Daily Brief
Total articles found: 11822
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-05-27 14:28:30 | bleepingcomputer | MISCELLANEOUS | Prioritizing Real Risks: The Benefits of Exposure Validation | Over 40,000 new vulnerabilities were reported in 2024, with over 60% ranked as high or critical, raising concerns about the efficacy of current vulnerability prioritization methods. Traditional scoring systems like CVSS and EPSS may misrepresent the actual threat level to an individual environment, often overstating the impact because they lack environmental context. The Exposure Validation approach uses real-world simulations to test vulnerabilities in specific network environments, determining true exploitability against existing defenses. Techniques like Breach and Attack Simulation (BAS) and Automated Penetration Testing provide detailed insight into how attacks could realistically unfold, informing more accurate risk assessments. Exposure Validation helps recalibrate vulnerability scores based on actual defense capabilities and system criticality, reducing the perceived severity when defenses are effective. Organizations using exposure validation see significant decreases in the number of vulnerabilities classified as critical, focusing effort on genuine threats and improving overall security posture. Picus Security's Exposure Validation solution combines attack surface management with realistic testing methods to provide a pragmatic approach to vulnerability management, emphasizing real threats over theoretical risks. |
| 2025-05-27 14:20:59 | theregister | DATA BREACH | Adidas Customer Data Stolen from Third-Party Service Provider | Adidas alerted customers about a data breach originating from a third-party customer service provider, disclosing that personal contact information was stolen. The compromised data primarily includes details from consumers who previously interacted with Adidas' customer support; no highly sensitive information such as passwords or payment details was exposed. Adidas is actively notifying affected customers and has involved the relevant data protection and law enforcement authorities. Adidas took immediate action to contain the breach, including launching a thorough investigation with help from leading cybersecurity experts. The breach resembles a recent one at Coinbase, where customer and some corporate data were more extensively compromised via help desk staff. Adidas' incident appears less severe than Coinbase's in terms of data volume and sensitivity, but it still poses risks such as phishing attacks that use the stolen information. Although payment information was not affected, security experts advise affected Adidas customers to remain cautious of scams and phishing attempts that exploit their stolen data. |
| 2025-05-27 13:39:11 | bleepingcomputer | RANSOMWARE | MathWorks Hit by Ransomware, Service Outages Ensue | MathWorks confirmed that a ransomware attack caused its recent widespread service outages. The incident has disrupted online applications and internal systems since May 18. Customer-facing services such as the license center and the MathWorks store experienced significant downtime. Although multi-factor authentication and Single Sign-On were restored by May 21, some users still have issues with account creation and login. Federal law enforcement has been notified of the attack, but the specific ransomware group involved has not been disclosed. There is no information available on whether customer data was stolen or whether a ransom was paid. MathWorks employs over 6,500 staff globally and provides software used by more than 100,000 organizations. |
| 2025-05-27 12:31:27 | theregister | RANSOMWARE | Ransomware Disrupts MathWorks, MATLAB Licensing Still Compromised | A ransomware attack on MathWorks disrupted its flagship MATLAB software, affecting over five million users globally. MathWorks confirmed the ransomware incident following a significant outage that started on May 18 and was initially reported as multiple application issues. Critical disruptions include MATLAB's Licensing Center remaining offline, which severely affects new license verification for users. Although recovery efforts led by cybersecurity experts have restored most of MATLAB's functionality, some services still show degraded performance or remain offline. The impact extended to the education sector, hitting students during peak exam periods and resulting in missed deadlines and forced workarounds such as software piracy. MathWorks has notified federal law enforcement and is progressing toward full recovery, albeit slowly, with ongoing updates posted on its status page. Some commercial customers were less affected because they run their own MATLAB licensing servers, in contrast to the critical issues faced in educational settings. |
| 2025-05-27 11:54:07 | thehackernews | NATION STATE ACTIVITY | Russian-Linked Hackers Target NGOs in Espionage Campaign | Russian-affiliated hackers, identified as Void Blizzard, have conducted espionage targeting various sectors in NATO countries and North America. The group has been active since at least April 2024, focusing on government, defense, transportation, media, NGOs, and healthcare. Attacks are primarily aimed at collecting intelligence to support Russian strategic goals, particularly targeting entities supporting Ukraine. The hackers use phishing techniques, stealing login credentials to infiltrate organizations and extract sensitive emails and files. Recent tactics include spear-phishing using fake Microsoft Entra authentication pages, targeting over 20 NGOs in Europe and the U.S. After initial breaches, the group uses automation tools to harvest data extensively from Exchange Online and Microsoft Graph. The group's activities sometimes overlap with those of other Russian state actors, indicating shared intelligence objectives. Microsoft has observed a shift toward more direct methods of credential theft, emphasizing the need for robust cybersecurity measures in targeted sectors. |
