Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11822
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-16 13:36:48 | theregister | DATA BREACH | Broadcom Employee Data Exposed in Ransomware Attack on ADP Subsidiary | A ransomware attack on Business Systems House (BSH), a Middle Eastern subsidiary of payroll provider ADP, resulted in the theft of Broadcom employee data. The attack occurred in September 2024, the stolen data was found online in December, and Broadcom was only informed in May 2025. Broadcom had already been in the process of moving its payroll away from ADP/BSH when the incident occurred. The El Dorado ransomware group, believed to be linked to the Russian-speaking BlackLock group, claimed responsibility. The breach affected a limited number of ADP clients and was localized to certain countries in the Middle East; ADP confirmed no impact to its own systems. The leaked personal data is in an unstructured format, which complicates identifying exactly which employees and which data elements were affected. Local law enforcement and data protection authorities have been notified, and measures to harden BSH's security environment are underway. Broadcom recommended that affected individuals enable multi-factor authentication and monitor their financial records closely. | Details |
| 2025-05-16 11:37:37 | thehackernews | DDOS | HTTPBot Botnet Targets Gaming, Tech with Precision DDoS Attacks | A new Windows botnet, HTTPBot, has been targeting the gaming and technology sectors, mainly in China. It carries out targeted distributed denial-of-service (DDoS) attacks over HTTP rather than volumetric floods. Dynamic feature obfuscation and HTTP flood techniques let it evade traditional rule-based defenses. Since April 2025, HTTPBot has issued over 200 attack instructions against key business functions, particularly game login and payment platforms. It conceals itself by hiding its graphical user interface and adds a Windows Registry entry so that it runs at system startup. Bots poll a command-and-control server for instructions and then generate high volumes of HTTP requests against the specified target. Rather than simply saturating bandwidth, the requests use complex URL paths and cookie handling to tie up server-side resources, which sets HTTPBot apart from typical volume-oriented DDoS. Its emergence signals a shift in DDoS tactics from broad traffic disruption to targeted disruption of specific business functions. | Details |
| 2025-05-16 11:20:00 | theregister | MISCELLANEOUS | Atos Unveils Strategic Overhaul with Focus on AI and Efficiency | French IT firm Atos announced a transformation plan named "Genesis", targeting sustainable growth and an operating margin of 10% by 2028. The plan reorganises the company around six new business lines, with emphasis on AI, cybersecurity, and cloud services. Atos will shrink its global footprint, keeping a presence in strategic and profitable markets through six regional hubs. Job cuts and increased offshoring are central to the cost-reduction strategy that accompanies the resized structure and new business focus. The French state has expressed interest in buying Atos' Advanced Computing activities, suggesting partial national involvement in the company's future. The appointment of Philippe Salle as CEO marks the seventh change of leadership in three years, reflecting continued instability at the executive level. The company also paused the sale of its Mission Critical Systems and Cybersecurity Products businesses, indicating a reevaluation of asset disposals. Atos projects revenue falling to €8.5 billion in 2025, attributing this to the strategic changes and reduced business activity until the restructuring is complete. | Details |
| 2025-05-16 10:31:29 | thehackernews | MISCELLANEOUS | Top Strategies to Enhance Organizational Data Protection | Defining the organization's specific data protection needs and desired outcomes is the starting point for a focused strategy. AI-assisted automated data classification improves the speed and accuracy of identifying sensitive information. Zero trust models with least-privilege access controls reduce the risk of unauthorized data access. Centralizing Data Loss Prevention (DLP) gives consistent detection and response across all platforms instead of separate per-channel policies. Regular compliance checks against data protection regulations avoid legal penalties and protect brand integrity. Bring Your Own Device (BYOD) risk can be addressed with browser isolation, which keeps corporate data from being extracted to unmanaged devices. SaaS and data security posture management (SSPM and DSPM) tools continuously find and fix misconfigurations that could otherwise lead to breaches. Data security training, tied into incident management, builds a proactive data protection culture. | Details |
| 2025-05-16 09:21:39 | thehackernews | MALWARE | New Intel CPU Security Flaws Enable Memory Leaks and Attack Exploits | Researchers at ETH Zürich have identified a new class of flaws in modern Intel CPUs, termed Branch Privilege Injection (BPI), that lets attackers leak sensitive data. The issue stems from Branch Predictor Race Conditions (BPRC): branch predictor updates are not synchronized with privilege switches, so an update can be attributed to the wrong privilege level and influence execution across that boundary. The flaw affects all modern Intel processors and can expose cache contents and the working memory of other users on the same CPU. Intel has released microcode updates to mitigate the vulnerability, tracked as CVE-2024-45332 with a CVSS v4 score of 5.7. Separate research describes self-training Spectre v2 attacks, also affecting Intel CPUs, that leak memory at high speed and break domain isolation. Together these enable user-to-user, guest-to-guest, and guest-to-host Spectre v2 attacks, reviving concerns first raised by the original Spectre disclosures. AMD has updated its Spectre and Meltdown guidance, highlighting the risk posed by use of the classic Berkeley Packet Filter (cBPF). | Details |
