Daily Brief
Find articles below; see 'DETAILS' for generated summaries.
Total articles found: 11821
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-28 10:20:51 | bleepingcomputer | MISCELLANEOUS | Apple Blocks $9 Billion in App Store Fraud Over Five Years | Apple successfully prevented over $9 billion in fraudulent App Store transactions in the past five years, including $2 billion in 2024 alone. The company identified nearly 4.7 million stolen credit card details and blocked 1.6 million accounts from any further transactions. Apple's App Review team rejected around 1.9 million out of 7.7 million app submissions for failing to meet privacy and security standards. In 2024, Apple removed 143 million fraudulent ratings and reviews and over 9,500 deceptive apps from search results to protect users. Around 320,000 app submissions were rejected for being misleading copycats, and 43,000 were denied for using undocumented features. The company terminated 146,000 developer accounts for suspected fraudulent activities and prevented the creation of 711 million user accounts over fraud concerns. Apple advises customers to report any suspicious activities related to app downloads directly through their designated reporting channel. | Details |
| 2025-05-28 10:05:15 | theregister | DATA BREACH | The Persistent Threat of Password Attacks in 2025 | In 2025, poor password management remains a critical vulnerability linked to numerous data breaches. Verizon's 2025 Data Breach Investigations Report finds that 38% of digital attacks involve credential abuse or phishing. Common password pitfalls include predictable passwords like '123456' or 'Password' and the use of easily deducible personal information. Despite advances in authentication technologies like biometrics and passkeys, passwords are still prevalent due to implementation challenges and limited adoption. Intruders continue to exploit weak passwords through brute force or credential stuffing, targeting thousands of accounts simultaneously. Specops provides tools like Specops Password Policy to enforce stringent password policies and detect compromised credentials in real time for organizations like Mid Cheshire NHS Foundation Trust. Updated guidelines advise against routine password expiration, recommending changes only when there is suspicion of compromise, to prevent insecure incremental updates. Enhanced password management features in tools like Specops Password Policy help organizations like Greater Manchester West Mental Health NHS Foundation Trust meet stricter security standards and customize password requirements for different user groups. | Details |
| 2025-05-28 09:41:04 | thehackernews | MALWARE | How 'Browser-in-the-Middle' Attacks Compromise Online Security | Browser-in-the-Middle (BiTM) attacks allow cybercriminals to control the victim's online session by using a transparent remote browser. Unlike Man-in-the-Middle (MitM) attacks that require malware and a proxy server, BiTM attacks deceive users into thinking they are on their own browser, when in fact it is controlled by the attacker. BiTM attacks focus on stealing session tokens post-multi-factor authentication (MFA), bypassing the need for additional verification. Attackers can quickly and covertly capture cookies or OAuth tokens, relaying them to their servers within seconds and putting sensitive user data at risk. The rapid exfiltration capability of these attacks makes them a significant threat to personal and organizational cybersecurity. Mitigation calls for rigorous security practices including cautious link access, strong passwords, continuous updates to password policies, and effective MFA. Despite the advanced nature of BiTM, fundamental security measures like robust passwords remain crucial in safeguarding against such attacks. | Details |
| 2025-05-28 09:32:33 | thehackernews | CYBERCRIME | Coordinated Cloud-Based Scanning Targets Multiple Web Technologies | Cybersecurity firm GreyNoise detected cloud-based scanning across 75 exposure points on May 8, 2025. The scanning involved 251 malicious IPs hosted by Amazon and geolocated to Japan, targeting technologies like Adobe ColdFusion, Apache Struts, and Elasticsearch. These IPs exhibited behaviors such as exploiting known CVEs, probing for misconfigurations, and conducting reconnaissance activities. The IP addresses were previously inactive and resumed inactivity post-operation, suggesting they were temporarily rented for this specific campaign. Scanning targeted a broad set of technologies, indicating an indiscriminate approach to finding exploitable systems. Significant overlap among scanned IPs for different vulnerabilities suggests a single operator or toolset was used. GreyNoise recommends immediate blocking of these IPs, cautioning that future attacks might use different infrastructure. | Details |
