Daily Brief

Find articles below, see 'DETAILS' for generated summaries

Total articles found: 11822

Checks for new stories every ~15 minutes

2025-05-22 08:26:53 thehackernews MALWARE Global Law Enforcement Disrupts Major Lumma Malware Network
Law enforcement and private-sector partners dismantled the command-and-control infrastructure of the Lumma Stealer malware, seizing about 2,300 domains. The U.S. Department of Justice says Lumma has enabled a range of crimes through stolen data such as login credentials and cryptocurrency wallet details, and the FBI links roughly 10 million infections worldwide to it; the live domains were seized to cut victims off from the operators and stop further data theft. Microsoft, working with partners including ESET and Cloudflare, identified more than 394,000 infected Windows computers globally. Operational since late 2022 and sold as a service on Russian-language forums, Lumma let buyers customize and deploy their own builds; its developer, known as "Shamel" and based in Russia, sold subscriptions ranging from $250 to $20,000 for the most capable tiers. Recent campaigns delivered the malware through fake reCAPTCHA pages that instruct the visitor to paste and run a command. The takedown is a significant blow to one of the most widely used infostealers and shows how cybercrime disruption increasingly pairs legal action with private-sector telemetry.
2025-05-21 22:16:59 bleepingcomputer CYBERCRIME Critical Flaw in Samlify Allows Admin Impersonation
A critical vulnerability in the Samlify SAML library, which is used to implement SAML single sign-on in Node.js applications, lets attackers impersonate administrators. Tracked as CVE-2025-47949, it is an XML Signature Wrapping flaw affecting all versions before 2.10.0. An attacker who holds a legitimately signed SAML response can inject an additional, unsigned assertion into it: Samlify verifies the signature on the document but does not ensure that the assertion it then consumes is the one the signature covers, so the forged assertion is accepted. Samlify sees over 200,000 downloads a week and is embedded in SaaS platforms, internal tools, and federated identity setups. No in-the-wild exploitation has been reported, but users should update to 2.10.0 immediately. The flaw allows a complete SSO bypass and privileged access without any user interaction.
2025-05-21 21:39:24 theregister CYBERCRIME US Teen Pleads Guilty to Extortion and Hacking Education Software
Matthew Lane, a 19-year-old Assumption University student, conspired to extort a telecommunications company and a school software provider that has been identified as PowerSchool, which holds sensitive data on approximately 60 million students and 10 million teachers across North America. Lane and an accomplice first tried to extort $200,000 in Bitcoin from the telecommunications company by threatening to leak stolen customer data. When that failed, Lane accessed PowerSchool's systems using a contractor's credentials, stole data, and threatened to release it unless paid 30 Bitcoin (approximately $2.85 million). PowerSchool said it paid to have the stolen data deleted, but the data was later used in further extortion attempts, showing that the deletion promise was not honored. Lane has agreed to plead guilty to charges including cyber extortion, unauthorized access, and aggravated identity theft, and will forfeit $160,981 linked to the scheme. He faces up to 17 years in prison, a $250,000 fine, and three years of supervised release; the identity theft count carries a mandatory minimum of two years.
2025-05-21 21:24:43 bleepingcomputer NATION STATE ACTIVITY Russian Hackers Target Aid Routes to Ukraine for Disruption
APT28, a Russian state-sponsored group, has been compromising international organizations since 2022 to disrupt aid flowing to Ukraine. Targets span defense, transportation, IT services, air traffic control, and maritime organizations across 12 European nations and the U.S. The campaign includes surveillance through compromised internet-connected cameras at key points such as border crossings and military sites. Initial access comes from password spraying, spear-phishing, and exploitation of Microsoft Exchange vulnerabilities. Once inside, the actors move laterally, collect data with native commands, and enroll compromised accounts in MFA to keep access after password resets. More than 10,000 camera feeds, primarily in Ukraine, have been targeted to monitor and potentially disrupt aid movements. A joint international cybersecurity advisory details the tactics, provides mitigations, and lists indicators of compromise to help organizations defend against the campaign.
2025-05-21 19:23:37 theregister NATION STATE ACTIVITY Russian Cyber Spies Target Western Logistics in Coordinated Attack
Russian military intelligence, GRU unit 26165 (Fancy Bear), has been targeting logistics providers across several Western and NATO countries, including technology companies and government organizations involved in aid to Ukraine. The intrusions touched air, sea, and rail transport and extended to surveillance of internet-connected cameras at Ukrainian border crossings. The campaign, ongoing since 2022, relied on spear-phishing, credential theft, and exploitation of vulnerabilities in software such as Microsoft Exchange and WinRAR. The operators sought strategic information such as shipment schedules and the details of personnel coordinating deliveries, which bears directly on Russia's interests around Ukraine. A joint advisory issued by twenty-one government agencies from countries including the US, UK, Canada, and Germany underlines the severity and breadth of the espionage effort and names two backdoors, Headlace and Masepie, used in the intrusions. The advisory urges organizations in the targeted sectors to monitor for the listed indicators, tighten authentication, and raise their defensive posture against this actor.
