Daily Brief

Total articles found: 11822

Checks for new stories every ~15 minutes

2025-05-21 13:42:58 bleepingcomputer NATION STATE ACTIVITY EU Sanctions Stark Industries for Enabling Russian Cyberattacks
The European Union has sanctioned Stark Industries, a web-hosting provider, for supporting Russian cyber efforts and destabilising activities. CEO Iurie Neculiti and owner Ivan Neculiti of Stark Industries are specifically targeted due to their roles in enabling these cyber activities. Stark Industries is noted for being a historically bulletproof hosting provider, facilitating cyberattacks, including DDoS and disinformation campaigns advantageous to Russia. Investigations reveal Stark Industries had provided infrastructure for notorious cyber groups like FIN7, facilitating severe security threats. Despite Stark Industries' recent collaboration with cybersecurity firms to dismantle malicious infrastructure, EU sanctions proceed based on their prolonged enabling of harmful cyber activities. Additional sanctions by the EU target various other entities and individuals involved in propagating Russian foreign policy and misinformation. Sanctions include asset freezes and travel bans into the EU for the designated individuals and entities. Alongside Stark Industries, media outlets, news agencies, and companies tied to Russian espionage and electronic warfare activities faced EU sanctions.
2025-05-21 13:18:18 thehackernews MALWARE Surge in PureRAT Malware Attacks on Russian Firms in 2025
A significant increase in PureRAT malware attacks targeting Russian businesses has been identified, with incidents quadrupling early in 2025 compared to the same timeframe in 2024. These malware attacks begin with a deceptive phishing email that includes a malicious RAR file attachment, disguised as a reputable document. Upon execution, the malware installs a RAT (Remote Access Trojan) that can control the infected system, capture keystrokes, and access files, cameras, and microphones. The executable involved in the attack sequence not only deploys the RAT but also downloads auxiliary components capable of conducting espionage and data theft. PureLogs, another component of the malware, specifically targets and extracts sensitive data from web browsers, email clients, and cryptocurrency wallets. Kaspersky has not attributed these attacks to any specific threat actor, emphasizing the ongoing threat to Russian firms through malicious email campaigns. The comprehensive capabilities of PureRAT and PureLogs highlight a sophisticated and well-resourced malware operation aimed at acquiring confidential data and maintaining persistent access to compromised systems.
2025-05-21 12:19:38 thehackernews MALWARE Over 22 Million At Risk from Fake Kling AI Facebook Malware Ads
Counterfeit Facebook ads are directing users to fake Kling AI websites, ultimately downloading remote access Trojan (RAT) malware. Kling AI, a popular AI-driven image and video synthesis platform by Kuaishou Technology, has been impersonated to deceive users. Detected first in early 2025, these fake platforms like klingaimedia[.]com lure users to download harmful executable files disguised with double extensions. The malicious software establishes persistence on infected systems, monitors for analysis tools, and evades detection via legitimate system processes. The malware, specifically PureHVNC RAT, steals data from cryptocurrency wallets through browser-stored credentials and captures sensitive information via screenshots. At least 70 promoted posts from fraudulent social media accounts were identified, with links pointing back to Vietnamese threat actors. These attacks are part of a larger trend exploiting the surging interest in generative AI tools to distribute information-stealing malware via social media platforms. Meta faces broader challenges with an "epidemic of scams" on its platforms, including Facebook and Instagram.
2025-05-21 11:50:00 bleepingcomputer CYBERCRIME Ransomware Attack Causes Major Disruption at Kettering Health
Kettering Health, a major healthcare network in Ohio, experienced a significant cyberattack resulting in a system-wide technology outage. The attack led to the cancellation of elective inpatient and outpatient procedures, and an ongoing disruption to its call center operations. Kettering Health employs over 15,000 staff and operates 14 medical centers and over 120 outpatient facilities, all of which have been affected. CNN reports attribute the ransomware attack to the Interlock ransomware gang, who have threatened to leak stolen data unless a ransom is paid. The organization advised patients against making credit card payments over the phone due to potential scam activities linked to the incident. While emergency services continue, elective procedures have been postponed with plans to reschedule. There is still no confirmation from Kettering Health if patient data was compromised during the attack.
