Daily Brief

2025-05-02 14:39:22 bleepingcomputer MALWARE U.S. Indicts Yemeni National for Ransomware Attacks on Exchange Servers
A 36-year-old Yemeni, Rami Khaled Ahmed, is indicted for orchestrating 1,500 ransomware attacks on Microsoft Exchange servers globally. The malware deployed, known as Black Kingdom, demanded $10,000 in Bitcoin as a ransom for each attack. Victims of these attacks included diverse U.S. entities such as medical billing companies, ski resorts, school districts, and health clinics. Black Kingdom ransomware exploited the ProxyLogon vulnerability in Microsoft Exchange servers to gain unauthorized access. This vulnerability suite in Microsoft Exchange was first identified and exploited widely in early 2021. In addition to Exchange server attacks, Ahmed had previously targeted vulnerabilities in Pulse Secure VPN to breach networks. If convicted on all counts, Ahmed faces up to 15 years in federal prison, charged with conspiracy and causing intentional damage to protected computers. The suspect, Rami Khaled Ahmed, is currently believed to be residing in Yemen.
2025-05-02 14:03:20 bleepingcomputer CYBERCRIME UK NCSC Alerts Retail Sectors to Rising Cyberattack Trends
The UK's National Cyber Security Centre (NCSC) has issued a warning regarding multiple cyberattacks on UK retail chains, highlighting these incidents as a critical wake-up call for the sector. These attacks have affected prominent retailers including Harrods, Marks & Spencer, and the Co-operative Group, with varying impacts on their operations and services. Harrods responded to the cyber threats by restricting internet access, although it has not confirmed if its systems were breached. The Co-op experienced disruptions which prompted the disablement of VPN access, suggesting containment measures following a breach. Marks & Spencer suffered a ransomware attack that disrupted online ordering and contactless payment services, attributed to the Scattered Spider threat group deploying DragonForce ransomware. The NCSC is actively collaborating with impacted organizations to understand the nature and consequences of these cyber incidents. Advisory statements have been issued urging business leaders to follow recommended cyber defense strategies available on the NCSC website to enhance resilience against such threats.
2025-05-02 13:11:17 theregister MISCELLANEOUS Three British Nationals Charged for Swatting in US and Canada
Three young men from the UK have been charged with making false emergency calls across the US and Canada, a practice known as swatting. The charges follow a joint effort between the FBI and Merseyside Police after a recent crackdown on politically motivated swatting incidents in the US. The individuals involved, Liam White, Dylan Ash, and Keiron Ellison, are accused of belonging to an online group that organized and executed these fake emergency calls. Swatting incidents can provoke dangerous police responses; in a noted case in 2017, one led to the fatal shooting of an innocent man in Wichita, Kansas. This UK case marks a growing effort to prosecute swatting under existing laws, and to legislate against it, given the significant dangers it poses. The FBI has also launched a public awareness campaign on the reality and dangers of swatting, countering perceptions of it as a harmless prank. There is currently no specific legislation for swatting in the UK; those involved are typically charged with perverting the course of justice.
2025-05-02 12:32:50 thehackernews DATA BREACH TikTok Fined €530 Million for Illicit Data Transfer to China
TikTok has been fined €530 million by Ireland's Data Protection Commission (DPC) for violating GDPR by transferring European user data to China. The fine follows a probe initiated in September 2021, which investigated TikTok's adherence to EU data protection laws regarding transfers to third countries. The DPC's decision mandates that TikTok halt any data transfer processes to China within six months and ensure its data handling complies with GDPR. The investigation revealed that TikTok had incorrectly informed the DPC that no European user data were stored on Chinese servers, a claim contradicted when such storage came to light in February 2025. TikTok's Deputy Commissioner criticized the company for not sufficiently protecting European user data from potential exploitation by Chinese authorities under national security laws. TikTok argued that the DPC decision overlooked its Project Clover, an initiative designed to enhance the security of European data. This penalty comes after a previous €345 million fine in September 2023 for mishandling data related to children under GDPR.
2025-05-02 12:15:48 bleepingcomputer DATA BREACH TikTok Fined €530 Million for Illegally Transferring EU Data to China
The Irish Data Protection Commission (DPC) fined TikTok €530 million for violating GDPR by transferring European user data to China. The fine consists of €485 million for unlawful data transfers under GDPR Article 46(1) and €45 million for lack of transparency under Article 13(1)(f). TikTok must align its data processing practices with EU law within six months to avoid a complete suspension of data transfers to China. The DPC raised concerns that Chinese authorities could access European data under China's domestic laws, which differ from EU standards. TikTok had previously claimed that European data was not stored in China, but in 2025 it admitted storing some data on Chinese servers. TikTok plans to appeal the fine, arguing that the DPC did not consider the safeguards provided by its Project Clover initiative. The fine is among the largest issued by the DPC, trailing only the penalties against Amazon and Facebook for data protection violations.