2025-05-21 19:07:43 theregister CYBERCRIME Global Task Force Shuts Down Lumma Malware Network, Seizes Domains
International law enforcement, working with Microsoft's Digital Crimes Unit and the FBI, dismantled the distribution network for the Lumma malware, seizing web domains and backend infrastructure. Lumma was tied to over 1.7 million data theft incidents and roughly 10 million infections; credit card fraud enabled by the malware alone accounted for an estimated $36.5 million in losses in 2023. First identified in 2022 and rented out for $250 to $1,000 per month, the stealer targeted sensitive data across sectors including finance and healthcare. Microsoft identified over 394,000 infected Windows computers between March and May 2025, which drove the multinational action and the seizure of over 2,300 related domains. The malware's administrator, believed to be based in Russia, tried to evade the takedown by standing up new user-panel sites, which were seized in turn. Earlier phishing campaigns, including one impersonating Booking.com, used Lumma to commit financial fraud against victims ranging from online communities to critical infrastructure operators.
2025-05-21 18:13:30 thehackernews NATION STATE ACTIVITY Russian APT28 Targets Western Logistics in Espionage Campaign
Russian state-sponsored hackers identified as APT28 have targeted entities involved in aiding Ukraine since 2022. The campaign is espionage-focused, aimed at Western logistics and technology companies that manage aid to Ukraine. APT28 exploits vulnerabilities in email systems and VPNs and uses password spraying, spear-phishing, and manipulation of mailbox permissions to gain and keep access. The operations have compromised dozens of firms across NATO member states and other countries including Bulgaria, France, Italy, and the United States, spanning defense, transportation, and IT services, with a focus on organizations that coordinate transport and logistics. For post-exploitation the group uses tools such as Impacket for lateral movement and Certipy for extracting Active Directory information, and it monitors aid shipments by accessing internet-connected cameras at Ukrainian border crossings. The most recent campaigns also use fake reCAPTCHA pages hosted on cloud storage platforms to distribute malware.
2025-05-21 17:39:00 theregister DATA BREACH Coinbase Insider Data Leak Affects 70,000 Users, Prompting SEC Filing
Coinbase confirmed a data breach in which bribed support staff leaked data on 69,461 users. The breach began on December 26, 2024, but was not discovered until May 11, 2025. Affected users received notification letters, the breach was reported to the Maine Attorney General, and it was disclosed in a Form 8-K filing to the SEC on May 15. The stolen data did not include passwords or anything granting direct account access; the main risk is social engineering of the affected customers. Coinbase fired the complicit support staff and has not disclosed where they were based, although job postings suggest support centers in the UK, Ireland, India, the Philippines, and Japan. Remediation costs are estimated at $180 million to $400 million, and the investigation into the full extent of the damage is ongoing. The company is offering identity protection services to affected customers, has implemented stronger internal controls, and has posted a $20 million bounty for information leading to the arrest and conviction of those responsible.
2025-05-21 17:32:23 bleepingcomputer RANSOMWARE Advanced Ransomware Attack Utilizes IT Spoofing and Email Bombing
A ransomware group known as 3AM has been running targeted attacks that combine email bombing with spoofed IT support calls to trick employees into handing over remote access. The attackers flood a target's inbox, then call from a phone number spoofed to look like the internal IT department and offer to fix the problem, which yields a remote session into the network. From there they deliver a malicious archive containing a script and a QEMU virtual machine emulator, using the emulated machine to run a backdoor that evades endpoint detection. The intrusion then progressed to network reconnaissance, creation of administrative accounts, installation of remote management software, and large-scale data exfiltration. In one recent incident the mass encryption attempt was blocked by security tooling, but the attackers still exported 868 GB of sensitive data to an external cloud storage service over three days. Sophos, which documented the attacks, recommends auditing accounts, deploying extended detection and response (XDR) tooling, enforcing signed-script policies, and training staff to recognize this kind of phishing. The actors behind 3AM are believed to be linked to earlier ransomware operations such as Conti and Royal.
2025-05-21 16:04:13 bleepingcomputer MALWARE Global Crackdown on Lumma Malware Disrupts Cybercrime Operations
A coordinated global action seized over 2,300 domains and dismantled key infrastructure of the Lumma malware-as-a-service operation earlier this month. The effort involved Microsoft, the DOJ, Europol, and Japan's JC3, along with tech firms including Cloudflare, ESET, and BitSight. Microsoft's court-backed action led to the identification of approximately 394,000 infected Windows computers worldwide, while the DOJ and Europol targeted the malware's control panels and marketplaces, cutting the operators off from the infrastructure they use to distribute the stealer and manage stolen data. Cloudflare added its Turnstile challenge to the interstitial warning pages so the malware operators could no longer bypass them automatically. The crackdown damaged Lumma's operations and imposed significant financial losses on both its operators and its customers. Lumma, known for its data theft capabilities, is distributed through channels including GitHub and malvertising. The disruption is expected to force the operators and their customers to rebuild on new infrastructure, raising their costs and operational complexity.
