Daily Brief


Total articles found: 11823

Checks for new stories every ~15 minutes

2025-04-28 22:07:25 theregister MISCELLANEOUS Best Practices for CISOs to Manage Liability and Integrity
CISOs should negotiate for personal liability insurance and a golden parachute before joining a new company to protect themselves in cases of scapegoating or misconduct accusations. A former CISO shared an experience of being fired for refusing to approve fraudulent invoices, highlighting the importance of integrity and strong internal relationships. Panelists at the RSA Conference advised CISOs against suing employers after whistleblowing to avoid industry blacklisting and ensure future career opportunities. It was recommended that security officers ensure their bosses fund both Directors and Officers (D&O) insurance and personal legal liability insurance (PLLI) for protection during and after tenure. One panelist emphasized the need for documenting all decisions and communications to create an evidence trail that can be crucial during disputes or investigations. The discussion also covered the risks associated with communicating whistleblowing incidents to the media, which could lead to an even higher chance of being blacklisted. Trusting HR or ethics panels is cautioned against, as these bodies often prioritize the interests of the company over individual employees during internal conflicts.
2025-04-28 21:09:03 theregister NATION STATE ACTIVITY Key U.S. Cyber Officials Absent at RSA Conference This Year
The NSA's usually well-attended "State of the Hack" panel at the RSA Conference was canceled, and NSA cybersecurity director Dave Luber did not appear. Federal cyber officials, normally prominent at RSA, had a much smaller presence this year, with the FBI the main exception. Only one CISA representative spoke, on critical infrastructure threats, at a time when the agency has no confirmed director. U.S. Senator Ron Wyden is holding up the nomination of Sean Plankey as CISA director until a report on the security of U.S. telecommunications networks is released. Homeland Security Secretary Kristi Noem was added to the RSA agenda at the last minute to present her vision for America's cyber defense. Former CISA directors Jen Easterly and Chris Krebs, along with other ex-government officials, still engaged with attendees. Sessions also discussed the broader implications of cyber threats for democracy and policy; the absences were widely linked to recent budget and personnel cuts across federal cybersecurity positions.
2025-04-28 20:33:00 bleepingcomputer MALWARE Scattered Spider Ransomware Disrupts Marks & Spencer Operations
Marks & Spencer (M&S), a major British retailer, suffered a ransomware attack that disrupted contactless payments, Click & Collect and online ordering. The attack is attributed to the Scattered Spider threat group, which encrypted M&S servers; the resulting outages affected store and warehouse operations, with some warehouse staff sent home. The intrusion reportedly began in February, when the attackers stole files from an M&S Windows domain controller, reported to include the NTDS.dit Active Directory database, which holds domain password hashes and so supports later credential attacks and lateral movement. On April 24 the DragonForce encryptor was run against virtual machines on VMware ESXi hosts, which is what took services down. M&S has brought in CrowdStrike, Microsoft and Fenix24 for the investigation and recovery. Scattered Spider is known for gaining initial access through social engineering, often by impersonating employees to help desks, and has a record of high-profile ransomware intrusions. The case again shows how social engineering combined with ransomware aimed at virtualization hosts can take a large retailer offline.
2025-04-28 19:39:13 bleepingcomputer MALWARE Hitachi Vantara Suffers Disruption from Akira Ransomware Attack
Hitachi Vantara, Hitachi's storage and data infrastructure subsidiary, was hit by Akira ransomware on April 26, 2025, causing significant disruption. The company took affected servers offline and started its incident response process to contain the intrusion, bringing in external cybersecurity experts to assess the impact and run remediation. The attack affected Hitachi Vantara's own systems and manufacturing operations; its cloud services were reported unaffected, and customers with self-hosted deployments could still reach their data, so operations were not fully shut down. The Akira operation reportedly stole files and left ransom notes on compromised systems. According to the FBI, Akira had collected about $42 million in ransoms from more than 250 victims between its appearance in March 2023 and early 2024. Its ransom demands vary widely, tracking the size and type of the victim organisation.
2025-04-28 19:18:25 theregister MISCELLANEOUS AI's Growing Role in Cybersecurity: Challenges and Optimism
AI is significantly enhancing cybersecurity by automating critical tasks such as threat monitoring, alert triage, and malware analysis. The use of AI in cybersecurity is creating an arms race, with both defenders and attackers leveraging AI to outmaneuver each other. Global investment in AI-enhanced cybersecurity solutions is expected to reach $135 billion by 2030, indicating its critical role in future defense strategies. AI technologies are pivotal in securing complex environments within critical sectors like energy and healthcare, particularly with operational technology and IoT systems. While AI improves speed and accuracy in threat detection and response, there is a risk of overconfidence that can lead to underestimating sophisticated cyber adversaries. Continuous refinement and human oversight are necessary to ensure AI cybersecurity tools remain effective against evolving threats. Compliance with tightening global regulations requires innovative AI solutions, such as differential privacy and federated learning, to protect data privacy while maintaining strong defenses. Successful cybersecurity approaches will integrate AI across all networks, workflows, and teams, emphasizing real-world threat intelligence and a culture of shared cyber resilience.
2025-04-28 17:58:53 bleepingcomputer DATA BREACH VeriSource Data Breach Affects 4 Million, Offers Credit Protection
VeriSource Services, a Texas-based employee benefits administrator, reported a data breach affecting 4 million people. The breach, initially detected in February 2024 due to unusual system activity, wasn't fully assessed until April 2025. Sensitive personal information, including SSNs, names, addresses, and birthdates, was potentially compromised. The firm has taken steps to secure its network and engaged a digital forensics firm to investigate the breach. Affected individuals are being notified and offered 12 months of credit monitoring and identity restoration services. VeriSource had previously sent notifications to smaller groups in May and September 2024, totaling 167,000 people. Despite these notifications, the full extent of the breach was only disclosed recently, emphasizing the need for affected users to utilize the protection services offered.
2025-04-28 16:47:20 bleepingcomputer CYBERCRIME Over 1,200 SAP NetWeaver Servers Vulnerable to Exploitation
Over 1,200 internet-exposed SAP NetWeaver servers remain susceptible to CVE-2025-31324, a critical unauthenticated file upload flaw in the Visual Composer Metadata Uploader component. An unauthenticated remote attacker can upload arbitrary files, including JSP web shells, and execute them on the server, leading to full system compromise. ReliaQuest, Onapsis and other firms have confirmed active exploitation, with web shells found on compromised servers. SAP published a workaround on April 8, 2025 and a security update on April 25 that fixes the flaw. Scans by the Shadowserver Foundation and Onyphe show broad exposure, with hundreds of servers already compromised, many belonging to major global companies. An SAP spokesperson said no incidents affecting customer data or systems had been reported to the company. Affected organisations should apply SAP's update immediately or, where that is not yet possible, apply the workaround and restrict access to the vulnerable component.
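Added example, not from BleepingComputer, SAP or any vendor named above: the upload endpoint behind this flaw (the Visual Composer metadata uploader at /developmentserver/metadatauploader) and the JSP web shells dropped into the portal web root, reachable under /irj/, are the two artifacts public reporting has tracked. A first triage pass over HTTP access logs can therefore flag accepted unauthenticated POSTs to the uploader and any JSP under /irj/ requested afterwards. The log lines below are constructed in Apache combined format; SAP's ICM and Java HTTP logs use a different layout, so the regex, the sample file names and the IP addresses are assumptions to adapt.

```python
import re
from dataclasses import dataclass

# Paths from public reporting on CVE-2025-31324: the vulnerable Visual Composer
# upload servlet, and the portal web root (/irj/) where uploaded JSP shells land.
UPLOAD_PATH = "/developmentserver/metadatauploader"
JSP_UNDER_IRJ = re.compile(r"^/irj/[^/?]+\.jsp(?:\?.*)?$", re.IGNORECASE)

# Apache combined-log layout (assumption: adapt to the SAP ICM/Java log format in use).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
203.0.113.9 - - [24/Apr/2025:08:00:00 +0000] "GET /irj/portal HTTP/1.1" 200 9120
198.51.100.7 - - [25/Apr/2025:03:12:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
198.51.100.7 - - [25/Apr/2025:03:12:05 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 2048
192.0.2.44 - - [25/Apr/2025:09:30:10 +0000] "GET /irj/cache.jsp HTTP/1.1" 200 130
192.0.2.44 - - [25/Apr/2025:09:31:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 401 0
"""


@dataclass
class Finding:
    ip: str
    ts: str
    kind: str   # uploader_post_accepted | uploader_probe | jsp_after_upload | unexpected_jsp
    path: str


def triage(lines):
    """Return findings in log order. State is kept per source IP: once an uploader
    POST was accepted from an IP, later JSP hits from it are ranked as web-shell use."""
    findings = []
    uploaded_from = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than mis-attributing them
        ip, ts, method, path, status = m.group("ip", "ts", "method", "path", "status")
        if path.lower().startswith(UPLOAD_PATH):
            if method == "POST" and status.startswith("2"):
                uploaded_from.add(ip)
                findings.append(Finding(ip, ts, "uploader_post_accepted", path))
            else:
                findings.append(Finding(ip, ts, "uploader_probe", path))
        elif JSP_UNDER_IRJ.match(path) and status.startswith("2"):
            kind = "jsp_after_upload" if ip in uploaded_from else "unexpected_jsp"
            findings.append(Finding(ip, ts, kind, path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.ip:<14} {f.kind:<22} {f.path}")
```

A successful POST to the uploader from the internet is the vulnerability itself, whatever follows it; an "unexpected_jsp" hit with no matching POST in the retained logs still deserves a look on the filesystem, since the upload may predate the log window.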
2025-04-28 16:40:10 bleepingcomputer MISCELLANEOUS Kali Linux Addresses Update Failures Due to Lost Repo Key
Kali Linux (maintained by OffSec) announced that users will see update failures because the repository signing key was lost; the key was not compromised, but the developers no longer have access to it, so a new key now signs the repository. Users must manually install the new repository signing key, otherwise apt fails with a "Missing key" error when it verifies package signatures. The new key (ID ED65462EC8D5E4C5) is published on the Ubuntu OpenPGP keyserver and is signed by Kali developers. The Kali repository was frozen on April 18th so that nothing new was published until the replacement key was ready. Users who prefer not to swap the key by hand can reinstall from updated Kali images that already carry it. A similar episode occurred in 2018, when an expired repository key forced users to manually update their GPG key.
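The manual key swap described above, as an added example rather than Kali's own instructions: replacing a distribution's signing key is installing a new trust root, so the downloaded keyring should be checked against the checksum published with the announcement before it is put where apt will read it. Assumptions: the keyring URL is Kali's long-standing https://archive.kali.org/archive-keyring.gpg, the announcement publishes a SHA-1 as Kali has done in the past (use whichever hash it gives), and the install step runs as root.

```sh
#!/bin/sh
# Added example (not Kali's script): fetch the new Kali archive keyring, verify it
# against the published checksum, and only then install it for apt.
KEYRING_URL="https://archive.kali.org/archive-keyring.gpg"
KEYRING_DEST="/usr/share/keyrings/kali-archive-keyring.gpg"

# verify_keyring FILE EXPECTED_SHA1: returns 0 if the file's SHA-1 matches, 1 otherwise.
verify_keyring() {
    file="$1"; expected="$2"
    [ -r "$file" ] || { echo "verify_keyring: cannot read $file" >&2; return 1; }
    actual=$(sha1sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "verify_keyring: checksum mismatch: got $actual, expected $expected" >&2
        return 1
    fi
    return 0
}

# install_keyring EXPECTED_SHA1: download to a temp file, verify, install, list key IDs.
install_keyring() {
    expected="$1"
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$KEYRING_URL"; then
        echo "install_keyring: download failed" >&2; rm -f "$tmp"; return 1
    fi
    if ! verify_keyring "$tmp" "$expected"; then
        rm -f "$tmp"; return 1          # never install an unverified trust root
    fi
    install -o root -g root -m 0644 "$tmp" "$KEYRING_DEST" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    # Show which key IDs apt will now trust for the Kali repository (gpg optional).
    if command -v gpg >/dev/null 2>&1; then
        gpg --no-default-keyring --keyring "$KEYRING_DEST" --list-keys --keyid-format long
    fi
    return 0
}

# Usage: sudo sh kali-keyring.sh install <sha1-from-announcement>
if [ "${1:-}" = "install" ]; then
    install_keyring "${2:?expected SHA-1 from the Kali announcement is required}" && apt update
fi
```

The listed key ID should match the one in the announcement (ED65462EC8D5E4C5); if the checksum and key ID do not both agree with a source other than the download itself, stop, since a mirror or an intercepted connection could be handing out a different key.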
2025-04-28 14:07:53 bleepingcomputer DDOS Cloudflare Reports Unprecedented Surge in DDoS Attacks in 2024-2025
Cloudflare mitigated a record 21.3 million DDoS attacks in 2024, a 358% increase over the previous year, and saw 20.5 million attacks in the first quarter of 2025 alone. About a third of those first-quarter attacks (6.6 million) came from an 18-day multi-vector campaign aimed directly at Cloudflare's own infrastructure. Common vectors were SYN floods, Mirai-variant botnet attacks and SSDP amplification, with network-layer attacks up 509% year-over-year. Cloudflare blocked over 700 hyper-volumetric attacks in the quarter, meaning attacks exceeding 1 Tbps of bandwidth or 1 billion packets per second. Two vectors grew sharply in Q1 2025: CLDAP reflection/amplification rose 3,488% quarter-over-quarter and ESP reflection/amplification 2,301%. One attack reached 1.5 billion packets per second against a provider of multiplayer game servers for titles such as Counter-Strike: GO and Team Fortress 2. Cloudflare's CEO also disclosed a record 5.8 Tbps attack and indicated that even larger ones were mitigated in the same period.
2025-04-28 13:48:46 theregister DATA BREACH Massive Data Breach Exposes 4 Million People's Sensitive Details
VeriSource Services, a Houston-based employee benefits administration firm, was breached in February 2024 and now says 4 million individuals were affected, far more than its initial estimate of about 112,000. Compromised data includes names, addresses, Social Security numbers, dates of birth and gender, though not every affected person's record contains every field. VeriSource worked with its client companies to establish the full scope; that investigation concluded on April 17. The company has been in contact with the FBI since the incident and is offering credit monitoring and identity theft protection to all victims. There is no evidence so far that the stolen data has been misused, and no cybercrime group has claimed responsibility. The 14-month gap between detection and the final victim count is notable, since most of the affected people had no warning to watch for fraud during that time.
2025-04-28 12:31:08 theregister CYBERCRIME 4chan Recovers from Devastating Cyberattack Amid Financial Struggles
A cyberattack on 4chan earlier this month was confirmed to be catastrophic, resulting in significant data theft. The attack utilized an outdated software package exploited through a bogus PDF upload, leading to unauthorized access to 4chan’s servers. Critical data, including database tables and source code, were extracted, and the site suffered intentional vandalism. The attack highlighted longstanding issues with updating 4chan’s technology, attributed to financial constraints and insufficient technical staff. After the attack, 4chan upgraded to new servers and disabled PDF uploads to prevent similar exploits. Financial and technical challenges persist for 4chan, with ongoing dependence on volunteer tech support. Despite setbacks, 4chan vows to continue operations, underscoring the unique community it hosts.
2025-04-28 12:23:35 thehackernews CYBERCRIME Critical NetWeaver Exploit Highlights Week in Cybersecurity
A critical SAP NetWeaver flaw was exploited as a zero-day for unauthenticated file upload and remote code execution; in the observed intrusions the attackers deployed the Brute Ratel C4 post-exploitation framework and used the Heaven's Gate technique to evade endpoint security. The roundup argues the threat landscape is shifting toward AI-driven attacks that perimeter controls such as firewalls do not address on their own. Newly disclosed vulnerabilities include issues in Craft CMS, Commvault Command Center and Microsoft Windows, among others, adding to patch urgency. Attackers are abusing video call platforms such as Zoom, sending fake meeting invites and then using remote-control features to take over targets' systems. Recommended defences include disabling unnecessary remote control features, verifying identities on video calls, and using browser-based communication tools. The roundup also stresses that technology alone is insufficient and that human factors, trust and behaviour must be part of the defence against sophisticated attacks.
2025-04-28 11:03:54 thehackernews DATA BREACH How Minor Vulnerabilities Can Lead to Major Data Breaches
Intruder's bug-hunting team shows how small flaws chain into serious breaches. In one case an SSRF in a home-moving app let the tester reach the AWS instance metadata service, exposing instance metadata and temporary IAM credentials together with their attached permissions. An exposed .git directory on a university site leaked source code that let the tester bypass authentication and reach the database. A document signing app was vulnerable to remote code execution because it shipped an outdated ExifTool. In an auction application, a self-XSS combined with web cache poisoning allowed site-wide account takeover. API weaknesses such as IDOR let a tester read other users' data simply by changing an identifier in the request. Intruder recommends continuous discovery and scanning of unknown assets and vulnerabilities to catch these issues before attackers do.
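The SSRF case above, as an added example (not Intruder's code or the app's): the bug is a server-side fetcher that requests whatever URL the user supplies, so it can be pointed at the cloud instance metadata service at 169.254.169.254 and hand back the instance role's temporary credentials. The hardened version below restricts the scheme, rejects userinfo, resolves the host, refuses if any answer falls in an internal range (including IPv4-mapped IPv6 forms), and returns the checked IP so the caller connects to exactly that address. The fake resolver table and its addresses are constructed for offline use; the real one goes through the OS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Address ranges a server-side fetcher should never reach. 169.254.0.0/16 covers
# the cloud instance metadata service (169.254.169.254) on AWS, Azure and GCP.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed lookup table so the example runs offline (assumption, not real DNS).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "rebind.test": ["93.184.216.34", "169.254.169.254"],  # one internal answer among public ones
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def system_resolver(host):
    """Resolve via the OS. getaddrinfo also normalises odd literals such as the
    decimal form 2852039166, so those are checked as 169.254.169.254."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(addr):
    """True if a v4/v6 literal falls in a blocked range; IPv4-mapped IPv6 such as
    ::ffff:169.254.169.254 is unwrapped first so it cannot slip past the v4 ranges."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def vulnerable_fetch_target(url):
    # The pattern behind the finding: user input becomes the request target as-is.
    return url


def safe_fetch_target(url, resolver=system_resolver):
    """Validate scheme and host, resolve, and refuse if ANY resolved address is
    internal. Returns (host, ip); connect to that ip and send host in Host/SNI so
    a second DNS answer cannot rebind the request after the check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        candidates = [str(ipaddress.ip_address(host))]   # IP literal, no DNS needed
    except ValueError:
        candidates = list(resolver(host))
    if not candidates:
        raise ValueError(f"host does not resolve: {host}")
    for addr in candidates:
        if is_blocked_address(addr):
            raise ValueError(f"{host} resolves to blocked address {addr}")
    return host, candidates[0]


def is_safe_url(url, resolver=system_resolver):
    try:
        safe_fetch_target(url, resolver)
        return True
    except (ValueError, socket.gaierror):
        return False


if __name__ == "__main__":
    for u in ("https://example.com/api",
              "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://rebind.test/"):
        print(f"{u:<66} {'allowed' if is_safe_url(u, fake_resolver) else 'blocked'}")
```

Two caveats the check does not remove on its own: redirects must be re-validated hop by hop (a public host can 302 to the metadata address), and on AWS the stronger fix is requiring IMDSv2, whose session token needs a PUT that a plain GET-based SSRF cannot issue.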
2025-04-28 09:11:01 thehackernews NATION STATE ACTIVITY Sophisticated APT Campaign Targets Southeast Asia's Key Sectors
Earth Kurma, an advanced persistent threat (APT) group active since at least June 2024, is conducting cyber espionage against government and telecommunications organisations in Southeast Asia, with victims in the Philippines, Vietnam, Thailand and Malaysia. The group uses living-off-the-land techniques and legitimate tools to install its malware quietly, keyloggers and custom tooling for collection, and kernel-level rootkits (KRNRAT and Moriya) for persistence. Stolen data is exfiltrated through tooling such as TESDAT and SIMPOBOXSPY to cloud storage services, namely Dropbox and Microsoft OneDrive, so the traffic blends in with normal use. The main risks are credential theft and long-term covert access to infected networks. Overlaps in tactics and tooling suggest possible, though unconfirmed, links to other groups such as ToddyCat. Trend Micro, which reported the campaign, notes that the group keeps adapting its methods, and organisations in the targeted sectors should reassess their defences against this level of actor.
2025-04-28 08:08:53 thehackernews CYBERCRIME Phishing Attack Targets WooCommerce Users with Fake Security Patch
A large-scale phishing campaign is targeting WooCommerce users by exploiting fears of a security vulnerability. According to Patchstack, the emails urge recipients to download a "critical security patch" from a site whose domain is an IDN homograph of the legitimate WooCommerce domain, so the link looks genuine at a glance. Installing the fake patch drops a backdoor that gives the attackers remote control of the site. The operators are possibly the same group, or a new cluster copying the approach, behind a similar campaign seen in December 2023. Possible follow-on abuse includes encrypting the server for extortion, enrolling the server in a DDoS botnet, and redirecting visitors to malicious sites. Site owners should scan for unfamiliar plugins and administrator accounts, and keep WooCommerce and WordPress updated through official channels rather than emailed links.
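The homograph trick above, as an added example (not Patchstack's tooling): a lookalike domain swaps one or more letters for visually similar Unicode characters, and on the wire it travels as a punycode "xn--" label that most people never see. The check below decodes a host to Unicode, collapses it to an ASCII skeleton by stripping diacritics and mapping a handful of Cyrillic and Greek look-alikes, and flags any host that is not the brand domain but has the brand's skeleton. The sample domains are constructed, and the confusables map is a small illustrative subset, not the full Unicode confusables table.

```python
import unicodedata
from urllib.parse import urlsplit

# Partial confusables map (assumption: an illustrative subset of Unicode's
# confusables.txt): Cyrillic/Greek letters onto the Latin letters they resemble.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03b1": "a", "\u03bf": "o", "\u0131": "i",
}


def to_unicode_host(host):
    """Lower-case, then decode a punycode (xn--) host to Unicode; pass Unicode through."""
    host = host.strip().rstrip(".").lower()
    if not host.isascii():
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # malformed xn-- label: keep as-is, it will not match the brand anyway


def skeleton(label):
    """Strip diacritics after NFKD decomposition, then map confusables to Latin."""
    return "".join(
        CONFUSABLES.get(ch, ch)
        for ch in unicodedata.normalize("NFKD", label)
        if not unicodedata.combining(ch)
    )


def is_homograph_of(host, brand):
    """True when host is not the brand domain but collapses to the same skeleton."""
    h, b = to_unicode_host(host), to_unicode_host(brand)
    return h != b and skeleton(h) == skeleton(b)


def scan_links(urls, brands):
    """Return (url, brand) pairs whose host is a homograph of a protected brand domain."""
    hits = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        for brand in brands:
            if is_homograph_of(host, brand):
                hits.append((url, brand))
    return hits


if __name__ == "__main__":
    # Constructed lookalikes: Latin e-with-dot-above, and two Cyrillic o's.
    for sample in ("woocomm\u0117rce.com", "w\u043e\u043ecommerce.com", "woocommerce.com"):
        wire = sample.encode("idna").decode("ascii")
        print(f"{sample:<22} on the wire: {wire:<30} homograph: {is_homograph_of(wire, 'woocommerce.com')}")
```

This catches glyph substitution only; typosquats and added words (woocommerce-support.com) need a separate edit-distance or keyword check, and the cleanest operational fix is to treat any xn-- host in an email link as suspicious unless your organisation actually uses internationalised domains.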