Daily Brief
Find articles below, see 'DETAILS' for generated summaries
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-04-24 20:38:26 | theregister | DATA BREACH | Over 5.5 Million Patients' Data Compromised in Yale Health Breach | Yale New Haven Health has informed over 5.5 million individuals that their private information may have been stolen following a cybersecurity breach. The breach impacted the network of Connecticut's largest healthcare provider, involving facilities in multiple states including New York and Rhode Island. Mandiant's incident response team was engaged to investigate the break-in, with the cybersecurity incident confirmed and relevant authorities notified. Stolen data could include sensitive details such as Social Security numbers, demographic information, and medical record numbers. No impact on patient care or access to electronic medical records was reported, despite initial disruptions to phone and internet connectivity. Yale New Haven Health has begun outreach to affected patients, offering them free credit monitoring and identity protection services. This incident marks one of the largest healthcare privacy breaches of the current year, raising concerns about the security of healthcare information systems. | Details |
| 2025-04-24 20:30:36 | bleepingcomputer | NATION STATE ACTIVITY | Russian Hackers Exploit OAuth to Hijack Microsoft 365 Accounts | Russian threat actors have been exploiting OAuth 2.0 authentication workflows to hijack Microsoft 365 accounts linked to Ukraine and human rights groups. The attackers impersonate European officials and Ukrainian diplomats, using WhatsApp and Signal to contact targets and lure them into handing over Microsoft authorization codes. The attack begins by sending victims an OAuth phishing URL, claiming it is required to join a private video meeting. Once authenticated, victims are redirected to a modified in-browser version of Visual Studio Code, which captures login parameters from Microsoft 365. The authorization code extracted during the phishing attack is valid for 60 days and allows access to all resources available to the user. In variants of the phishing attacks, attackers registered a new device under the victim's Microsoft Entra ID once the two-factor authentication approval had been social-engineered. Volexity has tracked these threat actors, identified as UTA0352 and UTA0355, and assesses with medium confidence that they are Russian. Protective measures against such attacks include setting up alerts for unusual logins, blocking certain domains, and implementing conditional access policies. | Details |
| 2025-04-24 19:15:15 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Lazarus Group Targets South Korean Firms | The North Korean threat group Lazarus executed an espionage campaign against the software, IT, finance, and telecommunications industries in South Korea. The campaign, identified as "Operation SyncHole," involved watering hole attacks leveraging a known vulnerability in the Cross EX file transfer client. Compromised South Korean media portals redirected victims to malicious domains mimicking legitimate software vendors. The deployed malware, ThreatNeedle, ran with high privileges and could execute 37 distinct commands on an infected host. Kaspersky researchers observed variations in infection vectors and tools such as the Innorix Abuser, wAgent, and Copperhedge across different attack phases. Lazarus' activities were linked to the North Korean government, with attacks consistent in method and timing with the group's recognized patterns. The Korea Internet & Security Agency (KrCERT) was informed, and subsequent patches and updates were applied to mitigate the exploited vulnerabilities and additional identified zero-day flaws. | Details |
| 2025-04-24 18:06:16 | theregister | MISCELLANEOUS | Microsoft Patch Unintentionally Disables Windows Updates | Microsoft's latest security patch inadvertently introduces a flaw that stops Windows updates. The patch aimed to mitigate CVE-2025-21204 by pre-creating a folder named c:\inetpub to prevent symlink attacks. Security researcher Kevin Beaumont exploited this by redirecting the folder to a system executable using the mklink /j command, causing updates to fail. This loophole allows even standard users, without administrative rights, to block important security updates. System administrators now face the additional task of checking for tampered directory junctions that could prevent updates. The situation raises concerns about Microsoft's testing processes and the ease with which a basic denial-of-service (DoS) was introduced into production environments. Microsoft has been informed of the issue but has not yet issued a response or a fix. | Details |
| 2025-04-24 16:27:14 | bleepingcomputer | DATA BREACH | Ransomware Attack at Frederick Health Exposes Data of Nearly 1 Million | Frederick Health in Maryland was hit by a ransomware attack affecting its IT systems, detected on January 27, 2025. The unauthorized access led to the copying of files from a file share server, exposing sensitive patient information. Compromised data includes names, addresses, birth dates, Social Security and driver's license numbers, plus health-related information. Frederick Health has mailed notification letters to individuals whose data was involved and for whom it had sufficient contact information. In late March, the incident was officially reported to the U.S. Department of Health and Human Services, confirming the breach affected 934,326 patients. No ransomware group has claimed responsibility for the attack, which may indicate that Frederick Health paid a ransom. This cyber incident is part of a larger trend, as seen with similar breaches recently reported by Blue Shield of California and Yale New Haven Health. | Details |