2025-05-21 15:38:34 theregister DATA BREACH Delta Proceeds with Lawsuit Against CrowdStrike for Damages
Delta Air Lines is suing cybersecurity firm CrowdStrike for negligence and computer trespass after a faulty update disrupted its operations. The July 2024 update to CrowdStrike's Falcon sensor caused Blue Screens of Death on approximately 8.5 million Windows machines globally and forced Delta to cancel around 7,000 flights, with lasting operational and customer-service fallout. The court dismissed Delta's allegations of intentional misrepresentation and fraud by omission, but the remaining claims will proceed. Because of contractual limitations, Delta's potential damages are capped in the single-digit millions even in the worst case, and CrowdStrike says it remains "confident" that any award will be limited despite the scale of the disruption. The incident also triggered a US Department of Transportation investigation and a separate class-action lawsuit from affected passengers. Delta blames both CrowdStrike and Microsoft for the severity of the outage; Microsoft denies responsibility.
2025-05-21 15:19:50 bleepingcomputer MALWARE Over 100 Malicious Chrome Extensions Mimic Legit Tools
A campaign on the Google Chrome Web Store involved over 100 malicious browser extensions impersonating legitimate tools such as VPNs, AI assistants, and crypto utilities. The extensions are dual-purpose: they deliver some of the promised functionality while secretly connecting to attacker-controlled infrastructure to steal user data and fetch commands. They were found to modify network traffic for ad injection, redirection, and proxying, and were promoted through more than 100 fake domains. Researchers identified dangerous permissions that let the extensions steal browser cookies and session tokens, inject scripts dynamically, and carry out DOM-based phishing. One extension, "fortivpn", could steal cookies, modify traffic, and route the user's traffic through attacker-controlled servers. The resulting exposure ranges from account hijacking, personal data theft, and browsing surveillance to corporate network compromise through a legitimate company VPN device or account. Google has removed many of the identified extensions, but the researchers note that the actor keeps publishing new ones and that the lag between publication and removal leaves a window of exposure. Users are advised to install extensions only from reputable publishers and to read reviews for red flags.
2025-05-21 14:49:03 theregister MISCELLANEOUS Google Expands Sovereign Cloud Services Amid Global Demand
Google has expanded its sovereign cloud offerings to address growing concerns about data sovereignty and security. The portfolio now includes air-gapped and region-specific options. Google Cloud Air-Gapped is a fully standalone environment for customers with the strictest requirements, such as intelligence and defense, that must keep operating without any connection to external networks. Google Cloud Dedicated, developed with Thales, is built to meet local sovereignty standards and ships with specialized hardware for AI workloads. Google Cloud Data Boundary lets customers control where data is stored and processed, and adds a new User Data Shield to further protect applications. The expansion responds to customer unease over U.S. dominance of digital infrastructure and the possibility of foreign government access to sensitive data. Google positions the lineup as a set of tailored options for different regulatory requirements rather than a one-size-fits-all model. Amazon and Microsoft have also recently stepped up efforts to meet European demand for data sovereignty amid rising geopolitical tension. Google's president of customer experience, Hayete Gallot, says global instability is driving demand for flexible and secure sovereign cloud options.
2025-05-21 14:11:06 bleepingcomputer MISCELLANEOUS ThreatLocker Enhances Patch Management for Modern Cyber Defenses
Patching remains a crucial but difficult task because of operational constraints and the speed with which adversaries exploit newly disclosed vulnerabilities. Traditional patch management often falls short: hasty deployments can introduce new risk, yet known vulnerabilities frequently remain unpatched for long periods even when fixes are available. ThreatLocker's approach pairs patching with Ringfencing, which limits what a fully patched application can still do so that a later exploit cannot be used for lateral movement or unauthorized access. Built for Zero Trust environments, ThreatLocker treats every patch as untrusted until it has passed internal review and testing by its application engineers. When a zero-click vulnerability in Microsoft Outlook was disclosed, ThreatLocker customers were able to mitigate the risk faster than organizations relying on traditional patch management. The platform provides automation and control tooling for precise patch deployment. The piece argues that effective patch management is more than a compliance exercise and belongs in the core security operations of any organization serious about security.
2025-05-21 13:42:59 theregister NATION STATE ACTIVITY Trump Announces Golden Dome, a High-Cost Missile Defense System
President Trump has announced the "Golden Dome" defense initiative, a plan to cover the US with a network of missile interceptors, satellites, and radar systems. The initiative includes a $25 billion initial funding segment, part of a projected overall spend possibly reaching beyond $175 billion. The system is designed to counteract various types of missiles including ballistic, hypersonic, and cruise missiles through a combination of space-based and terrestrial technologies. Trump referenced the historical context of missile defense dating back to Reagan’s era, indicating this as a continuation and completion of Reagan's vision to neutralize missile threats. The implementation involves major domestic production with Trump highlighting Silicon Valley's role and potential collaborations with Canada under conditions of financial contribution. A Congressional Budget Office report estimates the potential cost for a functional space-based intercept system between $161 billion to $831 billion over 20 years. Skepticism remains about the effectiveness of the Golden Dome, particularly against large-scale missile attacks or those using advanced decoy tactics. The project is seen by some as a lucrative opportunity for defense contractors and commercial entities like those owned by Elon Musk.