| 2025-05-28 06:47:11 | theregister | RANSOMWARE | DragonForce Ransomware Exploits MSP via RMM Tool Flaws | DragonForce ransomware infected a managed service provider (MSP) by exploiting vulnerabilities in the SimpleHelp remote monitoring and management (RMM) tool. The ransomware spread to multiple endpoints, involving data theft and double-extortion tactics to demand a ransom. The breach not only affected the MSP itself but extended to its numerous customers through the distribution capability of the compromised RMM tool. Researchers traced the origin of the attack to a chain of vulnerabilities in SimpleHelp, all of which had been previously patched, highlighting the importance of timely updates. The attack exemplifies a significant supply-chain risk, with attackers leveraging the MSP's infrastructure to maximize impact across multiple customer networks. Security firm Sophos initially identified the suspicious activity and has since published indicators of compromise to aid other organizations in detection and defense. Authorities in both the US and UK had previously issued warnings about attackers exploiting these specific vulnerabilities in SimpleHelp. | Details |
| 2025-05-28 06:13:31 | thehackernews | CYBERCRIME | Apple Thwarts $9 Billion in App Store Fraud Over Five Years | Apple has blocked over $9 billion in fraudulent transactions within the past five years to protect App Store users. In 2024 alone, Apple prevented fraudulent activities amounting to more than $2 billion. The tech giant has terminated around 46,000 developer accounts and rejected 139,000 developer enrollments due to security concerns. Apple also rejected approximately 711 million customer account creations and disabled nearly 129 million accounts to combat spam and manipulation of App Store operations. This extensive vigilance is in response to various threats, ranging from deceptive apps that capture personal data to fraudulent payment processes targeting users. This crackdown on fraud comes as Apple faces heightened scrutiny and legal challenges regarding its App Store policies, including a recent U.S. ruling impacting in-app purchase directions. Concurrently, Google also reported blocking millions of policy-violating apps and banning numerous developer accounts in efforts to safeguard its users on the Google Play store. | Details |
| 2025-05-28 02:23:34 | theregister | MISCELLANEOUS | ASUS Targets Business Market with Durable PCs and Free AI Tools | ASUS is shifting its focus towards the business PC market to climb the global PC-maker rankings, where it is currently positioned as the fifth most prolific. Emphasizing durability, ASUS business PCs feature robust USB ports and dual sockets for memory and SSDs, aiming to reduce maintenance costs and extend product life. The company installs physical Trusted Platform Modules on business PCs and commits to updating BIOSes for five years. ASUS has developed on-device AI tools like "ExpertMeet" for meeting assistance and "AI Search" for data management, offered for free to attract small-to-medium business clients. Despite integrating AI capabilities, ASUS will remove AI features for larger buyers due to data security and privacy concerns. Shawn Chang, Head of Go-To-Market at ASUS, observes high interest in AI among businesses but notes a lack of practical application, influencing their strategy to offer PCs with or without AI. ASUS announced its inaugural range of AI PCs with various form factors and processor options at the recent Computex event in Taiwan. | Details |
| 2025-05-27 23:54:55 | theregister | MALWARE | Malicious AI Tool Ads on Social Media Deliver Malware | Malicious actors identified as UNC6032 target users on Facebook and LinkedIn with ads for fake AI video generator tools. These ads have redirected over two million users to more than 30 fraudulent websites posing as legitimate AI services. Interaction with these sites results in the download of a ZIP file containing STARKVEIL malware, which includes keyloggers and data theft components. Mandiant, a threat intelligence team from Google, traced the campaign's origins to Vietnam, highlighting its extensive reach but an unclear victim count. Despite the large audience reach, the actual number of malware infections remains uncertain, as reported by Mandiant officials. Meta has taken proactive measures by removing the malicious ads, blocking URLs, and deactivating related accounts, often preemptively. The malware suite used in these campaigns is designed to steal sensitive information such as login credentials, credit card details, and other personal data. Mandiant praised Meta's efforts in combating these threats and suggested that users remain vigilant against seemingly innocuous online ads. | Details |