| 2025-04-24 16:02:39 | theregister | DATA BREACH | Ubisoft Faces GDPR Complaint for Mandatory Online Play Data Collection | European privacy group noyb has filed a GDPR complaint against Ubisoft for forcing single-player gamers to stay online, thereby collecting data unnecessarily. The complaint specifically cites violations of Article 6(1) of the GDPR, emphasizing the lack of justifiable cause for data collection when games like Far Cry Primal have no online functionality. Analysis of network traffic revealed that Ubisoft sent encrypted data to servers owned by entities like Google, Amazon, and Datadog, raising concerns over privacy and data usage. Ubisoft reportedly offers an offline mode that is difficult to enable and not practically accessible, as evidenced by frustrations reported by a tech-savvy user. Noyb is pushing for substantial penalties against Ubisoft, citing the firm's €2 billion turnover to suggest fines could reach up to €92 million. This legal action could set a precedent affecting other game publishers with similar practices and is part of a larger effort to challenge intrusive data practices in the gaming industry. | Details |
| 2025-04-24 15:07:09 | bleepingcomputer | CYBERCRIME | Interlock Ransomware Gang Targets DaVita, Leaks Sensitive Data | The Interlock ransomware gang attacked DaVita, a major kidney care provider, impacting some of its operations. DaVita reported the ransomware incident to the U.S. Securities and Exchange Commission on April 12, noting the investigation was ongoing. Interlock has since claimed responsibility for the attack and added DaVita to its list of victims on its dark web data leak site. The gang allegedly stole 1.5 terabytes of data from DaVita, including sensitive patient records, user accounts, insurance details, and financial information. After ransom negotiations broke down, Interlock published nearly 700,000 files on its dark web site. DaVita has been approached for comment regarding the data leak claim, but no immediate response was provided. The incident highlights the importance of cybersecurity vigilance, as affected patients are advised to watch for possible phishing scams related to their leaked data. Recent reports suggest that Interlock has shifted tactics, increasingly using methods like 'ClickFix' to deploy its ransomware. | Details |
| 2025-04-24 14:16:56 | thehackernews | NATION STATE ACTIVITY | Lazarus Group Orchestrates Cyber Attack on South Korean Industries | The North Korea-linked Lazarus Group has targeted six South Korean organizations across various sectors including software, IT, and telecommunications. Operation SyncHole utilized advanced techniques, combining watering hole attacks with the exploitation of a zero-day vulnerability in Innorix Agent. Security analysts detected the first sign of the cyberattack in November 2024, emphasizing the strategic long-term planning of the threat actors. Lazarus exploited a flaw in Cross EX, a security software widely used in South Korea, to enable widespread malware deployment and data theft. Malware like ThreatNeedle, wAgent, SIGNBT, and COPPERHEDGE were deployed to facilitate initial access and establish persistence within infected networks. A variety of malware tools were used for different phases of the attack, from profiling victims to executing additional payloads via Agamemnon. Kaspersky discovered an additional arbitrary file download zero-day vulnerability in Innorix Agent, which has been patched since the findings. According to Kaspersky, ongoing efforts by Lazarus to refine its malware capabilities and minimize detection suggest continued attacks targeting South Korean supply chains. | Details |
| 2025-04-24 14:16:55 | bleepingcomputer | DATA BREACH | Yale New Haven Health Data Breach Affects Over 5 Million Patients | Yale New Haven Health confirmed a data breach impacting 5.5 million patients after a cyberattack on March 8, 2025. Stolen data includes personal patient information; financial details and medical records were not compromised. YNHHS engaged Mandiant for forensic investigation and system restoration; federal authorities have been informed. Patients affected by the breach are being offered free credit monitoring and identity protection services. Notices to impacted patients began mailing on April 14, 2025, detailing available protective measures. A filing on the U.S. Department of Health and Human Services breach portal further validated the scope of the breach. No ransomware groups have claimed responsibility for the attack, and the identity of the perpetrators remains unknown. Law firms representing the victims are preparing potential class action lawsuits. | Details |
| 2025-04-24 12:59:56 | thehackernews | MALWARE | New Linux Rootkit Bypasses Security Using io_uring Mechanism | Researchers at ARMO have uncovered a proof-of-concept rootkit, Curing, which exploits the Linux io_uring interface to circumvent system call monitoring tools. The io_uring mechanism, introduced in Linux kernel 5.1, allows asynchronous I/O operations between the kernel and user applications, enabling actions without traditional system calls. This rootkit avoids detection by major Linux runtime security tools like Falco and Tetragon, which rely heavily on monitoring system calls. CrowdStrike's Falcon agent initially missed file system operations via io_uring but has since implemented a fix. However, Microsoft Defender for Endpoint still lacks comprehensive threat detection capabilities for Linux, especially with io_uring. Google has already restricted io_uring use on platforms such as Android, ChromeOS, and its servers due to the security risks, indicating a recognized weakness exploited by the rootkit. ARMO's findings point to a significant need for security tools that provide deeper insight into kernel structures and operations beyond just system calls in order to detect threats effectively. | Details |
