Daily Brief

Find articles below; each title is followed by a generated summary

Total articles found: 11823

Checks for new stories every ~15 minutes

2025-04-30 10:33:53 thehackernews CYBERCRIME Addressing the Surge in Multi-Billion Dollar Account Takeovers
Account takeover (ATO) incidents occur when attackers gain unauthorized access to customer accounts, often reselling the credentials on the digital black market. Flare's report indicates a significant impact of ATOs on industries like e-commerce, gaming, and streaming, with over 100,000 accounts compromised monthly. A key technique used by attackers is session hijacking, which bypasses multi-factor authentication (MFA) by stealing and using session cookies. The economic impact of ATOs includes costs associated with labor, fraud, and customer churn, significantly affecting business revenue. Flare’s data shows a 26% increase year-over-year in credential theft and session cookie exposures. Recommendations for preventing ATOs include monitoring the infostealer ecosystem, detecting and remediating exposed accounts, and adopting a security-first approach with clear communication to customers. Many victims of ATOs are not notified by their companies, undermining trust and potentially increasing customer churn.
2025-04-30 10:23:40 thehackernews CYBERCRIME RansomHub Goes Offline, Affiliates Shift to DragonForce Cartel
RansomHub, a prominent ransomware-as-a-service (RaaS) operation, went offline on April 1, 2025, causing affiliates to migrate to other RaaS entities like Qilin and DragonForce. The affiliates' transition may indicate a potential acquisition and integration of RansomHub by DragonForce, now rebranded as a "cartel" to attract more affiliates with flexible operational roles. Group-IB reports that RansomHub had rapidly ascended in the ransomware domain by integrating advanced features from acquired ransomware technologies and offering high financial rewards to affiliates. Affiliates are now facing an "uncertain environment" and are reportedly unsettled about their status within the rapidly shifting ransomware landscape. In addition to adopting established ransomware families, new entrants like Anubis are experimenting with innovative extortion methods, such as threatening to publish damaging investigative articles about the stolen data. Secureworks highlights that the rebranding and operational shifts within ransomware groups like DragonForce are indicative of evolving business models designed to maximize profits and adapt to increasing crackdowns on cybercrime. The latest developments stress the necessity for robust security measures and proactive defenses, particularly in high-risk sectors like healthcare, which are being targeted by sophisticated ransomware variants like ELENOR-corp.
2025-04-30 09:29:03 theregister MISCELLANEOUS New Research Aims to Preemptively Detect Bugs in Shell Scripts
A team of academics is developing methods for the static analysis of Unix shell scripts, aiming to improve their correctness and reliability before execution. The proposed techniques would offer pre-runtime guarantees and identify errors in shell programming environments like Bash and Zsh. Shell scripting, highly prevalent in Unix and Linux systems, has been notoriously difficult to secure and debug due to its dynamic and unstructured nature. Historical shell-related bugs have impacted major software and systems, including those from Nvidia, Apple iTunes, and Linux PCs involved in the 2015 Steam incident. The paper presented at the HotOS XX conference outlines the challenges and necessary advances for applying static analysis effectively to shell scripts. Success in this field could transform shell scripting, making it more predictable and safe, especially in critical infrastructure for continuous integration and deployment processes. This research marks a significant attempt, following previous failures, to address the nuances of shell script behaviors across various computing environments.
2025-04-30 08:09:54 theregister CYBERCRIME Enhancing Cloud Security With Intruder's Comprehensive Tools
Dark Reading’s 2024 Strategic Security Survey shows significant concern among IT managers about cloud security, with nearly 50% worried about cloud service provider exploits. Intruder’s Cloud Security offers agentless security scans focusing on vulnerabilities in AWS environments, set to expand to other platforms. The platform identifies risks like insecure permissions, exposed secrets, and misconfigurations by integrating directly with AWS. Features include continuous risk monitoring, verification of encryption practices, and automatic asset detection for new services. Intruder provides remediation guidance and leverages a simplified user interface with transparent pricing. Upcoming features include support for Microsoft Azure, Google Cloud, and services using Kubernetes, enhancing its versatility. The service helps businesses prioritize risks using a signature noise reduction technique, improving focus on critical vulnerabilities.
2025-04-30 07:12:29 thehackernews CYBERCRIME Meta Introduces LlamaFirewall to Enhance AI System Security
Meta announced the launch of LlamaFirewall, a new open-source framework aimed at securing AI systems from threats like prompt injections and jailbreaks. LlamaFirewall includes features such as PromptGuard 2 for real-time detection of security breaches, Agent Alignment Checks for monitoring agent objectives, and CodeShield for preventing the generation of insecure code. The framework is described as flexible and modular, designed for layered defenses in both simple and complex AI applications. Alongside LlamaFirewall, Meta updated LlamaGuard and CyberSecEval to improve content violation detection and assess AI systems' cybersecurity defenses. The newly introduced AutoPatchBench within CyberSecEval 4 is built to evaluate AI-driven tools' effectiveness in repairing security vulnerabilities in C/C++ code found through fuzzing. Meta also launched Llama for Defenders, a program to aid organizations and AI developers in accessing AI solutions tailored for security challenges, including scam, fraud, and phishing detection. Concurrently, WhatsApp is developing a technology called Private Processing to enable AI feature use while maintaining user privacy by processing requests in a secure environment. Meta is engaging with the security community to audit and refine these technologies, planning further developments in collaboration with researchers.
