Daily Brief

Articles are listed below with generated summaries.

Total articles found: 11823

Checks for new stories every ~15 minutes

2025-05-14 15:32:27 thehackernews CYBERCRIME Telegram Marketplace Facilitates $8.4 Billion in Cybercrime Activities
Xinbi Guarantee, a Chinese-language marketplace run over Telegram, has processed $8.4 billion in transactions since 2022, according to blockchain analytics firm Elliptic. It sells illegal goods and services including stolen personal data, fake IDs and technology, and specializes in money laundering; Elliptic links a significant share of the flows to criminal proceeds, including funds stolen by North Korean operatives. The marketplace has attracted roughly 233,000 users and also advertises intimidation and sex-trafficking services in China. It presents itself as an investment company registered in Colorado, although state records mark the entity as "Delinquent". Elliptic's report says both Xinbi and HuiOne Guarantee laundered cryptocurrency for North Korea after the WazirX exchange hack. Telegram has since shut down thousands of channels tied to these marketplaces, disrupting large-scale cybercrime operations. The findings came shortly after the U.S. designated the HuiOne Group as a key entity in global cryptocurrency money laundering schemes.
2025-05-14 14:47:01 bleepingcomputer CYBERCRIME Nucor Corporation Halts Production Due to Cybersecurity Breach
Nucor Corporation, the largest steel producer in the U.S., disclosed a cybersecurity incident that disrupted operations at multiple locations. On detecting the intrusion, Nucor took parts of its network offline and began containment and remediation, which temporarily halted production at the affected facilities. The company has notified law enforcement and retained external cybersecurity specialists to investigate. Nucor has not disclosed the nature or date of the attack, and it is not yet known whether data was stolen or encrypted. The incident and the company's immediate response were reported in a Form 8-K filed with the SEC. Nucor says it is gradually restarting production at the affected sites.
2025-05-14 14:24:23 theregister MISCELLANEOUS VPN Company Cancels Lifetime Deals, Admits Oversight in Acquisition
VPNSecure's new parent company, InfiniteQuant, abruptly canceled thousands of "lifetime" accounts, calling the legacy deals unsustainable and too costly to honor. CEO Romain Brabant admitted the oversight occurred during the acquisition, when the company focused on the technology rather than the existing user agreements. Affected customers, who had paid heavily discounted one-off prices for lifetime service, voiced outrage on Reddit and Trustpilot and accused the company of gaslighting them. InfiniteQuant says it was unaware of the lifetime deals, which the former owner, BoostNetwork Pty Ltd, did not disclose during sale negotiations and which did not appear in the financial documents reviewed for the acquisition; customers had bought them through resellers such as StackSocial. A follow-up email meant to address customer concerns had a bounce rate of over 20%, so poor deliverability compounded the problem. InfiniteQuant intends to send a third email apologizing for the earlier communications and offering discounted plans to former lifetime subscribers. No refunds will be issued for the terminated accounts; the company describes the decision as a difficult one required for survival.
2025-05-14 14:15:02 thehackernews CYBERCRIME CTM360 Exposes "Meta Mirage" Phishing Scam Targeting Businesses
CTM360 has documented a phishing campaign it calls "Meta Mirage" that targets businesses using Meta's Business Suite. The firm identified more than 14,000 malicious URLs, 78% of which were not yet blocked by browsers at the time of analysis. The lures impersonate official Meta communications, warning of policy violations or urgent account problems in Meta's tone and format, and aim to harvest passwords and one-time passcodes (OTPs). Phishing pages are hosted on trusted cloud platforms such as GitHub, Firebase and Vercel, which helps them evade reputation-based blocking. Victims receive a sequence of increasingly urgent messages designed to push them into acting before checking. Compromised business accounts are then used to run malicious ad campaigns, causing further damage. CTM360 recommends heightened vigilance and proactive security measures against the campaign.
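Hosting on GitHub Pages, Firebase or Vercel gives a lure a reputable hostname, so one useful triage check is the combination of a free-hosting suffix with brand or urgency words in the attacker-chosen subdomain or path. The Python function below is an example added to this brief, not CTM360's method; the platform suffix list, the brand term list, the legitimate-domain list and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# Free-hosting suffixes for the platforms named in the CTM360 report (this example's assumption).
FREE_HOSTING_SUFFIXES = ("github.io", "web.app", "firebaseapp.com", "vercel.app")
# Brand and urgency words the lures lean on (example's own list; tune per tenant).
BRAND_TERMS = ("meta", "facebook", "instagram", "business", "suite",
               "policy", "violation", "appeal", "verify")
# Genuine brand domains: the domain itself or anything below it is not impersonation.
LEGIT_BRAND_DOMAINS = ("facebook.com", "meta.com", "instagram.com", "fb.com")


def host_matches(host, suffix):
    """True for the suffix itself or any subdomain of it; 'evilgithub.io' must not match 'github.io'."""
    return host == suffix or host.endswith("." + suffix)


def triage_url(url):
    """Return the reasons a URL looks like brand impersonation on free hosting (empty list: nothing fired)."""
    parts = urlparse(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    if any(host_matches(host, d) for d in LEGIT_BRAND_DOMAINS):
        return []  # real brand property, e.g. business.facebook.com
    reasons = []
    platform = next((s for s in FREE_HOSTING_SUFFIXES if host_matches(host, s)), None)
    if platform:
        reasons.append(f"hosted on free platform {platform}")
    # Only the attacker-chosen label(s) should be searched for brand words, not the platform suffix.
    label = host[: -len(platform) - 1] if platform else host
    hits = sorted({t for t in BRAND_TERMS if t in label or t in path})
    if hits:
        reasons.append("brand/urgency terms: " + ", ".join(hits))
    if platform and hits:
        reasons.append("HIGH: brand terms on free hosting")
    return reasons


def rank(urls):
    """Sort a batch so the strongest hits come first, e.g. over URLs extracted from a day's mail."""
    return sorted(urls, key=lambda u: -len(triage_url(u)))


SAMPLE_URLS = [  # constructed for this example
    "https://meta-business-policy-appeal.vercel.app/verify",
    "https://business.facebook.com/settings",
    "https://someuser.github.io/my-blog/",
    "https://evilgithub.io/meta",
]

if __name__ == "__main__":
    for u in rank(SAMPLE_URLS):
        print(u, "->", triage_url(u) or ["clean"])
```

The legitimate-domain check runs first so that genuine Meta properties never score, and the suffix match requires a dot boundary so a lookalike registrable domain such as evilgithub.io is not mistaken for the platform.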
2025-05-14 14:04:56 bleepingcomputer CYBERCRIME Sophisticated Phishing Attack Abuses Trusted Domains and Validates Emails in Real Time
Keep Aware's threat research team observed a phishing operation that hosts its pages on legitimate domains and validates the entered email address against a backend in real time, so only recognized corporate addresses receive the full credential-harvesting flow. Once a business email is recognized, the page re-brands itself with the target company's look and feel. The pages also carry anti-analysis JavaScript that blocks right-click and keyboard shortcuts to deter casual inspection, and they present CAPTCHA challenges to add legitimacy. Because the content is generated dynamically per visitor, URL- and reputation-based filters tend to miss it; Keep Aware argues that protection therefore has to happen in the browser, detecting the page before credentials are entered.
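The right-click and shortcut blockers described above run only in the page's own JavaScript, so they do not survive fetching the HTML with curl or opening DevTools from the browser menu, and a saved copy of the page can be triaged offline. The Python helper below is an example added here, not Keep Aware's tooling or the kit's code: it scans saved HTML for the tricks the article describes (context-menu suppression, F12 / Ctrl+Shift+I / Ctrl+U blocking, disabled text selection, deriving a domain from the entered email, and a real-time validation request). The signature names, the regexes and both sample pages are this example's own constructions.

```python
import re

# Heuristic signatures for the tricks the article describes. Names and regexes are this
# example's own; kits obfuscate, so treat a hit as a triage lead, not proof.
SIGNATURES = {
    "contextmenu_suppressed": re.compile(
        r"""oncontextmenu\s*=|addEventListener\(\s*['"]contextmenu['"]""", re.I),
    "devtools_shortcuts_blocked": re.compile(
        r"""keyCode\s*===?\s*123|\.key\s*===?\s*['"]F12['"]"""
        r"""|ctrlKey\s*&&\s*\w+\.shiftKey|ctrlKey\s*&&\s*\w+\.keyCode\s*===?\s*85""", re.I),
    "text_selection_disabled": re.compile(r"""user-select\s*:\s*none|onselectstart\s*=""", re.I),
    "domain_from_entered_email": re.compile(r"""split\(\s*['"]@['"]\s*\)\s*\[\s*1\s*\]""", re.I),
    "realtime_credential_check": re.compile(
        r"""(?:fetch|XMLHttpRequest|\$\.(?:ajax|post))\s*\([^)]*?(?:check|valid|verify)\w*""", re.I),
}


def script_like_text(html):
    """Collect the places kits put these tricks: inline <script> bodies, <style> blocks,
    and on*= / style= attributes on elements."""
    chunks = re.findall(r"<script\b[^>]*>(.*?)</script>", html, re.I | re.S)
    chunks += re.findall(r"<style\b[^>]*>(.*?)</style>", html, re.I | re.S)
    chunks += re.findall(r"""\s(?:on\w+|style)\s*=\s*(?:"[^"]*"|'[^']*')""", html, re.I)
    return "\n".join(chunks)


def triage(html):
    """Return {signature_name: matched_snippet} for every signature that fires on the page."""
    corpus = script_like_text(html)
    findings = {}
    for name, pattern in SIGNATURES.items():
        m = pattern.search(corpus)
        if m:
            findings[name] = m.group(0)[:80]
    return findings


def risk_score(findings):
    """Weight real-time validation and per-domain re-branding above the nuisance blockers,
    which also turn up on some legitimate pages."""
    weights = {"realtime_credential_check": 3, "domain_from_entered_email": 2}
    return sum(weights.get(name, 1) for name in findings)


# Constructed sample of a page with the described behaviours (not a real kit).
SAMPLE_PHISH = """<!doctype html><html><head><title>Sign in</title>
<style>body { user-select: none; }</style></head>
<body oncontextmenu="return false">
<form id="f"><input id="email"><input id="pw" type="password"></form>
<script>
document.addEventListener('keydown', function (e) {
  if (e.keyCode === 123 || (e.ctrlKey && e.shiftKey) || (e.ctrlKey && e.keyCode === 85)) {
    e.preventDefault(); return false;   // F12, Ctrl+Shift+I, Ctrl+U
  }
});
document.getElementById('email').addEventListener('blur', function () {
  var email = this.value, domain = email.split('@')[1];
  fetch('/api/validate_email?email=' + encodeURIComponent(email))
    .then(function (r) { return r.json(); })
    .then(function (j) { if (j.ok) { applyBranding(domain); } });
});
</script></body></html>"""

# Constructed ordinary login form with none of the tricks.
SAMPLE_BENIGN = """<html><body>
<form method="post" action="/login"><input name="user"><input name="pw" type="password">
<button>Sign in</button></form>
<script>document.querySelector('form').addEventListener('submit', function () { console.log('submit'); });</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        hits = triage(page)
        print(label, risk_score(hits), sorted(hits))
```

Run it over a page saved with curl or "Save page as" and treat a high score as a reason to look at where the validation request goes, since that endpoint is the operator's infrastructure even when the page itself sits on a legitimate domain.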
2025-05-14 13:40:40 bleepingcomputer DATA BREACH Dior Announces Cybersecurity Breach Affecting Customer Data
Dior has disclosed a cyberattack in which an unauthorized party accessed customer data held by its Fashion and Accessories division. The intrusion was discovered on May 7. Exposed data includes contact details, purchase history and preferences; Dior says passwords and payment details were not affected because they are stored in a separate system. Customers in South Korea and China have been notified, indicating the breach was concentrated in those markets. The brand has engaged external cybersecurity experts to investigate and contain the incident and is notifying regulators and affected customers as required by law. Dior advises customers to be wary of phishing attempts that impersonate the brand. The incident has drawn legal scrutiny in South Korea over whether authorities were notified within the required time.
2025-05-14 13:27:19 bleepingcomputer CYBERCRIME Kosovo Extradites BlackDB Marketplace Leader on US Cybercrime Charges
Kosovo has extradited Liridon Masurica, alleged administrator of the BlackDB.cc cybercrime marketplace, to the United States to face cybercrime charges. Masurica was arrested by Kosovar authorities on December 14, 2024 and extradited on May 9; prosecutors say he had run the marketplace since 2018. He appeared before U.S. Magistrate Judge Lindsay Saxe Griffin and faces five counts of using unauthorized access devices and one count of conspiracy. BlackDB.cc sold stolen payment card data, server credentials and personal information, most of it belonging to U.S. victims, and buyers reportedly used it for credit card fraud, tax fraud and identity theft. The FBI worked with the Kosovo Police's Cybercrime Investigation Directorate, with support from the FBI's Legal Attaché Office in Sofia and the Justice Department's Office of International Affairs. The case follows the recent seizure of the Rydox marketplace and the arrest of its three Kosovar administrators. If convicted on all counts, Masurica faces up to 55 years in federal prison.
2025-05-14 12:28:32 theregister MISCELLANEOUS Gartner Expert Challenges Current Practices in Cybersecurity Patching
Craig Lawson, Research Vice President at Gartner, argued that rushing to apply Patch Tuesday updates does not necessarily lower risk. Speaking at a conference, he said that no large organization he has spoken with, hyperscalers and government agencies included, has managed to keep up with every security patch. Lawson framed the backlog as "threat debt": the accumulation of known but unaddressed vulnerabilities. Simply speeding up patching is not an effective answer, he argued, because only a small share of vulnerabilities (around 8-9%) are ever exploited in the wild, and those are often not the ones rated critical. Patches can also cause harm of their own by breaking systems or being too complex to deploy reliably. He suggested organizations track a "cohabitation metric", a measure of how well they can live with unpatched systems when compensating controls are in place, and adopt a patching approach tailored to their own risk and operational constraints, with cross-departmental collaboration.
2025-05-14 11:16:37 thehackernews NATION STATE ACTIVITY Earth Ammit Targets Drone Supply Chain in Sophisticated Cyber Espionage
Earth Ammit, a threat actor Trend Micro links to Chinese-speaking nation-state groups, ran espionage campaigns against Taiwan and South Korea during 2023 and 2024, targeting military, satellite and other sectors. The VENOM campaign targeted software service providers, exploiting web server vulnerabilities to install remote access trojans and harvest credentials. The TIDRONE campaign, disclosed by Trend Micro, used the custom malware CXCLNT and CLNTEND against drone manufacturers and the military industry. Both campaigns abused ERP software and trusted communication channels to reach downstream victims in the drone supply chain, mixing open-source tools with bespoke malware to blend in and to stage intrusions. Shared victims, service providers and command-and-control infrastructure indicate the two campaigns are coordinated. Trend Micro also found overlaps between Earth Ammit's tactics, techniques and procedures and those of another Chinese hacking group, suggesting a shared toolkit and playbook.
2025-05-14 10:44:05 thehackernews MALWARE Horabot Malware Phishing Attack Targets Users in Six Latin American Countries
Researchers have uncovered a new phishing campaign delivering the Horabot malware to Windows users in six Latin American countries. The emails impersonate invoices or financial documents and carry a ZIP attachment that poses as a PDF but contains a malicious HTML file, which leads to further downloads. Once running, Horabot performs system reconnaissance and steals credentials using VBScript, AutoIt and PowerShell scripts, harvests data from several browsers, and displays fake pop-ups to capture additional logins; a banking trojan is installed alongside it. The malware exits if Avast antivirus is present or if it detects a virtual environment, an anti-analysis measure that keeps it out of sandboxes rather than a persistence mechanism. It also abuses the victim's Outlook to send the phishing email on to the stolen contact list, propagating the infection. Horabot was first documented in 2023, has targeted Spanish-speaking users since November 2020, and is believed to be operated by a Brazilian threat actor.
2025-05-14 10:34:08 thehackernews MISCELLANEOUS The Strategic Advantages of Offensive Security Training
Verizon's 2025 Data Breach Investigations Report records an 18% year-over-year increase in confirmed data breaches, with vulnerability exploitation as an attack vector up 34%. Many organizations have responded by buying more security tools and pursuing compliance standards, but on their own these do not fully mitigate cyber risk. The article argues that effective defence requires offensive security training across every role on the security team, so that practitioners understand how attackers actually operate and can anticipate their moves. Such training gives non-offensive roles (new practitioners, incident handlers, forensic analysts and security managers) practical insight into attacker behaviour that improves how they do their own jobs. Hands-on offensive exercises expose professionals to common attack methods, sharpening their ability to spot risk, prioritize responses and strengthen overall strategy. Security managers in particular benefit from understanding offensive techniques when making strategic and risk-management decisions. Continuous learning of this kind, the piece concludes, materially strengthens an organization's defensive posture.
2025-05-14 09:33:34 theregister CYBERCRIME Urgent Need to Secure AI Systems Against Cyber Threats
Speaking at the CYBERUK conference, Peter Garraghan warned that organizations deploying AI are largely unaware of its security implications. A recent NCSC report cautions that, without proper security, AI-related weaknesses will leave critical systems more vulnerable by 2027. Organizations are racing to deploy AI for competitive advantage before putting the necessary controls in place. The report singles out prompt injection and supply chain attacks as the main AI-enabled threats. To illustrate the stakes, Garraghan's firm exploited vulnerabilities in a candle shop's AI chatbot. The NCSC stresses that security must be built into AI deployments to blunt advanced attacks, since poorly managed deployments expose organizations to data theft and other exploitation, and it continues to develop guidance for hardening systems in the AI era.
2025-05-14 08:17:50 thehackernews NATION STATE ACTIVITY Microsoft Patches Critical Flaws Under Active Exploitation
Microsoft's May 2025 Patch Tuesday fixes 78 security flaws, 11 of them rated critical. Five were zero-days already under active exploitation, in components including the Microsoft Scripting Engine and the Desktop Window Manager (DWM) Core Library. The fixes address remote code execution and privilege escalation bugs across the product line; notable among them is CVE-2025-29813, a critical flaw in Azure DevOps Server rated CVSS 10.0. CISA requires federal agencies to apply the fixes for the exploited flaws by June 3, 2025, underlining their severity. Microsoft also patched issues in Edge, and other vendors released updates for their own products on the same day. Several of the fixed bugs allow privilege escalation over the network and data theft, so prompt deployment is advised.
2025-05-14 06:40:06 theregister RANSOMWARE Ransomware Targets the Systems Between IT and OT in Critical Infrastructure
Ransomware operators are increasingly targeting the intermediary systems that sit between IT and operational technology (OT) in critical infrastructure sectors. These middle layers are less well defended than core IT or heavy industrial OT, and because an outage there has direct operational and safety consequences, victims are more likely to pay. One scenario raised is the manipulation of pharmaceutical labeling systems, which could produce life-threatening errors. The SANS Institute identifies this ransomware activity as a significant threat, especially where IT systems underpin critical services such as healthcare and utilities. Nation-state actors, notably from Russia, China and Iran, also target these systems, with more destructive aims. Experts recommend shifting from recovery-focused defenses to early detection of manipulation in these critical systems.
2025-05-14 04:23:17 thehackernews CYBERCRIME Fortinet Fixes Critical Zero-Day Exploited in FortiVoice Systems
Fortinet has patched CVE-2025-32756 (CVSS 9.6), a critical stack-based buffer overflow that lets a remote, unauthenticated attacker execute arbitrary code via crafted HTTP requests. The flaw affects FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera, and has been exploited in the wild in attacks aimed at FortiVoice enterprise phone systems. Fortinet's product security team identified the vulnerability while investigating suspicious activity from specific attacker IP addresses. After exploitation, the attackers scanned the device network, erased crash logs and enabled fcgi debugging to log credentials from system or SSH login attempts. Administrators should upgrade immediately; where patching must be delayed, disabling the HTTP/HTTPS administrative interface removes the exposed attack surface, and wiped crash logs or an enabled fcgi debug setting on an unpatched device should be treated as indicators of compromise.