| 2025-04-24 12:06:25 | bleepingcomputer | MALWARE | Linux 'io_uring' Interface Enables Stealthy Rootkit Exploits | Researchers at ARMO identified a significant security gap in the Linux 'io_uring' interface that allows rootkits to evade detection. The proof-of-concept rootkit, named "Curing," exploits io_uring to perform malicious actions without triggering conventional security detections focused on syscalls. Google has disabled io_uring by default on platforms like Android and ChromeOS due to inherent vulnerabilities. Security tools such as Falco and Tetragon were unable to detect activities performed by the Curing rootkit under normal configurations. ARMO tested against multiple commercial security tools, which also failed to detect the malicious use of io_uring. ARMO advocates the use of Kernel Runtime Security Instrumentation (KRSI) to enhance the detection of such threats. The Curing rootkit has been made available on GitHub for organizations to test their security measures against this new exploit method. | Details |
| 2025-04-24 11:28:26 | thehackernews | CYBERCRIME | Darcula Phishing Tool Integrates GenAI, Expands Cybercrime Reach | Darcula, a phishing-as-a-service platform, has been updated to include generative artificial intelligence (GenAI) features, significantly reducing the technical knowledge required to create phishing campaigns. The GenAI capabilities enable the rapid development of customized phishing pages with multi-language support and automatic form generation, without needing programming skills. Initially identified in March 2024, Darcula has evolved from using smishing techniques with Apple iMessage and RCS to more sophisticated phishing site generation mimicking legitimate brands. The platform is operated by a threat actor known as LARVA-246 and is part of a broader cybercrime ecosystem linked to China, facilitating a variety of financial scams. The latest GenAI update was announced on April 23, 2025, enhancing attackers' ability to generate phishing forms in different languages and customize form fields. Since it was first documented, over 25,000 Darcula-linked phishing pages have been taken down by cybersecurity efforts, along with the blocking of nearly 31,000 IP addresses and the flagging of over 90,000 domains. The ease of use introduced by GenAI in Darcula allows even novice cybercriminals to set up and deploy tailored phishing sites within minutes, underscoring an escalation in the tool's threat level. | Details |
| 2025-04-24 10:34:40 | thehackernews | DATA BREACH | Implementing Zero Trust in Healthcare Amid Rising Cyber Threats | Healthcare cybersecurity faces major challenges in 2025, with operational technology increasingly targeted and a convergence of IT and medical systems expanding the attack surface. Data breaches in 2024 exposed over 133 million patient records, marking the healthcare sector as the most costly for breaches, with an average cost of $11 million per incident. New regulatory measures, including revised HIPAA rules, now mandate stricter security controls such as network segmentation to protect electronic health information effectively. The divide between IT security teams and clinical/biomedical teams creates vulnerabilities, as medical devices often use outdated systems with limited security support. Integrated solutions like Armis Centrix™ and Elisity's microsegmentation platforms are being employed to manage these challenges by providing comprehensive visibility and dynamic policy enforcement without network redesign. This approach allows for less intrusive deployment and robust security policy application, ensuring high availability and performance of healthcare networks. Main Line Health's successful implementation of this integrated solution has demonstrated significant improvements in compliance, risk management, and operational efficiency. The Elisity and Armis integration exemplifies the future direction of healthcare cybersecurity, focusing on advanced microsegmentation, AI-driven security responses, and tighter control over third-party network access. | Details |
| 2025-04-24 10:24:57 | theregister | CYBERCRIME | M&S Experiences Ongoing Disruption After Cyber Incident | Marks & Spencer (M&S) reported disruptions due to a cyber incident, affecting contactless payments and delaying orders. Click & Collect services at M&S have been suspended; home deliveries are also expected to face delays. The retailer hinted at a possible ransomware attack by stating that some internal processes were moved offline. M&S has not confirmed the nature of the cyber incident but has taken measures to protect its network and data. Stores remain operational, and customers can still place orders online or through the M&S app. The company is working with top industry experts to restore services and minimize customer inconvenience. M&S has been recognized for its transparent and effective communication regarding the incident. Public response has been generally positive towards M&S's handling of the crisis, mirroring a shift towards better crisis communication in the UK. | Details |
| 2025-04-24 10:02:51 | thehackernews | CYBERCRIME | Sharp Increase in Exploited Vulnerabilities in Q1 2025 | In Q1 2025, 159 CVEs were identified as exploited, an increase from 151 in the previous quarter. Approximately 28.3% (45 CVEs) were exploited within 24 hours of their disclosure. Most exploited vulnerabilities were found in CMS, network devices, operating systems, and server software. Main products impacted included Microsoft Windows, Broadcom VMware, and other technology solutions. Of the vulnerabilities, 25.8% are still under review or analysis by NIST. Verizon's 2025 Data Breach Report noted a 34% rise in the use of exploits as the initial vector in intrusions. The global median dwell time for attackers increased slightly to 11 days from the previous year. Despite rising exploit trends, enhanced detection is helping reduce the duration of breaches. | Details |