| 2025-05-27 11:19:25 | bleepingcomputer | NATION STATE ACTIVITY | Russian Void Blizzard Cyberspy Group Linked to Dutch Police Breach | A Russian cyberespionage group called Void Blizzard compromised Dutch police data in September 2024, stealing officers' work-related information. Void Blizzard accessed the Global Address List of a police employee account using a stolen session cookie. The Netherlands' intelligence agencies warn that Void Blizzard may have targeted other national organizations, given the group's consistent patterns. The group, also known as Laundry Bear, has been active since at least April 2024, focusing on Ukraine and NATO member states. Void Blizzard's activities are aligned with Russian strategic goals, especially penetrating the government, defense, and critical infrastructure sectors. The group employs techniques such as spear-phishing and credential theft to breach target defenses and extract sensitive data. Microsoft highlights the significant risk the threat poses to NATO states and allies of Ukraine, especially in critical sectors such as transportation and defense. |
| 2025-05-27 11:02:19 | thehackernews | MISCELLANEOUS | Enhancing AI Security: Best Practices for Managing Non-Human Identities | Artificial intelligence (AI) is significantly boosting productivity in enterprises, necessitating the management of an increasing number of non-human identities (NHIs) such as service accounts and bots. For every human identity there are approximately 45 machine identities, each requiring secrets such as API keys or certificates for authentication. Unlike human identities, NHIs often lack strict policies for credential rotation or permission scoping, presenting a significant security risk. The proliferation of AI and machine learning models has accelerated the risk associated with these NHIs by enabling faster and more widespread access to sensitive data. Security vulnerabilities are introduced when AI tools such as chatbots inadvertently expose secrets, potentially leaking sensitive information to unauthorized parties. Implementing best practices such as auditing data sources, centralizing management of NHIs, preventing secrets leaks, improving logging security, and restricting AI data access is crucial for mitigating these risks. Raising developer awareness of secure AI deployment practices is essential for fostering a secure AI implementation environment. Organizations that prioritize robust governance of machine identities and secure AI deployments will be better positioned to harness the advantages of AI without compromising security. |
| 2025-05-27 09:55:42 | thehackernews | CYBERCRIME | Novel Payroll Fraud Campaign Targets Employee Mobile Devices | ReliaQuest discovered a new SEO poisoning campaign that exploits employee searches for payroll portals to commit fraud. Attackers create fake login pages that mimic company payroll portals, tricking employees into entering their credentials. Once credentials are stolen, attackers gain access to the payroll systems and redirect paychecks to their own accounts. The campaign routes attacker traffic through compromised home routers and mobile networks to disguise it, evading standard security tools. Attackers specifically target mobile devices because of their weaker security controls and connections over external networks, which complicates detection and mitigation. The campaign, detected in May 2025, is part of an ongoing operation with similar incidents traced back to late 2024. Defensive responses are hampered because the fake sites avoid scanning and inclusion in threat indicator feeds by exploiting web and router vulnerabilities. Residential and mobile IP addresses are used to further conceal the fraudulent login attempts, making the attacks difficult to track and attribute. |
| 2025-05-27 08:33:09 | bleepingcomputer | DATA BREACH | Adidas Announces Data Breach via Third-Party Service Hack | Adidas disclosed a data breach originating from a hacked customer service provider, exposing certain customer data. The stolen customer information did not include payment details or passwords, only contact information. Adidas has engaged information security experts for a comprehensive investigation and has taken steps to contain the incident. The company is notifying affected consumers and the relevant data protection and law enforcement authorities, in line with its legal obligations. Adidas has a recent history of data breaches, with incidents in Turkey and South Korea affecting customer information. Details such as the name of the affected service provider, the exact number of affected customers, and whether Adidas' own network was compromised remain undisclosed. Adidas reaffirmed its commitment to consumer privacy and security and expressed regret for the inconvenience caused. |
| 2025-05-27 07:15:21 | thehackernews | CYBERCRIME | FBI Warns Law Firms of Luna Moth's Stealth Phishing Attacks | The FBI has issued alerts about Luna Moth, a cyber extortion group targeting law firms using sophisticated social engineering tactics. Luna Moth employs callback phishing and poses as IT support to trick victims into granting remote access to their systems. Through telephone conversations and linked emails, victims are lured into installing malware, enabling unauthorized data access and theft. The attackers use legitimate remote access tools such as Zoho Assist and AnyDesk, making their actions less likely to be detected by standard security measures. Recently, Luna Moth adapted its strategy, directly contacting targets while pretending to be their company's IT personnel and guiding them to join remote access sessions. The group escalates privileges and employs tools such as Rclone and WinSCP to exfiltrate sensitive data, which is then used for extortion. Cybersecurity firms have tracked Luna Moth's high-frequency callback phishing schemes, which primarily target the legal and financial sectors in the U.S. The campaign involves registering helpdesk-themed domains to appear more credible, employing methods that are hard to detect and counter. |