2025-05-21 11:30:46 thehackernews MISCELLANEOUS Enhancing CI/CD Security with Wazuh Integration
CI/CD practices accelerate software development but introduce security risks such as supply chain attacks and insider threats. Continuous security monitoring and enforcement of best practices are essential at every stage of the CI/CD workflow to mitigate these risks. Wazuh, an open-source security platform, enhances CI/CD security through unified XDR and SIEM capabilities. Wazuh enables detailed monitoring of CI/CD environments, including servers, orchestration tools, and version control systems, to detect unauthorized activity and breaches. Features such as File Integrity Monitoring (FIM) help detect unauthorized changes in real time, with alerts generated for suspicious file activity. Wazuh supports custom rule creation and streamlined security monitoring tailored to specific CI/CD needs, adhering to benchmarks like the CIS Docker Benchmark. Integration with third-party tools, such as container vulnerability scanners, ensures comprehensive security checks throughout the CI/CD pipeline. Automated incident response by Wazuh minimizes manual intervention and swiftly addresses threats, maintaining the efficiency and reliability of CI/CD workflows.
2025-05-21 10:31:06 thehackernews CYBERCRIME Streamlining Phishing Detection with Interactive Sandboxing
Phishing remains a top threat in corporate security, exploiting employee trust to gain unauthorized access. Interactive sandboxing is proposed as an effective solution for analyzing suspicious emails and links without compromising system security. ANY.RUN sandbox allows safe detonation of phishing emails, displaying behaviors such as redirects and CAPTCHA challenges typically missed by automated tools. Once a phishing attempt is confirmed, the sandbox helps trace the full attack chain and gather indicators of compromise (IOCs) efficiently. Features of ANY.RUN include a fast analysis interface, capability of auto-handling elements like CAPTCHA, and comprehensive logging of network traffic and behavior. Utilizing sandboxes like ANY.RUN simplifies the process of identifying phishing infrastructure, providing crucial evidence for quick response and future prevention. The method ensures that SOC teams can conduct thorough analyses and obtain detailed reports in less than 40 seconds, enhancing both detection and response times.
2025-05-21 10:12:41 bleepingcomputer CYBERCRIME Marks & Spencer Suffers $402 Million Hit from Cyberattack
Marks & Spencer (M&S) anticipates a potential £300 million ($402 million) profit loss due to a recent cyberattack. The attack caused significant disruption to online sales and operations, with system downtime hitting the retailer hard. Recovery includes additional costs in waste, logistics, and stock management while M&S operates manually. Online retail systems remain disabled, and disruptions are expected to continue affecting operations until at least July. The attack was carried out using DragonForce ransomware by the cyber group Scattered Spider, which is also responsible for attacks on other UK retail chains. M&S confirmed the theft of customer data during the attack, adding to potential long-term reputational damage. The UK National Cyber Security Centre has issued warnings and guidance in light of these attacks targeting UK retailers. Scattered Spider has expanded its operations and is now also targeting U.S. retailers, signaling a broader threat landscape.
2025-05-21 09:35:47 bleepingcomputer DATA BREACH Coinbase Data Breach Impacts Over 69,000 Customers Globally
Coinbase, a major cryptocurrency exchange, disclosed a data breach affecting 69,461 customers. Personal information exposed includes names, dates of birth, social security numbers, email addresses, and partial bank account details. Sensitive data about government IDs, account transactions, and balances was also stolen, increasing the risk of social engineering attacks. The breach was facilitated by support staff or contractors outside the U.S. and compromised less than 1% of Coinbase's customer base. Coinbase received a $20 million extortion demand from the attackers, which it refused to pay, opting instead for a reward fund to help capture the culprits. The estimated financial impact of the breach ranges from $180 million to $400 million for remediation and customer reimbursements. The exchange has committed to reimbursing affected customers and is urging all users to enable security measures such as withdrawal allow-listing and two-factor authentication. Coinbase also highlighted a broader cybersecurity framework analysis identifying top threats and defensive strategies to mitigate such risks.
2025-05-21 09:29:05 theregister CYBERCRIME M&S Faces Massive Financial Hit from Sophisticated Cyberattack
Marks & Spencer anticipates a £300 million reduction in operating profits for the fiscal year 2025/26 due to a sophisticated, ongoing cyberattack. The impact includes significant disruptions, increased costs from manual logistics, and loss in sales, particularly from online platforms. M&S plans to utilize its cyber insurance, expecting to claim up to £100 million to offset some of the financial damage. CEO Stuart Machin emphasized the company's focus on recovery and technical transformation to strengthen business post-attack. Despite disruptions, M&S reported a 22.2% increase in pre-tax profits from the previous year and a sales growth of 6.1%. The attack led to the theft of customer data, although sensitive payment card information was not compromised. Share prices have fallen approximately 12% since the attack began, reflecting investor concerns over the company’s immediate financial health.
2025-05-21 09:03:54 thehackernews CYBERCRIME New JavaScript Scam Redirects Mobile Users to Adult Content Apps
Cybersecurity experts have uncovered a malicious campaign targeting mobile users with JavaScript injections. The attack redirects users to a Chinese Progressive Web App (PWA) featuring adult-content scams. The scheme activates specifically on mobile platforms such as Android and iOS, ignoring desktop environments. Attackers employ Progressive Web Apps to mimic native applications and potentially evade standard browser security measures. The malicious code is injected into websites and triggers redirection only when accessed via mobile devices. Victims are led through several intermediary pages before arriving at fraudulent app store listings. This strategy indicates a shift towards more sophisticated, persistent methods of phishing on mobile devices.
