Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11822
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-15 16:53:11 | thehackernews | DATA BREACH | Meta Faces Legal Threat Over AI Training Without User Consent | Meta plans to use E.U. user data for AI training without explicit opt-in consent, set to begin May 27, 2025.
Austrian privacy group noyb issued a cease-and-desist letter to Meta, threatening a class action lawsuit over these plans.
Meta argues it has a "legitimate interest" in using the data, bypassing the need for direct user consent which contradicts GDPR requirements.
The initiative had previously been paused in June 2024 after concerns from Irish data protection authorities, but Meta intends to proceed.
noyb argues that consent from merely 10% of users would suffice for Meta's AI to learn about E.U. linguistic and cultural diversity.
Other AI providers reportedly generate superior models without leveraging social network data, challenging Meta's necessity claim.
National data protection authorities have not yet addressed the legality of this non-consensual data usage for AI by Meta.
In response to the allegations, Meta insists its actions are lawful and that it provides users with an option to object to data processing. | Details |
| 2025-05-15 16:44:52 | bleepingcomputer | DATA BREACH | Nova Scotia Power Hit by Data Breach, Customer Data Stolen | Nova Scotia Power confirmed a significant data breach involving sensitive customer data due to unauthorized network access discovered last month.
The breach was first detected on April 28, 2025, with investigations revealing that the breach occurred on March 19, 2025, nearly two months prior to alerting customers.
The company, a primary utility in Canada serving over 500,000 customers, stated the breach had no impact on electricity production and distribution but disrupted internal operations.
Stolen data includes personal information, though the company has not observed any misuse of the data so far.
Nova Scotia Power is offering two years of free credit monitoring to affected customers through TransUnion to mitigate potential risks.
Customers have been advised to stay vigilant against phishing attempts, as threat actors may impersonate the utility company.
No ransomware gangs have claimed responsibility for this cybersecurity incident. | Details |
| 2025-05-15 16:38:06 | theregister | DATA BREACH | Coinbase Faces $20M Extortion after Insider-Influenced Data Theft | Coinbase was targeted by cybercriminals who extorted $20 million after bribing support staff to steal customer data.
Less than 1 percent of Coinbase’s monthly transacting users were affected, and no passwords or private keys were compromised.
The stolen data was used in social engineering attacks to defraud Coinbase customers.
Coinbase has responded by offering a $20 million bounty for information leading to the arrest of the perpetrators, rather than paying the ransom.
The company terminated the involved personnel, boosted fraud monitoring defenses, and has taken steps to reimburse affected customers.
Additional measures include investment in anti-fraud technologies and plans to centralize support operations in the US.
Total remediation and reimbursement costs are estimated at between $180 million and $400 million.
Despite the breach, Coinbase states there was no access to customer funds and no material operational impact, though its shares dropped by over 7%. | Details |
| 2025-05-15 15:49:01 | bleepingcomputer | MISCELLANEOUS | Security Flaws Exposed in Windows 11 and Red Hat at Pwn2Own 2025 | Pwn2Own Berlin 2025 showcased successful hacks on Windows 11, Red Hat Linux, and Oracle VirtualBox, distributing $260,000 in prizes to participants.
Security researchers demonstrated multiple zero-day exploits, securing root or SYSTEM privileges through various vulnerabilities including use-after-free, integer overflow, and out-of-bounds write.
The DEVCORE Research Team, among others, highlighted critical security flaws in enterprise technologies by exploiting previously unknown vulnerabilities.
Notable achievements included an exploit chain that allowed code execution on the underlying OS of Oracle VirtualBox and Docker Desktop.
Pwn2Own 2025 targets a wide range of technologies including AI, web browsers, virtualization tools, and enterprise applications, with potential earnings exceeding $1,000,000.
No attempts were made on the Tesla models available despite being included as targets in this year's competition.
Following the competition, vendors have a 90-day window to patch the security vulnerabilities exposed during the event. | Details |
| 2025-05-15 15:34:02 | theregister | MISCELLANEOUS | Socket Acquires Coana to Enhance Security Alert Efficiency | Socket has acquired Coana, a startup aimed at improving how security vulnerabilities are prioritized by letting users know which alerts can be ignored.
Coana, founded by researchers from Aarhus University, employs reachability analysis to determine if attackers can realistically exploit reported vulnerabilities.
The tool's efficiency lies in its use of static analysis, which allows for rapid, scalable evaluations with minimal false negatives or positives.
Traditional security tools produce an excessive number of alerts, creating noise and increasing workload for developers, which Coana’s approach aims to reduce.
Reachability analysis by Coana is especially effective for dynamic languages like JavaScript and Python, where static analysis is more challenging.
The acquisition helps Socket address its users' concerns regarding overwhelming security alerts from dependency scans in application software libraries.
Socket's CEO noted an ongoing challenge with the volume of security alerts and mentioned catching around 500 malicious packages weekly. | Details |
| 2025-05-15 15:20:20 | bleepingcomputer | MISCELLANEOUS | Tor Introduces Oniux for Enhanced Linux App Anonymization | Tor has launched Oniux, a new tool to anonymize network traffic of any Linux application through the Tor network.