| 2025-05-27 23:13:07 | bleepingcomputer | CYBERCRIME | DragonForce Ransomware Attack via MSP's SimpleHelp Tool | DragonForce ransomware breached a managed service provider by exploiting vulnerabilities in the SimpleHelp tool. The attackers used SimpleHelp for reconnaissance, gathering vital information about MSP customers, including device names, configurations, and network details. Subsequent data theft and ransomware deployment affected several downstream customers, leading to double-extortion scenarios. Sophos, the cybersecurity firm, was enlisted to investigate and mitigate the impact, identifying older vulnerabilities exploited by the attackers. Protective measures by Sophos blocked some attacks, but other customers experienced device encryption and loss of sensitive data. Significant ransomware incidents continue, with DragonForce targeting major UK retailers and substantial customer data breaches reported. Increased affiliation strategies and ransomware-as-a-service offerings by DragonForce indicate a shift towards a 'cartel' model aiming for broader impact across industries. | Details |
| 2025-05-27 21:48:37 | bleepingcomputer | CYBERCRIME | DragonForce Ransomware Exploits MSP to Attack Customer Networks | The DragonForce ransomware operation compromised a managed service provider (MSP) using the SimpleHelp remote monitoring and management platform. The attackers exploited older vulnerabilities in SimpleHelp identified as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726. Initial attack stages involved reconnaissance on MSP customer systems, collecting critical information like device configurations and network connections. Subsequent attack phases focused on data theft and deploying ransomware for double-extortion tactics; some attempts were blocked by Sophos security solutions. Impact varied across affected networks, with several customers experiencing data encryption and significant data theft. Sophos has disseminated Indicators of Compromise (IOCs) to aid organizations in bolstering their network defenses. The incident underscores the heightened risk to MSPs from ransomware groups, given their access to multiple networks via a single entry point. DragonForce is increasing its market presence, partly through high-profile attacks and a ransomware-as-a-service (RaaS) model to attract affiliates. | Details |
| 2025-05-27 19:19:24 | thehackernews | CYBERCRIME | Cybercriminals Use Cloned Antivirus Site to Deploy Venom RAT | Cybersecurity experts have uncovered a new scheme in which attackers clone an antivirus website to spread Venom RAT and steal cryptocurrency. The fake site, mimicking Bitdefender, encourages downloads of a compromised "BitDefender.zip" file, initiating malware installation. The ZIP file contains Venom RAT for persistent access, StormKitty for stealing passwords and digital wallet information, and SilentTrinity to help attackers remain undetected and maintain control. DomainTools Intelligence links the false Bitdefender site to other phishing domains used for credential theft from institutions like Royal Bank of Canada and Microsoft. The approach uses open-source components in a "build-your-own-malware" method, increasing the attacks' efficiency and stealth. This campaign is part of a broader trend involving sophisticated modular malware and coordinated phishing attempts to exploit social media and financial accounts. Additional threats include a deceptive Google Meet page and phishing attacks leveraging Google's AppSheet platform to bypass security measures and harvest credentials and 2FA codes. | Details |
| 2025-05-27 19:19:24 | bleepingcomputer | CYBERCRIME | Iranian National Admits to Major US Ransomware Extortions | Iranian citizen Sina Gholinejad pleaded guilty to attacks involving Robbinhood ransomware. The cyberattacks, spanning from 2019 to 2024, targeted U.S. cities and health organizations. Victims included Baltimore, Greenville, and several nonprofit entities; ransom was demanded in Bitcoin. Ransomware operations involved data theft and using stolen information to pressure victims further. Attacks utilized a compromised Gigabyte driver to disable antivirus software and facilitate the malware deployment. Gholinejad and accomplices used advanced tactics like VPNs and cryptocurrency mixers to obscure their identities. The guilty plea was entered in a North Carolina federal court; Gholinejad faces up to 30 years in prison. | Details |