2025-05-21 08:37:15 theregister MISCELLANEOUS UK Concerns Over Dependency on US for Space and Defense Security
Dr. Bleddyn Bowen highlighted the UK's significant reliance on the US for space technology and military capabilities during a House of Lords committee hearing. The UK abstained from developing independent satellite-launching and nuclear capabilities during the Cold War, relying instead on US provisions after extensive negotiations. Recent rhetoric and policies from the Trump administration have raised concerns about the future of UK-US relations, especially in areas of military and space cooperation. The importance of maintaining strong UK-US relations was emphasized given the deep integration in intelligence, space, and military sectors. The UK government committed to a defense spending increase to 2.5% of GDP by 2027, which was positively received by President Trump. Despite current political tensions, day-to-day military cooperation between the UK and US remains robust, with ongoing integration between UK Space Command and US Space Force. Shifts in the UK's defense procurement from the US towards European suppliers have been observed, indicating a potential diversification of defense alliances.
2025-05-21 07:36:43 theregister CYBERCRIME Scattered Spider Targets Financial and Retail Sectors Globally
Scattered Spider initially focused on cryptocurrency theft and business process outsourcing before moving to the financial sector and now retail. Palo Alto Networks' Unit 42 observed the cybercrime group's shift towards customer-facing retail sectors in the UK and US. The group's operatives, who tend to move across industries, leverage their insider industry knowledge to conduct crime efficiently. Social engineering tactics employed by Scattered Spider include using their native English fluency to manipulate employees into bypassing internal security protocols. Despite the recent attacks on retailers and cryptocurrency exchanges, no direct evidence links these incidents specifically to Scattered Spider; however, the group's past involvement in similar cases leads experts not to rule out a connection. Both major cryptocurrency exchanges Binance and Kraken have recently fended off social engineering attacks, with discussion of the potential losses had their systems been breached. Meanwhile, Coinbase is working with the DOJ and international law enforcement to address the security incidents, indicating serious concern over these breaches.
2025-05-21 07:16:04 thehackernews MISCELLANEOUS Google Chrome Enhances Security with Auto-Password Change
Google Chrome's built-in Password Manager can now automatically change a user's compromised password. This feature activates when Chrome detects compromised credentials during a sign-in process. For supported websites, Chrome will generate a strong, new password and update the user's account automatically. This development is part of Google's broader effort to reduce user friction and enhance account security. Website owners can facilitate this feature by adopting a well-known URL that directs to a password change page. This initiative aligns with industry moves toward using passkeys as a more secure method of account protection, with companies like Microsoft leading these changes.
2025-05-21 01:32:56 theregister MALWARE Ivanti Bugs Exploited, Affect Clouds and Mobile Management
Two Ivanti vulnerabilities, CVE-2025-4427 and CVE-2025-4428, are being actively exploited, affecting both on-premise and cloud environments. The vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) allow authentication bypass and remote code execution, leading to unauthorized malware deployment. Ivanti has issued patches for these vulnerabilities, which stem from problems in open-source libraries used within the product. Security firm Wiz reported ongoing exploitation in the cloud, observing attacks since May 16 in which the attackers used a remote-control tool called Sliver. The exploited bugs were added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities Catalog. Threat actors used the bugs to inject code and deploy Sliver, aiming to achieve long-term access for various malicious purposes. The same command-and-control server IP used in these attacks was also used in previous exploits against Palo Alto Networks' appliances, suggesting possibly linked threat actors.
2025-05-20 23:31:34 bleepingcomputer CYBERCRIME College Student Pleads Guilty in Extensive PowerSchool Data Extortion Plot
Matthew D. Lane, a 19-year-old college student, pleaded guilty to federal charges related to cyber extortion and unauthorized computer access. Lane and associates initially accessed confidential data by hacking a U.S. telecommunications company used by PowerSchool. Using stolen credentials from a contractor, the group targeted PowerSchool, threatening to sell or leak the data of 62.4 million students and 9.5 million teachers unless paid a ransom. In December 2024, PowerSchool received a ransom demand for approximately $2.85 million in Bitcoin; the payment details remain unclear, although a payment was made to prevent a data leak. Even after the initial ransom was paid, the threat actors continued to extort individual school districts for additional payments. Lane also attempted to extort $200,000 from the breached telecommunications company, including threats against company executives. Lane faces a minimum sentence of two years for aggravated identity theft, with additional time for the other charges.