCHA check instructs the user to paste and run a command that the page has silently copied to the clipboard. Each PowerShell stage fetches the next, ending with the NetSupport RAT pulled from an attacker-controlled server posing as a legitimate service. The multi-stage design is meant to evade detection and to survive the takedown of any single piece of infrastructure. The URL and domain patterns resemble those seen in earlier SocGholish campaigns, hinting at a larger organized operation. NetSupport Manager is a legitimate remote administration tool, but the RAT built from it is widely abused by threat actors to gain unauthorized remote access to victims' systems. | Details |
| 2025-06-03 14:35:52 | bleepingcomputer | CYBERCRIME | Mozilla Introduces System to Combat Crypto-Draining Firefox Add-ons | Mozilla has launched a new early-detection system to catch malicious Firefox extensions built to drain cryptocurrency wallets. Each submitted extension gets a risk profile; when its risk score crosses a set threshold, the system alerts human reviewers to examine it. Extensions confirmed as malicious are blocked immediately so Firefox users cannot download or run them. Wallet-draining extensions have become a common attack vector, letting criminals steal private keys and funds from victims. Mozilla's Add-ons Operations team, led by Andreas Wagner, has removed hundreds of such extensions in recent years. The team keeps adjusting its detection methods as the attackers change their tactics. Wagner advises users to install a wallet extension only through the link on the wallet vendor's official website, to avoid impostors. The effort fits a broader trend of using automated screening to protect users and their assets. | Details |
| 2025-06-03 14:04:26 | bleepingcomputer | CYBERCRIME | Scattered Spider Revealed: Insights Beyond the Headlines | "Scattered Spider" is not one well-defined group but a loose set of cybercriminal activity that vendors track under different names. The initial intrusions usually rely on identity-based tactics, especially help desk scams in which the attacker persuades support staff to reset a password or MFA, bypassing multi-factor authentication and opening the way to data theft or ransomware. Despite the recent headlines, help desk scams have been a consistent technique of these actors since 2022, which points to a recurring weakness in corporate support procedures. The attackers target accounts that already hold administrative privileges, so they need little or no privilege escalation once inside the victim's network. Their toolkit also includes Attacker-in-the-Middle (AiTM) phishing kits that capture session tokens to bypass MFA. The recommended defences are to add deliberate friction to help desk processes and to strengthen identity verification before any credential or MFA reset. The article argues that organizations should adapt their security strategy to these evolving identity-based tactics rather than rely only on conventional controls. | Details |
| 2025-06-03 13:58:24 | bleepingcomputer | NATION STATE ACTIVITY | CISA Alerts on Exploited Security Flaws in ConnectWise, ASUS | CISA has warned that a patched remote code execution vulnerability in ConnectWise ScreenConnect is being exploited. The flaw, CVE-2025-3935, is an ASP.NET ViewState code injection: an attacker who obtains the server's machine keys can craft a ViewState payload that executes code on the server. ConnectWise has attributed recent attacks that used this flaw to a suspected nation-state actor. CISA also flagged vulnerabilities in ASUS routers and Craft CMS as being exploited. The ASUS RT-AX55 flaw in particular has been used to recruit routers into a botnet in a stealthy campaign attributed to sophisticated adversaries. These flaws are now in CISA's Known Exploited Vulnerabilities catalog, and federal agencies must apply the required mitigations by June 23. | Details |
| 2025-06-03 13:35:39 | theregister | MISCELLANEOUS | Microsoft Releases Fix for Problematic Windows 11 Patch | Microsoft has issued an out-of-band update, KB5062170, to fix a May Patch Tuesday update that left some Windows 11 systems stuck in recovery mode. The problem hit a limited number of machines, mostly virtual machines, which failed to boot with error code 0xc0000098 pointing at a missing or corrupt ACPI.sys. Because of that, it mainly affected enterprise IT environments; ordinary consumers were largely untouched. The new update resolves the boot failure but still carries a known issue: CJK fonts appear blurry in Chromium-based browsers at 100 percent scaling, for which Microsoft's workaround is to raise display scaling to 125 or 150 percent. Out-of-band updates, meant for urgent fixes, are becoming routine for Microsoft, raising questions about its quality control. The need for remedial patches extends to Windows Server as well as the client, reflecting broader problems in its update process. Microsoft does respond to these problems, but their recurrence has real consequences for enterprise administrators planning and testing rollouts. | Details |
| 2025-06-03 13:25:25 | bleepingcomputer | CYBERCRIME | Victoria's Secret Earnings Delayed by Cybersecurity Incident | Victoria's Secret has postponed its first quarter 2025 earnings release because of a cybersecurity incident on May 24 that affected its corporate systems. As a precaution the company shut down some corporate and in-store systems and its e-commerce website. It has brought in external cybersecurity experts to manage the response and restore systems. The website came back online on May 29, 2025, but restoration of other corporate systems is still under way. The incident has cut off access to systems and data the company needs to prepare and release its financial results. The release of results for the quarter ended May 3, 2025, and the accompanying webcast, have been rescheduled to a later date. The company has not said what kind of attack it suffered, though the systems shutdown is consistent with a ransomware incident. It is one of a string of recent cyberattacks on retailers worldwide. | Details |
| 2025-06-03 13:07:57 | thehackernews | MALWARE | Critical Decade-Old Roundcube Bug Exposes Systems to Cyber Threats | A critical vulnerability in the Roundcube webmail software, tracked as CVE-2025-49113, has been disclosed with a CVSS score of 9.9. The flaw has existed for ten years and lets an authenticated user execute arbitrary code on the server through unsafe PHP object deserialization of user-controlled input. It affects Roundcube Webmail before 1.6.11 and 1.5.10 LTS; both releases contain the fix. Kirill Firsov of FearsOff, a Dubai-based security firm, found and reported the bug; technical details and a proof-of-concept are expected shortly. Roundcube flaws have previously been exploited by state-sponsored groups such as APT28 and Winter Vivern, mainly for phishing and data theft. Administrators should upgrade to the fixed versions promptly, since the authentication requirement is a low bar once any single webmail account has been phished. | Details |