Daily Brief

2025-06-03 11:28:58 theregister CYBERCRIME DevOps Tool Misconfigurations Lead to Rampant Crypto Mining
Illicit crypto-mining group JINX-0132 is exploiting vulnerabilities in popular DevOps tools to hijack cloud computing resources and mine cryptocurrency. Tools targeted include HashiCorp's Nomad and Consul, Docker Engine API, and Gitea, with specific focus on settings left at insecure defaults. An estimated 25% of all cloud environments use one of these affected technologies, with 20% specifically utilizing HashiCorp Consul. About 5% of these deployments are directly exposed to the internet, and 30% of those exposed are misconfigured, making them susceptible to JINX-0132 attacks. Wiz Threat Research identified HashiCorp Nomad as particularly vulnerable due to default settings that lack necessary security measures. Docker API's misconfigurations allow attackers to control the Docker CLI, potentially escalating to Kubernetes or other hosts. Older Gitea versions have known vulnerabilities, but even secure versions risk exploitation if default settings are altered or the installation page is left unlocked. Immediate actions recommended include securing DevOps tools by changing default configurations and restricting internet exposure.
2025-06-03 11:01:31 thehackernews CYBERCRIME Help Desk Scams: A Growing Cyber Threat to Organizations
The article discusses the increasing prevalence and impact of help desk scams, focusing on significant losses faced by UK retailers such as Marks & Spencer and Co-op as a result of these attacks. Help desk scams involve attackers impersonating users to gain access to their accounts by convincing help desk personnel to reset credentials, including Multi-Factor Authentication (MFA). The attackers use a variety of social engineering tactics, often leveraging native English-speaking skills to build trust and manipulate the help desk process. These scams have proven effective for bypassing security measures like MFA and gaining control of high-value accounts with admin privileges, setting the stage for further malicious activities like data theft and ransomware deployment. Organizations are advised to introduce friction into their help desk processes, recognizing and mitigating risks, especially when dealing with high-privileged accounts. Despite the focus on help desk scams, the article emphasizes considering broader security strategies as these scams are part of a wider toolkit employed by threat actors like Scattered Spider, which includes identity-based tactics and advanced phishing methods. The article underscores the need for organizations to reinforce their help desks against such vulnerabilities, improving security protocols and employee training to prevent social engineering attacks.
2025-06-03 10:26:03 bleepingcomputer MALWARE Google Issues Urgent Fix for New Chrome Zero-Day Exploited in Wild
Google has released an emergency update for a Chrome zero-day vulnerability identified as CVE-2025-5419. The vulnerability, a severe out-of-bounds read/write issue in Chrome's V8 JavaScript engine, was reported by Google's own Threat Analysis Group. This is the third zero-day exploit found in Chrome since the beginning of the year, with prior vulnerabilities patched in March and May. The latest versions of Chrome addressing this security flaw—137.0.7151.68/.69 for Windows/Mac and 137.0.7151.68 for Linux—are being rolled out over the coming weeks. Users are advised to manually update their Chrome browsers via the Help section to install the security patch immediately. Google has restricted details of the exploit to prevent further abuse until a majority of users have implemented the update. Previous zero-day vulnerabilities patched by Google this year involved serious risks including malware deployment and account takeover upon exploitation.
2025-06-03 09:54:39 theregister DATA BREACH Cartier Alerts Customers of Data Exposure Following Cyber Intrusion
Cartier has notified its customers about a cyber incident where an unauthorized party accessed limited client information. The affected data includes names, email addresses, and countries of residence, but no payment or sensitive personal information was compromised. The jewelry giant has enhanced its system security and is collaborating with top external cybersecurity experts to address the breach. Cartier emphasizes the minor impact of the breach, suggesting that the exposed information is basic and possibly already available through previous breaches or open sources. Authorities have been informed of the breach, though Cartier has not revealed the total number of customers affected. The incident is part of a broader trend of recent digital security breaches impacting major brands like Adidas and Victoria’s Secret. Cartier urges all affected clients to stay vigilant for unusual or suspicious communications.
2025-06-03 09:37:58 thehackernews MALWARE Global Spread and Evolution of Android Trojan Crocodilus
A new Android banking trojan named Crocodilus is actively targeting users in Europe, South America, and other regions, masquerading as legitimate applications. ThreatFabric reports that Crocodilus uses advanced obfuscation techniques to evade detection and has capabilities to launch overlay attacks to steal banking and cryptocurrency credentials. The malware abuses Android accessibility services to capture cryptocurrency wallet seed phrases, enabling theft of virtual assets. Recent developments show the malware extending its operational scope to countries like Poland, Argentina, Brazil, India, Indonesia, and the United States. Distribution methods include deceptive ads on social platforms mimicking banks and e-commerce sites, and fake prompts for web browser updates or online casino applications. New features in the malware include the ability to add contacts in victims' phones, possibly to bypass new security measures introduced by Google. Crocodilus also features an automated seed phrase collector that targets specific cryptocurrency wallets, further enhancing its threat to financial security. These updates indicate not only enhanced technical sophistication but also a strategic expansion of the malware's reach globally.