2025-05-02 10:33:40 theregister CYBERCRIME Harrods Joins UK Retailers Facing Coordinated Cyberattack Efforts
Harrods has become the third major UK retailer to report an attempted cyberattack, following incidents at M&S and Co-op. Neither Harrods, M&S, nor Co-op have announced that ransomware was the cause, though speculation surrounds involvement of Scattered Spider, a ransomware group affiliate. The UK's National Cyber Security Centre (NCSC) is currently assisting the affected retailers, underlining the seriousness of these security breaches. Cybersecurity advisory warnings are in place for UK retailers, with a threat of ongoing ransomware campaigns aimed specifically at this sector. There has been no clear attribution of the cyberattacks to any particular group as of yet, nor has any group claimed responsibility. Retail operations, including online and physical stores, continue to function, although some retailers are experiencing disruptions in service. The incidents have triggered warnings to all organizations to reinforce cyber defenses and follow stringent cybersecurity practices.
2025-05-02 10:33:39 thehackernews MISCELLANEOUS Streamlining Security Workflows: Automation Case Study at LivePerson
LivePerson used Tines, an AI and workflow orchestration platform, to automate the monitoring of security advisories and vulnerability responses. The new automated workflow tracks and responds to advisories issued by CISA, enriched with CrowdStrike threat intelligence. Automation reduced the manual ticket creation time from 150 minutes to 60 minutes for 45 vulnerability advisories, enhancing efficiency by 60%. The workflow preserves critical analyst involvement in decision-making, thus maintaining quality control while speeding up the process. Implementation steps include setting up a Tines account, importing workflows, configuring actions, and testing with real-world advisories before going live. The case study demonstrates significant time savings and a reduction in manual errors, boosting both team morale and operational efficiency.
2025-05-02 10:17:50 bleepingcomputer MISCELLANEOUS Microsoft Resolves Bug Mislabeling Gmail as Spam in Exchange Online
Microsoft fixed a machine learning model that incorrectly tagged Gmail emails as spam in Exchange Online, tracked as EX1064599. The issue began on April 25 at 09:24 UTC, causing legitimate emails to be automatically moved to junk folders. The misclassification was due to similarities between legitimate emails and those typically used in spam attacks. Microsoft reverted the ML model to its previous version on May 1 at 16:31 UTC, resolving the false positive issue. Users and admins had been advised to set custom allow rules to bypass the filtering glitch temporarily. Microsoft is continuing to refine its ML detection processes to minimize future false positives and improve email handling. The company confirmed the problem was resolved after monitoring and did not disclose the affected regions or the number of impacted users. This incident is part of a series of similar email misclassifications by Microsoft's machine learning models throughout the year.
2025-05-02 08:58:57 thehackernews MALWARE MintsLoader Uses Advanced Techniques to Deploy GhostWeaver RAT
MintsLoader, a malware loader, uses obfuscated JavaScript and PowerShell to deliver the GhostWeaver remote access trojan. It employs evasion tactics such as sandbox and virtual machine detection, domain generation algorithms (DGA), and HTTP-based command-and-control communications. It has been observed in phishing and drive-by download attacks targeting sectors such as industrial, legal, and energy since early 2023. It relies on a social engineering tactic known as ClickFix to deceive users into executing malicious scripts, often distributed via spam emails. MintsLoader's main function is to fetch next-stage payloads from a DGA-generated domain, enhancing stealth and complicating detection. GhostWeaver maintains persistent C2 communications, supports additional payload deployment, and uses TLS encryption with an obfuscated self-signed certificate. Related attack campaigns such as CLEARFAKE use similar tactics to deploy malware like Lumma Stealer through deceived user interactions.
2025-05-02 07:21:46 bleepingcomputer MISCELLANEOUS Microsoft Introduces Default Passwordless Option for New Accounts
Microsoft has announced that all new Microsoft accounts will be set to "passwordless by default," enhancing security against common password attacks. This change follows recent updates to user sign-in and registration flows on both web and mobile platforms, aimed at promoting passwordless and passkey-first authentication options. According to Microsoft executives Joy Chik and Vasu Jakkal, new users will not need to set up a password but will use passwordless methods like biometrics for account access. The company is encouraging the adoption of passkeys, which are viewed as a more secure alternative to traditional passwords, utilizing biometric identifiers such as fingerprints and facial recognition. Once users set up their account, they will be prompted to enroll a passkey, which will become their primary authentication method on subsequent logins. Microsoft claims the new passwordless system has already reduced password use by over 20% in trials and aims to continue decreasing reliance on passwords. Microsoft is a key player in the FIDO Alliance, promoting passkeys as a standard method for passwordless authentication across the industry.