Unlike torsocks, Oniux employs Linux namespaces for creating isolated network environments, enhancing security by preventing data leaks.
Oniux isolates applications at the kernel level, ensuring all traffic is routed through Tor, utilizing a virtual interface and custom DNS settings.
The tool is designed to be leak-proof with kernel-enforced isolation, which significantly surpasses the capabilities of torsocks.
Despite its innovative approach, Oniux is still in an experimental phase and not recommended for critical operations until further testing.
Tor has published the source code and calls for community engagement to test and refine Oniux to ensure its reliability for broader deployment.
Users interested in testing the tool can install it using Rust and specific commands provided by the Tor Project. | Details |
| 2025-05-15 14:31:17 | thehackernews | DATA BREACH | Coinbase Inside Job Leads to Data Leak and Extortion Attempt | Coinbase suffered a data breach orchestrated by cybercriminals who bribed internal customer support agents in India, leading to unauthorized data access.
The attackers copied account data of less than 1% of Coinbase's 9.7 million monthly users to potentially deceive them into transferring cryptocurrency.
The threat actors attempted to extort $20 million from Coinbase by threatening to release sensitive customer and internal information.
No critical data such as passwords, private keys, or customer funds were compromised, and Coinbase Prime accounts remained secure.
Coinbase has terminated the employment of the involved customer agents and is taking measures to reimburse affected customers.
Enhanced security measures, including additional ID checks for large withdrawals and strengthened defenses against insider threats, are being implemented.
Coinbase has announced a $20 million reward for information leading to the arrest and conviction of the responsible parties.
Customers are advised to enhance security by enabling withdrawal allow-listing, two-factor authentication, and remaining vigilant against impostors. | Details |
| 2025-05-15 13:48:44 | bleepingcomputer | MALWARE | NPM Package Hides Malware Using Unicode Steganography, Targets Users | Researchers identified a malicious NPM package named 'os-info-checker-es6' that employs Unicode steganography to conceal command-and-control links within Google Calendar events.
Originally benign when added to NPM on March 19, the package began incorporating malicious elements in subsequent updates, significantly changing by May 7 to include sophisticated malware delivery mechanisms.
The package, downloaded over 1,000 times, mimics a utility tool while secretly acting as a malware vector, impacting multiple users.
'os-info-checker-es6' is linked as a dependency in four other questionable NPM packages that pose as accessibility and development tools, potentially expanding its reach.
The complex attack involves fetching a base64-encoded URL obscured within a Google Calendar event, which then directs to the actual malicious payload.
Despite discoveries and reporting by Veracode, the harmful NPM packages remain available for download, posing ongoing risks to unsuspecting developers.
The incident underscores the need for increased vigilance and robust security measures within software development environments, particularly in package management ecosystems. | Details |
| 2025-05-15 13:39:33 | theregister | DATA BREACH | Snowflake CISO Enhances Security After Major Data Breaches | Last spring, significant data breaches at Snowflake impacted major clients like Ticketmaster and Santander, involving unauthorized data access through exposed customer credentials.
The breaches affected hundreds of millions and were facilitated by the misuse of stolen user credentials lacking multi-factor authentication—highlighting gaps in the shared responsibility security model.
Snowflake’s CISO, Brad Jones, emphasized a shift from a shared responsibility model to a "shared destiny" model, strengthening proactive partnerships with customers to enhance security.
Following the incidents, Snowflake mandated multi-factor authentication by default for new accounts and planned the phased elimination of single-factor password logins by November 2025.
To further secure customer data, Snowflake implemented uniform security controls, private networking options, default encryption, and a service to detect and lock accounts with compromised credentials found on the dark web.
The CISO highlighted new security challenges, particularly with AI, stressing the importance of adapting security measures rapidly in response to AI's evolving risks and capabilities.
Microsoft’s three-phase model for agentic AI development, from basic chatbots to independent operation, presents new governance and security considerations.
Snowflake’s approach now focuses on enabling business needs securely, reflecting the improv rule of "yes, and" to integrate necessary controls without stifling innovation. | Details |
| 2025-05-15 13:33:22 | bleepingcomputer | DATA BREACH | Coinbase Insider Assisted Data Breach Exposes Customer IDs | Coinbase disclosed a significant data breach involving compromised customer information including government IDs, organized with the help of rogue overseas support agents.
Cybercriminals demanded a $20 million ransom to avoid public release of the data, which Coinbase refused to pay, instead establishing a reward fund of equal amount to find the perpetrators.
No customers' private keys or passwords were stolen, and Coinbase Prime accounts and wallets remain secure.
Coinbase terminated the employment of the involved insiders who facilitated unauthorized access to the systems.
The breach has potential financial implications estimated between $180 million and $400 million, mainly for remediation and customer compensations for those deceived into sending funds to attackers.
The company plans to open a new U.S.-based support hub and increase investments in security measures, including insider-threat detection and automated response systems.
Coinbase urges customers to use two-factor authentication and be cautious of scammers impersonating company employees. | Details |
| 2025-05-15 13:33:22 | bleepingcomputer | MALWARE | Malicious NPM Package Harnesses Steganography and C2 Mechanisms | Researchers discovered a malicious npm package named "os-info-checker-es6" which initially posed as a benign utility but later included malware.