2025-06-03 09:01:36 bleepingcomputer MALWARE Crocodilus Malware Tricks with Fake Contacts on Android Devices
The latest update of the Crocodilus malware introduces a feature that adds fake contacts to deceive Android users during calls. First documented in late March 2025, Crocodilus has since enhanced its data theft and remote control features and broadened its geographic targeting. New evasion tactics include code packing and layered XOR encryption, which complicate detection and reverse engineering. The malware can now create local contacts on infected devices, so that incoming calls from the attackers appear to come from a bank or another trusted entity. This version also improves data parsing before exfiltration, raising the quality of the stolen data. ThreatFabric's research highlights the rapid evolution of the malware and its increased use of social engineering techniques. Android users are advised to download apps only from Google Play or trusted sources and to keep Google Play Protect active.
2025-06-03 07:55:46 thehackernews MISCELLANEOUS Google Chrome to Restrict Trust in Two Certificate Authorities
Google Chrome announces plans to remove trust for digital certificates issued by Chunghwa Telecom and Netlock after July 31, 2025, due to compliance and conduct issues. Affected certificates will mainly relate to TLS (Transport Layer Security) server authentication from these providers. This decision follows observations of compliance failures, unmet improvement commitments, and insufficient progress addressing publicly disclosed incidents over several years. Users visiting websites with certificates from these authorities after the cutoff will receive a full-screen security warning in Chrome. Google advises website operators using these CAs to transition to new publicly trusted CAs to avoid disruptions. Enterprises can still manually trust these CAs by installing their root certificates locally on devices running Chrome. Similar action was previously taken against Entrust, whose certificate business was sold to Sectigo. Apple has also distrusted NetLock Arany certificates since November 2024. In March, the CA/Browser Forum adopted new security measures for domain control validation and for flagging insecure X.509 certificate practices.
2025-06-03 07:21:47 thehackernews NATION STATE ACTIVITY Microsoft and CrowdStrike Unite to Streamline Cyber Threat Identifications
Microsoft and CrowdStrike have collaborated to standardize their threat actor taxonomies through a joint mapping initiative. This initiative aims to clarify and align the diverse names assigned to hackers by various cybersecurity vendors, improving response time and analysis accuracy. The mapping encompasses several categories of hackers including nation-state actors, financially motivated groups, and private sector offensive actors. Previously, a single threat actor might be known under multiple aliases across different security organizations, complicating attribution and response. The partnership has already led to the deconfliction of over 80 adversaries, enhancing the ability to correlate data and track adversary campaigns across platforms. Although the current effort is a collaboration between Microsoft, CrowdStrike, Google’s Mandiant, and Palo Alto Networks' Unit 42, other companies are expected to join. The initiative is not meant to create a universal naming standard but to assist in the correlation of threat actor aliases and improve the overall attribution process.
2025-06-03 04:27:26 thehackernews MALWARE Google Patches Chrome Zero-Day Exploited by Attackers
Google released emergency security updates for Chrome to fix a critical zero-day vulnerability (CVE-2025-5419) exploited in the wild. The vulnerability involved an out-of-bounds read and write in the Chrome V8 engine, affecting all platforms. The exploit allowed attackers to cause heap corruption through a crafted HTML page, posing significant security risks. Detected and reported by Google's Threat Analysis Group, the flaw was patched within a day of its reporting. This marks the second zero-day vulnerability in Chrome that Google has addressed this year, following CVE-2025-2783. Chrome users are urged to update their browsers to the latest versions to protect against potential exploits. Other Chromium-based browsers like Edge and Opera are also recommended to update as patches become available.
2025-06-02 22:36:12 bleepingcomputer DATA BREACH Cartier Alerts Customers After Data Breach Exposes Personal Info
Cartier experienced a data breach that exposed customer personal information, including names, email addresses, and countries of residence. The luxury brand emphasized that no sensitive data such as passwords or credit card information was compromised. The incident was contained swiftly, and Cartier has enhanced its system protections to secure data more effectively. Customers have been urged to remain cautious of unsolicited communications that may use the stolen data for targeted attacks. Cartier has notified law enforcement and is collaborating with an external cybersecurity firm to investigate and remediate the breach. This breach comes amid a series of similar incidents affecting other major fashion brands, indicating a concerning trend of attacks targeting luxury brands. Despite the breach, Cartier reassures clients that immediate corrective actions have been implemented to prevent future incidents.