2025-04-30 04:49:19 thehackernews CYBERCRIME Indian Court Moves to Block Proton Mail Amid Deepfake Abuse Case
A Karnataka High Court ruling has mandated the blocking of Proton Mail in India due to a legal complaint alleging receipt of abusive content and AI-generated deepfake imagery. The complaint was initiated by M Moser Design Associated India Pvt Ltd, citing emails with obscene language and explicit content. Justice M Nagaprasanna directed the Indian government to proceed with blocking Proton Mail as per the IT Act, 2008, and associated rules. Although an immediate block of specific URLs is ordered, Proton Mail continues to be accessible in India as of this report. This legal development marks the second threat of a ban against Proton Mail in India, following previous misuse for hoax bomb threats. Proton Mail is subject to legal constraints under Swiss law, which prohibit data transmission to foreign authorities but require compliance with Swiss legal directives.
2025-04-29 19:52:06 bleepingcomputer MISCELLANEOUS Microsoft Announces Paid Subscription for Windows Server Hotpatching
Microsoft will introduce paid subscriptions for Windows Server 2025 hotpatching starting July 2025. Hotpatching allows installation of security updates without the need for server restarts. Initially offered for free in a preview, the service will require a subscription at $1.50 USD per CPU core per month from July 2025. Users testing the preview must disenroll by June 30, 2025, to avoid automatic subscription charges. Hotpatching was first made available for Windows Server 2022 Datacenter: Azure Edition in February 2022. The service will be extended to multi-cloud environments and on-premises servers through Azure Arc. Regular Windows updates not included in the Hotpatch service still require server reboots. Hotpatching is also becoming generally available for business customers of Windows 11 Enterprise 24H2 from April 2025.
2025-04-29 19:04:29 bleepingcomputer NATION STATE ACTIVITY French Ministry Accuses Russian APT28 Hackers of Multiple Cyberattacks
The French foreign ministry has officially attributed 12 cyberattacks on French entities to APT28, a group linked to Russian military intelligence (GRU). Over the past four years, APT28 targeted a variety of organizations including government, aerospace, and financial sectors. France condemns these activities as destabilizing and contrary to the U.N. standards for responsible state behavior in cyberspace. The French National Agency for the Security of Information Systems (ANSSI) noted APT28's techniques include using low-cost infrastructure and phishing attacks through free web services. Since early 2024, APT28 has focused on gathering strategic intelligence primarily from France, Europe, Ukraine, and North America. This isn't the first time ANSSI has identified APT28; previous reports link the group to significant breaches in France since mid-2021. APT28 is known for high-profile global attacks, including breaches of the U.S. Democratic National Committee and the German Federal Parliament. France and its allies vow to use all available means to counteract Russian cyber threats effectively.
2025-04-29 19:04:29 bleepingcomputer CYBERCRIME Increased Global Scans for Exposed Git Config Files Detected
GreyNoise reports a significant rise in scans for exposed Git configuration files during April 20-21, 2025. Nearly 4,800 unique IP addresses participated in the scans, with Singapore being the prime source and target. The exposed Git configs contain sensitive data including credentials and authentication tokens. Such data can be used to compromise cloud services and source code repositories, posing substantial security risks. Previous similar scanning activities have led to major breaches, including the Internet Archive's "The Wayback Machine." The scans predominantly target Singapore, the USA, Spain, Germany, the UK, and India. Recommended mitigation strategies include blocking access to .git/ directories, monitoring for unauthorized access, and rotating exposed credentials.
2025-04-29 18:55:43 theregister MALWARE Linux Malware Bypasses Antivirus Using io_uring Interface
A proof-of-concept malware named Curing uses Linux's io_uring interface to evade detection by monitoring tools designed to scan syscall activity. io_uring allows I/O operations to bypass traditional system calls, which many antivirus systems rely on as a fundamental method for detecting malicious activity. Popular antivirus tools, including Falco, Tetragon, and Microsoft Defender, failed to detect the malware in their default configurations. ARMO, the security company behind Curing, highlighted this method as a significant oversight in Linux's security architecture. Google has deactivated io_uring in ChromeOS and limited its use in Android and production servers after spending $1 million on related bug bounties. While some antivirus vendors acknowledge the issue and are working on updates, ARMO suggests disabling io_uring when not in use to mitigate risks. This discovery calls for a reassessment of security practices and for potential enhancements to antivirus technologies to address modern malware techniques.