The package, camouflaging malicious content with invisible Unicode characters and using Google Calendar links, was downloaded over 1,000 times.
Introduced to npm in March as a benign package, it later received updates adding malware and complex command-and-control mechanisms.
This package, along with four others that list it as a dependency, mimics the look of developer tools to mask underlying harmful activity.
The malicious code is hidden using Unicode steganography by embedding invisible characters that lead to a Google Calendar URL hosting malware.
After following redirects until an HTTP 200 OK is reached, a base64-encoded URL is scraped and decoded to fetch the final malware payload.
The payload was not retrievable at the time of research, indicating either an early stage or a temporary pause in the attack campaign.
Following Veracode's discovery and report to npm regarding the suspicious packages, the packages were still live on the platform. | Details |
| 2025-05-15 11:29:54 | thehackernews | MISCELLANEOUS | Why Continuous Penetration Testing is Essential for Security | Annual penetration tests are insufficient due to rapid developments and new vulnerabilities in software updates.
Compliance frameworks like PCI DSS and HIPAA guide security but do not ensure vulnerability protection post-assessment.
Continuous security testing is crucial to identify and fix new vulnerabilities before they are exploited by attackers.
Strategic pen testing incorporates regular tests, integration with other security measures, and customization based on specific threats.
Resource constraints and lack of qualified personnel hinder effective penetration testing implementation in many organizations.
A cultural shift in organizations toward continuous testing and proactive risk management is necessary for improved security.
Combining External Attack Surface Management (EASM) and Penetration Testing as a Service (PTaaS) can optimize security effectiveness.
Outpost24's CyberFlex offers integrated solutions for continuous, flexible testing tailored to specific business needs. | Details |
| 2025-05-15 10:36:24 | thehackernews | MALWARE | Strategies to Enhance Ransomware Recovery and Prevention | Ransomware has become more sophisticated, leveraging legitimate IT tools and services such as Ransomware-as-a-Service (RaaS) to conduct widespread attacks.
Microsoft reported misuse of its Quick Assist tool for deploying Black Basta ransomware, highlighting the evolving tactics of cybercriminals.
The economic impact of ransomware could escalate to $275 billion annually by 2031, with attacks predicted to occur every 2 seconds.
A robust business continuity and disaster recovery (BCDR) strategy, including the upgraded 3-2-1-1-0 backup rule, is critical for organizational resilience against ransomware.
Immutable and isolated backups, continuous backup monitoring, and regular restore testing are paramount to ensure data integrity and recovery capabilities.
Enhancing backup systems with anomaly detection and integrating them with security operations can expedite threat detection and response.
Regular employee training on cyber hygiene and proactive threat reporting can further fortify the first line of defense against ransomware.
Incorporating comprehensive BCDR solutions like Datto can streamline the implementation of these strategies and bolster overall ransomware preparedness. | Details |
| 2025-05-15 10:12:38 | thehackernews | NATION STATE ACTIVITY | APT28 Targets Government Email Servers in Espionage Campaign | A Russia-linked hacking group, APT28, exploited webmail software vulnerabilities to conduct cyber espionage, primarily against Eastern European governmental and defense entities.
The campaign, named Operation RoundPress by ESET, began in 2023, utilizing cross-site scripting (XSS) attacks, including a zero-day vulnerability in MDaemon.
Targets expanded globally, including governmental bodies in Africa, Europe, and South America, with a focus on harvesting email communication and sensitive data.
Besides MDaemon, the XSS flaws exploited were found in other popular webmail platforms such as Horde, Roundcube, and Zimbra.
The MDaemon zero-day (CVE-2024-11182) and the related vulnerabilities in the other platforms have been patched, highlighting the importance of timely software updates.
The malware used in the attacks, dubbed SpyPress, had capabilities like stealing credentials, emails, contact information, and maintaining access via Sieve rules in Roundcube.
US CISA added CVE-2023-43770 associated with Roundcube to its Known Exploited Vulnerabilities catalog, underlining the severity and attention these exploits have garnered. | Details |
| 2025-05-15 10:04:45 | thehackernews | MALWARE | Sophisticated Malware Deploys Via Npm Package and Google Calendar | A malicious npm package named "os-info-checker-es6" was found using Unicode steganography and Google Calendar to drop payloads.
"os-info-checker-es6" mimics an operating system info tool to facilitate the undetected installation of further malicious code.
The package uses a Google Calendar event link with a Base64-encoded title that points to a remote C2 server, making the attack harder to block.
The package was first uploaded on March 19, 2025, and has been downloaded over 2,000 times.
No significant malicious activities were noted in the first five versions of the package; changes began appearing in later versions from May 7, 2025.
Another npm package was published by the same developer, implying potential links to a broader malicious campaign.
Security experts suggest combining behavioral analysis, static and dynamic testing, and thorough validation of third-party packages to combat such threats.
The overview was part of a broader analysis detailing emerging cyber threats in software supply chains in the first half of 2025. | Details |