2025-06-02 20:08:28 theregister NATION STATE ACTIVITY Ukraine Conducts Covert Drone Strikes on Russian Military Airfields
Ukraine successfully executed "Operation Spiderweb," targeting Russian airbases using 117 drones, damaging over 40 aircraft and costing Russia an estimated $7 billion. Ukrainian President Volodymyr Zelenskyy revealed that the 18-month-long operation was coordinated across three time zones, inflicting significant damage on Russia's bomber fleet. The drones were strategically hidden in prefabricated cabins within trucks, which were unknowingly driven by Russian drivers to locations near military targets. Russian defense sources confirmed attacks on five airbases and reported extinguishing fires on several aircraft without civilian or military casualties. The Security Service of Ukraine (SSU) led by Lieutenant General Vasyl Maliuk emphasized that these strikes were in retaliation to persistent bombings by Russian forces and aimed at military airfields and strategic bombers. Ukrainian and Russian narratives differ on the impact and extent of the operation, highlighting ongoing information and physical warfare between the countries. Despite Russia's claims of repelling some attacks, Ukraine plans to continue such strikes as long as their territory remains under threat from Russian missile and drone attacks.
2025-06-02 18:39:29 bleepingcomputer CYBERCRIME The North Face Suffers Repeated Credential Stuffing Attacks
The North Face has notified customers of a credential stuffing attack in April that compromised personal data but not payment information. Owned by VF Corporation, The North Face is a major outdoor brand with annual revenues exceeding $3 billion, 42% of which is derived from e-commerce. Credential stuffing involves automated login attempts using username-password pairs from previous breaches; it primarily endangers accounts that lack multi-factor authentication (MFA). This incident marks the fourth similar cyberattack on The North Face's website since 2020, highlighting ongoing weaknesses. Data breach notifications have been issued following the discovery of the attack on April 23, 2025. An unrelated ransomware incident in December 2023 had impacted 35 million customers, a severe security breach for the company. The continued absence of mandatory MFA has drawn criticism, given the company's history of related breaches.
2025-06-02 18:24:52 bleepingcomputer MISCELLANEOUS Software Flaw Leads to Major Outage at SentinelOne
American cybersecurity firm SentinelOne experienced a seven-hour outage affecting multiple customer-facing services due to a software flaw. The outage was caused by an outdated infrastructure control system which incorrectly deleted critical network configurations. This incident occurred during a transition to a new cloud architecture built on Infrastructure-as-Code principles. Key customer services such as Unified Asset Management/Inventory and Identity services were disrupted, preventing access to vulnerability assessments and identity consoles. Programmatic access and Managed Detection and Response alerts were also affected, although direct customer endpoint protection remained unaffected. SentinelOne confirmed that the outage was not the result of a cyberattack but an internal software issue. The company has assured that threat data reporting was delayed but not lost, maintaining the overall integrity of security data.
2025-06-02 17:40:07 bleepingcomputer MISCELLANEOUS Google Chrome to Remove Trust in Chunghwa, Netlock Certificates
Google Chrome plans to distrust certificates from Chunghwa Telecom and Netlock starting August 1, 2025, due to ongoing compliance failures. Chrome will display privacy warnings on websites using these certificates, so web admins are urged to transition to trusted CAs. Despite past opportunities for improvement, both Chunghwa Telecom and Netlock have failed to meet Google's security compliance and improvement standards. Chunghwa Telecom and Netlock, previously trusted entities in the Chrome Root Store, are major providers of digital certificates in Taiwan and Hungary, respectively. The decision reflects Google's strengthened enforcement of security requirements following similar actions against other certificate authorities such as Entrust. Google's updated policy could lead to further CA distrust actions as the company tightens its security and compliance assessments. This action is specific to Google Chrome and does not affect other browsers such as Microsoft Edge, Mozilla Firefox, or Apple Safari.
2025-06-02 17:04:04 bleepingcomputer MISCELLANEOUS Microsoft and CrowdStrike Partner to Standardize Threat Group Names
Microsoft and CrowdStrike have formed a partnership to synchronize the aliases used for identifying specific hacking groups through their security platforms. The initiative involves creating a reference guide that maps out common names for hacking groups as used by both companies, which will allow for streamlined sharing and understanding of threat data. This collaboration does not aim to create a universal naming standard, but rather facilitates better communication and rapid response by allowing security teams to translate terminology across different systems. The partnership has already addressed the naming conventions for over 80 significant and active threat actors through direct, analyst-led efforts. Additional cybersecurity firms, including Google/Mandiant and Palo Alto Networks' Unit 42, are contributing to this initiative, with the potential for more companies to join. The ultimate goal of this initiative is to offer clearer attribution and enhance the ability for network defenders to track and counteract malicious activities efficiently, reducing confusion in overlapping threat actor tracking. According to leaders from both Microsoft and CrowdStrike, the success of this mapping project depends on it becoming a broad, community-led effort.