2025-05-02 06:47:39 thehackernews MISCELLANEOUS Microsoft Advocates for Passwordless Future with Default Passkeys
Microsoft has configured new accounts to be passwordless by default, a move aimed at enhancing security and simplifying the user experience. New users are provided with various passwordless sign-in options, removing the need to set up a traditional password. Existing Microsoft account users can also eliminate their passwords by adjusting their account settings. The sign-in process now automatically detects and promotes the most secure method available for the user. Microsoft continues to support the broader shift toward a passwordless environment, mirroring actions by other tech giants including Apple and Google. Passkeys, supported by public/private key cryptography, do not require users to remember their passwords, thereby reducing the risk of phishing attacks. Implemented in Windows 11 and approved for global use by Google, passkeys have been adopted by over 15 billion user accounts. The FIDO Alliance, which backs the technology, is enhancing passkey interoperability and exploring its use in secure payments.
2025-05-01 23:20:31 bleepingcomputer CYBERCRIME Hacker Pleads Guilty to Stealing Over 1TB of Disney Slack Data
Ryan Kramer, under the alias "NullBulge," accessed and stole 1.1 terabytes of data from Disney's Slack channels using malware disguised as an AI image tool. The malware was distributed via GitHub, deceiving users, including a Disney employee, into granting access to their computers and stored passwords. Kramer used the stolen credentials to infiltrate Disney's Slack, downloading confidential data across thousands of internal channels. After failing to coerce cooperation by posing as a Russian hacktivist group threatening to expose the stolen information, NullBulge published the data on BreachForums. The U.S. Department of Justice has charged Kramer with unauthorized computer access and threatening to damage a protected computer, with each count carrying up to five years in prison. The FBI is currently investigating two additional individuals who downloaded Kramer's malware, suggesting broader implications and potential further breaches. Kramer has agreed to plead guilty and is awaiting his initial court appearance in Los Angeles.
2025-05-01 22:40:36 theregister NATION STATE ACTIVITY House Oversight Probes Elon Musk’s Government Role and Compliance
House Democrats have initiated investigations into Elon Musk's financial disclosures and security clearances related to his role in a government project that was never officially sanctioned by Congress. Two letters were sent demanding the release of documents confirming that Musk fulfilled the legal requirements for his role, amid concerns of self-dealing and conflicts of interest. Democrats are skeptical that Musk's private financial disclosure should stay confidential given his significant influence over taxpayer funds and his high-profile position. Additional concerns were raised about Musk's ties with foreign entities and his suitability for a role involving national security, which dominate the scrutiny of his security clearance. The inquiry also covers Musk's activities cutting jobs at the National Highway Traffic Safety Administration, which may constitute a conflict of interest due to ongoing Tesla investigations. Attention was also drawn to Musk's abrupt decision to step down from his government role by May, coinciding with the 130-working-day limit for Special Government Employees. Elon Musk and Tesla have faced negative publicity, such as protests and a substantial drop in Tesla's stock price, which has affected his business operations. Separate concerns were raised about his department's alleged mishandling of sensitive data at the National Labor Relations Board, potentially violating federal laws.
2025-05-01 20:09:33 bleepingcomputer DDOS Pro-Russia Hacktivists Launch DDoS Attacks on Dutch Entities
Pro-Russia hacktivists continue to target Dutch public and private organizations with DDoS attacks, disrupting accessibility and service provision. The Dutch National Cyber Security Center (NCSC) confirmed that multiple organizations in the Netherlands and other European countries experienced large-scale DDoS attacks. The NCSC revealed that the attacks were carried out by a hacktivist group known as NoName057(16), which claimed the actions were in retaliation for Dutch military aid to Ukraine. The group publicly asserted that its attacks were a response to the Netherlands' financial support to Ukraine, involving €6 billion previously and an additional planned €3.5 billion by 2026. Attacks have significantly impacted various Dutch regions including Groningen and Noord-Holland, affecting the online services of many municipalities and provinces. Despite the disruptions, there were no reported data breaches or internal system compromises within the targeted organizations. The DDoS campaign is part of ongoing activities by NoName057(16), which also runs a crowdsourced DDoS platform called 'DDoSIA', noted for its rapid recruitment and extensive reach in targeting Western organizations.
2025-05-01 19:48:16 bleepingcomputer CYBERCRIME Ukrainian Extradited to US for Ransomware Attack Involvement
Artem Aleksandrovych Stryzhak, a 35-year-old Ukrainian national, was extradited from Spain to face charges in the U.S. related to Nefilim ransomware attacks. Arrested in Spain in June 2024, Stryzhak is charged with fraud, extortion, and related activities targeting major companies primarily in the U.S. and several European countries. Starting in June 2021, Stryzhak allegedly joined the Nefilim ransomware operation, receiving 20% of ransom payments from his attacks. Using platforms like Zoominfo, he and his co-conspirators identified potential corporate targets by researching their revenue, size, and contact information. The Nefilim ransomware, active since 2020 and related to Nemty ransomware, encrypts corporate data and demands ransom in bitcoin, threatening to leak data if unpaid. High-profile victims of Nefilim attacks include global enterprises like Toll Group, Orange, and Whirlpool. The indictment was unsealed in Brooklyn federal court, where Stryzhak faces up to five years in prison if convicted.