| 2025-05-27 07:00:06 | thehackernews | NATION STATE ACTIVITY | Russia-Linked Hackers Use Weaponized Word Docs Against Tajikistan | The Russia-aligned group TAG-110 is targeting Tajikistan's government entities with macro-enabled Word documents. The spear-phishing campaign marks a tactical shift from HTML Application (.HTA) loaders to Word templates. These cyber espionage operations aim to influence regional politics or security amid sensitive events. TAG-110 overlaps with the Russian state-sponsored APT28, known for targeting European embassies and various governmental bodies across Central Asia and East Asia. The campaign uses Word documents disguised as government-related content to deliver malware. The macro in the Word documents places the template in a startup folder, ensuring persistence, and establishes communication with a command-and-control server. The nature of the campaign's secondary payloads remains uncertain, but they likely involve further deployment of malware such as HATVIBE or CHERRYSPY. |
| 2025-05-26 14:19:07 | thehackernews | MALWARE | Malicious npm and VS Code Packages Used in Data Theft | Over 60 malicious npm packages and eight VS Code extensions were identified, designed to steal data including IP addresses, DNS servers, and user directories. These packages transmit the stolen information to a Discord-controlled endpoint and have been downloaded more than 9,000 times in total. The malicious packages include sandbox evasion techniques and target multiple operating systems, including Windows, macOS, and Linux. Some npm packages mimic legitimate helper libraries while deploying destructive payloads that can delete files or crash systems. Threat actors hide harmful code within legitimate features of VS Code extensions to steal cryptocurrency wallet credentials. The abuse of open-source repositories and marketplaces by attackers underscores the ongoing risk of supply chain attacks. A sophisticated phishing attack using npm packages has also been connected to this malicious activity, showcasing hybrid threat tactics. Together, these incidents highlight the importance of vigilant monitoring and robust defenses against evolving threats. |
| 2025-05-26 09:32:36 | thehackernews | NATION STATE ACTIVITY | International Operation Disrupts Russian-Linked Malware Network | Collaboration between law enforcement and the private sector led to the takedown of major malware infrastructure, namely Lumma Stealer and DanaBot. Charges have been filed against 16 individuals allegedly involved in the development and operation of DanaBot, a versatile malware used for stealing data and hijacking banking sessions. DanaBot has notably been repurposed by Russian state hackers for more complex intrusion campaigns, underlining the danger of commodity malware being adapted for state-sponsored activity. Approximately 2,300 domains and 300 servers constituting the command-and-control network of the Lumma information stealer were seized, significantly disrupting its operations. Additionally, 650 domains used for launching ransomware attacks have been neutralized in recent actions under Operation Endgame, aimed at combating international cybercrime. The article underscores the importance of international cooperation in tackling cyber threats and highlights the evolving use of malware by nation states. |
| 2025-05-26 04:51:28 | thehackernews | MISCELLANEOUS | Essential Guide to Proactive Web Privacy Validation for CISOs | The CISO's guide emphasizes the importance of transitioning from static, audit-based privacy programs to dynamic, continuous monitoring to ensure web privacy. It reveals a concerning trend: 70% of major US websites continue to track users via cookies even after the user opts out, failing to uphold their privacy commitments. Continuous web privacy validation tools are advocated to ensure compliance by actively monitoring websites and third-party scripts in real time. The article discusses the inadequacy of traditional reactive privacy measures, which often lead to undetected privacy violations and regulatory penalties. Examples include a global retailer and a bank that faced severe financial penalties and reputational damage because of undetected third-party scripts that violated privacy regulations. Less than a quarter of companies are confident in their privacy compliance; continuous validation can improve confidence by integrating with existing security processes and minimizing additional operational overhead. It urges CISOs to prepare for the stringent regulations planned for 2025, including the EU AI Act and New Hampshire's NHPA, by implementing robust web privacy validation now. |
| 2025-05-26 04:35:18 | theregister | DATA BREACH | Government Staff and Messaging Security Breach Uncovered | A security breach at TeleMessage exposed sensitive communications involving over 60 government workers, including a White House staffer and Secret Service members. The leaked data included messages from the Trump administration, was publicly reported by Reuters, and appeared on Distributed Denial of Secrets. Europol announced Operation Endgame II, resulting in 20 arrests and the disruption of five major malware groups including Qakbot and DanaBot, and the seizure of €21.2 million. Cybersecurity experts propose a new predictive model for patch prioritization that could improve current vulnerability management practices. CISA and other agencies are using systems such as the Exploit Prediction Scoring System and proposing a new likely exploited vulnerabilities list to better predict and address security threats. GoDaddy reached a settlement with the FTC over severe security failings that went unnoticed for three years, leading to customer outages and infected sites. A vast trove of 184 million unique login credentials was discovered unsecured online by a vpnMentor researcher and is suspected to have been compiled using infostealer malware. |