| 2025-05-27 17:56:41 | theregister | NATION STATE ACTIVITY | New Russian Cyber-Spy Group Targets Western Tech and NATO | A new Russian cyber-spy group, referred to as Laundry Bear by Dutch intelligence and Void Blizzard by Microsoft, has been actively conducting espionage since at least April 2024. The group, believed to be backed by the Russian government, has targeted Dutch police, NATO members, Western tech firms, and organizations linked to defense, aerospace, and space technology. Laundry Bear has been involved in credential-stealing attacks and has also breached several Ukrainian aviation organization user accounts. Microsoft reports that the group uses stolen credentials to access organizations' systems, where it then collects large amounts of emails and files. In a recent development, Void Blizzard has added spear-phishing with typosquatted domains to its tactics, enhancing its ability to target NGOs in Europe and the US through deceitful European Defense and Security Summit invitations. The campaign uses sophisticated methods such as the Evilginx kit to intercept data during the fake registration process, posing an increased risk to critical sectors. Microsoft has observed that, in some instances, the threat actor has accessed Microsoft Teams conversations and heavily utilized legitimate cloud APIs for extensive data extraction. Dutch and Microsoft intelligence state that while Laundry Bear shares tactics with another Russian group, APT28, they operate as separate entities. | Details |
| 2025-05-27 16:29:43 | thehackernews | MALWARE | New Malware Infects Docker to Mine Dero Cryptocurrency | A new self-spreading malware campaign targets misconfigured Docker API instances for cryptocurrency mining. The malware exploits insecurely published Docker APIs to initially access containerized infrastructure, then uses it to create and propagate a cryptojacking network. Designed with worm-like capabilities, the malware autonomously searches for other vulnerable Docker instances to infect and incorporate into the mining botnet. Two main components drive the attack: a propagation tool disguised as "nginx" to evade detection and a "cloud" miner specifically for Dero cryptocurrency mining. The "nginx" component not only mimics the legitimate nginx server but also generates and infects new Docker containers remotely, installing the tools needed to perpetuate further spread. This campaign includes mechanisms for persistence on infected systems, ensuring continued operation and spread of the mining malware. Overlaps with previous campaigns targeting similar infrastructure were noted, suggesting an ongoing or evolving threat targeting Docker and Kubernetes environments. Security experts warn of the increased exploitation of containerized environments and the necessity of securing Docker APIs to prevent such attacks. | Details |
| 2025-05-27 14:28:30 | bleepingcomputer | MISCELLANEOUS | Prioritizing Real Risks: The Benefits of Exposure Validation | Over 40,000 new vulnerabilities were reported in 2024, with over 60% ranked as high or critical, raising concerns about the efficacy of current vulnerability prioritization methods. Traditional scoring systems like CVSS and EPSS may misrepresent the actual threat level to individual environments, often overstating the impact due to a lack of contextual understanding. The Exposure Validation approach uses real-world simulations to test vulnerabilities in specific network environments, determining true exploitability against existing defenses. Techniques like Breach and Attack Simulation (BAS) and Automated Penetration Testing provide detailed insights into how attacks could realistically unfold, informing more accurate risk assessments. Exposure Validation helps recalibrate vulnerability scores based on actual defense capabilities and system criticality, reducing the perceived severity when defenses are effective. Organizations using exposure validation see significant decreases in the number of vulnerabilities classified as critical, focusing efforts on genuine threats and improving overall security posture. Picus Security's Exposure Validation solution combines attack surface management with realistic testing methods to provide a pragmatic approach to vulnerability management, emphasizing real threats over theoretical risks. | Details |