| 2025-05-16 09:11:22 | bleepingcomputer | CYBERCRIME | U.S. Indicts 12 in Massive $230 Million Cryptocurrency Heist | Twelve suspects have been charged in a RICO conspiracy involving more than $230 million stolen in cryptocurrency. They allegedly broke into victims' cryptocurrency accounts and moved the funds to wallets under their control. Tactics included phone number spoofing and impersonating customer support at Google and Gemini to obtain access to victims' accounts and private keys. Funds were laundered through a network of crypto exchanges, mixing services, and VPNs. Most of the stolen funds were converted to Monero to obscure their origin, but the defendants made traceable mistakes. Proceeds were spent on luxury cars, high-end watches, and extravagant nightclub parties. The defendants face charges including wire fraud, money laundering, and obstruction of justice. | Details |
| 2025-05-16 09:04:39 | theregister | CYBERCRIME | Rising AI-Driven Cyber Threats Challenge Global Security Leaders | A Darktrace report finds that 74% of cybersecurity professionals worldwide already consider AI-powered threats a significant challenge to their defenses. Attackers are using AI for more convincing phishing and more capable malware, which in turn demands AI-augmented defenses. AI-based social engineering attacks surged by 135% in 2023, coinciding with the rise of ChatGPT and similar tools. Despite the growth in AI-powered threats, many companies feel underprepared because of the cybersecurity skills shortage; 45% of professionals voiced concerns about preparedness. Most companies currently focus on using AI to speed up and streamline their security response, with 95% acknowledging AI's potential benefits. 88% prefer integrated AI-driven security platforms over point solutions, aiming for a comprehensive and preventative defense. The study also highlights a knowledge gap: only 42% of professionals say they fully understand which types of AI their security tools employ. | Details |
| 2025-05-16 08:13:50 | bleepingcomputer | CYBERCRIME | CISA Alerts on Actively Exploited Chrome Vulnerability in Federal Agencies | CISA has warned U.S. federal agencies about attacks exploiting a high-severity vulnerability in the Chrome web browser. The flaw, tracked as CVE-2025-4664, was disclosed by Solidlab security researcher Vsevolod Kokorin and has been patched by Google. It allows a specially crafted HTML page to leak sensitive cross-origin data, which could lead to account takeover. When it shipped the fix, Google said it was aware of a public exploit for the bug. CISA added the flaw to its Known Exploited Vulnerabilities catalog under Binding Operational Directive (BOD) 22-01 from November 2021, which requires federal agencies to apply the patch by the catalog deadline of June 5. This is the second Chrome zero-day exploited in 2025; the first was used in cyber-espionage attacks against Russian government organizations. Network defenders outside the federal government are also urged to prioritize patching. | Details |
| 2025-05-16 08:02:08 | thehackernews | MALWARE | New Fileless Malware Campaign Uses PowerShell to Deploy Remcos RAT | Researchers have uncovered a campaign that uses a PowerShell-based shellcode loader to deliver the Remcos RAT. Malicious LNK files inside ZIP archives pose as Office documents, using tax-related lures to get users to open them. The LNK launches the legitimate Microsoft tool mshta.exe to run an HTA file, which downloads further components and creates registry entries for persistence. The RAT payload is decoded and executed entirely in memory, so the final stage never touches disk and evades many traditional, file-based defenses. Remcos gives the operator full control of the host, including keystroke logging, screenshot capture, and system information retrieval. Its command-and-control traffic is wrapped in TLS, enabling ongoing data theft and remote manipulation. The campaign illustrates the limits of conventional defenses against fileless malware and the need for detection that includes real-time PowerShell monitoring (script block logging) and stronger email filtering. Fileless infection techniques of this kind, along with emerging threats such as AI-enabled polymorphism, pose significant challenges to current security approaches. | Details |
| 2025-05-16 07:30:54 | thehackernews | MISCELLANEOUS | Learn to Defend Modern Apps From Code to Cloud in Free Webinar | Modern applications change faster than the security controls businesses put around them. Security teams often scan code in isolation and react to cloud threats late, leaving exploitable gaps. Attackers exploit such gaps within hours, while organizations can take days to act on critical cloud alerts. Security work is split across teams such as DevSecOps, CloudSec, and the SOC, which leads to inefficiency and uncoordinated responses. The webinar, hosted by Ory Segal of Cortex Cloud at Palo Alto Networks, covers how to integrate application security across code, cloud infrastructure, and security operations. Attendees will learn strategies for a unified security approach that improves protection against breaches and attacks. The session targets AppSec, CloudOps, DevSecOps, and SOC professionals and aims to provide insights they can apply immediately. | Details |