2025-04-29 17:36:17 bleepingcomputer MALWARE Zero-Click Exploits Found in Apple AirPlay, Security Updates Issued
Security vulnerabilities affecting Apple's AirPlay Protocol and SDK could enable remote code execution, MITM, DoS attacks, and sensitive data access. The vulnerabilities, termed "AirBorne," were disclosed by Oligo Security and patched by Apple in updates for iOS, macOS, and visionOS devices. Attackers exploiting these vulnerabilities could remotely take control of devices without user interaction, using the flaws for wormable zero-click RCE exploits. Two of the flaws in particular, CVE-2025-24252 and CVE-2025-24132, let attackers bypass standard user interaction requirements, facilitating stealthier attacks. Apple has patched related vulnerabilities across its software ecosystem, including the AirPlay audio and video SDKs and the CarPlay Communication Plugin. Users and organizations are urged to update all Apple and third-party AirPlay-enabled devices immediately to mitigate risks. Potential threats from unpatched devices include malware proliferation across networks, espionage, ransomware, and supply-chain attacks. Apple's user base is extensive, with over 2.35 billion active devices potentially impacted, highlighting the critical nature of these updates.
2025-04-29 17:29:17 thehackernews MISCELLANEOUS WhatsApp Introduces Private Processing for AI-Driven Features
WhatsApp has launched a new feature called Private Processing, enabling AI enhancements while ensuring privacy. This technology allows users to utilize AI for actions like message summarization without compromising the security of message contents. Messages are processed in a Confidential Virtual Machine (CVM), where no third parties, including Meta or WhatsApp, can access the users' data. Private Processing uses anonymous credentials and Oblivious HTTP connections to protect user identity and data integrity. A Trusted Execution Environment (TEE) processes user requests and sends information back to the device in an encrypted format that only the device and server can decrypt. Meta acknowledges potential security vulnerabilities such as insider threats and supply chain risks, taking a defense-in-depth approach to mitigate these. Meta plans to release third-party logs for external scrutiny to assure transparency and further safeguard user data. The launch complements similar initiatives by other tech giants like Apple, which has developed its own confidential AI processing technologies.
2025-04-29 17:04:52 theregister NATION STATE ACTIVITY Rising Trends in Zero-Day Exploits Targeting Enterprise Tech
Google Threat Intelligence Group observed 75 zero-day exploits in 2024, a decrease from 98 in 2023 but an increase from prior years. Over 50% of these exploits were linked to cyberespionage by state-sponsored groups and commercial surveillance vendors, with significant activity from China and North Korea. Enterprise technology, especially security and networking products, was the primary target, comprising 44% of the total zero-days. Notable affected vendors included Microsoft, Google, Apple, and Ivanti, with Ivanti notably targeted by China's UNC5221 group. The exploitation landscape is supported by a thriving underground market for zero-day exploits and slow adoption of secure development practices. Intelligence from the Five Eyes alliance indicates that zero-days are among the most abused vulnerabilities, urging vendors to enhance vulnerability management. Google predicts a continued rise in zero-day exploits despite improvements in vendor security practices, suggesting these will remain a critical threat in enterprise technology sectors.
2025-04-29 16:55:42 bleepingcomputer DATA BREACH SK Telecom Offers Free SIM Replacements After Data Breach
South Korean mobile provider SK Telecom will offer free SIM card replacements to 25 million customers due to a USIM data breach. The breach, detected on April 19, involved malware that allowed theft of SIM data, including IMSI and MSISDN numbers, but did not expose personal or financial information. The primary risk associated with the breach is unauthorized SIM swapping, which could lead to cloned SIM cards. SK Telecom has enhanced its Fraud Detection System and SIM Protection Service to block unauthorized porting attempts. The company currently has 1 million SIM cards available and plans to secure an additional 5 million by May 2025, aiming to replace up to 6 million SIMs. Only subscribers as of April 18, 2025, are eligible for the replacement, and they must book through an online system to manage potential congestion. Investigations into the full extent and cause of the breach are ongoing, and no secondary damage or dark web leaks have been confirmed yet. Affected customers will receive personalized security instructions and can benefit from temporarily disabled roaming services, with plans to upgrade this feature for international use.
2025-04-29 16:19:14 thehackernews CYBERCRIME Security Flaws in AI Systems Enable Jailbreaks and Data Theft
Generative AI services like OpenAI ChatGPT and Google Gemini are vulnerable to "jailbreak" attacks, where safety guardrails are bypassed to generate harmful content. Two main jailbreak methods were identified: "Inception," which involves nested scenarios to elude safety measures, and direct querying about restricted responses. These attacks could allow the generation of illicit content including malware code and phishing schemes. Additional findings suggest generative AI can produce insecure code by default, highlighting the risks in AI-driven software development ("vibe coding"). Security assessments of OpenAI's GPT models show newer versions may introduce unintended security vulnerabilities, complicating model updates. The Model Context Protocol (MCP) can be exploited to perform covert data theft or manipulate AI behavior, as demonstrated in practical attacks and unauthorized Chrome extension activities. Researchers call for robust built-in guardrails and thorough testing of AI models to mitigate potential abuses and security breaches.