| 2025-05-16 06:02:44 | theregister | CYBERCRIME | DoorDash Scam Nets $2.59 Million Using Insider-Driven Fraud | Sayee Chaitanya Reddy Devagiri pleaded guilty to a wire fraud conspiracy that extracted $2.59 million from DoorDash through fraudulent deliveries. The conspirators created fake customer and driver accounts to place orders and then "deliver" non-existent food. Using DoorDash employee credentials, they manipulated order assignments inside the company's system. They triggered payouts by marking these phantom deliveries as completed, using a vendor affiliated with DoorDash. The scheme depended on insider access; some of the credentials were linked to a former employee, Tyler Thomas Bottenhorn, who had worked at the company only briefly. The fraud was repeated hundreds of times and reportedly took less than five minutes per transaction. Devagiri is the third defendant to plead guilty and faces up to 20 years in prison and a $250,000 fine; he returns to court on September 16. | Details |
| 2025-05-16 06:02:44 | theregister | CYBERCRIME | FBI Alerts on Scammers Using Deepfake Voices of US Officials | The FBI has warned that scammers are using deepfake audio to impersonate senior US government officials in a fraud campaign. The activity primarily targets current and former US government personnel with the goal of stealing their login credentials. The impersonators use AI voice cloning in smishing (SMS phishing) and vishing (voice phishing) attacks. Targets are urged to move the conversation to a separate, unnamed messaging platform, presumably to evade detection. The FBI advises verifying suspicious contacts by calling back through official numbers and watching for anomalies in speech that could indicate a deepfake. Listening for unusual verbal tics or phrasing is one recommended way to spot AI-generated impersonations. The wide availability and falling cost of AI tooling have significantly increased both the capability and the frequency of deepfake scams. | Details |
| 2025-05-15 19:18:24 | bleepingcomputer | NATION STATE ACTIVITY | Global Spy Campaign Targets Governments via Webmail Exploits | ESET researchers have identified a global cyberespionage operation, dubbed 'RoundPress', attributed to the Russian state-sponsored group APT28. Active since 2023, the campaign uses zero-day and n-day cross-site scripting (XSS) exploits in webmail software to read sensitive email belonging to government entities. Targets include government offices in several countries, military units, defense companies, and critical infrastructure, predominantly in Europe. The operators send spear-phishing emails with current-event themes whose HTML bodies carry malicious JavaScript that triggers the webmail XSS flaw. Simply opening the email in the vulnerable webmail client runs the script, which steals credentials and data without any further victim interaction. Collected data includes email content, contacts, webmail settings, login history, and two-factor authentication details, all exfiltrated to attacker-controlled servers. The campaign has adapted over time to multiple webmail platforms, including Roundcube, Horde, MDaemon, and Zimbra. No activity has been reported for 2025, but the steady stream of new XSS vulnerabilities in webmail products suggests the tactic may continue or evolve. | Details |
| 2025-05-15 18:28:09 | bleepingcomputer | CYBERCRIME | FBI Warns of AI Voice Deepfake Attacks on U.S. Officials | The FBI issued a public service announcement warning that AI-generated voice deepfakes have been used in phishing attacks against U.S. officials since April 2025. Perpetrators impersonate senior U.S. officials with AI-generated audio to build rapport and then gain access to personal and government accounts. The agency highlighted smishing (text-based) and vishing (voice-based) messages that appear to come from high-ranking officials. Once inside an account, the attackers harvest sensitive information from and about other government personnel and may attempt to redirect funds. The warning follows a 2021 FBI notification that predicted deepfakes would grow more sophisticated and more widely used in cyber operations. Europol and the U.S. Department of Health and Human Services have likewise flagged deepfakes' potential for fraud and social engineering since 2021. The recent deepfake attack on LastPass, in which attackers used AI-generated audio of the company's CEO, shows the threat is already real. The announcement aims to raise awareness and offers mitigation advice for recognizing and defending against such tactics. | Details |
| 2025-05-15 17:31:45 | theregister | CYBERCRIME | Scattered Spider Cyberattacks Shift Focus from UK to US Retailers | Scattered Spider, which recently targeted UK retailers, has begun attacking the IT environments of major US retailers. According to Mandiant, Google's threat intelligence arm, the intrusions may lead to ransomware deployment, specifically DragonForce. Affected organizations have responded with stringent defensive measures that have in some cases caused operational disruption. The group, made up mostly of young men from the US and UK, paused after multiple arrests but has recently resumed with renewed intensity. Fewer than ten prominent US retailers have been targeted so far, with varying degrees of compromise and varying impact from their own preventive actions. Scattered Spider periodically shifts between sectors, and it is expected to move on from retail before long. The high profile of these attacks makes increased law enforcement action likely. | Details |